services

package
v11.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 13, 2022 License: Apache-2.0 Imports: 79 Imported by: 0

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	// RDSEngineMySQL is RDS engine name for MySQL instances.
	RDSEngineMySQL = "mysql"
	// RDSEnginePostgres is RDS engine name for Postgres instances.
	RDSEnginePostgres = "postgres"
	// RDSEngineMariaDB is RDS engine name for MariaDB instances.
	RDSEngineMariaDB = "mariadb"
	// RDSEngineAurora is RDS engine name for Aurora MySQL 5.6 compatible clusters.
	RDSEngineAurora = "aurora"
	// RDSEngineAuroraMySQL is RDS engine name for Aurora MySQL 5.7 compatible clusters.
	RDSEngineAuroraMySQL = "aurora-mysql"
	// RDSEngineAuroraPostgres is RDS engine name for Aurora Postgres clusters.
	RDSEngineAuroraPostgres = "aurora-postgresql"
)
View Source
const (
	// RDSEngineModeProvisioned is the RDS engine mode for provisioned Aurora clusters
	RDSEngineModeProvisioned = "provisioned"
	// RDSEngineModeServerless is the RDS engine mode for Aurora Serverless DB clusters
	RDSEngineModeServerless = "serverless"
	// RDSEngineModeParallelQuery is the RDS engine mode for Aurora MySQL clusters with parallel query enabled
	RDSEngineModeParallelQuery = "parallelquery"
	// RDSEngineModeGlobal is the RDS engine mode for Aurora Global databases
	RDSEngineModeGlobal = "global"
	// RDSEngineModeMultiMaster is the RDS engine mode for Multi-master clusters
	RDSEngineModeMultiMaster = "multimaster"
)
View Source
const (
	// AzureEngineMySQL is the Azure engine name for MySQL single-server instances
	AzureEngineMySQL = "Microsoft.DBforMySQL/servers"
	// AzureEnginePostgres is the Azure engine name for PostgreSQL single-server instances
	AzureEnginePostgres = "Microsoft.DBforPostgreSQL/servers"
)
View Source
const (
	// AWSMatcherRDS is the AWS matcher type for RDS databases.
	AWSMatcherRDS = "rds"
	// AWSMatcherRDSProxy is the AWS matcher type for RDS Proxy databases.
	AWSMatcherRDSProxy = "rdsproxy"
	// AWSMatcherRedshift is the AWS matcher type for Redshift databases.
	AWSMatcherRedshift = "redshift"
	// AWSMatcherElastiCache is the AWS matcher type for ElastiCache databases.
	AWSMatcherElastiCache = "elasticache"
	// AWSMatcherMemoryDB is the AWS matcher type for MemoryDB databases.
	AWSMatcherMemoryDB = "memorydb"
	// AWSMatcherEC2 is the AWS matcher type for EC2 instances.
	AWSMatcherEC2 = "ec2"
	// AzureMatcherMySQL is the Azure matcher type for Azure MySQL databases.
	AzureMatcherMySQL = "mysql"
	// AzureMatcherPostgres is the Azure matcher type for Azure Postgres databases.
	AzureMatcherPostgres = "postgres"
	// AzureMatcherRedis is the Azure matcher type for Azure Cache for Redis databases.
	AzureMatcherRedis = "redis"
)
View Source
const (
	// UserIdentifier represents user registered identifier in the rules
	UserIdentifier = "user"
	// ResourceIdentifier represents resource registered identifier in the rules
	ResourceIdentifier = "resource"
	// ResourceLabelsIdentifier refers to the static and dynamic labels in a resource.
	ResourceLabelsIdentifier = "labels"
	// ResourceNameIdentifier refers to two different fields depending on the kind of resource:
	//   - KindNode will refer to its resource.spec.hostname field
	//   - All other kinds will refer to its resource.metadata.name field
	// It refers to two different fields because the way this shorthand is being used,
	// implies it will return the name of the resource where users identifies nodes
	// by its hostname and all other resources that can be `ls` queried is identified
	// by its metadata name.
	ResourceNameIdentifier = "name"
	// SessionIdentifier refers to a session (recording) in the rules.
	SessionIdentifier = "session"
	// SSHSessionIdentifier refers to an (active) SSH session in the rules.
	SSHSessionIdentifier = "ssh_session"
	// ImpersonateRoleIdentifier is a role to impersonate
	ImpersonateRoleIdentifier = "impersonate_role"
	// ImpersonateUserIdentifier is a user to impersonate
	ImpersonateUserIdentifier = "impersonate_user"
	// HostCertIdentifier refers to a host certificate being created.
	HostCertIdentifier = "host_cert"
	// SessionTrackerIdentifier refers to a session tracker in the rules.
	SessionTrackerIdentifier = "session_tracker"
)
View Source
const (
	// Equal means two objects are equal
	Equal = iota
	// OnlyTimestampsDifferent is true when only timestamps are different
	OnlyTimestampsDifferent = iota
	// Different means that some fields are different
	Different = iota
)
View Source
const (
	// EventWatcherRemoved is emitted when event watcher has been removed
	EventWatcherRemoved = iota
)

Variables

View Source
var (
	// ResourceNameExpr is the identifier that specifies resource name.
	ResourceNameExpr = builder.Identifier("resource.metadata.name")
	// CertAuthorityTypeExpr is a function call that returns
	// cert authority type.
	CertAuthorityTypeExpr = builder.Identifier(`system.catype()`)
)

DefaultCertAuthorityRules provides access the minimal set of resources needed for a certificate authority to function.

DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.

View Source
var ErrRequiresEnterprise = trace.AccessDenied("this feature requires Teleport Enterprise")
View Source
var ErrSessionMFARequired = trace.AccessDenied("access to resource requires MFA")

ErrSessionMFARequired is returned by AccessChecker when access to a resource requires an MFA check.

View Source
var StrictLockingModeAccessDenied = trace.AccessDenied("preventive lock-out due to local lock view becoming unreliable")

StrictLockingModeAccessDenied is an AccessDenied error returned when strict locking mode causes all interactions to be blocked.

Functions

func AccessRequestsToLockTargets

func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget

AccessRequestsToLockTargets converts a list of access requests to a list of LockTargets (one LockTarget per access request)

func AcquireSemaphoreWithRetry

func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)

AcquireSemaphoreWithRetry tries to acquire the semaphore according to the retry schedule until it succeeds or context expires.

func AddDefaultAllowRules

func AddDefaultAllowRules(role types.Role) types.Role

AddDefaultAllowRules adds default rules to a preset role. Only rules whose resources are not already defined (either allowing or denying) are added.

func ApplyAccessReview

func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author types.User) error

ApplyAccessReview attempts to apply the specified access review to the specified request.

func ApplyTraits

func ApplyTraits(r types.Role, traits map[string][]string) types.Role

ApplyTraits applies the passed in traits to any variables within the role and returns itself.

func ApplyValueTraits

func ApplyValueTraits(val string, traits map[string][]string) ([]string, error)

ApplyValueTraits applies the passed in traits to the variable, returns BadParameter in case if referenced variable is unsupported, returns NotFound in case if referenced trait is missing, mapped list of values otherwise, the function guarantees to return at least one value in case if return value is nil

func CalculateAccessCapabilities

CalculateAccessCapabilities aggregates the requested capabilities using the supplied getter to load relevant resources.

func CertAuthoritiesEquivalent

func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool

CertAuthoritiesEquivalent checks if a pair of certificate authority resources are equivalent. This differs from normal equality only in that resource IDs are ignored.

func CertPool

func CertPool(ca types.CertAuthority) (*x509.CertPool, error)

CertPool returns certificate pools from TLS certificates set up in the certificate authority

func CertPoolFromCertAuthorities

func CertPoolFromCertAuthorities(cas []types.CertAuthority) (*x509.CertPool, int, error)

CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates set up in the certificate authorities list, as well as the number of certificates that were added to the pool.

func CheckSAMLEntityDescriptor

func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)

CheckSAMLEntityDescriptor checks if the entity descriptor XML is valid and has at least one valid certificate.

func ClusterAuditConfigSpecFromObject

func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)

ClusterAuditConfigSpecFromObject returns audit config spec from object.

func CompareResources

func CompareResources(resA, resB types.Resource) int

CompareResources compares two resources by all significant fields.

func CompareRuleScore

func CompareRuleScore(r *types.Rule, o *types.Rule) bool

CompareRuleScore returns true if the first rule is more specific than the other.

* nRule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.

func CompareServers

func CompareServers(a, b types.Resource) int

CompareServers compares two provided servers.

func ConvertGithubConnector

func ConvertGithubConnector(c types.GithubConnector) (*types.GithubConnectorV3, error)

GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.

func DowngradeRoleToV4

func DowngradeRoleToV4(r *types.RoleV5) (*types.RoleV5, error)

DowngradeToV4 converts a V5 role to V4 so that it will be compatible with older instances. Makes a shallow copy if the conversion is necessary. The passed in role will not be mutated. DELETE IN 10.0.0

func ExtraElastiCacheLabels

func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, allNodes []*elasticache.CacheCluster, allSubnetGroups []*elasticache.CacheSubnetGroup) map[string]string

ExtraElastiCacheLabels returns a list of extra labels for provided ElastiCache cluster.

func ExtraMemoryDBLabels

func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, allSubnetGroups []*memorydb.SubnetGroup) map[string]string

ExtraMemoryDBLabels returns a list of extra labels for provided MemoryDB cluster.

func ExtractAllowedResourcesFromCert

func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)

func ExtractFromCertificate

func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, error)

ExtractFromCertificate will extract roles and traits from a *ssh.Certificate.

func ExtractFromIdentity

func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)

ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If roles and traits do not exist in the certificates, they are extracted from the backend.

func ExtractRolesFromCert

func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)

ExtractRolesFromCert extracts roles from certificate metadata extensions.

func ExtractTraitsFromCert

func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)

ExtractTraitsFromCert extracts traits from the certificate extensions.

func GetAccessRequest

func GetAccessRequest(ctx context.Context, acc DynamicAccess, reqID string) (types.AccessRequest, error)

GetAccessRequest is a helper function assists with loading a specific request by ID.

func GetAttributeNames

func GetAttributeNames(attributes map[string]samltypes.Attribute) []string

GetAttributeNames returns a list of claim names from the claim values

func GetClaimNames

func GetClaimNames(claims jose.Claims) []string

GetClaimNames returns a list of claim names from the claim values

func GetJWTSigner

func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)

GetJWTSigner returns the active JWT key used to sign tokens.

func GetMySQLEngineVersion

func GetMySQLEngineVersion(labels map[string]string) string

GetMySQLEngineVersion returns MySQL engine version from provided metadata labels. An empty string is returned if label doesn't exist.

func GetRedirectURL

func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)

GetRedirectURL gets a redirect URL for the given connector. If the connector has a redirect URL which matches the host of the given Proxy address, then that one will be returned. Otherwise, the first URL in the list will be returned.

func GetResourceMarshalerKinds

func GetResourceMarshalerKinds() []string

GetResourceMarshalerKinds lists all registered resource marshalers by kind.

func GetResourcesByResourceIDs

func GetResourcesByResourceIDs(ctx context.Context, lister ResourceLister, resourceIDs []types.ResourceID, opts ...ListResourcesRequestOption) ([]types.ResourceWithLabels, error)

func GetSAMLServiceProvider

func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)

GetSAMLServiceProvider gets the SAMLConnector's service provider

func GetSSHCheckingKeys

func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte

GetSSHCheckingKeys returns SSH public keys from CA

func GetStringMapValue

func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)

GetStringMapValue is a helper function that returns property from map[string]string or map[string][]string the function returns empty value in case if key not found In case if map is nil, returns empty value as well

func GetTLSCerts

func GetTLSCerts(ca types.CertAuthority) [][]byte

GetTLSCerts returns TLS certificates from CA

func GetTraitMappings

func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet

GetTraitMappings gets the AccessRequestConditions' claims as a TraitMappingsSet

func GuessProxyHostAndVersion

func GuessProxyHostAndVersion(proxies []types.Server) (string, string, error)

GuessProxyHostAndVersion tries to find the first proxy with a public address configured and return that public addr and version. If no proxies are configured, it will return a guessed value by concatenating the first proxy's hostname with default port number, and the first proxy's version will also be returned.

Returns empty value if there are no proxies.

func InitGithubConnector

func InitGithubConnector(c types.GithubConnector) (types.GithubConnector, error)

InitGithubConnector initializes c and returns a [types.GithubConnector] ready for use. InitGithubConnector must be used to initialize any uninitialized [types.GithubConnector]s before they can be used.

func IsElastiCacheClusterAvailable

func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterAvailable checks if the ElastiCache cluster is available.

func IsElastiCacheClusterSupported

func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterSupported checks whether the ElastiCache cluster is supported.

func IsMemoryDBClusterAvailable

func IsMemoryDBClusterAvailable(cluster *memorydb.Cluster) bool

IsMemoryDBClusterAvailable checks if the MemoryDB cluster is available.

func IsMemoryDBClusterSupported

func IsMemoryDBClusterSupported(cluster *memorydb.Cluster) bool

IsMemoryDBClusterSupported checks whether the MemoryDB cluster is supported.

func IsRDSClusterAvailable

func IsRDSClusterAvailable(cluster *rds.DBCluster) bool

IsRDSClusterAvailable checks if the RDS cluster is available.

func IsRDSClusterSupported

func IsRDSClusterSupported(cluster *rds.DBCluster) bool

IsRDSClusterSupported checks whether the Aurora cluster is supported.

func IsRDSInstanceAvailable

func IsRDSInstanceAvailable(instance *rds.DBInstance) bool

IsRDSInstanceAvailable checks if the RDS instance is available.

func IsRDSInstanceSupported

func IsRDSInstanceSupported(instance *rds.DBInstance) bool

IsRDSInstanceSupported returns true if database supports IAM authentication. Currently, only MariaDB is being checked.

func IsRDSProxyAvailable

func IsRDSProxyAvailable(dbProxy *rds.DBProxy) bool

IsRDSProxyAvailable checks if the RDS Proxy is available.

func IsRDSProxyCustomEndpointAvailable

func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool

IsRDSProxyCustomEndpointAvailable checks if the RDS Proxy custom endpoint is available.

func IsRecordAtProxy

func IsRecordAtProxy(mode string) bool

IsRecordAtProxy returns true if recording is sync or async at proxy.

func IsRecordSync

func IsRecordSync(mode string) bool

IsRecordSync returns true if recording is sync for proxy or node.

func IsRedshiftClusterAvailable

func IsRedshiftClusterAvailable(cluster *redshift.Cluster) bool

IsRedshiftClusterAvailable checks if the Redshift cluster is available.

func LastFailed

func LastFailed(x int, attempts []LoginAttempt) bool

LastFailed calculates last x successive attempts are failed

func LatestTunnelConnection

func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)

LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error

func LockInForceAccessDenied

func LockInForceAccessDenied(lock types.Lock) error

LockInForceAccessDenied is an AccessDenied error returned when a lock is in force.

func LockTargetsFromTLSIdentity

func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget

LockTargetsFromTLSIdentity infers a list of LockTargets from tlsca.Identity.

func MapListResourcesResultToLeafResource

func MapListResourcesResultToLeafResource(resource types.ResourceWithLabels, hint string) (types.ResourcesWithLabels, error)

MapListResourcesResultToLeafResource is the inverse of MapResourceKindToListResourcesType, after the ListResources call it maps the result back to the kind we really want. `hint` should be the name of the desired resource kind, used to disambiguate normal SSH nodes and kubernetes services which are both returned as `types.Server`.

func MapResourceKindToListResourcesType

func MapResourceKindToListResourcesType(kind string) string

MapResourceKindToListResourcesType returns the value to use for ResourceType in a ListResourcesRequest based on the kind of resource you're searching for. Necessary because some resource kinds don't support ListResources directly, so you have to list the parent kind. Use MapListResourcesResultToLeafResource to map back to the given kind.

func MapRoles

func MapRoles(r types.RoleMap, remoteRoles []string) ([]string, error)

MapRoles maps local roles to remote roles

func MarshalAccessRequest

func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)

