teleport

const (
	// SSHAuthSock is the environment variable pointing to the
	// Unix socket the SSH agent is running on.
	SSHAuthSock = "SSH_AUTH_SOCK"
	// SSHAgentPID is the environment variable pointing to the agent
	// process ID
	SSHAgentPID = "SSH_AGENT_PID"

	// SSHTeleportUser is the current Teleport user that is logged in.
	SSHTeleportUser = "SSH_TELEPORT_USER"

	// SSHSessionWebProxyAddr is the address the web proxy.
	SSHSessionWebProxyAddr = "SSH_SESSION_WEBPROXY_ADDR"

	// SSHTeleportClusterName is the name of the cluster this node belongs to.
	SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"

	// SSHTeleportHostUUID is the UUID of the host.
	SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"

	// SSHSessionID is the UUID of the current session.
	SSHSessionID = "SSH_SESSION_ID"

	// EnableNonInteractiveSessionRecording can be used to record non-interactive SSH session.
	EnableNonInteractiveSessionRecording = "SSH_TELEPORT_RECORD_NON_INTERACTIVE"
)

const (
	// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
	TOTPValidityPeriod uint = 30

	// TOTPSkew adds that many periods before and after to the validity window.
	TOTPSkew uint = 1
)

const (
	// ComponentMemory is a memory backend
	ComponentMemory = "memory"

	// ComponentAuthority is a TLS and an SSH certificate authority
	ComponentAuthority = "ca"

	// ComponentProcess is a main control process
	ComponentProcess = "proc"

	// ComponentServer is a server subcomponent of some services
	ComponentServer = "server"

	// ComponentACME is ACME protocol controller
	ComponentACME = "acme"

	// ComponentReverseTunnelServer is reverse tunnel server
	// that together with agent establish a bi-directional SSH revers tunnel
	// to bypass firewall restrictions
	ComponentReverseTunnelServer = "proxy:server"

	// ComponentReverseTunnelAgent is reverse tunnel agent
	// that together with server establish a bi-directional SSH revers tunnel
	// to bypass firewall restrictions
	ComponentReverseTunnelAgent = "proxy:agent"

	// ComponentLabel is a component label name used in reporting
	ComponentLabel = "component"

	// ComponentProxyKube is a kubernetes proxy
	ComponentProxyKube = "proxy:kube"

	// ComponentAuth is the cluster CA node (auth server API)
	ComponentAuth = "auth"

	// ComponentGRPC is gRPC server
	ComponentGRPC = "grpc"

	// ComponentMigrate is responsible for data migrations
	ComponentMigrate = "migrate"

	// ComponentNode is SSH node (SSH server serving requests)
	ComponentNode = "node"

	// ComponentForwardingNode is SSH node (SSH server serving requests)
	ComponentForwardingNode = "node:forward"

	// ComponentProxy is SSH proxy (SSH server forwarding connections)
	ComponentProxy = "proxy"

	// ComponentProxyPeer is the proxy peering component of the proxy service
	ComponentProxyPeer = "proxy:peer"

	// ComponentApp is the application proxy service.
	ComponentApp = "app:service"

	// ComponentDatabase is the database proxy service.
	ComponentDatabase = "db:service"

	// ComponentDiscovery is the Discovery service.
	ComponentDiscovery = "discovery:service"

	// ComponentAppProxy is the application handler within the web proxy service.
	ComponentAppProxy = "app:web"

	// ComponentWebProxy is the web handler within the web proxy service.
	ComponentWebProxy = "web"

	// ComponentDiagnostic is a diagnostic service
	ComponentDiagnostic = "diag"

	// ComponentClient is a client
	ComponentClient = "client"

	// ComponentTunClient is a tunnel client
	ComponentTunClient = "client:tunnel"

	// ComponentCache is a cache component
	ComponentCache = "cache"

	// ComponentBackend is a backend component
	ComponentBackend = "backend"

	// ComponentSubsystemProxy is the proxy subsystem.
	ComponentSubsystemProxy = "subsystem:proxy"

	// ComponentSubsystemSFTP is the SFTP subsystem.
	ComponentSubsystemSFTP = "subsystem:sftp"

	// ComponentLocalTerm is a terminal on a regular SSH node.
	ComponentLocalTerm = "term:local"

	// ComponentRemoteTerm is a terminal on a forwarding SSH node.
	ComponentRemoteTerm = "term:remote"

	// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
	ComponentRemoteSubsystem = "subsystem:remote"

	// ComponentAuditLog is audit log component
	ComponentAuditLog = "audit"

	// ComponentKeyAgent is an agent that has loaded the sessions keys and
	// certificates for a user connected to a proxy.
	ComponentKeyAgent = "keyagent"

	// ComponentKeyStore is all sessions keys and certificates a user has on disk
	// for all proxies.
	ComponentKeyStore = "keystore"

	// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
	ComponentConnectProxy = "http:proxy"

	// ComponentSOCKS is a SOCKS5 proxy.
	ComponentSOCKS = "socks"

	// ComponentKeyGen is the public/private keypair generator.
	ComponentKeyGen = "keygen"

	// ComponentFirestore represents firestore clients
	ComponentFirestore = "firestore"

	// ComponentSession is an active session.
	ComponentSession = "session"

	// ComponentDynamoDB represents dynamodb clients
	ComponentDynamoDB = "dynamodb"

	// Component pluggable authentication module (PAM)
	ComponentPAM = "pam"

	// ComponentUpload is a session recording upload server
	ComponentUpload = "upload"

