config

type AppConfig struct {
	// SSH contains the configuration for the SSH server.
	// swagger:ignore
	SSH SSHConfig `json:"ssh" yaml:"ssh"`
	// ConfigServer contains the settings for fetching the user-specific configuration.
	// swagger:ignore
	ConfigServer ClientConfig `json:"configserver" yaml:"configserver"`
	// Auth contains the configuration for user authentication.
	// swagger:ignore
	Auth AuthConfig `json:"auth" yaml:"auth"`
	// Log contains the configuration for the logging level.
	// swagger:ignore
	Log LogConfig `json:"log" yaml:"log"`
	// Metrics contains the configuration for the metrics server.
	// swagger:ignore
	Metrics MetricsConfig `json:"metrics" yaml:"metrics"`
	// GeoIP contains the configuration for the GeoIP lookups.
	// swagger:ignore
	GeoIP GeoIPConfig `json:"geoip" yaml:"geoip"`
	// Audit contains the configuration for audit logging and log upload.
	// swagger:ignore
	Audit AuditLogConfig `json:"audit" yaml:"audit"`
	// Health contains the configuration for the health check service.
	Health HealthConfig `json:"health" yaml:"health"`

	// Security contains the security restrictions on what can be executed. This option can be changed from the config
	// server.
	Security SecurityConfig `json:"security" yaml:"security"`
	// Backend defines which backend to use. This option can be changed from the config server.
	Backend Backend `json:"backend" yaml:"backend" default:"docker"`
	// Docker contains the configuration for the docker backend. This option can be changed from the config server.
	Docker DockerConfig `json:"docker,omitempty" yaml:"docker"`
	// DockerRun is a placeholder for the removed DockerRun backend. Filling this with anything but nil will yield a
	// validation error.
	DockerRun interface{} `json:"dockerrun,omitempty"`
	// Kubernetes contains the configuration for the kubernetes backend. This option can be changed from the config
	// server.
	Kubernetes KubernetesConfig `json:"kubernetes,omitempty" yaml:"kubernetes"`
	// KubeRun is a placeholder for the removed DockerRun backend. Filling this with anything but nil will yield a
	// validation error.
	KubeRun interface{} `json:"kuberun,omitempty"`
	// SSHProxy is the configuration for the SSH proxy backend, which forwards requests to a backing SSH server.
	SSHProxy SSHProxyConfig `json:"sshproxy,omitempty" yaml:"sshproxy"`
}

type AuditLogConfig struct {
	// Enable turns on audit logging.
	Enable bool `json:"enable" yaml:"enable" default:"false"`
	// Format audit format
	Format AuditLogFormat `json:"format" yaml:"format" default:"none"`
	// Storage audit storage type
	Storage AuditLogStorage `json:"storage" yaml:"storage" default:"none"`
	// File audit logger configuration
	File AuditLogFileConfig `json:"file" yaml:"file"`
	// S3 configuration
	S3 AuditLogS3Config `json:"s3" yaml:"s3"`
	// Intercept configures what should be intercepted
	Intercept AuditLogInterceptConfig `json:"intercept" yaml:"intercept"`
}

type AuditLogFileConfig struct {
	Directory string `json:"directory" yaml:"directory" default:"/var/log/audit"`
}

type AuditLogFormat string

type AuditLogInterceptConfig struct {
	// Stdin signals that the standard input from the user should be captured.
	Stdin bool `json:"stdin" yaml:"stdin" default:"false"`
	// Stdout signals that the standard output to the user should be captured.
	Stdout bool `json:"stdout" yaml:"stdout" default:"false"`
	// Stderr signals that the standard error to the user should be captured.
	Stderr bool `json:"stderr" yaml:"stderr" default:"false"`
	// Passwords signals that passwords during authentication should be captured.
	Passwords bool `json:"passwords" yaml:"passwords" default:"false"`
	// Forwarding signals that the contents of forward and reverse connection forwardings should be captured.
	Forwarding bool `json:"forwarding" yaml:"forwarding" default:"false"`
}

type AuditLogS3Config struct {
	Local           string             `json:"local" yaml:"local" default:"/var/lib/audit"`
	AccessKey       string             `json:"accessKey" yaml:"accessKey"`
	SecretKey       string             `json:"secretKey" yaml:"secretKey"`
	Bucket          string             `json:"bucket" yaml:"bucket"`
	Region          string             `json:"region" yaml:"region"`
	Endpoint        string             `json:"endpoint" yaml:"endpoint"`
	CACert          string             `json:"cacert" yaml:"cacert"`
	ACL             string             `json:"acl" yaml:"acl"`
	PathStyleAccess bool               `json:"pathStyleAccess" yaml:"pathStyleAccess"`
	UploadPartSize  uint               `json:"uploadPartSize" yaml:"uploadPartSize" default:"5242880"`
	ParallelUploads uint               `json:"parallelUploads" yaml:"parallelUploads" default:"20"`
	Metadata        AuditLogS3Metadata `json:"metadata" yaml:"metadata"`
}

type AuditLogS3Metadata struct {
	IP       bool `json:"ip" yaml:"ip"`
	Username bool `json:"username" yaml:"username"`
}

type AuditLogStorage string

type AuthConfig struct {
	// PasswordAuth configures how users are authenticated with passwords. If not set, password authentication is
	// disabled.
	PasswordAuth PasswordAuthConfig `json:"password" yaml:"password"`

	// PublicKeyAuth configures how users are authenticated with their public keys. If not set, public key
	// authentication is disabled.
	PublicKeyAuth PublicKeyAuthConfig `json:"publicKey" yaml:"publicKey"`

	// KeyboardInteractiveAuth configures how users are authenticated using the keyboard-interactive (question-answer)
	// method. If this is empty, keyboard-interactive is disabled.
	KeyboardInteractiveAuth KeyboardInteractiveAuthConfig `json:"keyboardInteractive" yaml:"keyboardInteractive"`