MarshalAccessRequest marshals the AccessRequest resource to JSON.

func MarshalApp

func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)

MarshalApp marshals Application resource to JSON.

func MarshalAppServer

func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)

MarshalAppServer marshals the AppServer resource to JSON.

func MarshalAuthPreference

func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)

MarshalAuthPreference marshals the AuthPreference resource to JSON.

func MarshalCertAuthority

func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)

MarshalCertAuthority marshals the CertAuthority resource to JSON.

func MarshalCertRoles

func MarshalCertRoles(roles []string) (string, error)

MarshalCertRoles marshal roles list to OpenSSH

func MarshalClusterAuditConfig

func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterAuditConfig marshals the ClusterAuditConfig resource to JSON.

func MarshalClusterName

func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)

MarshalClusterName marshals the ClusterName resource to JSON.

func MarshalClusterNetworkingConfig

func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterNetworkingConfig marshals the ClusterNetworkingConfig resource to JSON.

func MarshalConnectionDiagnostic

func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)

MarshalConnectionDiagnostic marshals the ConnectionDiagnostic resource to JSON.

func MarshalDatabase

func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)

MarshalDatabase marshals the database resource to JSON.

func MarshalDatabaseServer

func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)

MarshalDatabaseServer marshals the DatabaseServer resource to JSON.

func MarshalGithubConnector

func MarshalGithubConnector(connector types.GithubConnector, opts ...MarshalOption) ([]byte, error)

MarshalGithubConnector marshals the GithubConnector resource to JSON.

func MarshalInstaller

func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)

MarshalInstaller marshals the Installer resource to JSON.

func MarshalKubeCluster

func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)

MarshalKubeCluster marshals the KubeCluster resource to JSON.

func MarshalKubeServer

func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)

MarshalKubeServer marshals the KubeServer resource to JSON.

func MarshalLicense

func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)

MarshalLicense marshals the License resource to JSON.

func MarshalLock

func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)

MarshalLock marshals the Lock resource to JSON.

func MarshalNamespace

func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)

MarshalNamespace marshals the Namespace resource to JSON.

func MarshalNetworkRestrictions

func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)

MarshalNetworkRestrictions marshals the NetworkRestrictions resource to JSON.

func MarshalOIDCConnector

func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)

MarshalOIDCConnector marshals the OIDCConnector resource to JSON.

func MarshalPluginData

func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)

MarshalPluginData marshals the PluginData resource to JSON.

func MarshalProvisionToken

func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)

MarshalProvisionToken marshals the ProvisionToken resource to JSON.

func MarshalRemoteCluster

func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)

MarshalRemoteCluster marshals the RemoteCluster resource to JSON.

func MarshalResource

func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)

MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func MarshalReverseTunnel

func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)

MarshalReverseTunnel marshals the ReverseTunnel resource to JSON.

func MarshalRole

func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)

MarshalRole marshals the Role resource to JSON.

func MarshalSAMLConnector

func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)

MarshalSAMLConnector marshals the SAMLConnector resource to JSON.

func MarshalSemaphore

func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)

MarshalSemaphore marshals the Semaphore resource to JSON.

func MarshalServer

func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)

MarshalServer marshals the Server resource to JSON.

func MarshalServers

func MarshalServers(s []types.Server) ([]byte, error)

MarshalServers marshals a list of Server resources.

func MarshalSessionRecordingConfig

func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)

MarshalSessionRecordingConfig marshals the SessionRecordingConfig resource to JSON.

func MarshalSessionTracker

func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)

MarshalSessionTracker marshals the Session resource to JSON.

func MarshalStaticTokens

func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)

MarshalStaticTokens marshals the StaticTokens resource to JSON.

func MarshalTrustedCluster

func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)

MarshalTrustedCluster marshals the TrustedCluster resource to JSON.

func MarshalTunnelConnection

func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)

MarshalTunnelConnection marshals the TunnelConnection resource to JSON.

func MarshalUser

func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals the User resource to JSON.

func MarshalUserToken

func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)

MarshalUserToken marshals the UserToken resource to JSON.

func MarshalUserTokenSecrets

func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)

MarshalUserTokenSecrets marshals the ResetPasswordTokenSecrets resource to JSON.

func MarshalWebSession

func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)

MarshalWebSession marshals the WebSession resource to JSON.

func MarshalWebToken

func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)

MarshalWebToken serializes the web token as JSON-encoded payload

func MarshalWindowsDesktop

func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktop marshals the WindowsDesktop resource to JSON.

func MarshalWindowsDesktopService

func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktopService marshals the WindowsDesktopService resource to JSON.

func MatchAWSRoleARN

func MatchAWSRoleARN(selectors []string, roleARN string) (bool, string)

MatchAWSRoleARN returns true if provided role ARN matches selectors.

func MatchDatabaseName

func MatchDatabaseName(selectors []string, name string) (bool, string)

MatchDatabaseName returns true if provided database name matches selectors.

func MatchDatabaseUser

func MatchDatabaseUser(selectors []string, user string) (bool, string)

MatchDatabaseUser returns true if provided database user matches selectors.

func MatchLabels

func MatchLabels(selector types.Labels, target map[string]string) (bool, string, error)

MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.

func MatchNamespace

func MatchNamespace(selectors []string, namespace string) (bool, string)

MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything.

func MatchResourceByFilters

func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, seenMap map[ResourceSeenKey]struct{}) (bool, error)

MatchResourceByFilters returns true if all filter values given matched against the resource.

If no filters were provided, we will treat that as a match.

If a `seenMap` is provided, this will be treated as a request to filter out duplicate matches. The map will be modified in place as it adds new keys. Seen keys will return match as false.

Resource KubeService is handled differently b/c of its 1-N relationhip with service-clusters, it filters out the non-matched clusters on the kube service and the kube service is modified in place with only the matched clusters. Deduplication for resource `KubeService` is not provided but is provided for kind `KubernetesCluster`.

func MatchResourceLabels

func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool

MatchResourceLabels returns true if any of the provided selectors matches the provided database.

func MetadataFromElastiCacheCluster

func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)

MetadataFromElastiCacheCluster creates AWS metadata for the provided ElastiCache cluster.

func MetadataFromMemoryDBCluster

func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)

MetadataFromMemoryDBCluster creates AWS metadata for the providec MemoryDB cluster.

func MetadataFromRDSCluster

func MetadataFromRDSCluster(rdsCluster *rds.DBCluster) (*types.AWS, error)

MetadataFromRDSCluster creates AWS metadata from the provided RDS cluster.

func MetadataFromRDSInstance

func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)

MetadataFromRDSInstance creates AWS metadata from the provided RDS instance.

func MetadataFromRDSProxy

func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error)

MetadataFromRDSProxy creates AWS metadata from the provided RDS Proxy.

func MetadataFromRDSProxyCustomEndpoint

func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)

MetadataFromRDSProxyCustomEndpoint creates AWS metadata from the provided RDS Proxy custom endpoint.

func MetadataFromRedshiftCluster

func MetadataFromRedshiftCluster(cluster *redshift.Cluster) (*types.AWS, error)

MetadataFromRedshiftCluster creates AWS metadata from the provided Redshift cluster.

func MustCreateProvisionToken

func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken

MustCreateProvisionToken returns a new valid provision token or panics, used in tests

func NewAccessRequest

func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)

NewAccessRequest assembles an AccessRequest resource.

func NewAccessRequestWithResources

func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)

NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.

func NewActionsParser

func NewActionsParser(ctx RuleContext) (predicate.Parser, error)

NewActionsParser returns standard parser for 'actions' section in access rules

func NewClusterNameWithRandomID

func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)

NewClusterNameWithRandomID creates a ClusterName, supplying a random ClusterID if the field is not provided in spec.

func NewDatabaseFromAzureRedis

func NewDatabaseFromAzureRedis(server *armredis.ResourceInfo) (types.Database, error)

NewDatabaseFromAzureRedis creates a database resource from an Azure Redis server.

func NewDatabaseFromAzureRedisEnterprise

func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)

NewDatabaseFromAzureRedisEnterprise creates a database resource from an Azure Redis Enterprise database and its parent cluster.

func NewDatabaseFromAzureServer

func NewDatabaseFromAzureServer(server *azure.DBServer) (types.Database, error)

NewDatabaseFromAzureServer creates a database resource from an AzureDB server.

func NewDatabaseFromElastiCacheConfigurationEndpoint

func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromElastiCacheConfigurationEndpoint creates a database resource from ElastiCache configuration endpoint.

func NewDatabaseFromMemoryDBCluster

func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromMemoryDBCluster creates a database resource from a MemoryDB cluster.

func NewDatabaseFromRDSCluster

func NewDatabaseFromRDSCluster(cluster *rds.DBCluster) (types.Database, error)

NewDatabaseFromRDSCluster creates a database resource from an RDS cluster (Aurora).

func NewDatabaseFromRDSClusterReaderEndpoint

func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster) (types.Database, error)

NewDatabaseFromRDSClusterReaderEndpoint creates a database resource from an RDS cluster reader endpoint (Aurora).

func NewDatabaseFromRDSInstance

func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)

NewDatabaseFromRDSInstance creates a database resource from an RDS instance.

func NewDatabaseFromRDSProxy

func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, port int64, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxy creates database resource from RDS Proxy.

func NewDatabaseFromRDSProxyCustomEndpoint

func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, port int64, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxyCustomEndpiont creates database resource from RDS Proxy custom endpoint.

func NewDatabaseFromRedshiftCluster

func NewDatabaseFromRedshiftCluster(cluster *redshift.Cluster) (types.Database, error)

NewDatabaseFromRedshiftCluster creates a database resource from a Redshift cluster.

func NewDatabasesFromElastiCacheNodeGroups

func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)

NewDatabasesFromElastiCacheNodeGroups creates database resources from ElastiCache node groups.

func NewDatabasesFromRDSClusterCustomEndpoints

func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster) (types.Databases, error)

NewDatabasesFromRDSClusterCustomEndpoints creates database resources from RDS cluster custom endpoints (Aurora).

func NewGithubConnector

func NewGithubConnector(name string, spec types.GithubConnectorSpecV3) (types.GithubConnector, error)

NewGithubConnector creates a new GitHub auth connector.

func NewImplicitRole

func NewImplicitRole() types.Role

NewImplicitRole is the default implicit role that gets added to all RoleSets.

func NewKubeClusterFromAWSEKS

func NewKubeClusterFromAWSEKS(cluster *eks.Cluster) (types.KubeCluster, error)

NewKubeClusterFromAWSEKS creates a kube_cluster resource from an EKS cluster.

func NewKubeClusterFromAzureAKS

func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)

NewKubeClusterFromAzureAKS creates a kube_cluster resource from an AKSCluster.

func NewKubeClusterFromGCPGKE

func NewKubeClusterFromGCPGKE(cluster gcp.GKECluster) (types.KubeCluster, error)

NewKubeClusterFromGCPGKE creates a kube_cluster resource from an GKE cluster.

func NewLogActionFn

func NewLogActionFn(ctx RuleContext) interface{}

NewLogActionFn creates logger functions

func NewPresetAccessRole

func NewPresetAccessRole() types.Role

NewPresetAccessRole creates a role for users who are allowed to initiate interactive sessions.

func NewPresetAuditorRole

func NewPresetAuditorRole() types.Role

NewPresetAuditorRole returns a new pre-defined role for cluster auditor - someone who can review cluster events and replay sessions, but can't initiate interactive sessions or modify configuration.

func NewPresetEditorRole

func NewPresetEditorRole() types.Role

NewPresetEditorRole returns a new pre-defined role for cluster editors who can edit cluster configuration resources.

func NewTOTPDevice

func NewTOTPDevice(name, key string, addedAt time.Time) (*types.MFADevice, error)

NewTOTPDevice creates a TOTP MFADevice from the given key.

func NewWhereParser

func NewWhereParser(ctx RuleContext) (predicate.Parser, error)

NewWhereParser returns standard parser for `where` section in access rules.

func NodeHasMissedKeepAlives

func NodeHasMissedKeepAlives(s types.Server) bool

NodeHasMissedKeepAlives checks if node has missed its keep alive

func OIDCClaimsToTraits

func OIDCClaimsToTraits(claims jose.Claims) map[string][]string

OIDCClaimsToTraits converts OIDC-style claims into teleport-specific trait format

func ParseShortcut

func ParseShortcut(in string) (string, error)

ParseShortcut parses resource shortcut

func RO

func RO() []string

RO is a shortcut that returns read only verbs that provide access to secrets.

func RW

func RW() []string

RW is a shortcut that returns all verbs.

func ReadNoSecrets

func ReadNoSecrets() []string

ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.

func RegisterGithubAuthConverter

func RegisterGithubAuthConverter(convert GithubAuthConverter)

RegisterGithubAuthCreator registers a function to convert GitHub auth connectors.

func RegisterGithubAuthCreator

func RegisterGithubAuthCreator(creator GithubAuthCreator)

RegisterGithubAuthCreator registers a function to create GitHub auth connectors.

func RegisterGithubAuthInitializer

func RegisterGithubAuthInitializer(init GithubAuthInitializer)

RegisterGithubAuthCreator registers a function to initialize GitHub auth connectors.

func RegisterResourceMarshaler

func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)

RegisterResourceMarshaler registers a marshaler for resources of a specific kind.

func RegisterResourceUnmarshaler

func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)

RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.

func RoleForCertAuthority

func RoleForCertAuthority(ca types.CertAuthority) types.Role

RoleForCertAuthority creates role using types.CertAuthority.

func RoleForUser

func RoleForUser(u types.User) types.Role

RoleForUser creates an admin role for a services.User.

Used in tests only.

func RoleFromSpec

func RoleFromSpec(name string, spec types.RoleSpecV5) (types.Role, error)

RoleFromSpec returns new Role created from spec

func RoleMapToString

func RoleMapToString(r types.RoleMap) string

RoleMapToString prints user friendly representation of role mapping

func RoleNameForCertAuthority

func RoleNameForCertAuthority(name string) string

RoleNameForCertAuthority returns role name associated with a certificate authority.

func RoleNameForUser

func RoleNameForUser(name string) string

RoleNameForUser returns role name associated with a user.

func RolesToLockTargets

func RolesToLockTargets(roles []string) []types.LockTarget

RolesToLockTargets converts a list of roles to a list of LockTargets (one LockTarget per role).

func SAMLAssertionsToTraits

func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string

SAMLAssertionsToTraits converts saml assertions to traits

func TraitsToRoleMatchers

func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)

TraitsToRoleMatchers maps the supplied traits to a list of role matchers. Prefer calling this function directly rather than calling TraitsToRoles and then building matchers from the resulting list since this function forces any roles which include substitutions to be literal matchers.

func TraitsToRoles

func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)

TraitsToRoles maps the supplied traits to a list of teleport role names. Returns the list of roles mapped from traits. `warnings` optionally contains the list of warnings potentially interesting to the user.

func TunnelConnectionStatus

func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, offlineThreshold time.Duration) string

TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection

func UnmarshalAccessRequest

func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)

UnmarshalAccessRequest unmarshals the AccessRequest resource from JSON.

func UnmarshalApp

func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)

UnmarshalApp unmarshals Application resource from JSON.

func UnmarshalAppServer

func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)

UnmarshalAppServer unmarshals AppServer resource from JSON.

func UnmarshalAuthPreference

func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)

UnmarshalAuthPreference unmarshals the AuthPreference resource from JSON.

func UnmarshalCertAuthority

func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)

UnmarshalCertAuthority unmarshals the CertAuthority resource to JSON.

func UnmarshalCertRoles

func UnmarshalCertRoles(data string) ([]string, error)

UnmarshalCertRoles marshals roles list to OpenSSH format

func UnmarshalClusterAuditConfig

func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)

UnmarshalClusterAuditConfig unmarshals the ClusterAuditConfig resource from JSON.

func UnmarshalClusterName

func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)

UnmarshalClusterName unmarshals the ClusterName resource from JSON.

func UnmarshalClusterNetworkingConfig

func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)

UnmarshalClusterNetworkingConfig unmarshals the ClusterNetworkingConfig resource from JSON.

func UnmarshalConnectionDiagnostic

func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)