	// ComponentWeb is a web server
	ComponentWeb = "web"

	// ComponentUnifiedResource is a cache of resources meant to be listed and displayed
	// together in the web UI
	ComponentUnifiedResource = "unified_resource"

	// ComponentWebsocket is websocket server that the web client connects to.
	ComponentWebsocket = "websocket"

	// ComponentRBAC is role-based access control.
	ComponentRBAC = "rbac"

	// ComponentKeepAlive is keep-alive messages sent from clients to servers
	// and vice versa.
	ComponentKeepAlive = "keepalive"

	// ComponentTeleport is the "teleport" binary.
	ComponentTeleport = "teleport"

	// ComponentTSH is the "tsh" binary.
	ComponentTSH = "tsh"

	// ComponentTCTL is the "tctl" binary.
	ComponentTCTL = "tctl"

	// ComponentTBot is the "tbot" binary
	ComponentTBot = "tbot"

	// ComponentKubeClient is the Kubernetes client.
	ComponentKubeClient = "client:kube"

	// ComponentBuffer is in-memory event circular buffer
	// used to broadcast events to subscribers.
	ComponentBuffer = "buffer"

	// ComponentBPF is the eBPF packagae.
	ComponentBPF = "bpf"

	// ComponentCgroup is the cgroup package.
	ComponentCgroup = "cgroups"

	// ComponentKube is an Kubernetes API gateway.
	ComponentKube = "kubernetes"

	// ComponentSAML is a SAML service provider.
	ComponentSAML = "saml"

	// ComponentMetrics is a metrics server
	ComponentMetrics = "metrics"

	// ComponentWindowsDesktop is a Windows desktop access server.
	ComponentWindowsDesktop = "windows_desktop"

	// ComponentTracing is a tracing exporter
	ComponentTracing = "tracing"

	// ComponentInstance is an abstract component common to all services.
	ComponentInstance = "instance"

	// ComponentVersionControl is the component common to all version control operations.
	ComponentVersionControl = "version-control"

	// ComponentUsageReporting is the component responsible for reporting usage metrics.
	ComponentUsageReporting = "usage-reporting"

	// ComponentAthena represents athena clients.
	ComponentAthena = "athena"

	// ComponentProxySecureGRPC represents secure gRPC server running on Proxy (used for Kube).
	ComponentProxySecureGRPC = "proxy:secure-grpc"

	// ComponentAssist represents Teleport Assist
	ComponentAssist = "assist"

	// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
	VerboseLogsEnvVar = "TELEPORT_DEBUG"

	// IterationsEnvVar sets tests iterations to run
	IterationsEnvVar = "ITERATIONS"

	// DefaultTerminalWidth defines the default width of a server-side allocated
	// pseudo TTY
	DefaultTerminalWidth = 80

	// DefaultTerminalHeight defines the default height of a server-side allocated
	// pseudo TTY
	DefaultTerminalHeight = 25

	// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
	// is not defined)
	SafeTerminalType = "xterm"

	// DataDirParameterName is the name of the data dir configuration parameter passed
	// to all backends during initialization
	DataDirParameterName = "data_dir"

	// KeepAliveReqType is a SSH request type to keep the connection alive. A client and
	// a server keep pining each other with it.
	KeepAliveReqType = "keepalive@openssh.com"

	// ClusterDetailsReqType is the name of a global request which returns cluster details like
	// if the proxy is recording sessions or not and if FIPS is enabled.
	ClusterDetailsReqType = "cluster-details@goteleport.com"

	// JSON means JSON serialization format
	JSON = "json"

	// YAML means YAML serialization format
	YAML = "yaml"

	// Text means text serialization format
	Text = "text"

	// PTY is a raw PTY session capture format
	PTY = "pty"

	// Names is for formatting node names in plain text
	Names = "names"

	// LinuxAdminGID is the ID of the standard adm group on linux
	LinuxAdminGID = 4

	// DirMaskSharedGroup is the mask for a directory accessible
	// by the owner and group
	DirMaskSharedGroup = 0o770

	// FileMaskOwnerOnly is the file mask that allows read write access
	// to owers only
	FileMaskOwnerOnly = 0o600

	// On means mode is on
	On = "on"

	// Off means mode is off
	Off = "off"

	// GCSTestURI turns on GCS tests
	GCSTestURI = "TEST_GCS_URI"

	// AZBlobTestURI specifies the storage account URL to use for Azure Blob
	// Storage tests.
	AZBlobTestURI = "TEST_AZBLOB_URI"

	// AWSRunTests turns on tests executed against AWS directly
	AWSRunTests = "TEST_AWS"

	// AWSRunDBTests turns on tests executed against AWS databases directly.
	AWSRunDBTests = "TEST_AWS_DB"

	// Region is AWS region parameter
	Region = "region"

	// Endpoint is an optional Host for non-AWS S3
	Endpoint = "endpoint"

	// Insecure is an optional switch to use HTTP instead of HTTPS
	Insecure = "insecure"

	// DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
	DisableServerSideEncryption = "disablesse"

	// ACL is the canned ACL to send to S3
	ACL = "acl"

	// SSEKMSKey is an optional switch to use an KMS CMK key for S3 SSE.
	SSEKMSKey = "sse_kms_key"

	// SchemeFile configures local disk-based file storage for audit events
	SchemeFile = "file"

	// SchemeStdout outputs audit log entries to stdout
	SchemeStdout = "stdout"

	// SchemeS3 is used for S3-like object storage
	SchemeS3 = "s3"