	// GSSAPIAuth configures how users are authenticated using the GSSAPI (typically Kerberos) method. If this is empty,
	// GSSAPI authentication is disabled.
	GSSAPIAuth GSSAPIAuthConfig `json:"gssapi" yaml:"gssapi"`

	// Authz is the authorization configuration. The authorization server will receive a webhook after successful user
	// authentication to determine whether the specified user has access to the service. If not set authorization is
	// disabled. It is strongly recommended you configure AuthZ in case of oAuth2 and GSSAPI methods as these methods
	// do not verify the provided SSH username.
	Authz AuthzConfig `json:"authz" yaml:"authz"`

	// AuthTimeout is the timeout for the overall authentication call (e.g. verifying a password). If the server
	// responds with a non-200 response the call will be retried until this timeout is reached. This timeout
	// should be increased to ~180s for OAuth2 login.
	// Deprecated: please use the individual authentication methods instead.
	AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"60s"`

	// Deprecated: please use the individual authentication configurations instead.
	HTTPClientConfiguration `json:",inline" yaml:",inline"`

	// Password is a flag to enable password authentication.
	// Deprecated: use PasswordAuth instead.
	Password *bool `json:"-" yaml:"-" comment:"Perform password authentication" default:"true"`
	// PubKey is a flag to enable public key authentication.
	// Deprecated: use PublicKeyAuth instead.
	PubKey *bool `json:"pubkey" yaml:"pubkey" comment:"Perform public key authentication" default:"true"`
}

type AuthGenericConfig struct {
	// AuthorizeEndpointURL is the endpoint configuration for the OAuth2 authorization
	AuthorizeEndpointURL string `json:"authorizeEndpointURL" yaml:"authorizeEndpointURL"`
	// TokenEndpoint is the endpoint configuration for the OAuth2 authorization
	TokenEndpoint HTTPClientConfiguration `json:"tokenEndpoint" yaml:"tokenEndpoint"`
	// RedirectURI is the URI the client is returned to. This URL should be configured to the redirect server endpoint.
	RedirectURI string `json:"redirectURI" yaml:"redirectURI"`
}

type AuthGitHubConfig struct {
	// CACert is the PEM-encoded CA certificate, or file containing a PEM-encoded CA certificate used to verify the
	// GitHub server certificate.
	CACert string `json:"cacert" yaml:"cacert" default:""`

	// URL is the base GitHub URL. Change this for GitHub Enterprise.
	URL string `json:"url" yaml:"url" default:"https://github.com"`

	// APIURL is the GitHub API URL. Change this for GitHub Enterprise.
	APIURL string `json:"apiurl" yaml:"apiurl" default:"https://api.github.com"`

	// ClientCert is a PEM containing an x509 certificate to present to the server or a file name containing the PEM.
	ClientCert string `json:"cert" yaml:"cert" comment:"Client certificate file in PEM format."`

	// ClientKey is a PEM containing a private key to use to connect the server or a file name containing the PEM.
	ClientKey string `json:"key" yaml:"key" comment:"Client key file in PEM format."`

	// TLSVersion is the minimum TLS version to use.
	TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`

	// ECDHCurves is the list of curve algorithms to support.
	ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`

	// CipherSuites is a list of supported cipher suites.
	CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */

	// EnforceUsername requires that the GitHub username and the entered SSH username match. If this is set to false
	// the configuration server has to handle the GITHUB_USER connnection parameter in order to obtain the correct
	// username as the SSH username cannot be trusted.
	EnforceUsername bool `json:"enforceUsername" yaml:"enforceUsername" default:"true"`
	// RequireOrgMembership checks if the user is part of the specified organization on GitHub. This requires the
	// read:org scope to be granted by the user. If the user does not grant this scope the authentication fails.
	RequireOrgMembership string `json:"requireOrgMembership" yaml:"requireOrgMembership"`
	// Require2FA requires the user to have two factor authentication enabled when logging in to this server. This
	// requires the read:user scope to be granted by the user. If the user does not grant this scope the authentication
	// fails.
	Require2FA bool `json:"require2FA" yaml:"require2FA"`

	// ExtraScopes asks the user to grant extra scopes to ContainerSSH. This is useful when the configuration server
	// needs these scopes to operate.
	ExtraScopes []string `json:"extraScopes" yaml:"extraScopes"`
	// EnforceScopes rejects the user authentication if the user fails to grant the scopes requested in extraScopes.
	EnforceScopes bool `json:"enforceScopes" yaml:"enforceScopes"`

	// RequestTimeout is the timeout for individual HTTP requests.
	RequestTimeout time.Duration `json:"timeout" yaml:"timeout" default:"10s"`
}

type AuthKerberosClientConfig struct {
	// Keytab is the path to the kerberos keytab. If unset it defaults to
	// the default of /etc/krb5.keytab. If this file doesn't exist and
	// kerberos authentication is requested ContainerSSH will fail to start.
	Keytab string `json:"keytab" yaml:"keytab" default:"/etc/krb5.keytab"`
	// Acceptor is the name of the keytab entry to authenticate against.
	// The value of this field needs to be in the form of `service/name`.
	//
	// The special value of `host` will authenticate clients only against
	// the service `host/hostname` where hostname is the system hostname
	// The special value of 'any' will authenticate against all keytab
	// entries regardless of name.
	Acceptor string `json:"acceptor" yaml:"acceptor" default:"any"`
	// EnforceUsername specifies whether to check that the username of the
	// authenticated user matches the SSH username entered. If set to false
	// the authorization server must be responsible for ensuring proper
	// access control.
	//
	// WARNING: If authorization is unset and this is set to false all
	// authenticated users can log in to any account!
	EnforceUsername bool `json:"enforceUsername" yaml:"enforceUsername" default:"true"`
	// CredentialCachePath is the path in which the kerberos credentials
	// will be written inside the user containers.
	CredentialCachePath string `json:"credentialCachePath" yaml:"credentialCachePath" default:"/tmp/krb5cc"`
	// ConfigPath is the path of the kerberos configuration file. This is
	// only used for password authentication.
	ConfigPath string `json:"configPath" yaml:"configPath" default:"/etc/containerssh/krb5.conf"`
	// ClockSkew is the maximum allowed clock skew for kerberos messages,
	// any messages older than this will be rejected. This value is also
	// used for the replay cache.
	ClockSkew time.Duration `json:"clockSkew" yaml:"clockSkew" default:"5m"`
}

type AuthMethod string

type AuthOAuth2ClientConfig struct {
	// Redirect is the configuration for the redirect URI server.
	Redirect OAuth2RedirectConfig `json:"redirect" yaml:"redirect"`