UnmarshalConnectionDiagnostic unmarshals the ConnectionDiagnostic resource from JSON.

func UnmarshalDatabase

func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)

UnmarshalDatabase unmarshals the database resource from JSON.

func UnmarshalDatabaseServer

func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)

UnmarshalDatabaseServer unmarshals the DatabaseServer resource from JSON.

func UnmarshalGithubConnector

func UnmarshalGithubConnector(bytes []byte) (types.GithubConnector, error)

UnmarshalGithubConnector unmarshals the GithubConnector resource from JSON.

func UnmarshalInstaller

func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)

UnmarshalInstaller unmarshals the installer resource from JSON.

func UnmarshalKubeCluster

func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)

UnmarshalKubeCluster unmarshals KubeCluster resource from JSON.

func UnmarshalKubeServer

func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)

UnmarshalKubeServer unmarshals KubeServer resource from JSON.

func UnmarshalLicense

func UnmarshalLicense(bytes []byte) (types.License, error)

UnmarshalLicense unmarshals the License resource from JSON.

func UnmarshalLock

func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)

UnmarshalLock unmarshals the Lock resource from JSON.

func UnmarshalNamespace

func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)

UnmarshalNamespace unmarshals the Namespace resource from JSON.

func UnmarshalNetworkRestrictions

func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalOIDCConnector

func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)

UnmarshalOIDCConnector unmarshals the OIDCConnector resource from JSON.

func UnmarshalPluginData

func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)

UnmarshalPluginData unmarshals the PluginData resource from JSON.

func UnmarshalProvisionToken

func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)

UnmarshalProvisionToken unmarshals the ProvisionToken resource from JSON.

func UnmarshalRemoteCluster

func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)

UnmarshalRemoteCluster unmarshals the RemoteCluster resource from JSON.

func UnmarshalResource

func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (types.Resource, error)

UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if no unmarshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func UnmarshalReverseTunnel

func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalRole

func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)

UnmarshalRole unmarshals the Role resource from JSON.

func UnmarshalSAMLConnector

func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)

UnmarshalSAMLConnector unmarshals the SAMLConnector resource from JSON.

func UnmarshalSemaphore

func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)

UnmarshalSemaphore unmarshals the Semaphore resource from JSON.

func UnmarshalServer

func UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (types.Server, error)

UnmarshalServer unmarshals the Server resource from JSON.

func UnmarshalServers

func UnmarshalServers(bytes []byte) ([]types.Server, error)

UnmarshalServers unmarshals a list of Server resources.

func UnmarshalSessionRecordingConfig

func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)

UnmarshalSessionRecordingConfig unmarshals the SessionRecordingConfig resource from JSON.

func UnmarshalSessionTracker

func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)

UnmarshalSessionTracker unmarshals the Session resource from JSON.

func UnmarshalStaticTokens

func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)

UnmarshalStaticTokens unmarshals the StaticTokens resource from JSON.

func UnmarshalTrustedCluster

func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)

UnmarshalTrustedCluster unmarshals the TrustedCluster resource from JSON.

func UnmarshalTunnelConnection

func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)

UnmarshalTunnelConnection unmarshals TunnelConnection resource from JSON or YAML, sets defaults and checks the schema

func UnmarshalUser

func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)

UnmarshalUser unmarshals the User resource from JSON.

func UnmarshalUserToken

func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)

UnmarshalUserToken unmarshals the UserToken resource from JSON.

func UnmarshalUserTokenSecrets

func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)

UnmarshalUserTokenSecrets unmarshals the ResetPasswordTokenSecrets resource from JSON.

func UnmarshalWebSession

func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)

UnmarshalWebSession unmarshals the WebSession resource from JSON.

func UnmarshalWebToken

func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)

UnmarshalWebToken interprets bytes as JSON-encoded web token value

func UnmarshalWindowsDesktop

func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)

UnmarshalWindowsDesktop unmarshals the WindowsDesktop resource from JSON.

func UnmarshalWindowsDesktopService

func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)

UnmarshalWindowsDesktopService unmarshals the WindowsDesktopService resource from JSON.

func UsersEquals

func UsersEquals(u types.User, other types.User) bool

UsersEquals checks if the users are equal

func ValidateAccessPredicates

func ValidateAccessPredicates(role types.Role) error

ValidateAccessPredicates checks request & review permission predicates for syntax errors. Used to help prevent users from accidentally writing incorrect predicates. This function should only be called by the auth server prior to storing new/updated roles. Normal role validation deliberately omits these checks in order to allow us to extend the available namespaces without breaking backwards compatibility with older nodes/proxies (which never need to evaluate these predicates).

func ValidateAccessRequest

func ValidateAccessRequest(ar types.AccessRequest) error

ValidateAccessRequest validates the AccessRequest and sets default values

func ValidateAccessRequestForUser

func ValidateAccessRequestForUser(ctx context.Context, getter RequestValidatorGetter, req types.AccessRequest, opts ...ValidateRequestOption) error

ValidateAccessRequestForUser validates an access request against the associated users's *statically assigned* roles. If expandRoles is true, it will also expand wildcard requests, setting their role list to include all roles the user is allowed to request. Expansion should be performed before an access request is initially placed in the backend.

func ValidateCertAuthority

func ValidateCertAuthority(ca types.CertAuthority) (err error)

ValidateCertAuthority validates the CertAuthority

func ValidateDatabase

func ValidateDatabase(db types.Database) error

ValidateDatabase validates a types.Database.

func ValidateLocalAuthSecrets

func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error

ValidateLocalAuthSecrets validates local auth secret members.

func ValidateNetworkRestrictions

func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error

ValidateNetworkRestrictions validates the network restrictions and sets defaults

func ValidateReverseTunnel

func ValidateReverseTunnel(rt types.ReverseTunnel) error

ValidateReverseTunnel validates the OIDC connector and sets default values

func ValidateRole

func ValidateRole(r types.Role) error

ValidateRole parses validates the role, and sets default values.

func ValidateRoleName

func ValidateRoleName(role types.Role) error

ValidateRoleName checks that the role name is allowed to be created.

func ValidateSAMLConnector

func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error

ValidateSAMLConnector validates the SAMLConnector and sets default values. If a remote to fetch roles is specified, roles will be validated to exist.

func ValidateTrustedCluster

func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error

ValidateTrustedCluster checks and sets Trusted Cluster defaults

func ValidateUser

func ValidateUser(u types.User) error

ValidateUser validates the User and sets default values

func ValidateUserRoles

func ValidateUserRoles(ctx context.Context, u types.User, roleGetter RoleGetter) error

ValidateUserRoles checks that all the roles in the user exist

func VerifyPassword

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type AWSMatcher

type AWSMatcher struct {
	// Types are AWS database types to match, "rds" or "redshift".
	Types []string
	// Regions are AWS regions to query for databases.
	Regions []string
	// Tags are AWS tags to match.
	Tags types.Labels
	// Params are passed to AWS when executing the SSM document
	Params InstallerParams
	// SSM provides options to use when sending a document command to
	// an EC2 node
	SSM *AWSSSM
}

AWSMatcher matches AWS databases.

type AWSRoleARNMatcher

type AWSRoleARNMatcher struct {
	RoleARN string
}

AWSRoleARNMatcher matches a role against AWS role ARN.

func (*AWSRoleARNMatcher) Match

func (m *AWSRoleARNMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database account name against provided role and condition.

func (*AWSRoleARNMatcher) String

func (m *AWSRoleARNMatcher) String() string

String returns the matcher's string representation.

type AWSSSM

type AWSSSM struct {
	// DocumentName is the name of the document to use when executing an
	// SSM command
	DocumentName string
}

AWSSSM provides options to use when executing SSM documents

type Access

type Access interface {
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) error
	// UpsertRole creates or updates role.
	UpsertRole(ctx context.Context, role types.Role) error
	// DeleteAllRoles deletes all roles.
	DeleteAllRoles() error
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// DeleteRole deletes role by name.
	DeleteRole(ctx context.Context, name string) error

	LockGetter
	// UpsertLock upserts a lock.
	UpsertLock(context.Context, types.Lock) error
	// DeleteLock deletes a lock.
	DeleteLock(context.Context, string) error
	// DeleteLock deletes all/in-force locks.
	DeleteAllLocks(context.Context) error
	// ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
	ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
}

Access service manages roles and permissions.

type AccessCheckable

type AccessCheckable interface {
	GetKind() string
	GetName() string
	GetMetadata() types.Metadata
	GetAllLabels() map[string]string
}

AccessCheckable is the subset of types.Resource required for the RBAC checks.

type AccessChecker

type AccessChecker interface {
	// HasRole checks if the checker includes the role
	HasRole(role string) bool

	// RoleNames returns a list of role names
	RoleNames() []string

	// Roles returns the list underlying roles this AccessChecker is based on.
	Roles() []types.Role

	// CheckAccess checks access to the specified resource.
	CheckAccess(r AccessCheckable, mfa AccessMFAParams, matchers ...RoleMatcher) error

	// CheckAccessToRemoteCluster checks access to remote cluster
	CheckAccessToRemoteCluster(cluster types.RemoteCluster) error

	// CheckAccessToRule checks access to a rule within a namespace.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error

	// CheckLoginDuration checks if role set can login up to given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)

	// CheckKubeGroupsAndUsers check if role can login into kubernetes
	// and returns two lists of combined allowed groups and users
	CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) (groups []string, users []string, err error)

	// CheckAWSRoleARNs returns a list of AWS role ARNs role is allowed to assume.
	CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

	// AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged
	AdjustSessionTTL(ttl time.Duration) time.Duration

	// AdjustClientIdleTimeout adjusts requested idle timeout
	// to the lowest max allowed timeout, the most restrictive
	// option will be picked
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration

	// AdjustDisconnectExpiredCert adjusts the value based on the role set
	// the most restrictive option will be picked
	AdjustDisconnectExpiredCert(disconnect bool) bool

	// CheckAgentForward checks if the role can request agent forward for this
	// user.
	CheckAgentForward(login string) error

	// CanForwardAgents returns true if this role set offers capability to forward
	// agents.
	CanForwardAgents() bool

	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool

	// DesktopClipboard returns true if the role set has enabled shared
	// clipboard for desktop sessions. Clipboard sharing is disabled if
	// one or more of the roles in the set has disabled it.
	DesktopClipboard() bool
	// RecordDesktopSession returns true if a role in the role set has enabled
	// desktop session recoring.
	RecordDesktopSession() bool
	// DesktopDirectorySharing returns true if the role set has directory sharing
	// enabled. This setting is enabled if one or more of the roles in the set has
	// enabled it.
	DesktopDirectorySharing() bool

	// MaybeCanReviewRequests attempts to guess if this RoleSet belongs
	// to a user who should be submitting access reviews. Because not all rolesets
	// are derived from statically assigned roles, this may return false positives.
	MaybeCanReviewRequests() bool

	// PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
	PermitX11Forwarding() bool

	// CanCopyFiles returns true if the role set has enabled remote file
	// operations via SCP or SFTP. Remote file operations are disabled if
	// one or more of the roles in the set has disabled it.
	CanCopyFiles() bool

	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	CertificateFormat() string

	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool

	// CheckDatabaseNamesAndUsers returns database names and users this role
	// is allowed to use.
	CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) (names []string, users []string, err error)

	// CheckImpersonate checks whether current user is allowed to impersonate
	// users and roles
	CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

	// CheckImpersonateRoles checks whether the current user is allowed to
	// perform roles-only impersonation.
	CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

	// CanImpersonateSomeone returns true if this checker has any impersonation rules
	CanImpersonateSomeone() bool

	// LockingMode returns the locking mode to apply with this checker.
	LockingMode(defaultMode constants.LockingMode) constants.LockingMode

	// ExtractConditionForIdentifier returns a restrictive filter expression
	// for list queries based on the rules' `where` conditions.
	ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

	// CertificateExtensions returns the list of extensions for each role in the RoleSet
	CertificateExtensions() []*types.CertExtension

	// GetAllowedSearchAsRoles returns all of the allowed SearchAsRoles.
	GetAllowedSearchAsRoles() []string

	// GetAllowedPreviewAsRoles returns all of the allowed PreviewAsRoles.
	GetAllowedPreviewAsRoles() []string

	// MaxConnections returns the maximum number of concurrent ssh connections
	// allowed.  If MaxConnections is zero then no maximum was defined and the
	// number of concurrent connections is unconstrained.
	MaxConnections() int64

	// MaxSessions returns the maximum number of concurrent ssh sessions per
	// connection. If MaxSessions is zero then no maximum was defined and the
	// number of sessions is unconstrained.
	MaxSessions() int64

	// SessionPolicySets returns the list of SessionPolicySets for all roles.
	SessionPolicySets() []*types.SessionTrackerPolicySet

	// GetAllLogins returns all valid unix logins for the AccessChecker.
	GetAllLogins() []string

	// GetAllowedResourceIDs returns the list of allowed resources the identity for
	// the AccessChecker is allowed to access. An empty or nil list indicates that
	// there are no resource-specific restrictions.
	GetAllowedResourceIDs() []types.ResourceID

	// SessionRecordingMode returns the recording mode for a specific service.
	SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

	// HostUsers returns host user information matching a server or nil if
	// a role disallows host user creation
	HostUsers(types.Server) (*HostUsersInfo, error)

	// PinSourceIP forces the same client IP for certificate generation and SSH usage
	PinSourceIP() bool

	// MFAParams returns MFA params for the given use given their roles, the cluster
	// auth preference, and whether mfa has been verified.
	MFAParams(authPrefMFARequirement types.RequireMFAType) AccessMFAParams
	// PrivateKeyPolicy returns the enforced private key policy for this role set,
	// or the provided defaultPolicy - whichever is stricter.
	PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy
}

AccessChecker interface checks access to resources based on roles, traits, and allowed resources

func NewAccessChecker

func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)

NewAccessChecker returns a new AccessChecker which can be used to check access to resources. Args:

  • `info *AccessInfo` should hold the roles, traits, and allowed resource IDs for the identity.
  • `localCluster string` should be the name of the local cluster in which access will be checked. You cannot check for access to resources in remote clusters.
  • `access RoleGetter` should be a RoleGetter which will be used to fetch the full RoleSet

func NewAccessCheckerWithRoleSet

func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker

NewAccessCheckerWithRoleSet is similar to NewAccessChecker, but accepts the full RoleSet rather than a RoleGetter.

type AccessInfo

type AccessInfo struct {
	// Roles is the list of cluster local roles for the identity.
	Roles []string
	// Traits is the set of traits for the identity.
	Traits wrappers.Traits
	// AllowedResourceIDs is the list of resource IDs the identity is allowed to
	// access. A nil or empty list indicates that no resource-specific
	// access restrictions should be applied. Used for search-based access
	// requests.
	AllowedResourceIDs []types.ResourceID
}

AccessInfo hold information about an identity necessary to check whether that identity has access to cluster resources. This info can come from a user or host SSH certificate, TLS certificate, or user information stored in the backend.

func AccessInfoFromLocalCertificate

func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)

AccessInfoFromLocalCertificate returns a new AccessInfo populated from the given ssh certificate. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromLocalIdentity

func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)

AccessInfoFromLocalIdentity returns a new AccessInfo populated from the given tlsca.Identity. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromRemoteCertificate

func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteCertificate returns a new AccessInfo populated from the given remote cluster user's ssh certificate. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromRemoteIdentity

func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteIdentity returns a new AccessInfo populated from the given remote cluster user's tlsca.Identity. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromUser

func AccessInfoFromUser(user types.User) *AccessInfo

AccessInfoFromUser return a new AccessInfo populated from the roles and traits held be the given user. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests).

type AccessMFAParams

type AccessMFAParams struct {
	// Required determines whether a user's MFA requirement dynamically changes based on
	// their active role (per-role), or is static across all roles (always/never).
	Required MFARequired
	// Verified is set when MFA has been verified by the caller.
	Verified bool
}

AccessMFAParams contains MFA-related parameters for methods that check access.

type AcquireSemaphoreWithRetryConfig

type AcquireSemaphoreWithRetryConfig struct {
	Service types.Semaphores
	Request types.AcquireSemaphoreRequest
	Retry   retryutils.LinearConfig
}

AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a semaphore with a retry.

type AppGetter

type AppGetter interface {
	// GetApps returns all application resources.
	GetApps(context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}

AppGetter defines interface for fetching application resources.

type AppSession

type AppSession interface {
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// GetAppSessions gets all application web sessions.
	GetAppSessions(context.Context) ([]types.WebSession, error)
	// UpsertAppSession upserts an application web session.
	UpsertAppSession(context.Context, types.WebSession) error
	// DeleteAppSession removes an application web session.
	DeleteAppSession(context.Context, types.DeleteAppSessionRequest) error
	// DeleteAllAppSessions removes all application web sessions.
	DeleteAllAppSessions(context.Context) error
	// DeleteUserAppSessions deletes all user’s application sessions.
	DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
}

AppSession defines application session features.

type AppWatcher

type AppWatcher struct {
	// contains filtered or unexported fields
}

AppWatcher is built on top of resourceWatcher to monitor application resources.

func NewAppWatcher

func NewAppWatcher(ctx context.Context, cfg AppWatcherConfig) (*AppWatcher, error)

NewAppWatcher returns a new instance of AppWatcher.

func (AppWatcher) Close

func (p AppWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (AppWatcher) Done

func (p AppWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (AppWatcher) IsInitialized

func (p AppWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (AppWatcher) WaitInitialization

func (p AppWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type AppWatcherConfig

type AppWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AppGetter is responsible for fetching application resources.
	AppGetter
	// AppsC receives up-to-date list of all application resources.
	AppsC chan types.Apps
}

AppWatcherConfig is an AppWatcher configuration.

func (*AppWatcherConfig) CheckAndSetDefaults

func (cfg *AppWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Apps

type Apps interface {
	// AppGetter provides methods for fetching application resources.
	AppGetter
	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error
	// DeleteAllApps removes all database resources.
	DeleteAllApps(context.Context) error
}

Apps defines an interface for managing application resources.

type AuthorityGetter

type AuthorityGetter interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...MarshalOption) ([]types.CertAuthority, error)
}

AuthorityGetter defines interface for fetching cert authority resources.

type AzureMatcher

type AzureMatcher struct {
	// Subscriptions are Azure subscriptions to query for resources.
	Subscriptions []string
	// ResourceGroups are Azure resource groups to query for resources.
	ResourceGroups []string
	// Types are Azure resource types to match, for example "mysql" or "postgres".
	Types []string
	// Regions are Azure regions to query for databases.
	Regions []string
	// ResourceTags are Azure tags to match.
	ResourceTags types.Labels
}

AzureMatcher matches Azure databases.

type BoolPredicateParser

type BoolPredicateParser interface {
	predicate.Parser
	EvalBoolPredicate(string) (bool, error)
}

BoolPredicateParser extends predicate.Parser with a convenience method for evaluating bool predicates.

func NewJSONBoolParser

func NewJSONBoolParser(ctx interface{}) (BoolPredicateParser, error)

NewJSONBoolParser returns a generic parser for boolean expressions based on a json-serializable context.

func NewResourceParser

func NewResourceParser(resource types.ResourceWithLabels) (BoolPredicateParser, error)

NewResourceParser returns a parser made for boolean expressions based on a json-serialiable resource. Customized to allow short identifiers common in all resources:

  • shorthand `name` refers to `resource.spec.hostname` for node resources or it refers to `resource.metadata.name` for all other resources eg: `name == "app-name-jenkins"`
  • shorthand `labels` refers to resource `resource.metadata.labels + resource.spec.dynamic_labels` eg: `labels.env == "prod"`

All other fields can be referenced by starting expression with identifier `resource` followed by the names of the json fields ie: `resource.spec.public_addr`.

type CertAuthorityWatcher

type CertAuthorityWatcher struct {
	// contains filtered or unexported fields
}

CertAuthorityWatcher is built on top of resourceWatcher to monitor cert authority resources.

func NewCertAuthorityWatcher

func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig) (*CertAuthorityWatcher, error)

NewCertAuthorityWatcher returns a new instance of CertAuthorityWatcher.

func (CertAuthorityWatcher) Close

func (p CertAuthorityWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (CertAuthorityWatcher) Done

func (p CertAuthorityWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (CertAuthorityWatcher) IsInitialized

func (p CertAuthorityWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (CertAuthorityWatcher) Subscribe

func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (CertAuthorityWatcher) WaitInitialization

func (p CertAuthorityWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type CertAuthorityWatcherConfig

type CertAuthorityWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AuthorityGetter is responsible for fetching cert authority resources.
	AuthorityGetter
	// Types restricts which cert authority types are retrieved via the AuthorityGetter.
	Types []types.CertAuthType
}

CertAuthorityWatcherConfig is a CertAuthorityWatcher configuration.

func (*CertAuthorityWatcherConfig) CheckAndSetDefaults

func (cfg *CertAuthorityWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type ChangePasswordReq

type ChangePasswordReq struct {
	// User is user ID
	User string
	// OldPassword is user current password
	OldPassword []byte `json:"old_password"`
	// NewPassword is user new password
	NewPassword []byte `json:"new_password"`
	// SecondFactorToken is user 2nd factor token
	SecondFactorToken string `json:"second_factor_token"`
	// WebauthnResponse is Webauthn sign response
	WebauthnResponse *wanlib.CredentialAssertionResponse `json:"webauthn_response"`
}

ChangePasswordReq defines a request to change user password

type ClusterConfiguration

type ClusterConfiguration interface {
	// SetClusterName gets services.ClusterName from the backend.
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// SetClusterName sets services.ClusterName on the backend.
	SetClusterName(types.ClusterName) error
	// UpsertClusterName upserts cluster name
	UpsertClusterName(types.ClusterName) error

	// DeleteClusterName deletes cluster name resource
	DeleteClusterName() error

	// GetStaticTokens gets services.StaticTokens from the backend.
	GetStaticTokens() (types.StaticTokens, error)
	// SetStaticTokens sets services.StaticTokens on the backend.
	SetStaticTokens(types.StaticTokens) error
	// DeleteStaticTokens deletes static tokens resource
	DeleteStaticTokens() error

	// GetAuthPreference gets types.AuthPreference from the backend.
	GetAuthPreference(context.Context) (types.AuthPreference, error)
	// SetAuthPreference sets types.AuthPreference from the backend.
	SetAuthPreference(context.Context, types.AuthPreference) error
	// DeleteAuthPreference deletes types.AuthPreference from the backend.
	DeleteAuthPreference(ctx context.Context) error

	// GetSessionRecordingConfig gets SessionRecordingConfig from the backend.
	GetSessionRecordingConfig(context.Context, ...MarshalOption) (types.SessionRecordingConfig, error)
	// SetSessionRecordingConfig sets SessionRecordingConfig from the backend.
	SetSessionRecordingConfig(context.Context, types.SessionRecordingConfig) error
	// DeleteSessionRecordingConfig deletes SessionRecordingConfig from the backend.
	DeleteSessionRecordingConfig(ctx context.Context) error

	// GetClusterAuditConfig gets ClusterAuditConfig from the backend.
	GetClusterAuditConfig(context.Context, ...MarshalOption) (types.ClusterAuditConfig, error)
	// SetClusterAuditConfig sets ClusterAuditConfig from the backend.
	SetClusterAuditConfig(context.Context, types.ClusterAuditConfig) error
	// DeleteClusterAuditConfig deletes ClusterAuditConfig from the backend.
	DeleteClusterAuditConfig(ctx context.Context) error

	// GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend.
	GetClusterNetworkingConfig(context.Context, ...MarshalOption) (types.ClusterNetworkingConfig, error)
	// SetClusterNetworkingConfig sets ClusterNetworkingConfig from the backend.
	SetClusterNetworkingConfig(context.Context, types.ClusterNetworkingConfig) error
	// DeleteClusterNetworkingConfig deletes ClusterNetworkingConfig from the backend.
	DeleteClusterNetworkingConfig(ctx context.Context) error

	// GetInstallers gets all installer scripts from the backend
	GetInstallers(context.Context) ([]types.Installer, error)
	// GetInstaller gets the installer script from the backend
	GetInstaller(ctx context.Context, name string) (types.Installer, error)
	// SetInstaller sets the installer script in the backend
	SetInstaller(context.Context, types.Installer) error
	// DeleteInstaller removes the installer script from the backend
	DeleteInstaller(ctx context.Context, name string) error
	// DeleteAllInstallers removes all installer script resources from the backend
	DeleteAllInstallers(context.Context) error
}

ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.

type CommandLabels

type CommandLabels map[string]types.CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) Clone

func (c *CommandLabels) Clone() CommandLabels

Clone returns copy of the set

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type ConnectionDiagnosticTraceAppender

type ConnectionDiagnosticTraceAppender interface {
	// AppendDiagnosticTrace atomically adds a new trace into the ConnectionDiagnostic.
	AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
}

ConnectionDiagnosticTraceAppender specifies methods to add Traces into a DiagnosticConnection

type ConnectionsDiagnostic

type ConnectionsDiagnostic interface {
	// CreateConnectionDiagnostic creates a new Connection Diagnostic
	CreateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// UpdateConnectionDiagnostic updates a Connection Diagnostic
	UpdateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// GetConnectionDiagnostic receives a name and returns the Connection Diagnostic matching that name
	//
	// If not found, a `trace.NotFound` error is returned
	GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

	// ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics.
	ConnectionDiagnosticTraceAppender
}

ConnectionsDiagnostic defines an interface for managing Connection Diagnostics.

type Context

type Context struct {
	// User is currently authenticated user
	User types.User
	// Resource is an optional resource, in case if the rule
	// checks access to the resource
	Resource types.Resource
	// Session is an optional session.end or windows.desktop.session.end event.
	// These events hold information about session recordings.
	Session events.AuditEvent
	// SSHSession is an optional (active) SSH session.
	SSHSession *session.Session
	// HostCert is an optional host certificate.
	HostCert *HostCertContext
	// SessionTracker is an optional session tracker, in case if the rule checks access to the tracker.
	SessionTracker types.SessionTracker
}

Context is a default rule context used in teleport

func (*Context) GetIdentifier

func (ctx *Context) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier returns identifier defined in a context

func (*Context) GetResource

func (ctx *Context) GetResource() (types.Resource, error)

GetResource returns resource specified in the context, returns error if not specified.

func (*Context) String

func (ctx *Context) String() string

String returns user friendly representation of this context

type CurrentUserRoleGetter

type CurrentUserRoleGetter interface {
	GetCurrentUser(context.Context) (types.User, error)
	GetCurrentUserRoles(context.Context) ([]types.Role, error)
	RoleGetter
}

CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchAllClusterRoles.

type DatabaseGetter

type DatabaseGetter interface {
	// GetDatabases returns all database resources.
	GetDatabases(context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}

DatabaseGetter defines interface for fetching database resources.

type DatabaseNameMatcher

type DatabaseNameMatcher struct {
	Name string
}

DatabaseNameMatcher matches a role against database name.

func (*DatabaseNameMatcher) Match

func (m *DatabaseNameMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database name against provided role and condition.

func (*DatabaseNameMatcher) String

func (m *DatabaseNameMatcher) String() string

String returns the matcher's string representation.

type DatabaseUserMatcher

type DatabaseUserMatcher struct {
	User string
}

DatabaseUserMatcher matches a role against database account name.

func (*DatabaseUserMatcher) Match

func (m *DatabaseUserMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database account name against provided role and condition.

func (*DatabaseUserMatcher) String

func (m *DatabaseUserMatcher) String() string

String returns the matcher's string representation.

type DatabaseWatcher

type DatabaseWatcher struct {
	// contains filtered or unexported fields
}

DatabaseWatcher is built on top of resourceWatcher to monitor database resources.

func NewDatabaseWatcher

func NewDatabaseWatcher(ctx context.Context, cfg DatabaseWatcherConfig) (*DatabaseWatcher, error)

NewDatabaseWatcher returns a new instance of DatabaseWatcher.

func (DatabaseWatcher) Close

func (p DatabaseWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (DatabaseWatcher) Done

func (p DatabaseWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (DatabaseWatcher) IsInitialized

func (p DatabaseWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (DatabaseWatcher) WaitInitialization

func (p DatabaseWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type DatabaseWatcherConfig

type DatabaseWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// DatabaseGetter is responsible for fetching database resources.
	DatabaseGetter
	// DatabasesC receives up-to-date list of all database resources.
	DatabasesC chan types.Databases
}

DatabaseWatcherConfig is a DatabaseWatcher configuration.

func (*DatabaseWatcherConfig) CheckAndSetDefaults

func (cfg *DatabaseWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Databases

type Databases interface {
	// DatabaseGetter provides methods for fetching database resources.
	DatabaseGetter
	// CreateDatabase creates a new database resource.
	CreateDatabase(context.Context, types.Database) error
	// UpdateDatabase updates an existing database resource.
	UpdateDatabase(context.Context, types.Database) error
	// DeleteDatabase removes the specified database resource.
	DeleteDatabase(ctx context.Context, name string) error
	// DeleteAllDatabases removes all database resources.
	DeleteAllDatabases(context.Context) error
}

Databases defines an interface for managing database resources.

type DynamicAccess

type DynamicAccess interface {
	DynamicAccessCore
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
	// SubmitAccessReview applies a review to a request and returns the post-application state.
	SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
}

DynamicAccess is a service which manages dynamic RBAC. Specifically, this is the dynamic access interface implemented by remote clients.

type DynamicAccessCore

type DynamicAccessCore interface {
	// CreateAccessRequest stores a new access request.
	CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
	// GetAccessRequests gets all currently active access requests.
	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
	// DeleteAccessRequest deletes an access request.
	DeleteAccessRequest(ctx context.Context, reqID string) error
	// GetPluginData loads all plugin data matching the supplied filter.
	GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
	// UpdatePluginData updates a per-resource PluginData entry.
	UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
}

DynamicAccessCore is the core functionality common to all DynamicAccess implementations.

type DynamicAccessExt

type DynamicAccessExt interface {
	DynamicAccessCore
	// ApplyAccessReview applies a review to a request in the backend and returns the post-application state.
	ApplyAccessReview(ctx context.Context, params types.AccessReviewSubmission, checker ReviewPermissionChecker) (types.AccessRequest, error)
	// UpsertAccessRequest creates or updates an access request.
	UpsertAccessRequest(ctx context.Context, req types.AccessRequest) error
	// DeleteAllAccessRequests deletes all existent access requests.
	DeleteAllAccessRequests(ctx context.Context) error
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) (types.AccessRequest, error)
}

DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.

type DynamicAccessOracle

type DynamicAccessOracle interface {
	GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
}

DynamicAccessOracle is a service capable of answering questions related to the dynamic access API. Necessary because some information (e.g. the list of roles a user is allowed to request) can not be calculated by actors with limited privileges.

type EmptyResource

type EmptyResource struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata types.Metadata `json:"metadata"`
}

EmptyResource is used to represent a use case when no resource is specified in the rules matcher

func (*EmptyResource) CheckAndSetDefaults

func (r *EmptyResource) CheckAndSetDefaults() error

func (*EmptyResource) Expiry

func (r *EmptyResource) Expiry() time.Time

Expiry returns the expiry time for the object.

func (*EmptyResource) GetKind

func (r *EmptyResource) GetKind() string

GetKind returns resource kind

func (*EmptyResource) GetMetadata

func (r *EmptyResource) GetMetadata() types.Metadata

GetMetadata returns role metadata.

func (*EmptyResource) GetName

func (r *EmptyResource) GetName() string

GetName gets the role name and is a shortcut for GetMetadata().Name.

func (*EmptyResource) GetResourceID

func (r *EmptyResource) GetResourceID() int64

GetResourceID returns resource ID

func (*EmptyResource) GetSubKind

func (r *EmptyResource) GetSubKind() string

GetSubKind returns resource sub kind

func (*EmptyResource) GetVersion

func (r *EmptyResource) GetVersion() string

GetVersion returns resource version

func (*EmptyResource) SetExpiry

func (r *EmptyResource) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object.