	// SchemeGCS is used for Google Cloud Storage
	SchemeGCS = "gs"

	// SchemeAZBlob is the Azure Blob Storage scheme, used as the scheme in the
	// session storage URI to identify a storage account accessed over https.
	SchemeAZBlob = "azblob"

	// SchemeAZBlobHTTP is the Azure Blob Storage scheme, used as the scheme in the
	// session storage URI to identify a storage account accessed over http.
	SchemeAZBlobHTTP = "azblob-http"

	// LogsDir is a log subdirectory for events and logs
	LogsDir = "log"

	// Syslog is a mode for syslog logging
	Syslog = "syslog"

	// HumanDateFormat is a human readable date formatting
	HumanDateFormat = "Jan _2 15:04 UTC"

	// HumanDateFormatMilli is a human readable date formatting with milliseconds
	HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"

	// DebugLevel is a debug logging level name
	DebugLevel = "debug"

	// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
	MinimumEtcdVersion = "3.3.0"
)

const (

	// OIDCPromptSelectAccount instructs the Authorization Server to
	// prompt the End-User to select a user account.
	OIDCPromptSelectAccount = "select_account"

	// OIDCAccessTypeOnline indicates that OIDC flow should be performed
	// with Authorization server and user connected online
	OIDCAccessTypeOnline = "online"
)

const (
	// AuthorizedKeys are public keys that check against User CAs.
	AuthorizedKeys = "authorized_keys"
	// KnownHosts are public keys that check against Host CAs.
	KnownHosts = "known_hosts"
)

const (
	// CertExtensionPermitX11Forwarding allows X11 forwarding for certificate
	CertExtensionPermitX11Forwarding = "permit-X11-forwarding"
	// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
	CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
	// CertExtensionPermitPTY allows user to request PTY
	CertExtensionPermitPTY = "permit-pty"
	// CertExtensionPermitPortForwarding allows user to request port forwarding
	CertExtensionPermitPortForwarding = "permit-port-forwarding"
	// CertExtensionTeleportRoles is used to propagate teleport roles
	CertExtensionTeleportRoles = "teleport-roles"
	// CertExtensionTeleportRouteToCluster is used to encode
	// the target cluster to route to in the certificate
	CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
	// CertExtensionTeleportTraits is used to propagate traits about the user.
	CertExtensionTeleportTraits = "teleport-traits"
	// CertExtensionTeleportActiveRequests is used to track which privilege
	// escalation requests were used to construct the certificate.
	CertExtensionTeleportActiveRequests = "teleport-active-requests"
	// CertExtensionMFAVerified is used to mark certificates issued after an MFA
	// check.
	CertExtensionMFAVerified = "mfa-verified"
	// CertExtensionPreviousIdentityExpires is the extension that stores an RFC3339
	// timestamp representing the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	CertExtensionPreviousIdentityExpires = "prev-identity-expires"
	// CertExtensionLoginIP is used to embed the IP of the client that created
	// the certificate.
	CertExtensionLoginIP = "login-ip"
	// CertExtensionImpersonator is set when one user has requested certificates
	// for another user
	CertExtensionImpersonator = "impersonator"
	// CertExtensionDisallowReissue is set when a certificate should not be allowed
	// to request future certificates.
	CertExtensionDisallowReissue = "disallow-reissue"
	// CertExtensionRenewable is a flag to indicate the certificate may be
	// renewed.
	CertExtensionRenewable = "renewable"
	// CertExtensionGeneration counts the number of times a certificate has
	// been renewed.
	CertExtensionGeneration = "generation"
	// CertExtensionAllowedResources lists the resources which this certificate
	// should be allowed to access
	CertExtensionAllowedResources = "teleport-allowed-resources"
	// CertExtensionConnectionDiagnosticID contains the ID of the ConnectionDiagnostic.
	// The Node/Agent will append connection traces to this diagnostic instance.
	CertExtensionConnectionDiagnosticID = "teleport-connection-diagnostic-id"
	// CertExtensionPrivateKeyPolicy is used to mark certificates with their supported
	// private key policy.
	CertExtensionPrivateKeyPolicy = "private-key-policy"
	// CertExtensionDeviceID is the trusted device identifier.
	CertExtensionDeviceID = "teleport-device-id"
	// CertExtensionDeviceAssetTag is the device inventory identifier.
	CertExtensionDeviceAssetTag = "teleport-device-asset-tag"
	// CertExtensionDeviceCredentialID is the identifier for the credential used
	// by the device to authenticate itself.
	CertExtensionDeviceCredentialID = "teleport-device-credential-id"
	// CertExtensionBotName indicates the name of the Machine ID bot this
	// certificate was issued to, if any.
	CertExtensionBotName = "bot-name@goteleport.com"

	// CertCriticalOptionSourceAddress is a critical option that defines IP addresses (in CIDR notation)
	// from which this certificate is accepted for authentication.
	// See: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD.
	CertCriticalOptionSourceAddress = "source-address"
)

const (
	// NetIQ is an identity provider.
	NetIQ = "netiq"
	// ADFS is Microsoft Active Directory Federation Services
	ADFS = "adfs"
	// Ping is the common backend for all Ping Identity-branded identity
	// providers (including PingOne, PingFederate, etc).
	Ping = "ping"
	// Okta should be used for Okta OIDC providers.
	Okta = "okta"
	// JumpCloud is an identity provider.
	JumpCloud = "jumpcloud"
)

const (
	// RemoteCommandSuccess is returned when a command has successfully executed.
	RemoteCommandSuccess = 0
	// RemoteCommandFailure is returned when a command has failed to execute and
	// we don't have another status code for it.
	RemoteCommandFailure = 255
	// HomeDirNotFound is returned when a the "teleport checkhomedir" command cannot
	// find the user's home directory.
	HomeDirNotFound = 254
)

const (
	// CertificateFormatOldSSH is used to make Teleport interoperate with older
	// versions of OpenSSH.
	CertificateFormatOldSSH = "oldssh"

