services

package
v11.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 13, 2022 License: Apache-2.0 Imports: 79 Imported by: 0

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source 
const (
	// RDSEngineMySQL is RDS engine name for MySQL instances.
	RDSEngineMySQL = "mysql"
	// RDSEnginePostgres is RDS engine name for Postgres instances.
	RDSEnginePostgres = "postgres"
	// RDSEngineMariaDB is RDS engine name for MariaDB instances.
	RDSEngineMariaDB = "mariadb"
	// RDSEngineAurora is RDS engine name for Aurora MySQL 5.6 compatible clusters.
	RDSEngineAurora = "aurora"
	// RDSEngineAuroraMySQL is RDS engine name for Aurora MySQL 5.7 compatible clusters.
	RDSEngineAuroraMySQL = "aurora-mysql"
	// RDSEngineAuroraPostgres is RDS engine name for Aurora Postgres clusters.
	RDSEngineAuroraPostgres = "aurora-postgresql"
)
View Source 
const (
	// RDSEngineModeProvisioned is the RDS engine mode for provisioned Aurora clusters
	RDSEngineModeProvisioned = "provisioned"
	// RDSEngineModeServerless is the RDS engine mode for Aurora Serverless DB clusters
	RDSEngineModeServerless = "serverless"
	// RDSEngineModeParallelQuery is the RDS engine mode for Aurora MySQL clusters with parallel query enabled
	RDSEngineModeParallelQuery = "parallelquery"
	// RDSEngineModeGlobal is the RDS engine mode for Aurora Global databases
	RDSEngineModeGlobal = "global"
	// RDSEngineModeMultiMaster is the RDS engine mode for Multi-master clusters
	RDSEngineModeMultiMaster = "multimaster"
)
View Source 
const (
	// AzureEngineMySQL is the Azure engine name for MySQL single-server instances
	AzureEngineMySQL = "Microsoft.DBforMySQL/servers"
	// AzureEnginePostgres is the Azure engine name for PostgreSQL single-server instances
	AzureEnginePostgres = "Microsoft.DBforPostgreSQL/servers"
)
View Source 
const (
	// AWSMatcherRDS is the AWS matcher type for RDS databases.
	AWSMatcherRDS = "rds"
	// AWSMatcherRDSProxy is the AWS matcher type for RDS Proxy databases.
	AWSMatcherRDSProxy = "rdsproxy"
	// AWSMatcherRedshift is the AWS matcher type for Redshift databases.
	AWSMatcherRedshift = "redshift"
	// AWSMatcherElastiCache is the AWS matcher type for ElastiCache databases.
	AWSMatcherElastiCache = "elasticache"
	// AWSMatcherMemoryDB is the AWS matcher type for MemoryDB databases.
	AWSMatcherMemoryDB = "memorydb"
	// AWSMatcherEC2 is the AWS matcher type for EC2 instances.
	AWSMatcherEC2 = "ec2"
	// AzureMatcherMySQL is the Azure matcher type for Azure MySQL databases.
	AzureMatcherMySQL = "mysql"
	// AzureMatcherPostgres is the Azure matcher type for Azure Postgres databases.
	AzureMatcherPostgres = "postgres"
	// AzureMatcherRedis is the Azure matcher type for Azure Cache for Redis databases.
	AzureMatcherRedis = "redis"
)
View Source 
const (
	// UserIdentifier represents user registered identifier in the rules
	UserIdentifier = "user"
	// ResourceIdentifier represents resource registered identifier in the rules
	ResourceIdentifier = "resource"
	// ResourceLabelsIdentifier refers to the static and dynamic labels in a resource.
	ResourceLabelsIdentifier = "labels"
	// ResourceNameIdentifier refers to two different fields depending on the kind of resource:
	//   - KindNode will refer to its resource.spec.hostname field
	//   - All other kinds will refer to its resource.metadata.name field
	// It refers to two different fields because the way this shorthand is being used,
	// implies it will return the name of the resource where users identifies nodes
	// by its hostname and all other resources that can be `ls` queried is identified
	// by its metadata name.
	ResourceNameIdentifier = "name"
	// SessionIdentifier refers to a session (recording) in the rules.
	SessionIdentifier = "session"
	// SSHSessionIdentifier refers to an (active) SSH session in the rules.
	SSHSessionIdentifier = "ssh_session"
	// ImpersonateRoleIdentifier is a role to impersonate
	ImpersonateRoleIdentifier = "impersonate_role"
	// ImpersonateUserIdentifier is a user to impersonate
	ImpersonateUserIdentifier = "impersonate_user"
	// HostCertIdentifier refers to a host certificate being created.
	HostCertIdentifier = "host_cert"
	// SessionTrackerIdentifier refers to a session tracker in the rules.
	SessionTrackerIdentifier = "session_tracker"
)
View Source 
const (
	// Equal means two objects are equal
	Equal = iota
	// OnlyTimestampsDifferent is true when only timestamps are different
	OnlyTimestampsDifferent = iota
	// Different means that some fields are different
	Different = iota
)
View Source 
const (
	// EventWatcherRemoved is emitted when event watcher has been removed
	EventWatcherRemoved = iota
)

Variables

View Source 
var (
	// ResourceNameExpr is the identifier that specifies resource name.
	ResourceNameExpr = builder.Identifier("resource.metadata.name")
	// CertAuthorityTypeExpr is a function call that returns
	// cert authority type.
	CertAuthorityTypeExpr = builder.Identifier(`system.catype()`)
)
View Source 
var DefaultCertAuthorityRules = []types.Rule{
	types.NewRule(types.KindSession, RO()),
	types.NewRule(types.KindNode, RO()),
	types.NewRule(types.KindAuthServer, RO()),
	types.NewRule(types.KindReverseTunnel, RO()),
	types.NewRule(types.KindCertAuthority, ReadNoSecrets()),
}

DefaultCertAuthorityRules provides access the minimal set of resources needed for a certificate authority to function.

View Source 
var DefaultImplicitRules = []types.Rule{
	types.NewRule(types.KindNode, RO()),
	types.NewRule(types.KindProxy, RO()),
	types.NewRule(types.KindAuthServer, RO()),
	types.NewRule(types.KindReverseTunnel, RO()),
	types.NewRule(types.KindCertAuthority, ReadNoSecrets()),
	types.NewRule(types.KindClusterAuthPreference, RO()),
	types.NewRule(types.KindClusterName, RO()),
	types.NewRule(types.KindSSHSession, RO()),
	types.NewRule(types.KindAppServer, RO()),
	types.NewRule(types.KindRemoteCluster, RO()),
	types.NewRule(types.KindKubeService, RO()),
	types.NewRule(types.KindKubeServer, RO()),
	types.NewRule(types.KindDatabaseServer, RO()),
	types.NewRule(types.KindDatabase, RO()),
	types.NewRule(types.KindApp, RO()),
	types.NewRule(types.KindWindowsDesktopService, RO()),
	types.NewRule(types.KindWindowsDesktop, RO()),
	types.NewRule(types.KindKubernetesCluster, RO()),
	types.NewRule(types.KindUsageEvent, []string{types.VerbCreate}),
}

DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.

View Source 
var ErrRequiresEnterprise = trace.AccessDenied("this feature requires Teleport Enterprise")
View Source 
var ErrSessionMFARequired = trace.AccessDenied("access to resource requires MFA")

ErrSessionMFARequired is returned by AccessChecker when access to a resource requires an MFA check.

View Source 
var StrictLockingModeAccessDenied = trace.AccessDenied("preventive lock-out due to local lock view becoming unreliable")

StrictLockingModeAccessDenied is an AccessDenied error returned when strict locking mode causes all interactions to be blocked.