func (*EmptyResource) SetName

func (r *EmptyResource) SetName(s string)

SetName sets the role name and is a shortcut for SetMetadata().Name.

func (*EmptyResource) SetResourceID

func (r *EmptyResource) SetResourceID(id int64)

SetResourceID sets resource ID

func (*EmptyResource) SetSubKind

func (r *EmptyResource) SetSubKind(s string)

SetSubKind sets resource subkind

type Enforcer

type Enforcer interface {
	// GetLicenseCheckResult returns the license status in a heartbeat.
	GetLicenseCheckResult(ctx context.Context) (*types.Heartbeat, error)
}

Enforcer defines interface for fetching license status.

type EnumerationResult

type EnumerationResult struct {
	// contains filtered or unexported fields
}

EnumerationResult is a result of enumerating a role set against some property, e.g. allowed names or logins.

func NewEnumerationResult

func NewEnumerationResult() EnumerationResult

NewEnumerationResult returns new EnumerationResult.

func (*EnumerationResult) Allowed

func (result *EnumerationResult) Allowed() []string

Allowed returns all known allowed users.

func (*EnumerationResult) Denied

func (result *EnumerationResult) Denied() []string

Denied returns all explicitly denied users.

func (*EnumerationResult) WildcardAllowed

func (result *EnumerationResult) WildcardAllowed() bool

WildcardAllowed is true if there * username allowed for given rule set.

func (*EnumerationResult) WildcardDenied

func (result *EnumerationResult) WildcardDenied() bool

WildcardDenied is true if there * username deny for given rule set.

type Fanout

type Fanout struct {
	// contains filtered or unexported fields
}

Fanout is a helper which allows a stream of events to be fanned-out to many watchers. Used by the cache layer to forward events.

func NewFanout

func NewFanout(eventsCh ...chan FanoutEvent) *Fanout

NewFanout creates a new Fanout instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.

func (*Fanout) Close

func (f *Fanout) Close()

Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.

func (*Fanout) Emit

func (f *Fanout) Emit(events ...types.Event)

Emit broadcasts events to all matching watchers that have been attached to this fanout instance.

func (*Fanout) Len

func (f *Fanout) Len() int

Len returns a total count of watchers

func (*Fanout) NewWatcher

func (f *Fanout) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher attaches a new watcher to this fanout instance.

func (*Fanout) Reset

func (f *Fanout) Reset()

Reset closes all attached watchers and places the fanout instance into an uninitialized state. Reset may be called on an uninitialized fanout instance to remove "queued" watchers.

func (*Fanout) SetInit

func (f *Fanout) SetInit()

SetInit sets Fanout into an initialized state, sending OpInit events to any watchers which were added prior to initialization.

type FanoutEvent

type FanoutEvent struct {
	// Kind is event kind
	Kind int
}

FanoutEvent is used in tests

type FanoutSet

type FanoutSet struct {
	// contains filtered or unexported fields
}

FanoutSet is a collection of separate Fanout instances. It exposes an identical API, and "load balances" watcher registration across the enclosed instances. In very large clusters it is possible for tens of thousands of nodes to simultaneously request watchers. This can cause serious contention issues. FanoutSet is a simple but effective solution to that problem.

func NewFanoutSet

func NewFanoutSet() *FanoutSet

NewFanoutSet creates a new FanoutSet instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.

func (*FanoutSet) Close

func (s *FanoutSet) Close()

Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.

func (*FanoutSet) Emit

func (s *FanoutSet) Emit(events ...types.Event)

Emit broadcasts events to all matching watchers that have been attached to this fanout set.

func (*FanoutSet) NewWatcher

func (s *FanoutSet) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher attaches a new watcher to a fanout instance.

func (*FanoutSet) Reset

func (s *FanoutSet) Reset()

Reset closes all attached watchers and places the fanout instances into an uninitialized state. Reset may be called on an uninitialized fanout set to remove "queued" watchers.

func (*FanoutSet) SetInit

func (s *FanoutSet) SetInit()

SetInit sets the Fanout instances into an initialized state, sending OpInit events to any watchers which were added prior to initialization.

type GCPMatcher

type GCPMatcher struct {
	// Types are GKE resource types to match: "gke".
	Types []string `yaml:"types,omitempty"`
	// Locations are GCP locations to search resources for.
	Locations []string `yaml:"locations,omitempty"`
	// Tags are GCP labels to match.
	Tags types.Labels `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project IDs where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
}

GCPMatcher matches GCP resources.

type GithubAuthConverter

type GithubAuthConverter func(types.GithubConnector) (*types.GithubConnectorV3, error)

GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.

type GithubAuthCreator

type GithubAuthCreator func(string, types.GithubConnectorSpecV3) (types.GithubConnector, error)

GithubAuthCreator creates a new GitHub connector.

type GithubAuthInitializer

type GithubAuthInitializer func(types.GithubConnector) (types.GithubConnector, error)

GithubAuthInitializer initializes a GitHub auth connector.

type HostCertContext

type HostCertContext struct {
	// HostID is the host ID in the cert request.
	HostID string `json:"host_id"`
	// NodeName is the node name in the cert request.
	NodeName string `json:"node_name"`
	// Principals is the list of requested certificate principals.
	Principals []string `json:"principals"`
	// ClusterName is the name of the cluster for which the certificate should
	// be issued.
	ClusterName string `json:"cluster_name"`
	// Role is the name of the Teleport role for which the cert should be
	// issued.
	Role types.SystemRole `json:"role"`
	// TTL is the requested certificate TTL.
	TTL time.Duration `json:"ttl"`
}

HostCertContext is used to evaluate the `where` condition on a `host_cert` pseudo-resource. These resources only exist for RBAC purposes and do not exist in the database.

type HostCertParams

type HostCertParams struct {
	// CASigner is the signer that will sign the public key of the host with the CA private key.
	CASigner ssh.Signer
	// PublicHostKey is the public key of the host
	PublicHostKey []byte
	// HostID is used by Teleport to uniquely identify a node within a cluster
	HostID string
	// Principals is a list of additional principals to add to the certificate.
	Principals []string
	// NodeName is the DNS name of the node
	NodeName string
	// ClusterName is the name of the cluster within which a node lives
	ClusterName string
	// Role identifies the role of a Teleport instance
	Role types.SystemRole
	// TTL defines how long a certificate is valid for
	TTL time.Duration
}

HostCertParams defines all parameters needed to generate a host certificate

func (HostCertParams) Check

func (c HostCertParams) Check() error

Check checks parameters for errors

type HostUsersInfo

type HostUsersInfo struct {
	// Groups is the list of groups to include host users in
	Groups []string
	// Sudoers is a list of entries for a users sudoers file
	Sudoers []string
}

HostUsersInfo keeps information about groups and sudoers entries for a particular host user

type Identity

type Identity interface {
	// CreateUser creates user, only if the user entry does not exist
	CreateUser(user types.User) error

	// UsersService implements most methods
	UsersService

	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error

	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)

	// DeleteUserLoginAttempts removes all login attempts of a user. Should be
	// called after successful login.
	DeleteUserLoginAttempts(user string) error

	// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserByGithubIdentity returns a user by its specified Github identity
	GetUserByGithubIdentity(id types.ExternalIdentity) (types.User, error)

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid.
	UpsertUsedTOTPToken(user string, otpToken string) error

	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)

	// UpsertPassword upserts new password and OTP token
	UpsertPassword(user string, password []byte) error

	// UpsertWebauthnLocalAuth creates or updates the local auth configuration for
	// Webauthn.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	// Automatically indexes the WebAuthn user ID for lookup by
	// GetTeleportUserByWebauthnID.
	UpsertWebauthnLocalAuth(ctx context.Context, user string, wla *types.WebauthnLocalAuth) error

	// GetWebauthnLocalAuth retrieves the existing local auth configuration for
	// Webauthn, if any.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	GetWebauthnLocalAuth(ctx context.Context, user string) (*types.WebauthnLocalAuth, error)

	// GetTeleportUserByWebauthnID reads a Teleport username from a WebAuthn user
	// ID (aka user handle).
	// See UpsertWebauthnLocalAuth and types.WebauthnLocalAuth.
	GetTeleportUserByWebauthnID(ctx context.Context, webID []byte) (string, error)

	// UpsertWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication or
	// registration challenge.
	// Session data is expected to expire according to backend settings.
	UpsertWebauthnSessionData(ctx context.Context, user, sessionID string, sd *wantypes.SessionData) error

	// GetWebauthnSessionData retrieves a previously-stored session data by ID,
	// if it exists and has not expired.
	GetWebauthnSessionData(ctx context.Context, user, sessionID string) (*wantypes.SessionData, error)

	// DeleteWebauthnSessionData deletes session data by ID, if it exists and has
	// not expired.
	DeleteWebauthnSessionData(ctx context.Context, user, sessionID string) error

	// UpsertGlobalWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication challenge.
	// Session data is expected to expire according to backend settings.
	// Used for passwordless challenges.
	UpsertGlobalWebauthnSessionData(ctx context.Context, scope, id string, sd *wantypes.SessionData) error

	// GetGlobalWebauthnSessionData retrieves previously-stored session data by ID,
	// if it exists and has not expired.
	// Used for passwordless challenges.
	GetGlobalWebauthnSessionData(ctx context.Context, scope, id string) (*wantypes.SessionData, error)

	// DeleteGlobalWebauthnSessionData deletes session data by ID, if it exists
	// and has not expired.
	DeleteGlobalWebauthnSessionData(ctx context.Context, scope, id string) error

	// UpsertMFADevice upserts an MFA device for the user.
	UpsertMFADevice(ctx context.Context, user string, d *types.MFADevice) error

	// GetMFADevices gets all MFA devices for the user.
	GetMFADevices(ctx context.Context, user string, withSecrets bool) ([]*types.MFADevice, error)

	// DeleteMFADevice deletes an MFA device for the user by ID.
	DeleteMFADevice(ctx context.Context, user, id string) error

	// UpsertOIDCConnector upserts OIDC Connector
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(ctx context.Context, connectorID string) error

	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)

	// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error)

	// UpsertSAMLConnector upserts SAML Connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

	// DeleteSAMLConnector deletes OIDC Connector
	DeleteSAMLConnector(ctx context.Context, connectorID string) error

	// GetSAMLConnector returns OIDC connector data, withSecrets adds or removes secrets from return results
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)

	// GetSAMLConnectors returns registered connectors, withSecrets adds or removes secret from return results
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

	// CreateSAMLAuthRequest creates new auth request
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest, ttl time.Duration) error

	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

	// CreateSSODiagnosticInfo creates new SSO diagnostic info record.
	CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error

	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

	// UpsertGithubConnector creates or updates a new Github connector
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

	// GetGithubConnector returns a Github connector by its name
	GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

	// DeleteGithubConnector deletes a Github connector by its name
	DeleteGithubConnector(ctx context.Context, name string) error

	// CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) error

	// GetGithubAuthRequest retrieves Github auth request by the token
	GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

	// CreateUserToken creates a new user token.
	CreateUserToken(ctx context.Context, token types.UserToken) (types.UserToken, error)

	// DeleteUserToken deletes a user token.
	DeleteUserToken(ctx context.Context, tokenID string) error

	// GetUserTokens returns all user tokens.
	GetUserTokens(ctx context.Context) ([]types.UserToken, error)

	// GetUserToken returns a user token by id.
	GetUserToken(ctx context.Context, tokenID string) (types.UserToken, error)

	// UpsertUserTokenSecrets upserts a user token secrets.
	UpsertUserTokenSecrets(ctx context.Context, secrets types.UserTokenSecrets) error

	// GetUserTokenSecrets returns a user token secrets.
	GetUserTokenSecrets(ctx context.Context, tokenID string) (types.UserTokenSecrets, error)

	// UpsertRecoveryCodes upserts a user's new recovery codes.
	UpsertRecoveryCodes(ctx context.Context, user string, recovery *types.RecoveryCodesV1) error

	// GetRecoveryCodes gets a user's recovery codes.
	GetRecoveryCodes(ctx context.Context, user string, withSecrets bool) (*types.RecoveryCodesV1, error)

	// CreateUserRecoveryAttempt logs user recovery attempt.
	CreateUserRecoveryAttempt(ctx context.Context, user string, attempt *types.RecoveryAttempt) error

	// GetUserRecoveryAttempts returns user recovery attempts sorted by oldest to latest time.
	GetUserRecoveryAttempts(ctx context.Context, user string) ([]*types.RecoveryAttempt, error)

	// DeleteUserRecoveryAttempts removes all recovery attempts of a user.
	DeleteUserRecoveryAttempts(ctx context.Context, user string) error

	// UpsertKeyAttestationData upserts a verified public key attestation response.
	UpsertKeyAttestationData(ctx context.Context, attestationData *keys.AttestationData, ttl time.Duration) error

	// GetKeyAttestationData gets a verified public key attestation response.
	GetKeyAttestationData(ctx context.Context, publicKey crypto.PublicKey) (*keys.AttestationData, error)

	types.WebSessionsGetter
	types.WebTokensGetter

	// AppSession defines application session features.
	AppSession
	// SnowflakeSession defines Snowflake session features.
	SnowflakeSession
}

Identity is responsible for managing user entries and external identities

type InstallerParams

type InstallerParams struct {
	// JoinMethod is the method to use when joining the cluster
	JoinMethod types.JoinMethod
	// JoinToken is the token to use when joining the cluster
	JoinToken string
	// ScriptName is the name of the teleport script for the EC2
	// instance to execute
	ScriptName string
}

InstallerParams are passed to the AWS SSM document

type KubeClusterWatcher

type KubeClusterWatcher struct {
	// contains filtered or unexported fields
}

KubeClusterWatcher is built on top of resourceWatcher to monitor kube_cluster resources.

func NewKubeClusterWatcher

func NewKubeClusterWatcher(ctx context.Context, cfg KubeClusterWatcherConfig) (*KubeClusterWatcher, error)

NewKubeClusterWatcher returns a new instance of KubeClusterWatcher.

func (KubeClusterWatcher) Close

func (p KubeClusterWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (KubeClusterWatcher) Done

func (p KubeClusterWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (KubeClusterWatcher) IsInitialized

func (p KubeClusterWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (KubeClusterWatcher) WaitInitialization

func (p KubeClusterWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type KubeClusterWatcherConfig

type KubeClusterWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// KubernetesGetter is responsible for fetching kube_cluster resources.
	KubernetesGetter
	// KubeClustersC receives up-to-date list of all kube_cluster resources.
	KubeClustersC chan types.KubeClusters
}

KubeClusterWatcherConfig is an KubeClusterWatcher configuration.

func (*KubeClusterWatcherConfig) CheckAndSetDefaults

func (cfg *KubeClusterWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Kubernetes

type Kubernetes interface {
	// KubernetesGetter provides methods for fetching kubernetes resources.
	KubernetesGetter
	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(context.Context, types.KubeCluster) error
	// UpdateKubernetesCluster updates an existing kubernetes cluster resource.
	UpdateKubernetesCluster(context.Context, types.KubeCluster) error
	// DeleteKubernetesCluster removes the specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// DeleteAllKubernetesClusters removes all kubernetes resources.
	DeleteAllKubernetesClusters(context.Context) error
}

Kubernetes defines an interface for managing kubernetes clusters resources.

type KubernetesGetter

type KubernetesGetter interface {
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

KubernetesGetter defines interface for fetching kubernetes cluster resources.

type ListResourcesRequestOption

type ListResourcesRequestOption func(*proto.ListResourcesRequest)

type LockGetter

type LockGetter interface {
	// GetLock gets a lock by name.
	GetLock(ctx context.Context, name string) (types.Lock, error)
	// GetLocks gets all/in-force locks that match at least one of the targets when specified.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
}

LockGetter is a service that gets locks.

type LockWatcher

type LockWatcher struct {
	// contains filtered or unexported fields
}

LockWatcher is built on top of resourceWatcher to monitor changes to locks.

func NewLockWatcher

func NewLockWatcher(ctx context.Context, cfg LockWatcherConfig) (*LockWatcher, error)

NewLockWatcher returns a new instance of LockWatcher.

