Documentation ¶
Overview ¶
Package services implements stateful services provided by Teleport, such as certificate authority management, user and web sessions, events and logs.
* Local services are implemented in the local package
* Package suite contains the set of acceptance tests for services
Package services implements API services exposed by Teleport:
* presence service that takes care of heartbeats
* web service that takes care of web logins
* ca service - certificate authorities
Index ¶
- Constants
- Variables
- func AccessExplicitlyDenied(inner error) error
- func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget
- func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)
- func AddRoleDefaults(role types.Role) (types.Role, error)
- func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author UserState) error
- func ApplyTraits(r types.Role, traits map[string][]string) (types.Role, error)
- func ApplyValueTraits(val string, traits map[string][]string) ([]string, error)
- func AssumeRoleFromAWSMetadata(meta *types.AWS) types.AssumeRole
- func CalculateAccessCapabilities(ctx context.Context, clock clockwork.Clock, clt RequestValidatorGetter, ...) (*types.AccessCapabilities, error)
- func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool
- func CertPool(ca types.CertAuthority) (*x509.CertPool, error)
- func CertPoolFromCertAuthorities(cas []types.CertAuthority) (*x509.CertPool, int, error)
- func CheckAndSetDefaults(r any) error
- func CheckDynamicLabelsInDenyRules(r types.Role) error
- func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)
- func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)
- func CompareResources[T any](resA, resB T) int
- func CompareRuleScore(r *types.Rule, o *types.Rule) bool
- func CompareServers(a, b types.Resource) int
- func ConvertGithubConnector(c types.GithubConnector) (*types.GithubConnectorV3, error)
- func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, ...) map[string]string
- func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, ...) map[string]string
- func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)
- func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, error)
- func ExtractFromIdentity(ctx context.Context, access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)
- func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)
- func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)
- func FilterSAMLEntityDescriptor(ed *saml.EntityDescriptor, quiet bool) error
- func GenerateIdPServiceProviderFromFields(name string, entityDescriptor string) (types.SAMLIdPServiceProvider, error)
- func GetAccessRequest(ctx context.Context, acc DynamicAccessCore, reqID string) (types.AccessRequest, error)
- func GetAttributeNames(attributes map[string]samltypes.Attribute) []string
- func GetClaimNames(claims jose.Claims) []string
- func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)
- func GetMySQLEngineVersion(labels map[string]string) string
- func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)
- func GetResourceDetails(ctx context.Context, clusterName string, lister client.ListResourcesClient, ...) (map[string]types.ResourceDetails, error)
- func GetResourceIDsByCluster(r types.AccessRequest) map[string][]types.ResourceID
- func GetResourceMarshalerKinds() []string
- func GetResourcesByResourceIDs(ctx context.Context, lister client.ListResourcesClient, ...) ([]types.ResourceWithLabels, error)
- func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
- func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte
- func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)
- func GetTLSCerts(ca types.CertAuthority) [][]byte
- func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet
- func GuessProxyHostAndVersion(proxies []types.Server) (string, string, error)
- func HasProcessForked(ctx context.Context) bool
- func InitGithubConnector(c types.GithubConnector) (types.GithubConnector, error)
- func IsAWSResourceAvailable(r interface{}, status *string) bool
- func IsAccessExplicitlyDenied(err error) bool
- func IsAccessListMember(ctx context.Context, identity tlsca.Identity, clock clockwork.Clock, ...) error
- func IsAccessListOwner(identity tlsca.Identity, accessList *accesslist.AccessList) error
- func IsAzureFlexServer(db types.Database) bool
- func IsDashboard(features proto.Features) bool
- func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool
- func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool
- func IsMemoryDBClusterAvailable(cluster *memorydb.Cluster) bool
- func IsMemoryDBClusterSupported(cluster *memorydb.Cluster) bool
- func IsOpenSearchDomainAvailable(domain *opensearchservice.DomainStatus) bool
- func IsProcessReloading(ctx context.Context) bool
- func IsRDSClusterAvailable(clusterStatus, clusterIndetifier *string) bool
- func IsRDSClusterSupported(cluster *rds.DBCluster) bool
- func IsRDSInstanceAvailable(instanceStatus, instanceIdentifier *string) bool
- func IsRDSInstanceSupported(instance *rds.DBInstance) bool
- func IsRDSProxyAvailable(dbProxy *rds.DBProxy) bool
- func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool
- func IsRecordAtProxy(mode string) bool
- func IsRecordSync(mode string) bool
- func IsRedshiftClusterAvailable(cluster *redshift.Cluster) bool
- func LastFailed(x int, attempts []LoginAttempt) bool
- func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)
- func LockInForceAccessDenied(lock types.Lock) error
- func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget
- func MakeAzureDatabaseLoginUsername(db types.Database, user string) string
- func MakePaginatedResources(requestType string, resources []types.ResourceWithLabels) ([]*proto.PaginatedResource, error)
- func MapRoles(r types.RoleMap, remoteRoles []string) ([]string, error)
- func MarshalAccessList(accessList *accesslist.AccessList, opts ...MarshalOption) ([]byte, error)
- func MarshalAccessListMember(member *accesslist.AccessListMember, opts ...MarshalOption) ([]byte, error)
- func MarshalAccessListReview(review *accesslist.Review, opts ...MarshalOption) ([]byte, error)
- func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)
- func MarshalAccessRequestAllowedPromotion(accessListIDs *types.AccessRequestAllowedPromotions) ([]byte, error)
- func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)
- func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)
- func MarshalAuditQuery(in *secreports.AuditQuery, opts ...MarshalOption) ([]byte, error)
- func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)
- func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)
- func MarshalCertRoles(roles []string) (string, error)
- func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)
- func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)
- func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)
- func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)
- func MarshalDatabaseService(databaseService types.DatabaseService, opts ...MarshalOption) ([]byte, error)
- func MarshalDevice(dev *types.DeviceV1) ([]byte, error)
- func MarshalDiscoveryConfig(discoveryConfig *discoveryconfig.DiscoveryConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalExternalAuditStorage(externalAuditStorage *externalauditstorage.ExternalAuditStorage, ...) ([]byte, error)
- func MarshalGithubConnector(connector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)
- func MarshalIntegration(ig types.Integration, opts ...MarshalOption) ([]byte, error)
- func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)
- func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)
- func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)
- func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)
- func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)
- func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalOSSGithubConnector(githubConnector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalOktaAssignment(assignment types.OktaAssignment, opts ...MarshalOption) ([]byte, error)
- func MarshalOktaImportRule(importRule types.OktaImportRule, opts ...MarshalOption) ([]byte, error)
- func MarshalPlugin(plugin types.Plugin, opts ...MarshalOption) ([]byte, error)
- func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)
- func MarshalPluginStaticCredentials(pluginStaticCredentials types.PluginStaticCredentials, opts ...MarshalOption) ([]byte, error)
- func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)
- func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)
- func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)
- func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)
- func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalSAMLIdPServiceProvider(serviceProvider types.SAMLIdPServiceProvider, opts ...MarshalOption) ([]byte, error)
- func MarshalSecurityCostLimiter(in *secreports.CostLimiter, opts ...MarshalOption) ([]byte, error)
- func MarshalSecurityReport(in *secreports.Report, opts ...MarshalOption) ([]byte, error)
- func MarshalSecurityReportState(in *secreports.ReportState, opts ...MarshalOption) ([]byte, error)
- func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)
- func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)
- func MarshalServerInfo(si types.ServerInfo, opts ...MarshalOption) ([]byte, error)
- func MarshalServerInfos(si []types.ServerInfo) ([]byte, error)
- func MarshalServers(s []types.Server) ([]byte, error)
- func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)
- func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)
- func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)
- func MarshalUIConfig(uiconfig types.UIConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)
- func MarshalUserGroup(group types.UserGroup, opts ...MarshalOption) ([]byte, error)
- func MarshalUserLoginState(userLoginState *userloginstate.UserLoginState, opts ...MarshalOption) ([]byte, error)
- func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)
- func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)
- func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)
- func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)
- func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)
- func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)
- func MatchAWSRoleARN(selectors []string, roleARN string) (bool, string)
- func MatchAzureIdentity(selectors []string, identity string, matchWildcard bool) (bool, string)
- func MatchDatabaseName(selectors []string, name string) (bool, string)
- func MatchDatabaseUser(selectors []string, user string, matchWildcard bool) (bool, string)
- func MatchGCPServiceAccount(selectors []string, account string, matchWildcard bool) (bool, string)
- func MatchLabelGetter(selector types.Labels, labelGetter LabelGetter) (bool, string, error)
- func MatchLabels(selector types.Labels, target map[string]string) (bool, string, error)
- func MatchNamespace(selectors []string, namespace string) (bool, string)
- func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, ...) (bool, error)
- func MatchResourceLabels(matchers []ResourceMatcher, labels map[string]string) bool
- func MatchValidAzureIdentity(identity string) bool
- func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)
- func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)
- func MetadataFromOpenSearchDomain(domain *opensearchservice.DomainStatus, endpointType string) (*types.AWS, error)
- func MetadataFromRDSCluster(rdsCluster *rds.DBCluster) (*types.AWS, error)
- func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)
- func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error)
- func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)
- func MetadataFromRDSV2Cluster(rdsCluster *rdsTypesV2.DBCluster, rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)
- func MetadataFromRDSV2Instance(rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)
- func MetadataFromRedshiftCluster(cluster *redshift.Cluster) (*types.AWS, error)
- func MetadataFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, ...) (*types.AWS, error)
- func MetadataFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup) (*types.AWS, error)
- func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken
- func NewAWSNodeFromEC2Instance(instance ec2Types.Instance, awsCloudMetadata *types.AWSInfo) (types.Server, error)
- func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)
- func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)
- func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
- func NewApplicationFromKubeService(service corev1.Service, clusterName, protocol string, port corev1.ServicePort) (types.Application, error)
- func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)
- func NewDatabaseFromAzureManagedSQLServer(server *armsql.ManagedInstance) (types.Database, error)
- func NewDatabaseFromAzureMySQLFlexServer(server *armmysqlflexibleservers.Server) (types.Database, error)
- func NewDatabaseFromAzurePostgresFlexServer(server *armpostgresqlflexibleservers.Server) (types.Database, error)
- func NewDatabaseFromAzureRedis(server *armredis.ResourceInfo) (types.Database, error)
- func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)
- func NewDatabaseFromAzureSQLServer(server *armsql.Server) (types.Database, error)
- func NewDatabaseFromAzureServer(server *azure.DBServer) (types.Database, error)
- func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)
- func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)
- func NewDatabaseFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)
- func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)
- func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)
- func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, tags []*rds.Tag) (types.Database, error)
- func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, tags []*rds.Tag) (types.Database, error)
- func NewDatabaseFromRDSV2Cluster(cluster *rdsTypesV2.DBCluster, firstInstance *rdsTypesV2.DBInstance) (types.Database, error)
- func NewDatabaseFromRDSV2Instance(instance *rdsTypesV2.DBInstance) (types.Database, error)
- func NewDatabaseFromRedshiftCluster(cluster *redshift.Cluster) (types.Database, error)
- func NewDatabaseFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, ...) (types.Database, error)
- func NewDatabaseFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup, tags []*redshiftserverless.Tag) (types.Database, error)
- func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
- func NewDatabasesFromElastiCacheReplicationGroup(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
- func NewDatabasesFromOpenSearchDomain(domain *opensearchservice.DomainStatus, tags []*opensearchservice.Tag) (types.Databases, error)
- func NewDatabasesFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)
- func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)
- func NewGithubConnector(name string, spec types.GithubConnectorSpecV3) (types.GithubConnector, error)
- func NewHeadlessAuthenticationID(pubKey []byte) string
- func NewImplicitRole() types.Role
- func NewKubeClusterFromAWSEKS(clusterName, clusterArn string, tags map[string]*string) (types.KubeCluster, error)
- func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)
- func NewKubeClusterFromGCPGKE(cluster gcp.GKECluster) (types.KubeCluster, error)
- func NewLogActionFn(ctx RuleContext) interface{}
- func NewPresetAccessRole() types.Role
- func NewPresetAuditorRole() types.Role
- func NewPresetDeviceAdminRole() types.Role
- func NewPresetDeviceEnrollRole() types.Role
- func NewPresetEditorRole() types.Role
- func NewPresetGroupAccessRole() types.Role
- func NewPresetRequesterRole() types.Role
- func NewPresetRequireTrustedDeviceRole() types.Role
- func NewPresetReviewerRole() types.Role
- func NewSystemAutomaticAccessApproverRole() types.Role
- func NewSystemAutomaticAccessBotUser() types.User
- func NewSystemOktaAccessRole() types.Role
- func NewSystemOktaRequesterRole() types.Role
- func NewTOTPDevice(name, key string, addedAt time.Time) (*types.MFADevice, error)
- func NewWebSessionAttestationData(pub crypto.PublicKey) (*keys.AttestationData, error)
- func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
- func NodeHasMissedKeepAlives(s types.Server) bool
- func OIDCClaimsToTraits(claims jose.Claims) map[string][]string
- func ParseShortcut(in string) (string, error)
- func ProcessForkedContext(parent context.Context) context.Context
- func ProcessReloadContext(parent context.Context) context.Context
- func RO() []string
- func RW() []string
- func ReadNoSecrets() []string
- func RegisterGithubAuthConverter(convert GithubAuthConverter)
- func RegisterGithubAuthCreator(creator GithubAuthCreator)
- func RegisterGithubAuthInitializer(init GithubAuthInitializer)
- func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)
- func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)
- func ResourceMatchersToTypes(in []ResourceMatcher) []*types.DatabaseResourceMatcher
- func RoleForCertAuthority(ca types.CertAuthority) types.Role
- func RoleForUser(u types.User) types.Role
- func RoleFromSpec(name string, spec types.RoleSpecV6) (types.Role, error)
- func RoleMapToString(r types.RoleMap) string
- func RoleNameForCertAuthority(name string) string
- func RoleNameForUser(name string) string
- func RolesToLockTargets(roles []string) []types.LockTarget
- func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string
- func ShouldDeleteServerHeartbeatsOnShutdown(ctx context.Context) bool
- func SimplifyAzureMatchers(matchers []types.AzureMatcher) []types.AzureMatcher
- func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)
- func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)
- func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, ...) string
- func UnmarshalAccessList(data []byte, opts ...MarshalOption) (*accesslist.AccessList, error)
- func UnmarshalAccessListMember(data []byte, opts ...MarshalOption) (*accesslist.AccessListMember, error)
- func UnmarshalAccessListReview(data []byte, opts ...MarshalOption) (*accesslist.Review, error)
- func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)
- func UnmarshalAccessRequestAllowedPromotion(data []byte) (*types.AccessRequestAllowedPromotions, error)
- func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)
- func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)
- func UnmarshalAuditQuery(data []byte, opts ...MarshalOption) (*secreports.AuditQuery, error)
- func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)
- func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)
- func UnmarshalCertRoles(data string) ([]string, error)
- func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)
- func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)
- func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)
- func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)
- func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)
- func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)
- func UnmarshalDatabaseService(data []byte, opts ...MarshalOption) (types.DatabaseService, error)
- func UnmarshalDevice(raw []byte) (*types.DeviceV1, error)
- func UnmarshalDiscoveryConfig(data []byte, opts ...MarshalOption) (*discoveryconfig.DiscoveryConfig, error)
- func UnmarshalExternalAuditStorage(data []byte, opts ...MarshalOption) (*externalauditstorage.ExternalAuditStorage, error)
- func UnmarshalGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)
- func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)
- func UnmarshalIntegration(data []byte, opts ...MarshalOption) (types.Integration, error)
- func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)
- func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)
- func UnmarshalLicense(bytes []byte) (types.License, error)
- func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)
- func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)
- func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)
- func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)
- func UnmarshalOSSGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)
- func UnmarshalOktaAssignment(data []byte, opts ...MarshalOption) (types.OktaAssignment, error)
- func UnmarshalOktaImportRule(data []byte, opts ...MarshalOption) (types.OktaImportRule, error)
- func UnmarshalPlugin(data []byte, opts ...MarshalOption) (types.Plugin, error)
- func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)
- func UnmarshalPluginStaticCredentials(data []byte, opts ...MarshalOption) (types.PluginStaticCredentials, error)
- func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)
- func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)
- func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (types.Resource, error)
- func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)
- func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)
- func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)
- func UnmarshalSAMLIdPServiceProvider(data []byte, opts ...MarshalOption) (types.SAMLIdPServiceProvider, error)
- func UnmarshalSecurityCostLimiter(data []byte, opts ...MarshalOption) (*secreports.CostLimiter, error)
- func UnmarshalSecurityReport(data []byte, opts ...MarshalOption) (*secreports.Report, error)
- func UnmarshalSecurityReportState(data []byte, opts ...MarshalOption) (*secreports.ReportState, error)
- func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)
- func UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (types.Server, error)
- func UnmarshalServerInfo(bytes []byte, opts ...MarshalOption) (types.ServerInfo, error)
- func UnmarshalServerInfos(bytes []byte) ([]types.ServerInfo, error)
- func UnmarshalServers(bytes []byte) ([]types.Server, error)
- func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)
- func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)
- func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)
- func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)
- func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)
- func UnmarshalUIConfig(data []byte, opts ...MarshalOption) (types.UIConfig, error)
- func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)
- func UnmarshalUserGroup(data []byte, opts ...MarshalOption) (types.UserGroup, error)
- func UnmarshalUserLoginState(data []byte, opts ...MarshalOption) (*userloginstate.UserLoginState, error)
- func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)
- func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)
- func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)
- func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)
- func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)
- func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)
- func UserMeetsRequirements(identity tlsca.Identity, requires accesslist.Requires) bool
- func UsernameForRemoteCluster(localUsername, localClusterName string) string
- func UsersEquals(u types.User, other types.User) bool
- func ValidateAccessPredicates(role types.Role) error
- func ValidateAccessRequest(ar types.AccessRequest) error
- func ValidateAccessRequestClusterNames(cg ClusterGetter, ar types.AccessRequest) error
- func ValidateAccessRequestForUser(ctx context.Context, clock clockwork.Clock, getter RequestValidatorGetter, ...) error
- func ValidateAssertionConsumerService(acs saml.IndexedEndpoint) error
- func ValidateAssertionConsumerServicesEndpoint(acs string) error
- func ValidateCertAuthority(ca types.CertAuthority) (err error)
- func ValidateDatabase(db types.Database) error
- func ValidateHeadlessAuthentication(h *types.HeadlessAuthentication) error
- func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error
- func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error
- func ValidateReverseTunnel(rt types.ReverseTunnel) error
- func ValidateRole(r types.Role, opts ...validateRoleOption) error
- func ValidateRoleName(role types.Role) error
- func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error
- func ValidateSQLServerURI(uri string) error
- func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error
- func ValidateUser(u types.User) error
- func ValidateUserRoles(ctx context.Context, u types.User, roleGetter RoleGetter) error
- func VerifyPassword(password []byte) error
- type AWSRoleARNMatcher
- type Access
- type AccessCheckable
- type AccessChecker
- func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)
- func NewAccessCheckerForRemoteCluster(ctx context.Context, localAccessInfo *AccessInfo, clusterName string, ...) (AccessChecker, error)
- func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker
- type AccessInfo
- func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)
- func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)
- func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)
- func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)
- func AccessInfoFromUser(user types.User) *AccessInfo
- func AccessInfoFromUserState(user UserState) *AccessInfo
- type AccessListMemberGetter
- type AccessListMembers
- type AccessListMembersGetter
- type AccessListMembershipChecker
- type AccessListReviews
- type AccessLists
- type AccessListsGetter
- type AccessListsSuggestionsGetter
- type AccessRequestGetter
- type AccessRequestWatcher
- type AccessRequestWatcherConfig
- type AccessState
- type AcquireSemaphoreWithRetryConfig
- type AppGetter
- type AppServersGetter
- type AppSession
- type AppWatcher
- type AppWatcherConfig
- type Apps
- type Assistant
- type AuthorityGetter
- type AzureIdentityMatcher
- type BoolPredicateParser
- type CertAuthorityWatcher
- func (p CertAuthorityWatcher) Close()
- func (p CertAuthorityWatcher) Done() <-chan struct{}
- func (p CertAuthorityWatcher) IsInitialized() bool
- func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)
- func (p CertAuthorityWatcher) WaitInitialization() error
- type CertAuthorityWatcherConfig
- type ClusterConfiguration
- type ClusterGetter
- type CommandLabels
- type ConnectionDiagnosticTraceAppender
- type ConnectionsDiagnostic
- type Context
- type CostLimiter
- type CurrentUserRoleGetter
- type DatabaseGetter
- type DatabaseNameMatcher
- type DatabaseServersGetter
- type DatabaseServices
- type DatabaseWatcher
- type DatabaseWatcherConfig
- type Databases
- type DiscoveryConfigs
- type DiscoveryConfigsGetter
- type DynamicAccess
- type DynamicAccessCore
- type DynamicAccessExt
- type DynamicAccessOracle
- type Embeddings
- type EmptyResource
- func (r *EmptyResource) CheckAndSetDefaults() error
- func (r *EmptyResource) Expiry() time.Time
- func (r *EmptyResource) GetKind() string
- func (r *EmptyResource) GetMetadata() types.Metadata
- func (r *EmptyResource) GetName() string
- func (r *EmptyResource) GetResourceID() int64
- func (r *EmptyResource) GetRevision() string
- func (r *EmptyResource) GetSubKind() string
- func (r *EmptyResource) GetVersion() string
- func (r *EmptyResource) SetExpiry(expires time.Time)
- func (r *EmptyResource) SetName(s string)
- func (r *EmptyResource) SetResourceID(id int64)
- func (r *EmptyResource) SetRevision(rev string)
- func (r *EmptyResource) SetSubKind(s string)
- type EnumerationResult
- type FanoutV2
- func (f *FanoutV2) Close() error
- func (f *FanoutV2) Emit(events ...types.Event)
- func (f *FanoutV2) NewStream(ctx context.Context, watch types.Watch) stream.Stream[types.Event]
- func (f *FanoutV2) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
- func (f *FanoutV2) Reset()
- func (f *FanoutV2) SetInit(kinds []types.WatchKind)
- type FanoutV2Config
- type GCPServiceAccountMatcher
- type GithubAuthConverter
- type GithubAuthCreator
- type GithubAuthInitializer
- type HeadlessAuthenticationService
- type HostCertContext
- type HostCertParams
- type HostUsersInfo
- type Identity
- type ImplicitAccessListError
- type Integrations
- type IntegrationsGetter
- type IntegrationsTokenGenerator
- type Inventory
- type InventoryInternal
- type KubeClusterWatcher
- type KubeClusterWatcherConfig
- type KubeResourcesMatcher
- type KubeServerWatcher
- func (p KubeServerWatcher) Close()
- func (p KubeServerWatcher) Done() <-chan struct{}
- func (k *KubeServerWatcher) GetKubeServersByClusterName(ctx context.Context, clusterName string) ([]types.KubeServer, error)
- func (k *KubeServerWatcher) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
- func (p KubeServerWatcher) IsInitialized() bool
- func (p KubeServerWatcher) WaitInitialization() error
- type KubeServerWatcherConfig
- type Kubernetes
- type KubernetesClusterGetter
- type KubernetesResourceMatcher
- type KubernetesServerGetter
- type LabelGetter
- type LockGetter
- type LockWatcher
- func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
- func (p LockWatcher) Close()
- func (p LockWatcher) Done() <-chan struct{}
- func (p LockWatcher) GetCurrent() []types.Lock
- func (p LockWatcher) IsInitialized() bool
- func (p LockWatcher) IsStale() bool
- func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)
- func (p LockWatcher) WaitInitialization() error
- type LockWatcherConfig
- type LogAction
- type LoginAttempt
- type MFARequired
- type MarshalConfig
- type MarshalOption
- type MatchResourceFilter
- type Matcher
- type Node
- type NodeWatcher
- type NodeWatcherConfig
- type NodesGetter
- type NodesStreamGetter
- type Okta
- type OktaAssignmentWatcher
- type OktaAssignmentWatcherConfig
- type OktaAssignments
- type OktaAssignmentsGetter
- type OktaImportRules
- type PluginData
- type PluginDataGetter
- type PluginStaticCredentials
- type Plugins
- type Presence
- type PresenceInternal
- type Provisioner
- type ProxyGetter
- type ProxyWatcher
- type ProxyWatcherConfig
- type Reconciled
- type Reconciler
- type ReconcilerConfig
- type Ref
- type Refs
- type RequestIDs
- type RequestValidator
- func (m *RequestValidator) CanRequestRole(name string) bool
- func (m *RequestValidator) CanSearchAsRole(name string) bool
- func (m *RequestValidator) GetRequestableRoles() ([]string, error)
- func (m *RequestValidator) SystemAnnotations() map[string][]string
- func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest, identity tlsca.Identity) error
- type RequestValidatorGetter
- type ResourceAccess
- type ResourceGetter
- type ResourceMarshaler
- type ResourceMatcher
- type ResourceMatcherAWS
- type ResourceSeenKey
- type ResourceUnmarshaler
- type ResourceWatcherConfig
- type Restrictions
- type ReviewPermissionChecker
- type RoleGetter
- type RoleMatcher
- type RoleMatcherFunc
- type RoleMatchers
- type RoleSet
- func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
- func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
- func NewRoleSet(roles ...types.Role) RoleSet
- func RoleSetFromSpec(name string, spec types.RoleSpecV6) (RoleSet, error)
- func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration
- func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool
- func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration
- func (set RoleSet) CanCopyFiles() bool
- func (set RoleSet) CanForwardAgents() bool
- func (set RoleSet) CanImpersonateSomeone() bool
- func (set RoleSet) CanPortForward() bool
- func (set RoleSet) CertificateExtensions() []*types.CertExtension
- func (set RoleSet) CertificateFormat() string
- func (set RoleSet) CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)
- func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string) error
- func (set RoleSet) CheckAccessToSAMLIdP(authPref types.AuthPreference) error
- func (set RoleSet) CheckAgentForward(login string) error
- func (set RoleSet) CheckAzureIdentities(ttl time.Duration, overrideTTL bool) ([]string, error)
- func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)
- func (set RoleSet) CheckGCPServiceAccounts(ttl time.Duration, overrideTTL bool) ([]string, error)
- func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
- func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
- func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)
- func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)
- func (set RoleSet) DesktopClipboard() bool
- func (set RoleSet) DesktopDirectorySharing() bool
- func (set RoleSet) EnhancedRecordingSet() map[string]bool
- func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
- func (set RoleSet) GetAccessState(authPref types.AuthPreference) AccessState
- func (set RoleSet) GetAllLogins() []string
- func (set RoleSet) GetAllowedPreviewAsRoles() []string
- func (set RoleSet) GetAllowedSearchAsRoles() []string
- func (set RoleSet) GetCreateDatabaseUserMode() types.CreateDatabaseUserMode
- func (set RoleSet) GetKubeResources(cluster types.KubeCluster, userTraits wrappers.Traits) (allowed, denied []types.KubernetesResource)
- func (set RoleSet) GetLoginsForTTL(ttl time.Duration) (logins []string, matchedTTL bool)
- func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string) error
- func (set RoleSet) HasRole(role string) bool
- func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode
- func (set RoleSet) MaxConnections() int64
- func (set RoleSet) MaxKubernetesConnections() int64
- func (set RoleSet) MaxSessions() int64
- func (set RoleSet) MaybeCanReviewRequests() bool
- func (set RoleSet) PermitX11Forwarding() bool
- func (set RoleSet) PinSourceIP() bool
- func (set RoleSet) PrivateKeyPolicy(authPreferencePolicy keys.PrivateKeyPolicy) (keys.PrivateKeyPolicy, error)
- func (set RoleSet) RecordDesktopSession() bool
- func (set RoleSet) RoleNames() []string
- func (set RoleSet) Roles() []types.Role
- func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet
- func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
- func (set RoleSet) String() string
- func (set RoleSet) WithoutImplicit() (out RoleSet)
- type RotationGetter
- type RuleContext
- type RuleSet
- type SAMLIdPServiceProviders
- type SAMLIdPSession
- type SAMLIdpServiceProviderGetter
- type SCIM
- type SecReports
- type SecurityAuditQueryGetter
- type SecurityReportGetter
- type SecurityReportStateGetter
- type SemaphoreLock
- type SemaphoreLockConfig
- type Services
- type SessionTrackerService
- type SnowflakeSession
- type SortedLoginAttempts
- type SortedReverseTunnels
- type SortedRoles
- type SortedServers
- type Status
- type StatusInternal
- type Trust
- type UnifiedResourceCache
- func (c *UnifiedResourceCache) GetUnifiedResources(ctx context.Context) ([]types.ResourceWithLabels, error)
- func (c *UnifiedResourceCache) GetUnifiedResourcesByIDs(ctx context.Context, ids []string, ...) ([]types.ResourceWithLabels, error)
- func (c *UnifiedResourceCache) IsInitialized() bool
- func (c *UnifiedResourceCache) IterateUnifiedResources(ctx context.Context, matchFn func(types.ResourceWithLabels) (bool, error), ...) ([]types.ResourceWithLabels, string, error)
- type UnifiedResourceCacheConfig
- type UnknownResource
- type UserACL
- type UserCertParams
- type UserGetter
- type UserGroups
- type UserLoginStates
- type UserLoginStatesGetter
- type UserOrLoginStateGetter
- type UserPreferences
- type UserState
- type Users
- type UsersService
- type ValidateRequestOption
- type WindowsDesktopGetter
- type WindowsDesktops
Constants ¶
const ( // RDSEngineMySQL is RDS engine name for MySQL instances. RDSEngineMySQL = "mysql" // RDSEnginePostgres is RDS engine name for Postgres instances. RDSEnginePostgres = "postgres" // RDSEngineMariaDB is RDS engine name for MariaDB instances. RDSEngineMariaDB = "mariadb" // RDSEngineAurora is RDS engine name for Aurora MySQL 5.6 compatible clusters. // This engine reached end of life (EOL) on Feb 28, 2023. // https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.MySQL56.EOL.html RDSEngineAurora = "aurora" // RDSEngineAuroraMySQL is RDS engine name for Aurora MySQL 5.7 compatible clusters. RDSEngineAuroraMySQL = "aurora-mysql" // RDSEngineAuroraPostgres is RDS engine name for Aurora Postgres clusters. RDSEngineAuroraPostgres = "aurora-postgresql" )
const ( // RDSEngineModeProvisioned is the RDS engine mode for provisioned Aurora clusters RDSEngineModeProvisioned = "provisioned" // RDSEngineModeServerless is the RDS engine mode for Aurora Serverless DB clusters RDSEngineModeServerless = "serverless" // RDSEngineModeParallelQuery is the RDS engine mode for Aurora MySQL clusters with parallel query enabled RDSEngineModeParallelQuery = "parallelquery" // RDSEngineModeGlobal is the RDS engine mode for Aurora Global databases RDSEngineModeGlobal = "global" // RDSEngineModeMultiMaster is the RDS engine mode for Multi-master clusters RDSEngineModeMultiMaster = "multimaster" )
const ( // RDSProxyMySQLPort is the port that RDS Proxy listens on for MySQL connections. RDSProxyMySQLPort = 3306 // RDSProxyPostgresPort is the port that RDS Proxy listens on for Postgres connections. RDSProxyPostgresPort = 5432 // RDSProxySQLServerPort is the port that RDS Proxy listens on for SQL Server connections. RDSProxySQLServerPort = 1433 )
const ( // AzureEngineMySQL is the Azure engine name for MySQL single-server instances. AzureEngineMySQL = "Microsoft.DBforMySQL/servers" // AzureEngineMySQLFlex is the Azure engine name for MySQL flexible-server instances. AzureEngineMySQLFlex = "Microsoft.DBforMySQL/flexibleServers" // AzureEnginePostgres is the Azure engine name for PostgreSQL single-server instances. AzureEnginePostgres = "Microsoft.DBforPostgreSQL/servers" // AzureEnginePostgresFlex is the Azure engine name for PostgreSQL flexible-server instances. AzureEnginePostgresFlex = "Microsoft.DBforPostgreSQL/flexibleServers" )
const ( // RedshiftServerlessWorkgroupEndpoint is the endpoint type for workgroups. RedshiftServerlessWorkgroupEndpoint = "workgroup" // RedshiftServerlessVPCEndpoint is the endpoint type for VCP endpoints. RedshiftServerlessVPCEndpoint = "vpc-endpoint" )
const ( // UserIdentifier represents user registered identifier in the rules UserIdentifier = "user" // ResourceIdentifier represents resource registered identifier in the rules ResourceIdentifier = "resource" // ResourceLabelsIdentifier refers to the static and dynamic labels in a resource. ResourceLabelsIdentifier = "labels" // ResourceNameIdentifier refers to two different fields depending on the kind of resource: // - KindNode will refer to its resource.spec.hostname field // - All other kinds will refer to its resource.metadata.name field // It refers to two different fields because the way this shorthand is being used, // implies it will return the name of the resource where users identifies nodes // by its hostname and all other resources that can be `ls` queried is identified // by its metadata name. ResourceNameIdentifier = "name" // SessionIdentifier refers to a session (recording) in the rules. SessionIdentifier = "session" // SSHSessionIdentifier refers to an (active) SSH session in the rules. SSHSessionIdentifier = "ssh_session" // ImpersonateRoleIdentifier is a role to impersonate ImpersonateRoleIdentifier = "impersonate_role" // ImpersonateUserIdentifier is a user to impersonate ImpersonateUserIdentifier = "impersonate_user" // HostCertIdentifier refers to a host certificate being created. HostCertIdentifier = "host_cert" // SessionTrackerIdentifier refers to a session tracker in the rules. SessionTrackerIdentifier = "session_tracker" )
const ( // Equal means two objects are equal Equal = iota // OnlyTimestampsDifferent is true when only timestamps are different OnlyTimestampsDifferent = iota // Different means that some fields are different Different = iota )
const ( SortByName string = "name" SortByKind string = "kind" )
const HeadlessAuthenticationUserStubID = "stub"
HeadlessAuthenticationUserStubID is the ID of a headless authentication stub.