Functions

func AccessRequestsToLockTargets 

func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget

AccessRequestsToLockTargets converts a list of access requests to a list of LockTargets (one LockTarget per access request)

func AcquireSemaphoreWithRetry 

func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)

AcquireSemaphoreWithRetry tries to acquire the semaphore according to the retry schedule until it succeeds or context expires.

func AddDefaultAllowRules 

func AddDefaultAllowRules(role types.Role) types.Role

AddDefaultAllowRules adds default rules to a preset role. Only rules whose resources are not already defined (either allowing or denying) are added.

func ApplyAccessReview 

func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author types.User) error

ApplyAccessReview attempts to apply the specified access review to the specified request.

func ApplyTraits 

func ApplyTraits(r types.Role, traits map[string][]string) types.Role

ApplyTraits applies the passed in traits to any variables within the role and returns itself.

func ApplyValueTraits 

func ApplyValueTraits(val string, traits map[string][]string) ([]string, error)

ApplyValueTraits applies the passed in traits to the variable, returns BadParameter in case if referenced variable is unsupported, returns NotFound in case if referenced trait is missing, mapped list of values otherwise, the function guarantees to return at least one value in case if return value is nil

func CalculateAccessCapabilities 

func CalculateAccessCapabilities(ctx context.Context, clt RequestValidatorGetter, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

CalculateAccessCapabilities aggregates the requested capabilities using the supplied getter to load relevant resources.

func CertAuthoritiesEquivalent 

func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool

CertAuthoritiesEquivalent checks if a pair of certificate authority resources are equivalent. This differs from normal equality only in that resource IDs are ignored.

func CertPool 

func CertPool(ca types.CertAuthority) (*x509.CertPool, error)

CertPool returns certificate pools from TLS certificates set up in the certificate authority

func CertPoolFromCertAuthorities 

func CertPoolFromCertAuthorities(cas []types.CertAuthority) (*x509.CertPool, int, error)

CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates set up in the certificate authorities list, as well as the number of certificates that were added to the pool.

func CheckSAMLEntityDescriptor 

func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)

CheckSAMLEntityDescriptor checks if the entity descriptor XML is valid and has at least one valid certificate.

func ClusterAuditConfigSpecFromObject 

func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)

ClusterAuditConfigSpecFromObject returns audit config spec from object.

func CompareResources 

func CompareResources(resA, resB types.Resource) int

CompareResources compares two resources by all significant fields.

func CompareRuleScore 

func CompareRuleScore(r *types.Rule, o *types.Rule) bool

CompareRuleScore returns true if the first rule is more specific than the other.

* nRule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.

func CompareServers 

func CompareServers(a, b types.Resource) int

CompareServers compares two provided servers.

func ConvertGithubConnector 

func ConvertGithubConnector(c types.GithubConnector) (*types.GithubConnectorV3, error)

GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.

func DowngradeRoleToV4 

func DowngradeRoleToV4(r *types.RoleV5) (*types.RoleV5, error)

DowngradeToV4 converts a V5 role to V4 so that it will be compatible with older instances. Makes a shallow copy if the conversion is necessary. The passed in role will not be mutated. DELETE IN 10.0.0

func ExtraElastiCacheLabels 

func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, allNodes []*elasticache.CacheCluster, allSubnetGroups []*elasticache.CacheSubnetGroup) map[string]string

ExtraElastiCacheLabels returns a list of extra labels for provided ElastiCache cluster.

func ExtraMemoryDBLabels 

func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, allSubnetGroups []*memorydb.SubnetGroup) map[string]string

ExtraMemoryDBLabels returns a list of extra labels for provided MemoryDB cluster.

func ExtractAllowedResourcesFromCert 

func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)

func ExtractFromCertificate 

func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, error)

ExtractFromCertificate will extract roles and traits from a *ssh.Certificate.

func ExtractFromIdentity 

func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)

ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If roles and traits do not exist in the certificates, they are extracted from the backend.

func ExtractRolesFromCert 

func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)

ExtractRolesFromCert extracts roles from certificate metadata extensions.

func ExtractTraitsFromCert 

func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)

ExtractTraitsFromCert extracts traits from the certificate extensions.

func GetAccessRequest 

func GetAccessRequest(ctx context.Context, acc DynamicAccess, reqID string) (types.AccessRequest, error)

GetAccessRequest is a helper function assists with loading a specific request by ID.

func GetAttributeNames 

func GetAttributeNames(attributes map[string]samltypes.Attribute) []string

GetAttributeNames returns a list of claim names from the claim values

func GetClaimNames 

func GetClaimNames(claims jose.Claims) []string

GetClaimNames returns a list of claim names from the claim values

func GetJWTSigner 

func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)

GetJWTSigner returns the active JWT key used to sign tokens.

func GetMySQLEngineVersion 

func GetMySQLEngineVersion(labels map[string]string) string

GetMySQLEngineVersion returns MySQL engine version from provided metadata labels. An empty string is returned if label doesn't exist.

func GetRedirectURL 

func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)

GetRedirectURL gets a redirect URL for the given connector. If the connector has a redirect URL which matches the host of the given Proxy address, then that one will be returned. Otherwise, the first URL in the list will be returned.

func GetResourceMarshalerKinds 

func GetResourceMarshalerKinds() []string

GetResourceMarshalerKinds lists all registered resource marshalers by kind.

func GetResourcesByResourceIDs 

func GetResourcesByResourceIDs(ctx context.Context, lister ResourceLister, resourceIDs []types.ResourceID, opts ...ListResourcesRequestOption) ([]types.ResourceWithLabels, error)

func GetSAMLServiceProvider 

func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)

GetSAMLServiceProvider gets the SAMLConnector's service provider

func GetSSHCheckingKeys 

func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte

GetSSHCheckingKeys returns SSH public keys from CA

func GetStringMapValue 

func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)

GetStringMapValue is a helper function that returns property from map[string]string or map[string][]string the function returns empty value in case if key not found In case if map is nil, returns empty value as well

func GetTLSCerts 

func GetTLSCerts(ca types.CertAuthority) [][]byte

GetTLSCerts returns TLS certificates from CA

func GetTraitMappings 

func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet

GetTraitMappings gets the AccessRequestConditions' claims as a TraitMappingsSet

func GuessProxyHostAndVersion 

func GuessProxyHostAndVersion(proxies []types.Server) (string, string, error)

GuessProxyHostAndVersion tries to find the first proxy with a public address configured and return that public addr and version. If no proxies are configured, it will return a guessed value by concatenating the first proxy's hostname with default port number, and the first proxy's version will also be returned.

Returns empty value if there are no proxies.

func InitGithubConnector 

func InitGithubConnector(c types.GithubConnector) (types.GithubConnector, error)

InitGithubConnector initializes c and returns a [types.GithubConnector] ready for use. InitGithubConnector must be used to initialize any uninitialized [types.GithubConnector]s before they can be used.

func IsElastiCacheClusterAvailable 

func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterAvailable checks if the ElastiCache cluster is available.

func IsElastiCacheClusterSupported 

func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterSupported checks whether the ElastiCache cluster is supported.

func IsMemoryDBClusterAvailable 

func IsMemoryDBClusterAvailable(cluster *memorydb.Cluster) bool

IsMemoryDBClusterAvailable checks if the MemoryDB cluster is available.

func IsMemoryDBClusterSupported 

func IsMemoryDBClusterSupported(cluster *memorydb.Cluster) bool

IsMemoryDBClusterSupported checks whether the MemoryDB cluster is supported.

func IsRDSClusterAvailable 

func IsRDSClusterAvailable(cluster *rds.DBCluster) bool

IsRDSClusterAvailable checks if the RDS cluster is available.

func IsRDSClusterSupported 

func IsRDSClusterSupported(cluster *rds.DBCluster) bool

IsRDSClusterSupported checks whether the Aurora cluster is supported.

func IsRDSInstanceAvailable 

func IsRDSInstanceAvailable(instance *rds.DBInstance) bool

IsRDSInstanceAvailable checks if the RDS instance is available.