	// ClientID is the public identifier for the ContainerSSH installation.
	ClientID string `json:"clientId" yaml:"clientId"`
	// ClientSecret is the OAuth2 secret value needed to obtain the access token.
	ClientSecret string `json:"clientSecret" yaml:"clientSecret"`

	// Provider is the provider to use for authentication
	Provider OAuth2ProviderName `json:"provider" yaml:"provider"`

	// GitHub is the configuration for the GitHub provider.
	GitHub AuthGitHubConfig `json:"github" yaml:"github"`

	// OIDC is the configuration for the OpenID Connect provider.
	OIDC AuthOIDCConfig `json:"oidc" yaml:"oidc"`

	// Generic is a generic OAuth2 authentication without OIDC userinfo. This method cannot verify the username.
	Generic AuthGenericConfig `json:"generic" yaml:"generic"`

	// QRCodeClients contains a list of strings that are used to identify SSH clients that can display an ASCII QR Code
	// for the device authorization flow. Each string is compiled as regular expressions and are used to match against
	// the client version string.
	//
	// This is done primarily because OpenSSH cuts off the sent text and mangles the drawing characters, so it cannot
	// be used to display a QR code.
	QRCodeClients []string `json:"qrCodeClients" yaml:"qrCodeClients"`

	// DeviceFlowClients is a list of clients that can use the device flow without sending keyboard-interactive
	// questions.
	DeviceFlowClients []string `json:"deviceFlowClients" yaml:"deviceFlowClients"`

	// AuthTimeout is the timeout for the overall authentication call. If the server
	// responds with a non-200 response the call will be retried until this timeout is reached.
	AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"120s"`
}

type AuthOIDCConfig struct {
	HTTPClientConfiguration `json:",inline" yaml:",inline"`

	// DeviceFlow enables or disables using the OIDC device flow.
	DeviceFlow bool `json:"deviceFlow" yaml:"deviceFlow"`
	// AuthorizationCodeFlow enables or disables the OIDC authorization code flow.
	AuthorizationCodeFlow bool `json:"authorizationCodeFlow" yaml:"authorizationCodeFlow"`

	// UsernameField indicates the userinfo field that should be taken as the username.
	UsernameField string `json:"usernameField" yaml:"usernameField" default:"sub"`

	// RedirectURI is the URI the client is returned to. This URL should be configured to the redirect server endpoint.
	RedirectURI string `json:"redirectURI" yaml:"redirectURI"`
}

type AuthWebhookClientConfig struct {
	HTTPClientConfiguration `json:",inline" yaml:",inline"`

	// AuthTimeout is the timeout for the overall authentication call (e.g. verifying a password). If the server
	// responds with a non-200 response the call will be retried until this timeout is reached.
	AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"60s"`
}

type AuthzConfig struct {
	Method AuthzMethod `json:"method" yaml:"method" default:""`

	Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`
}

type AuthzMethod string

type Backend string

type CipherSuite string

type CipherSuiteList []CipherSuite

type ClientConfig struct {
	HTTPClientConfiguration `json:",inline" yaml:",inline"`

	// TransmitSensitiveMetadata enables sending sensitive metadata fields to the configuration webhook server.
	// If disabled, sensitive metadata fields are sanitized from the webhook request.
	TransmitSensitiveMetadata bool `json:"transmitSensitiveMetadata" yaml:"transmitSensitiveMetadata"`
}

type CommandConfig struct {
	// Mode configures how to treat command execution (exec) requests by SSH clients.
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
	// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified commands to be
	// executed. Note that the match an exact match is performed to avoid shell injections, etc.
	Allow []string `json:"allow" yaml:"allow"`
}

type DockerConfig struct {
	// Connection configures how to connect to dockerd
	Connection DockerConnectionConfig `json:"connection" yaml:"connection"`
	// Execution drives how the container and the workload are executed
	Execution DockerExecutionConfig `json:"execution" yaml:"execution"`
	// Timeouts configures the various timeouts when interacting with dockerd.
	Timeouts DockerTimeoutConfig `json:"timeouts" yaml:"timeouts"`
}

type DockerConnectionConfig struct {
	// Host is the docker connect URL.
	Host string `json:"host" yaml:"host" default:"unix:///var/run/docker.sock"`
	// CaCert is the CA certificate for Docker connection embedded in the configuration in PEM format.
	CaCert string `json:"cacert" yaml:"cacert"`
	// Cert is the client certificate in PEM format embedded in the configuration.
	Cert string `json:"cert" yaml:"cert"`
	// Key is the client key in PEM format embedded in the configuration.
	Key string `json:"key" yaml:"key"`
}

type DockerExecutionConfig struct {
	// DockerLaunchConfig contains the Docker-specific launch configuration.
	DockerLaunchConfig `json:",inline" yaml:",inline"`

	// Auth contains the image registry authentication config
	Auth *types.AuthConfig `json:"auth" yaml:"auth"`