Variables ¶
var ( // ResourceNameExpr is the identifier that specifies resource name. ResourceNameExpr = builder.Identifier("resource.metadata.name") // CertAuthorityTypeExpr is a function call that returns // cert authority type. CertAuthorityTypeExpr = builder.Identifier(`system.catype()`) )
var DefaultCertAuthorityRules = []types.Rule{ types.NewRule(types.KindSession, RO()), types.NewRule(types.KindNode, RO()), types.NewRule(types.KindAuthServer, RO()), types.NewRule(types.KindReverseTunnel, RO()), types.NewRule(types.KindCertAuthority, ReadNoSecrets()), }
DefaultCertAuthorityRules provides access to the minimal set of resources needed for a certificate authority to function. Note that the cert authority kind itself is readable only via ReadNoSecrets, so these rules never expose private key material.
var DefaultImplicitRules = []types.Rule{ types.NewRule(types.KindNode, RO()), types.NewRule(types.KindProxy, RO()), types.NewRule(types.KindAuthServer, RO()), types.NewRule(types.KindReverseTunnel, RO()), types.NewRule(types.KindCertAuthority, ReadNoSecrets()), types.NewRule(types.KindClusterAuthPreference, RO()), types.NewRule(types.KindClusterName, RO()), types.NewRule(types.KindSSHSession, RO()), types.NewRule(types.KindAppServer, RO()), types.NewRule(types.KindRemoteCluster, RO()), types.NewRule(types.KindKubeServer, RO()), types.NewRule(types.KindDatabaseServer, RO()), types.NewRule(types.KindDatabase, RO()), types.NewRule(types.KindApp, RO()), types.NewRule(types.KindWindowsDesktopService, RO()), types.NewRule(types.KindWindowsDesktop, RO()), types.NewRule(types.KindKubernetesCluster, RO()), types.NewRule(types.KindUsageEvent, []string{types.VerbCreate}), }
DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.
var ErrRequiresEnterprise = &trace.AccessDeniedError{Message: "this feature requires Teleport Enterprise"}
ErrRequiresEnterprise indicates that a feature requires Teleport Enterprise.
var ErrSessionMFANotRequired = &trace.AccessDeniedError{
Message: "MFA is not required to access resource",
}
ErrSessionMFANotRequired indicates that per-session MFA is not required for the resource, so completing an MFA check will not by itself grant access to it.
var ErrSessionMFARequired = &trace.AccessDeniedError{
Message: "access to resource requires MFA",
}
ErrSessionMFARequired is returned by AccessChecker when access to a resource requires an MFA check.
var ErrTrustedDeviceRequired = dtauthz.ErrTrustedDeviceRequired
ErrTrustedDeviceRequired is returned by AccessChecker when access to a resource requires a trusted device. It's an alias to dtauthz.ErrTrustedDeviceRequired.
var StrictLockingModeAccessDenied = trace.AccessDenied("preventive lock-out due to local lock view becoming unreliable")
StrictLockingModeAccessDenied is an AccessDenied error returned when strict locking mode causes all interactions to be blocked.
var UnifiedResourceKinds []string = []string{types.KindNode, types.KindKubeServer, types.KindDatabaseServer, types.KindAppServer, types.KindSAMLIdPServiceProvider, types.KindWindowsDesktop}
UnifiedResourceKinds is a list of all kinds that are stored in the unified resource cache.
Functions ¶
func AccessExplicitlyDenied ¶
AccessExplicitlyDenied is an error type that indicates an AccessDenied error where a deny rule matched and access is explicitly denied, in contrast to cases where there is no matching deny or allow rule and access is only implicitly denied.
func AccessRequestsToLockTargets ¶
func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget
AccessRequestsToLockTargets converts a list of access requests to a list of LockTargets (one LockTarget per access request)
func AcquireSemaphoreWithRetry ¶
func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)
AcquireSemaphoreWithRetry tries to acquire the semaphore according to the retry schedule until it succeeds or context expires.
func AddRoleDefaults ¶
AddRoleDefaults adds default role attributes to a preset role. Only attributes whose resources are not already defined (either allowing or denying) are added.
func ApplyAccessReview ¶
func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author UserState) error
ApplyAccessReview attempts to apply the specified access review to the specified request.
func ApplyTraits ¶
ApplyTraits applies the passed in traits to any variables within the role and returns itself.
func ApplyValueTraits ¶
ApplyValueTraits applies the passed-in traits to the variable. It returns a BadParameter error if the referenced variable is unsupported, a NotFound error if the referenced trait is missing, and the mapped list of values otherwise. When the returned error is nil, the function guarantees that at least one value is returned.
func AssumeRoleFromAWSMetadata ¶
func AssumeRoleFromAWSMetadata(meta *types.AWS) types.AssumeRole
AssumeRoleFromAWSMetadata is a conversion helper function that extracts AWS IAM role ARN and external ID from AWS metadata.
func CalculateAccessCapabilities ¶
func CalculateAccessCapabilities(ctx context.Context, clock clockwork.Clock, clt RequestValidatorGetter, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
CalculateAccessCapabilities aggregates the requested capabilities using the supplied getter to load relevant resources.
func CertAuthoritiesEquivalent ¶
func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool
CertAuthoritiesEquivalent checks if a pair of certificate authority resources are equivalent. This differs from normal equality only in that resource IDs are ignored.
func CertPool ¶
func CertPool(ca types.CertAuthority) (*x509.CertPool, error)
CertPool returns a certificate pool built from the TLS certificates configured in the certificate authority.
func CertPoolFromCertAuthorities ¶
CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates set up in the certificate authorities list, as well as the number of certificates that were added to the pool.
func CheckAndSetDefaults ¶
CheckAndSetDefaults calls [r.CheckAndSetDefaults] if r implements that method. If r does not implement it, this is a no-op; callers must not rely on it to validate such resources.
This method exists for backwards compatibility with old-style resources. Prefer using RFD 153 style resources, passing concrete types and running validations before storage writes only.
func CheckDynamicLabelsInDenyRules ¶
CheckDynamicLabelsInDenyRules checks if any deny rules in the given role use labels prefixed with "dynamic/".
func CheckSAMLEntityDescriptor ¶
func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)
CheckSAMLEntityDescriptor checks that the entity descriptor XML is valid and contains at least one valid certificate, and returns the certificates it found.
func ClusterAuditConfigSpecFromObject ¶
func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)
ClusterAuditConfigSpecFromObject returns audit config spec from object.
func CompareResources ¶
CompareResources compares two resources by all significant fields.
func CompareRuleScore ¶
CompareRuleScore returns true if the first rule is more specific than the other.
* Rule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.
func CompareServers ¶
CompareServers compares two provided servers.
func ConvertGithubConnector ¶
func ConvertGithubConnector(c types.GithubConnector) (*types.GithubConnectorV3, error)
ConvertGithubConnector converts a GitHub auth connector so it can be sent over gRPC.
func ExtraElastiCacheLabels ¶
func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, allNodes []*elasticache.CacheCluster, allSubnetGroups []*elasticache.CacheSubnetGroup) map[string]string
ExtraElastiCacheLabels returns a list of extra labels for provided ElastiCache cluster.
func ExtraMemoryDBLabels ¶
func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, allSubnetGroups []*memorydb.SubnetGroup) map[string]string
ExtraMemoryDBLabels returns a list of extra labels for provided MemoryDB cluster.
func ExtractAllowedResourcesFromCert ¶
func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)
ExtractAllowedResourcesFromCert extracts the list of allowed resource IDs encoded in the certificate.
func ExtractFromCertificate ¶
ExtractFromCertificate will extract roles and traits from a *ssh.Certificate.
func ExtractFromIdentity ¶
func ExtractFromIdentity(ctx context.Context, access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)
ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If the certificate carries roles and traits, they are used as-is; only when they are absent are they looked up from the backend via the supplied UserGetter.
func ExtractRolesFromCert ¶
func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)
ExtractRolesFromCert extracts roles from certificate metadata extensions.
func ExtractTraitsFromCert ¶
func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)
ExtractTraitsFromCert extracts traits from the certificate extensions.
func FilterSAMLEntityDescriptor ¶
func FilterSAMLEntityDescriptor(ed *saml.EntityDescriptor, quiet bool) error
FilterSAMLEntityDescriptor performs a filter in place to remove unsupported and/or insecure fields from a saml entity descriptor. Specifically, it removes acs endpoints that are either of an unsupported kind, or are using a non-https endpoint. We perform filtering rather than outright rejection because it is generally expected that a service provider will successfully support a given ACS so long as they have at least one compatible binding.
func GenerateIdPServiceProviderFromFields ¶
func GenerateIdPServiceProviderFromFields(name string, entityDescriptor string) (types.SAMLIdPServiceProvider, error)
GenerateIdPServiceProviderFromFields takes `name` and `entityDescriptor` fields and returns a SAMLIdPServiceProvider.
func GetAccessRequest ¶
func GetAccessRequest(ctx context.Context, acc DynamicAccessCore, reqID string) (types.AccessRequest, error)
GetAccessRequest is a helper function that assists with loading a specific request by ID.
func GetAttributeNames ¶
GetAttributeNames returns a list of attribute names from the attribute values
func GetClaimNames ¶
GetClaimNames returns a list of claim names from the claim values
func GetJWTSigner ¶
func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)
GetJWTSigner returns the active JWT key used to sign tokens.
func GetMySQLEngineVersion ¶
GetMySQLEngineVersion returns MySQL engine version from provided metadata labels. An empty string is returned if label doesn't exist.
func GetRedirectURL ¶
func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)
GetRedirectURL gets a redirect URL for the given connector. If the connector has a redirect URL which matches the host of the given Proxy address, then that one will be returned. Otherwise, the first URL in the list will be returned.
func GetResourceDetails ¶
func GetResourceDetails(ctx context.Context, clusterName string, lister client.ListResourcesClient, ids []types.ResourceID) (map[string]types.ResourceDetails, error)
TODO(atburke): Remove this once teleport.e reference is switched over
func GetResourceIDsByCluster ¶
func GetResourceIDsByCluster(r types.AccessRequest) map[string][]types.ResourceID
TODO(atburke): Remove this once teleport.e reference is switched over
func GetResourceMarshalerKinds ¶
func GetResourceMarshalerKinds() []string
GetResourceMarshalerKinds lists all registered resource marshalers by kind.
func GetResourcesByResourceIDs ¶
func GetResourcesByResourceIDs(ctx context.Context, lister client.ListResourcesClient, resourceIDs []types.ResourceID, opts ...accessrequest.ListResourcesRequestOption) ([]types.ResourceWithLabels, error)
TODO(atburke): Remove this once teleport.e reference is switched over
func GetSAMLServiceProvider ¶
func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
GetSAMLServiceProvider gets the SAMLConnector's service provider
func GetSSHCheckingKeys ¶
func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte
GetSSHCheckingKeys returns SSH public keys from CA
func GetStringMapValue ¶
func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)
GetStringMapValue is a helper function that returns a property from a map[string]string or a map[string][]string. It returns an empty value if the key is not found, and likewise returns an empty value if the map is nil.
func GetTLSCerts ¶
func GetTLSCerts(ca types.CertAuthority) [][]byte
GetTLSCerts returns TLS certificates from CA
func GetTraitMappings ¶
func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet
GetTraitMappings gets the AccessRequestConditions' claims as a TraitMappingSet
func GuessProxyHostAndVersion ¶
GuessProxyHostAndVersion tries to find the first proxy with a public address configured and returns that public address and version. If no proxy has a public address configured, it returns a guessed value by concatenating the first proxy's hostname with the default port number, together with the first proxy's version.
Returns empty value if there are no proxies.
func HasProcessForked ¶
HasProcessForked returns true if the Teleport process has running forked child(ren).
func InitGithubConnector ¶
func InitGithubConnector(c types.GithubConnector) (types.GithubConnector, error)
InitGithubConnector initializes c and returns a types.GithubConnector ready for use. InitGithubConnector must be used to initialize any uninitialized [types.GithubConnector]s before they can be used.
func IsAWSResourceAvailable ¶
IsAWSResourceAvailable checks if the input status indicates the resource is available for use.
Note that this function checks some common values but not necessarily covers everything. For types that have other known status values, separate functions (e.g. IsRDSClusterAvailable) can be implemented.
func IsAccessExplicitlyDenied ¶
IsAccessExplicitlyDenied returns true if any of the errors in err's chain is an AccessExplicitlyDenied error.
func IsAccessListMember ¶
func IsAccessListMember(ctx context.Context, identity tlsca.Identity, clock clockwork.Clock, accessList *accesslist.AccessList, members AccessListMemberGetter) error
TODO(mdwn): Remove this in favor of using the access list membership checker.
func IsAccessListOwner ¶
func IsAccessListOwner(identity tlsca.Identity, accessList *accesslist.AccessList) error
IsAccessListOwner returns nil if the user identified by the given identity is an owner of the given access list, and an error otherwise. Callers must treat a non-nil error as "not an owner"; the function does not return a boolean.
func IsAzureFlexServer ¶
IsAzureFlexServer returns true if the database engine label matches the Azure PostgreSQL or MySQL Flex server engine name. Matching engines are "Microsoft.DBforMySQL/flexibleServers" or "Microsoft.DBforPostgreSQL/flexibleServers".
func IsDashboard ¶
IsDashboard returns a bool indicating if the cluster is a dashboard cluster. Dashboard is a cluster running on cloud infrastructure that isn't a Teleport Cloud cluster
func IsElastiCacheClusterAvailable ¶
func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool
IsElastiCacheClusterAvailable checks if the ElastiCache cluster is available.
func IsElastiCacheClusterSupported ¶
func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool
IsElastiCacheClusterSupported checks whether the ElastiCache cluster is supported.
func IsMemoryDBClusterAvailable ¶
IsMemoryDBClusterAvailable checks if the MemoryDB cluster is available.
func IsMemoryDBClusterSupported ¶
IsMemoryDBClusterSupported checks whether the MemoryDB cluster is supported.
func IsOpenSearchDomainAvailable ¶
func IsOpenSearchDomainAvailable(domain *opensearchservice.DomainStatus) bool
IsOpenSearchDomainAvailable checks if the OpenSearch domain is available.
func IsProcessReloading ¶
IsProcessReloading returns true if the Teleport process is reloading.
func IsRDSClusterAvailable ¶
IsRDSClusterAvailable checks if the RDS cluster is available.
func IsRDSClusterSupported ¶
IsRDSClusterSupported checks whether the Aurora cluster is supported.
func IsRDSInstanceAvailable ¶
IsRDSInstanceAvailable checks if the RDS instance is available.
func IsRDSInstanceSupported ¶
func IsRDSInstanceSupported(instance *rds.DBInstance) bool
IsRDSInstanceSupported returns true if database supports IAM authentication. Currently, only MariaDB is being checked.
func IsRDSProxyAvailable ¶
IsRDSProxyAvailable checks if the RDS Proxy is available.
func IsRDSProxyCustomEndpointAvailable ¶
func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool
IsRDSProxyCustomEndpointAvailable checks if the RDS Proxy custom endpoint is available.
func IsRecordAtProxy ¶
IsRecordAtProxy returns true if recording is sync or async at proxy.
func IsRecordSync ¶
IsRecordSync returns true if recording is sync for proxy or node.
func IsRedshiftClusterAvailable ¶
IsRedshiftClusterAvailable checks if the Redshift cluster is available.
func LastFailed ¶
func LastFailed(x int, attempts []LoginAttempt) bool
LastFailed reports whether the last x successive login attempts all failed.
func LatestTunnelConnection ¶
func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)
LatestTunnelConnection returns the latest tunnel connection from the list of tunnel connections. If no connections are found, it returns a NotFound error.
func LockInForceAccessDenied ¶
LockInForceAccessDenied is an AccessDenied error returned when a lock is in force.
func LockTargetsFromTLSIdentity ¶
func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget
LockTargetsFromTLSIdentity infers a list of LockTargets from tlsca.Identity.
func MakeAzureDatabaseLoginUsername ¶
MakeAzureDatabaseLoginUsername returns a user name appropriate for Azure database logins. Azure requires database login to be <user>@<server-name>, for example: alice@mysql-server-name. Flexible server is an exception to this format and returns the provided username unmodified.
func MakePaginatedResources ¶
func MakePaginatedResources(requestType string, resources []types.ResourceWithLabels) ([]*proto.PaginatedResource, error)
MakePaginatedResources converts a list of resources into a list of paginated proto representations.
func MarshalAccessList ¶
func MarshalAccessList(accessList *accesslist.AccessList, opts ...MarshalOption) ([]byte, error)
MarshalAccessList marshals the access list resource to JSON.
func MarshalAccessListMember ¶
func MarshalAccessListMember(member *accesslist.AccessListMember, opts ...MarshalOption) ([]byte, error)
MarshalAccessListMember marshals the access list member resource to JSON.
func MarshalAccessListReview ¶
func MarshalAccessListReview(review *accesslist.Review, opts ...MarshalOption) ([]byte, error)
MarshalAccessListReview marshals the access list review resource to JSON.
func MarshalAccessRequest ¶
func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)
MarshalAccessRequest marshals the AccessRequest resource to JSON.
func MarshalAccessRequestAllowedPromotion ¶
func MarshalAccessRequestAllowedPromotion(accessListIDs *types.AccessRequestAllowedPromotions) ([]byte, error)
MarshalAccessRequestAllowedPromotion marshals the list of access list IDs to JSON.
func MarshalApp ¶
func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)
MarshalApp marshals Application resource to JSON.
func MarshalAppServer ¶
func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)
MarshalAppServer marshals the AppServer resource to JSON.
func MarshalAuditQuery ¶
func MarshalAuditQuery(in *secreports.AuditQuery, opts ...MarshalOption) ([]byte, error)
MarshalAuditQuery marshals an audit query.
func MarshalAuthPreference ¶
func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)
MarshalAuthPreference marshals the AuthPreference resource to JSON.
func MarshalCertAuthority ¶
func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)
MarshalCertAuthority marshals the CertAuthority resource to JSON.
func MarshalCertRoles ¶
MarshalCertRoles marshal roles list to OpenSSH
func MarshalClusterAuditConfig ¶
func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)
MarshalClusterAuditConfig marshals the ClusterAuditConfig resource to JSON.
func MarshalClusterName ¶
func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)
MarshalClusterName marshals the ClusterName resource to JSON.
func MarshalClusterNetworkingConfig ¶
func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)
MarshalClusterNetworkingConfig marshals the ClusterNetworkingConfig resource to JSON.
func MarshalConnectionDiagnostic ¶
func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)
MarshalConnectionDiagnostic marshals the ConnectionDiagnostic resource to JSON.
func MarshalDatabase ¶
func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)
MarshalDatabase marshals the database resource to JSON.
func MarshalDatabaseServer ¶
func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)
MarshalDatabaseServer marshals the DatabaseServer resource to JSON.
func MarshalDatabaseService ¶
func MarshalDatabaseService(databaseService types.DatabaseService, opts ...MarshalOption) ([]byte, error)
MarshalDatabaseService marshals the DatabaseService resource to JSON.
func MarshalDevice ¶
MarshalDevice marshals a DeviceV1 resource.
func MarshalDiscoveryConfig ¶
func MarshalDiscoveryConfig(discoveryConfig *discoveryconfig.DiscoveryConfig, opts ...MarshalOption) ([]byte, error)
MarshalDiscoveryConfig marshals the DiscoveryConfig resource to JSON.
func MarshalExternalAuditStorage ¶
func MarshalExternalAuditStorage(externalAuditStorage *externalauditstorage.ExternalAuditStorage, opts ...MarshalOption) ([]byte, error)
MarshalExternalAuditStorage marshals the External Audit Storage resource to JSON.
func MarshalGithubConnector ¶
func MarshalGithubConnector(connector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
MarshalGithubConnector marshals a GithubConnector resource to JSON.
func MarshalInstaller ¶
func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)
MarshalInstaller marshals the Installer resource to JSON.
func MarshalIntegration ¶
func MarshalIntegration(ig types.Integration, opts ...MarshalOption) ([]byte, error)
MarshalIntegration marshals the Integration resource to JSON.
func MarshalKubeCluster ¶
func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)
MarshalKubeCluster marshals the KubeCluster resource to JSON.
func MarshalKubeServer ¶
func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)
MarshalKubeServer marshals the KubeServer resource to JSON.
func MarshalLicense ¶
func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)
MarshalLicense marshals the License resource to JSON.
func MarshalLock ¶
func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)
MarshalLock marshals the Lock resource to JSON.
func MarshalNamespace ¶
func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)
MarshalNamespace marshals the Namespace resource to JSON.
func MarshalNetworkRestrictions ¶
func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)
MarshalNetworkRestrictions marshals the NetworkRestrictions resource to JSON.
func MarshalOIDCConnector ¶
func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)
MarshalOIDCConnector marshals the OIDCConnector resource to JSON.
func MarshalOSSGithubConnector ¶
func MarshalOSSGithubConnector(githubConnector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
MarshalOSSGithubConnector marshals the open source variant of the GithubConnector resource to JSON.
func MarshalOktaAssignment ¶
func MarshalOktaAssignment(assignment types.OktaAssignment, opts ...MarshalOption) ([]byte, error)
MarshalOktaAssignment marshals the Okta assignment resource to JSON.
func MarshalOktaImportRule ¶
func MarshalOktaImportRule(importRule types.OktaImportRule, opts ...MarshalOption) ([]byte, error)
MarshalOktaImportRule marshals the Okta import rule resource to JSON.
func MarshalPlugin ¶
func MarshalPlugin(plugin types.Plugin, opts ...MarshalOption) ([]byte, error)
MarshalPlugin marshals Plugin resource to JSON.
func MarshalPluginData ¶
func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)
MarshalPluginData marshals the PluginData resource to JSON.
func MarshalPluginStaticCredentials ¶
func MarshalPluginStaticCredentials(pluginStaticCredentials types.PluginStaticCredentials, opts ...MarshalOption) ([]byte, error)
MarshalPluginStaticCredentials marshals PluginStaticCredentials resource to JSON.
func MarshalProvisionToken ¶
func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)
MarshalProvisionToken marshals the ProvisionToken resource to JSON.
func MarshalRemoteCluster ¶
func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)
MarshalRemoteCluster marshals the RemoteCluster resource to JSON.
func MarshalResource ¶
func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)
MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.
NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).
func MarshalReverseTunnel ¶
func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)
MarshalReverseTunnel marshals the ReverseTunnel resource to JSON.
func MarshalRole ¶
func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)
MarshalRole marshals the Role resource to JSON.
func MarshalSAMLConnector ¶
func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)
MarshalSAMLConnector marshals the SAMLConnector resource to JSON.
func MarshalSAMLIdPServiceProvider ¶
func MarshalSAMLIdPServiceProvider(serviceProvider types.SAMLIdPServiceProvider, opts ...MarshalOption) ([]byte, error)
MarshalSAMLIdPServiceProvider marshals the SAMLIdPServiceProvider resource to JSON.
func MarshalSecurityCostLimiter ¶
func MarshalSecurityCostLimiter(in *secreports.CostLimiter, opts ...MarshalOption) ([]byte, error)
MarshalSecurityCostLimiter marshals a security report state.
func MarshalSecurityReport ¶
func MarshalSecurityReport(in *secreports.Report, opts ...MarshalOption) ([]byte, error)
MarshalSecurityReport marshals a security report.
func MarshalSecurityReportState ¶
func MarshalSecurityReportState(in *secreports.ReportState, opts ...MarshalOption) ([]byte, error)
MarshalSecurityReportState marshals a security report state.
func MarshalSemaphore ¶
func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)
MarshalSemaphore marshals the Semaphore resource to JSON.
func MarshalServer ¶
func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)
MarshalServer marshals the Server resource to JSON.
func MarshalServerInfo ¶
func MarshalServerInfo(si types.ServerInfo, opts ...MarshalOption) ([]byte, error)
MarshalServerInfo marshals the ServerInfo resource to JSON.
func MarshalServerInfos ¶
func MarshalServerInfos(si []types.ServerInfo) ([]byte, error)
MarshalServerInfos marshals a list of ServerInfo resources.
func MarshalServers ¶
MarshalServers marshals a list of Server resources.
func MarshalSessionRecordingConfig ¶
func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)
MarshalSessionRecordingConfig marshals the SessionRecordingConfig resource to JSON.
func MarshalSessionTracker ¶
func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)
MarshalSessionTracker marshals the Session resource to JSON.
func MarshalStaticTokens ¶
func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)
MarshalStaticTokens marshals the StaticTokens resource to JSON.
func MarshalTrustedCluster ¶
func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)
MarshalTrustedCluster marshals the TrustedCluster resource to JSON.
func MarshalTunnelConnection ¶
func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)
MarshalTunnelConnection marshals the TunnelConnection resource to JSON.
func MarshalUIConfig ¶
func MarshalUIConfig(uiconfig types.UIConfig, opts ...MarshalOption) ([]byte, error)
MarshalUIConfig marshals the UIConfig resource to JSON.
func MarshalUser ¶
func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)
MarshalUser marshals the User resource to JSON.
func MarshalUserGroup ¶
func MarshalUserGroup(group types.UserGroup, opts ...MarshalOption) ([]byte, error)
MarshalUserGroup marshals the user group resource to JSON.
func MarshalUserLoginState ¶
func MarshalUserLoginState(userLoginState *userloginstate.UserLoginState, opts ...MarshalOption) ([]byte, error)
MarshalUserLoginState marshals the user login state resource to JSON.
func MarshalUserToken ¶
func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)
MarshalUserToken marshals the UserToken resource to JSON.
func MarshalUserTokenSecrets ¶
func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)
MarshalUserTokenSecrets marshals the UserTokenSecrets resource to JSON.
func MarshalWebSession ¶
func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)
MarshalWebSession marshals the WebSession resource to JSON.
func MarshalWebToken ¶
func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)
MarshalWebToken serializes the web token as a JSON-encoded payload.
func MarshalWindowsDesktop ¶
func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)
MarshalWindowsDesktop marshals the WindowsDesktop resource to JSON.
func MarshalWindowsDesktopService ¶
func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)
MarshalWindowsDesktopService marshals the WindowsDesktopService resource to JSON.
func MatchAWSRoleARN ¶
MatchAWSRoleARN returns true if the provided role ARN matches the selectors.
func MatchAzureIdentity ¶
MatchAzureIdentity returns true if provided Azure identity matches selectors.
func MatchDatabaseName ¶
MatchDatabaseName returns true if provided database name matches selectors.
func MatchDatabaseUser ¶
MatchDatabaseUser returns true if provided database user matches selectors.
func MatchGCPServiceAccount ¶
MatchGCPServiceAccount returns true if provided GCP service account matches selectors.
func MatchLabelGetter ¶
MatchLabelGetter matches selector against labelGetter. Empty selector matches nothing, wildcard matches everything.
func MatchLabels ¶
MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.
func MatchNamespace ¶
MatchNamespace returns true if the given list of namespaces matches the target namespace; a wildcard matches everything.
func MatchResourceByFilters ¶
func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, seenMap map[ResourceSeenKey]struct{}) (bool, error)
MatchResourceByFilters returns true if all filter values given matched against the resource.