func IsRDSInstanceSupported 

func IsRDSInstanceSupported(instance *rds.DBInstance) bool

IsRDSInstanceSupported returns true if database supports IAM authentication. Currently, only MariaDB is being checked.

func IsRDSProxyAvailable 

func IsRDSProxyAvailable(dbProxy *rds.DBProxy) bool

IsRDSProxyAvailable checks if the RDS Proxy is available.

func IsRDSProxyCustomEndpointAvailable 

func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool

IsRDSProxyCustomEndpointAvailable checks if the RDS Proxy custom endpoint is available.

func IsRecordAtProxy 

func IsRecordAtProxy(mode string) bool

IsRecordAtProxy returns true if recording is sync or async at proxy.

func IsRecordSync 

func IsRecordSync(mode string) bool

IsRecordSync returns true if recording is sync for proxy or node.

func IsRedshiftClusterAvailable 

func IsRedshiftClusterAvailable(cluster *redshift.Cluster) bool

IsRedshiftClusterAvailable checks if the Redshift cluster is available.

func LastFailed 

func LastFailed(x int, attempts []LoginAttempt) bool

LastFailed calculates last x successive attempts are failed

func LatestTunnelConnection 

func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)

LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error

func LockInForceAccessDenied 

func LockInForceAccessDenied(lock types.Lock) error

LockInForceAccessDenied is an AccessDenied error returned when a lock is in force.

func LockTargetsFromTLSIdentity 

func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget

LockTargetsFromTLSIdentity infers a list of LockTargets from tlsca.Identity.

func MapListResourcesResultToLeafResource 

func MapListResourcesResultToLeafResource(resource types.ResourceWithLabels, hint string) (types.ResourcesWithLabels, error)

MapListResourcesResultToLeafResource is the inverse of MapResourceKindToListResourcesType, after the ListResources call it maps the result back to the kind we really want. `hint` should be the name of the desired resource kind, used to disambiguate normal SSH nodes and kubernetes services which are both returned as `types.Server`.

func MapResourceKindToListResourcesType 

func MapResourceKindToListResourcesType(kind string) string

MapResourceKindToListResourcesType returns the value to use for ResourceType in a ListResourcesRequest based on the kind of resource you're searching for. Necessary because some resource kinds don't support ListResources directly, so you have to list the parent kind. Use MapListResourcesResultToLeafResource to map back to the given kind.

func MapRoles 

func MapRoles(r types.RoleMap, remoteRoles []string) ([]string, error)

MapRoles maps local roles to remote roles

func MarshalAccessRequest 

func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)

MarshalAccessRequest marshals the AccessRequest resource to JSON.

func MarshalApp 

func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)

MarshalApp marshals Application resource to JSON.

func MarshalAppServer 

func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)

MarshalAppServer marshals the AppServer resource to JSON.

func MarshalAuthPreference 

func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)

MarshalAuthPreference marshals the AuthPreference resource to JSON.

func MarshalCertAuthority 

func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)

MarshalCertAuthority marshals the CertAuthority resource to JSON.

func MarshalCertRoles 

func MarshalCertRoles(roles []string) (string, error)

MarshalCertRoles marshal roles list to OpenSSH

func MarshalClusterAuditConfig 

func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterAuditConfig marshals the ClusterAuditConfig resource to JSON.

func MarshalClusterName 

func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)

MarshalClusterName marshals the ClusterName resource to JSON.

func MarshalClusterNetworkingConfig 

func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterNetworkingConfig marshals the ClusterNetworkingConfig resource to JSON.

func MarshalConnectionDiagnostic 

func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)

MarshalConnectionDiagnostic marshals the ConnectionDiagnostic resource to JSON.

func MarshalDatabase 

func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)

MarshalDatabase marshals the database resource to JSON.

func MarshalDatabaseServer 

func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)

MarshalDatabaseServer marshals the DatabaseServer resource to JSON.

func MarshalGithubConnector 

func MarshalGithubConnector(connector types.GithubConnector, opts ...MarshalOption) ([]byte, error)

MarshalGithubConnector marshals the GithubConnector resource to JSON.

func MarshalInstaller 

func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)

MarshalInstaller marshals the Installer resource to JSON.

func MarshalKubeCluster 

func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)

MarshalKubeCluster marshals the KubeCluster resource to JSON.

func MarshalKubeServer 

func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)

MarshalKubeServer marshals the KubeServer resource to JSON.

func MarshalLicense 

func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)

MarshalLicense marshals the License resource to JSON.

func MarshalLock 

func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)

MarshalLock marshals the Lock resource to JSON.

func MarshalNamespace 

func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)

MarshalNamespace marshals the Namespace resource to JSON.

func MarshalNetworkRestrictions 

func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)

MarshalNetworkRestrictions marshals the NetworkRestrictions resource to JSON.

func MarshalOIDCConnector 

func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)

MarshalOIDCConnector marshals the OIDCConnector resource to JSON.

func MarshalPluginData 

func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)

MarshalPluginData marshals the PluginData resource to JSON.

func MarshalProvisionToken 

func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)

MarshalProvisionToken marshals the ProvisionToken resource to JSON.

func MarshalRemoteCluster 

func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)

MarshalRemoteCluster marshals the RemoteCluster resource to JSON.

func MarshalResource 

func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)

MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func MarshalReverseTunnel 

func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)

MarshalReverseTunnel marshals the ReverseTunnel resource to JSON.

func MarshalRole 

func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)

MarshalRole marshals the Role resource to JSON.

func MarshalSAMLConnector 

func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)

MarshalSAMLConnector marshals the SAMLConnector resource to JSON.

func MarshalSemaphore 

func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)

MarshalSemaphore marshals the Semaphore resource to JSON.

func MarshalServer 

func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)

MarshalServer marshals the Server resource to JSON.

func MarshalServers 

func MarshalServers(s []types.Server) ([]byte, error)

MarshalServers marshals a list of Server resources.

func MarshalSessionRecordingConfig 

func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)

MarshalSessionRecordingConfig marshals the SessionRecordingConfig resource to JSON.

func MarshalSessionTracker 

func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)

MarshalSessionTracker marshals the Session resource to JSON.

func MarshalStaticTokens 

func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)

MarshalStaticTokens marshals the StaticTokens resource to JSON.

func MarshalTrustedCluster 

func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)

MarshalTrustedCluster marshals the TrustedCluster resource to JSON.

func MarshalTunnelConnection 

func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)

MarshalTunnelConnection marshals the TunnelConnection resource to JSON.

func MarshalUser 

func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals the User resource to JSON.

func MarshalUserToken 

func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)

MarshalUserToken marshals the UserToken resource to JSON.

func MarshalUserTokenSecrets 

func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)

MarshalUserTokenSecrets marshals the ResetPasswordTokenSecrets resource to JSON.

func MarshalWebSession 

func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)

MarshalWebSession marshals the WebSession resource to JSON.

func MarshalWebToken 

func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)

MarshalWebToken serializes the web token as JSON-encoded payload

func MarshalWindowsDesktop 

func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktop marshals the WindowsDesktop resource to JSON.

func MarshalWindowsDesktopService 

func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktopService marshals the WindowsDesktopService resource to JSON.

func MatchAWSRoleARN 

func MatchAWSRoleARN(selectors []string, roleARN string) (bool, string)

MatchAWSRoleARN returns true if provided role ARN matches selectors.

func MatchDatabaseName 

func MatchDatabaseName(selectors []string, name string) (bool, string)

MatchDatabaseName returns true if provided database name matches selectors.

func MatchDatabaseUser 

func MatchDatabaseUser(selectors []string, user string) (bool, string)

MatchDatabaseUser returns true if provided database user matches selectors.

func MatchLabels 

func MatchLabels(selector types.Labels, target map[string]string) (bool, string, error)

MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.

func MatchNamespace 

func MatchNamespace(selectors []string, namespace string) (bool, string)

MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything.

func MatchResourceByFilters 

func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, seenMap map[ResourceSeenKey]struct{}) (bool, error)

MatchResourceByFilters returns true if all filter values given matched against the resource.