	// CertificateFormatUnspecified is used to check if the format was specified
	// or not.
	CertificateFormatUnspecified = ""
)

const (
	// TraitInternalPrefix is the role variable prefix that indicates it's for
	// local accounts.
	TraitInternalPrefix = "internal"

	// TraitExternalPrefix is the role variable prefix that indicates the data comes from an external identity provider.
	TraitExternalPrefix = "external"

	// TraitTeams is the name of the role variable use to store team
	// membership information
	TraitTeams = "github_teams"

	// TraitJWT is the name of the trait containing JWT header for app access.
	TraitJWT = "jwt"

	// TraitInternalLoginsVariable is the variable used to store allowed
	// logins for local accounts.
	TraitInternalLoginsVariable = "{{internal.logins}}"

	// TraitInternalWindowsLoginsVariable is the variable used to store
	// allowed Windows Desktop logins for local accounts.
	TraitInternalWindowsLoginsVariable = "{{internal.windows_logins}}"

	// TraitInternalKubeGroupsVariable is the variable used to store allowed
	// kubernetes groups for local accounts.
	TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"

	// TraitInternalKubeUsersVariable is the variable used to store allowed
	// kubernetes users for local accounts.
	TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}"

	// TraitInternalDBNamesVariable is the variable used to store allowed
	// database names for local accounts.
	TraitInternalDBNamesVariable = "{{internal.db_names}}"

	// TraitInternalDBUsersVariable is the variable used to store allowed
	// database users for local accounts.
	TraitInternalDBUsersVariable = "{{internal.db_users}}"

	// TraitInternalDBRolesVariable is the variable used to store allowed
	// database roles for automatic database user provisioning.
	TraitInternalDBRolesVariable = "{{internal.db_roles}}"

	// TraitInternalAWSRoleARNs is the variable used to store allowed AWS
	// role ARNs for local accounts.
	TraitInternalAWSRoleARNs = "{{internal.aws_role_arns}}"

	// TraitInternalAzureIdentities is the variable used to store allowed
	// Azure identities for local accounts.
	TraitInternalAzureIdentities = "{{internal.azure_identities}}"

	// TraitInternalGCPServiceAccounts is the variable used to store allowed
	// GCP service accounts for local accounts.
	TraitInternalGCPServiceAccounts = "{{internal.gcp_service_accounts}}"

	// TraitInternalJWTVariable is the variable used to store JWT token for
	// app sessions.
	TraitInternalJWTVariable = "{{internal.jwt}}"
)

const (
	// PresetEditorRoleName is a name of a preset role that allows
	// editing cluster configuration.
	PresetEditorRoleName = "editor"

	// PresetAccessRoleName is a name of a preset role that allows
	// accessing cluster resources.
	PresetAccessRoleName = "access"

	// PresetAuditorRoleName is a name of a preset role that allows
	// reading cluster events and playing back session records.
	PresetAuditorRoleName = "auditor"

	// PresetReviewerRoleName is a name of a preset role that allows
	// for reviewing access requests.
	PresetReviewerRoleName = "reviewer"

	// PresetRequesterRoleName is a name of a preset role that allows
	// for requesting access to resources.
	PresetRequesterRoleName = "requester"

	// PresetGroupAccessRoleName is a name of a preset role that allows
	// access to all user groups.
	PresetGroupAccessRoleName = "group-access"

	// PresetDeviceAdminRoleName is the name of the "device-admin" role.
	// The role is used to administer trusted devices.
	PresetDeviceAdminRoleName = "device-admin"

	// PresetDeviceEnrollRoleName is the name of the "device-enroll" role.
	// The role is used to grant device enrollment powers to users.
	PresetDeviceEnrollRoleName = "device-enroll"

	// PresetRequireTrustedDeviceRoleName is the name of the
	// "require-trusted-device" role.
	// The role is used as a basis for requiring trusted device access to
	// resources.
	PresetRequireTrustedDeviceRoleName = "require-trusted-device"

	// SystemAutomaticAccessApprovalRoleName names a preset role that may
	// automatically approve any Role Access Request
	SystemAutomaticAccessApprovalRoleName = "@teleport-access-approver"

	// ConnectMyComputerRoleNamePrefix is the prefix used for roles prepared for individual users
	// during the setup of Connect My Computer. The prefix is followed by the name of the cluster
	// user. See teleterm.connectmycomputer.RoleSetup.
	ConnectMyComputerRoleNamePrefix = "connect-my-computer-"

	// SystemOktaRequesterRoleName is a name of a system role that allows
	// for requesting access to Okta resources. This differs from the requester role
	// in that it allows for requesting longer lived access.
	SystemOktaRequesterRoleName = "okta-requester"

	// SystemOktaAccessRoleName is the name of the system role that allows
	// access to Okta resources. This will be used by the Okta requester role to
	// search for Okta resources.
	SystemOktaAccessRoleName = "okta-access"
)

const (
	// RemoteClusterStatusOffline indicates that cluster is considered as
	// offline, since it has missed a series of heartbeats
	RemoteClusterStatusOffline = "offline"
	// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
	// at expected interval
	RemoteClusterStatusOnline = "online"
)

const (
	// SharedDirMode is a mode for a directory shared with group
	SharedDirMode = 0o750