If no filters were provided, we will treat that as a match.
If a `seenMap` is provided, this will be treated as a request to filter out duplicate matches. The map is modified in place as new keys are added. Keys that have already been seen are reported as not matching (match is false).
Resource KubeService is handled differently because of its 1-N relationship with service-clusters: the non-matched clusters are filtered out of the kube service, and the kube service is modified in place to contain only the matched clusters. Deduplication for resource `KubeService` is not provided, but it is provided for kind `KubernetesCluster`.
func MatchResourceLabels ¶
func MatchResourceLabels(matchers []ResourceMatcher, labels map[string]string) bool
MatchResourceLabels returns true if any of the provided resource matchers matches the provided labels.
func MatchValidAzureIdentity ¶
func MetadataFromElastiCacheCluster ¶
func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)
MetadataFromElastiCacheCluster creates AWS metadata for the provided ElastiCache cluster.
func MetadataFromMemoryDBCluster ¶
func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)
MetadataFromMemoryDBCluster creates AWS metadata for the provided MemoryDB cluster.
func MetadataFromOpenSearchDomain ¶
func MetadataFromOpenSearchDomain(domain *opensearchservice.DomainStatus, endpointType string) (*types.AWS, error)
MetadataFromOpenSearchDomain creates AWS metadata for the provided OpenSearch domain.
func MetadataFromRDSCluster ¶
MetadataFromRDSCluster creates AWS metadata from the provided RDS cluster.
func MetadataFromRDSInstance ¶
func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)
MetadataFromRDSInstance creates AWS metadata from the provided RDS instance.
func MetadataFromRDSProxy ¶
MetadataFromRDSProxy creates AWS metadata from the provided RDS Proxy.
func MetadataFromRDSProxyCustomEndpoint ¶
func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)
MetadataFromRDSProxyCustomEndpoint creates AWS metadata from the provided RDS Proxy custom endpoint.
func MetadataFromRDSV2Cluster ¶
func MetadataFromRDSV2Cluster(rdsCluster *rdsTypesV2.DBCluster, rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)
MetadataFromRDSV2Cluster creates AWS metadata from the provided RDS cluster. It uses aws sdk v2. An optional rdsTypesV2.DBInstance can be passed to fill the network configuration of the Cluster.
func MetadataFromRDSV2Instance ¶
func MetadataFromRDSV2Instance(rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)
MetadataFromRDSV2Instance creates AWS metadata from the provided RDS instance. It uses aws sdk v2.
func MetadataFromRedshiftCluster ¶
MetadataFromRedshiftCluster creates AWS metadata from the provided Redshift cluster.
func MetadataFromRedshiftServerlessVPCEndpoint ¶
func MetadataFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, workgroup *redshiftserverless.Workgroup) (*types.AWS, error)
MetadataFromRedshiftServerlessVPCEndpoint creates AWS metadata for the provided Redshift Serverless VPC endpoint.
func MetadataFromRedshiftServerlessWorkgroup ¶
func MetadataFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup) (*types.AWS, error)
MetadataFromRedshiftServerlessWorkgroup creates AWS metadata for the provided Redshift Serverless Workgroup.
func MustCreateProvisionToken ¶
func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken
MustCreateProvisionToken returns a new valid provision token or panics; it is intended for use in tests.
func NewAWSNodeFromEC2Instance ¶
func NewAWSNodeFromEC2Instance(instance ec2Types.Instance, awsCloudMetadata *types.AWSInfo) (types.Server, error)
NewAWSNodeFromEC2Instance creates a Node resource from an EC2 Instance. It has a pre-populated spec which contains info that is not available in the ec2.Instance object.
func NewAccessRequest ¶
func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)
NewAccessRequest assembles an AccessRequest resource.
func NewAccessRequestWithResources ¶
func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)
NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.
func NewActionsParser ¶
func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
NewActionsParser returns the standard parser for the 'actions' section in access rules.
func NewApplicationFromKubeService ¶
func NewApplicationFromKubeService(service corev1.Service, clusterName, protocol string, port corev1.ServicePort) (types.Application, error)
NewApplicationFromKubeService creates application resources from kubernetes service. It transforms service fields and annotations into appropriate Teleport app fields. Service labels are copied to app labels.
func NewClusterNameWithRandomID ¶
func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)
NewClusterNameWithRandomID creates a ClusterName, supplying a random ClusterID if the field is not provided in spec.
func NewDatabaseFromAzureManagedSQLServer ¶
func NewDatabaseFromAzureManagedSQLServer(server *armsql.ManagedInstance) (types.Database, error)
NewDatabaseFromAzureManagedSQLServer creates a database resource from an Azure Managed SQL server.
func NewDatabaseFromAzureMySQLFlexServer ¶
func NewDatabaseFromAzureMySQLFlexServer(server *armmysqlflexibleservers.Server) (types.Database, error)
NewDatabaseFromAzureMySQLFlexServer creates a database resource from an Azure MySQL Flexible server.
func NewDatabaseFromAzurePostgresFlexServer ¶
func NewDatabaseFromAzurePostgresFlexServer(server *armpostgresqlflexibleservers.Server) (types.Database, error)
NewDatabaseFromAzurePostgresFlexServer creates a database resource from an Azure PostgreSQL Flexible server.
func NewDatabaseFromAzureRedis ¶
NewDatabaseFromAzureRedis creates a database resource from an Azure Redis server.
func NewDatabaseFromAzureRedisEnterprise ¶
func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)
NewDatabaseFromAzureRedisEnterprise creates a database resource from an Azure Redis Enterprise database and its parent cluster.
func NewDatabaseFromAzureSQLServer ¶
NewDatabaseFromAzureSQLServer creates a database resource from an Azure SQL server.
func NewDatabaseFromAzureServer ¶
NewDatabaseFromAzureServer creates a database resource from an AzureDB server.
func NewDatabaseFromElastiCacheConfigurationEndpoint ¶
func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)
NewDatabaseFromElastiCacheConfigurationEndpoint creates a database resource from ElastiCache configuration endpoint.
func NewDatabaseFromMemoryDBCluster ¶
func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)
NewDatabaseFromMemoryDBCluster creates a database resource from a MemoryDB cluster.
func NewDatabaseFromRDSCluster ¶
func NewDatabaseFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)
NewDatabaseFromRDSCluster creates a database resource from an RDS cluster (Aurora).
func NewDatabaseFromRDSClusterReaderEndpoint ¶
func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)
NewDatabaseFromRDSClusterReaderEndpoint creates a database resource from an RDS cluster reader endpoint (Aurora).
func NewDatabaseFromRDSInstance ¶
func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)
NewDatabaseFromRDSInstance creates a database resource from an RDS instance.
func NewDatabaseFromRDSProxy ¶
NewDatabaseFromRDSProxy creates database resource from RDS Proxy.
func NewDatabaseFromRDSProxyCustomEndpoint ¶
func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, tags []*rds.Tag) (types.Database, error)
NewDatabaseFromRDSProxyCustomEndpoint creates database resource from RDS Proxy custom endpoint.
func NewDatabaseFromRDSV2Cluster ¶
func NewDatabaseFromRDSV2Cluster(cluster *rdsTypesV2.DBCluster, firstInstance *rdsTypesV2.DBInstance) (types.Database, error)
NewDatabaseFromRDSV2Cluster creates a database resource from an RDS cluster (Aurora). It uses aws sdk v2.
func NewDatabaseFromRDSV2Instance ¶
func NewDatabaseFromRDSV2Instance(instance *rdsTypesV2.DBInstance) (types.Database, error)
NewDatabaseFromRDSV2Instance creates a database resource from an RDS instance. It uses aws sdk v2.
func NewDatabaseFromRedshiftCluster ¶
NewDatabaseFromRedshiftCluster creates a database resource from a Redshift cluster.
func NewDatabaseFromRedshiftServerlessVPCEndpoint ¶
func NewDatabaseFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, workgroup *redshiftserverless.Workgroup, tags []*redshiftserverless.Tag) (types.Database, error)
NewDatabaseFromRedshiftServerlessVPCEndpoint creates a database resource from a Redshift Serverless VPC endpoint.
func NewDatabaseFromRedshiftServerlessWorkgroup ¶
func NewDatabaseFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup, tags []*redshiftserverless.Tag) (types.Database, error)
NewDatabaseFromRedshiftServerlessWorkgroup creates a database resource from a Redshift Serverless Workgroup.
func NewDatabasesFromElastiCacheNodeGroups ¶
func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
NewDatabasesFromElastiCacheNodeGroups creates database resources from ElastiCache node groups.
func NewDatabasesFromElastiCacheReplicationGroup ¶
func NewDatabasesFromElastiCacheReplicationGroup(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
NewDatabasesFromElastiCacheReplicationGroup creates all database resources from an ElastiCache ReplicationGroup.
func NewDatabasesFromOpenSearchDomain ¶
func NewDatabasesFromOpenSearchDomain(domain *opensearchservice.DomainStatus, tags []*opensearchservice.Tag) (types.Databases, error)
NewDatabasesFromOpenSearchDomain creates database resources from an OpenSearch domain.
func NewDatabasesFromRDSCluster ¶
func NewDatabasesFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)
NewDatabasesFromRDSCluster creates all database resources from an RDS Aurora cluster.
func NewDatabasesFromRDSClusterCustomEndpoints ¶
func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)
NewDatabasesFromRDSClusterCustomEndpoints creates database resources from RDS cluster custom endpoints (Aurora).
func NewGithubConnector ¶
func NewGithubConnector(name string, spec types.GithubConnectorSpecV3) (types.GithubConnector, error)
NewGithubConnector creates a new GitHub auth connector.
func NewHeadlessAuthenticationID ¶
NewHeadlessAuthenticationID returns a new SHA256 (Version 5) UUID based on the supplied ssh public key.
func NewImplicitRole ¶
NewImplicitRole is the default implicit role that gets added to all RoleSets.
func NewKubeClusterFromAWSEKS ¶
func NewKubeClusterFromAWSEKS(clusterName, clusterArn string, tags map[string]*string) (types.KubeCluster, error)
NewKubeClusterFromAWSEKS creates a kube_cluster resource from an EKS cluster.
func NewKubeClusterFromAzureAKS ¶
func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)
NewKubeClusterFromAzureAKS creates a kube_cluster resource from an AKSCluster.
func NewKubeClusterFromGCPGKE ¶
func NewKubeClusterFromGCPGKE(cluster gcp.GKECluster) (types.KubeCluster, error)
NewKubeClusterFromGCPGKE creates a kube_cluster resource from a GKE cluster.
func NewLogActionFn ¶
func NewLogActionFn(ctx RuleContext) interface{}
NewLogActionFn creates logger functions.
func NewPresetAccessRole ¶
NewPresetAccessRole creates a role for users who are allowed to initiate interactive sessions.
func NewPresetAuditorRole ¶
NewPresetAuditorRole returns a new pre-defined role for cluster auditor - someone who can review cluster events and replay sessions, but can't initiate interactive sessions or modify configuration.
func NewPresetDeviceAdminRole ¶
NewPresetDeviceAdminRole returns the preset "device-admin" role, or nil for non-Enterprise builds. The role is used to administer trusted devices.
func NewPresetDeviceEnrollRole ¶
NewPresetDeviceEnrollRole returns the preset "device-enroll" role, or nil for non-Enterprise builds. The role is used to grant device enrollment powers to users.
func NewPresetEditorRole ¶
NewPresetEditorRole returns a new pre-defined role for cluster editors who can edit cluster configuration resources.
func NewPresetGroupAccessRole ¶
NewPresetGroupAccessRole returns a new pre-defined role for group access - a role used for requesting and reviewing user group access.
func NewPresetRequesterRole ¶
NewPresetRequesterRole returns a new pre-defined role for requester. The requester will be able to request all resources.
func NewPresetRequireTrustedDeviceRole ¶
NewPresetRequireTrustedDeviceRole returns the preset "require-trusted-device" role, or nil for non-Enterprise builds. The role is used as a basis for requiring trusted device access to resources.
func NewPresetReviewerRole ¶
NewPresetReviewerRole returns a new pre-defined role for reviewer. The reviewer will be able to review all access requests.
func NewSystemAutomaticAccessApproverRole ¶
NewSystemAutomaticAccessApproverRole creates a new Role that is allowed to approve any Access Request. This is restricted to Teleport Enterprise, and returns nil in non-Enterprise builds.
func NewSystemAutomaticAccessBotUser ¶
NewSystemAutomaticAccessBotUser returns a new User that has (via the `PresetAutomaticAccessApprovalRoleName` role) the right to automatically approve any access requests.
This user must not:
- Be allowed to log into the cluster
- Show up in user lists in WebUI
TODO(tcsc): Implement/enforce above restrictions on this user
func NewSystemOktaAccessRole ¶
NewSystemOktaAccessRole creates the system role (named SystemOktaAccessRoleName) that allows access to Okta resources. This role is used by the Okta requester role to search for Okta resources.
func NewSystemOktaRequesterRole ¶
NewSystemOktaRequesterRole creates the system role (named SystemOktaRequesterRoleName) that allows requesting access to Okta resources. It differs from the requester role in that it allows requesting longer-lived access.
func NewTOTPDevice ¶
NewTOTPDevice creates a TOTP MFADevice from the given key.
func NewWebSessionAttestationData ¶
func NewWebSessionAttestationData(pub crypto.PublicKey) (*keys.AttestationData, error)
NewWebSessionAttestationData creates attestation data for a web session key. Inserting data to the Auth server will allow certificates generated for the web session key to pass private key policies that are unobtainable in the web (hardware key policies). In exchange, these keys must be kept strictly in the Auth and Proxy processes and Auth storage. These keys and certs can only be retrieved by users in the form of web session cookies.
func NewWhereParser ¶
func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
NewWhereParser returns standard parser for `where` section in access rules.
func NodeHasMissedKeepAlives ¶
NodeHasMissedKeepAlives checks whether the node has missed its keep-alives.
func OIDCClaimsToTraits ¶
OIDCClaimsToTraits converts OIDC-style claims into the Teleport-specific trait format.
func ParseShortcut ¶
ParseShortcut parses a resource shortcut. Generally, this should accept the plural of a singular resource name or vice versa.
func ProcessForkedContext ¶
ProcessForkedContext adds a flag to the context to indicate the Teleport process has running forked child(ren).
func ProcessReloadContext ¶
ProcessReloadContext adds a flag to the context to indicate the Teleport process is reloading.
func RO ¶
func RO() []string
RO is a shortcut that returns read only verbs that provide access to secrets.
func ReadNoSecrets ¶
func ReadNoSecrets() []string
ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.
func RegisterGithubAuthConverter ¶
func RegisterGithubAuthConverter(convert GithubAuthConverter)
RegisterGithubAuthConverter registers a function to convert GitHub auth connectors.
func RegisterGithubAuthCreator ¶
func RegisterGithubAuthCreator(creator GithubAuthCreator)
RegisterGithubAuthCreator registers a function to create GitHub auth connectors.
func RegisterGithubAuthInitializer ¶
func RegisterGithubAuthInitializer(init GithubAuthInitializer)
RegisterGithubAuthInitializer registers a function to initialize GitHub auth connectors.
func RegisterResourceMarshaler ¶
func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)
RegisterResourceMarshaler registers a marshaler for resources of a specific kind. WARNING: registering a resource marshaler requires that lib/services/local.CreateResources supports the resource kind; otherwise the standard backup/restore procedure of running `tctl get all` and then BootstrapResources in Teleport will fail.
func RegisterResourceUnmarshaler ¶
func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)
RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.
func ResourceMatchersToTypes ¶
func ResourceMatchersToTypes(in []ResourceMatcher) []*types.DatabaseResourceMatcher
ResourceMatchersToTypes converts []services.ResourceMatcher into []*types.DatabaseResourceMatcher.
func RoleForCertAuthority ¶
func RoleForCertAuthority(ca types.CertAuthority) types.Role
RoleForCertAuthority creates role using types.CertAuthority.
func RoleFromSpec ¶
RoleFromSpec returns a new Role created from the given spec.
func RoleMapToString ¶
RoleMapToString returns a user-friendly representation of a role mapping.
func RoleNameForCertAuthority ¶
RoleNameForCertAuthority returns role name associated with a certificate authority.
func RoleNameForUser ¶
RoleNameForUser returns role name associated with a user.
func RolesToLockTargets ¶
func RolesToLockTargets(roles []string) []types.LockTarget
RolesToLockTargets converts a list of roles to a list of LockTargets (one LockTarget per role).
func SAMLAssertionsToTraits ¶
func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string
SAMLAssertionsToTraits converts saml assertions to traits
func ShouldDeleteServerHeartbeatsOnShutdown ¶
ShouldDeleteServerHeartbeatsOnShutdown checks whether server heartbeats should be deleted based on the process shutdown context.
func SimplifyAzureMatchers ¶
func SimplifyAzureMatchers(matchers []types.AzureMatcher) []types.AzureMatcher
SimplifyAzureMatchers returns simplified Azure Matchers. Selectors are deduplicated, wildcard in a selector reduces the selector to just the wildcard, and defaults are applied.
func TraitsToRoleMatchers ¶
func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)
TraitsToRoleMatchers maps the supplied traits to a list of role matchers. Prefer calling this function directly rather than calling TraitsToRoles and then building matchers from the resulting list since this function forces any roles which include substitutions to be literal matchers.
func TraitsToRoles ¶
func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)
TraitsToRoles maps the supplied traits to a list of teleport role names. Returns the list of roles mapped from traits. `warnings` optionally contains the list of warnings potentially interesting to the user.
func TunnelConnectionStatus ¶
func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, offlineThreshold time.Duration) string
TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection
func UnmarshalAccessList ¶
func UnmarshalAccessList(data []byte, opts ...MarshalOption) (*accesslist.AccessList, error)
UnmarshalAccessList unmarshals the access list resource from JSON.
func UnmarshalAccessListMember ¶
func UnmarshalAccessListMember(data []byte, opts ...MarshalOption) (*accesslist.AccessListMember, error)
UnmarshalAccessListMember unmarshals the access list member resource from JSON.
func UnmarshalAccessListReview ¶
func UnmarshalAccessListReview(data []byte, opts ...MarshalOption) (*accesslist.Review, error)
UnmarshalAccessListReview unmarshals the access list review resource from JSON.
func UnmarshalAccessRequest ¶
func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)
UnmarshalAccessRequest unmarshals the AccessRequest resource from JSON.
func UnmarshalAccessRequestAllowedPromotion ¶
func UnmarshalAccessRequestAllowedPromotion(data []byte) (*types.AccessRequestAllowedPromotions, error)
UnmarshalAccessRequestAllowedPromotion unmarshals the list of access list IDs from JSON.
func UnmarshalApp ¶
func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)
UnmarshalApp unmarshals Application resource from JSON.
func UnmarshalAppServer ¶
func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)
UnmarshalAppServer unmarshals AppServer resource from JSON.
func UnmarshalAuditQuery ¶
func UnmarshalAuditQuery(data []byte, opts ...MarshalOption) (*secreports.AuditQuery, error)
UnmarshalAuditQuery unmarshals an audit query.
func UnmarshalAuthPreference ¶
func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)
UnmarshalAuthPreference unmarshals the AuthPreference resource from JSON.
func UnmarshalCertAuthority ¶
func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)
UnmarshalCertAuthority unmarshals the CertAuthority resource from JSON.
func UnmarshalCertRoles ¶
UnmarshalCertRoles unmarshals a roles list from OpenSSH format.
func UnmarshalClusterAuditConfig ¶
func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)
UnmarshalClusterAuditConfig unmarshals the ClusterAuditConfig resource from JSON.
func UnmarshalClusterName ¶
func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)
UnmarshalClusterName unmarshals the ClusterName resource from JSON.
func UnmarshalClusterNetworkingConfig ¶
func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)
UnmarshalClusterNetworkingConfig unmarshals the ClusterNetworkingConfig resource from JSON.
func UnmarshalConnectionDiagnostic ¶
func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)
UnmarshalConnectionDiagnostic unmarshals the ConnectionDiagnostic resource from JSON.
func UnmarshalDatabase ¶
func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)
UnmarshalDatabase unmarshals the database resource from JSON.
func UnmarshalDatabaseServer ¶
func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)
UnmarshalDatabaseServer unmarshals the DatabaseServer resource from JSON.
func UnmarshalDatabaseService ¶
func UnmarshalDatabaseService(data []byte, opts ...MarshalOption) (types.DatabaseService, error)
UnmarshalDatabaseService unmarshals the DatabaseService resource from JSON.
func UnmarshalDevice ¶
UnmarshalDevice unmarshals a DeviceV1 resource and runs CheckAndSetDefaults.
func UnmarshalDiscoveryConfig ¶
func UnmarshalDiscoveryConfig(data []byte, opts ...MarshalOption) (*discoveryconfig.DiscoveryConfig, error)
UnmarshalDiscoveryConfig unmarshals the DiscoveryConfig resource from JSON.
func UnmarshalExternalAuditStorage ¶
func UnmarshalExternalAuditStorage(data []byte, opts ...MarshalOption) (*externalauditstorage.ExternalAuditStorage, error)
UnmarshalExternalAuditStorage unmarshals the External Audit Storage resource from JSON.
func UnmarshalGithubConnector ¶
func UnmarshalGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)
UnmarshalGithubConnector unmarshals the GithubConnector resource from JSON.
func UnmarshalInstaller ¶
func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)
UnmarshalInstaller unmarshals the installer resource from JSON.
func UnmarshalIntegration ¶
func UnmarshalIntegration(data []byte, opts ...MarshalOption) (types.Integration, error)
UnmarshalIntegration unmarshals Integration resource from JSON.
func UnmarshalKubeCluster ¶
func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)
UnmarshalKubeCluster unmarshals KubeCluster resource from JSON.
func UnmarshalKubeServer ¶
func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)
UnmarshalKubeServer unmarshals KubeServer resource from JSON.
func UnmarshalLicense ¶
UnmarshalLicense unmarshals the License resource from JSON.
func UnmarshalLock ¶
func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)
UnmarshalLock unmarshals the Lock resource from JSON.
func UnmarshalNamespace ¶
func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)
UnmarshalNamespace unmarshals the Namespace resource from JSON.
func UnmarshalNetworkRestrictions ¶
func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)
UnmarshalNetworkRestrictions unmarshals the NetworkRestrictions resource from JSON.
func UnmarshalOIDCConnector ¶
func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)
UnmarshalOIDCConnector unmarshals the OIDCConnector resource from JSON.
func UnmarshalOSSGithubConnector ¶
func UnmarshalOSSGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)
UnmarshalOSSGithubConnector unmarshals the open source variant of the GithubConnector resource from JSON.
func UnmarshalOktaAssignment ¶
func UnmarshalOktaAssignment(data []byte, opts ...MarshalOption) (types.OktaAssignment, error)
UnmarshalOktaAssignment unmarshals the Okta assignment resource from JSON.
func UnmarshalOktaImportRule ¶
func UnmarshalOktaImportRule(data []byte, opts ...MarshalOption) (types.OktaImportRule, error)
UnmarshalOktaImportRule unmarshals Okta import rule resource from JSON.
func UnmarshalPlugin ¶
func UnmarshalPlugin(data []byte, opts ...MarshalOption) (types.Plugin, error)
UnmarshalPlugin unmarshals the plugin resource from JSON.
func UnmarshalPluginData ¶
func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)
UnmarshalPluginData unmarshals the PluginData resource from JSON.
func UnmarshalPluginStaticCredentials ¶
func UnmarshalPluginStaticCredentials(data []byte, opts ...MarshalOption) (types.PluginStaticCredentials, error)
UnmarshalPluginStaticCredentials unmarshals the plugin static credentials resource from JSON.
func UnmarshalProvisionToken ¶
func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)
UnmarshalProvisionToken unmarshals the ProvisionToken resource from JSON.
func UnmarshalRemoteCluster ¶
func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)
UnmarshalRemoteCluster unmarshals the RemoteCluster resource from JSON.
func UnmarshalResource ¶
UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if no unmarshaler has been registered.
NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).
func UnmarshalReverseTunnel ¶
func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.
func UnmarshalRole ¶
func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)
UnmarshalRole unmarshals the Role resource from JSON.
func UnmarshalSAMLConnector ¶
func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)
UnmarshalSAMLConnector unmarshals the SAMLConnector resource from JSON.
func UnmarshalSAMLIdPServiceProvider ¶
func UnmarshalSAMLIdPServiceProvider(data []byte, opts ...MarshalOption) (types.SAMLIdPServiceProvider, error)
UnmarshalSAMLIdPServiceProvider unmarshals SAMLIdPServiceProvider resource from JSON.
func UnmarshalSecurityCostLimiter ¶
func UnmarshalSecurityCostLimiter(data []byte, opts ...MarshalOption) (*secreports.CostLimiter, error)
UnmarshalSecurityCostLimiter unmarshals a security report cost limiter.
func UnmarshalSecurityReport ¶
func UnmarshalSecurityReport(data []byte, opts ...MarshalOption) (*secreports.Report, error)
UnmarshalSecurityReport unmarshals a security report.
func UnmarshalSecurityReportState ¶
func UnmarshalSecurityReportState(data []byte, opts ...MarshalOption) (*secreports.ReportState, error)
UnmarshalSecurityReportState unmarshals a security report state.
func UnmarshalSemaphore ¶
func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)
UnmarshalSemaphore unmarshals the Semaphore resource from JSON.
func UnmarshalServer ¶
UnmarshalServer unmarshals the Server resource from JSON.
func UnmarshalServerInfo ¶
func UnmarshalServerInfo(bytes []byte, opts ...MarshalOption) (types.ServerInfo, error)
UnmarshalServerInfo unmarshals the ServerInfo resource from JSON.
func UnmarshalServerInfos ¶
func UnmarshalServerInfos(bytes []byte) ([]types.ServerInfo, error)
UnmarshalServerInfos unmarshals a list of ServerInfo resources.
func UnmarshalServers ¶
UnmarshalServers unmarshals a list of Server resources.
func UnmarshalSessionRecordingConfig ¶
func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)
UnmarshalSessionRecordingConfig unmarshals the SessionRecordingConfig resource from JSON.
func UnmarshalSessionTracker ¶
func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)
UnmarshalSessionTracker unmarshals the SessionTracker resource from JSON.
func UnmarshalStaticTokens ¶
func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)
UnmarshalStaticTokens unmarshals the StaticTokens resource from JSON.
func UnmarshalTrustedCluster ¶
func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)
UnmarshalTrustedCluster unmarshals the TrustedCluster resource from JSON.
func UnmarshalTunnelConnection ¶
func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)
UnmarshalTunnelConnection unmarshals the TunnelConnection resource from JSON or YAML, sets defaults and checks the schema.
func UnmarshalUIConfig ¶
func UnmarshalUIConfig(data []byte, opts ...MarshalOption) (types.UIConfig, error)
UnmarshalUIConfig unmarshals the UIConfig resource from JSON.
func UnmarshalUser ¶
func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)
UnmarshalUser unmarshals the User resource from JSON.
func UnmarshalUserGroup ¶
func UnmarshalUserGroup(data []byte, opts ...MarshalOption) (types.UserGroup, error)
UnmarshalUserGroup unmarshals user group resource from JSON.
func UnmarshalUserLoginState ¶
func UnmarshalUserLoginState(data []byte, opts ...MarshalOption) (*userloginstate.UserLoginState, error)
UnmarshalUserLoginState unmarshals the user login state resource from JSON.
func UnmarshalUserToken ¶
func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)
UnmarshalUserToken unmarshals the UserToken resource from JSON.
func UnmarshalUserTokenSecrets ¶
func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)
UnmarshalUserTokenSecrets unmarshals the UserTokenSecrets resource from JSON.
func UnmarshalWebSession ¶
func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)
UnmarshalWebSession unmarshals the WebSession resource from JSON.
func UnmarshalWebToken ¶
func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)
UnmarshalWebToken interprets bytes as JSON-encoded web token value
func UnmarshalWindowsDesktop ¶
func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)
UnmarshalWindowsDesktop unmarshals the WindowsDesktop resource from JSON.
func UnmarshalWindowsDesktopService ¶
func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)
UnmarshalWindowsDesktopService unmarshals the WindowsDesktopService resource from JSON.
func UserMeetsRequirements ¶
func UserMeetsRequirements(identity tlsca.Identity, requires accesslist.Requires) bool
UserMeetsRequirements will return true if the user meets the requirements for the access list.
func UsernameForRemoteCluster ¶
UsernameForRemoteCluster returns a username that is prefixed with "remote-" and suffixed with the cluster name, with the hope that it does not match a real local user.
func UsersEquals ¶
UsersEquals checks if the users are equal
func ValidateAccessPredicates ¶
ValidateAccessPredicates checks request & review permission predicates for syntax errors. Used to help prevent users from accidentally writing incorrect predicates. This function should only be called by the auth server prior to storing new/updated roles. Normal role validation deliberately omits these checks in order to allow us to extend the available namespaces without breaking backwards compatibility with older nodes/proxies (which never need to evaluate these predicates).
func ValidateAccessRequest ¶
func ValidateAccessRequest(ar types.AccessRequest) error
ValidateAccessRequest validates the AccessRequest and sets default values
func ValidateAccessRequestClusterNames ¶
func ValidateAccessRequestClusterNames(cg ClusterGetter, ar types.AccessRequest) error
ValidateAccessRequestClusterNames checks that the clusters in the access request exist
func ValidateAccessRequestForUser ¶
func ValidateAccessRequestForUser(ctx context.Context, clock clockwork.Clock, getter RequestValidatorGetter, req types.AccessRequest, identity tlsca.Identity, opts ...ValidateRequestOption) error
ValidateAccessRequestForUser validates an access request against the associated user's *statically assigned* roles. If expandRoles is true, it will also expand wildcard requests, setting their role list to include all roles the user is allowed to request. Expansion should be performed before an access request is initially placed in the backend.
func ValidateAssertionConsumerService ¶
func ValidateAssertionConsumerService(acs saml.IndexedEndpoint) error
ValidateAssertionConsumerService checks if a given assertion consumer service is usable by teleport. Note that it is permissible for a service provider to include acs endpoints that are not compatible with teleport, so long as at least one _is_ compatible.
func ValidateAssertionConsumerServicesEndpoint ¶
ValidateAssertionConsumerServicesEndpoint ensures that the Assertion Consumer Service location is a valid HTTPS endpoint.
func ValidateCertAuthority ¶
func ValidateCertAuthority(ca types.CertAuthority) (err error)
ValidateCertAuthority validates the CertAuthority
func ValidateDatabase ¶
ValidateDatabase validates a types.Database.
func ValidateHeadlessAuthentication ¶
func ValidateHeadlessAuthentication(h *types.HeadlessAuthentication) error
ValidateHeadlessAuthentication verifies that the headless authentication has all of the required fields set. Headless authentication stubs will not pass this validation.
func ValidateLocalAuthSecrets ¶
func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error
ValidateLocalAuthSecrets validates local auth secret members.
func ValidateNetworkRestrictions ¶
func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error
ValidateNetworkRestrictions validates the network restrictions and sets defaults
func ValidateReverseTunnel ¶
func ValidateReverseTunnel(rt types.ReverseTunnel) error
ValidateReverseTunnel validates the ReverseTunnel and sets default values.
func ValidateRole ¶
ValidateRole parses and validates the role, and sets default values.
func ValidateRoleName ¶
ValidateRoleName checks that the role name is allowed to be created.
func ValidateSAMLConnector ¶
func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error
ValidateSAMLConnector validates the SAMLConnector and sets default values. If a remote to fetch roles is specified, roles will be validated to exist.
func ValidateSQLServerURI ¶
ValidateSQLServerURI validates SQL Server URI and returns host and port.