func (LockWatcher) CheckLockInForce

func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error

CheckLockInForce returns an AccessDenied error if there is a lock in force matching at at least one of the targets.

func (LockWatcher) Close

func (p LockWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (LockWatcher) Done

func (p LockWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (LockWatcher) GetCurrent

func (p LockWatcher) GetCurrent() []types.Lock

GetCurrent returns the currently stored locks.

func (LockWatcher) IsInitialized

func (p LockWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (LockWatcher) Subscribe

func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (LockWatcher) WaitInitialization

func (p LockWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type LockWatcherConfig

type LockWatcherConfig struct {
	ResourceWatcherConfig
	LockGetter
}

LockWatcherConfig is a LockWatcher configuration.

func (*LockWatcherConfig) CheckAndSetDefaults

func (cfg *LockWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type LogAction

type LogAction struct {
	// contains filtered or unexported fields
}

LogAction represents action that will emit log entry when specified in the actions of a matched rule

func (*LogAction) Log

func (l *LogAction) Log(level, format string, args ...interface{}) predicate.BoolPredicate

Log logs with specified level and formatting string with arguments

type LoginAttempt

type LoginAttempt struct {
	// Time is time of the attempt
	Time time.Time `json:"time"`
	// Success indicates whether attempt was successful
	Success bool `json:"bool"`
}

LoginAttempt represents successful or unsuccessful attempt for user to login

func (*LoginAttempt) Check

func (la *LoginAttempt) Check() error

Check checks parameters

type MFARequired

type MFARequired string

MFARequired determines when MFA is required for a user to access a resource.

const (
	// MFARequiredNever means that MFA is never required for any sessions started by this user. This either
	// means both the cluster auth preference and all roles have per-session MFA off, or at least one of
	// those resources has "require_session_mfa: hardware_key_touch", which overrides per-session MFA.
	MFARequiredNever MFARequired = "never"
	// MFARequiredAlways means that MFA is required for all sessions started by a user. This either
	// means that the cluster auth preference requires per-session MFA, or all of the user's roles require
	// per-session MFA
	MFARequiredAlways MFARequired = "always"
	// MFARequiredPerRole means that MFA requirement is based on which of the user's roles
	// provides access to the session in question.
	MFARequiredPerRole MFARequired = "per-role"
)

type MarshalConfig

type MarshalConfig struct {
	// Version specifies particular version we should marshal resources with
	Version string

	// ID is a record ID to assign
	ID int64

	// PreserveResourceID preserves resource IDs in resource
	// specs when marshaling
	PreserveResourceID bool

	// Expires is an optional expiry time
	Expires time.Time
}

MarshalConfig specifies marshaling options

func CollectOptions

func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)

CollectOptions collects all options from functional arg and returns config

func (*MarshalConfig) GetVersion

func (m *MarshalConfig) GetVersion() string

GetVersion returns explicitly provided version or sets latest as default

type MarshalOption

type MarshalOption func(c *MarshalConfig) error

MarshalOption sets marshaling option

func AddOptions

func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption

AddOptions adds marshal options and returns a new copy

func PreserveResourceID

func PreserveResourceID() MarshalOption

PreserveResourceID preserves resource ID when marshaling value

func WithExpires

func WithExpires(expires time.Time) MarshalOption

WithExpires assigns expiry value

func WithResourceID

func WithResourceID(id int64) MarshalOption

WithResourceID assigns ID to the resource

func WithVersion

func WithVersion(v string) MarshalOption

WithVersion sets marshal version

type MatchResourceFilter

type MatchResourceFilter struct {
	// ResourceKind is the resource kind and is used to fine tune the filtering.
	ResourceKind string
	// Labels are the labels to match.
	Labels map[string]string
	// SearchKeywords is a list of search keywords to match.
	SearchKeywords []string
	// PredicateExpression holds boolean conditions that must be matched.
	PredicateExpression string
}

MatchResourceFilter holds the filter values to match against a resource.

type Matcher

type Matcher func(types.ResourceWithLabels) bool

Matcher is used by reconciler to match resources.

type Node

type Node interface {
	// ResourceWithLabels provides common resource headers
	types.ResourceWithLabels
	// GetTeleportVersion returns the teleport version the server is running on
	GetTeleportVersion() string
	// GetAddr return server address
	GetAddr() string
	// GetHostname returns server hostname
	GetHostname() string
	// GetNamespace returns server namespace
	GetNamespace() string
	// GetCmdLabels gets command labels
	GetCmdLabels() map[string]types.CommandLabel
	// GetPublicAddr is an optional field that returns the public address this cluster can be reached at.
	GetPublicAddr() string
	// GetRotation gets the state of certificate authority rotation.
	GetRotation() types.Rotation
	// GetUseTunnel gets if a reverse tunnel should be used to connect to this node.
	GetUseTunnel() bool
	// GetProxyID returns a list of proxy ids this server is connected to.
	GetProxyIDs() []string
}

Node is a readonly subset of the types.Server interface which users may filter by in GetNodes.

type NodeWatcher

type NodeWatcher struct {
	// contains filtered or unexported fields
}

NodeWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of nodes.

func NewNodeWatcher

func NewNodeWatcher(ctx context.Context, cfg NodeWatcherConfig) (*NodeWatcher, error)

NewNodeWatcher returns a new instance of NodeWatcher.

func (NodeWatcher) Close

func (p NodeWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (NodeWatcher) Done

func (p NodeWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (NodeWatcher) GetNodes

func (n NodeWatcher) GetNodes(fn func(n Node) bool) []types.Server

GetNodes allows callers to retrieve a subset of nodes that match the filter provided. The returned servers are a copy and can be safely modified. It is intentionally hard to retrieve the full set of nodes to reduce the number of copies needed since the number of nodes can get quite large and doing so can be expensive.

func (NodeWatcher) IsInitialized

func (p NodeWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (NodeWatcher) NodeCount

func (n NodeWatcher) NodeCount() int

func (NodeWatcher) WaitInitialization

func (p NodeWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type NodeWatcherConfig

type NodeWatcherConfig struct {
	ResourceWatcherConfig
	// NodesGetter is used to directly fetch the list of active nodes.
	NodesGetter
}

NodeWatcherConfig is a NodeWatcher configuration.

func (*NodeWatcherConfig) CheckAndSetDefaults

func (cfg *NodeWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type NodesGetter

type NodesGetter interface {
	// GetNodes returns a list of registered servers.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
}

NodesGetter is a service that gets nodes.

type Presence

type Presence interface {
	// Semaphores is responsible for semaphore handling
	types.Semaphores

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// NodesGetter gets nodes
	NodesGetter

	// DeleteAllNodes deletes all nodes in a namespace.
	DeleteAllNodes(ctx context.Context, namespace string) error

	// DeleteNode deletes node in a namespace
	DeleteNode(ctx context.Context, namespace, name string) error

	// UpsertNode registers node presence, permanently if TTL is 0 or for the
	// specified duration with second resolution if it's >= 1 second.
	UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error)

	// DELETE IN: 5.1.0
	//
	// This logic has been moved to KeepAliveServer.
	//
	// KeepAliveNode updates node TTL in the storage
	KeepAliveNode(ctx context.Context, h types.KeepAlive) error

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]types.Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(server types.Server) error

	// DeleteAuthServer deletes auth server by name
	DeleteAuthServer(name string) error

	// DeleteAllAuthServers deletes all auth servers
	DeleteAllAuthServers() error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(server types.Server) error

	// ProxyGetter gets a list of proxies
	ProxyGetter

	// DeleteProxy deletes proxy by name
	DeleteProxy(name string) error

	// DeleteAllProxies deletes all proxies
	DeleteAllProxies() error

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel types.ReverseTunnel) error

	// GetReverseTunnel returns reverse tunnel by name
	GetReverseTunnel(name string, opts ...MarshalOption) (types.ReverseTunnel, error)

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels(ctx context.Context, opts ...MarshalOption) ([]types.ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error

	// DeleteAllReverseTunnels deletes all reverse tunnels
	DeleteAllReverseTunnels() error

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// DeleteAllNamespaces deletes all namespaces
	DeleteAllNamespaces() error

	// UpsertNamespace upserts namespace
	UpsertNamespace(types.Namespace) error

	// DeleteNamespace deletes namespace by name
	DeleteNamespace(name string) error

	// UpsertTrustedCluster creates or updates a TrustedCluster in the backend.
	UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)

	// GetTrustedCluster returns a single TrustedCluster by name.
	GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

	// GetTrustedClusters returns all TrustedClusters in the backend.
	GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

	// DeleteTrustedCluster removes a TrustedCluster from the backend by name.
	DeleteTrustedCluster(ctx context.Context, name string) error

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(types.TunnelConnection) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]types.TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...MarshalOption) ([]types.TunnelConnection, error)

	// DeleteTunnelConnection deletes tunnel connection by name
	DeleteTunnelConnection(clusterName string, connName string) error

	// DeleteTunnelConnections deletes all tunnel connections for cluster
	DeleteTunnelConnections(clusterName string) error

	// DeleteAllTunnelConnections deletes all tunnel connections for cluster
	DeleteAllTunnelConnections() error

	// CreateRemoteCluster creates a remote cluster
	CreateRemoteCluster(types.RemoteCluster) error

	// UpdateRemoteCluster updates a remote cluster
	UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// DeleteRemoteCluster deletes remote cluster by name
	DeleteRemoteCluster(clusterName string) error

	// DeleteAllRemoteClusters deletes all remote clusters
	DeleteAllRemoteClusters() error

	// UpsertKubeService registers kubernetes service presence.
	// DELETE in 11.0. Deprecated, use UpsertKubeServiceV2
	UpsertKubeService(context.Context, types.Server) error

	// UpsertKubeServiceV2 registers kubernetes service presence
	UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(context.Context, string) ([]types.AppServer, error)
	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)
	// DeleteApplicationServer deletes specified application server.
	DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllApplicationServers removes all registered application servers.
	DeleteAllApplicationServers(context.Context, string) error

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error)
	// UpsertDatabaseServer creates or updates a new database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)
	// DeleteDatabaseServer removes the specified database proxy server.
	DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllDatabaseServers removes all database proxy servers.
	DeleteAllDatabaseServers(context.Context, string) error

	// KeepAliveServer updates TTL of the server resource in the backend.
	KeepAliveServer(ctx context.Context, h types.KeepAlive) error

	// GetKubeServices returns a list of registered kubernetes services.
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// DeleteKubeService deletes a named kubernetes service.
	// DELETE IN 13.0. Deprecated, use DeleteKubernetesServer.
	DeleteKubeService(ctx context.Context, name string) error

	// DeleteAllKubeServices deletes all registered kubernetes services.
	// DELETE IN 13.0. Deprecated, use DeleteAllKubernetesServers.
	DeleteAllKubeServices(context.Context) error

	// GetKubernetesServers returns a list of registered kubernetes servers.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// DeleteKubernetesServer deletes a named kubernetes servers.
	DeleteKubernetesServer(ctx context.Context, hostID, name string) error

	// DeleteAllKubernetesServers deletes all registered kubernetes servers.
	DeleteAllKubernetesServers(context.Context) error

	// UpsertKubernetesServer registers an kubernetes server.
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)

	// GetWindowsDesktopServices returns all registered Windows desktop services.
	GetWindowsDesktopServices(context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a Windows desktop service by name
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
	// UpsertWindowsDesktopService creates or updates a new Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)
	// DeleteWindowsDesktopService removes the specified Windows desktop service.
	DeleteWindowsDesktopService(ctx context.Context, name string) error
	// DeleteAllWindowsDesktopServices removes all Windows desktop services.
	DeleteAllWindowsDesktopServices(context.Context) error

	// ListResoures returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type Provisioner

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ctx context.Context, token types.ProvisionToken) error

	// CreateToken adds provisioning tokens for the auth server
	CreateToken(ctx context.Context, token types.ProvisionToken) error

	// GetToken finds and returns token by id
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// DeleteToken deletes provisioning token
	// Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist
	DeleteToken(ctx context.Context, token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// GetTokens returns all non-expired tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
}

Provisioner governs adding new nodes to the cluster

type ProxyGetter

type ProxyGetter interface {
	// GetProxies returns a list of registered proxies.
	GetProxies() ([]types.Server, error)
}

ProxyGetter is a service that gets proxies.

type ProxyWatcher

type ProxyWatcher struct {
	// contains filtered or unexported fields
}

ProxyWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of proxies.

func NewProxyWatcher

func NewProxyWatcher(ctx context.Context, cfg ProxyWatcherConfig) (*ProxyWatcher, error)

NewProxyWatcher returns a new instance of ProxyWatcher.

func (ProxyWatcher) Close

func (p ProxyWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (ProxyWatcher) Done

func (p ProxyWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (ProxyWatcher) GetCurrent

func (p ProxyWatcher) GetCurrent() []types.Server

GetCurrent returns the currently stored proxies.

func (ProxyWatcher) IsInitialized

func (p ProxyWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (ProxyWatcher) WaitInitialization

func (p ProxyWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type ProxyWatcherConfig

type ProxyWatcherConfig struct {
	ResourceWatcherConfig
	// ProxyGetter is used to directly fetch the list of active proxies.
	ProxyGetter
	// ProxyDiffer is used to decide whether a put operation on an existing proxy should
	// trigger a event.
	ProxyDiffer func(old, new types.Server) bool
	// ProxiesC is a channel used to report the current proxy set. It receives
	// a fresh list at startup and subsequently a list of all known proxies
	// whenever an addition or deletion is detected.
	ProxiesC chan []types.Server
}

ProxyWatcherConfig is a ProxyWatcher configuration.

func (*ProxyWatcherConfig) CheckAndSetDefaults

func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type RDSEndpointType

type RDSEndpointType string

RDSEndpointType specifies the endpoint type for RDS clusters.

const (
	// RDSEndpointTypePrimary is the endpoint that specifies the connection for the primary instance of the RDS cluster.
	RDSEndpointTypePrimary RDSEndpointType = "primary"
	// RDSEndpointTypeReader is the endpoint that load-balances connections across the Aurora Replicas that are
	// available in an RDS cluster.
	RDSEndpointTypeReader RDSEndpointType = "reader"
	// RDSEndpointTypeCustom is the endpoint that specifies one of the custom endpoints associated with the RDS cluster.
	RDSEndpointTypeCustom RDSEndpointType = "custom"
	// RDSEndpointTypeInstance is the endpoint of an RDS DB instance.
	RDSEndpointTypeInstance RDSEndpointType = "instance"
)

type Reconciler

type Reconciler struct {
	// contains filtered or unexported fields
}

Reconciler reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

It's used in combination with watchers by agents (app, database, desktop) to enable dynamically registered resources.

func NewReconciler

func NewReconciler(cfg ReconcilerConfig) (*Reconciler, error)

NewReconciler creates a new reconciler with provided configuration.

func (*Reconciler) Reconcile

func (r *Reconciler) Reconcile(ctx context.Context) error

Reconcile reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

type ReconcilerConfig

type ReconcilerConfig struct {
	// Matcher is used to match resources.
	Matcher Matcher
	// GetCurrentResources returns currently registered resources.
	GetCurrentResources func() types.ResourcesWithLabelsMap
	// GetNewResources returns resources to compare current resources against.
	GetNewResources func() types.ResourcesWithLabelsMap
	// OnCreate is called when a new resource is detected.
	OnCreate func(context.Context, types.ResourceWithLabels) error
	// OnUpdate is called when an existing resource is updated.
	OnUpdate func(context.Context, types.ResourceWithLabels) error
	// OnDelete is called when an existing resource is deleted.
	OnDelete func(context.Context, types.ResourceWithLabels) error
	// Log is the reconciler's logger.
	Log logrus.FieldLogger
}

ReconcilerConfig is the resource reconciler configuration.

func (*ReconcilerConfig) CheckAndSetDefaults

func (c *ReconcilerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults validates the reconciler configuration and sets defaults.

type Ref

type Ref struct {
	Kind    string
	SubKind string
	Name    string
}

Ref is a resource reference. Typically of the form kind/name, but sometimes of the form kind/subkind/name.

func ParseRef

func ParseRef(ref string) (*Ref, error)