	// PrivateDirMode is a mode for private directories
	PrivateDirMode = 0o700
)

const (
	// SessionEvent is sent by servers to clients when an audit event occurs on
	// the session.
	SessionEvent = "x-teleport-event"

	// VersionRequest is sent by clients to server requesting the Teleport
	// version they are running.
	VersionRequest = "x-teleport-version"

	// ForceTerminateRequest is an SSH request to forcefully terminate a session.
	ForceTerminateRequest = "x-teleport-force-terminate"

	// TerminalSizeRequest is a request for the terminal size of the session.
	TerminalSizeRequest = "x-teleport-terminal-size"

	// MFAPresenceRequest is an SSH request to notify clients that MFA presence is required for a session.
	MFAPresenceRequest = "x-teleport-mfa-presence"

	// EnvSSHJoinMode is the SSH environment variable that contains the requested participant mode.
	EnvSSHJoinMode = "TELEPORT_SSH_JOIN_MODE"

	// EnvSSHSessionReason is a reason attached to started sessions meant to describe their intent.
	EnvSSHSessionReason = "TELEPORT_SESSION_REASON"

	// EnvSSHSessionInvited is an environment variable listning people invited to a session.
	EnvSSHSessionInvited = "TELEPORT_SESSION_JOIN_MODE"

	// EnvSSHSessionDisplayParticipantRequirements is set to true or false to indicate if participant
	// requirement information should be printed.
	EnvSSHSessionDisplayParticipantRequirements = "TELEPORT_SESSION_PARTICIPANT_REQUIREMENTS"

	// SSHSessionJoinPrincipal is the SSH principal used when joining sessions.
	// This starts with a hyphen so it isn't a valid unix login.
	SSHSessionJoinPrincipal = "-teleport-internal-join"
)

const (
	// EnvKubeConfig is environment variable for kubeconfig
	EnvKubeConfig = "KUBECONFIG"

	// KubeConfigDir is a default directory where k8s stores its user local config
	KubeConfigDir = ".kube"

	// KubeConfigFile is a default filename where k8s stores its user local config
	KubeConfigFile = "config"

	// KubeRunTests turns on kubernetes tests
	KubeRunTests = "TEST_KUBE"

	// KubeSystemAuthenticated is a builtin group that allows
	// any user to access common API methods, e.g. discovery methods
	// required for initial client usage
	KubeSystemAuthenticated = "system:authenticated"

	// UsageKubeOnly specifies certificate usage metadata
	// that limits certificate to be only used for kubernetes proxying
	UsageKubeOnly = "usage:kube"

	// UsageAppOnly specifies a certificate metadata that only allows it to be
	// used for proxying applications.
	UsageAppsOnly = "usage:apps"

	// UsageDatabaseOnly specifies certificate usage metadata that only allows
	// it to be used for proxying database connections.
	UsageDatabaseOnly = "usage:db"

	// UsageWindowsDesktopOnly specifies certificate usage metadata that limits
	// certificate to be only used for Windows desktop access
	UsageWindowsDesktopOnly = "usage:windows_desktop"
)

const (
	// NodeIsAmbiguous serves as an identifying error string indicating that
	// the proxy subsystem found multiple nodes matching the specified hostname.
	NodeIsAmbiguous = "err-node-is-ambiguous"

	// MaxLeases serves as an identifying error string indicating that the
	// semaphore system is rejecting an acquisition attempt due to max
	// leases having already been reached.
	MaxLeases = "err-max-leases"
)

const (
	// OpenBrowserLinux is the command used to open a web browser on Linux.
	OpenBrowserLinux = "xdg-open"

	// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
	OpenBrowserDarwin = "open"

	// OpenBrowserWindows is the command used to open a web browser on Windows.
	OpenBrowserWindows = "rundll32.exe"

	// BrowserNone is the string used to suppress the opening of a browser in
	// response to 'tsh login' commands.
	BrowserNone = "none"
)

const (
	// ExecSubCommand is the sub-command Teleport uses to re-exec itself for
	// command execution (exec and shells).
	ExecSubCommand = "exec"

	// ForwardSubCommand is the sub-command Teleport uses to re-exec itself
	// for port forwarding.
	ForwardSubCommand = "forwardv2"

	// CheckHomeDirSubCommand is the sub-command Teleport uses to re-exec itself
	// to check if the user's home directory exists.
	CheckHomeDirSubCommand = "checkhomedir"

	// ParkSubCommand is the sub-command Teleport uses to re-exec itself as a
	// specific UID to prevent the matching user from being deleted before
	// spawning the intended child process.
	ParkSubCommand = "park"

	// SFTPSubCommand is the sub-command Teleport uses to re-exec itself to
	// handle SFTP connections.
	SFTPSubCommand = "sftp"

	// WaitSubCommand is the sub-command Teleport uses to wait
	// until a domain name stops resolving. Its main use is to ensure no
	// auth instances are still running the previous major version.
	WaitSubCommand = "wait"
)

const (
	// ChanDirectTCPIP is a SSH channel of type "direct-tcpip".
	ChanDirectTCPIP = "direct-tcpip"

	// ChanSession is a SSH channel of type "session".
	ChanSession = "session"
)

const (
	// GetHomeDirSubsystem is an SSH subsystem request that Teleport
	// uses to get the home directory of a remote user.
	GetHomeDirSubsystem = "gethomedir"