Since Teleport only supports SQL Server authentication using AD (self-hosted or Azure), the database URI must include: computer name, domain and port.
A few examples of valid URIs:
- computer.ad.example.com:1433
- computer.domain.com:1433
func ValidateTrustedCluster ¶
func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error
ValidateTrustedCluster checks and sets Trusted Cluster defaults
func ValidateUser ¶
ValidateUser validates the User and sets default values
func ValidateUserRoles ¶
ValidateUserRoles checks that all the roles in the user exist
func VerifyPassword ¶
VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in
Types ¶
type AWSRoleARNMatcher ¶
// AWSRoleARNMatcher matches a role against an AWS role ARN.
type AWSRoleARNMatcher struct {
	// RoleARN is the AWS role ARN that roles are matched against.
	RoleARN string
}
AWSRoleARNMatcher matches a role against AWS role ARN.
func (*AWSRoleARNMatcher) Match ¶
func (m *AWSRoleARNMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches AWS role ARN against provided role and condition.
func (*AWSRoleARNMatcher) String ¶
func (m *AWSRoleARNMatcher) String() string
String returns the matcher's string representation.
type Access ¶
// Access service manages roles and permissions.
type Access interface {
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) (types.Role, error)
	// UpdateRole updates an existing role.
	UpdateRole(ctx context.Context, role types.Role) (types.Role, error)
	// UpsertRole creates or updates a role.
	UpsertRole(ctx context.Context, role types.Role) (types.Role, error)
	// DeleteAllRoles deletes all roles.
	DeleteAllRoles(ctx context.Context) error
	// GetRole returns a role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// DeleteRole deletes a role by name.
	DeleteRole(ctx context.Context, name string) error

	// LockGetter provides the read side of lock management.
	LockGetter
	// UpsertLock upserts a lock.
	UpsertLock(context.Context, types.Lock) error
	// DeleteLock deletes a lock.
	DeleteLock(context.Context, string) error
	// DeleteAllLocks deletes all/in-force locks.
	DeleteAllLocks(context.Context) error
	// ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
	ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
}
Access service manages roles and permissions.
type AccessCheckable ¶
// AccessCheckable is the subset of types.Resource required for the RBAC checks.
type AccessCheckable interface {
	// GetKind returns the resource kind.
	GetKind() string
	// GetName returns the resource name.
	GetName() string
	// GetMetadata returns the resource metadata.
	GetMetadata() types.Metadata
	// GetLabel looks up a single label by key; ok reports whether the key was present.
	GetLabel(key string) (value string, ok bool)
	// GetAllLabels returns all labels of the resource.
	GetAllLabels() map[string]string
}
AccessCheckable is the subset of types.Resource required for the RBAC checks.
type AccessChecker ¶
// AccessChecker checks access to resources based on roles, traits, and
// allowed resources.
type AccessChecker interface {
	// HasRole checks if the checker includes the role.
	HasRole(role string) bool
	// RoleNames returns a list of role names.
	RoleNames() []string
	// Traits returns the set of user traits.
	Traits() wrappers.Traits
	// Roles returns the list of underlying roles this AccessChecker is based on.
	Roles() []types.Role
	// CheckAccess checks access to the specified resource.
	CheckAccess(r AccessCheckable, state AccessState, matchers ...RoleMatcher) error
	// CheckAccessToRemoteCluster checks access to a remote cluster.
	CheckAccessToRemoteCluster(cluster types.RemoteCluster) error
	// CheckAccessToRule checks access to a rule within a namespace.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string) error
	// CheckLoginDuration checks if the role set can login up to the given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)
	// CheckKubeGroupsAndUsers checks if the role can login into kubernetes
	// and returns two lists of combined allowed groups and users.
	CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) (groups []string, users []string, err error)
	// CheckAWSRoleARNs returns a list of AWS role ARNs the role is allowed to assume.
	CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)
	// CheckAzureIdentities returns a list of Azure identities the user is allowed to assume.
	CheckAzureIdentities(ttl time.Duration, overrideTTL bool) ([]string, error)
	// CheckGCPServiceAccounts returns a list of GCP service accounts the user is allowed to assume.
	CheckGCPServiceAccounts(ttl time.Duration, overrideTTL bool) ([]string, error)
	// CheckAccessToSAMLIdP checks access to the SAML IdP.
	//
	//nolint:revive // Because we want this to be IdP.
	CheckAccessToSAMLIdP(types.AuthPreference) error
	// AdjustSessionTTL will reduce the requested ttl to the lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged.
	AdjustSessionTTL(ttl time.Duration) time.Duration
	// AdjustClientIdleTimeout adjusts the requested idle timeout
	// to the lowest max allowed timeout; the most restrictive
	// option will be picked.
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration
	// AdjustDisconnectExpiredCert adjusts the value based on the role set;
	// the most restrictive option will be picked.
	AdjustDisconnectExpiredCert(disconnect bool) bool
	// CheckAgentForward checks if the role can request agent forwarding for this
	// user.
	CheckAgentForward(login string) error
	// CanForwardAgents returns true if this role set offers the capability to forward
	// agents.
	CanForwardAgents() bool
	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool
	// DesktopClipboard returns true if the role set has enabled shared
	// clipboard for desktop sessions. Clipboard sharing is disabled if
	// one or more of the roles in the set has disabled it.
	DesktopClipboard() bool
	// RecordDesktopSession returns true if a role in the role set has enabled
	// desktop session recording.
	RecordDesktopSession() bool
	// DesktopDirectorySharing returns true if the role set has directory sharing
	// enabled. This setting is enabled if one or more of the roles in the set has
	// enabled it.
	DesktopDirectorySharing() bool
	// MaybeCanReviewRequests attempts to guess if this RoleSet belongs
	// to a user who should be submitting access reviews. Because not all rolesets
	// are derived from statically assigned roles, this may return false positives.
	MaybeCanReviewRequests() bool
	// PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
	PermitX11Forwarding() bool
	// CanCopyFiles returns true if the role set has enabled remote file
	// operations via SCP or SFTP. Remote file operations are disabled if
	// one or more of the roles in the set has disabled it.
	CanCopyFiles() bool
	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	CertificateFormat() string
	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool
	// CheckDatabaseNamesAndUsers returns database names and users this role
	// is allowed to use.
	CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) (names []string, users []string, err error)
	// DatabaseAutoUserMode returns whether a user should be auto-created in
	// the database.
	DatabaseAutoUserMode(types.Database) (types.CreateDatabaseUserMode, error)
	// CheckDatabaseRoles returns a list of database roles to assign, when
	// auto-user provisioning is enabled. If there are no user-requested roles, all
	// allowed roles are returned.
	CheckDatabaseRoles(database types.Database, userRequestedRoles []string) (roles []string, err error)
	// GetDatabasePermissions returns a set of database permissions applicable for the user.
	GetDatabasePermissions() (allow types.DatabasePermissions, deny types.DatabasePermissions)
	// CheckImpersonate checks whether the current user is allowed to impersonate
	// users and roles.
	CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
	// CheckImpersonateRoles checks whether the current user is allowed to
	// perform roles-only impersonation.
	CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
	// CanImpersonateSomeone returns true if this checker has any impersonation rules.
	CanImpersonateSomeone() bool
	// LockingMode returns the locking mode to apply with this checker.
	LockingMode(defaultMode constants.LockingMode) constants.LockingMode
	// ExtractConditionForIdentifier returns a restrictive filter expression
	// for list queries based on the rules' `where` conditions.
	ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
	// CertificateExtensions returns the list of extensions for each role in the RoleSet.
	CertificateExtensions() []*types.CertExtension
	// GetAllowedSearchAsRoles returns all of the allowed SearchAsRoles.
	GetAllowedSearchAsRoles() []string
	// GetAllowedPreviewAsRoles returns all of the allowed PreviewAsRoles.
	GetAllowedPreviewAsRoles() []string
	// MaxConnections returns the maximum number of concurrent ssh connections
	// allowed. If MaxConnections is zero then no maximum was defined and the
	// number of concurrent connections is unconstrained.
	MaxConnections() int64
	// MaxSessions returns the maximum number of concurrent ssh sessions per
	// connection. If MaxSessions is zero then no maximum was defined and the
	// number of sessions is unconstrained.
	MaxSessions() int64
	// SessionPolicySets returns the list of SessionPolicySets for all roles.
	SessionPolicySets() []*types.SessionTrackerPolicySet
	// GetAllLogins returns all valid unix logins for the AccessChecker.
	GetAllLogins() []string
	// GetAllowedResourceIDs returns the list of allowed resources the identity for
	// the AccessChecker is allowed to access. An empty or nil list indicates that
	// there are no resource-specific restrictions.
	GetAllowedResourceIDs() []types.ResourceID
	// SessionRecordingMode returns the recording mode for a specific service.
	SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
	// HostUsers returns host user information matching a server, or nil if
	// a role disallows host user creation.
	HostUsers(types.Server) (*HostUsersInfo, error)
	// HostSudoers returns host sudoers entries matching a server.
	HostSudoers(types.Server) ([]string, error)
	// DesktopGroups returns the desktop groups a user is allowed to create, or an
	// access denied error if a role disallows desktop user creation.
	DesktopGroups(types.WindowsDesktop) ([]string, error)
	// PinSourceIP forces the same client IP for certificate generation and SSH usage.
	PinSourceIP() bool
	// GetAccessState returns the AccessState for the user given their roles, the
	// cluster auth preference, and whether MFA and the user's device were
	// verified.
	GetAccessState(authPref types.AuthPreference) AccessState
	// PrivateKeyPolicy returns the enforced private key policy for this role set,
	// or the provided defaultPolicy - whichever is stricter.
	PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) (keys.PrivateKeyPolicy, error)
	// GetKubeResources returns the allowed and denied Kubernetes Resources configured
	// for a user.
	GetKubeResources(cluster types.KubeCluster) (allowed, denied []types.KubernetesResource)
	// EnumerateEntities works on a given role set to return a minimal description
	// of the allowed set of entities (db_users, db_names, etc). It is biased towards
	// *allowed* entities; it is meant to describe what the user can do, rather than
	// cannot do. For that reason, if the user isn't allowed to pick *any* entities,
	// the output will be empty.
	//
	// In cases where * is listed in the set of allowed entities, it may be hard for
	// users to figure out the expected entity to use. For this reason the parameter
	// extraEntities provides an extra set of entities to be checked against the
	// RoleSet. This extra set of entities may be sourced e.g. from user connection
	// history.
	EnumerateEntities(resource AccessCheckable, listFn roleEntitiesListFn, newMatcher roleMatcherFactoryFn, extraEntities ...string) EnumerationResult
	// EnumerateDatabaseUsers specializes EnumerateEntities to enumerate db_users.
	EnumerateDatabaseUsers(database types.Database, extraUsers ...string) (EnumerationResult, error)
	// EnumerateDatabaseNames specializes EnumerateEntities to enumerate db_names.
	EnumerateDatabaseNames(database types.Database, extraNames ...string) EnumerationResult
	// GetAllowedLoginsForResource returns all of the allowed logins for the passed resource.
	//
	// Supports the following resource types:
	//
	// - types.Server with GetKind() == types.KindNode
	//
	// - types.KindWindowsDesktop
	GetAllowedLoginsForResource(resource AccessCheckable) ([]string, error)
}
AccessChecker interface checks access to resources based on roles, traits, and allowed resources
func NewAccessChecker ¶
func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)
NewAccessChecker returns a new AccessChecker which can be used to check access to resources. Args:
- `info *AccessInfo` should hold the roles, traits, and allowed resource IDs for the identity.
- `localCluster string` should be the name of the local cluster in which access will be checked. You cannot check for access to resources in remote clusters.
- `access RoleGetter` should be a RoleGetter which will be used to fetch the full RoleSet
func NewAccessCheckerForRemoteCluster ¶
func NewAccessCheckerForRemoteCluster(ctx context.Context, localAccessInfo *AccessInfo, clusterName string, access CurrentUserRoleGetter) (AccessChecker, error)
NewAccessCheckerForRemoteCluster returns an AccessChecker that can check user's access to resources that may be located in remote/leaf Teleport clusters.
func NewAccessCheckerWithRoleSet ¶
func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker
NewAccessCheckerWithRoleSet is similar to NewAccessChecker, but accepts the full RoleSet rather than a RoleGetter.
type AccessInfo ¶
// AccessInfo holds the information about an identity that is needed to decide
// whether that identity may access cluster resources. It is populated from a
// user or host SSH certificate, a TLS certificate, or user information stored
// in the backend (see the AccessInfoFrom* constructors).
type AccessInfo struct {
	// Roles is the list of cluster local roles for the identity.
	Roles []string
	// Traits is the set of traits for the identity.
	Traits wrappers.Traits
	// AllowedResourceIDs is the list of resource IDs the identity is allowed to
	// access. A nil or empty list indicates that no resource-specific
	// access restrictions should be applied. Used for search-based access
	// requests. Because an empty list means "unrestricted", a caller that
	// intends to narrow access to specific resources must populate it.
	AllowedResourceIDs []types.ResourceID
	// Username is the Teleport username.
	Username string
}
AccessInfo holds the information about an identity necessary to check whether that identity has access to cluster resources. This info can come from a user or host SSH certificate, a TLS certificate, or user information stored in the backend.
func AccessInfoFromLocalCertificate ¶
func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)
AccessInfoFromLocalCertificate returns a new AccessInfo populated from the given SSH certificate. It must only be used for cluster-local users: the certificate's roles are taken as-is and are not mapped through a role map (compare AccessInfoFromRemoteCertificate).
func AccessInfoFromLocalIdentity ¶
func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)
AccessInfoFromLocalIdentity returns a new AccessInfo populated from the given tlsca.Identity. It must only be used for cluster-local users: the identity's roles are taken as-is and are not mapped through a role map (compare AccessInfoFromRemoteIdentity).
func AccessInfoFromRemoteCertificate ¶
func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)
AccessInfoFromRemoteCertificate returns a new AccessInfo populated from the given remote cluster user's ssh certificate. Remote roles will be mapped to local roles based on the given roleMap.
func AccessInfoFromRemoteIdentity ¶
func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)
AccessInfoFromRemoteIdentity returns a new AccessInfo populated from the given remote cluster user's tlsca.Identity. Remote roles will be mapped to local roles based on the given roleMap.
func AccessInfoFromUser ¶
func AccessInfoFromUser(user types.User) *AccessInfo
AccessInfoFromUser returns a new AccessInfo populated from the roles and traits held by the given user. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests). TODO(mdwn): Remove this once enterprise has been moved away from this function.
func AccessInfoFromUserState ¶
func AccessInfoFromUserState(user UserState) *AccessInfo
AccessInfoFromUserState returns a new AccessInfo populated from the roles and traits held by the given user state. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests).
type AccessListMemberGetter ¶
// AccessListMemberGetter is the read interface for a single access list
// member; it is embedded by AccessListMembersGetter.
type AccessListMemberGetter interface {
	// GetAccessListMember returns the specified access list member resource.
	// May return a DynamicAccessListError if the requested access list has an
	// implicit member list and the underlying implementation does not have
	// enough information to compute the dynamic member record.
	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)
}
AccessListMemberGetter defines an interface that can retrieve access list members.
type AccessListMembers ¶
// AccessListMembers manages access list member resources: it embeds the read
// interface and adds the write and delete operations.
type AccessListMembers interface {
	AccessListMembersGetter
	// UpsertAccessListMember creates or updates an access list member resource.
	UpsertAccessListMember(ctx context.Context, member *accesslist.AccessListMember) (*accesslist.AccessListMember, error)
	// DeleteAccessListMember hard deletes the specified access list member resource.
	DeleteAccessListMember(ctx context.Context, accessList string, memberName string) error
	// DeleteAllAccessListMembersForAccessList hard deletes all access list members for an access list.
	DeleteAllAccessListMembersForAccessList(ctx context.Context, accessList string) error
	// DeleteAllAccessListMembers hard deletes all access list members.
	DeleteAllAccessListMembers(ctx context.Context) error
}
AccessListMembers defines an interface for managing AccessListMembers.
type AccessListMembersGetter ¶
// AccessListMembersGetter is the read interface for access list members,
// both individually and as paginated lists.
type AccessListMembersGetter interface {
	AccessListMemberGetter
	// ListAccessListMembers returns a paginated list of all access list members.
	// May return a DynamicAccessListError if the requested access list has an
	// implicit member list and the underlying implementation does not have
	// enough information to compute the dynamic member list.
	ListAccessListMembers(ctx context.Context, accessListName string, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
	// ListAllAccessListMembers returns a paginated list of all access list members for all access lists.
	ListAllAccessListMembers(ctx context.Context, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
	// GetAccessListMember is already provided by the embedded
	// AccessListMemberGetter; it is restated here with an identical signature,
	// which Go permits.
	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)
}
AccessListMembersGetter defines an interface for reading access list members.
type AccessListMembershipChecker ¶
// AccessListMembershipChecker checks whether a user is a member of an access
// list, and additionally verifies that the user is not locked and meets the
// list's membership requirements. Construct it with
// NewAccessListMembershipChecker.
type AccessListMembershipChecker struct {
	// contains filtered or unexported fields
}
AccessListMembershipChecker will check if users are members of an access list and makes sure the user is not locked and meets membership requirements.
func NewAccessListMembershipChecker ¶
func NewAccessListMembershipChecker(clock clockwork.Clock, members AccessListMemberGetter, locks LockGetter) *AccessListMembershipChecker
NewAccessListMembershipChecker will create a new access list membership checker.
func (AccessListMembershipChecker) IsAccessListMember ¶
func (a AccessListMembershipChecker) IsAccessListMember(ctx context.Context, identity tlsca.Identity, accessList *accesslist.AccessList) error
IsAccessListMember returns nil if the identity is a member of the given access list and an error otherwise; note that the result is reported through the error value, not a boolean.
type AccessListReviews ¶
// AccessListReviews manages access list review resources.
type AccessListReviews interface {
	// ListAccessListReviews will list access list reviews for a particular access list.
	ListAccessListReviews(ctx context.Context, accessList string, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error)
	// ListAllAccessListReviews will list access list reviews for all access lists. Only to be used by the cache.
	ListAllAccessListReviews(ctx context.Context, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error)
	// CreateAccessListReview will create a new review for an access list. It
	// returns the stored review together with the next review date.
	CreateAccessListReview(ctx context.Context, review *accesslist.Review) (updatedReview *accesslist.Review, nextReviewDate time.Time, err error)
	// DeleteAccessListReview will delete an access list review from the backend.
	DeleteAccessListReview(ctx context.Context, accessListName, reviewName string) error
	// DeleteAllAccessListReviews will delete all access list reviews from all access lists.
	DeleteAllAccessListReviews(ctx context.Context) error
}
AccessListReviews defines an interface for managing Access List reviews.
type AccessLists ¶
// AccessLists is the full management interface for access lists; it composes
// the getter, suggestion, member and review interfaces and adds the write
// operations.
type AccessLists interface {
	AccessListsGetter
	AccessListsSuggestionsGetter
	AccessListMembers
	AccessListReviews
	// UpsertAccessList creates or updates an access list resource.
	UpsertAccessList(context.Context, *accesslist.AccessList) (*accesslist.AccessList, error)
	// DeleteAccessList removes the specified access list resource.
	DeleteAccessList(context.Context, string) error
	// DeleteAllAccessLists removes all access lists.
	DeleteAllAccessLists(context.Context) error
	// UpsertAccessListWithMembers creates or updates an access list resource and its members.
	UpsertAccessListWithMembers(context.Context, *accesslist.AccessList, []*accesslist.AccessListMember) (*accesslist.AccessList, []*accesslist.AccessListMember, error)
	// AccessRequestPromote promotes an access request to an access list.
	AccessRequestPromote(ctx context.Context, req *accesslistv1.AccessRequestPromoteRequest) (*accesslistv1.AccessRequestPromoteResponse, error)
}
AccessLists defines an interface for managing AccessLists.
type AccessListsGetter ¶
// AccessListsGetter is the read interface for access lists (and, via the
// embedded interface, their members).
type AccessListsGetter interface {
	AccessListMembersGetter
	// GetAccessLists returns a list of all access lists.
	GetAccessLists(context.Context) ([]*accesslist.AccessList, error)
	// ListAccessLists returns a paginated list of access lists.
	ListAccessLists(context.Context, int, string) ([]*accesslist.AccessList, string, error)
	// GetAccessList returns the specified access list resource.
	GetAccessList(context.Context, string) (*accesslist.AccessList, error)
	// GetAccessListsToReview returns access lists that the user needs to review.
	GetAccessListsToReview(context.Context) ([]*accesslist.AccessList, error)
}
AccessListsGetter defines an interface for reading access lists.
type AccessListsSuggestionsGetter ¶
// AccessListsSuggestionsGetter reads access list suggestions for an access
// request.
type AccessListsSuggestionsGetter interface {
	// GetSuggestedAccessLists returns a list of access lists that are suggested for a given request.
	GetSuggestedAccessLists(ctx context.Context, accessRequestID string) ([]*accesslist.AccessList, error)
}
AccessListsSuggestionsGetter defines an interface for reading access lists suggestions.
type AccessRequestGetter ¶
// AccessRequestGetter fetches access request resources.
type AccessRequestGetter interface {
	// GetAccessRequests gets all currently active access requests that match
	// the given filter.
	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
}
AccessRequestGetter defines the interface for fetching access request resources.
type AccessRequestWatcher ¶
// AccessRequestWatcher is built on top of resourceWatcher to monitor access
// request resources. Construct it with NewAccessRequestWatcher.
type AccessRequestWatcher struct {
	// contains filtered or unexported fields
}
AccessRequestWatcher is built on top of resourceWatcher to monitor access request resources.
func NewAccessRequestWatcher ¶
func NewAccessRequestWatcher(ctx context.Context, cfg AccessRequestWatcherConfig) (*AccessRequestWatcher, error)
NewAccessRequestWatcher returns a new instance of AccessRequestWatcher.
func (AccessRequestWatcher) Close ¶
func (p AccessRequestWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (AccessRequestWatcher) Done ¶
func (p AccessRequestWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (AccessRequestWatcher) IsInitialized ¶
func (p AccessRequestWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (AccessRequestWatcher) WaitInitialization ¶
func (p AccessRequestWatcher) WaitInitialization() error
WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.
type AccessRequestWatcherConfig ¶
// AccessRequestWatcherConfig configures an AccessRequestWatcher.
type AccessRequestWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AccessRequestGetter is responsible for fetching access request resources.
	AccessRequestGetter
	// Filter is the filter to use to monitor access requests.
	Filter types.AccessRequestFilter
	// AccessRequestsC receives up-to-date list of all access request resources.
	AccessRequestsC chan types.AccessRequests
}
AccessRequestWatcherConfig is a AccessRequestWatcher configuration.
func (*AccessRequestWatcherConfig) CheckAndSetDefaults ¶
func (cfg *AccessRequestWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type AccessState ¶
// AccessState holds state for the present access attempt, including both
// cluster settings and user state (MFA, device trust, etc).
type AccessState struct {
	// MFARequired determines whether a user's MFA requirement dynamically changes
	// based on their active role (per-role), or is static across all roles
	// (always/never).
	MFARequired MFARequired
	// MFAVerified is set when MFA has been verified by the caller.
	MFAVerified bool
	// EnableDeviceVerification enables device verification in access checks.
	// It's recommended to set this in tandem with DeviceVerified, so device
	// checks are easier to reason about and have a proper chance of succeeding.
	// Used for role-based device mode checks.
	// Defaults to false for backwards compatibility.
	EnableDeviceVerification bool
	// DeviceVerified is true if the user certificate contains all required
	// device extensions.
	// A value of true enables the caller to clear device trust checks.
	// It's recommended to set this in tandem with EnableDeviceVerification.
	// See [dtauthz.IsTLSDeviceVerified] and [dtauthz.IsSSHDeviceVerified].
	DeviceVerified bool
}
AccessState holds state for the present access attempt, including both cluster settings and user state (MFA, device trust, etc).
type AcquireSemaphoreWithRetryConfig ¶
// AcquireSemaphoreWithRetryConfig contains the parameters for
// AcquireSemaphoreWithRetry.
type AcquireSemaphoreWithRetryConfig struct {
	// Service is the semaphore service the lease is acquired from.
	Service types.Semaphores
	// Request is the acquire request passed to the service.
	Request types.AcquireSemaphoreRequest
	// Retry is the linear retry configuration used between attempts.
	Retry retryutils.LinearConfig
}
AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a semaphore with a retry.
type AppGetter ¶
// AppGetter fetches application resources.
type AppGetter interface {
	// GetApps returns all application resources.
	GetApps(context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}
AppGetter defines interface for fetching application resources.
type AppServersGetter ¶
// AppServersGetter is a service that gets application servers.
type AppServersGetter interface {
	// GetApplicationServers returns the application servers in the given namespace.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
}
AppServersGetter is a service that gets application servers.
type AppSession ¶
// AppSession defines application web session features.
type AppSession interface {
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// ListAppSessions gets a paginated list of application web sessions.
	ListAppSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
	// UpsertAppSession upserts an application web session.
	UpsertAppSession(context.Context, types.WebSession) error
	// DeleteAppSession removes an application web session.
	DeleteAppSession(context.Context, types.DeleteAppSessionRequest) error
	// DeleteAllAppSessions removes all application web sessions.
	DeleteAllAppSessions(context.Context) error
	// DeleteUserAppSessions deletes all of the given user's application sessions.
	DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
}
AppSession defines application session features.
type AppWatcher ¶
// AppWatcher is built on top of resourceWatcher to monitor application
// resources. Construct it with NewAppWatcher.
type AppWatcher struct {
	// contains filtered or unexported fields
}
AppWatcher is built on top of resourceWatcher to monitor application resources.
func NewAppWatcher ¶
func NewAppWatcher(ctx context.Context, cfg AppWatcherConfig) (*AppWatcher, error)
NewAppWatcher returns a new instance of AppWatcher.
func (AppWatcher) Close ¶
func (p AppWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (AppWatcher) Done ¶
func (p AppWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (AppWatcher) IsInitialized ¶
func (p AppWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (AppWatcher) WaitInitialization ¶
func (p AppWatcher) WaitInitialization() error
WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.
type AppWatcherConfig ¶
// AppWatcherConfig configures an AppWatcher.
type AppWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AppGetter is responsible for fetching application resources.
	AppGetter
	// AppsC receives up-to-date list of all application resources.
	AppsC chan types.Apps
}
AppWatcherConfig is an AppWatcher configuration.
func (*AppWatcherConfig) CheckAndSetDefaults ¶
func (cfg *AppWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Apps ¶
// Apps manages application resources.
type Apps interface {
	// AppGetter provides methods for fetching application resources.
	AppGetter
	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error
	// DeleteAllApps removes all application resources.
	DeleteAllApps(context.Context) error
}
Apps defines an interface for managing application resources.
type Assistant ¶
// Assistant manages assistant conversations and their messages, and reports
// whether the assistant is enabled.
type Assistant interface {
	// GetAssistantMessages returns all messages with given conversation ID.
	GetAssistantMessages(ctx context.Context, req *assist.GetAssistantMessagesRequest) (*assist.GetAssistantMessagesResponse, error)
	// CreateAssistantMessage adds the message to the backend.
	CreateAssistantMessage(ctx context.Context, msg *assist.CreateAssistantMessageRequest) error
	// CreateAssistantConversation creates a new conversation entry in the backend.
	CreateAssistantConversation(ctx context.Context, req *assist.CreateAssistantConversationRequest) (*assist.CreateAssistantConversationResponse, error)
	// DeleteAssistantConversation deletes a conversation entry and associated messages from the backend.
	DeleteAssistantConversation(ctx context.Context, req *assist.DeleteAssistantConversationRequest) error
	// GetAssistantConversations returns all conversations started by a user.
	GetAssistantConversations(ctx context.Context, request *assist.GetAssistantConversationsRequest) (*assist.GetAssistantConversationsResponse, error)
	// UpdateAssistantConversationInfo updates conversation info.