	// Mode influences how commands are executed.
	//
	// - If DockerExecutionModeConnection is chosen (default) a new container is launched per connection. In this mode
	//   sessions are executed using the "docker exec" functionality and the main container console runs a script that
	//   waits for a termination signal.
	// - If DockerExecutionModeSession is chosen a new container is launched per session, leading to potentially multiple
	//   containers per connection. In this mode the program is launched directly as the main process of the container.
	//   When configuring this mode you should explicitly configure the "cmd" option to an empty list if you want the
	//   default command in the container to launch.
	Mode DockerExecutionMode `json:"mode" yaml:"mode" default:"connection"`

	// IdleCommand is the command that runs as the first process in the container in DockerExecutionModeConnection. Ignored in DockerExecutionModeSession.
	IdleCommand []string `` /* 199-byte string literal not displayed */
	// ShellCommand is the command used for launching shells when the container is in DockerExecutionModeConnection. Ignored in DockerExecutionModeSession.
	ShellCommand []string `json:"shellCommand" yaml:"shellCommand" comment:"Run this command as a default shell." default:"[\"/bin/bash\"]"`
	// AgentPath contains the path to the ContainerSSH Guest Agent.
	AgentPath string `json:"agentPath" yaml:"agentPath" default:"/usr/bin/containerssh-agent"`
	// DisableAgent enables using the ContainerSSH Guest Agent.
	DisableAgent bool `json:"disableAgent" yaml:"disableAgent"`
	// Subsystems contains a map of subsystem names and their corresponding binaries in the container.
	Subsystems map[string]string `` /* 133-byte string literal not displayed */

	// ImagePullPolicy controls when to pull container images.
	ImagePullPolicy DockerImagePullPolicy `json:"imagePullPolicy" yaml:"imagePullPolicy" comment:"Image pull policy" default:"IfNotPresent"`

	// ExposeAuthMetadataAsEnv lets you expose the authentication metadata (e.g. GITHUB_TOKEN) as an environment variable
	// in the container. In contrast to the environment variables set in the SSH connection these environment variables
	// are available to all processes in the container, including the idle command.
	ExposeAuthMetadataAsEnv bool `json:"exposeAuthMetadataAsEnv" yaml:"exposeAuthMetadataAsEnv"`
}

type DockerExecutionMode string

type DockerImagePullPolicy string

type DockerLaunchConfig struct {
	// ContainerConfig contains container-specific configuration options.
	ContainerConfig *container.Config `` /* 135-byte string literal not displayed */
	// HostConfig contains the host-specific configuration options.
	HostConfig *container.HostConfig `json:"host" yaml:"host" comment:"Host configuration"`
	// NetworkConfig contains the network settings.
	NetworkConfig *network.NetworkingConfig `json:"network" yaml:"network" comment:"Network configuration"`
	// Platform contains the platform specification.
	Platform *specs.Platform `json:"platform" yaml:"platform" comment:"Platform specification"`
	// ContainerName is the name of the container to launch. It is recommended to leave this empty, otherwise
	// ContainerSSH may not be able to start the container if a container with the same name already exists.
	ContainerName string `json:"containername" yaml:"containername" comment:"Name for the container to be launched"`
}

type DockerTimeoutConfig struct {
	// ContainerStart is the maximum time starting a container may take.
	ContainerStart time.Duration `json:"containerStart" yaml:"containerStart" default:"60s"`
	// ContainerStop is the maximum time to wait for a container to stop. This should always be set higher than the Docker StopTimeout.
	ContainerStop time.Duration `json:"containerStop" yaml:"containerStop" default:"60s"`
	// CommandStart sets the maximum time starting a command may take.
	CommandStart time.Duration `json:"commandStart" yaml:"commandStart" default:"60s"`
	// Signal sets the maximum time sending a signal may take.
	Signal time.Duration `json:"signal" yaml:"signal" default:"60s"`
	// Signal sets the maximum time setting the window size may take.
	Window time.Duration `json:"window" yaml:"window" default:"60s"`
	// HTTP
	HTTP time.Duration `json:"http" yaml:"http" default:"15s"`
}

type ECDHCurve string

type ECDHCurveList []ECDHCurve

type ForwardingConfig struct {
	// ReverseForwardingMode configures how to treat reverse port forwarding requests from the container to the client.
	ReverseForwardingMode SecurityExecutionPolicy `json:"reverseForwardingMode" yaml:"reverseForwardingMode" default:"disable"`

	// ForwardingMode configures how to treat port forwarding requests from the client to the container. Enabling this setting also allows using ContainerSSH as a SOCKs proxy.
	ForwardingMode SecurityExecutionPolicy `json:"forwardingMode" yaml:"forwardingMode" default:"disable"`

	// SocketForwardingMode configures how to treat connection requests from the client to a unix socket in the container.
	SocketForwardingMode SecurityExecutionPolicy `json:"socketForwardingMode" yaml:"socketForwardingMode" default:"disable"`

	// SocketListenMode configures how to treat requests to listen for connections to a unix socket in the container.
	SocketListenMode SecurityExecutionPolicy `json:"socketListenMode" yaml:"socketListenMode" default:"disable"`

	// X11forwardingMode configures how to treat X11 forwarding requests from the container to the client
	X11ForwardingMode SecurityExecutionPolicy `json:"x11ForwardingMode" yaml:"x11ForwardingMode" default:"disable"`
}

type GSSAPIAuthConfig struct {
	// Method is the authenticator to use for GSSAPI authentication.
	Method GSSAPIAuthMethod `json:"method" yaml:"method"`

	// Kerberos configures GSSAPI for Kerberos authentication.
	Kerberos AuthKerberosClientConfig `json:"kerberos" yaml:"kerberos"`
}

type GSSAPIAuthMethod string

type GeoIPConfig struct {
	Provider   GeoIPProvider `yaml:"provider" json:"provider" default:"dummy"`
	GeoIP2File string        `yaml:"maxmind-geoip2-file" json:"maxmind-geoip2-file" default:"/var/lib/GeoIP/GeoIP2-Country.mmdb"`
}

type GeoIPProvider string

type HTTPClientCerts struct {
	// CACertPool contains the certificate pool used for verifying the server identity.
	CACertPool *x509.CertPool
	// Cert is the client certificate to authenticate to the server with, if any.
	Cert *tls.Certificate
}

type HTTPClientConfiguration struct {
	// URL is the base URL for requests.
	URL string `json:"url" yaml:"url" comment:"Base URL of the server to connect."`