	// SFTPSubsystem is the SFTP SSH subsystem.
	SFTPSubsystem = "sftp"
)

const (
	// internal application being proxied.
	AppJWTHeader = "teleport-jwt-assertion"

	// HostHeader is the name of the Host header.
	HostHeader = "Host"
)

const (
	// KubeSessionDisplayParticipantRequirementsQueryParam is the query parameter used to
	// indicate that the client wants to display the participant requirements
	// for the given session.
	KubeSessionDisplayParticipantRequirementsQueryParam = "displayParticipantRequirements"
	// KubeSessionReasonQueryParam is the query parameter used to indicate the reason
	// for the session request.
	KubeSessionReasonQueryParam = "reason"
	// KubeSessionInvitedQueryParam is the query parameter used to indicate the users
	// to invite to the session.
	KubeSessionInvitedQueryParam = "invite"
)

const (
	// MetricGenerateRequests counts how many generate server keys requests
	// are issued over time
	MetricGenerateRequests = "auth_generate_requests_total"

	// MetricGenerateRequestsThrottled measures how many generate requests
	// are throttled
	MetricGenerateRequestsThrottled = "auth_generate_requests_throttled_total"

	// MetricGenerateRequestsCurrent measures current in-flight requests
	MetricGenerateRequestsCurrent = "auth_generate_requests"

	// MetricGenerateRequestsHistogram measures generate requests latency
	MetricGenerateRequestsHistogram = "auth_generate_seconds"

	// MetricServerInteractiveSessions measures interactive sessions in flight
	MetricServerInteractiveSessions = "server_interactive_sessions_total"

	// MetricProxySSHSessions measures sessions in flight on the proxy
	MetricProxySSHSessions = "proxy_ssh_sessions_total"

	// MetricRemoteClusters measures connected remote clusters
	MetricRemoteClusters = "remote_clusters"

	// MetricTrustedClusters counts trusted clusters
	MetricTrustedClusters = "trusted_clusters"

	// MetricClusterNameNotFound counts times a cluster name was not found
	MetricClusterNameNotFound = "cluster_name_not_found_total"

	// MetricFailedLoginAttempts counts failed login attempts
	MetricFailedLoginAttempts = "failed_login_attempts_total"

	// MetricConnectToNodeAttempts counts ssh attempts
	MetricConnectToNodeAttempts = "connect_to_node_attempts_total"

	// MetricFailedConnectToNodeAttempts counts failed ssh attempts
	MetricFailedConnectToNodeAttempts = "failed_connect_to_node_attempts_total"

	// MetricUserMaxConcurrentSessionsHit counts number of times a user exceeded their max concurrent ssh connections
	MetricUserMaxConcurrentSessionsHit = "user_max_concurrent_sessions_hit_total"

	// MetricProxyConnectionLimitHit counts the number of times the proxy connection limit was exceeded
	MetricProxyConnectionLimitHit = "proxy_connection_limit_exceeded_total"

	// MetricUserLoginCount counts user logins
	MetricUserLoginCount = "user_login_total"

	// MetricHeartbeatConnectionsReceived counts heartbeat connections received by auth
	MetricHeartbeatConnectionsReceived = "heartbeat_connections_received_total"

	// MetricCertificateMismatch counts login failures due to certificate mismatch
	MetricCertificateMismatch = "certificate_mismatch_total"

	// MetricHeartbeatsMissed counts the nodes that failed to heartbeat
	MetricHeartbeatsMissed = "heartbeats_missed_total"

	// MetricWatcherEventsEmitted counts watcher events that are emitted
	MetricWatcherEventsEmitted = "watcher_events"

	// MetricWatcherEventSizes measures the size of watcher events that are emitted
	MetricWatcherEventSizes = "watcher_event_sizes"

	// MetricMissingSSHTunnels returns the number of missing SSH tunnels for this proxy.
	MetricMissingSSHTunnels = "proxy_missing_ssh_tunnels"

	// MetricMigrations tracks for each migration if it is active or not.
	MetricMigrations = "migrations"

	// TagMigration is a metric tag for a migration
	TagMigration = "migration"

	// MetricIncompleteSessionUploads returns the number of incomplete session uploads
	MetricIncompleteSessionUploads = "incomplete_session_uploads_total"

	// TagCluster is a metric tag for a cluster
	TagCluster = "cluster"

	// MetricTotalInstances provides an instance count
	MetricTotalInstances = "total_instances"

	// MetricEnrolledInUpgrades provides total number of instances that advertise an upgrader.
	MetricEnrolledInUpgrades = "enrolled_in_upgrades"

	// MetricUpgraderCounts provides instance count per-upgrader.
	MetricUpgraderCounts = "upgrader_counts"

	// TagUpgrader is a metric tag for upgraders.
	TagUpgrader = "upgrader"

	// MetricsAccessRequestsCreated provides total number of created access requests.
	MetricAccessRequestsCreated = "access_requests_created"
	// TagRoles is a number of roles requested as a part of access request.
	TagRoles = "roles"
	// TagResources is a number of resources requested as a part of access request.
	TagResources = "resources"