ParseRef parses resource reference eg daemonsets/ds1

func (*Ref) Set

func (r *Ref) Set(v string) error

Set sets the name of the resource

func (*Ref) String

func (r *Ref) String() string

type Refs

type Refs []Ref

Refs is a set of resource references

func ParseRefs

func ParseRefs(refs string) (Refs, error)

ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")

func (*Refs) IsAll

func (r *Refs) IsAll() bool

IsAll checks if refs is special wildcard case `all`.

func (*Refs) Set

func (r *Refs) Set(v string) error

Set sets the value of `r` from a comma-separated string of resource references (in-place equivalent of `ParseRefs`).

func (*Refs) String

func (r *Refs) String() string

type RequestIDs

type RequestIDs struct {
	AccessRequests []string `json:"access_requests,omitempty"`
}

RequestIDs is a collection of IDs for privilege escalation requests.

func (*RequestIDs) Check

func (r *RequestIDs) Check() error

func (*RequestIDs) IsEmpty

func (r *RequestIDs) IsEmpty() bool

func (*RequestIDs) Marshal

func (r *RequestIDs) Marshal() ([]byte, error)

func (*RequestIDs) Unmarshal

func (r *RequestIDs) Unmarshal(data []byte) error

type RequestValidator

type RequestValidator struct {
	Roles struct {
		AllowRequest, DenyRequest []parse.Matcher
		AllowSearch, DenySearch   []string
	}
	Annotations struct {
		Allow, Deny map[string][]string
	}
	ThresholdMatchers []struct {
		Matchers   []parse.Matcher
		Thresholds []types.AccessReviewThreshold
	}
	SuggestedReviewers []string
	// contains filtered or unexported fields
}

RequestValidator a helper for validating access requests. a user's statically assigned roles are are "added" to the validator via the push() method, which extracts all the relevant rules, peforms variable substitutions, and builds a set of simple Allow/Deny datastructures. These, in turn, are used to validate and expand the access request.

func NewRequestValidator

func NewRequestValidator(ctx context.Context, getter RequestValidatorGetter, username string, opts ...ValidateRequestOption) (RequestValidator, error)

NewRequestValidator configures a new RequestValidor for the specified user.

func (*RequestValidator) CanRequestRole

func (m *RequestValidator) CanRequestRole(name string) bool

CanRequestRole checks if a given role can be requested.

func (*RequestValidator) CanSearchAsRole

func (m *RequestValidator) CanSearchAsRole(name string) bool

CanSearchAsRole check if a given role can be requested through a search-based access request

func (*RequestValidator) GetRequestableRoles

func (m *RequestValidator) GetRequestableRoles() ([]string, error)

GetRequestableRoles gets the list of all existent roles which the user is able to request. This operation is expensive since it loads all existent roles in order to determine the role list. Prefer calling CanRequestRole when checking againt a known role list.

func (*RequestValidator) SystemAnnotations

func (m *RequestValidator) SystemAnnotations() map[string][]string

SystemAnnotations calculates the system annotations for a pending access request.

func (*RequestValidator) Validate

func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest) error

Validate validates an access request and potentially modifies it depending on how the validator was configured.

type RequestValidatorGetter

type RequestValidatorGetter interface {
	UserGetter
	RoleGetter
	ResourceLister
	GetRoles(ctx context.Context) ([]types.Role, error)
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
}

RequestValidatorGetter is the interface required by the request validation functions used to get necessary resources.

type ResourceLister

type ResourceLister interface {
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

ResourceLister is an interface which can list resources.

type ResourceMarshaler

type ResourceMarshaler func(types.Resource, ...MarshalOption) ([]byte, error)

ResourceMarshaler handles marshaling of a specific resource type.

type ResourceMatcher

type ResourceMatcher struct {
	// Labels match resource labels.
	Labels types.Labels
}

ResourceMatcher matches cluster resources.

type ResourceSeenKey

type ResourceSeenKey struct {
	// contains filtered or unexported fields
}

ResourceSeenKey is used as a key for a map that keeps track of unique resource names and address. Currently "addr" only applies to resource Application.

type ResourceUnmarshaler

type ResourceUnmarshaler func([]byte, ...MarshalOption) (types.Resource, error)

ResourceUnmarshaler handles unmarshaling of a specific resource type.

type ResourceWatcherConfig

type ResourceWatcherConfig struct {
	// Component is a component used in logs.
	Component string
	// Log is a logger.
	Log logrus.FieldLogger
	// MaxRetryPeriod is the maximum retry period on failed watchers.
	MaxRetryPeriod time.Duration
	// Clock is used to control time.
	Clock clockwork.Clock
	// Client is used to create new watchers.
	Client types.Events
	// MaxStaleness is a maximum acceptable staleness for the locally maintained
	// resources, zero implies no staleness detection.
	MaxStaleness time.Duration
	// ResetC is a channel to notify of internal watcher reset (used in tests).
	ResetC chan time.Duration
}

ResourceWatcherConfig configures resource watcher.

func (*ResourceWatcherConfig) CheckAndSetDefaults

func (cfg *ResourceWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Restrictions

type Restrictions interface {
	GetNetworkRestrictions(context.Context) (types.NetworkRestrictions, error)
	SetNetworkRestrictions(context.Context, types.NetworkRestrictions) error
	DeleteNetworkRestrictions(context.Context) error
}

type ReviewPermissionChecker

type ReviewPermissionChecker struct {
	User  types.User
	Roles struct {
		// allow/deny mappings sort role matches into lists based on their
		// constraining predicate (where) expression.
		AllowReview, DenyReview map[string][]parse.Matcher
	}
}

ReviewPermissionChecker is a helper for validating whether or not a user is allowed to review specific access requests.

func NewReviewPermissionChecker

func NewReviewPermissionChecker(ctx context.Context, getter RequestValidatorGetter, username string) (ReviewPermissionChecker, error)

func (*ReviewPermissionChecker) CanReviewRequest

func (c *ReviewPermissionChecker) CanReviewRequest(req types.AccessRequest) (bool, error)

CanReviewRequest checks if the user is allowed to review the specified request. note that the ability to review a request does not necessarily imply that any specific approval/denial thresholds will actually match the user's review. Matching one or more thresholds is not a pre-requisite for review submission.

func (*ReviewPermissionChecker) HasAllowDirectives

func (c *ReviewPermissionChecker) HasAllowDirectives() bool

HasAllowDirectives checks if any allow directives exist. A user with no allow directives will never be able to review any requests.

type RoleGetter

type RoleGetter interface {
	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)
}

RoleGetter is an interface that defines GetRole method

type RoleMatcher

type RoleMatcher interface {
	Match(types.Role, types.RoleConditionType) (bool, error)
}

RoleMatcher defines an interface for a generic role matcher.

func NewKubernetesClusterLabelMatcher

func NewKubernetesClusterLabelMatcher(clustersLabels map[string]string) RoleMatcher

NewKubernetesClusterLabelMatcher creates a RoleMatcher that checks whether a role's Kubernetes service labels match.

func NewLoginMatcher

func NewLoginMatcher(login string) RoleMatcher

NewLoginMatcher creates a RoleMatcher that checks whether the role's logins match the specified condition.

func NewWindowsLoginMatcher

func NewWindowsLoginMatcher(login string) RoleMatcher

NewWindowsLoginMatcher creates a RoleMatcher that checks whether the role's Windows desktop logins match the specified condition.

type RoleMatchers

type RoleMatchers []RoleMatcher

RoleMatchers defines a list of matchers.

func (RoleMatchers) MatchAll

func (m RoleMatchers) MatchAll(role types.Role, condition types.RoleConditionType) (bool, error)

MatchAll returns true if all matchers in the set match.

func (RoleMatchers) MatchAny

func (m RoleMatchers) MatchAny(role types.Role, condition types.RoleConditionType) (bool, RoleMatcher, error)

MatchAny returns true if at least one of the matchers in the set matches.

If the result is true, returns matcher that matched.

type RoleSet

type RoleSet []types.Role

RoleSet is a set of roles that implements access control functionality

func FetchAllClusterRoles

func FetchAllClusterRoles(ctx context.Context, access CurrentUserRoleGetter, defaultRoleNames []string, defaultTraits wrappers.Traits) (RoleSet, error)

FetchAllClusterRoles fetches all roles available to the user on the specified cluster, applies traits, and adds runtime roles like the default implicit role to RoleSet.

func FetchRoleList

func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoleList fetches roles by their names, applies the traits to role variables, and returns the list

func FetchRoles

func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.

func NewRoleSet

func NewRoleSet(roles ...types.Role) RoleSet

NewRoleSet returns new RoleSet based on the roles

func RoleSetFromSpec

func RoleSetFromSpec(name string, spec types.RoleSpecV5) (RoleSet, error)

RoleSetFromSpec returns a new RoleSet from spec

func (RoleSet) AdjustClientIdleTimeout

func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration

AdjustClientIdleTimeout adjusts requested idle timeout to the lowest max allowed timeout, the most restrictive option will be picked, negative values will be assumed as 0

func (RoleSet) AdjustDisconnectExpiredCert

func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool

AdjustDisconnectExpiredCert adjusts the value based on the role set the most restrictive option will be picked

func (RoleSet) AdjustSessionTTL

func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration

AdjustSessionTTL will reduce the requested ttl to the lowest max allowed TTL for this role set, otherwise it returns ttl unchanged

func (RoleSet) CanCopyFiles

func (set RoleSet) CanCopyFiles() bool

CanCopyFiles returns true if the role set has enabled remote file operations via SCP or SFTP. Remote file operations are disabled if one or more of the roles in the set has disabled it.

func (RoleSet) CanForwardAgents

func (set RoleSet) CanForwardAgents() bool

CanForwardAgents returns true if role set allows forwarding agents.

func (RoleSet) CanImpersonateSomeone

func (set RoleSet) CanImpersonateSomeone() bool

CanImpersonateSomeone returns true if this checker has any impersonation rules

func (RoleSet) CanPortForward

func (set RoleSet) CanPortForward() bool

CanPortForward returns true if a role in the RoleSet allows port forwarding.

func (RoleSet) CertificateExtensions

func (set RoleSet) CertificateExtensions() []*types.CertExtension

CertificateExtensions returns the list of extensions for each role in the RoleSet

func (RoleSet) CertificateFormat

func (set RoleSet) CertificateFormat() string

CertificateFormat returns the most permissive certificate format in a RoleSet.

func (RoleSet) CheckAWSRoleARNs

func (set RoleSet) CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

CheckAWSRoleARNs returns a list of AWS role ARNs this role set is allowed to assume.

func (RoleSet) CheckAccessToRemoteCluster

func (set RoleSet) CheckAccessToRemoteCluster(rc types.RemoteCluster) error

CheckAccessToRemoteCluster checks if a role has access to remote cluster. Deny rules are checked first then allow rules. Access to a cluster is determined by namespaces, labels, and logins.

func (RoleSet) CheckAccessToRule

func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

CheckAccessToRule checks if the RoleSet provides access in the given namespace to the specified resource and verb. silent controls whether the access violations are logged.

func (RoleSet) CheckAgentForward

func (set RoleSet) CheckAgentForward(login string) error

CheckAgentForward checks if the role can request to forward the SSH agent for this user.

func (RoleSet) CheckDatabaseNamesAndUsers

func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)

CheckDatabaseNamesAndUsers checks if the role has any allowed database names or users.

func (RoleSet) CheckImpersonate

func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

CheckImpersonate returns nil if this role set can impersonate a user and their roles, returns AccessDenied otherwise CheckImpersonate checks whether current user is allowed to impersonate users and roles

func (RoleSet) CheckImpersonateRoles

func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

CheckImpersonateRoles validates that the current user can perform role-only impersonation of the given roles. Role-only impersonation requires an allow rule with roles but no users (and no user-less deny rules). All requested roles must be allowed for the check to succeed.

func (RoleSet) CheckKubeGroupsAndUsers

func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)

CheckKubeGroupsAndUsers check if role can login into kubernetes and returns two lists of allowed groups and users

func (RoleSet) CheckLoginDuration

func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)

CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.

func (RoleSet) DesktopClipboard

func (set RoleSet) DesktopClipboard() bool

DesktopClipboard returns true if the role set has enabled shared clipboard for desktop sessions. Clipboard sharing is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) DesktopDirectorySharing

func (set RoleSet) DesktopDirectorySharing() bool

DesktopDirectorySharing returns true if the role set has directory sharing enabled. This setting is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) EnhancedRecordingSet

func (set RoleSet) EnhancedRecordingSet() map[string]bool

EnhancedRecordingSet returns the set of enhanced session recording events to capture for thi role set.

func (RoleSet) EnumerateDatabaseUsers

func (set RoleSet) EnumerateDatabaseUsers(database types.Database, extraUsers ...string) EnumerationResult

EnumerateDatabaseUsers works on a given role set to return a minimal description of allowed set of usernames. It is biased towards *allowed* usernames; It is meant to describe what the user can do, rather than cannot do. For that reason if the user isn't allowed to pick *any* entities, the output will be empty.

In cases where * is listed in set of allowed users, it may be hard for users to figure out the expected username. For this reason the parameter extraUsers provides an extra set of users to be checked against RoleSet. This extra set of users may be sourced e.g. from user connection history.

func (RoleSet) EnumerateServerLogins

func (set RoleSet) EnumerateServerLogins(server types.Server) EnumerationResult

EnumerateServerLogins works on a given role set to return a minimal description of allowed set of logins. The wildcard selector is ignored, since it is now allowed for server logins

func (RoleSet) ExtractConditionForIdentifier

func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

ExtractConditionForIdentifier returns a restrictive filter expression for list queries based on the rules' `where` conditions.

func (RoleSet) GetAllLogins

func (set RoleSet) GetAllLogins() []string

GetAllLogins returns all valid unix logins for the RoleSet.

func (RoleSet) GetAllowedPreviewAsRoles

func (set RoleSet) GetAllowedPreviewAsRoles() []string

GetAllowedPreviewAsRoles returns all PreviewAsRoles for this RoleSet.

func (RoleSet) GetAllowedSearchAsRoles

func (set RoleSet) GetAllowedSearchAsRoles() []string

GetSearchAsRoles returns all SearchAsRoles for this RoleSet.

func (RoleSet) GetLoginsForTTL

func (set RoleSet) GetLoginsForTTL(ttl time.Duration) (logins []string, matchedTTL bool)

GetLoginsForTTL collects all logins that are valid for the given TTL. The matchedTTL value indicates whether the TTL is within scope of *any* role. This helps to distinguish between TTLs which are categorically invalid, and TTLs which are theoretically valid but happen to grant no logins.

func (RoleSet) GuessIfAccessIsPossible

func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

GuessIfAccessIsPossible guesses if access is possible for an entire category of resources. It responds the question: "is it possible that there is a resource of this kind that the current user can access?". GuessIfAccessIsPossible is used, mainly, for UI decisions ("should the tab for resource X appear"?). Most callers should use CheckAccessToRule instead.

func (RoleSet) HasRole

func (set RoleSet) HasRole(role string) bool

HasRole checks if the role set has the role

func (RoleSet) HostUsers

func (set RoleSet) HostUsers(s types.Server) (*HostUsersInfo, error)

HostUsers returns host user information matching a server or nil if a role disallows host user creation

func (RoleSet) LockingMode

func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode

LockingMode returns the locking mode to apply with this RoleSet.

func (RoleSet) MFAParams

func (set RoleSet) MFAParams(authPrefRequirement types.RequireMFAType) (params AccessMFAParams)

MFAParams returns MFA params for the given user given their roles, the cluster auth preference, and whether mfa has been verified.

func (RoleSet) MaxConnections

func (set RoleSet) MaxConnections() int64

MaxConnections returns the maximum number of concurrent ssh connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxKubernetesConnections

func (set RoleSet) MaxKubernetesConnections() int64

MaxConnections returns the maximum number of concurrent Kubernetes connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxSessions

func (set RoleSet) MaxSessions() int64

MaxSessions returns the maximum number of concurrent ssh sessions per connection. If MaxSessions is zero then no maximum was defined and the number of sessions is unconstrained.

func (RoleSet) MaybeCanReviewRequests

func (set RoleSet) MaybeCanReviewRequests() bool

MaybeCanReviewRequests attempts to guess if this RoleSet belongs to a user who should be submitting access reviews. Because not all rolesets are derived from statically assigned roles, this may return false positives.

func (RoleSet) PermitX11Forwarding

func (set RoleSet) PermitX11Forwarding() bool

PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.

func (RoleSet) PinSourceIP

func (set RoleSet) PinSourceIP() bool

PinSourceIP determines if the role set should use source IP pinning. If one or more roles in the set requires IP pinning then it will be enabled.

func (RoleSet) PrivateKeyPolicy

func (set RoleSet) PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy

PrivateKeyPolicy returns the enforced private key policy for this role set.

func (RoleSet) RecordDesktopSession

func (set RoleSet) RecordDesktopSession() bool

RecordDesktopSession returns true if the role set has enabled desktop session recording. Recording is considered enabled if at least one role in the set has enabled it.

func (RoleSet) RoleNames

func (set RoleSet) RoleNames() []string

RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.

func (RoleSet) Roles

func (set RoleSet) Roles() []types.Role

Roles returns the list underlying roles this RoleSet is based on.

func (RoleSet) SessionPolicySets

func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet

SessionPolicySets returns the list of SessionPolicySets for all roles.

func (RoleSet) SessionRecordingMode

func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

SessionRecordingMode returns the recording mode for a specific service.

func (RoleSet) String

func (set RoleSet) String() string

func (RoleSet) WithoutImplicit

func (set RoleSet) WithoutImplicit() (out RoleSet)

WithoutImplicit returns this role set with default implicit role filtered out.

type RotationGetter

type RotationGetter func(role types.SystemRole) (*types.Rotation, error)

RotationGetter returns the rotation state.

type RuleContext

type RuleContext interface {
	// GetIdentifier returns identifier defined in a context
	GetIdentifier(fields []string) (interface{}, error)
	// GetResource returns resource if specified in the context,
	// if unspecified, returns error.
	GetResource() (types.Resource, error)
}

RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user

type RuleSet

type RuleSet map[string][]types.Rule

RuleSet maps resource to a set of rules defined for it

func MakeRuleSet

func MakeRuleSet(rules []types.Rule) RuleSet

MakeRuleSet creates a new rule set from a list

func (RuleSet) Match

func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)

Match tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.

Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.

func (RuleSet) Slice

func (set RuleSet) Slice() []types.Rule

Slice returns slice from a set

type SemaphoreLock

type SemaphoreLock struct {
	// contains filtered or unexported fields
}

SemaphoreLock provides a convenient interface for managing semaphore lease keepalive operations.

func AcquireSemaphoreLock

func AcquireSemaphoreLock(ctx context.Context, cfg SemaphoreLockConfig) (*SemaphoreLock, error)

AcquireSemaphoreLock attempts to acquire and hold a semaphore lease. If successfully acquired, background keepalive processes are started and an associated lock handle is returned. Canceling the supplied context releases the semaphore.

func (*SemaphoreLock) Done

func (l *SemaphoreLock) Done() <-chan struct{}

Done signals that lease keepalive operations have stopped.

func (*SemaphoreLock) Renewed

func (l *SemaphoreLock) Renewed() <-chan struct{}

Renewed notifies on next successful lease keepalive. Used in tests to block until next renewal.

func (*SemaphoreLock) Stop

func (l *SemaphoreLock) Stop()

Stop stops associated lease keepalive.

func (*SemaphoreLock) Wait

func (l *SemaphoreLock) Wait() error

Wait blocks until the final result is available. Note that this method may block longer than desired since cancellation of the parent context triggers the *start* of the release operation.

type SemaphoreLockConfig

type SemaphoreLockConfig struct {
	// Service is the service against which all semaphore
	// operations are performed.
	Service types.Semaphores
	// Expiry is an optional lease expiry parameter.
	Expiry time.Duration
	// TickRate is the rate at which lease renewals are attempted
	// and defaults to 1/2 expiry.  Used to accelerate tests.
	TickRate time.Duration
	// Params holds the semaphore lease acquisition parameters.
	Params types.AcquireSemaphoreRequest
	// Clock used to alter time in tests
	Clock clockwork.Clock
}

func (*SemaphoreLockConfig) CheckAndSetDefaults

func (l *SemaphoreLockConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default parameters

type SessionTrackerService

type SessionTrackerService interface {
	// GetActiveSessionTrackers returns a list of active session trackers.
	GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

	// GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
	GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

	// GetSessionTracker returns the current state of a session tracker for an active session.
	GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

	// CreateSessionTracker creates a tracker resource for an active session.
	CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error)

	// UpdateSessionTracker updates a tracker resource for an active session.
	UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

	// RemoveSessionTracker removes a tracker resource for an active session.
	RemoveSessionTracker(ctx context.Context, sessionID string) error

	// UpdatePresence updates the presence status of a user in a session.
	UpdatePresence(ctx context.Context, sessionID, user string) error
}

SessionTrackerService is a realtime session service that has information about sessions that are in-flight in the cluster at the moment.

type SnowflakeSession

type SnowflakeSession interface {
	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
	// GetSnowflakeSessions gets all Snowflake web sessions.
	GetSnowflakeSessions(context.Context) ([]types.WebSession, error)
	// UpsertSnowflakeSession upserts a Snowflake web session.
	UpsertSnowflakeSession(context.Context, types.WebSession) error
	// DeleteSnowflakeSession removes a Snowflake web session.
	DeleteSnowflakeSession(context.Context, types.DeleteSnowflakeSessionRequest) error
	// DeleteAllSnowflakeSessions removes all Snowflake web sessions.
	DeleteAllSnowflakeSessions(context.Context) error
}

SnowflakeSession defines Snowflake session features.

type SortedLoginAttempts

type SortedLoginAttempts []LoginAttempt

SortedLoginAttempts sorts login attempts by time

func (SortedLoginAttempts) Len

func (s SortedLoginAttempts) Len() int

Len returns length of a role list

func (SortedLoginAttempts) Less

func (s SortedLoginAttempts) Less(i, j int) bool

Less stacks latest attempts to the end of the list

func (SortedLoginAttempts) Swap

func (s SortedLoginAttempts) Swap(i, j int)

Swap swaps two attempts

type SortedReverseTunnels

type SortedReverseTunnels []types.ReverseTunnel

SortedReverseTunnels sorts reverse tunnels by cluster name

func (SortedReverseTunnels) Len

func (s SortedReverseTunnels) Len() int

func (SortedReverseTunnels) Less

func (s SortedReverseTunnels) Less(i, j int) bool

func (SortedReverseTunnels) Swap

func (s SortedReverseTunnels) Swap(i, j int)

type SortedRoles

type SortedRoles []types.Role

SortedRoles sorts roles by name

func (SortedRoles) Len

func (s SortedRoles) Len() int

Len returns length of a role list

func (SortedRoles) Less

func (s SortedRoles) Less(i, j int) bool

Less compares roles by name

func (SortedRoles) Swap

func (s SortedRoles) Swap(i, j int)

Swap swaps two roles in a list

type SortedServers

type SortedServers []types.Server

SortedServers is a sort wrapper that sorts servers by name

func (SortedServers) Len

func (s SortedServers) Len() int

func (SortedServers) Less

func (s SortedServers) Less(i, j int) bool

func (SortedServers) Swap

func (s SortedServers) Swap(i, j int)

type Status

type Status interface {
	// GetClusterAlerts loads all matching cluster alerts.
	GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

	// UpsertClusterAlert creates the specified alert, overwriting any preexising alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
}

Status defines an interface for managing cluster status info.

type StatusInternal

type StatusInternal interface {
	Status

	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}

StatusInternal extends Status with auth-internal methods.

type Trust

type Trust interface {
	// AuthorityGetter retrieves certificate authorities
	AuthorityGetter

	// CreateCertAuthority inserts a new certificate authority
	CreateCertAuthority(ca types.CertAuthority) error

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ca types.CertAuthority) error

	// CompareAndSwapCertAuthority updates the cert authority value
	// if existing value matches existing parameter,
	// returns nil if succeeds, trace.CompareFailed otherwise
	CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(id types.CertAuthID) error

	// DeleteAllCertAuthorities deletes cert authorities of a certain type
	DeleteAllCertAuthorities(caType types.CertAuthType) error

	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id types.CertAuthID) error

	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id types.CertAuthID) error
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type UnknownResource

type UnknownResource struct {
	types.ResourceHeader
	// Raw is raw representation of the resource
	Raw []byte
}

UnknownResource is used to detect resources

func (*UnknownResource) UnmarshalJSON

func (u *UnknownResource) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals header and captures raw state

type UsageAnonymizable

type UsageAnonymizable interface {
	// Anonymize uses the given anonymizer to anonymize the event and converts
	// it into a partially filled SubmitEventRequest.
	Anonymize(utils.Anonymizer) prehogv1.SubmitEventRequest
}

UsageAnonymizable is an event that can be anonymized.

func ConvertUsageEvent

func ConvertUsageEvent(event *usageevents.UsageEventOneOf, identityUsername string) (UsageAnonymizable, error)

ConvertUsageEvent converts a usage event from an API object into an anonymizable event. All events that can be submitted externally via the Auth API need to be defined here.

type UsageReporter

type UsageReporter interface {
	// SubmitAnonymizedUsageEvent submits a usage event. The payload will be
	// anonymized by the reporter implementation.
	SubmitAnonymizedUsageEvents(event ...UsageAnonymizable) error
}

UsageReporter is a service that accepts Teleport usage events.

type UsageResourceCreate

type UsageResourceCreate prehogv1.ResourceCreateEvent

UsageResourceCreate is an event emitted when various resource types have been created.

func (*UsageResourceCreate) Anonymize

type UsageSSOCreate

type UsageSSOCreate prehogv1.SSOCreateEvent

UsageSSOCreate is emitted when an SSO connector has been created.

func (*UsageSSOCreate) Anonymize

type UsageSessionStart

type UsageSessionStart prehogv1.SessionStartEvent

UsageSessionStart is an event emitted when some Teleport session has started (ssh, etc).

func (*UsageSessionStart) Anonymize

type UsageUIBannerClick

type UsageUIBannerClick prehogv1.UIBannerClickEvent

UsageUIBannerClick is a UI event sent when a banner is clicked.

func (*UsageUIBannerClick) Anonymize

type UsageUIOnboardAddFirstResourceClickEvent

type UsageUIOnboardAddFirstResourceClickEvent prehogv1.UIOnboardAddFirstResourceClickEvent

UsageUIOnboardAddFirstResourceClickEvent is a UI event sent when a user clicks the "add first resource" button.

func (*UsageUIOnboardAddFirstResourceClickEvent) Anonymize

type UsageUIOnboardAddFirstResourceLaterClickEvent

type UsageUIOnboardAddFirstResourceLaterClickEvent prehogv1.UIOnboardAddFirstResourceLaterClickEvent

UsageUIOnboardAddFirstResourceLaterClickEvent is a UI event sent when a user clicks the "add first resource later" button.

func (*UsageUIOnboardAddFirstResourceLaterClickEvent) Anonymize

type UsageUIOnboardCompleteGoToDashboardClickEvent

type UsageUIOnboardCompleteGoToDashboardClickEvent prehogv1.UIOnboardCompleteGoToDashboardClickEvent

UsageUIOnboardCompleteGoToDashboardClickEvent is a UI event sent when onboarding is complete.

func (*UsageUIOnboardCompleteGoToDashboardClickEvent) Anonymize

type UsageUIOnboardGetStartedClickEvent

type UsageUIOnboardGetStartedClickEvent prehogv1.UIOnboardGetStartedClickEvent

UsageUIOnboardGetStartedClickEvent is a UI event sent when the "get started" button is clicked.

func (*UsageUIOnboardGetStartedClickEvent) Anonymize

type UsageUIOnboardRegisterChallengeSubmit

type UsageUIOnboardRegisterChallengeSubmit prehogv1.UIOnboardRegisterChallengeSubmitEvent

UsageUIOnboardRegisterChallengeSubmit is a UI event sent during registration when the MFA challenge is completed.

func (*UsageUIOnboardRegisterChallengeSubmit) Anonymize

type UsageUIOnboardSetCredentialSubmit

type UsageUIOnboardSetCredentialSubmit prehogv1.UIOnboardSetCredentialSubmitEvent

UsageUIOnboardSetCredentialSubmit is an UI event sent during registration when the user configures login credentials.

func (*UsageUIOnboardSetCredentialSubmit) Anonymize

type UsageUIRecoveryCodesContinueClick

type UsageUIRecoveryCodesContinueClick prehogv1.UIRecoveryCodesContinueClickEvent

UsageUIRecoveryCodesContinueClick is a UI event sent when a user configures recovery codes.

func (*UsageUIRecoveryCodesContinueClick) Anonymize

type UsageUserLogin

type UsageUserLogin prehogv1.UserLoginEvent

UsageUserLogin is an event emitted when a user logs into Teleport, potentially via SSO.

func (*UsageUserLogin) Anonymize

type UserCertParams

type UserCertParams struct {
	// CASigner is the signer that will sign the public key of the user with the CA private key
	CASigner ssh.Signer
	// PublicUserKey is the public key of the user
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for
	TTL time.Duration
	// Username is teleport username
	Username string
	// Impersonator is set when a user requests certificate for another user
	Impersonator string
	// AllowedLogins is a list of SSH principals
	AllowedLogins []string
	// PermitX11Forwarding permits X11 forwarding for this cert
	PermitX11Forwarding bool
	// PermitAgentForwarding permits agent forwarding for this cert
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// PermitFileCopying permits the use of SCP/SFTP.
	PermitFileCopying bool
	// Roles is a list of roles assigned to this user
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster
	// if present in the certificate, will be used
	// to route the requests to
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// ClientIP is an IP of the client to embed in the certificate.
	ClientIP string
	// SourceIP is an IP that certificate should be pinned to.
	SourceIP string
	// DisallowReissue flags that any attempt to request new certificates while
	// authenticated with this cert should be denied.
	DisallowReissue bool
	// CertificateExtensions are user configured ssh key extensions
	CertificateExtensions []*types.CertExtension
	// Renewable indicates this certificate is renewable
	Renewable bool
	// Generation counts the number of times a certificate has been renewed.
	Generation uint64
	// AllowedResourceIDs lists the resources the user should be able to access.
	AllowedResourceIDs string
	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
	ConnectionDiagnosticID string
	// PrivateKeyPolicy is the private key policy supported by this certificate.
	PrivateKeyPolicy keys.PrivateKeyPolicy
}

UserCertParams defines OpenSSH user certificate parameters

func (*UserCertParams) CheckAndSetDefaults

func (c *UserCertParams) CheckAndSetDefaults() error

CheckAndSetDefaults checks the user certificate parameters

type UserGetter

type UserGetter interface {
	// GetUser returns a user by name
	GetUser(user string, withSecrets bool) (types.User, error)
}

UserGetter is responsible for getting users

type Users

type Users []types.User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len

func (u Users) Len() int

func (Users) Less

func (u Users) Less(i, j int) bool

func (Users) Swap

func (u Users) Swap(i, j int)

type UsersService

type UsersService interface {
	UserGetter
	// UpdateUser updates an existing user.
	UpdateUser(ctx context.Context, user types.User) error
	// UpsertUser updates parameters about user
	UpsertUser(user types.User) error
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server
	GetUsers(withSecrets bool) ([]types.User, error)
	// DeleteAllUsers deletes all users
	DeleteAllUsers() error
}

UsersService is responsible for basic user management

type ValidateRequestOption

type ValidateRequestOption func(*RequestValidator)

func ExpandVars

func ExpandVars(expand bool) ValidateRequestOption

ExpandVars toggles variable expansion during request validation. Variable expansion includes expanding wildcard requests, setting system annotations, and gathering threshold information. Variable expansion should be run by the auth server prior to storing an access request for the first time.

type WindowsDesktops

type WindowsDesktops interface {
	GetWindowsDesktops(context.Context, types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
	DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
	DeleteAllWindowsDesktops(context.Context) error
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
}

WindowsDesktops defines an interface for managing Windows desktop hosts.

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL