package common

v0.0.0-...-5c79d48

Warning: This package is not in the latest version of its module.
Published: Feb 15, 2024 License: AGPL-3.0 Imports: 160 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Main

func Main()

func Run

func Run(ctx context.Context, args []string, opts ...CliOption) error

Run executes the TSH client. It is the same as main() but easier to test. Note that this function modifies global state in `tsh` (e.g. the system logger), and WILL ALSO MODIFY EXTERNAL SHARED STATE in its default configuration (e.g. the $HOME/.tsh dir, $KUBECONFIG, etc).

DO NOT RUN TESTS that call Run() in parallel (unless you have taken precautions).

Types

type CLIConf

type CLIConf struct {
	// UserHost contains "[login]@hostname" argument to SSH command
	UserHost string
	// Commands to execute on a remote host
	RemoteCommand []string
	// DesiredRoles indicates one or more roles which should be requested.
	DesiredRoles string
	// RequestReason indicates the reason for an access request.
	RequestReason string
	// SuggestedReviewers is a list of suggested request reviewers.
	SuggestedReviewers string
	// NoWait can be used with an access request to exit without waiting for a request resolution.
	NoWait bool
	// RequestedResourceIDs is a list of resources to request access to.
	RequestedResourceIDs []string
	// RequestID is an access request ID
	RequestID string
	// RequestIDs is a list of access request IDs
	RequestIDs []string
	// ReviewReason indicates the reason for an access review.
	ReviewReason string
	// ReviewableRequests indicates that only requests which can be reviewed should
	// be listed.
	ReviewableRequests bool
	// SuggestedRequests indicates that only requests which suggest the current user
	// as a reviewer should be listed.
	SuggestedRequests bool
	// MyRequests indicates that only requests created by the current user
	// should be listed.
	MyRequests bool
	// Approve/Deny indicates the desired review kind.
	Approve, Deny bool
	// AssumeStartTimeRaw format is RFC3339
	AssumeStartTimeRaw string
	// ResourceKind is the resource kind to search for
	ResourceKind string
	// Username is the Teleport user's username (to login into proxies)
	Username string
	// ExplicitUsername is true if Username was initially set by the end-user
	// (for example, using command-line flags).
	ExplicitUsername bool
	// Proxy keeps the hostname:port of the Teleport proxy to use
	Proxy string
	// MinsToLive defines how long a session must be active (in minutes)
	MinsToLive int32
	// SSH Port on a remote SSH host
	NodePort int32
	// Login on a remote SSH host
	NodeLogin string
	// InsecureSkipVerify bypasses verification of HTTPS certificate when talking to web proxy
	InsecureSkipVerify bool
	// SessionID identifies the session tsh is operating on.
	// For `tsh join`, it is the ID of the session to join.
	// For `tsh play`, it is either the ID of the session to play,
	// or the path to a local session file which has already been
	// downloaded.
	SessionID string
	// Src:dest parameter for SCP
	CopySpec []string
	// -r flag for scp
	RecursiveCopy bool
	// -L flag for ssh. Local port forwarding like 'ssh -L 80:remote.host:80 -L 443:remote.host:443'
	LocalForwardPorts []string
	// DynamicForwardedPorts is port forwarding using SOCKS5. It is similar to
	// "ssh -D 8080 example.com".
	DynamicForwardedPorts []string
	// ForwardAgent forwards the agent to the target node. Equivalent of -A for OpenSSH.
	ForwardAgent bool
	// ProxyJump is an optional -J flag pointing to the list of jumphosts;
	// tsh interprets it as the equivalent of the --proxy flag.
	ProxyJump string
	// --local flag for ssh
	LocalExec bool
	// SiteName specifies remote site to login to.
	SiteName string
	// KubernetesCluster specifies the kubernetes cluster to login to.
	KubernetesCluster string

	// DaemonAddr is the daemon listening address.
	DaemonAddr string
	// DaemonCertsDir is the directory containing certs used to create secure gRPC connection with daemon service
	DaemonCertsDir string
	// DaemonPrehogAddr is the URL where prehog events should be submitted.
	DaemonPrehogAddr string
	// DaemonKubeconfigsDir is the directory containing kubeconfigs
	// for Kubernetes Access.
	DaemonKubeconfigsDir string
	// DaemonAgentsDir contains agent config files and data directories for Connect My Computer.
	DaemonAgentsDir string
	// DaemonPid is the PID to be stopped by tsh daemon stop.
	DaemonPid int

	// DatabaseService specifies the database proxy server to log into.
	DatabaseService string
	// DatabaseUser specifies the database user to embed in the certificate.
	DatabaseUser string
	// DatabaseName specifies the database name to embed in the certificate.
	DatabaseName string
	// DatabaseRoles specifies the database roles to embed in the certificate.
	DatabaseRoles string
	// AppName specifies the proxied application name.
	AppName string
	// Interactive, when set to true, launches remote command with the terminal attached
	Interactive bool
	// Quiet mode, -q command (disables progress printing)
	Quiet bool
	// Namespace is used to select cluster namespace
	Namespace string
	// NoCache is used to turn off client cache for nodes discovery
	NoCache bool
	// BenchDuration is a duration for the benchmark
	BenchDuration time.Duration
	// BenchRate is a requests per second rate to maintain
	BenchRate int
	// BenchInteractive indicates that we should create an interactive session
	BenchInteractive bool
	// BenchRandom indicates that we should connect to a random host each time
	BenchRandom bool
	// BenchExport exports the latency profile
	BenchExport bool
	// BenchExportPath saves the latency profile in provided path
	BenchExportPath string
	// BenchMaxSessions is the maximum number of sessions to open
	BenchMaxSessions int
	// BenchTicks ticks per half distance
	BenchTicks int32
	// BenchValueScale value at which to scale the values recorded
	BenchValueScale float64
	// Context is a context to control execution
	Context context.Context
	// IdentityFileIn is an argument to -i flag (path to the private key+cert file)
	IdentityFileIn string
	// Compatibility flags, --compat, specifies OpenSSH compatibility flags.
	Compatibility string
	// CertificateFormat defines the format of the user SSH certificate.
	CertificateFormat string
	// IdentityFileOut is an argument to --out flag
	IdentityFileOut string
	// IdentityFormat (used for --format flag for 'tsh login') defines which
	// format to use with --out to store a freshly retrieved certificate
	IdentityFormat identityfile.Format
	// IdentityOverwrite when true will overwrite any existing identity file at
	// IdentityFileOut. When false, user will be prompted before overwriting
	// any files.
	IdentityOverwrite bool

	// BindAddr is an address in the form of host:port to bind to
	// during `tsh login` command
	BindAddr string
	// CallbackAddr is the optional base URL to give to the user when performing
	// SSO redirect flows.
	CallbackAddr string

	// AuthConnector is the name of the connector to use.
	AuthConnector string

	// MFAMode is the preferred mode for MFA/Passwordless assertions.
	MFAMode string

	// SkipVersionCheck skips version checking for client and server
	SkipVersionCheck bool

	// Options is a list of OpenSSH options in the format used in the
	// configuration file.
	Options []string

	// Verbose is used to print extra output.
	Verbose bool

	// Format is used to change the format of output
	Format  string
	OutFile string

	// PlaySpeed controls the playback speed for tsh play.
	PlaySpeed string

	// SearchKeywords is a list of search keywords to match against resource field values.
	SearchKeywords string

	// PredicateExpression defines boolean conditions that will be matched against the resource.
	PredicateExpression string

	// Labels is used to hold labels passed via the --labels=k1=v1,k2=v2 flag for resource filtering.
	// An explicitly passed --labels overrides the user@labels positional arg form.
	// NOTE: no command currently supports both, try to keep it that way.
	Labels string

	// NoRemoteExec will not execute a remote command after connecting to a host,
	// will block instead. Useful when port forwarding. Equivalent of -N for OpenSSH.
	NoRemoteExec bool

	// X11ForwardingUntrusted will set up untrusted X11 forwarding for the session ('ssh -X')
	X11ForwardingUntrusted bool

	// X11ForwardingTrusted will set up trusted X11 forwarding for the session ('ssh -Y')
	X11ForwardingTrusted bool

	// X11ForwardingTimeout can optionally be set to a timeout for untrusted X11 forwarding.
	X11ForwardingTimeout time.Duration

	// Debug sends debug logs to stdout.
	Debug bool

	// Browser can be used to pass the name of a browser to override the system default
	// (not currently implemented), or set to 'none' to suppress browser opening entirely.
	Browser string

	// UseLocalSSHAgent set to false will prevent this client from attempting to
	// connect to the local ssh-agent (or similar) socket at $SSH_AUTH_SOCK.
	//
	// Deprecated in favor of `AddKeysToAgent`.
	UseLocalSSHAgent bool

	// AddKeysToAgent specifies the behavior of how certs are handled.
	AddKeysToAgent string

	// EnableEscapeSequences will scan stdin for SSH escape sequences during
	// command/shell execution. This also requires stdin to be an interactive
	// terminal.
	EnableEscapeSequences bool

	// PreserveAttrs preserves access/modification times from the original file.
	PreserveAttrs bool

	// RequestTTL is the expiration time of the Access Request (how long it
	// will await approval).
	RequestTTL time.Duration

	// SessionTTL is the expiration time for the elevated certificate that will
	// be issued if the Access Request is approved.
	SessionTTL time.Duration

	// MaxDuration specifies how long the access will be granted for.
	MaxDuration time.Duration

	// OverrideStdout allows switching the standard output for resource commands. Used in tests.
	OverrideStdout io.Writer

	// MockSSOLogin is used in tests to override the SSO login handler in the teleport client.
	MockSSOLogin client.SSOLoginFunc

	// MockHeadlessLogin is used in tests to override the headless login handler in the teleport client.
	MockHeadlessLogin client.SSHLoginFunc

	// HomePath is where tsh stores profiles
	HomePath string

	// GlobalTshConfigPath is a path to global TSH config. Can be overridden with TELEPORT_GLOBAL_TSH_CONFIG.
	GlobalTshConfigPath string

	// LocalProxyPort is the port used by the local proxy listener.
	LocalProxyPort string
	// LocalProxyTunnel specifies whether the local proxy will open an authenticated tunnel.
	LocalProxyTunnel bool

	// Exec is the command to run via tsh aws.
	Exec string
	// AWSRole is the Amazon role ARN or role name that will be used for AWS CLI access.
	AWSRole string
	// AWSCommandArgs contains arguments that will be forwarded to the AWS CLI binary.
	AWSCommandArgs []string
	// AWSEndpointURLMode is an AWS proxy mode that serves an AWS endpoint URL
	// proxy instead of an HTTPS proxy.
	AWSEndpointURLMode bool

	// AzureIdentity is the Azure identity that will be used for Azure CLI access.
	AzureIdentity string
	// AzureCommandArgs contains arguments that will be forwarded to the Azure CLI binary.
	AzureCommandArgs []string

	// GCPServiceAccount is the GCP service account name that will be used for GCP CLI access.
	GCPServiceAccount string
	// GCPCommandArgs contains arguments that will be forwarded to GCP CLI binary.
	GCPCommandArgs []string

	// Reason is the reason for starting an ssh or kube session.
	Reason string

	// Invited is the list of users invited to an ssh or kube session.
	Invited []string

	// JoinMode is the participant mode someone is joining a session as.
	JoinMode string

	// SessionKinds is the list of active session kinds to list.
	SessionKinds []string

	// TSHConfig is the loaded tsh configuration file ~/.tsh/config/config.yaml.
	TSHConfig TSHConfig

	// ListAll specifies if an ls command should return results from all clusters and proxies.
	ListAll bool

	// SampleTraces indicates whether traces should be sampled.
	SampleTraces bool

	// TraceExporter is a manually provided URI to send traces to instead of
	// forwarding them to the Auth service.
	TraceExporter string

	// TracingProvider is the provider to use to create tracers, from which spans can be created.
	TracingProvider oteltrace.TracerProvider

	// FromUTC is the start time of the range of sessions listed by the session recordings listing command
	FromUTC string

	// ToUTC is the end time of the range of sessions listed by the session recordings listing command
	ToUTC string

	// KubeConfigPath is the location of the Kubeconfig for the current test.
	// Setting this value allows Teleport tests to run `tsh login` commands in
	// parallel.
	// It shouldn't be used outside testing.
	KubeConfigPath string

	// Headless uses headless login for the client session.
	Headless bool

	// MlockMode determines whether the process memory will be locked, and whether errors will be enforced.
	// Allowed values include false, strict, and best_effort.
	MlockMode string

	// HeadlessAuthenticationID is the ID of a headless authentication.
	HeadlessAuthenticationID string

	// DTAuthnRunCeremony allows tests to override the default device
	// authentication function.
	// Defaults to [dtauthn.NewCeremony().Run].
	DTAuthnRunCeremony client.DTAuthnRunCeremonyFunc

	// WebauthnLogin allows tests to override the Webauthn Login func.
	// Defaults to [wancli.Login].
	WebauthnLogin client.WebauthnLoginFunc

	// LeafClusterName is the optional name of a leaf cluster to connect to instead.
	LeafClusterName string

	// PIVSlot specifies a specific PIV slot to use with hardware key support.
	PIVSlot string

	// SSHLogDir is the directory to log the output of multiple SSH commands to.
	// If not set, no logs will be created.
	SSHLogDir string

	// DisableSSHResumption disables transparent SSH connection resumption.
	DisableSSHResumption bool
	// contains filtered or unexported fields
}

CLIConf stores command line arguments and flags.

func (*CLIConf) CommandWithBinary

func (c *CLIConf) CommandWithBinary() string

CommandWithBinary returns the current/selected command with the binary.

func (*CLIConf) FullProfileStatus

func (c *CLIConf) FullProfileStatus() (*client.ProfileStatus, []*client.ProfileStatus, error)

func (*CLIConf) GetProfile

func (c *CLIConf) GetProfile() (*profile.Profile, error)

GetProfile loads user profile.

func (*CLIConf) ListProfiles

func (c *CLIConf) ListProfiles() ([]*client.ProfileStatus, error)

ListProfiles returns a list of profiles the current user has credentials for.

func (*CLIConf) ProfileStatus

func (c *CLIConf) ProfileStatus() (*client.ProfileStatus, error)

func (*CLIConf) RunCommand

func (c *CLIConf) RunCommand(cmd *exec.Cmd) error

RunCommand executes provided command.

func (*CLIConf) Stderr

func (c *CLIConf) Stderr() io.Writer

Stderr returns the stderr writer.

func (*CLIConf) Stdin

func (c *CLIConf) Stdin() io.Reader

Stdin returns the stdin reader.

func (*CLIConf) Stdout

func (c *CLIConf) Stdout() io.Writer

Stdout returns the stdout writer.

type CliOption

type CliOption func(*CLIConf) error

CliOption is used in tests to inject/override configuration within Run.

type DefaultRemoteExecutor

type DefaultRemoteExecutor struct{}

DefaultRemoteExecutor is the standard implementation of remote command execution.

func (*DefaultRemoteExecutor) Execute

func (*DefaultRemoteExecutor) Execute(ctx context.Context, method string, url *url.URL, config *restclient.Config, stdin io.Reader, stdout, stderr io.Writer, tty bool, terminalSizeQueue remotecommand.TerminalSizeQueue) error

type ExecOptions

type ExecOptions struct {
	StreamOptions
	resource.FilenameOptions

	ResourceName     string
	Command          []string
	EnforceNamespace bool

	Builder         func() *resource.Builder
	ExecutablePodFn polymorphichelpers.AttachablePodForObjectFunc

	Pod           *corev1.Pod
	Executor      RemoteExecutor
	PodClient     coreclient.PodsGetter
	GetPodTimeout time.Duration
	Config        *restclient.Config
	// contains filtered or unexported fields
}

func (*ExecOptions) Run

func (p *ExecOptions) Run(ctx context.Context) error

Run executes a validated remote execution against a pod.

type ExtraProxyHeaders

type ExtraProxyHeaders struct {
	// Proxy is the domain of the proxy for this set of headers; it can contain globs.
	Proxy string `yaml:"proxy"`
	// Headers are the http header key values.
	Headers map[string]string `yaml:"headers,omitempty"`
}

ExtraProxyHeaders represents the headers to include with the webclient.

type Options

type Options struct {
	// AddKeysToAgent specifies whether keys should be automatically added to a
	// running SSH agent. Supported option values are "yes".
	AddKeysToAgent bool

	// ForwardAgent specifies whether the connection to the authentication
	// agent will be forwarded to the remote machine. Supported option values
	// are "yes", "no", and "local".
	ForwardAgent client.AgentForwardingMode

	// RequestTTY specifies whether to request a pseudo-tty for the session.
	// Supported option values are "yes" and "no".
	RequestTTY bool

	// StrictHostKeyChecking is used to control whether tsh will automatically add host
	// keys to the ~/.tsh/known_hosts file. Supported option values are "yes"
	// and "no".
	StrictHostKeyChecking bool

	// ForwardX11 specifies whether X11 forwarding should be enabled for
	// ssh sessions started by the client. Supported option values are "yes".
	//
	// When this option is set to true, ForwardX11Trusted will default to true.
	ForwardX11 bool

	// ForwardX11Trusted determines what trust mode should be used for X11Forwarding.
	// Supported option values are "yes" and "no".
	//
	// When set to yes, X11 forwarding will always be in trusted mode if requested.
	// When set to no, X11 forwarding will default to untrusted mode, unless used with
	// the -Y flag.
	ForwardX11Trusted *bool

	// ForwardX11Timeout specifies a timeout in seconds after which X11 forwarding
	// attempts will be rejected when in untrusted forwarding mode.
	ForwardX11Timeout time.Duration
}

Options holds parsed values of OpenSSH options.

type ProxyTemplate

type ProxyTemplate struct {
	// Template is a regular expression that the full hostname is matched against.
	Template string `yaml:"template"`
	// Proxy is the proxy address. Can refer to regex groups from the template.
	Proxy string `yaml:"proxy"`
	// Host is an optional hostname. Can refer to regex groups from the template.
	Host string `yaml:"host"`
	// Cluster is an optional cluster name. Can refer to regex groups from the template.
	Cluster string `yaml:"cluster"`
	// contains filtered or unexported fields
}

ProxyTemplate describes a single rule for parsing a proxy address out of the full hostname. Used by tsh proxy ssh.

func (ProxyTemplate) Apply

func (t ProxyTemplate) Apply(fullHostname string) (proxy, host, cluster string, matched bool)

Apply applies the proxy template to the provided hostname and returns the expanded proxy address, hostname and cluster name.

func (*ProxyTemplate) Check

func (t *ProxyTemplate) Check() (err error)

Check validates the proxy template.

type ProxyTemplates

type ProxyTemplates []*ProxyTemplate

ProxyTemplates represents a list of individual proxy templates.

func (ProxyTemplates) Apply

func (t ProxyTemplates) Apply(fullHostname string) (proxy, host, cluster string, matched bool)

Apply attempts to match the provided full hostname against all the templates in the list. Returns the extracted proxy, host and cluster from the first matching template.
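The first-match semantics of ProxyTemplates.Apply described above, together with ProxyTemplate.Check and the regex-group expansion into proxy, host and cluster, re-implemented as an added example that is not Teleport's own code. The sample templates, hostnames and proxy addresses are constructed, the receivers are pointers here (the documented Apply uses a value receiver), and anchoring each pattern to the whole hostname is this example's choice; the page does not say whether tsh does so.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ProxyTemplate has the documented yaml fields (added example, not Teleport's code).
type ProxyTemplate struct {
	Template string `yaml:"template"`
	Proxy    string `yaml:"proxy"`
	Host     string `yaml:"host"`
	Cluster  string `yaml:"cluster"`
	re       *regexp.Regexp // compiled by Check
}

// Check validates the template: it must compile and must name a proxy. The pattern is
// anchored so a template can only match the whole hostname, never a substring of a
// lookalike name (an assumption of this example; the page does not say whether tsh anchors).
func (t *ProxyTemplate) Check() error {
	if t.Template == "" || t.Proxy == "" {
		return errors.New("proxy template: template and proxy are required")
	}
	re, err := regexp.Compile("^(?:" + t.Template + ")$")
	if err != nil {
		return fmt.Errorf("proxy template %q: %w", t.Template, err)
	}
	t.re = re
	return nil
}

// Apply matches fullHostname and expands ${n}/${name} group references in proxy, host
// and cluster. An invalid template never matches (Check runs lazily if needed).
func (t *ProxyTemplate) Apply(fullHostname string) (proxy, host, cluster string, matched bool) {
	if t.re == nil && t.Check() != nil {
		return "", "", "", false
	}
	m := t.re.FindStringSubmatchIndex(fullHostname)
	if m == nil {
		return "", "", "", false
	}
	expand := func(s string) string { return string(t.re.ExpandString(nil, s, fullHostname, m)) }
	return expand(t.Proxy), expand(t.Host), expand(t.Cluster), true
}

// ProxyTemplates is tried in order; Apply returns the expansions of the first match.
type ProxyTemplates []*ProxyTemplate

func (ts ProxyTemplates) Apply(fullHostname string) (proxy, host, cluster string, matched bool) {
	for _, t := range ts {
		if p, h, c, ok := t.Apply(fullHostname); ok {
			return p, h, c, true
		}
	}
	return "", "", "", false
}

// sampleTemplates is a constructed proxy_templates list; all names here are made up.
var sampleTemplates = ProxyTemplates{
	{Template: `(?P<node>[^.]+)\.(?P<cluster>[^.]+)\.example\.com`, Proxy: "proxy.example.com:443", Host: "${node}", Cluster: "${cluster}"},
	{Template: `([^.]+)\.corp\.internal`, Proxy: "teleport.corp.internal:3080", Host: "${1}"},
}

func main() { fmt.Println(sampleTemplates.Apply("db1.east.example.com")) } // proxy.example.com:443 db1 east true
```

Because templates are tried in order, a broad pattern placed first shadows every more specific one after it, so keep the most specific templates at the top of proxy_templates.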

type RemoteExecutor

type RemoteExecutor interface {
	Execute(ctx context.Context, method string, url *url.URL, config *restclient.Config, stdin io.Reader, stdout, stderr io.Writer, tty bool, terminalSizeQueue remotecommand.TerminalSizeQueue) error
}

RemoteExecutor defines the interface accepted by the Exec command. It is provided for test stubbing.

type StreamOptions

type StreamOptions struct {
	Namespace     string
	PodName       string
	ContainerName string
	Stdin         bool
	TTY           bool
	// minimize unnecessary output
	Quiet bool

	genericclioptions.IOStreams
	// contains filtered or unexported fields
}

func (*StreamOptions) SetupTTY

func (o *StreamOptions) SetupTTY() term.TTY

type TSHConfig

type TSHConfig struct {
	// ExtraHeaders are additional http headers to be included in
	// webclient requests.
	ExtraHeaders []ExtraProxyHeaders `yaml:"add_headers,omitempty"`
	// ProxyTemplates describe rules for parsing a proxy address out of full hostnames.
	ProxyTemplates ProxyTemplates `yaml:"proxy_templates,omitempty"`
	// Aliases are custom commands extending baseline tsh functionality.
	Aliases map[string]string `yaml:"aliases,omitempty"`
}

TSHConfig represents configuration loaded from the tsh config file.

func (*TSHConfig) Check

func (config *TSHConfig) Check() error

Check validates the tsh config.

func (*TSHConfig) Merge

func (config *TSHConfig) Merge(otherConfig *TSHConfig) TSHConfig

Merge merges two configs into one. The passed-in otherConfig argument has higher priority.