	// AllowRedirects sets if the client should honor HTTP redirects. Defaults to false.
	AllowRedirects bool `json:"allowRedirects" yaml:"allowRedirects" comment:""`

	// Timeout is the time the client should wait for a response.
	Timeout time.Duration `json:"timeout" yaml:"timeout" comment:"HTTP call timeout." default:"2s"`

	// CACert is either the CA certificate to expect on the server in PEM format
	//         or the name of a file containing the PEM.
	CACert string `json:"cacert" yaml:"cacert" comment:"CA certificate in PEM format to use for host verification."`

	// ClientCert is a PEM containing an x509 certificate to present to the server or a file name containing the PEM.
	ClientCert string `json:"cert" yaml:"cert" comment:"Client certificate file in PEM format."`

	// ClientKey is a PEM containing a private key to use to connect the server or a file name containing the PEM.
	ClientKey string `json:"key" yaml:"key" comment:"Client key file in PEM format."`

	// TLSVersion is the minimum TLS version to use.
	TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`

	// ECDHCurves is the list of curve algorithms to support.
	ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`

	// CipherSuites is a list of supported cipher suites.
	CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */

	// RequestEncoding is the means by which the request body is encoded. It defaults to JSON encoding.
	RequestEncoding RequestEncoding `json:"-" yaml:"-"`
}

type HTTPServerCerts struct {
	// Cert is the server certificate.
	Cert *tls.Certificate
	// ClientCAPool contains the CA certificate pool to verify client certificates against, if any.
	ClientCAPool *x509.CertPool
}

type HTTPServerConfiguration struct {
	// Listen contains the IP and port to listen on.
	Listen string `json:"listen" yaml:"listen" default:"0.0.0.0:8080"`
	// Key contains either a file name to a private key, or the private key itself in PEM format to use as a server key.
	Key string `json:"key" yaml:"key"`
	// Cert contains either a file to a certificate, or the certificate itself in PEM format to use as a server
	// certificate.
	Cert string `json:"cert" yaml:"cert"`
	// ClientCACert contains either a file or a certificate in PEM format to verify the connecting clients by.
	ClientCACert string `json:"clientcacert" yaml:"clientcacert"`

	// TLSVersion is the minimum TLS version to use.
	TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`

	// ECDHCurves is the list of curve algorithms to support.
	ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`

	// CipherSuites is a list of supported cipher suites.
	CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */
}

type HealthConfig struct {
	Enable                  bool `json:"enable" yaml:"enable"`
	HTTPServerConfiguration `json:",inline" yaml:",inline" default:"{\"listen\":\"0.0.0.0:7000\"}"`
	Client                  HTTPClientConfiguration `json:"client" yaml:"client" default:"{\"url\":\"http://127.0.0.1:7000/\"}"`
}

type KeyboardInteractiveAuthConfig struct {
	// Method is the authenticator to use for public keys.
	Method KeyboardInteractiveAuthMethod `json:"method" yaml:"method" default:""`

	// Webhook configures the oAuth2 authenticator for keyboard-interactive authentication.
	OAuth2 AuthOAuth2ClientConfig `json:"oauth2" yaml:"oauth2"`
}

type KeyboardInteractiveAuthMethod string

type KubernetesConfig struct {
	// Connection configures the connection to the Kubernetes cluster.
	Connection KubernetesConnectionConfig `json:"connection,omitempty" yaml:"connection" comment:"Kubernetes configuration options"`
	// Pod contains the spec and specific settings for creating the pod.
	Pod KubernetesPodConfig `json:"pod,omitempty" yaml:"pod" comment:"Container configuration"`
	// Timeout specifies how long to wait for the Pod to come up.
	Timeouts KubernetesTimeoutConfig `json:"timeouts,omitempty" yaml:"timeouts" comment:"Timeout for pod creation"`
}

type KubernetesConnectionConfig struct {
	// Host is a host string, a host:port pair, or a URL to the Kubernetes apiserver. Defaults to kubernetes.default.svc.
	Host string `` /* 148-byte string literal not displayed */
	// APIPath is a sub-path that points to the API root. Defaults to /api
	APIPath string `json:"path,omitempty" yaml:"path" comment:"APIPath is a sub-path that points to an API root." default:"/api"`

	// Username is the username for basic authentication.
	Username string `json:"username,omitempty" yaml:"username" comment:"Username for basic authentication"`
	// Password is the password for basic authentication.
	Password string `json:"password,omitempty" yaml:"password" comment:"Password for basic authentication"`

	// ServerName sets the server name to be set in the SNI and used by the client for TLS verification.
	ServerName string `` /* 162-byte string literal not displayed */

	// CertFile points to a file that contains the client certificate used for authentication.
	CertFile string `` /* 129-byte string literal not displayed */
	// KeyFile points to a file that contains the client key used for authentication.
	KeyFile string `json:"keyFile,omitempty" yaml:"keyFile" comment:"File containing client key for TLS client certificate authentication"`
	// CAFile points to a file that contains the CA certificate for authentication.
	CAFile string `json:"cacertFile,omitempty" yaml:"cacertFile" comment:"File containing trusted root certificates for the server"`

	// CertData contains a PEM-encoded certificate for TLS client certificate authentication.
	CertData string `json:"cert,omitempty" yaml:"cert" comment:"PEM-encoded certificate for TLS client certificate authentication"`
	// KeyData contains a PEM-encoded client key for TLS client certificate authentication.
	KeyData string `json:"key,omitempty" yaml:"key" comment:"PEM-encoded client key for TLS client certificate authentication"`
	// CAData contains a PEM-encoded trusted root certificates for the server.
	CAData string `json:"cacert,omitempty" yaml:"cacert" comment:"PEM-encoded trusted root certificates for the server"`