If no filters were provided, we will treat that as a match.

If a `seenMap` is provided, this will be treated as a request to filter out duplicate matches. The map will be modified in place as it adds new keys. Seen keys will return match as false.

Resource KubeService is handled differently b/c of its 1-N relationhip with service-clusters, it filters out the non-matched clusters on the kube service and the kube service is modified in place with only the matched clusters. Deduplication for resource `KubeService` is not provided but is provided for kind `KubernetesCluster`.

func MatchResourceLabels 

func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool

MatchResourceLabels returns true if any of the provided selectors matches the provided database.

func MetadataFromElastiCacheCluster 

func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)

MetadataFromElastiCacheCluster creates AWS metadata for the provided ElastiCache cluster.

func MetadataFromMemoryDBCluster 

func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)

MetadataFromMemoryDBCluster creates AWS metadata for the providec MemoryDB cluster.

func MetadataFromRDSCluster 

func MetadataFromRDSCluster(rdsCluster *rds.DBCluster) (*types.AWS, error)

MetadataFromRDSCluster creates AWS metadata from the provided RDS cluster.

func MetadataFromRDSInstance 

func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)

MetadataFromRDSInstance creates AWS metadata from the provided RDS instance.

func MetadataFromRDSProxy 

func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error)

MetadataFromRDSProxy creates AWS metadata from the provided RDS Proxy.

func MetadataFromRDSProxyCustomEndpoint 

func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)

MetadataFromRDSProxyCustomEndpoint creates AWS metadata from the provided RDS Proxy custom endpoint.

func MetadataFromRedshiftCluster 

func MetadataFromRedshiftCluster(cluster *redshift.Cluster) (*types.AWS, error)

MetadataFromRedshiftCluster creates AWS metadata from the provided Redshift cluster.

func MustCreateProvisionToken 

func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken

MustCreateProvisionToken returns a new valid provision token or panics, used in tests

func NewAccessRequest 

func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)

NewAccessRequest assembles an AccessRequest resource.

func NewAccessRequestWithResources 

func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)

NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.

func NewActionsParser 

func NewActionsParser(ctx RuleContext) (predicate.Parser, error)

NewActionsParser returns standard parser for 'actions' section in access rules

func NewClusterNameWithRandomID 

func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)

NewClusterNameWithRandomID creates a ClusterName, supplying a random ClusterID if the field is not provided in spec.

func NewDatabaseFromAzureRedis 

func NewDatabaseFromAzureRedis(server *armredis.ResourceInfo) (types.Database, error)

NewDatabaseFromAzureRedis creates a database resource from an Azure Redis server.

func NewDatabaseFromAzureRedisEnterprise 

func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)

NewDatabaseFromAzureRedisEnterprise creates a database resource from an Azure Redis Enterprise database and its parent cluster.

func NewDatabaseFromAzureServer 

func NewDatabaseFromAzureServer(server *azure.DBServer) (types.Database, error)

NewDatabaseFromAzureServer creates a database resource from an AzureDB server.

func NewDatabaseFromElastiCacheConfigurationEndpoint 

func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromElastiCacheConfigurationEndpoint creates a database resource from ElastiCache configuration endpoint.

func NewDatabaseFromMemoryDBCluster 

func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromMemoryDBCluster creates a database resource from a MemoryDB cluster.

func NewDatabaseFromRDSCluster 

func NewDatabaseFromRDSCluster(cluster *rds.DBCluster) (types.Database, error)

NewDatabaseFromRDSCluster creates a database resource from an RDS cluster (Aurora).

func NewDatabaseFromRDSClusterReaderEndpoint 

func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster) (types.Database, error)

NewDatabaseFromRDSClusterReaderEndpoint creates a database resource from an RDS cluster reader endpoint (Aurora).

func NewDatabaseFromRDSInstance 

func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)

NewDatabaseFromRDSInstance creates a database resource from an RDS instance.

func NewDatabaseFromRDSProxy 

func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, port int64, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxy creates database resource from RDS Proxy.

func NewDatabaseFromRDSProxyCustomEndpoint 

func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, port int64, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxyCustomEndpiont creates database resource from RDS Proxy custom endpoint.

func NewDatabaseFromRedshiftCluster 

func NewDatabaseFromRedshiftCluster(cluster *redshift.Cluster) (types.Database, error)

NewDatabaseFromRedshiftCluster creates a database resource from a Redshift cluster.

func NewDatabasesFromElastiCacheNodeGroups 

func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)

NewDatabasesFromElastiCacheNodeGroups creates database resources from ElastiCache node groups.

func NewDatabasesFromRDSClusterCustomEndpoints 

func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster) (types.Databases, error)

NewDatabasesFromRDSClusterCustomEndpoints creates database resources from RDS cluster custom endpoints (Aurora).

func NewGithubConnector 

func NewGithubConnector(name string, spec types.GithubConnectorSpecV3) (types.GithubConnector, error)

NewGithubConnector creates a new GitHub auth connector.

func NewImplicitRole 

func NewImplicitRole() types.Role

NewImplicitRole is the default implicit role that gets added to all RoleSets.

func NewKubeClusterFromAWSEKS 

func NewKubeClusterFromAWSEKS(cluster *eks.Cluster) (types.KubeCluster, error)

NewKubeClusterFromAWSEKS creates a kube_cluster resource from an EKS cluster.

func NewKubeClusterFromAzureAKS 

func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)

NewKubeClusterFromAzureAKS creates a kube_cluster resource from an AKSCluster.

func NewKubeClusterFromGCPGKE 

func NewKubeClusterFromGCPGKE(cluster gcp.GKECluster) (types.KubeCluster, error)

NewKubeClusterFromGCPGKE creates a kube_cluster resource from an GKE cluster.

func NewLogActionFn 

func NewLogActionFn(ctx RuleContext) interface{}

NewLogActionFn creates logger functions

func NewPresetAccessRole 

func NewPresetAccessRole() types.Role

NewPresetAccessRole creates a role for users who are allowed to initiate interactive sessions.

func NewPresetAuditorRole 

func NewPresetAuditorRole() types.Role

NewPresetAuditorRole returns a new pre-defined role for cluster auditor - someone who can review cluster events and replay sessions, but can't initiate interactive sessions or modify configuration.

func NewPresetEditorRole 

func NewPresetEditorRole() types.Role

NewPresetEditorRole returns a new pre-defined role for cluster editors who can edit cluster configuration resources.

func NewTOTPDevice 

func NewTOTPDevice(name, key string, addedAt time.Time) (*types.MFADevice, error)

NewTOTPDevice creates a TOTP MFADevice from the given key.

func NewWhereParser 

func NewWhereParser(ctx RuleContext) (predicate.Parser, error)

NewWhereParser returns standard parser for `where` section in access rules.

func NodeHasMissedKeepAlives 

func NodeHasMissedKeepAlives(s types.Server) bool

NodeHasMissedKeepAlives checks if node has missed its keep alive

func OIDCClaimsToTraits 

func OIDCClaimsToTraits(claims jose.Claims) map[string][]string

OIDCClaimsToTraits converts OIDC-style claims into teleport-specific trait format

func ParseShortcut 

func ParseShortcut(in string) (string, error)

ParseShortcut parses resource shortcut

func RO 

func RO() []string

RO is a shortcut that returns read only verbs that provide access to secrets.

func RW 

func RW() []string

RW is a shortcut that returns all verbs.

func ReadNoSecrets 

func ReadNoSecrets() []string

ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.

func RegisterGithubAuthConverter 

func RegisterGithubAuthConverter(convert GithubAuthConverter)

RegisterGithubAuthCreator registers a function to convert GitHub auth connectors.

func RegisterGithubAuthCreator 

func RegisterGithubAuthCreator(creator GithubAuthCreator)

RegisterGithubAuthCreator registers a function to create GitHub auth connectors.

func RegisterGithubAuthInitializer 

func RegisterGithubAuthInitializer(init GithubAuthInitializer)

RegisterGithubAuthCreator registers a function to initialize GitHub auth connectors.

func RegisterResourceMarshaler 

func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)

RegisterResourceMarshaler registers a marshaler for resources of a specific kind.

func RegisterResourceUnmarshaler 

func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)

RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.

func RoleForCertAuthority 

func RoleForCertAuthority(ca types.CertAuthority) types.Role

RoleForCertAuthority creates role using types.CertAuthority.

func RoleForUser 

func RoleForUser(u types.User) types.Role

RoleForUser creates an admin role for a services.User.