	// UserCertificatesCreated provides total number of user certificates generated.
	MetricUserCertificatesGenerated = "user_certificates_generated"
	// TagPrivateKeyPolicy is a private key policy associated with a user's certificates.
	TagPrivateKeyPolicy = "private_key_policy"
)

const (
	// MetricProcessCPUSecondsTotal measures CPU seconds consumed by process
	MetricProcessCPUSecondsTotal = "process_cpu_seconds_total"
	// MetricProcessMaxFDs shows maximum amount of file descriptors allowed for the process
	MetricProcessMaxFDs = "process_max_fds"
	// MetricProcessOpenFDs shows process open file descriptors
	MetricProcessOpenFDs = "process_open_fds"
	// MetricProcessResidentMemoryBytes measures bytes consumed by process resident memory
	MetricProcessResidentMemoryBytes = "process_resident_memory_bytes"
	// MetricProcessStartTimeSeconds measures process start time
	MetricProcessStartTimeSeconds = "process_start_time_seconds"
)

const (
	// MetricGoThreads is amount of system threads used by Go runtime
	MetricGoThreads = "go_threads"

	// MetricGoGoroutines measures current number of goroutines
	MetricGoGoroutines = "go_goroutines"

	// MetricGoInfo provides information about Go runtime version
	MetricGoInfo = "go_info"

	// MetricGoAllocBytes measures allocated memory bytes
	MetricGoAllocBytes = "go_memstats_alloc_bytes"

	// MetricGoHeapAllocBytes measures heap bytes allocated by Go runtime
	MetricGoHeapAllocBytes = "go_memstats_heap_alloc_bytes"

	// MetricGoHeapObjects measures count of heap objects created by Go runtime
	MetricGoHeapObjects = "go_memstats_heap_objects"
)

const (
	// MetricBackendWatchers is a metric with backend watchers
	MetricBackendWatchers = "backend_watchers_total"

	// MetricBackendWatcherQueues is a metric with backend watcher queues sizes
	MetricBackendWatcherQueues = "backend_watcher_queues_total"

	// MetricBackendRequests measures count of backend requests
	MetricBackendRequests = "backend_requests"

	// MetricBackendReadHistogram measures histogram of backend read latencies
	MetricBackendReadHistogram = "backend_read_seconds"

	// MetricBackendWriteHistogram measures histogram of backend write latencies
	MetricBackendWriteHistogram = "backend_write_seconds"

	// MetricBackendBatchWriteHistogram measures histogram of backend batch write latencies
	MetricBackendBatchWriteHistogram = "backend_batch_write_seconds"

	// MetricBackendBatchReadHistogram measures histogram of backend batch read latencies
	MetricBackendBatchReadHistogram = "backend_batch_read_seconds"

	// MetricBackendWriteRequests measures backend write requests count
	MetricBackendWriteRequests = "backend_write_requests_total"

	// MetricBackendWriteFailedRequests measures failed backend write requests count
	MetricBackendWriteFailedRequests = "backend_write_requests_failed_total"

	// MetricBackendBatchWriteRequests measures batch backend writes count
	MetricBackendBatchWriteRequests = "backend_batch_write_requests_total"

	// MetricBackendBatchFailedWriteRequests measures failed batch backend requests count
	MetricBackendBatchFailedWriteRequests = "backend_batch_write_requests_failed_total"

	// MetricBackendReadRequests measures backend read requests count
	MetricBackendReadRequests = "backend_read_requests_total"

	// MetricBackendFailedReadRequests measures failed backend read requests count
	MetricBackendFailedReadRequests = "backend_read_requests_failed_total"

	// MetricBackendBatchReadRequests measures batch backend read requests count
	MetricBackendBatchReadRequests = "backend_batch_read_requests_total"

	// MetricBackendBatchFailedReadRequests measures failed backend batch read requests count
	MetricBackendBatchFailedReadRequests = "backend_batch_read_requests_failed_total"

	// MetricLostCommandEvents measures the number of command events that were lost
	MetricLostCommandEvents = "bpf_lost_command_events"

	// MetricLostDiskEvents measures the number of disk events that were lost.
	MetricLostDiskEvents = "bpf_lost_disk_events"

	// MetricLostNetworkEvents measures the number of network events that were lost.
	MetricLostNetworkEvents = "bpf_lost_network_events"

	// MetricLostRestrictedEvents measures the number of restricted events that were lost
	MetricLostRestrictedEvents = "bpf_lost_restricted_events"

	// MetricState tracks the state of the teleport process.
	MetricState = "process_state"

	// MetricNamespace defines the teleport prometheus namespace
	MetricNamespace = "teleport"

	// MetricConnectedResources tracks the number and type of resources connected via keepalives
	MetricConnectedResources = "connected_resources"

	// MetricBuildInfo tracks build information
	MetricBuildInfo = "build_info"

	// MetricCacheEventsReceived tracks the total number of events received by a cache
	MetricCacheEventsReceived = "cache_events"

	// MetricStaleCacheEventsReceived tracks the number of stale events received by a cache
	MetricStaleCacheEventsReceived = "cache_stale_events"

	// MetricRegisteredServers tracks the number of Teleport servers that have successfully registered with the Teleport cluster and have not reached the end of their ttl
	MetricRegisteredServers = "registered_servers"

	// MetricRegisteredServersByInstallMethods tracks the number of Teleport servers, and their installation method,
	// that have successfully registered with the Teleport cluster and have not reached the end of their ttl
	MetricRegisteredServersByInstallMethods = "registered_servers_by_install_methods"

	// MetricReverseSSHTunnels defines the number of connected SSH reverse tunnels to the proxy
	MetricReverseSSHTunnels = "reverse_tunnels_connected"

	// MetricHostedPluginStatus tracks the current status
	// (as defined by types.PluginStatus) for a plugin instance
	MetricHostedPluginStatus = "hosted_plugin_status"