	// BearerToken contains a bearer (service) token for authentication.
	BearerToken string `json:"bearerToken,omitempty" yaml:"bearerToken" comment:"Bearer (service token) authentication"`
	// BearerTokenFile points to a file containing a bearer (service) token for authentication.
	// Set to /var/run/secrets/kubernetes.io/serviceaccount/token to use service token in a Kubernetes kubeConfigCluster.
	BearerTokenFile string `` /* 221-byte string literal not displayed */

	// QPS indicates the maximum QPS to the master from this client. Defaults to 5.
	QPS float32 `json:"qps,omitempty" yaml:"qps" comment:"QPS indicates the maximum QPS to the master from this client." default:"5"`
	// Burst indicates the maximum burst for throttle.
	Burst int `json:"burst,omitempty" yaml:"burst" comment:"Maximum burst for throttle." default:"10"`
}

type KubernetesExecutionMode string

type KubernetesPodConfig struct {
	// Metadata configures the pod metadata.
	Metadata metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" default:"{\"namespace\":\"default\",\"generateName\":\"containerssh-\"}"`
	// Spec contains the pod specification to launch.
	Spec v1.PodSpec `` /* 173-byte string literal not displayed */

	// ConsoleContainerNumber specifies the container to attach the running process to. Defaults to 0.
	ConsoleContainerNumber int `` /* 139-byte string literal not displayed */

	// IdleCommand contains the command to run as the first process in the container. Other commands are executed using the "exec" method.
	IdleCommand []string `` /* 209-byte string literal not displayed */
	// ShellCommand is the command used for launching shells when the container. Required in KubernetesExecutionModeConnection and when the agent is used.
	ShellCommand []string `json:"shellCommand,omitempty" yaml:"shellCommand" comment:"Run this command as a default shell." default:"[\"/bin/bash\"]"`
	// AgentPath contains the path to the ContainerSSH Guest Agent.
	AgentPath string `json:"agentPath,omitempty" yaml:"agentPath" default:"/usr/bin/containerssh-agent"`
	// DisableAgent disables using the ContainerSSH Guest Agent.
	DisableAgent bool `json:"disableAgent,omitempty" yaml:"disableAgent"`
	// Subsystems contains a map of subsystem names and the executable to launch.
	Subsystems map[string]string `` /* 143-byte string literal not displayed */

	// Mode influences how commands are executed.
	//
	// - If KubernetesExecutionModeConnection is chosen (default) a new pod is launched per connection. In this mode
	//   sessions are executed using the "docker exec" functionality and the main container console runs a script that
	//   waits for a termination signal.
	// - If KubernetesExecutionModeSession is chosen a new pod is launched per session, leading to potentially multiple
	//   pods per connection. In this mode the program is launched directly as the main process of the container.
	//   When configuring this mode you should explicitly configure the "cmd" option to an empty list if you want the
	//   default command in the container to launch.
	Mode KubernetesExecutionMode `json:"mode,omitempty" yaml:"mode" default:"connection"`

	// ExposeAuthMetadataAsEnv causes the specified metadata entries received from the authentication process to be
	// exposed as environment variables. They are provided as a map, where the key is the authentication metadata entry
	// name and the value is the environment variable. The default is to expose no authentication metadata.
	ExposeAuthMetadataAsEnv map[string]string `json:"exposeAuthMetadataAsEnv" yaml:"exposeAuthMetadataAsEnv"`

	// ExposeAuthMetadataAsLabels causes the specified metadata entries received from the authentication process to be
	// exposed in the pod labels. They are provided as a map, where the key is the authentication metadata entry name
	// and the value is the label name. The label name must conform to Kubernetes label name requirements or the pod
	// will not start. The default is to expose no labels.
	ExposeAuthMetadataAsLabels map[string]string `json:"exposeAuthMetadataAsLabels" yaml:"exposeAuthMetadataAsLabels"`

	// ExposeAuthMetadataAsAnnotations causes the specified metadata entries received from the authentication process to
	// be exposed in the pod annotations. They are provided as a map, where the key is the authentication metadata entry
	// name and the value is the annotation name. The annotation name must conform to Kubernetes annotation name
	// requirements or the pod will not start. The default is to expose no annotations.
	ExposeAuthMetadataAsAnnotations map[string]string `json:"exposeAuthMetadataAsAnnotations" yaml:"exposeAuthMetadataAsAnnotations"`
}

type KubernetesTimeoutConfig struct {
	// PodStart is the timeout for creating and starting the pod.
	PodStart time.Duration `json:"podStart,omitempty" yaml:"podStart" default:"60s"`
	// PodStop is the timeout for stopping and removing the pod.
	PodStop time.Duration `json:"podStop,omitempty" yaml:"podStop" default:"60s"`
	// CommandStart sets the maximum time starting a command may take.
	CommandStart time.Duration `json:"commandStart,omitempty" yaml:"commandStart" default:"60s"`
	// Signal sets the maximum time sending a signal may take.
	Signal time.Duration `json:"signal,omitempty" yaml:"signal" default:"60s"`
	// Signal sets the maximum time setting the window size may take.
	Window time.Duration `json:"window,omitempty" yaml:"window" default:"60s"`
	// HTTP configures the timeout for HTTP calls
	HTTP time.Duration `json:"http,omitempty" yaml:"http" default:"15s"`
}

type LogConfig struct {
	// Level describes the minimum level to log at
	Level LogLevel `json:"level" yaml:"level" default:"5"`

	// Format describes the log message format
	Format LogFormat `json:"format" yaml:"format" default:"ljson"`