Used in tests only.

func RoleFromSpec 

func RoleFromSpec(name string, spec types.RoleSpecV5) (types.Role, error)

RoleFromSpec returns new Role created from spec

func RoleMapToString 

func RoleMapToString(r types.RoleMap) string

RoleMapToString prints user friendly representation of role mapping

func RoleNameForCertAuthority 

func RoleNameForCertAuthority(name string) string

RoleNameForCertAuthority returns role name associated with a certificate authority.

func RoleNameForUser 

func RoleNameForUser(name string) string

RoleNameForUser returns role name associated with a user.

func RolesToLockTargets 

func RolesToLockTargets(roles []string) []types.LockTarget

RolesToLockTargets converts a list of roles to a list of LockTargets (one LockTarget per role).

func SAMLAssertionsToTraits 

func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string

SAMLAssertionsToTraits converts saml assertions to traits

func TraitsToRoleMatchers 

func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)

TraitsToRoleMatchers maps the supplied traits to a list of role matchers. Prefer calling this function directly rather than calling TraitsToRoles and then building matchers from the resulting list since this function forces any roles which include substitutions to be literal matchers.

func TraitsToRoles 

func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)

TraitsToRoles maps the supplied traits to a list of teleport role names. Returns the list of roles mapped from traits. `warnings` optionally contains the list of warnings potentially interesting to the user.

func TunnelConnectionStatus 

func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, offlineThreshold time.Duration) string

TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection

func UnmarshalAccessRequest 

func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)

UnmarshalAccessRequest unmarshals the AccessRequest resource from JSON.

func UnmarshalApp 

func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)

UnmarshalApp unmarshals Application resource from JSON.

func UnmarshalAppServer 

func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)

UnmarshalAppServer unmarshals AppServer resource from JSON.

func UnmarshalAuthPreference 

func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)

UnmarshalAuthPreference unmarshals the AuthPreference resource from JSON.

func UnmarshalCertAuthority 

func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)

UnmarshalCertAuthority unmarshals the CertAuthority resource to JSON.

func UnmarshalCertRoles 

func UnmarshalCertRoles(data string) ([]string, error)

UnmarshalCertRoles marshals roles list to OpenSSH format

func UnmarshalClusterAuditConfig 

func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)

UnmarshalClusterAuditConfig unmarshals the ClusterAuditConfig resource from JSON.

func UnmarshalClusterName 

func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)

UnmarshalClusterName unmarshals the ClusterName resource from JSON.

func UnmarshalClusterNetworkingConfig 

func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)

UnmarshalClusterNetworkingConfig unmarshals the ClusterNetworkingConfig resource from JSON.

func UnmarshalConnectionDiagnostic 

func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)

UnmarshalConnectionDiagnostic unmarshals the ConnectionDiagnostic resource from JSON.

func UnmarshalDatabase 

func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)

UnmarshalDatabase unmarshals the database resource from JSON.

func UnmarshalDatabaseServer 

func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)

UnmarshalDatabaseServer unmarshals the DatabaseServer resource from JSON.

func UnmarshalGithubConnector 

func UnmarshalGithubConnector(bytes []byte) (types.GithubConnector, error)

UnmarshalGithubConnector unmarshals the GithubConnector resource from JSON.

func UnmarshalInstaller 

func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)

UnmarshalInstaller unmarshals the installer resource from JSON.

func UnmarshalKubeCluster 

func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)

UnmarshalKubeCluster unmarshals KubeCluster resource from JSON.

func UnmarshalKubeServer 

func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)

UnmarshalKubeServer unmarshals KubeServer resource from JSON.

func UnmarshalLicense 

func UnmarshalLicense(bytes []byte) (types.License, error)

UnmarshalLicense unmarshals the License resource from JSON.

func UnmarshalLock 

func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)

UnmarshalLock unmarshals the Lock resource from JSON.

func UnmarshalNamespace 

func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)

UnmarshalNamespace unmarshals the Namespace resource from JSON.

func UnmarshalNetworkRestrictions 

func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalOIDCConnector 

func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)

UnmarshalOIDCConnector unmarshals the OIDCConnector resource from JSON.

func UnmarshalPluginData 

func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)

UnmarshalPluginData unmarshals the PluginData resource from JSON.

func UnmarshalProvisionToken 

func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)

UnmarshalProvisionToken unmarshals the ProvisionToken resource from JSON.

func UnmarshalRemoteCluster 

func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)

UnmarshalRemoteCluster unmarshals the RemoteCluster resource from JSON.

func UnmarshalResource 

func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (types.Resource, error)

UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if no unmarshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func UnmarshalReverseTunnel 

func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalRole 

func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)

UnmarshalRole unmarshals the Role resource from JSON.

func UnmarshalSAMLConnector 

func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)

UnmarshalSAMLConnector unmarshals the SAMLConnector resource from JSON.

func UnmarshalSemaphore 

func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)

UnmarshalSemaphore unmarshals the Semaphore resource from JSON.

func UnmarshalServer 

func UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (types.Server, error)

UnmarshalServer unmarshals the Server resource from JSON.

func UnmarshalServers 

func UnmarshalServers(bytes []byte) ([]types.Server, error)

UnmarshalServers unmarshals a list of Server resources.

func UnmarshalSessionRecordingConfig 

func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)

UnmarshalSessionRecordingConfig unmarshals the SessionRecordingConfig resource from JSON.

func UnmarshalSessionTracker 

func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)

UnmarshalSessionTracker unmarshals the Session resource from JSON.

func UnmarshalStaticTokens 

func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)

UnmarshalStaticTokens unmarshals the StaticTokens resource from JSON.

func UnmarshalTrustedCluster 

func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)

UnmarshalTrustedCluster unmarshals the TrustedCluster resource from JSON.

func UnmarshalTunnelConnection 

func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)

UnmarshalTunnelConnection unmarshals TunnelConnection resource from JSON or YAML, sets defaults and checks the schema

func UnmarshalUser 

func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)

UnmarshalUser unmarshals the User resource from JSON.

func UnmarshalUserToken 

func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)

UnmarshalUserToken unmarshals the UserToken resource from JSON.

func UnmarshalUserTokenSecrets 

func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)

UnmarshalUserTokenSecrets unmarshals the ResetPasswordTokenSecrets resource from JSON.

func UnmarshalWebSession 

func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)

UnmarshalWebSession unmarshals the WebSession resource from JSON.

func UnmarshalWebToken 

func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)

UnmarshalWebToken interprets bytes as JSON-encoded web token value

func UnmarshalWindowsDesktop 

func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)

UnmarshalWindowsDesktop unmarshals the WindowsDesktop resource from JSON.

func UnmarshalWindowsDesktopService 

func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)

UnmarshalWindowsDesktopService unmarshals the WindowsDesktopService resource from JSON.