	UpdateAssistantConversationInfo(ctx context.Context, msg *assist.UpdateAssistantConversationInfoRequest) error
	// IsAssistEnabled reports whether the assist feature is enabled at the auth level.
	IsAssistEnabled(ctx context.Context) (*assist.IsAssistEnabledResponse, error)
}
type AuthorityGetter ¶
// AuthorityGetter fetches cert authority resources.
type AuthorityGetter interface {
	// GetCertAuthority returns the cert authority with the given id.
	// NOTE(review): loadKeys presumably controls whether private key material
	// is included in the returned authority; callers that only need to verify
	// should pass false — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetCertAuthorities returns all cert authorities of the given type; loadKeys
	// has the same meaning as in GetCertAuthority.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
}
AuthorityGetter defines interface for fetching cert authority resources.
type AzureIdentityMatcher ¶
// AzureIdentityMatcher matches a role against an Azure identity; see Match.
type AzureIdentityMatcher struct {
	// Identity is the Azure identity that is matched against the role's
	// conditions.
	Identity string
}
AzureIdentityMatcher matches a role against Azure identity.
func (*AzureIdentityMatcher) Match ¶
func (m *AzureIdentityMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches Azure identity against provided role and condition.
func (*AzureIdentityMatcher) String ¶
func (m *AzureIdentityMatcher) String() string
String returns the matcher's string representation.
type BoolPredicateParser ¶
BoolPredicateParser extends predicate.Parser with a convenience method for evaluating bool predicates.
func NewJSONBoolParser ¶
func NewJSONBoolParser(ctx interface{}) (BoolPredicateParser, error)
NewJSONBoolParser returns a generic parser for boolean expressions based on a json-serializable context.
func NewResourceParser ¶
func NewResourceParser(resource types.ResourceWithLabels) (BoolPredicateParser, error)
NewResourceParser returns a parser for boolean expressions based on a json-serializable resource. It is customized to allow short identifiers common to all resources:
- shorthand `name` refers to `resource.spec.hostname` for node resources, and to `resource.metadata.name` for all other resources, e.g. `name == "app-name-jenkins"`
- shorthand `labels` refers to `resource.metadata.labels + resource.spec.dynamic_labels`, e.g. `labels.env == "prod"`
All other fields can be referenced by starting the expression with the identifier `resource` followed by the names of the JSON fields, i.e. `resource.spec.public_addr`.
type CertAuthorityWatcher ¶
// CertAuthorityWatcher is built on top of resourceWatcher to monitor cert
// authority resources. Construct it with NewCertAuthorityWatcher; consumers
// receive updates through Subscribe.
type CertAuthorityWatcher struct {
	// contains filtered or unexported fields
}
CertAuthorityWatcher is built on top of resourceWatcher to monitor cert authority resources.
func NewCertAuthorityWatcher ¶
func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig) (*CertAuthorityWatcher, error)
NewCertAuthorityWatcher returns a new instance of CertAuthorityWatcher.
func (CertAuthorityWatcher) Close ¶
func (p CertAuthorityWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (CertAuthorityWatcher) Done ¶
func (p CertAuthorityWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (CertAuthorityWatcher) IsInitialized ¶
func (p CertAuthorityWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (CertAuthorityWatcher) Subscribe ¶
func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)
Subscribe returns a watcher that delivers cert authority updates matching the given filter.
func (CertAuthorityWatcher) WaitInitialization ¶
func (p CertAuthorityWatcher) WaitInitialization() error
WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.
type CertAuthorityWatcherConfig ¶
// CertAuthorityWatcherConfig configures a CertAuthorityWatcher.
type CertAuthorityWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AuthorityGetter is responsible for fetching cert authority resources.
	AuthorityGetter
	// Types restricts which cert authority types are retrieved via the AuthorityGetter.
	Types []types.CertAuthType
}
CertAuthorityWatcherConfig is a CertAuthorityWatcher configuration.
func (*CertAuthorityWatcherConfig) CheckAndSetDefaults ¶
func (cfg *CertAuthorityWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type ClusterConfiguration ¶
// ClusterConfiguration stores the cluster configuration in the backend. Every
// resource handled by this interface is a singleton: at most one instance
// exists in the backend.
//
// NOTE(review): several of these singletons (auth preference, session
// recording, audit and networking config) govern cluster-wide security
// settings, and no caller identity is passed here, so authorization is
// presumably enforced by the caller before the setters are invoked — confirm.
type ClusterConfiguration interface {
	// GetClusterName gets services.ClusterName from the backend.
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// SetClusterName sets services.ClusterName on the backend.
	SetClusterName(types.ClusterName) error
	// UpsertClusterName upserts the cluster name.
	UpsertClusterName(types.ClusterName) error
	// DeleteClusterName deletes the cluster name resource.
	DeleteClusterName() error
	// GetStaticTokens gets services.StaticTokens from the backend.
	GetStaticTokens() (types.StaticTokens, error)
	// SetStaticTokens sets services.StaticTokens on the backend.
	SetStaticTokens(types.StaticTokens) error
	// DeleteStaticTokens deletes the static tokens resource.
	DeleteStaticTokens() error
	// GetUIConfig gets the proxy service UI config from the backend.
	GetUIConfig(context.Context) (types.UIConfig, error)
	// SetUIConfig sets the proxy service UI config in the backend.
	SetUIConfig(context.Context, types.UIConfig) error
	// DeleteUIConfig deletes the proxy service UI config from the backend.
	DeleteUIConfig(ctx context.Context) error
	// GetAuthPreference gets types.AuthPreference from the backend.
	GetAuthPreference(context.Context) (types.AuthPreference, error)
	// SetAuthPreference sets types.AuthPreference in the backend.
	SetAuthPreference(context.Context, types.AuthPreference) error
	// DeleteAuthPreference deletes types.AuthPreference from the backend.
	DeleteAuthPreference(ctx context.Context) error
	// GetSessionRecordingConfig gets SessionRecordingConfig from the backend.
	GetSessionRecordingConfig(context.Context, ...MarshalOption) (types.SessionRecordingConfig, error)
	// SetSessionRecordingConfig sets SessionRecordingConfig in the backend.
	SetSessionRecordingConfig(context.Context, types.SessionRecordingConfig) error
	// DeleteSessionRecordingConfig deletes SessionRecordingConfig from the backend.
	DeleteSessionRecordingConfig(ctx context.Context) error
	// GetClusterAuditConfig gets ClusterAuditConfig from the backend.
	GetClusterAuditConfig(context.Context, ...MarshalOption) (types.ClusterAuditConfig, error)
	// SetClusterAuditConfig sets ClusterAuditConfig in the backend.
	SetClusterAuditConfig(context.Context, types.ClusterAuditConfig) error
	// DeleteClusterAuditConfig deletes ClusterAuditConfig from the backend.
	DeleteClusterAuditConfig(ctx context.Context) error
	// GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend.
	GetClusterNetworkingConfig(context.Context, ...MarshalOption) (types.ClusterNetworkingConfig, error)
	// SetClusterNetworkingConfig sets ClusterNetworkingConfig in the backend.
	SetClusterNetworkingConfig(context.Context, types.ClusterNetworkingConfig) error
	// DeleteClusterNetworkingConfig deletes ClusterNetworkingConfig from the backend.
	DeleteClusterNetworkingConfig(ctx context.Context) error
	// GetInstallers gets all installer scripts from the backend.
	GetInstallers(context.Context) ([]types.Installer, error)
	// GetInstaller gets the named installer script from the backend.
	GetInstaller(ctx context.Context, name string) (types.Installer, error)
	// SetInstaller sets the installer script in the backend.
	SetInstaller(context.Context, types.Installer) error
	// DeleteInstaller removes the named installer script from the backend.
	DeleteInstaller(ctx context.Context, name string) error
	// DeleteAllInstallers removes all installer script resources from the backend.
	DeleteAllInstallers(context.Context) error
	// GetClusterMaintenanceConfig loads the current maintenance config singleton.
	GetClusterMaintenanceConfig(ctx context.Context) (types.ClusterMaintenanceConfig, error)
	// UpdateClusterMaintenanceConfig updates the maintenance config singleton.
	UpdateClusterMaintenanceConfig(ctx context.Context, cfg types.ClusterMaintenanceConfig) error
	// DeleteClusterMaintenanceConfig deletes the maintenance config singleton.
	DeleteClusterMaintenanceConfig(ctx context.Context) error
}
ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.
type ClusterGetter ¶
// ClusterGetter provides access to the local cluster name and to remote
// clusters by name.
type ClusterGetter interface {
	// GetClusterName returns the local cluster name.
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// GetRemoteCluster returns a remote cluster by name.
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
}
ClusterGetter provides access to the local cluster name and to remote clusters by name.
type CommandLabels ¶
// CommandLabels is a set of command labels keyed by label name; see Clone and
// SetEnv for its methods.
type CommandLabels map[string]types.CommandLabel
CommandLabels is a set of command labels keyed by label name.
func (*CommandLabels) Clone ¶
func (c *CommandLabels) Clone() CommandLabels
Clone returns a copy of the set.
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from an environment variable.
type ConnectionDiagnosticTraceAppender ¶
// ConnectionDiagnosticTraceAppender adds traces to a ConnectionDiagnostic.
type ConnectionDiagnosticTraceAppender interface {
	// AppendDiagnosticTrace atomically adds a new trace into the ConnectionDiagnostic
	// with the given name and returns the updated diagnostic.
	AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
}
ConnectionDiagnosticTraceAppender specifies methods to add traces into a ConnectionDiagnostic.
type ConnectionsDiagnostic ¶
// ConnectionsDiagnostic manages Connection Diagnostic resources.
type ConnectionsDiagnostic interface {
	// CreateConnectionDiagnostic creates a new Connection Diagnostic.
	CreateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error
	// UpdateConnectionDiagnostic updates a Connection Diagnostic.
	UpdateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error
	// GetConnectionDiagnostic receives a name and returns the Connection Diagnostic matching that name.
	//
	// If not found, a `trace.NotFound` error is returned.
	GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)
	// ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics.
	ConnectionDiagnosticTraceAppender
}
ConnectionsDiagnostic defines an interface for managing Connection Diagnostics.
type Context ¶
// Context is the default rule context used in Teleport. It carries the
// authenticated user plus the optional resource, session, host certificate
// and session tracker data that a rule may inspect.
type Context struct {
	// User is the currently authenticated user.
	User UserState
	// Resource is an optional resource, in case the rule
	// checks access to the resource.
	Resource types.Resource
	// Session is an optional session.end or windows.desktop.session.end event.
	// These events hold information about session recordings.
	Session events.AuditEvent
	// SSHSession is an optional (active) SSH session.
	SSHSession *session.Session
	// HostCert is an optional host certificate.
	HostCert *HostCertContext
	// SessionTracker is an optional session tracker, in case the rule checks access to the tracker.
	SessionTracker types.SessionTracker
}
Context is the default rule context used in Teleport.
func (*Context) GetIdentifier ¶
GetIdentifier returns the identifier defined in the context.
func (*Context) GetResource ¶
GetResource returns resource specified in the context, returns error if not specified.
type CostLimiter ¶
// CostLimiter stores and retrieves security cost limiter resources.
type CostLimiter interface {
	// UpsertCostLimiter upserts a security cost limiter.
	UpsertCostLimiter(ctx context.Context, item *secreports.CostLimiter) error
	// GetCostLimiter returns the named security cost limiter.
	GetCostLimiter(ctx context.Context, name string) (*secreports.CostLimiter, error)
}
CostLimiter is the interface for the security cost limiter.
type CurrentUserRoleGetter ¶
// CurrentUserRoleGetter limits the interface of auth.ClientI to the methods
// needed by NewAccessCheckerForRemoteCluster.
type CurrentUserRoleGetter interface {
	// GetCurrentUserRoles returns the remote cluster roles for the current
	// user; traits have not been applied.
	GetCurrentUserRoles(context.Context) ([]types.Role, error)
	// GetCurrentUser returns the remote cluster's view of the current user.
	GetCurrentUser(context.Context) (types.User, error)
}
CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by NewAccessCheckerForRemoteCluster.
type DatabaseGetter ¶
// DatabaseGetter fetches database resources.
type DatabaseGetter interface {
	// GetDatabases returns all database resources.
	GetDatabases(context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}
DatabaseGetter defines interface for fetching database resources.
type DatabaseNameMatcher ¶
// DatabaseNameMatcher matches a role against a database name; see Match.
type DatabaseNameMatcher struct {
	// Name is the database name that is matched against the role's conditions.
	Name string
}
DatabaseNameMatcher matches a role against database name.
func (*DatabaseNameMatcher) Match ¶
func (m *DatabaseNameMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches database name against provided role and condition.
func (*DatabaseNameMatcher) String ¶
func (m *DatabaseNameMatcher) String() string
String returns the matcher's string representation.
type DatabaseServersGetter ¶
// DatabaseServersGetter is a service that gets database servers.
type DatabaseServersGetter interface {
	// GetDatabaseServers returns the database servers in the given namespace.
	GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error)
}
DatabaseServersGetter is a service that gets database servers.
type DatabaseServices ¶
// DatabaseServices manages DatabaseService resources.
type DatabaseServices interface {
	// UpsertDatabaseService creates or updates a DatabaseService resource and
	// returns its keep-alive.
	UpsertDatabaseService(context.Context, types.DatabaseService) (*types.KeepAlive, error)
	// DeleteDatabaseService removes the specified DatabaseService resource.
	DeleteDatabaseService(ctx context.Context, name string) error
	// DeleteAllDatabaseServices removes all DatabaseService resources.
	DeleteAllDatabaseServices(context.Context) error
}
DatabaseServices defines an interface for managing DatabaseService resources.
type DatabaseWatcher ¶
// DatabaseWatcher is built on top of resourceWatcher to monitor database
// resources. Construct it with NewDatabaseWatcher.
type DatabaseWatcher struct {
	// contains filtered or unexported fields
}
DatabaseWatcher is built on top of resourceWatcher to monitor database resources.
func NewDatabaseWatcher ¶
func NewDatabaseWatcher(ctx context.Context, cfg DatabaseWatcherConfig) (*DatabaseWatcher, error)
NewDatabaseWatcher returns a new instance of DatabaseWatcher.
func (DatabaseWatcher) Close ¶
func (p DatabaseWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (DatabaseWatcher) Done ¶
func (p DatabaseWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (DatabaseWatcher) IsInitialized ¶
func (p DatabaseWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (DatabaseWatcher) WaitInitialization ¶
func (p DatabaseWatcher) WaitInitialization() error
WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.
type DatabaseWatcherConfig ¶
type DatabaseWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // DatabaseGetter is responsible for fetching database resources. DatabaseGetter // DatabasesC receives up-to-date list of all database resources. DatabasesC chan types.Databases }
DatabaseWatcherConfig is a DatabaseWatcher configuration.
func (*DatabaseWatcherConfig) CheckAndSetDefaults ¶
func (cfg *DatabaseWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Databases ¶
type Databases interface { // DatabaseGetter provides methods for fetching database resources. DatabaseGetter // CreateDatabase creates a new database resource. CreateDatabase(context.Context, types.Database) error // UpdateDatabase updates an existing database resource. UpdateDatabase(context.Context, types.Database) error // DeleteDatabase removes the specified database resource. DeleteDatabase(ctx context.Context, name string) error // DeleteAllDatabases removes all database resources. DeleteAllDatabases(context.Context) error }
Databases defines an interface for managing database resources.
type DiscoveryConfigs ¶
type DiscoveryConfigs interface { DiscoveryConfigsGetter // CreateDiscoveryConfig creates a new DiscoveryConfig resource. CreateDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error) // UpdateDiscoveryConfig updates an existing DiscoveryConfig resource. UpdateDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error) // UpsertDiscoveryConfig upserts a DiscoveryConfig resource. UpsertDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error) // DeleteDiscoveryConfig removes the specified DiscoveryConfig resource. DeleteDiscoveryConfig(ctx context.Context, name string) error // DeleteAllDiscoveryConfigs removes all DiscoveryConfigs. DeleteAllDiscoveryConfigs(context.Context) error }
DiscoveryConfigs defines an interface for managing DiscoveryConfigs.
type DiscoveryConfigsGetter ¶
type DiscoveryConfigsGetter interface {
	// ListDiscoveryConfigs returns a paginated list of all DiscoveryConfig resources.
	// NOTE(review): the original comment mentions an optional DiscoveryGroup
	// filter, but the signature carries no such parameter — confirm whether the
	// filtering happens elsewhere or the comment is stale.
	ListDiscoveryConfigs(ctx context.Context, pageSize int, nextToken string) ([]*discoveryconfig.DiscoveryConfig, string, error)
	// GetDiscoveryConfig returns the DiscoveryConfig resource with the given name.
	GetDiscoveryConfig(ctx context.Context, name string) (*discoveryconfig.DiscoveryConfig, error)
}
DiscoveryConfigsGetter defines methods for List/Read operations on DiscoveryConfig Resources.
type DynamicAccess ¶
type DynamicAccess interface { DynamicAccessCore // SetAccessRequestState updates the state of an existing access request. SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error // SubmitAccessReview applies a review to a request and returns the post-application state. SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error) // GetAccessRequestAllowedPromotions returns suggested access lists for the given access request. GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error) }
DynamicAccess is a service which manages dynamic RBAC. Specifically, this is the dynamic access interface implemented by remote clients.
type DynamicAccessCore ¶
type DynamicAccessCore interface { AccessRequestGetter // CreateAccessRequestV2 stores a new access request. CreateAccessRequestV2(ctx context.Context, req types.AccessRequest) (types.AccessRequest, error) // DeleteAccessRequest deletes an access request. DeleteAccessRequest(ctx context.Context, reqID string) error }
DynamicAccessCore is the core functionality common to all DynamicAccess implementations.
type DynamicAccessExt ¶
type DynamicAccessExt interface { DynamicAccessCore // CreateAccessRequest stores a new access request. CreateAccessRequest(ctx context.Context, req types.AccessRequest) error // ApplyAccessReview applies a review to a request in the backend and returns the post-application state. ApplyAccessReview(ctx context.Context, params types.AccessReviewSubmission, checker ReviewPermissionChecker) (types.AccessRequest, error) // UpsertAccessRequest creates or updates an access request. UpsertAccessRequest(ctx context.Context, req types.AccessRequest) error // DeleteAllAccessRequests deletes all existent access requests. DeleteAllAccessRequests(ctx context.Context) error // SetAccessRequestState updates the state of an existing access request. SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) (types.AccessRequest, error) // CreateAccessRequestAllowedPromotions creates a list of allowed access list promotions for the given access request. CreateAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest, accessLists *types.AccessRequestAllowedPromotions) error // GetAccessRequestAllowedPromotions returns a lists of allowed access list promotions for the given access request. GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error) }
DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.
type DynamicAccessOracle ¶
type DynamicAccessOracle interface {
	// GetAccessCapabilities answers what the dynamic access API permits for the
	// subject of req (for example which roles may be requested). Callers with
	// limited privileges cannot compute this themselves, so an implementation
	// answers with privileges the caller lacks. NOTE(review): that makes it
	// important that the implementation binds the answer to the authenticated
	// caller rather than trusting identity fields carried in req — confirm where
	// that check lives.
	GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
}
DynamicAccessOracle is a service capable of answering questions related to the dynamic access API. It is necessary because some information (e.g. the list of roles a user is allowed to request) cannot be calculated by actors with limited privileges; the oracle is therefore expected to answer with privileges its callers lack.
type Embeddings ¶
type Embeddings interface {
	// GetEmbedding looks up a single embedding by its name in the backend.
	GetEmbedding(ctx context.Context, kind, resourceID string) (*embedding.Embedding, error)
	// GetEmbeddings returns all embeddings for a given kind.
	GetEmbeddings(ctx context.Context, kind string) stream.Stream[*embedding.Embedding]
	// GetAllEmbeddings returns all embeddings regardless of kind.
	GetAllEmbeddings(ctx context.Context) stream.Stream[*embedding.Embedding]
	// UpsertEmbedding creates or updates a single ai.Embedding in the backend.
	UpsertEmbedding(ctx context.Context, embedding *embedding.Embedding) (*embedding.Embedding, error)
}
Embeddings service is responsible for storing and retrieving embeddings in the backend. The backend acts as an embedding cache. Embeddings can be re-generated by an ai.Embedder.
type EmptyResource ¶
type EmptyResource struct {
	// Kind is the resource kind.
	Kind string `json:"kind"`
	// SubKind is the resource sub kind.
	SubKind string `json:"sub_kind,omitempty"`
	// Version is the resource version.
	Version string `json:"version"`
	// Metadata is the resource metadata. (The original comment said "Role
	// metadata"; this type stands in for any resource, not only roles.)
	Metadata types.Metadata `json:"metadata"`
}
EmptyResource represents the case where no resource is specified to the rules matcher; it carries only a kind, sub kind, version and metadata.
func (*EmptyResource) CheckAndSetDefaults ¶
func (r *EmptyResource) CheckAndSetDefaults() error
func (*EmptyResource) Expiry ¶
func (r *EmptyResource) Expiry() time.Time
Expiry returns the expiry time for the object.
func (*EmptyResource) GetKind ¶
func (r *EmptyResource) GetKind() string
GetKind returns resource kind
func (*EmptyResource) GetMetadata ¶
func (r *EmptyResource) GetMetadata() types.Metadata
GetMetadata returns the resource metadata.
func (*EmptyResource) GetName ¶
func (r *EmptyResource) GetName() string
GetName gets the resource name and is a shortcut for GetMetadata().Name.
func (*EmptyResource) GetResourceID ¶
func (r *EmptyResource) GetResourceID() int64
GetResourceID returns resource ID
func (*EmptyResource) GetRevision ¶
func (r *EmptyResource) GetRevision() string
GetRevision returns the revision
func (*EmptyResource) GetSubKind ¶
func (r *EmptyResource) GetSubKind() string
GetSubKind returns resource sub kind
func (*EmptyResource) GetVersion ¶
func (r *EmptyResource) GetVersion() string
GetVersion returns resource version
func (*EmptyResource) SetExpiry ¶
func (r *EmptyResource) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object.
func (*EmptyResource) SetName ¶
func (r *EmptyResource) SetName(s string)
SetName sets the resource name and is a shortcut for SetMetadata().Name.
func (*EmptyResource) SetResourceID ¶
func (r *EmptyResource) SetResourceID(id int64)
SetResourceID sets resource ID
func (*EmptyResource) SetRevision ¶
func (r *EmptyResource) SetRevision(rev string)
SetRevision sets the revision
func (*EmptyResource) SetSubKind ¶
func (r *EmptyResource) SetSubKind(s string)
SetSubKind sets resource subkind
type EnumerationResult ¶
type EnumerationResult struct {
// contains filtered or unexported fields
}
EnumerationResult is a result of enumerating a role set against some property, e.g. allowed names or logins.
func NewEnumerationResult ¶
func NewEnumerationResult() EnumerationResult
NewEnumerationResult returns new EnumerationResult.
func (*EnumerationResult) Allowed ¶
func (result *EnumerationResult) Allowed() []string
Allowed returns all known allowed entities.
func (*EnumerationResult) Denied ¶
func (result *EnumerationResult) Denied() []string
Denied returns all explicitly denied entities.
func (*EnumerationResult) WildcardAllowed ¶
func (result *EnumerationResult) WildcardAllowed() bool
WildcardAllowed is true if the * entity is allowed for a given rule set.
func (*EnumerationResult) WildcardDenied ¶
func (result *EnumerationResult) WildcardDenied() bool
WildcardDenied is true if the * entity is denied for a given rule set.
type FanoutV2 ¶
type FanoutV2 struct {
// contains filtered or unexported fields
}
FanoutV2 is a drop-in replacement for Fanout that offers a different set of performance characteristics. It supports variable-size buffers to better accommodate large spikes in event load, but it does so at the cost of higher levels of context-switching since all readers are notified of all events as well as higher baseline memory usage due to relying on a large shared buffer.
func NewFanoutV2 ¶
func NewFanoutV2(cfg FanoutV2Config) *FanoutV2
NewFanoutV2 allocates a new fanout instance.
func (*FanoutV2) NewStream ¶
NewStream gets a new event stream. The provided context will form the basis of the stream's close context. Note that streams *must* be explicitly closed when completed in order to avoid performance issues.
func (*FanoutV2) NewWatcher ¶
type FanoutV2Config ¶
func (*FanoutV2Config) SetDefaults ¶
func (c *FanoutV2Config) SetDefaults()
type GCPServiceAccountMatcher ¶
type GCPServiceAccountMatcher struct {
	// ServiceAccount is a GCP service account to match, e.g.
	// teleport@example-123456.iam.gserviceaccount.com.
	// It can also be the wildcard *, but the wildcard is only respected for
	// Deny rules: listing * in an Allow rule does not grant every service
	// account.
	ServiceAccount string
}
GCPServiceAccountMatcher matches a role against GCP service account.
func (*GCPServiceAccountMatcher) Match ¶
func (m *GCPServiceAccountMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches GCP ServiceAccount against provided role and condition.
func (*GCPServiceAccountMatcher) String ¶
func (m *GCPServiceAccountMatcher) String() string
String returns the matcher's string representation.
type GithubAuthConverter ¶
type GithubAuthConverter func(types.GithubConnector) (*types.GithubConnectorV3, error)
GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.
type GithubAuthCreator ¶
type GithubAuthCreator func(string, types.GithubConnectorSpecV3) (types.GithubConnector, error)
GithubAuthCreator creates a new GitHub connector.
type GithubAuthInitializer ¶
type GithubAuthInitializer func(types.GithubConnector) (types.GithubConnector, error)
GithubAuthInitializer initializes a GitHub auth connector.
type HeadlessAuthenticationService ¶
type HeadlessAuthenticationService interface { // GetHeadlessAuthentication gets a headless authentication. GetHeadlessAuthentication(ctx context.Context, username, name string) (*types.HeadlessAuthentication, error) // GetHeadlessAuthentications gets all headless authentications. GetHeadlessAuthentications(ctx context.Context) ([]*types.HeadlessAuthentication, error) // UpsertHeadlessAuthentication upserts a headless authentication. UpsertHeadlessAuthentication(ctx context.Context, ha *types.HeadlessAuthentication) error // CompareAndSwapHeadlessAuthentication performs a compare // and swap replacement on a headless authentication resource. CompareAndSwapHeadlessAuthentication(ctx context.Context, old, new *types.HeadlessAuthentication) (*types.HeadlessAuthentication, error) // DeleteHeadlessAuthentication deletes a headless authentication from the backend. DeleteHeadlessAuthentication(ctx context.Context, username, name string) error // DeleteAllHeadlessAuthentications deletes all headless authentications from the backend. DeleteAllHeadlessAuthentications(ctx context.Context) error }
HeadlessAuthenticationService is responsible for headless authentication resource management
type HostCertContext ¶
type HostCertContext struct { // HostID is the host ID in the cert request. HostID string `json:"host_id"` // NodeName is the node name in the cert request. NodeName string `json:"node_name"` // Principals is the list of requested certificate principals. Principals []string `json:"principals"` // ClusterName is the name of the cluster for which the certificate should // be issued. ClusterName string `json:"cluster_name"` // Role is the name of the Teleport role for which the cert should be // issued. Role types.SystemRole `json:"role"` // TTL is the requested certificate TTL. TTL time.Duration `json:"ttl"` }
HostCertContext is used to evaluate the `where` condition on a `host_cert` pseudo-resource. These resources only exist for RBAC purposes and do not exist in the database.
type HostCertParams ¶
type HostCertParams struct { // CASigner is the signer that will sign the public key of the host with the CA private key. CASigner ssh.Signer // PublicHostKey is the public key of the host PublicHostKey []byte // HostID is used by Teleport to uniquely identify a node within a cluster HostID string // Principals is a list of additional principals to add to the certificate. Principals []string // NodeName is the DNS name of the node NodeName string // ClusterName is the name of the cluster within which a node lives ClusterName string // Role identifies the role of a Teleport instance Role types.SystemRole // TTL defines how long a certificate is valid for TTL time.Duration }
HostCertParams defines all parameters needed to generate a host certificate
func (HostCertParams) Check ¶
func (c HostCertParams) Check() error
Check checks parameters for errors
type HostUsersInfo ¶
type HostUsersInfo struct { // Groups is the list of groups to include host users in Groups []string // Mode determines if a host user should be deleted after a session // ends or not. Mode types.CreateHostUserMode // UID is the UID that the host user will be created with UID string // GID is the GID that the host user will be created with GID string }
HostUsersInfo keeps information about the groups, creation mode (whether the host user is deleted after the session ends) and UID/GID for a particular host user; it carries no sudoers entries itself.
type Identity ¶
type Identity interface {
	// CreateUser creates user, only if the user entry does not exist
	CreateUser(ctx context.Context, user types.User) (types.User, error)
	// UsersService implements most methods
	UsersService
	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error
	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)
	// DeleteUserLoginAttempts removes all login attempts of a user. Should be
	// called after successful login.
	DeleteUserLoginAttempts(user string) error
	// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity.
	// NOTE(review): if more than one user carries the same external identity the
	// first match wins; callers that rely on a one-to-one mapping should confirm
	// the backend enforces it.
	GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error)
	// GetUserBySAMLIdentity returns a user by its specified SAML Identity, returns first
	// user specified with this identity (same first-match caveat as
	// GetUserByOIDCIdentity).
	GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error)
	// GetUserByGithubIdentity returns a user by its specified Github identity
	GetUserByGithubIdentity(id types.ExternalIdentity) (types.User, error)
	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error
	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)
	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid. This is the replay protection for
	// TOTP: the last accepted code is recorded so a repeat presentation within
	// its validity window is rejected.
	UpsertUsedTOTPToken(user string, otpToken string) error
	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)
	// UpsertPassword upserts a new password for the user.
	// NOTE(review): the original comment said "and OTP token", but the
	// signature takes only the password — confirm the comment was stale.
	UpsertPassword(user string, password []byte) error
	// UpsertWebauthnLocalAuth creates or updates the local auth configuration for
	// Webauthn.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	// Automatically indexes the WebAuthn user ID for lookup by
	// GetTeleportUserByWebauthnID.