	// Destination is the target to write the log messages to.
	Destination LogDestination `json:"destination" yaml:"destination" default:"stdout"`

	// File is the log file to write to if Destination is set to "file".
	File string `json:"file" yaml:"file" default:"/var/log/containerssh/containerssh.log"`

	// Syslog configures the syslog destination.
	Syslog SyslogConfig `json:"syslog" yaml:"syslog"`

	// T is the Go test for logging purposes.
	T *testing.T `json:"-" yaml:"-"`

	// Stdout is the standard output used by the LogDestinationStdout destination.
	Stdout io.Writer `json:"-" yaml:"-"`
}

type LogDestination string

type LogFacility int

type LogFacilityString string

type LogFormat string

type LogLevel int8

type LogLevelString string

type MetricsConfig struct {
	HTTPServerConfiguration `json:",inline" yaml:",inline" default:"{\"listen\":\"0.0.0.0:9100\"}"`

	Enable bool   `yaml:"enable" json:"enable" comment:"Enable metrics server." default:"false"`
	Path   string `yaml:"path" json:"path" comment:"Path to run the Metrics endpoint on." default:"/metrics"`
}

type OAuth2ProviderName string

type OAuth2RedirectConfig struct {
	HTTPServerConfiguration `json:",inline" yaml:",inline"`

	// Webroot is a directory which contains all files that should be served as part of the return page
	// the user lands on when completing the oAuth2 authentication process. The webroot must contain an
	// index.html file, which will be served on the root URL. The files are read for each request and are not cached. If
	// the webroot is left empty the default ContainerSSH return page is presented.
	Webroot string `json:"webroot" yaml:"webroot"`
}

type PasswordAuthConfig struct {
	// Method is the authenticator to use for passwords.
	Method PasswordAuthMethod `json:"method" yaml:"method" default:""`

	// Webhook configures the webhook authenticator for password authentication.
	Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`

	// Kerberos configures the Kerberos authenticator for password authentication.
	Kerberos AuthKerberosClientConfig `json:"kerberos" yaml:"kerberos"`
}

type PasswordAuthMethod string

type PublicKeyAuthConfig struct {
	// Method is the authenticator to use for public keys.
	Method PublicKeyAuthMethod `json:"method" yaml:"method" default:""`

	// Webhook configures the webhook authenticator for public key authentication.
	Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`
}

type PublicKeyAuthMethod string

type Request struct {
	// Metadata is the metadata received from the authentication server.
	metadata.ConnectionAuthenticatedMetadata `json:",inline"`
}

type RequestEncoding string

type Response struct {
	// Body is the configuration response body.
	//
	// in: body
	// required: true
	Body ResponseBody
}

type ResponseBody struct {
	// Metadata is the metadata received from the authentication server.
	metadata.ConnectionAuthenticatedMetadata `json:",inline"`

	// Config is the configuration structure to be passed back from the config server.
	//
	// required: true
	Config AppConfig `json:"config"`
}

type SSHCipher string

type SSHCipherList []SSHCipher

type SSHConfig struct {
	// Listen is the listen address for the SSH server
	Listen string `json:"listen" yaml:"listen" default:"0.0.0.0:2222"`
	// ServerVersion is the version sent to the client.
	//               Must be in the format of "SSH-protoversion-softwareversion SPACE comments".
	//               See https://tools.ietf.org/html/rfc4253#page-4 section 4.2. Protocol Version Exchange
	//               The trailing CR and LF characters should NOT be added to this string.
	ServerVersion SSHServerVersion `json:"serverVersion" yaml:"serverVersion" default:"SSH-2.0-ContainerSSH"`
	// Ciphers are the ciphers offered to the client.
	Ciphers SSHCipherList `` /* 208-byte string literal not displayed */
	// KexAlgorithms are the key exchange algorithms offered to the client.
	KexAlgorithms SSHKexList `` /* 176-byte string literal not displayed */
	// MACs are the SSHMAC algorithms offered to the client.
	MACs SSHMACList `json:"macs" yaml:"macs" default:"[\"hmac-sha2-256-etm@openssh.com\",\"hmac-sha2-256\"]" comment:"SSHMAC algorithms to use"`
	// Banner is the banner sent to the client on connecting.
	Banner string `json:"banner" yaml:"banner" comment:"Host banner to show after the username" default:""`
	// HostKeys are the host keys either in PEM format, or filenames to load.
	HostKeys []string `json:"hostkeys" yaml:"hostkeys" comment:"Host keys in PEM format or files to load PEM host keys from."`
	// ClientAliveInterval is the duration between keep alive messages that
	// ContainerSSH will send to each client. If the duration is 0 or unset
	// it disables the feature.
	ClientAliveInterval time.Duration `json:"clientAliveInterval" yaml:"clientAliveInterval" comment:"Inverval to send keepalive packets to the client"`
	// ClientAliveCountMax is the number of keepalive messages that is
	// allowed to be sent without a response being received. If this number
	// is exceeded the connection is considered dead
	ClientAliveCountMax int `json:"clientAliveCountMax" yaml:"clientAliveCountMax" default:"3" comment:"Maximum number of failed keepalives"`
}