func UsersEquals 

func UsersEquals(u types.User, other types.User) bool

UsersEquals checks if the users are equal

func ValidateAccessPredicates 

func ValidateAccessPredicates(role types.Role) error

ValidateAccessPredicates checks request & review permission predicates for syntax errors. Used to help prevent users from accidentally writing incorrect predicates. This function should only be called by the auth server prior to storing new/updated roles. Normal role validation deliberately omits these checks in order to allow us to extend the available namespaces without breaking backwards compatibility with older nodes/proxies (which never need to evaluate these predicates).

func ValidateAccessRequest 

func ValidateAccessRequest(ar types.AccessRequest) error

ValidateAccessRequest validates the AccessRequest and sets default values

func ValidateAccessRequestForUser 

func ValidateAccessRequestForUser(ctx context.Context, getter RequestValidatorGetter, req types.AccessRequest, opts ...ValidateRequestOption) error

ValidateAccessRequestForUser validates an access request against the associated users's *statically assigned* roles. If expandRoles is true, it will also expand wildcard requests, setting their role list to include all roles the user is allowed to request. Expansion should be performed before an access request is initially placed in the backend.

func ValidateCertAuthority 

func ValidateCertAuthority(ca types.CertAuthority) (err error)

ValidateCertAuthority validates the CertAuthority

func ValidateDatabase 

func ValidateDatabase(db types.Database) error

ValidateDatabase validates a types.Database.

func ValidateLocalAuthSecrets 

func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error

ValidateLocalAuthSecrets validates local auth secret members.

func ValidateNetworkRestrictions 

func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error

ValidateNetworkRestrictions validates the network restrictions and sets defaults

func ValidateReverseTunnel 

func ValidateReverseTunnel(rt types.ReverseTunnel) error

ValidateReverseTunnel validates the OIDC connector and sets default values

func ValidateRole 

func ValidateRole(r types.Role) error

ValidateRole parses validates the role, and sets default values.

func ValidateRoleName 

func ValidateRoleName(role types.Role) error

ValidateRoleName checks that the role name is allowed to be created.

func ValidateSAMLConnector 

func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error

ValidateSAMLConnector validates the SAMLConnector and sets default values. If a remote to fetch roles is specified, roles will be validated to exist.

func ValidateTrustedCluster 

func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error

ValidateTrustedCluster checks and sets Trusted Cluster defaults

func ValidateUser 

func ValidateUser(u types.User) error

ValidateUser validates the User and sets default values

func ValidateUserRoles 

func ValidateUserRoles(ctx context.Context, u types.User, roleGetter RoleGetter) error

ValidateUserRoles checks that all the roles in the user exist

func VerifyPassword 

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type AWSMatcher 

type AWSMatcher struct {
	// Types are AWS database types to match, "rds" or "redshift".
	Types []string
	// Regions are AWS regions to query for databases.
	Regions []string
	// Tags are AWS tags to match.
	Tags types.Labels
	// Params are passed to AWS when executing the SSM document
	Params InstallerParams
	// SSM provides options to use when sending a document command to
	// an EC2 node
	SSM *AWSSSM
}

AWSMatcher matches AWS databases.

type AWSRoleARNMatcher 

type AWSRoleARNMatcher struct {
	RoleARN string
}

AWSRoleARNMatcher matches a role against AWS role ARN.

func (*AWSRoleARNMatcher) Match 

func (m *AWSRoleARNMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database account name against provided role and condition.

func (*AWSRoleARNMatcher) String 

func (m *AWSRoleARNMatcher) String() string

String returns the matcher's string representation.

type AWSSSM 

type AWSSSM struct {
	// DocumentName is the name of the document to use when executing an
	// SSM command
	DocumentName string
}

AWSSSM provides options to use when executing SSM documents

type Access 

type Access interface {
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) error
	// UpsertRole creates or updates role.
	UpsertRole(ctx context.Context, role types.Role) error
	// DeleteAllRoles deletes all roles.
	DeleteAllRoles() error
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// DeleteRole deletes role by name.
	DeleteRole(ctx context.Context, name string) error

	LockGetter
	// UpsertLock upserts a lock.
	UpsertLock(context.Context, types.Lock) error
	// DeleteLock deletes a lock.
	DeleteLock(context.Context, string) error
	// DeleteLock deletes all/in-force locks.
	DeleteAllLocks(context.Context) error
	// ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
	ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
}

Access service manages roles and permissions.

type AccessCheckable 

type AccessCheckable interface {
	GetKind() string
	GetName() string
	GetMetadata() types.Metadata
	GetAllLabels() map[string]string
}

AccessCheckable is the subset of types.Resource required for the RBAC checks.

type AccessChecker 

type AccessChecker interface {
	// HasRole checks if the checker includes the role
	HasRole(role string) bool

	// RoleNames returns a list of role names
	RoleNames() []string

	// Roles returns the list underlying roles this AccessChecker is based on.
	Roles() []types.Role

	// CheckAccess checks access to the specified resource.
	CheckAccess(r AccessCheckable, mfa AccessMFAParams, matchers ...RoleMatcher) error

	// CheckAccessToRemoteCluster checks access to remote cluster
	CheckAccessToRemoteCluster(cluster types.RemoteCluster) error

	// CheckAccessToRule checks access to a rule within a namespace.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error

	// CheckLoginDuration checks if role set can login up to given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)

	// CheckKubeGroupsAndUsers check if role can login into kubernetes
	// and returns two lists of combined allowed groups and users
	CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) (groups []string, users []string, err error)

	// CheckAWSRoleARNs returns a list of AWS role ARNs role is allowed to assume.
	CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

	// AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged
	AdjustSessionTTL(ttl time.Duration) time.Duration

	// AdjustClientIdleTimeout adjusts requested idle timeout
	// to the lowest max allowed timeout, the most restrictive
	// option will be picked
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration

	// AdjustDisconnectExpiredCert adjusts the value based on the role set
	// the most restrictive option will be picked
	AdjustDisconnectExpiredCert(disconnect bool) bool

	// CheckAgentForward checks if the role can request agent forward for this
	// user.
	CheckAgentForward(login string) error

	// CanForwardAgents returns true if this role set offers capability to forward
	// agents.
	CanForwardAgents() bool

	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool

	// DesktopClipboard returns true if the role set has enabled shared
	// clipboard for desktop sessions. Clipboard sharing is disabled if
	// one or more of the roles in the set has disabled it.
	DesktopClipboard() bool
	// RecordDesktopSession returns true if a role in the role set has enabled
	// desktop session recoring.
	RecordDesktopSession() bool
	// DesktopDirectorySharing returns true if the role set has directory sharing
	// enabled. This setting is enabled if one or more of the roles in the set has
	// enabled it.
	DesktopDirectorySharing() bool

	// MaybeCanReviewRequests attempts to guess if this RoleSet belongs
	// to a user who should be submitting access reviews. Because not all rolesets
	// are derived from statically assigned roles, this may return false positives.
	MaybeCanReviewRequests() bool

	// PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
	PermitX11Forwarding() bool

	// CanCopyFiles returns true if the role set has enabled remote file
	// operations via SCP or SFTP. Remote file operations are disabled if
	// one or more of the roles in the set has disabled it.
	CanCopyFiles() bool

	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	CertificateFormat() string

	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool

	// CheckDatabaseNamesAndUsers returns database names and users this role
	// is allowed to use.
	CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) (names []string, users []string, err error)

	// CheckImpersonate checks whether current user is allowed to impersonate
	// users and roles
	CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

	// CheckImpersonateRoles checks whether the current user is allowed to
	// perform roles-only impersonation.
	CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

	// CanImpersonateSomeone returns true if this checker has any impersonation rules
	CanImpersonateSomeone() bool

	// LockingMode returns the locking mode to apply with this checker.
	LockingMode(defaultMode constants.LockingMode) constants.LockingMode

	// ExtractConditionForIdentifier returns a restrictive filter expression
	// for list queries based on the rules' `where` conditions.
	ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

	// CertificateExtensions returns the list of extensions for each role in the RoleSet
	CertificateExtensions() []*types.CertExtension