	UpsertWebauthnLocalAuth(ctx context.Context, user string, wla *types.WebauthnLocalAuth) error
	// GetWebauthnLocalAuth retrieves the existing local auth configuration for
	// Webauthn, if any.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	GetWebauthnLocalAuth(ctx context.Context, user string) (*types.WebauthnLocalAuth, error)
	// GetTeleportUserByWebauthnID reads a Teleport username from a WebAuthn user
	// ID (aka user handle).
	// See UpsertWebauthnLocalAuth and types.WebauthnLocalAuth.
	GetTeleportUserByWebauthnID(ctx context.Context, webID []byte) (string, error)
	// UpsertWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication or
	// registration challenge.
	// Session data is expected to expire according to backend settings.
	UpsertWebauthnSessionData(ctx context.Context, user, sessionID string, sd *wantypes.SessionData) error
	// GetWebauthnSessionData retrieves a previously-stored session data by ID,
	// if it exists and has not expired.
	GetWebauthnSessionData(ctx context.Context, user, sessionID string) (*wantypes.SessionData, error)
	// DeleteWebauthnSessionData deletes session data by ID, if it exists and has
	// not expired.
	DeleteWebauthnSessionData(ctx context.Context, user, sessionID string) error
	// UpsertGlobalWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication challenge.
	// Session data is expected to expire according to backend settings.
	// Used for passwordless challenges, which have no user to key the data by;
	// scope and id identify the challenge instead.
	UpsertGlobalWebauthnSessionData(ctx context.Context, scope, id string, sd *wantypes.SessionData) error
	// GetGlobalWebauthnSessionData retrieves previously-stored session data by ID,
	// if it exists and has not expired.
	// Used for passwordless challenges.
	GetGlobalWebauthnSessionData(ctx context.Context, scope, id string) (*wantypes.SessionData, error)
	// DeleteGlobalWebauthnSessionData deletes session data by ID, if it exists
	// and has not expired.
	DeleteGlobalWebauthnSessionData(ctx context.Context, scope, id string) error
	// UpsertMFADevice upserts an MFA device for the user.
	UpsertMFADevice(ctx context.Context, user string, d *types.MFADevice) error
	// GetMFADevices gets all MFA devices for the user. With withSecrets set the
	// devices are returned with their secret material, so that mode belongs in
	// privileged auth-server internals only.
	GetMFADevices(ctx context.Context, user string, withSecrets bool) ([]*types.MFADevice, error)
	// DeleteMFADevice deletes an MFA device for the user by ID.
	DeleteMFADevice(ctx context.Context, user, id string) error
	// CreateOIDCConnector creates a new OIDC connector.
	CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
	// UpdateOIDCConnector updates an existing OIDC connector.
	UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
	// UpsertOIDCConnector updates or creates an OIDC connector.
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(ctx context.Context, connectorID string) error
	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
	// GetOIDCConnectors returns valid registered connectors, withSecrets adds or removes client secret from return
	// results. Invalid Connectors are simply logged but errors are not forwarded.
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest, ttl time.Duration) error
	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error)
	// CreateSAMLConnector creates a new SAML connector.
	CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
	// UpdateSAMLConnector updates an existing SAML connector
	UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
	// UpsertSAMLConnector updates or creates a SAML connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
	// DeleteSAMLConnector deletes a SAML Connector
	DeleteSAMLConnector(ctx context.Context, connectorID string) error
	// GetSAMLConnector returns SAML connector data, withSecrets adds or removes secrets from return results
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
	// GetSAMLConnectors returns valid registered connectors, withSecrets adds or removes secret from return results.
	// Invalid Connectors are simply logged but errors are not forwarded.
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
	// CreateSAMLAuthRequest creates new auth request
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest, ttl time.Duration) error
	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)
	// CreateSSODiagnosticInfo creates new SSO diagnostic info record.
	CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error
	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
	// CreateGithubConnector creates a new Github connector.
	CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
	// UpdateGithubConnector updates an existing Github connector.
	UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
	// UpsertGithubConnector creates or updates a Github connector.
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
	// GetGithubConnectors returns valid Github connectors, invalid Connectors are simply logged but errors are not forwarded.
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
	// GetGithubConnector returns a Github connector by its name
	GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)
	// DeleteGithubConnector deletes a Github connector by its name
	DeleteGithubConnector(ctx context.Context, name string) error
	// CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) error
	// GetGithubAuthRequest retrieves Github auth request by the token
	GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)
	// CreateUserToken creates a new user token.
	CreateUserToken(ctx context.Context, token types.UserToken) (types.UserToken, error)
	// DeleteUserToken deletes a user token.
	DeleteUserToken(ctx context.Context, tokenID string) error
	// GetUserTokens returns all user tokens.
	GetUserTokens(ctx context.Context) ([]types.UserToken, error)
	// GetUserToken returns a user token by id.
	GetUserToken(ctx context.Context, tokenID string) (types.UserToken, error)
	// UpsertUserTokenSecrets upserts a user token's secrets.
	UpsertUserTokenSecrets(ctx context.Context, secrets types.UserTokenSecrets) error
	// GetUserTokenSecrets returns a user token's secrets.
	GetUserTokenSecrets(ctx context.Context, tokenID string) (types.UserTokenSecrets, error)
	// UpsertRecoveryCodes upserts a user's new recovery codes.
	UpsertRecoveryCodes(ctx context.Context, user string, recovery *types.RecoveryCodesV1) error
	// GetRecoveryCodes gets a user's recovery codes. As with the connector
	// getters, withSecrets controls whether the secret material is returned.
	GetRecoveryCodes(ctx context.Context, user string, withSecrets bool) (*types.RecoveryCodesV1, error)
	// UpsertKeyAttestationData upserts a verified public key attestation response.
	// The attestation is expected to have been verified before it is stored; the
	// backend only caches the result for ttl.
	UpsertKeyAttestationData(ctx context.Context, attestationData *keys.AttestationData, ttl time.Duration) error
	// GetKeyAttestationData gets a verified public key attestation response,
	// keyed by the DER encoding of the public key.
	GetKeyAttestationData(ctx context.Context, pubDer []byte) (*keys.AttestationData, error)
	HeadlessAuthenticationService
	types.WebSessionsGetter
	types.WebTokensGetter
	// AppSession defines application session features.
	AppSession
	// SnowflakeSession defines Snowflake session features.
	SnowflakeSession
	// SAMLIdPSession defines SAML IdP session features.
	SAMLIdPSession
}
Identity is responsible for managing user entries and external identities, together with local authentication secrets (password hashes, MFA devices, WebAuthn data, recovery codes, used TOTP tokens) and SSO connectors. Methods that take a withSecrets flag return credential material when it is set, so those calls belong in privileged auth-server internals.
type ImplicitAccessListError ¶
type ImplicitAccessListError struct{}
ImplicitAccessListError indicates that an operation that only makes sense for AccessLists with an explicit Member list has been attempted on an implicit-membership AccessList.
func (ImplicitAccessListError) Error ¶
func (ImplicitAccessListError) Error() string
Error implements the `error` interface for ImplicitAccessListError
type Integrations ¶
type Integrations interface { IntegrationsGetter // CreateIntegration creates a new integration resource. CreateIntegration(context.Context, types.Integration) (types.Integration, error) // UpdateIntegration updates an existing integration resource. UpdateIntegration(context.Context, types.Integration) (types.Integration, error) // DeleteIntegration removes the specified integration resource. DeleteIntegration(ctx context.Context, name string) error // DeleteAllIntegrations removes all integrations. DeleteAllIntegrations(context.Context) error }
Integrations defines an interface for managing Integrations.
type IntegrationsGetter ¶
type IntegrationsGetter interface { // ListIntegrations returns a paginated list of all integration resources. ListIntegrations(ctx context.Context, pageSize int, nextToken string) ([]types.Integration, string, error) // GetIntegration returns the specified integration resources. GetIntegration(ctx context.Context, name string) (types.Integration, error) }
IntegrationsGetter defines methods for List/Read operations on Integration Resources.
type IntegrationsTokenGenerator ¶
type IntegrationsTokenGenerator interface {
	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC
	// Integration action. NOTE(review): the returned string is presumably a
	// bearer credential presented to AWS — treat it as a secret and keep it out
	// of logs; confirm its lifetime and audience in the implementation.
	GenerateAWSOIDCToken(ctx context.Context) (string, error)
}
IntegrationsTokenGenerator defines methods to generate tokens for Integrations.
type Inventory ¶
type Inventory interface { // GetInstances iterates the full teleport server inventory. GetInstances(ctx context.Context, req types.InstanceFilter) stream.Stream[types.Instance] }
Inventory is a subset of Presence dedicated to tracking the status of all teleport instances independent of any specific service.
NOTE: the instance resource scales linearly with cluster size and is not cached in a traditional manner. As such, it should not be accessed as part of the "hot path" of any normal request.
type InventoryInternal ¶
type InventoryInternal interface { Inventory // UpsertInstance creates or updates an instance resource. UpsertInstance(ctx context.Context, instance types.Instance) error }
InventoryInternal is a subset of the PresenceInternal interface that extends inventory functionality with auth-specific internal methods.
type KubeClusterWatcher ¶
type KubeClusterWatcher struct {
// contains filtered or unexported fields
}
KubeClusterWatcher is built on top of resourceWatcher to monitor kube_cluster resources.
func NewKubeClusterWatcher ¶
func NewKubeClusterWatcher(ctx context.Context, cfg KubeClusterWatcherConfig) (*KubeClusterWatcher, error)
NewKubeClusterWatcher returns a new instance of KubeClusterWatcher.
func (KubeClusterWatcher) Close ¶
func (p KubeClusterWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (KubeClusterWatcher) Done ¶
func (p KubeClusterWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (KubeClusterWatcher) IsInitialized ¶
func (p KubeClusterWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (KubeClusterWatcher) WaitInitialization ¶
func (p KubeClusterWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type KubeClusterWatcherConfig ¶
type KubeClusterWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // KubernetesGetter is responsible for fetching kube_cluster resources. KubernetesClusterGetter // KubeClustersC receives up-to-date list of all kube_cluster resources. KubeClustersC chan types.KubeClusters }
KubeClusterWatcherConfig is a KubeClusterWatcher configuration.
func (*KubeClusterWatcherConfig) CheckAndSetDefaults ¶
func (cfg *KubeClusterWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type KubeResourcesMatcher ¶
type KubeResourcesMatcher struct {
// contains filtered or unexported fields
}
KubeResourcesMatcher matches a role against any Kubernetes Resource specified. It also keeps track of the resources that did not match any of user's roles and that shouldn't be included in the resource ids because the user is not allowed to request them.
func NewKubeResourcesMatcher ¶
func NewKubeResourcesMatcher(resources []types.KubernetesResource) *KubeResourcesMatcher
NewKubeResourcesMatcher creates a new KubeResourcesMatcher matcher that matches a role against any Kubernetes Resource specified. It also keeps track of the resources that did not match any of user's roles and that shouldn't be included in the resource ids because the user is not allowed to request them.
func (*KubeResourcesMatcher) Match ¶
func (m *KubeResourcesMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches a Kubernetes resource against provided role and condition.
func (*KubeResourcesMatcher) String ¶
func (m *KubeResourcesMatcher) String() string
String returns the matcher's string representation.
func (*KubeResourcesMatcher) Unmatched ¶
func (m *KubeResourcesMatcher) Unmatched() []string
Unmatched returns the requested Kubernetes resources that did not match any `search_as_roles` kubernetes resources.
type KubeServerWatcher ¶
type KubeServerWatcher struct {
// contains filtered or unexported fields
}
KubeServerWatcher is built on top of resourceWatcher to monitor kube_server resources.
func NewKubeServerWatcher ¶
func NewKubeServerWatcher(ctx context.Context, cfg KubeServerWatcherConfig) (*KubeServerWatcher, error)
NewKubeServerWatcher returns a new instance of KubeServerWatcher.
func (KubeServerWatcher) Close ¶
func (p KubeServerWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (KubeServerWatcher) Done ¶
func (p KubeServerWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (*KubeServerWatcher) GetKubeServersByClusterName ¶
func (k *KubeServerWatcher) GetKubeServersByClusterName(ctx context.Context, clusterName string) ([]types.KubeServer, error)
GetKubeServersByClusterName returns a list of kubernetes servers for the specified cluster.
func (*KubeServerWatcher) GetKubernetesServers ¶
func (k *KubeServerWatcher) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
GetKubernetesServers returns a list of kubernetes servers for all clusters.
func (KubeServerWatcher) IsInitialized ¶
func (p KubeServerWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (KubeServerWatcher) WaitInitialization ¶
func (p KubeServerWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type KubeServerWatcherConfig ¶
type KubeServerWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // KubernetesServerGetter is responsible for fetching kube_server resources. KubernetesServerGetter }
KubeServerWatcherConfig is a KubeServerWatcher configuration.
func (*KubeServerWatcherConfig) CheckAndSetDefaults ¶
func (cfg *KubeServerWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Kubernetes ¶
type Kubernetes interface { // KubernetesGetter provides methods for fetching kubernetes resources. KubernetesClusterGetter // CreateKubernetesCluster creates a new kubernetes cluster resource. CreateKubernetesCluster(context.Context, types.KubeCluster) error // UpdateKubernetesCluster updates an existing kubernetes cluster resource. UpdateKubernetesCluster(context.Context, types.KubeCluster) error // DeleteKubernetesCluster removes the specified kubernetes cluster resource. DeleteKubernetesCluster(ctx context.Context, name string) error // DeleteAllKubernetesClusters removes all kubernetes resources. DeleteAllKubernetesClusters(context.Context) error }
Kubernetes defines an interface for managing kubernetes clusters resources.
type KubernetesClusterGetter ¶
type KubernetesClusterGetter interface { // GetKubernetesClusters returns all kubernetes cluster resources. GetKubernetesClusters(context.Context) ([]types.KubeCluster, error) // GetKubernetesCluster returns the specified kubernetes cluster resource. GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error) }
KubernetesClusterGetter defines interface for fetching kubernetes cluster resources.
type KubernetesResourceMatcher ¶
type KubernetesResourceMatcher struct {
// contains filtered or unexported fields
}
KubernetesResourceMatcher matches a role against a Kubernetes Resource. Kind must be strictly equal, but namespace and name allow wildcards.
func NewKubernetesResourceMatcher ¶
func NewKubernetesResourceMatcher(resource types.KubernetesResource) *KubernetesResourceMatcher
NewKubernetesResourceMatcher creates a KubernetesResourceMatcher that checks whether the role's KubeResources match the specified condition.
func (*KubernetesResourceMatcher) Match ¶
func (m *KubernetesResourceMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches a Kubernetes Resource against provided role and condition.
func (*KubernetesResourceMatcher) String ¶
func (m *KubernetesResourceMatcher) String() string
String returns the matcher's string representation.
type KubernetesServerGetter ¶
type KubernetesServerGetter interface { // GetKubernetesServers returns all kubernetes server resources. GetKubernetesServers(context.Context) ([]types.KubeServer, error) }
KubernetesServerGetter defines interface for fetching kubernetes server resources.
type LabelGetter ¶
type LabelGetter interface { GetLabel(key string) (value string, ok bool) GetAllLabels() map[string]string }
LabelGetter allows retrieving a particular label by name or retrieving all labels at once. Prefer to use GetLabel when possible to avoid unnecessary copies.
type LockGetter ¶
type LockGetter interface { // GetLock gets a lock by name. GetLock(ctx context.Context, name string) (types.Lock, error) // GetLocks gets all/in-force locks that match at least one of the targets when specified. GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error) }
LockGetter is a service that gets locks.
type LockWatcher ¶
type LockWatcher struct {
// contains filtered or unexported fields
}
LockWatcher is built on top of resourceWatcher to monitor changes to locks.
func NewLockWatcher ¶
func NewLockWatcher(ctx context.Context, cfg LockWatcherConfig) (*LockWatcher, error)
NewLockWatcher returns a new instance of LockWatcher.
func (LockWatcher) CheckLockInForce ¶
func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
CheckLockInForce returns an AccessDenied error if there is a lock in force matching at least one of the targets.
func (LockWatcher) Close ¶
func (p LockWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (LockWatcher) Done ¶
func (p LockWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (LockWatcher) GetCurrent ¶
GetCurrent returns the currently stored locks.
func (LockWatcher) IsInitialized ¶
func (p LockWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (LockWatcher) IsStale ¶
func (p LockWatcher) IsStale() bool
IsStale is used to check whether the lock watcher is stale. Used in tests.
func (LockWatcher) Subscribe ¶
func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)
Subscribe is used to subscribe to the lock updates.
func (LockWatcher) WaitInitialization ¶
func (p LockWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type LockWatcherConfig ¶
type LockWatcherConfig struct { ResourceWatcherConfig LockGetter }
LockWatcherConfig is a LockWatcher configuration.
func (*LockWatcherConfig) CheckAndSetDefaults ¶
func (cfg *LockWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type LogAction ¶
type LogAction struct {
// contains filtered or unexported fields
}
LogAction represents an action that emits a log entry when it is specified in the actions of a matched rule.
type LoginAttempt ¶
type LoginAttempt struct { // Time is time of the attempt Time time.Time `json:"time"` // Success indicates whether attempt was successful Success bool `json:"bool"` }
LoginAttempt represents a successful or unsuccessful attempt by a user to log in.
type MFARequired ¶
type MFARequired string
MFARequired determines when MFA is required for a user to access a resource.
const ( // MFARequiredNever means that MFA is never required for any sessions started by this user. This either // means both the cluster auth preference and all roles have per-session MFA off, or at least one of // those resources has "require_session_mfa: hardware_key_touch", which overrides per-session MFA. MFARequiredNever MFARequired = "never" // MFARequiredAlways means that MFA is required for all sessions started by a user. This either // means that the cluster auth preference requires per-session MFA, or all of the user's roles require // per-session MFA MFARequiredAlways MFARequired = "always" // MFARequiredPerRole means that MFA requirement is based on which of the user's roles // provides access to the session in question. MFARequiredPerRole MFARequired = "per-role" )
type MarshalConfig ¶
type MarshalConfig struct { // Version specifies a particular version we should marshal resources with Version string // ID is a record ID to assign ID int64 // Revision of the resource to assign. Revision string // PreserveResourceID preserves resource IDs in resource // specs when marshaling PreserveResourceID bool // Expires is an optional expiry time Expires time.Time }
MarshalConfig specifies marshaling options
func CollectOptions ¶
func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)
CollectOptions collects all options from the functional arguments and returns the resulting config.
func (*MarshalConfig) GetVersion ¶
func (m *MarshalConfig) GetVersion() string
GetVersion returns the explicitly provided version, or sets and returns the latest version as the default.
type MarshalOption ¶
type MarshalOption func(c *MarshalConfig) error
MarshalOption sets marshaling option
func AddOptions ¶
func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption
AddOptions adds marshal options and returns a new copy
func PreserveResourceID ¶
func PreserveResourceID() MarshalOption
PreserveResourceID preserves resource ID when marshaling value
func WithExpires ¶
func WithExpires(expires time.Time) MarshalOption
WithExpires assigns expiry value
func WithResourceID ¶
func WithResourceID(id int64) MarshalOption
WithResourceID assigns ID to the resource
func WithRevision ¶
func WithRevision(rev string) MarshalOption
WithRevision assigns Revision to the resource
type MatchResourceFilter ¶
type MatchResourceFilter struct { // ResourceKind is the resource kind and is used to fine tune the filtering. ResourceKind string // Labels are the labels to match. Labels map[string]string // SearchKeywords is a list of search keywords to match. SearchKeywords []string // PredicateExpression holds boolean conditions that must be matched. PredicateExpression string // Kinds is a list of resourceKinds to be used when doing a unified resource query. // It will filter out any kind not present in the list. If the list is not present or empty // then all kinds are valid and will be returned (still subject to other included filters) Kinds []string }
MatchResourceFilter holds the filter values to match against a resource.
func (*MatchResourceFilter) IsSimple ¶
func (m *MatchResourceFilter) IsSimple() bool
IsSimple is used to short-circuit matching when a filter doesn't specify anything more specific than resource kind.
type Node ¶
type Node interface { // ResourceWithLabels provides common resource headers types.ResourceWithLabels // GetTeleportVersion returns the teleport version the server is running on GetTeleportVersion() string // GetAddr return server address GetAddr() string // GetPublicAddrs returns all public addresses where this server can be reached. GetPublicAddrs() []string // GetHostname returns server hostname GetHostname() string // GetNamespace returns server namespace GetNamespace() string // GetCmdLabels gets command labels GetCmdLabels() map[string]types.CommandLabel // GetRotation gets the state of certificate authority rotation. GetRotation() types.Rotation // GetUseTunnel gets if a reverse tunnel should be used to connect to this node. GetUseTunnel() bool // GetProxyIDs returns a list of proxy ids this server is connected to. GetProxyIDs() []string }
Node is a readonly subset of the types.Server interface which users may filter by in GetNodes.
type NodeWatcher ¶
type NodeWatcher struct {
// contains filtered or unexported fields
}
NodeWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of nodes.
func NewNodeWatcher ¶
func NewNodeWatcher(ctx context.Context, cfg NodeWatcherConfig) (*NodeWatcher, error)
NewNodeWatcher returns a new instance of NodeWatcher.
func (NodeWatcher) Close ¶
func (p NodeWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (NodeWatcher) Done ¶
func (p NodeWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (NodeWatcher) GetNodes ¶
GetNodes allows callers to retrieve a subset of nodes that match the filter provided. The returned servers are a copy and can be safely modified. It is intentionally hard to retrieve the full set of nodes to reduce the number of copies needed since the number of nodes can get quite large and doing so can be expensive.
func (NodeWatcher) IsInitialized ¶
func (p NodeWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (NodeWatcher) WaitInitialization ¶
func (p NodeWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type NodeWatcherConfig ¶
type NodeWatcherConfig struct { ResourceWatcherConfig // NodesGetter is used to directly fetch the list of active nodes. NodesGetter }
NodeWatcherConfig is a NodeWatcher configuration.
func (*NodeWatcherConfig) CheckAndSetDefaults ¶
func (cfg *NodeWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type NodesGetter ¶
type NodesGetter interface { // GetNodes returns a list of registered servers. GetNodes(ctx context.Context, namespace string) ([]types.Server, error) }
NodesGetter is a service that gets nodes.
type NodesStreamGetter ¶
type NodesStreamGetter interface { // GetNodeStream returns a list of registered servers. GetNodeStream(ctx context.Context, namespace string) stream.Stream[types.Server] }
NodesStreamGetter is a service that gets nodes.
type Okta ¶
type Okta interface { OktaImportRules OktaAssignments }
Okta is an Okta interface for both the rules and assignments.
type OktaAssignmentWatcher ¶
type OktaAssignmentWatcher struct {
// contains filtered or unexported fields
}
OktaAssignmentWatcher is built on top of resourceWatcher to monitor Okta assignment resources.
func NewOktaAssignmentWatcher ¶
func NewOktaAssignmentWatcher(ctx context.Context, cfg OktaAssignmentWatcherConfig) (*OktaAssignmentWatcher, error)
NewOktaAssignmentWatcher returns a new instance of OktaAssignmentWatcher. The context here will be used to exit early from the resource watcher if needed.
func (*OktaAssignmentWatcher) Close ¶
func (o *OktaAssignmentWatcher) Close()
Close closes the underlying resource watcher.
func (*OktaAssignmentWatcher) CollectorChan ¶
func (o *OktaAssignmentWatcher) CollectorChan() chan types.OktaAssignments
CollectorChan is the channel that collects the Okta assignments.
func (*OktaAssignmentWatcher) Done ¶
func (o *OktaAssignmentWatcher) Done() <-chan struct{}
Done returns the channel that signals watcher closure.
type OktaAssignmentWatcherConfig ¶
type OktaAssignmentWatcherConfig struct { // RWCfg is the resource watcher configuration. RWCfg ResourceWatcherConfig // OktaAssignments is responsible for fetching Okta assignments. OktaAssignments OktaAssignmentsGetter // PageSize is the number of Okta assignments to list at a time. PageSize int // OktaAssignmentsC receives up-to-date list of all Okta assignment resources. OktaAssignmentsC chan types.OktaAssignments }
OktaAssignmentWatcherConfig is a OktaAssignmentWatcher configuration.
func (*OktaAssignmentWatcherConfig) CheckAndSetDefaults ¶
func (cfg *OktaAssignmentWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type OktaAssignments ¶
type OktaAssignments interface { OktaAssignmentsGetter // CreateOktaAssignment creates a new Okta assignment resource. CreateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error) // UpdateOktaAssignment updates an existing Okta assignment resource. UpdateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error) // UpdateOktaAssignmentStatus will update the status for an Okta assignment if the given time has passed // since the last transition. UpdateOktaAssignmentStatus(ctx context.Context, name, status string, timeHasPassed time.Duration) error // DeleteOktaAssignment removes the specified Okta assignment resource. DeleteOktaAssignment(ctx context.Context, name string) error // DeleteAllOktaAssignments removes all Okta assignments. DeleteAllOktaAssignments(context.Context) error }
OktaAssignments defines an interface for managing OktaAssignments.
type OktaAssignmentsGetter ¶
type OktaAssignmentsGetter interface { // ListOktaAssignments returns a paginated list of all Okta assignment resources. ListOktaAssignments(context.Context, int, string) ([]types.OktaAssignment, string, error) // GetOktaAssignment returns the specified Okta assignment resources. GetOktaAssignment(ctx context.Context, name string) (types.OktaAssignment, error) }
OktaAssignmentsGetter defines an interface for reading OktaAssignments.
type OktaImportRules ¶
type OktaImportRules interface { // ListOktaImportRules returns a paginated list of all Okta import rule resources. ListOktaImportRules(context.Context, int, string) ([]types.OktaImportRule, string, error) // GetOktaImportRule returns the specified Okta import rule resources. GetOktaImportRule(ctx context.Context, name string) (types.OktaImportRule, error) // CreateOktaImportRule creates a new Okta import rule resource. CreateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error) // UpdateOktaImportRule updates an existing Okta import rule resource. UpdateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error) // DeleteOktaImportRule removes the specified Okta import rule resource. DeleteOktaImportRule(ctx context.Context, name string) error // DeleteAllOktaImportRules removes all Okta import rules. DeleteAllOktaImportRules(context.Context) error }
OktaImportRules defines an interface for managing OktaImportRules.
type PluginData ¶
type PluginData interface { PluginDataGetter // UpdatePluginData updates a per-resource PluginData entry. UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error }
PluginData defines the interface for managing plugin data.
type PluginDataGetter ¶
type PluginDataGetter interface { // GetPluginData loads all plugin data matching the supplied filter. GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error) }
PluginDataGetter defines the interface for getting plugin data.
type PluginStaticCredentials ¶
type PluginStaticCredentials interface { // CreatePluginStaticCredentials will create a new plugin static credentials resource. CreatePluginStaticCredentials(ctx context.Context, pluginStaticCredentials types.PluginStaticCredentials) error // GetPluginStaticCredentials will get a plugin static credentials resource by name. GetPluginStaticCredentials(ctx context.Context, name string) (types.PluginStaticCredentials, error) // GetPluginStaticCredentialsByLabels will get a list of plugin static credentials resource by matching labels. GetPluginStaticCredentialsByLabels(ctx context.Context, labels map[string]string) ([]types.PluginStaticCredentials, error) // DeletePluginStaticCredentials will delete a plugin static credentials resource. DeletePluginStaticCredentials(ctx context.Context, name string) error }
PluginStaticCredentials is the plugin static credentials service
type Plugins ¶
type Plugins interface { CreatePlugin(ctx context.Context, plugin types.Plugin) error DeleteAllPlugins(ctx context.Context) error DeletePlugin(ctx context.Context, name string) error GetPlugin(ctx context.Context, name string, withSecrets bool) (types.Plugin, error) GetPlugins(ctx context.Context, withSecrets bool) ([]types.Plugin, error) ListPlugins(ctx context.Context, limit int, startKey string, withSecrets bool) ([]types.Plugin, string, error) HasPluginType(ctx context.Context, pluginType types.PluginType) (bool, error) SetPluginCredentials(ctx context.Context, name string, creds types.PluginCredentials) error SetPluginStatus(ctx context.Context, name string, creds types.PluginStatus) error }
Plugins is the plugin service
type Presence ¶
type Presence interface { // Inventory is a subset of Presence dedicated to tracking the status of all // teleport instances independent of any specific service. Inventory // Semaphores is responsible for semaphore handling types.Semaphores // GetNode returns a node by name and namespace. GetNode(ctx context.Context, namespace, name string) (types.Server, error) // NodesGetter gets nodes NodesGetter // DeleteAllNodes deletes all nodes in a namespace. DeleteAllNodes(ctx context.Context, namespace string) error // DeleteNode deletes node in a namespace DeleteNode(ctx context.Context, namespace, name string) error // UpsertNode registers node presence, permanently if TTL is 0 or for the // specified duration with second resolution if it's >= 1 second. UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error) // GetAuthServers returns a list of registered servers GetAuthServers() ([]types.Server, error) // UpsertAuthServer registers auth server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertAuthServer(ctx context.Context, server types.Server) error // DeleteAuthServer deletes auth server by name DeleteAuthServer(name string) error // DeleteAllAuthServers deletes all auth servers DeleteAllAuthServers() error // UpsertProxy registers proxy server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(ctx context.Context, server types.Server) error // ProxyGetter gets a list of proxies ProxyGetter // DeleteProxy deletes proxy by name DeleteProxy(ctx context.Context, name string) error // DeleteAllProxies deletes all proxies DeleteAllProxies() error // UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently UpsertReverseTunnel(tunnel types.ReverseTunnel) error // GetReverseTunnel returns reverse tunnel by name GetReverseTunnel(name string, opts ...MarshalOption) (types.ReverseTunnel, error) // 
GetReverseTunnels returns a list of registered servers GetReverseTunnels(ctx context.Context, opts ...MarshalOption) ([]types.ReverseTunnel, error) // DeleteReverseTunnel deletes reverse tunnel by it's domain name DeleteReverseTunnel(domainName string) error // DeleteAllReverseTunnels deletes all reverse tunnels DeleteAllReverseTunnels() error // GetNamespaces returns a list of namespaces GetNamespaces() ([]types.Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*types.Namespace, error) // DeleteAllNamespaces deletes all namespaces DeleteAllNamespaces() error // UpsertNamespace upserts namespace UpsertNamespace(types.Namespace) error // DeleteNamespace deletes namespace by name DeleteNamespace(name string) error // GetServerInfos returns a stream of ServerInfos. GetServerInfos(ctx context.Context) stream.Stream[types.ServerInfo] // GetServerInfo returns a ServerInfo by name. GetServerInfo(ctx context.Context, name string) (types.ServerInfo, error) // UpsertServerInfo upserts a ServerInfo. UpsertServerInfo(ctx context.Context, si types.ServerInfo) error // DeleteServerInfo deletes a ServerInfo by name. DeleteServerInfo(ctx context.Context, name string) error // DeleteAllServerInfos deletes all ServerInfos. DeleteAllServerInfos(ctx context.Context) error // UpsertTrustedCluster creates or updates a TrustedCluster in the backend. UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error) // GetTrustedCluster returns a single TrustedCluster by name. GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error) // GetTrustedClusters returns all TrustedClusters in the backend. GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error) // DeleteTrustedCluster removes a TrustedCluster from the backend by name. 