	// MetricTeleportServices tracks which services are currently running in the current Teleport Process.
	MetricTeleportServices = "services"

	// TagRange is a tag specifying backend requests
	TagRange = "range"

	// TagReq is a tag specifying backend request type
	TagReq = "req"

	// TagTrue is a tag value to mark true values
	TagTrue = "true"

	// TagFalse is a tag value to mark false values
	TagFalse = "false"

	// TagResource is a tag specifying the resource for an event
	TagResource = "resource"

	// TagVersion is a prometheus label for version of Teleport built
	TagVersion = "version"

	// TagGitref is a prometheus label for the gitref of Teleport built
	TagGitref = "gitref"

	// TagGoVersion is a prometheus label for version of Go used to build Teleport
	TagGoVersion = "goversion"

	// TagCacheComponent is a prometheus label for the cache component
	TagCacheComponent = "cache_component"

	// TagType is a prometheus label for type of resource or tunnel connected
	TagType = "type"

	// TagServer is a prometheus label to indicate what server the metric is tied to
	TagServer = "server"

	// TagClient is a prometheus label to indicate what client the metric is tied to
	TagClient = "client"

	// TagInstallMethods is a prometheus label to indicate what installation methods
	// were used for the agent.
	// This value comes from UpstreamInventoryAgentMetadata (sourced in lib/inventory/metadata.fetchInstallMethods).
	TagInstallMethods = "install_methods"

	// TagServiceName is the prometheus label to indicate what services are running in the current proxy.
	// Those services are monitored using the Supervisor.
	// Only a subset of services are monitored. See [lib/service.metricsServicesRunningMap]
	// Eg, discovery_service
	TagServiceName = "service_name"
)

const (
	// MetricUsageEventsSubmitted is a count of usage events that have been generated.
	MetricUsageEventsSubmitted = "usage_events_submitted_total"

	// MetricUsageBatches is a count of batches enqueued for submission.
	MetricUsageBatches = "usage_batches_total"

	// MetricUsageEventsRequeued is a count of events that were requeued after a
	// submission failed.
	MetricUsageEventsRequeued = "usage_events_requeued_total"

	// MetricUsageBatchSubmissionDuration is a histogram of durations it took to
	// submit a batch.
	MetricUsageBatchSubmissionDuration = "usage_batch_submission_duration_seconds"

	// MetricUsageBatchesSubmitted is a count of event batches successfully
	// submitted.
	MetricUsageBatchesSubmitted = "usage_batch_submitted_total"

	// MetricUsageBatchesFailed is a count of event batches that failed to
	// submit.
	MetricUsageBatchesFailed = "usage_batch_failed_total"

	// MetricUsageEventsDropped is a count of events dropped due to the
	// submission buffer reaching a length limit.
	MetricUsageEventsDropped = "usage_events_dropped_total"
)

const (
	// MetricParquetlogConsumerBatchPorcessingDuration is a histogram of durations it
	// took to process single batch of events.
	MetricParquetlogConsumerBatchPorcessingDuration = "audit_parquetlog_batch_processing_seconds"
	// MetricParquetlogConsumerS3FlushDuration is a histogram of durations it took to
	// flush and close parquet files on s3.
	MetricParquetlogConsumerS3FlushDuration = "audit_parquetlog_s3_flush_seconds"
	// MetricParquetlogConsumerDeleteEventsDuration is a histogram of durations it
	// took to delete events from SQS.
	MetricParquetlogConsumerDeleteEventsDuration = "audit_parquetlog_delete_events_seconds"
	// MetricParquetlogConsumerBatchSize is a histogram of sizes of single batch of events.
	MetricParquetlogConsumerBatchSize = "audit_parquetlog_batch_size"
	// MetricParquetlogConsumerBatchCount is a count of number of events in single batch.
	MetricParquetlogConsumerBatchCount = "audit_parquetlog_batch_count"
	// MetricParquetlogConsumerLastProcessedTimestamp is a timestamp of last finished consumer execution.
	MetricParquetlogConsumerLastProcessedTimestamp = "audit_parquetlog_last_processed_timestamp"
	// MetricParquetlogConsumerOldestProcessedMessage is age of oldest processed message.
	MetricParquetlogConsumerOldestProcessedMessage = "audit_parquetlog_age_oldest_processed_message"
	// MetricAthenaConsumerCollectFailed is a count of number of errors received from sqs collect.
	MetricParquetlogConsumerCollectFailed = "audit_parquetlog_errors_from_collect_count"
)

const AdminRoleName = "admin"

const (
	// HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during
	// HTTP/1.1.'s TLS setup.
	// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
	HTTPNextProtoTLS = "http/1.1"
)

const (
	// KubeLegacyProxySuffix is the suffix used for legacy proxy services when
	// generating their names Server names.
	KubeLegacyProxySuffix = "-proxy_service"
)

const MaxEnvironmentFileLines = 1000

const MaxHTTPRequestSize = 10 * 1024 * 1024

const MaxHTTPResponseSize = 10 * 1024 * 1024

const MaxResourceSize = 1000000

const SCP = "scp"

const StandardHTTPSPort = 443

const (
	// SystemAccessApproverUserName names a Teleport user that acts as
	// an Access Request approver for access plugins
	SystemAccessApproverUserName = "@teleport-access-approval-bot"
)

const UserSingleUseCertTTL = time.Minute

const UserSystem = "system"

const Version = api.Version

const WebAPIVersion = "v1"