	// GetAllowedSearchAsRoles returns all of the allowed SearchAsRoles.
	GetAllowedSearchAsRoles() []string

	// GetAllowedPreviewAsRoles returns all of the allowed PreviewAsRoles.
	GetAllowedPreviewAsRoles() []string

	// MaxConnections returns the maximum number of concurrent ssh connections
	// allowed.  If MaxConnections is zero then no maximum was defined and the
	// number of concurrent connections is unconstrained.
	MaxConnections() int64

	// MaxSessions returns the maximum number of concurrent ssh sessions per
	// connection. If MaxSessions is zero then no maximum was defined and the
	// number of sessions is unconstrained.
	MaxSessions() int64

	// SessionPolicySets returns the list of SessionPolicySets for all roles.
	SessionPolicySets() []*types.SessionTrackerPolicySet

	// GetAllLogins returns all valid unix logins for the AccessChecker.
	GetAllLogins() []string

	// GetAllowedResourceIDs returns the list of allowed resources the identity for
	// the AccessChecker is allowed to access. An empty or nil list indicates that
	// there are no resource-specific restrictions.
	GetAllowedResourceIDs() []types.ResourceID

	// SessionRecordingMode returns the recording mode for a specific service.
	SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

	// HostUsers returns host user information matching a server or nil if
	// a role disallows host user creation
	HostUsers(types.Server) (*HostUsersInfo, error)

	// PinSourceIP forces the same client IP for certificate generation and SSH usage
	PinSourceIP() bool

	// MFAParams returns MFA params for the given use given their roles, the cluster
	// auth preference, and whether mfa has been verified.
	MFAParams(authPrefMFARequirement types.RequireMFAType) AccessMFAParams
	// PrivateKeyPolicy returns the enforced private key policy for this role set,
	// or the provided defaultPolicy - whichever is stricter.
	PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy
}

AccessChecker interface checks access to resources based on roles, traits, and allowed resources

func NewAccessChecker 

func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)

NewAccessChecker returns a new AccessChecker which can be used to check access to resources. Args:

  • `info *AccessInfo` should hold the roles, traits, and allowed resource IDs for the identity.
  • `localCluster string` should be the name of the local cluster in which access will be checked. You cannot check for access to resources in remote clusters.
  • `access RoleGetter` should be a RoleGetter which will be used to fetch the full RoleSet

func NewAccessCheckerWithRoleSet 

func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker

NewAccessCheckerWithRoleSet is similar to NewAccessChecker, but accepts the full RoleSet rather than a RoleGetter.

type AccessInfo 

type AccessInfo struct {
	// Roles is the list of cluster local roles for the identity.
	Roles []string
	// Traits is the set of traits for the identity.
	Traits wrappers.Traits
	// AllowedResourceIDs is the list of resource IDs the identity is allowed to
	// access. A nil or empty list indicates that no resource-specific
	// access restrictions should be applied. Used for search-based access
	// requests.
	AllowedResourceIDs []types.ResourceID
}

AccessInfo hold information about an identity necessary to check whether that identity has access to cluster resources. This info can come from a user or host SSH certificate, TLS certificate, or user information stored in the backend.

func AccessInfoFromLocalCertificate 

func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)

AccessInfoFromLocalCertificate returns a new AccessInfo populated from the given ssh certificate. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromLocalIdentity 

func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)

AccessInfoFromLocalIdentity returns a new AccessInfo populated from the given tlsca.Identity. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromRemoteCertificate 

func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteCertificate returns a new AccessInfo populated from the given remote cluster user's ssh certificate. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromRemoteIdentity 

func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteIdentity returns a new AccessInfo populated from the given remote cluster user's tlsca.Identity. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromUser 

func AccessInfoFromUser(user types.User) *AccessInfo

AccessInfoFromUser return a new AccessInfo populated from the roles and traits held be the given user. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests).

type AccessMFAParams 

type AccessMFAParams struct {
	// Required determines whether a user's MFA requirement dynamically changes based on
	// their active role (per-role), or is static across all roles (always/never).
	Required MFARequired
	// Verified is set when MFA has been verified by the caller.
	Verified bool
}

AccessMFAParams contains MFA-related parameters for methods that check access.

type AcquireSemaphoreWithRetryConfig 

type AcquireSemaphoreWithRetryConfig struct {
	Service types.Semaphores
	Request types.AcquireSemaphoreRequest
	Retry   retryutils.LinearConfig
}

AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a semaphore with a retry.

type AppGetter 

type AppGetter interface {
	// GetApps returns all application resources.
	GetApps(context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}

AppGetter defines interface for fetching application resources.

type AppSession 

type AppSession interface {
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// GetAppSessions gets all application web sessions.
	GetAppSessions(context.Context) ([]types.WebSession, error)
	// UpsertAppSession upserts an application web session.
	UpsertAppSession(context.Context, types.WebSession) error
	// DeleteAppSession removes an application web session.
	DeleteAppSession(context.Context, types.DeleteAppSessionRequest) error
	// DeleteAllAppSessions removes all application web sessions.
	DeleteAllAppSessions(context.Context) error
	// DeleteUserAppSessions deletes all user’s application sessions.
	DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
}

AppSession defines application session features.

type AppWatcher 

type AppWatcher struct {
	// contains filtered or unexported fields
}

AppWatcher is built on top of resourceWatcher to monitor application resources.

func NewAppWatcher 

func NewAppWatcher(ctx context.Context, cfg AppWatcherConfig) (*AppWatcher, error)

NewAppWatcher returns a new instance of AppWatcher.

func (AppWatcher) Close 

func (p AppWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (AppWatcher) Done 

func (p AppWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (AppWatcher) IsInitialized 

func (p AppWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (AppWatcher) WaitInitialization 

func (p AppWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type AppWatcherConfig 

type AppWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AppGetter is responsible for fetching application resources.
	AppGetter
	// AppsC receives up-to-date list of all application resources.
	AppsC chan types.Apps
}

AppWatcherConfig is an AppWatcher configuration.

func (*AppWatcherConfig) CheckAndSetDefaults 

func (cfg *AppWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Apps 

type Apps interface {
	// AppGetter provides methods for fetching application resources.
	AppGetter
	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error
	// DeleteAllApps removes all database resources.
	DeleteAllApps(context.Context) error
}

Apps defines an interface for managing application resources.

type AuthorityGetter 

type AuthorityGetter interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...MarshalOption) ([]types.CertAuthority, error)
}

AuthorityGetter defines interface for fetching cert authority resources.

type AzureMatcher 

type AzureMatcher struct {
	// Subscriptions are Azure subscriptions to query for resources.
	Subscriptions []string
	// ResourceGroups are Azure resource groups to query for resources.
	ResourceGroups []string
	// Types are Azure resource types to match, for example "mysql" or "postgres".
	Types []string
	// Regions are Azure regions to query for databases.
	Regions []string
	// ResourceTags are Azure tags to match.
	ResourceTags types.Labels
}

AzureMatcher matches Azure databases.

type BoolPredicateParser 

type BoolPredicateParser interface {
	predicate.Parser
	EvalBoolPredicate(string) (bool, error)
}

BoolPredicateParser extends predicate.Parser with a convenience method for evaluating bool predicates.

func NewJSONBoolParser 

func NewJSONBoolParser(ctx interface{}) (BoolPredicateParser, error)

NewJSONBoolParser returns a generic parser for boolean expressions based on a json-serializable context.

func NewResourceParser 

func NewResourceParser(resource types.ResourceWithLabels) (BoolPredicateParser, error)

NewResourceParser returns a parser made for boolean expressions based on a json-serialiable resource. Customized to allow short identifiers common in all resources:

  • shorthand `name` refers to `resource.spec.hostname` for node resources or it refers to `resource.metadata.name` for all other resources eg: `name == "app-name-jenkins"`
  • shorthand `labels` refers to resource `resource.metadata.labels + resource.spec.dynamic_labels` eg: `labels.env == "prod"`