DeleteTrustedCluster(ctx context.Context, name string) error // UpsertTunnelConnection upserts tunnel connection UpsertTunnelConnection(types.TunnelConnection) error // GetTunnelConnections returns tunnel connections for a given cluster GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]types.TunnelConnection, error) // GetAllTunnelConnections returns all tunnel connections GetAllTunnelConnections(opts ...MarshalOption) ([]types.TunnelConnection, error) // DeleteTunnelConnection deletes tunnel connection by name DeleteTunnelConnection(clusterName string, connName string) error // DeleteTunnelConnections deletes all tunnel connections for cluster DeleteTunnelConnections(clusterName string) error // DeleteAllTunnelConnections deletes all tunnel connections for cluster DeleteAllTunnelConnections() error // CreateRemoteCluster creates a remote cluster CreateRemoteCluster(types.RemoteCluster) error // UpdateRemoteCluster updates a remote cluster UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error // GetRemoteClusters returns a list of remote clusters GetRemoteClusters(opts ...MarshalOption) ([]types.RemoteCluster, error) // GetRemoteCluster returns a remote cluster by name GetRemoteCluster(clusterName string) (types.RemoteCluster, error) // DeleteRemoteCluster deletes remote cluster by name DeleteRemoteCluster(ctx context.Context, clusterName string) error // DeleteAllRemoteClusters deletes all remote clusters DeleteAllRemoteClusters() error // GetApplicationServers returns all registered application servers. GetApplicationServers(context.Context, string) ([]types.AppServer, error) // UpsertApplicationServer registers an application server. UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error) // DeleteApplicationServer deletes specified application server. 
DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error // DeleteAllApplicationServers removes all registered application servers. DeleteAllApplicationServers(context.Context, string) error // GetDatabaseServers returns all registered database proxy servers. GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error) // UpsertDatabaseServer creates or updates a new database proxy server. UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error) // DeleteDatabaseServer removes the specified database proxy server. DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error // DeleteAllDatabaseServers removes all database proxy servers. DeleteAllDatabaseServers(context.Context, string) error // KeepAliveServer updates TTL of the server resource in the backend. KeepAliveServer(ctx context.Context, h types.KeepAlive) error // GetKubernetesServers returns a list of registered kubernetes servers. GetKubernetesServers(context.Context) ([]types.KubeServer, error) // DeleteKubernetesServer deletes a named kubernetes servers. DeleteKubernetesServer(ctx context.Context, hostID, name string) error // DeleteAllKubernetesServers deletes all registered kubernetes servers. DeleteAllKubernetesServers(context.Context) error // UpsertKubernetesServer registers an kubernetes server. UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error) // GetWindowsDesktopServices returns all registered Windows desktop services. GetWindowsDesktopServices(context.Context) ([]types.WindowsDesktopService, error) // GetWindowsDesktopService returns a Windows desktop service by name GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error) // UpsertWindowsDesktopService creates or updates a new Windows desktop service. 
UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error) // DeleteWindowsDesktopService removes the specified Windows desktop service. DeleteWindowsDesktopService(ctx context.Context, name string) error // DeleteAllWindowsDesktopServices removes all Windows desktop services. DeleteAllWindowsDesktopServices(context.Context) error // ListResources returns a paginated list of resources. ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error) }
Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes
type PresenceInternal ¶
type PresenceInternal interface { Presence InventoryInternal }
PresenceInternal extends the Presence interface with auth-specific internal methods.
type Provisioner ¶
type Provisioner interface { // UpsertToken adds provisioning tokens for the auth server UpsertToken(ctx context.Context, token types.ProvisionToken) error // CreateToken adds provisioning tokens for the auth server CreateToken(ctx context.Context, token types.ProvisionToken) error // GetToken finds and returns token by id GetToken(ctx context.Context, token string) (types.ProvisionToken, error) // DeleteToken deletes provisioning token // Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist DeleteToken(ctx context.Context, token string) error // DeleteAllTokens deletes all provisioning tokens DeleteAllTokens() error // GetTokens returns all non-expired tokens GetTokens(ctx context.Context) ([]types.ProvisionToken, error) }
Provisioner governs adding new nodes to the cluster
type ProxyGetter ¶
type ProxyGetter interface { // GetProxies returns a list of registered proxies. GetProxies() ([]types.Server, error) }
ProxyGetter is a service that gets proxies.
type ProxyWatcher ¶
type ProxyWatcher struct {
// contains filtered or unexported fields
}
ProxyWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of proxies.
func NewProxyWatcher ¶
func NewProxyWatcher(ctx context.Context, cfg ProxyWatcherConfig) (*ProxyWatcher, error)
NewProxyWatcher returns a new instance of ProxyWatcher.
func (ProxyWatcher) Close ¶
func (p ProxyWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (ProxyWatcher) Done ¶
func (p ProxyWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (ProxyWatcher) GetCurrent ¶
GetCurrent returns the currently stored proxies.
func (ProxyWatcher) IsInitialized ¶
func (p ProxyWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (ProxyWatcher) WaitInitialization ¶
func (p ProxyWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type ProxyWatcherConfig ¶
type ProxyWatcherConfig struct { ResourceWatcherConfig // ProxyGetter is used to directly fetch the list of active proxies. ProxyGetter // ProxyDiffer is used to decide whether a put operation on an existing proxy should // trigger a event. ProxyDiffer func(old, new types.Server) bool // ProxiesC is a channel used to report the current proxy set. It receives // a fresh list at startup and subsequently a list of all known proxies // whenever an addition or deletion is detected. ProxiesC chan []types.Server }
ProxyWatcherConfig is a ProxyWatcher configuration.
func (*ProxyWatcherConfig) CheckAndSetDefaults ¶
func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Reconciled ¶
type Reconciled interface {
GetName() string
}
Reconciled holds the common information required by any subject of the Reconciler.
type Reconciler ¶
type Reconciler[T Reconciled] struct { // contains filtered or unexported fields }
Reconciler reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.
It's used in combination with watchers by agents (app, database, desktop) to enable dynamically registered resources.
func NewReconciler ¶
func NewReconciler[T Reconciled](cfg ReconcilerConfig[T]) (*Reconciler[T], error)
NewReconciler creates a new reconciler with provided configuration.
type ReconcilerConfig ¶
type ReconcilerConfig[T Reconciled] struct { // Matcher is used to match resources. Matcher Matcher[T] // GetCurrentResources returns currently registered resources. GetCurrentResources func() map[string]T // GetNewResources returns resources to compare current resources against. GetNewResources func() map[string]T // OnCreate is called when a new resource is detected. OnCreate func(context.Context, T) error // OnUpdate is called when an existing resource is updated. OnUpdate func(ctx context.Context, new, old T) error // OnDelete is called when an existing resource is deleted. OnDelete func(context.Context, T) error // Log is the reconciler's logger. Log logrus.FieldLogger }
ReconcilerConfig is the resource reconciler configuration.
func (*ReconcilerConfig[T]) CheckAndSetDefaults ¶
func (c *ReconcilerConfig[T]) CheckAndSetDefaults() error
CheckAndSetDefaults validates the reconciler configuration and sets defaults.
type Ref ¶
Ref is a resource reference. Typically of the form kind/name, but sometimes of the form kind/subkind/name.
type Refs ¶
type Refs []Ref
Refs is a set of resource references
func ParseRefs ¶
ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")
type RequestIDs ¶
// RequestIDs is a collection of IDs for privilege escalation requests.
type RequestIDs struct {
	// AccessRequests holds the IDs of the access requests; the field is
	// omitted from JSON output when empty.
	AccessRequests []string `json:"access_requests,omitempty"`
}
RequestIDs is a collection of IDs for privilege escalation requests.
func (*RequestIDs) Check ¶
func (r *RequestIDs) Check() error
func (*RequestIDs) IsEmpty ¶
func (r *RequestIDs) IsEmpty() bool
func (*RequestIDs) Marshal ¶
func (r *RequestIDs) Marshal() ([]byte, error)
func (*RequestIDs) Unmarshal ¶
func (r *RequestIDs) Unmarshal(data []byte) error
type RequestValidator ¶
// RequestValidator is a helper for validating access requests; the Allow/Deny
// sets below are built from the user's statically assigned roles.
type RequestValidator struct {
	// Roles holds the role-request rules extracted from the user's roles.
	Roles struct {
		// AllowRequest/DenyRequest match role names that may, or may not,
		// be requested directly (consulted by CanRequestRole).
		AllowRequest, DenyRequest []parse.Matcher
		// AllowSearch/DenySearch list roles that may, or may not, be used in
		// search-based requests (consulted by CanSearchAsRole).
		AllowSearch, DenySearch []string
	}
	// Annotations holds allow/deny annotation sets; presumably the input to
	// SystemAnnotations — confirm against push().
	Annotations struct {
		Allow, Deny map[string][]string
	}
	// ThresholdMatchers pairs role matchers with the review thresholds that
	// apply to matching requested roles (assumed from field types — verify).
	ThresholdMatchers []struct {
		Matchers   []parse.Matcher
		Thresholds []types.AccessReviewThreshold
	}
	// SuggestedReviewers accumulates reviewers suggested by the user's roles.
	SuggestedReviewers []string
	// MaxDurationMatchers pairs role matchers with the maximum request
	// duration for matching roles (assumed from field types — verify).
	MaxDurationMatchers []struct {
		Matchers    []parse.Matcher
		MaxDuration time.Duration
	}
	// contains filtered or unexported fields
}
RequestValidator is a helper for validating access requests. A user's statically assigned roles are "added" to the validator via the push() method, which extracts all the relevant rules, performs variable substitutions, and builds a set of simple Allow/Deny data structures. These, in turn, are used to validate and expand the access request.
func NewRequestValidator ¶
func NewRequestValidator(ctx context.Context, clock clockwork.Clock, getter RequestValidatorGetter, username string, opts ...ValidateRequestOption) (RequestValidator, error)
NewRequestValidator configures a new RequestValidator for the specified user.
func (*RequestValidator) CanRequestRole ¶
func (m *RequestValidator) CanRequestRole(name string) bool
CanRequestRole checks if a given role can be requested.
func (*RequestValidator) CanSearchAsRole ¶
func (m *RequestValidator) CanSearchAsRole(name string) bool
CanSearchAsRole checks whether a given role can be requested through a search-based access request.
func (*RequestValidator) GetRequestableRoles ¶
func (m *RequestValidator) GetRequestableRoles() ([]string, error)
GetRequestableRoles gets the list of all existent roles which the user is able to request. This operation is expensive since it loads all existent roles in order to determine the role list. Prefer calling CanRequestRole when checking against a known role list.
func (*RequestValidator) SystemAnnotations ¶
func (m *RequestValidator) SystemAnnotations() map[string][]string
SystemAnnotations calculates the system annotations for a pending access request.
func (*RequestValidator) Validate ¶
func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest, identity tlsca.Identity) error
Validate validates an access request and potentially modifies it depending on how the validator was configured.
type RequestValidatorGetter ¶
type RequestValidatorGetter interface { UserLoginStatesGetter UserGetter RoleGetter client.ListResourcesClient GetRoles(ctx context.Context) ([]types.Role, error) GetClusterName(opts ...MarshalOption) (types.ClusterName, error) }
RequestValidatorGetter is the interface required by the request validation functions used to get necessary resources.
type ResourceAccess ¶
type ResourceGetter ¶
type ResourceGetter interface { NodesGetter DatabaseServersGetter AppServersGetter WindowsDesktopGetter KubernetesServerGetter SAMLIdpServiceProviderGetter }
ResourceGetter is an interface that provides a way to fetch all the resources that can be stored in the UnifiedResourceCache
type ResourceMarshaler ¶
type ResourceMarshaler func(types.Resource, ...MarshalOption) ([]byte, error)
ResourceMarshaler handles marshaling of a specific resource type.
type ResourceMatcher ¶
type ResourceMatcher struct { // Labels match resource labels. Labels types.Labels // AWS contains AWS specific settings. AWS ResourceMatcherAWS }
ResourceMatcher matches cluster resources.
type ResourceMatcherAWS ¶
type ResourceMatcherAWS struct { // AssumeRoleARN is the AWS role to assume for accessing the resource. AssumeRoleARN string // ExternalID is an optional AWS external ID used to enable assuming an AWS // role across accounts. ExternalID string }
ResourceMatcherAWS contains AWS specific settings.
type ResourceSeenKey ¶
type ResourceSeenKey struct {
// contains filtered or unexported fields
}
ResourceSeenKey is used as a key for a map that keeps track of unique resource names and addresses. Currently "addr" only applies to the Application resource.
type ResourceUnmarshaler ¶
type ResourceUnmarshaler func([]byte, ...MarshalOption) (types.Resource, error)
ResourceUnmarshaler handles unmarshaling of a specific resource type.
type ResourceWatcherConfig ¶
// ResourceWatcherConfig configures a resource watcher.
type ResourceWatcherConfig struct {
	// Component is a component used in logs.
	Component string
	// Log is a logger.
	Log logrus.FieldLogger
	// MaxRetryPeriod is the maximum retry period on failed watchers.
	MaxRetryPeriod time.Duration
	// Clock is used to control time.
	Clock clockwork.Clock
	// Client is used to create new watchers.
	Client types.Events
	// MaxStaleness is a maximum acceptable staleness for the locally maintained
	// resources, zero implies no staleness detection.
	// NOTE(review): with zero, a watcher that has stopped receiving events keeps
	// serving its last-known resources without bound; callers that depend on
	// fresh data should set this explicitly.
	MaxStaleness time.Duration
	// ResetC is a channel to notify of internal watcher reset (used in tests).
	ResetC chan time.Duration
	// QueueSize is an optional size for the watcher's event queue; zero
	// presumably selects the default — confirm in CheckAndSetDefaults.
	QueueSize int
}
ResourceWatcherConfig configures resource watcher.
func (*ResourceWatcherConfig) CheckAndSetDefaults ¶
func (cfg *ResourceWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Restrictions ¶
type ReviewPermissionChecker ¶
type ReviewPermissionChecker struct { UserState UserState Roles struct { // allow/deny mappings sort role matches into lists based on their // constraining predicate (where) expression. AllowReview, DenyReview map[string][]parse.Matcher } }
ReviewPermissionChecker is a helper for validating whether a user is allowed to review specific access requests.
func NewReviewPermissionChecker ¶
func NewReviewPermissionChecker( ctx context.Context, getter RequestValidatorGetter, username string, identity *tlsca.Identity, ) (ReviewPermissionChecker, error)
func (*ReviewPermissionChecker) CanReviewRequest ¶
func (c *ReviewPermissionChecker) CanReviewRequest(req types.AccessRequest) (bool, error)
CanReviewRequest checks if the user is allowed to review the specified request. Note that the ability to review a request does not necessarily imply that any specific approval/denial thresholds will actually match the user's review; matching one or more thresholds is not a prerequisite for review submission.
func (*ReviewPermissionChecker) HasAllowDirectives ¶
func (c *ReviewPermissionChecker) HasAllowDirectives() bool
HasAllowDirectives checks if any allow directives exist. A user with no allow directives will never be able to review any requests.
type RoleGetter ¶
type RoleGetter interface { // GetRole returns role by name GetRole(ctx context.Context, name string) (types.Role, error) }
RoleGetter is an interface that defines GetRole method
type RoleMatcher ¶
RoleMatcher defines an interface for a generic role matcher.
func NewDatabaseUserMatcher ¶
func NewDatabaseUserMatcher(db types.Database, user string) RoleMatcher
NewDatabaseUserMatcher creates a RoleMatcher that checks whether the role's database users match the specified condition.
func NewKubernetesClusterLabelMatcher ¶
func NewKubernetesClusterLabelMatcher(clustersLabels map[string]string, userTraits wrappers.Traits) RoleMatcher
NewKubernetesClusterLabelMatcher creates a RoleMatcher that checks whether a role's Kubernetes service labels match.
func NewLoginMatcher ¶
func NewLoginMatcher(login string) RoleMatcher
NewLoginMatcher creates a RoleMatcher that checks whether the role's logins match the specified condition.
func NewWindowsLoginMatcher ¶
func NewWindowsLoginMatcher(login string) RoleMatcher
NewWindowsLoginMatcher creates a RoleMatcher that checks whether the role's Windows desktop logins match the specified condition.
type RoleMatcherFunc ¶
RoleMatcherFunc is a convenience type for creating a role matcher from a function.
func (RoleMatcherFunc) Match ¶
func (f RoleMatcherFunc) Match(role types.Role, condition types.RoleConditionType) (bool, error)
type RoleMatchers ¶
type RoleMatchers []RoleMatcher
RoleMatchers defines a list of matchers.
func (RoleMatchers) MatchAll ¶
func (m RoleMatchers) MatchAll(role types.Role, condition types.RoleConditionType) (bool, error)
MatchAll returns true if all matchers in the set match.
func (RoleMatchers) MatchAny ¶
func (m RoleMatchers) MatchAny(role types.Role, condition types.RoleConditionType) (bool, RoleMatcher, error)
MatchAny returns true if at least one of the matchers in the set matches.
If the result is true, returns matcher that matched.
type RoleSet ¶
RoleSet is a set of roles that implements access control functionality
func FetchRoleList ¶
func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
FetchRoleList fetches roles by their names, applies the traits to role variables, and returns the list
func FetchRoles ¶
FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.
func NewRoleSet ¶
NewRoleSet returns new RoleSet based on the roles
func RoleSetFromSpec ¶
func RoleSetFromSpec(name string, spec types.RoleSpecV6) (RoleSet, error)
RoleSetFromSpec returns a new RoleSet from spec
func (RoleSet) AdjustClientIdleTimeout ¶
AdjustClientIdleTimeout reduces the requested idle timeout to the lowest maximum allowed by any role in the set: the most restrictive option is picked, and negative values are treated as 0.
func (RoleSet) AdjustDisconnectExpiredCert ¶
AdjustDisconnectExpiredCert adjusts the value based on the role set; the most restrictive option is picked.
func (RoleSet) AdjustSessionTTL ¶
AdjustSessionTTL will reduce the requested ttl to the lowest max allowed TTL for this role set, otherwise it returns ttl unchanged
func (RoleSet) CanCopyFiles ¶
CanCopyFiles returns true if the role set has enabled remote file operations via SCP or SFTP. Remote file operations are disabled if one or more of the roles in the set has disabled it.
func (RoleSet) CanForwardAgents ¶
CanForwardAgents returns true if role set allows forwarding agents.
func (RoleSet) CanImpersonateSomeone ¶
CanImpersonateSomeone returns true if this checker has any impersonation rules
func (RoleSet) CanPortForward ¶
CanPortForward returns true if a role in the RoleSet allows port forwarding.
func (RoleSet) CertificateExtensions ¶
func (set RoleSet) CertificateExtensions() []*types.CertExtension
CertificateExtensions returns the list of extensions for each role in the RoleSet
func (RoleSet) CertificateFormat ¶
CertificateFormat returns the most permissive certificate format in a RoleSet.
func (RoleSet) CheckAWSRoleARNs ¶
CheckAWSRoleARNs returns a list of AWS role ARNs this role set is allowed to assume.
func (RoleSet) CheckAccessToRule ¶
func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string) error
CheckAccessToRule checks whether the RoleSet provides access in the given namespace to the specified resource and verb, returning an error when access is denied. The signature shown takes no `silent` parameter; the reference to a `silent` flag controlling whether access violations are logged appears to be stale and should be confirmed against the implementation.
func (RoleSet) CheckAccessToSAMLIdP ¶
func (set RoleSet) CheckAccessToSAMLIdP(authPref types.AuthPreference) error
CheckAccessToSAMLIdP checks access to the SAML IdP.
func (RoleSet) CheckAgentForward ¶
CheckAgentForward checks if the role can request to forward the SSH agent for this user.
func (RoleSet) CheckAzureIdentities ¶
CheckAzureIdentities returns a list of Azure identities the user is allowed to assume.
func (RoleSet) CheckDatabaseNamesAndUsers ¶
func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)
CheckDatabaseNamesAndUsers checks if the role has any allowed database names or users.
func (RoleSet) CheckGCPServiceAccounts ¶
CheckGCPServiceAccounts returns a list of GCP service accounts this role set is allowed to assume.
func (RoleSet) CheckImpersonate ¶
func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
CheckImpersonate checks whether the current user is allowed to impersonate the given user and roles. It returns nil if this role set permits the impersonation and an AccessDenied error otherwise.
func (RoleSet) CheckImpersonateRoles ¶
func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
CheckImpersonateRoles validates that the current user can perform role-only impersonation of the given roles. Role-only impersonation requires an allow rule with roles but no users (and no user-less deny rules). All requested roles must be allowed for the check to succeed.
func (RoleSet) CheckKubeGroupsAndUsers ¶
func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)
CheckKubeGroupsAndUsers checks whether the role set can log in to Kubernetes for the given TTL and returns two lists: the allowed Kubernetes groups and the allowed Kubernetes users.
func (RoleSet) CheckLoginDuration ¶
CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.
func (RoleSet) DesktopClipboard ¶
DesktopClipboard returns true if the role set has enabled shared clipboard for desktop sessions. Clipboard sharing is disabled if one or more of the roles in the set has disabled it.
func (RoleSet) DesktopDirectorySharing ¶
DesktopDirectorySharing returns true if the role set has directory sharing enabled. This setting is disabled if one or more of the roles in the set has disabled it.
func (RoleSet) EnhancedRecordingSet ¶
EnhancedRecordingSet returns the set of enhanced session recording events to capture for this role set.
func (RoleSet) ExtractConditionForIdentifier ¶
func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
ExtractConditionForIdentifier returns a restrictive filter expression for list queries based on the rules' `where` conditions.
func (RoleSet) GetAccessState ¶
func (set RoleSet) GetAccessState(authPref types.AuthPreference) AccessState
GetAccessState returns the AccessState, setting [AccessState.MFARequired] according to the user's roles and cluster auth preference.
func (RoleSet) GetAllLogins ¶
GetAllLogins returns all valid unix logins for the RoleSet.
func (RoleSet) GetAllowedPreviewAsRoles ¶
GetAllowedPreviewAsRoles returns all PreviewAsRoles for this RoleSet.
func (RoleSet) GetAllowedSearchAsRoles ¶
GetAllowedSearchAsRoles returns all SearchAsRoles for this RoleSet.
func (RoleSet) GetCreateDatabaseUserMode ¶
func (set RoleSet) GetCreateDatabaseUserMode() types.CreateDatabaseUserMode
GetCreateDatabaseUserMode returns the create database user mode of the role set.
func (RoleSet) GetKubeResources ¶
func (set RoleSet) GetKubeResources(cluster types.KubeCluster, userTraits wrappers.Traits) (allowed, denied []types.KubernetesResource)
GetKubeResources returns allowed and denied list of Kubernetes Resources configured in the RoleSet.
func (RoleSet) GetLoginsForTTL ¶
GetLoginsForTTL collects all logins that are valid for the given TTL. The matchedTTL value indicates whether the TTL is within scope of *any* role. This helps to distinguish between TTLs which are categorically invalid, and TTLs which are theoretically valid but happen to grant no logins.
func (RoleSet) GuessIfAccessIsPossible ¶
func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string) error
GuessIfAccessIsPossible guesses if access is possible for an entire category of resources. It answers the question: "is it possible that there is a resource of this kind that the current user can access?". GuessIfAccessIsPossible is used mainly for UI decisions ("should the tab for resource X appear?"); it is not an authorization check. Most callers should use CheckAccessToRule instead.
func (RoleSet) LockingMode ¶
func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode
LockingMode returns the locking mode to apply with this RoleSet.
func (RoleSet) MaxConnections ¶
MaxConnections returns the maximum number of concurrent ssh connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.
func (RoleSet) MaxKubernetesConnections ¶
MaxKubernetesConnections returns the maximum number of concurrent Kubernetes connections allowed. If the value is zero then no maximum was defined and the number of concurrent connections is unconstrained.
func (RoleSet) MaxSessions ¶
MaxSessions returns the maximum number of concurrent ssh sessions per connection. If MaxSessions is zero then no maximum was defined and the number of sessions is unconstrained.
func (RoleSet) MaybeCanReviewRequests ¶
MaybeCanReviewRequests attempts to guess if this RoleSet belongs to a user who should be submitting access reviews. Because not all rolesets are derived from statically assigned roles, this may return false positives.
func (RoleSet) PermitX11Forwarding ¶
PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
func (RoleSet) PinSourceIP ¶
PinSourceIP determines if the role set should use source IP pinning. If one or more roles in the set requires IP pinning then it will be enabled.
func (RoleSet) PrivateKeyPolicy ¶
func (set RoleSet) PrivateKeyPolicy(authPreferencePolicy keys.PrivateKeyPolicy) (keys.PrivateKeyPolicy, error)
PrivateKeyPolicy returns the enforced private key policy for this role set.
func (RoleSet) RecordDesktopSession ¶
RecordDesktopSession returns true if the role set has enabled desktop session recording. Recording is considered enabled if at least one role in the set has enabled it.
func (RoleSet) RoleNames ¶
RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.
func (RoleSet) SessionPolicySets ¶
func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet
SessionPolicySets returns the list of SessionPolicySets for all roles.
func (RoleSet) SessionRecordingMode ¶
func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
SessionRecordingMode returns the recording mode for a specific service.
func (RoleSet) WithoutImplicit ¶
WithoutImplicit returns this role set with default implicit role filtered out.
type RotationGetter ¶
type RotationGetter func(role types.SystemRole) (*types.Rotation, error)
RotationGetter returns the rotation state.
type RuleContext ¶
type RuleContext interface { // GetIdentifier returns identifier defined in a context GetIdentifier(fields []string) (interface{}, error) // GetResource returns resource if specified in the context, // if unspecified, returns error. GetResource() (types.Resource, error) }
RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user
type RuleSet ¶
RuleSet maps resource to a set of rules defined for it
func MakeRuleSet ¶
MakeRuleSet creates a new rule set from a list
func (RuleSet) Match ¶
func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)
Match tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.
Specifying an order solves the problem of having multiple rules: for example, a single wildcard rule could otherwise override more specific rules whose 'where' sections carry 'actions' lists with side effects, and those side effects would then never be triggered.
type SAMLIdPServiceProviders ¶
type SAMLIdPServiceProviders interface { SAMLIdpServiceProviderGetter // GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resources. GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error) // CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource. CreateSAMLIdPServiceProvider(context.Context, types.SAMLIdPServiceProvider) error // UpdateSAMLIdPServiceProvider updates an existing SAML IdP service provider resource. UpdateSAMLIdPServiceProvider(context.Context, types.SAMLIdPServiceProvider) error // DeleteSAMLIdPServiceProvider removes the specified SAML IdP service provider resource. DeleteSAMLIdPServiceProvider(ctx context.Context, name string) error // DeleteAllSAMLIdPServiceProviders removes all SAML IdP service providers. DeleteAllSAMLIdPServiceProviders(context.Context) error }
SAMLIdPServiceProviders defines an interface for managing SAML IdP service providers.
type SAMLIdPSession ¶
type SAMLIdPSession interface { // GetSAMLIdPSession gets a SAML IdP session. GetSAMLIdPSession(context.Context, types.GetSAMLIdPSessionRequest) (types.WebSession, error) // ListSAMLIdPSessions gets a paginated list of SAML IdP sessions. ListSAMLIdPSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error) // UpsertSAMLIdPSession upserts a SAML IdP session. UpsertSAMLIdPSession(context.Context, types.WebSession) error // DeleteSAMLIdPSession removes a SAML IdP session. DeleteSAMLIdPSession(context.Context, types.DeleteSAMLIdPSessionRequest) error // DeleteAllSAMLIdPSessions removes all SAML IdP sessions. DeleteAllSAMLIdPSessions(context.Context) error // DeleteUserSAMLIdPSessions deletes all of a user's SAML IdP sessions. DeleteUserSAMLIdPSessions(ctx context.Context, user string) error }
SAMLIdPSession defines SAML IdP session features.
type SAMLIdpServiceProviderGetter ¶
// SAMLIdpServiceProviderGetter defines an interface for fetching SAMLIdPServiceProvider resources.
type SAMLIdpServiceProviderGetter interface {
	// ListSAMLIdPServiceProviders returns a page of at most pageSize SAML IdP
	// service providers starting at nextKey; the returned string is presumably
	// the key for the following page (empty when exhausted) — confirm in the
	// implementation.
	ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextKey string) ([]types.SAMLIdPServiceProvider, string, error)
}
SAMLIdpServiceProviderGetter defines interface for fetching SAMLIdPServiceProvider resources.
type SCIM ¶
// SCIM is an internal abstraction for the SCIM provisioning service, allowing
// clients running over gRPC and local clients to interact with the service in
// the same way.
type SCIM interface {
	// ListSCIMResources lists SCIM resources matching the request.
	ListSCIMResources(context.Context, *scimpb.ListSCIMResourcesRequest) (*scimpb.ResourceList, error)
	// GetSCIMResource returns a single SCIM resource.
	GetSCIMResource(context.Context, *scimpb.GetSCIMResourceRequest) (*scimpb.Resource, error)
	// UpdateSCIMResource updates an existing SCIM resource and returns the result.
	UpdateSCIMResource(context.Context, *scimpb.UpdateSCIMResourceRequest) (*scimpb.Resource, error)
	// CreateSCIMResource creates a new SCIM resource and returns the result.
	CreateSCIMResource(context.Context, *scimpb.CreateSCIMResourceRequest) (*scimpb.Resource, error)
}
SCIM is an internal abstraction for the SCIM provisioning service, allowing clients running over GRPC and local clients to interact with the service in the same way.
type SecReports ¶
// SecReports is the interface for the SecReports service: audit queries,
// security reports and security report states.
type SecReports interface {
	SecurityAuditQueryGetter
	// UpsertSecurityAuditQuery upserts an audit query.
	UpsertSecurityAuditQuery(ctx context.Context, in *secreports.AuditQuery) error
	// DeleteSecurityAuditQuery deletes an audit query.
	DeleteSecurityAuditQuery(ctx context.Context, name string) error
	// DeleteAllSecurityAuditQueries deletes all audit queries.
	DeleteAllSecurityAuditQueries(context.Context) error

	SecurityReportGetter
	// UpsertSecurityReport upserts a security report.
	UpsertSecurityReport(ctx context.Context, item *secreports.Report) error
	// DeleteSecurityReport deletes a security report.
	DeleteSecurityReport(ctx context.Context, name string) error
	// DeleteAllSecurityReports deletes all security reports.
	DeleteAllSecurityReports(context.Context) error

	SecurityReportStateGetter
	// UpsertSecurityReportsState upserts a security report state.
	UpsertSecurityReportsState(ctx context.Context, item *secreports.ReportState) error
	// DeleteSecurityReportsState deletes the security report state with the given name.
	DeleteSecurityReportsState(ctx context.Context, name string) error
	// DeleteAllSecurityReportsStates deletes all security report states.
	DeleteAllSecurityReportsStates(context.Context) error
}
SecReports is the interface for the SecReports service.
type SecurityAuditQueryGetter ¶
type SecurityAuditQueryGetter interface { // GetSecurityAuditQuery returns an audit query. GetSecurityAuditQuery(ctx context.Context, name string) (*secreports.AuditQuery, error) // GetSecurityAuditQueries returns all audit queries. GetSecurityAuditQueries(context.Context) ([]*secreports.AuditQuery, error) // ListSecurityAuditQueries lists audit queries. ListSecurityAuditQueries(context.Context, int, string) ([]*secreports.AuditQuery, string, error) }
SecurityAuditQueryGetter is the interface for audit query getters.
type SecurityReportGetter ¶
// SecurityReportGetter is the interface for security report getters.
type SecurityReportGetter interface {
	// GetSecurityReport returns the security report with the given name.
	GetSecurityReport(ctx context.Context, name string) (*secreports.Report, error)
	// GetSecurityReports returns all security reports.
	GetSecurityReports(ctx context.Context) ([]*secreports.Report, error)
	// ListSecurityReports returns a page of at most i security reports starting
	// at token; the returned string is presumably the next page token.
	ListSecurityReports(ctx context.Context, i int, token string) ([]*secreports.Report, string, error)
}
SecurityReportGetter is the interface for security report getters.
type SecurityReportStateGetter ¶
type SecurityReportStateGetter interface { // GetSecurityReportState returns a security report state. GetSecurityReportState(ctx context.Context, name string) (*secreports.ReportState, error) // GetSecurityReportsStates returns security report states. GetSecurityReportsStates(context.Context) ([]*secreports.ReportState, error) // ListSecurityReportsStates lists security report states. ListSecurityReportsStates(context.Context, int, string) ([]*secreports.ReportState, string, error) }
SecurityReportStateGetter is the interface for security report state getters.
type SemaphoreLock ¶
type SemaphoreLock struct {
// contains filtered or unexported fields
}
SemaphoreLock provides a convenient interface for managing semaphore lease keepalive operations.
func AcquireSemaphoreLock ¶
func AcquireSemaphoreLock(ctx context.Context, cfg SemaphoreLockConfig) (*SemaphoreLock, error)
AcquireSemaphoreLock attempts to acquire and hold a semaphore lease. If successfully acquired, background keepalive processes are started and an associated lock handle is returned. Canceling the supplied context releases the semaphore.
func (*SemaphoreLock) Done ¶
func (l *SemaphoreLock) Done() <-chan struct{}
Done signals that lease keepalive operations have stopped.
func (*SemaphoreLock) Renewed ¶
func (l *SemaphoreLock) Renewed() <-chan struct{}
Renewed notifies on next successful lease keepalive. Used in tests to block until next renewal.
func (*SemaphoreLock) Wait ¶
func (l *SemaphoreLock) Wait() error
Wait blocks until the final result is available. Note that this method may block longer than desired since cancellation of the parent context triggers the *start* of the release operation.
type SemaphoreLockConfig ¶
type SemaphoreLockConfig struct { // Service is the service against which all semaphore // operations are performed. Service types.Semaphores // Expiry is an optional lease expiry parameter. Expiry time.Duration // TickRate is the rate at which lease renewals are attempted // and defaults to 1/2 expiry. Used to accelerate tests. TickRate time.Duration // Params holds the semaphore lease acquisition parameters. Params types.AcquireSemaphoreRequest // Clock used to alter time in tests Clock clockwork.Clock }
func (*SemaphoreLockConfig) CheckAndSetDefaults ¶
func (l *SemaphoreLockConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default parameters
type Services ¶
type Services interface { UsersService Provisioner Trust types.Events ClusterConfiguration Access DynamicAccessCore Presence Restrictions Apps Databases DatabaseServices Kubernetes AppSession SnowflakeSession SAMLIdPSession types.WebSessionsGetter types.WebTokensGetter WindowsDesktops SAMLIdPServiceProviders UserGroups Integrations OktaClient() Okta AccessListClient() AccessLists UserLoginStateClient() UserLoginStates DiscoveryConfigClient() DiscoveryConfigs SecReportsClient() *secreport.Client }
Services collects all services
type SessionTrackerService ¶
type SessionTrackerService interface { // GetActiveSessionTrackers returns a list of active session trackers. GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error) // GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter. GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error) // GetSessionTracker returns the current state of a session tracker for an active session. GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error) // CreateSessionTracker creates a tracker resource for an active session. CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error) // UpdateSessionTracker updates a tracker resource for an active session. UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error // RemoveSessionTracker removes a tracker resource for an active session. RemoveSessionTracker(ctx context.Context, sessionID string) error // UpdatePresence updates the presence status of a user in a session. UpdatePresence(ctx context.Context, sessionID, user string) error }
SessionTrackerService is a realtime session service that has information about sessions that are in-flight in the cluster at the moment.
type SnowflakeSession ¶
type SnowflakeSession interface { // GetSnowflakeSession gets a Snowflake web session. GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error) // GetSnowflakeSessions gets all Snowflake web sessions. GetSnowflakeSessions(context.Context) ([]types.WebSession, error) // UpsertSnowflakeSession upserts a Snowflake web session. UpsertSnowflakeSession(context.Context, types.WebSession) error // DeleteSnowflakeSession removes a Snowflake web session. DeleteSnowflakeSession(context.Context, types.DeleteSnowflakeSessionRequest) error // DeleteAllSnowflakeSessions removes all Snowflake web sessions. DeleteAllSnowflakeSessions(context.Context) error }
SnowflakeSession defines Snowflake session features.
type SortedLoginAttempts ¶
type SortedLoginAttempts []LoginAttempt
SortedLoginAttempts sorts login attempts by time
func (SortedLoginAttempts) Len ¶
func (s SortedLoginAttempts) Len() int
Len returns the number of login attempts in the list.
func (SortedLoginAttempts) Less ¶
func (s SortedLoginAttempts) Less(i, j int) bool
Less orders attempts chronologically, so the latest attempts end up at the end of the list.
func (SortedLoginAttempts) Swap ¶
func (s SortedLoginAttempts) Swap(i, j int)
Swap swaps two attempts
type SortedReverseTunnels ¶
type SortedReverseTunnels []types.ReverseTunnel
SortedReverseTunnels sorts reverse tunnels by cluster name
func (SortedReverseTunnels) Len ¶
func (s SortedReverseTunnels) Len() int
func (SortedReverseTunnels) Less ¶
func (s SortedReverseTunnels) Less(i, j int) bool
func (SortedReverseTunnels) Swap ¶
func (s SortedReverseTunnels) Swap(i, j int)
type SortedRoles ¶
SortedRoles sorts roles by name
type SortedServers ¶
SortedServers is a sort wrapper that sorts servers by name
func (SortedServers) Len ¶
func (s SortedServers) Len() int
func (SortedServers) Less ¶
func (s SortedServers) Less(i, j int) bool
func (SortedServers) Swap ¶
func (s SortedServers) Swap(i, j int)
type Status ¶
// Status defines an interface for managing cluster status info:
// cluster alerts and their acknowledgements.
type Status interface {
	// GetClusterAlerts loads all cluster alerts matching query.
	GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
	// UpsertClusterAlert creates the specified alert, overwriting any
	// preexisting alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
	// CreateAlertAck marks a cluster alert as acknowledged.
	CreateAlertAck(ctx context.Context, ack types.AlertAcknowledgement) error
	// GetAlertAcks gets active alert acknowledgements.
	GetAlertAcks(ctx context.Context) ([]types.AlertAcknowledgement, error)
	// ClearAlertAcks clears alert acknowledgements selected by req.
	ClearAlertAcks(ctx context.Context, req proto.ClearAlertAcksRequest) error
}
Status defines an interface for managing cluster status info.
type StatusInternal ¶
// StatusInternal extends Status with auth-internal methods, i.e. operations
// that are not meant to be reachable through the public API surface.
type StatusInternal interface {
	Status
	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}
StatusInternal extends Status with auth-internal methods.
type Trust ¶
// Trust is responsible for managing certificate authorities. Each authority
// manages some domain, e.g. example.com.
//
// There are two types of authorities, local and remote. Local authorities
// have both private and public keys, so they can sign public keys of users
// and hosts. Remote authorities have only public keys available, so they can
// only be used to validate.
//
// Every mutator below changes what the cluster trusts; implementations are
// the storage layer only and do not perform authorization themselves.
type Trust interface {
	// AuthorityGetter retrieves certificate authorities.
	AuthorityGetter
	// CreateCertAuthority inserts a new certificate authority.
	CreateCertAuthority(ctx context.Context, ca types.CertAuthority) error
	// UpsertCertAuthority updates or inserts a new certificate authority.
	// NOTE(review): an upsert replaces the stored authority wholesale,
	// presumably including its key material — confirm the caller is
	// authorized before reaching this layer.
	UpsertCertAuthority(ctx context.Context, ca types.CertAuthority) error
	// CompareAndSwapCertAuthority updates the cert authority value
	// if the stored value matches the existing parameter;
	// returns nil on success, trace.CompareFailed otherwise.
	// (The parameter named "new" shadows the builtin; harmless in a
	// signature but worth renaming on the next touch.)
	CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
	// DeleteCertAuthority deletes a particular certificate authority.
	DeleteCertAuthority(ctx context.Context, id types.CertAuthID) error
	// DeleteAllCertAuthorities deletes cert authorities of a certain type.
	// Unlike its siblings it takes no context, so it cannot be cancelled.
	DeleteAllCertAuthorities(caType types.CertAuthType) error
	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id types.CertAuthID) error
	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id types.CertAuthID) error
	// UpdateUserCARoleMap updates the role map of the user CA of the
	// specified existing cluster; activated selects which list the CA
	// currently lives in.
	UpdateUserCARoleMap(ctx context.Context, name string, roleMap types.RoleMap, activated bool) error
}
Trust is responsible for managing certificate authorities. Each authority manages some domain, e.g. example.com.
There are two types of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts.
Remote authorities have only public keys available, so they can only be used to validate.
type UnifiedResourceCache ¶
// UnifiedResourceCache contains a representation of all resources that are
// displayable in the UI. Construct it with NewUnifiedResourceCache; check
// IsInitialized before trusting its contents.
type UnifiedResourceCache struct {
	// ResourceGetter is the source the cache is populated from.
	ResourceGetter
	// contains filtered or unexported fields
}
UnifiedResourceCache contains a representation of all resources that are displayable in the UI
func NewUnifiedResourceCache ¶
func NewUnifiedResourceCache(ctx context.Context, cfg UnifiedResourceCacheConfig) (*UnifiedResourceCache, error)
NewUnifiedResourceCache creates a new in-memory cache that holds the unified resources
func (*UnifiedResourceCache) GetUnifiedResources ¶
func (c *UnifiedResourceCache) GetUnifiedResources(ctx context.Context) ([]types.ResourceWithLabels, error)
GetUnifiedResources returns a list of all resources stored in the current unifiedResourceCollector tree in ascending order
func (*UnifiedResourceCache) GetUnifiedResourcesByIDs ¶
func (c *UnifiedResourceCache) GetUnifiedResourcesByIDs(ctx context.Context, ids []string, matchFn func(types.ResourceWithLabels) (bool, error)) ([]types.ResourceWithLabels, error)
GetUnifiedResourcesByIDs takes a list of IDs and returns the items found by ID in the unifiedResourceCache tree for which matchFn returns true
func (*UnifiedResourceCache) IsInitialized ¶
func (c *UnifiedResourceCache) IsInitialized() bool
IsInitialized reports whether the cache has completed its initial sync
func (*UnifiedResourceCache) IterateUnifiedResources ¶
func (c *UnifiedResourceCache) IterateUnifiedResources(ctx context.Context, matchFn func(types.ResourceWithLabels) (bool, error), req *proto.ListUnifiedResourcesRequest) ([]types.ResourceWithLabels, string, error)
type UnifiedResourceCacheConfig ¶
// UnifiedResourceCacheConfig is used to configure a UnifiedResourceCache.
// Call CheckAndSetDefaults to validate it and fill in defaults.
type UnifiedResourceCacheConfig struct {
	// BTreeDegree is a degree of B-Tree, 2 for example, will create a
	// 2-3-4 tree (each node contains 1-3 items and 2-4 children).
	BTreeDegree int
	// Clock is a clock for time-related operations.
	Clock clockwork.Clock
	// Component is a logging component.
	Component string
	// ResourceWatcherConfig configures the watcher that keeps the cache fresh.
	ResourceWatcherConfig
	// ResourceGetter is the source of resources for the initial population.
	ResourceGetter
}
UnifiedResourceCacheConfig is used to configure a UnifiedResourceCache
func (*UnifiedResourceCacheConfig) CheckAndSetDefaults ¶
func (cfg *UnifiedResourceCacheConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type UnknownResource ¶
// UnknownResource is used to detect a resource from its header while keeping
// the undecoded payload around; see UnmarshalJSON.
type UnknownResource struct {
	types.ResourceHeader
	// Raw is the raw representation of the resource, captured as-is by
	// UnmarshalJSON so the caller can decode it into the concrete type later.
	Raw []byte
}
UnknownResource is used to detect a resource from its header while retaining its raw representation
func (*UnknownResource) UnmarshalJSON ¶
func (u *UnknownResource) UnmarshalJSON(raw []byte) error
UnmarshalJSON unmarshals header and captures raw state
type UserACL ¶
// UserACL is derived from a user's role set and includes information as to
// what features the user is allowed to use.
//
// The json tags are the serialized contract consumers key on; note the
// irregular ones (`lock`, `discoverConfigs`) before renaming anything.
// NOTE(review): this is a summary derived from roles, presumably for
// display; it should not be the sole basis of an authorization decision —
// confirm enforcement still happens against the role set.
type UserACL struct {
	// RecordedSessions defines access to recorded sessions.
	RecordedSessions ResourceAccess `json:"recordedSessions"`
	// ActiveSessions defines access to active sessions.
	ActiveSessions ResourceAccess `json:"activeSessions"`
	// AuthConnectors defines access to auth.connectors.
	AuthConnectors ResourceAccess `json:"authConnectors"`
	// Roles defines access to roles.
	Roles ResourceAccess `json:"roles"`
	// Users defines access to users.
	Users ResourceAccess `json:"users"`
	// TrustedClusters defines access to trusted clusters.
	TrustedClusters ResourceAccess `json:"trustedClusters"`
	// Events defines access to audit logs.
	Events ResourceAccess `json:"events"`
	// Tokens defines access to tokens.
	Tokens ResourceAccess `json:"tokens"`
	// Nodes defines access to nodes.
	Nodes ResourceAccess `json:"nodes"`
	// AppServers defines access to application servers.
	AppServers ResourceAccess `json:"appServers"`
	// DBServers defines access to database servers.
	DBServers ResourceAccess `json:"dbServers"`
	// DB defines access to the database resource.
	DB ResourceAccess `json:"db"`
	// KubeServers defines access to kubernetes servers.
	KubeServers ResourceAccess `json:"kubeServers"`
	// Desktops defines access to desktops.
	Desktops ResourceAccess `json:"desktops"`
	// AccessRequests defines access to access requests.
	AccessRequests ResourceAccess `json:"accessRequests"`
	// Billing defines access to billing information.
	Billing ResourceAccess `json:"billing"`
	// ConnectionDiagnostic defines access to connection diagnostics.
	ConnectionDiagnostic ResourceAccess `json:"connectionDiagnostic"`
	// Clipboard defines whether the user can use a shared clipboard during
	// windows desktop sessions.
	Clipboard bool `json:"clipboard"`
	// DesktopSessionRecording defines whether the user's desktop sessions are
	// being recorded.
	DesktopSessionRecording bool `json:"desktopSessionRecording"`
	// DirectorySharing defines whether a user is permitted to share a
	// directory during windows desktop sessions.
	DirectorySharing bool `json:"directorySharing"`
	// Download defines whether the user has access to download Teleport
	// Enterprise binaries.
	Download ResourceAccess `json:"download"`
	// License defines whether the user has access to download the license.
	License ResourceAccess `json:"license"`
	// Plugins defines whether the user has access to manage hosted plugin
	// instances.
	Plugins ResourceAccess `json:"plugins"`
	// Integrations defines whether the user has access to manage integrations.
	Integrations ResourceAccess `json:"integrations"`
	// DeviceTrust defines access to device trust.
	DeviceTrust ResourceAccess `json:"deviceTrust"`
	// Locks defines access to locking resources. The json key is the
	// singular `lock`, unlike the field name.
	Locks ResourceAccess `json:"lock"`
	// Assist defines access to the assist feature.
	Assist ResourceAccess `json:"assist"`
	// SAMLIdpServiceProvider defines access to `saml_idp_service_provider`
	// objects.
	SAMLIdpServiceProvider ResourceAccess `json:"samlIdpServiceProvider"`
	// AccessList defines access to access list management.
	AccessList ResourceAccess `json:"accessList"`
	// DiscoveryConfig defines whether the user has access to manage
	// DiscoveryConfigs. The json key is `discoverConfigs`, not
	// `discoveryConfig`.
	DiscoveryConfig ResourceAccess `json:"discoverConfigs"`
	// AuditQuery defines access to audit query management.
	AuditQuery ResourceAccess `json:"auditQuery"`
	// SecurityReport defines access to security reports.
	SecurityReport ResourceAccess `json:"securityReport"`
	// ExternalAuditStorage defines access to manage ExternalAuditStorage.
	ExternalAuditStorage ResourceAccess `json:"externalAuditStorage"`
	// AccessGraph defines access to the access graph.
	AccessGraph ResourceAccess `json:"accessGraph"`
	// Bots defines access to manage Bots.
	Bots ResourceAccess `json:"bots"`
}
UserACL is derived from a user's role set and includes information as to what features the user is allowed to use.
type UserCertParams ¶
// UserCertParams defines OpenSSH user certificate parameters.
//
// Validate a value with CheckAndSetDefaults before signing. Everything set
// here ends up inside the certificate that CASigner produces over
// PublicUserKey, so the authorization-bearing fields (AllowedLogins, Roles,
// the Permit* flags, AllowedResourceIDs) are trusted by every host that
// trusts the CA. NOTE(review): these are expected to be derived from the
// user's checked role set rather than copied from client input — confirm at
// the call site.
type UserCertParams struct {
	// CASigner is the signer that will sign the public key of the user with
	// the CA private key.
	CASigner ssh.Signer
	// PublicUserKey is the public key of the user.
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for.
	TTL time.Duration
	// Username is the teleport username.
	Username string
	// Impersonator is set when a user requests a certificate for another user.
	Impersonator string
	// AllowedLogins is a list of SSH principals.
	AllowedLogins []string
	// PermitX11Forwarding permits X11 forwarding for this cert.
	PermitX11Forwarding bool
	// PermitAgentForwarding permits agent forwarding for this cert.
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// PermitFileCopying permits the use of SCP/SFTP.
	PermitFileCopying bool
	// Roles is a list of roles assigned to this user.
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster;
	// if present in the certificate, it will be used
	// to route requests to that cluster.
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// LoginIP is the observed IP of the client at the moment of certificate
	// creation.
	LoginIP string
	// PinnedIP is an IP from which the client must communicate with Teleport.
	PinnedIP string
	// DisallowReissue flags that any attempt to request new certificates while
	// authenticated with this cert should be denied.
	DisallowReissue bool
	// CertificateExtensions are user configured ssh key extensions.
	CertificateExtensions []*types.CertExtension
	// Renewable indicates this certificate is renewable.
	Renewable bool
	// Generation counts the number of times a certificate has been renewed.
	Generation uint64
	// BotName is set to the name of the bot, if the user is a Machine ID bot user.
	// Empty for human users.
	BotName string
	// AllowedResourceIDs lists the resources the user should be able to access.
	AllowedResourceIDs string
	// ConnectionDiagnosticID references the ConnectionDiagnostic that we
	// should use to append traces when testing a Connection.
	ConnectionDiagnosticID string
	// PrivateKeyPolicy is the private key policy supported by this certificate.
	PrivateKeyPolicy keys.PrivateKeyPolicy
	// DeviceID is the trusted device identifier.
	DeviceID string
	// DeviceAssetTag is the device inventory identifier.
	DeviceAssetTag string
	// DeviceCredentialID is the identifier for the credential used by the device
	// to authenticate itself.
	DeviceCredentialID string
}
UserCertParams defines OpenSSH user certificate parameters
func (*UserCertParams) CheckAndSetDefaults ¶
func (c *UserCertParams) CheckAndSetDefaults() error
CheckAndSetDefaults checks the user certificate parameters
type UserGetter ¶
// UserGetter is responsible for getting users.
type UserGetter interface {
	// GetUser returns a user by name. withSecrets selects whether the
	// returned user carries its secret material.
	// NOTE(review): callers that relay the result outward (API responses,
	// logs) are expected to pass withSecrets=false — confirm at each caller.
	GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}
UserGetter is responsible for getting users
type UserGroups ¶
// UserGroups defines an interface for managing UserGroups.
type UserGroups interface {
	// ListUserGroups returns a paginated list of all user group resources.
	// The int is the page size, the string the page token; the returned
	// string is the token for the next page.
	ListUserGroups(context.Context, int, string) ([]types.UserGroup, string, error)
	// GetUserGroup returns the specified user group resource.
	GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
	// CreateUserGroup creates a new user group resource.
	CreateUserGroup(context.Context, types.UserGroup) error
	// UpdateUserGroup updates an existing user group resource.
	UpdateUserGroup(context.Context, types.UserGroup) error
	// DeleteUserGroup removes the specified user group resource.
	DeleteUserGroup(ctx context.Context, name string) error
	// DeleteAllUserGroups removes all user groups.
	DeleteAllUserGroups(context.Context) error
}
UserGroups defines an interface for managing UserGroups.
type UserLoginStates ¶
// UserLoginStates is the interface for managing user login states.
type UserLoginStates interface {
	UserLoginStatesGetter
	// UpsertUserLoginState creates or updates a user login state resource
	// and returns the stored value.
	UpsertUserLoginState(context.Context, *userloginstate.UserLoginState) (*userloginstate.UserLoginState, error)
	// DeleteUserLoginState removes the user login state resource with the
	// given name.
	DeleteUserLoginState(context.Context, string) error
	// DeleteAllUserLoginStates removes all user login state resources.
	DeleteAllUserLoginStates(context.Context) error
}
UserLoginStates is the interface for managing user login states.
type UserLoginStatesGetter ¶
// UserLoginStatesGetter is the interface for reading user login states.
type UserLoginStatesGetter interface {
	// GetUserLoginStates returns all user login state resources.
	GetUserLoginStates(context.Context) ([]*userloginstate.UserLoginState, error)
	// GetUserLoginState returns the user login state resource with the
	// given name.
	GetUserLoginState(context.Context, string) (*userloginstate.UserLoginState, error)
}
UserLoginStatesGetter is the interface for reading user login states.
type UserOrLoginStateGetter ¶
// UserOrLoginStateGetter defines an interface that can get user login states
// or users. It is what GetUserOrLoginState consumes.
type UserOrLoginStateGetter interface {
	UserLoginStatesGetter
	UserGetter
}
UserOrLoginStateGetter defines an interface that can get user login states or users.
type UserPreferences ¶
// UserPreferences is the interface for managing user preferences.
type UserPreferences interface {
	// GetUserPreferences returns the user preferences for a given username.
	GetUserPreferences(ctx context.Context, username string) (*userpreferencesv1.UserPreferences, error)
	// UpsertUserPreferences creates or updates user preferences for a given
	// username.
	UpsertUserPreferences(ctx context.Context, username string, prefs *userpreferencesv1.UserPreferences) error
}
UserPreferences is the interface for managing user preferences.
type UserState ¶
// UserState is a representation of a user's current state: the name, roles
// and traits that access decisions are made against.
type UserState interface {
	// GetName returns the username associated with the user state.
	GetName() string
	// GetRoles returns the roles associated with the user's current state.
	GetRoles() []string
	// GetTraits returns the traits associated with the user's current state.
	GetTraits() map[string][]string
	// GetUserType returns the user type for the user login state.
	GetUserType() types.UserType
	// IsBot returns true if the user belongs to a bot.
	IsBot() bool
}
UserState is a representation of a user's current state.
func GetUserOrLoginState ¶
func GetUserOrLoginState(ctx context.Context, getter UserOrLoginStateGetter, username string) (UserState, error)
GetUserOrLoginState will return the given user or the login state associated with the user.
type UsersService ¶
// UsersService is responsible for basic user management.
type UsersService interface {
	UserGetter
	// UpdateUser updates an existing user and returns the stored value.
	UpdateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
	// the result to storage. Return `false` from `fn` to avoid storage changes.
	// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
	// Returns the storage user.
	UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
	// UpsertUser creates the user or updates it if it already exists, and
	// returns the stored value.
	UpsertUser(ctx context.Context, user types.User) (types.User, error)
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend.
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server.
	// withSecrets has the same meaning as in UserGetter.GetUser.
	GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
	// ListUsers returns a page of users; the returned string is the token
	// for the next page.
	ListUsers(ctx context.Context, pageSize int, nextToken string, withSecrets bool) ([]types.User, string, error)
	// DeleteAllUsers deletes all users.
	DeleteAllUsers(ctx context.Context) error
}
UsersService is responsible for basic user management
type ValidateRequestOption ¶
// ValidateRequestOption configures a RequestValidator; see ExpandVars for
// an option constructor.
type ValidateRequestOption func(*RequestValidator)
func ExpandVars ¶
func ExpandVars(expand bool) ValidateRequestOption
ExpandVars toggles variable expansion during request validation. Variable expansion includes expanding wildcard requests, setting system annotations, and gathering threshold information. Variable expansion should be run by the auth server prior to storing an access request for the first time.
type WindowsDesktopGetter ¶
// WindowsDesktopGetter is an interface for fetching WindowsDesktop resources.
type WindowsDesktopGetter interface {
	// GetWindowsDesktops returns the desktops matching the filter.
	GetWindowsDesktops(context.Context, types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
}
WindowsDesktopGetter is an interface for fetching WindowsDesktop resources.
type WindowsDesktops ¶
// WindowsDesktops defines an interface for managing Windows desktop hosts.
type WindowsDesktops interface {
	WindowsDesktopGetter
	// CreateWindowsDesktop creates a new desktop resource.
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpdateWindowsDesktop updates an existing desktop resource.
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpsertWindowsDesktop creates the desktop or updates it if it exists.
	UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
	// DeleteWindowsDesktop removes the desktop identified by hostID and name.
	DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
	// DeleteAllWindowsDesktops removes all desktop resources.
	DeleteAllWindowsDesktops(context.Context) error
	// ListWindowsDesktops returns a page of desktops selected by req.
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	// ListWindowsDesktopServices returns a page of desktop services selected
	// by req.
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
}
WindowsDesktops defines an interface for managing Windows desktop hosts.
Source Files ¶
- access.go
- access_checker.go
- access_list.go
- access_request.go
- app.go
- assist.go
- audit.go
- authentication.go
- authority.go
- clustername.go
- compare.go
- configuration.go
- connection_diagnostic.go
- database.go
- databaseserver.go
- databaseservice.go
- desktop.go
- device.go
- discoveryconfig.go
- doc.go
- embeddings.go
- externalauditstorage.go
- fanoutv2.go
- github.go
- header.go
- headlessauthn.go
- identity.go
- impersonate.go
- installer.go
- integration.go
- inventory.go
- kubernetes.go
- label_expressions.go
- license.go
- lock.go
- matchers.go
- namespace.go
- networking.go
- oidc.go
- okta.go
- parser.go
- plugin_data.go
- plugin_static_credentials.go
- plugins.go
- presence.go
- presets.go
- process.go
- provisioning.go
- reconciler.go
- remotecluster.go
- resource.go
- restrictions.go
- role.go
- saml.go
- saml_idp_service_provider.go
- scim.go
- secreports.go
- semaphore.go
- server.go
- server_info.go
- services.go
- session.go
- sessionrecording.go
- sessiontracker.go
- statictokens.go
- status.go
- traits.go
- trust.go
- trustedcluster.go
- tunnel.go
- tunnelconn.go
- ui_config.go
- unified_resource.go
- user.go
- user_login_state.go
- useracl.go
- usergroup.go
- userpreferences.go
- usertoken.go
- usertokensecrets.go
- watcher.go
Directories ¶
Path | Synopsis
---|---
local | Package local implements the services interfaces using the abstract key-value backend provided by lib/backend, which makes it possible for Teleport to run using boltdb or etcd