type SSHKex string

type SSHKexList []SSHKex

type SSHKeyAlgo string

type SSHKeyAlgoList []SSHKeyAlgo

type SSHMAC string

type SSHMACList []SSHMAC

type SSHProxyAllowedHostKeyFingerprints []string

type SSHProxyClientVersion string

type SSHProxyConfig struct {
	// Server is the IP address or hostname of the backing server.
	Server string `json:"server" yaml:"server"`
	// Port is the TCP port to connect to.
	Port uint16 `json:"port" yaml:"port" default:"22"`
	// UsernamePassThrough means that the username should be taken from the connecting client.
	UsernamePassThrough bool `json:"usernamePassThrough" yaml:"usernamePassThrough"`
	// Username is the username to pass to the backing SSH server for authentication.
	Username string `json:"username" yaml:"username"`
	// Password is the password to offer to the backing SSH server for authentication.
	Password string `json:"password" yaml:"password"`
	// PrivateKey is the private key to use for authenticating with the backing server.
	PrivateKey string `json:"privateKey" yaml:"privateKey"`
	// AllowedHostKeyFingerprints lists which fingerprints we accept
	AllowedHostKeyFingerprints SSHProxyAllowedHostKeyFingerprints `json:"allowedHostKeyFingerprints" yaml:"allowedHostKeyFingerprints"`
	// Ciphers are the ciphers supported for the backend connection.
	Ciphers SSHCipherList `` /* 205-byte string literal not displayed */
	// KexAlgorithms are the key exchange algorithms for the backend connection.
	KexAlgorithms SSHKexList `` /* 176-byte string literal not displayed */
	// MACs are the MAC algorithms for the backend connection.
	MACs SSHMACList `json:"macs" yaml:"macs" default:"[\"hmac-sha2-256-etm@openssh.com\",\"hmac-sha2-256\"]" comment:"MAC algorithms to use"`
	// HostKeyAlgorithms is a list of algorithms for host keys. The server can offer multiple host keys and this list
	// are the ones we want to accept. The fingerprints for the accepted algorithms should be added to
	// AllowedHostKeyFingerprints.
	HostKeyAlgorithms SSHKeyAlgoList `` /* 329-byte string literal not displayed */
	// Timeout is the time ContainerSSH is willing to wait for the backing connection to be established.
	Timeout time.Duration `json:"timeout" yaml:"timeout" default:"60s"`
	// ClientVersion is the version sent to the server.
	//               Must be in the format of "SSH-protoversion-softwareversion SPACE comments".
	//               See https://tools.ietf.org/html/rfc4253#page-4 section 4.2. Protocol Version Exchange
	//               The trailing CR and LF characters should NOT be added to this string.
	ClientVersion SSHProxyClientVersion `json:"clientVersion" yaml:"clientVersion" default:"SSH-2.0-ContainerSSH"`
}

type SSHServerVersion string

type SecurityConfig struct {
	// DefaultMode sets the default execution policy for all other commands. It is recommended to set this to "disable"
	// if for restricted setups to avoid accidentally allowing new features coming in with version upgrades.
	DefaultMode SecurityExecutionPolicy `json:"defaultMode" yaml:"defaultMode"`

	// ForceCommand behaves similar to the OpenSSH ForceCommand option. When set this command overrides any command
	// requested by the client and executes this command instead. The original command supplied by the client will be
	// set in the `SSH_ORIGINAL_COMMAND` environment variable.
	//
	// Setting ForceCommand changes subsystem requests into exec requests for the backends.
	ForceCommand string `json:"forceCommand" yaml:"forceCommand"`

	// Env controls whether to allow or block setting environment variables.
	Env SecurityEnvConfig `json:"env" yaml:"env"`
	// Command controls whether to allow or block command ("exec") requests via SSh.
	Command CommandConfig `json:"command" yaml:"command"`
	// Shell controls whether to allow or block shell requests via SSh.
	Shell SecurityShellConfig `json:"shell" yaml:"shell"`
	// Subsystem controls whether to allow or block subsystem requests via SSH.
	Subsystem SubsystemConfig `json:"subsystem" yaml:"subsystem"`

	// Forwarding controls whether to allow or block connection, port or socket forwarding
	Forwarding ForwardingConfig `json:"forwarding" yaml:"forwarding"`

	// TTY controls how to treat TTY/PTY requests by clients.
	TTY SecurityTTYConfig `json:"tty" yaml:"tty"`

	// Signal configures how to handle signal requests to running programs.
	Signal SecuritySignalConfig `json:"signal" yaml:"signal"`

	// MaxSessions drives how many session channels can be open at the same time for a single network connection.
	// -1 means unlimited. It is strongly recommended to configure this to a sane value, e.g. 10.
	MaxSessions int `json:"maxSessions" yaml:"maxSessions" default:"-1"`
}

type SecurityEnvConfig struct {
	// Mode configures how to treat environment variable requests by SSH clients.
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
	// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified environment variables to be
	// set.
	Allow []string `json:"allow" yaml:"allow"`
	// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified environment variables to
	// be set.
	Deny []string `json:"deny" yaml:"deny"`
}

type SecurityExecutionPolicy string

type SecurityShellConfig struct {
	// Mode configures how to treat shell requests by SSH clients.
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
}

type SecuritySignalConfig struct {
	// Mode configures how to treat signal requests to running programs
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
	// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified signals to be forwarded.
	Allow []string `json:"allow" yaml:"allow"`
	// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified signals to be forwarded.
	Deny []string `json:"deny" allow:"deny"`
}

type SecurityTTYConfig struct {
	// Mode configures how to treat TTY/PTY requests by SSH clients.
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
}

type SubsystemConfig struct {
	// Mode configures how to treat subsystem requests by SSH clients.
	Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
	// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified subsystems to be
	// executed.
	Allow []string `json:"allow" yaml:"allow"`
	// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified subsystems to be executed.
	Deny []string `json:"deny" yaml:"deny"`
}

type SyslogConfig struct {
	// Destination is the socket to send logs to. Can be a local path to unix sockets as well as UDP destinations.
	Destination string `json:"destination" yaml:"destination" default:"/dev/log"`
	// Facility logs to the specified syslog facility.
	Facility LogFacilityString `json:"facility" yaml:"facility" default:"auth"`
	// Tag is the syslog tag to log with.
	Tag string `json:"tag" yaml:"tag" default:"ContainerSSH"`
	// Pid is a setting to append the current process ID to the tag.
	Pid bool `json:"pid" yaml:"pid" default:"false"`

	// Connection is the connection to the Syslog server. This is only present after Validate has been called.
	Connection net.Conn `json:"-" yaml:"-"`
}

type TLSVersion string