All other fields can be referenced by starting expression with identifier `resource` followed by the names of the json fields ie: `resource.spec.public_addr`.

type CertAuthorityWatcher 

type CertAuthorityWatcher struct {
	// contains filtered or unexported fields
}

CertAuthorityWatcher is built on top of resourceWatcher to monitor cert authority resources.

func NewCertAuthorityWatcher 

func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig) (*CertAuthorityWatcher, error)

NewCertAuthorityWatcher returns a new instance of CertAuthorityWatcher.

func (CertAuthorityWatcher) Close 

func (p CertAuthorityWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (CertAuthorityWatcher) Done 

func (p CertAuthorityWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (CertAuthorityWatcher) IsInitialized 

func (p CertAuthorityWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (CertAuthorityWatcher) Subscribe 

func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (CertAuthorityWatcher) WaitInitialization 

func (p CertAuthorityWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type CertAuthorityWatcherConfig 

type CertAuthorityWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AuthorityGetter is responsible for fetching cert authority resources.
	AuthorityGetter
	// Types restricts which cert authority types are retrieved via the AuthorityGetter.
	Types []types.CertAuthType
}

CertAuthorityWatcherConfig is a CertAuthorityWatcher configuration.

func (*CertAuthorityWatcherConfig) CheckAndSetDefaults 

func (cfg *CertAuthorityWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type ChangePasswordReq 

type ChangePasswordReq struct {
	// User is user ID
	User string
	// OldPassword is user current password
	OldPassword []byte `json:"old_password"`
	// NewPassword is user new password
	NewPassword []byte `json:"new_password"`
	// SecondFactorToken is user 2nd factor token
	SecondFactorToken string `json:"second_factor_token"`
	// WebauthnResponse is Webauthn sign response
	WebauthnResponse *wanlib.CredentialAssertionResponse `json:"webauthn_response"`
}

ChangePasswordReq defines a request to change user password

type ClusterConfiguration 

type ClusterConfiguration interface {
	// SetClusterName gets services.ClusterName from the backend.
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// SetClusterName sets services.ClusterName on the backend.
	SetClusterName(types.ClusterName) error
	// UpsertClusterName upserts cluster name
	UpsertClusterName(types.ClusterName) error

	// DeleteClusterName deletes cluster name resource
	DeleteClusterName() error

	// GetStaticTokens gets services.StaticTokens from the backend.
	GetStaticTokens() (types.StaticTokens, error)
	// SetStaticTokens sets services.StaticTokens on the backend.
	SetStaticTokens(types.StaticTokens) error
	// DeleteStaticTokens deletes static tokens resource
	DeleteStaticTokens() error

	// GetAuthPreference gets types.AuthPreference from the backend.
	GetAuthPreference(context.Context) (types.AuthPreference, error)
	// SetAuthPreference sets types.AuthPreference from the backend.
	SetAuthPreference(context.Context, types.AuthPreference) error
	// DeleteAuthPreference deletes types.AuthPreference from the backend.
	DeleteAuthPreference(ctx context.Context) error

	// GetSessionRecordingConfig gets SessionRecordingConfig from the backend.
	GetSessionRecordingConfig(context.Context, ...MarshalOption) (types.SessionRecordingConfig, error)
	// SetSessionRecordingConfig sets SessionRecordingConfig from the backend.
	SetSessionRecordingConfig(context.Context, types.SessionRecordingConfig) error
	// DeleteSessionRecordingConfig deletes SessionRecordingConfig from the backend.
	DeleteSessionRecordingConfig(ctx context.Context) error

	// GetClusterAuditConfig gets ClusterAuditConfig from the backend.
	GetClusterAuditConfig(context.Context, ...MarshalOption) (types.ClusterAuditConfig, error)
	// SetClusterAuditConfig sets ClusterAuditConfig from the backend.
	SetClusterAuditConfig(context.Context, types.ClusterAuditConfig) error
	// DeleteClusterAuditConfig deletes ClusterAuditConfig from the backend.
	DeleteClusterAuditConfig(ctx context.Context) error

	// GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend.
	GetClusterNetworkingConfig(context.Context, ...MarshalOption) (types.ClusterNetworkingConfig, error)
	// SetClusterNetworkingConfig sets ClusterNetworkingConfig from the backend.
	SetClusterNetworkingConfig(context.Context, types.ClusterNetworkingConfig) error
	// DeleteClusterNetworkingConfig deletes ClusterNetworkingConfig from the backend.
	DeleteClusterNetworkingConfig(ctx context.Context) error

	// GetInstallers gets all installer scripts from the backend
	GetInstallers(context.Context) ([]types.Installer, error)
	// GetInstaller gets the installer script from the backend
	GetInstaller(ctx context.Context, name string) (types.Installer, error)
	// SetInstaller sets the installer script in the backend
	SetInstaller(context.Context, types.Installer) error
	// DeleteInstaller removes the installer script from the backend
	DeleteInstaller(ctx context.Context, name string) error
	// DeleteAllInstallers removes all installer script resources from the backend
	DeleteAllInstallers(context.Context) error
}

ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.

type CommandLabels 

type CommandLabels map[string]types.CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) Clone 

func (c *CommandLabels) Clone() CommandLabels

Clone returns copy of the set

func (*CommandLabels) SetEnv 

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type ConnectionDiagnosticTraceAppender 

type ConnectionDiagnosticTraceAppender interface {
	// AppendDiagnosticTrace atomically adds a new trace into the ConnectionDiagnostic.
	AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
}

ConnectionDiagnosticTraceAppender specifies methods to add Traces into a DiagnosticConnection

type ConnectionsDiagnostic 

type ConnectionsDiagnostic interface {
	// CreateConnectionDiagnostic creates a new Connection Diagnostic
	CreateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// UpdateConnectionDiagnostic updates a Connection Diagnostic
	UpdateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// GetConnectionDiagnostic receives a name and returns the Connection Diagnostic matching that name
	//
	// If not found, a `trace.NotFound` error is returned
	GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

	// ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics.
	ConnectionDiagnosticTraceAppender
}

ConnectionsDiagnostic defines an interface for managing Connection Diagnostics.

type Context 

type Context struct {
	// User is currently authenticated user
	User types.User
	// Resource is an optional resource, in case if the rule
	// checks access to the resource
	Resource types.Resource
	// Session is an optional session.end or windows.desktop.session.end event.
	// These events hold information about session recordings.
	Session events.AuditEvent
	// SSHSession is an optional (active) SSH session.
	SSHSession *session.Session
	// HostCert is an optional host certificate.
	HostCert *HostCertContext
	// SessionTracker is an optional session tracker, in case if the rule checks access to the tracker.
	SessionTracker types.SessionTracker
}

Context is a default rule context used in teleport

func (*Context) GetIdentifier 

func (ctx *Context) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier returns identifier defined in a context

func (*Context) GetResource 

func (ctx *Context) GetResource() (types.Resource, error)

GetResource returns resource specified in the context, returns error if not specified.

func (*Context) String 

func (ctx *Context) String() string

String returns user friendly representation of this context

type CurrentUserRoleGetter 

type CurrentUserRoleGetter interface {
	GetCurrentUser(context.Context) (types.User, error)
	GetCurrentUserRoles(context.Context) ([]types.Role, error)
	RoleGetter
}

CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchAllClusterRoles.

type DatabaseGetter 

type DatabaseGetter interface {
	// GetDatabases returns all database resources.
	GetDatabases(context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}

DatabaseGetter defines interface for fetching database resources.

type DatabaseNameMatcher 

type DatabaseNameMatcher struct {
	Name string
}

DatabaseNameMatcher matches a role against database name.

func (*DatabaseNameMatcher) Match 

func (m *DatabaseNameMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database name against provided role and condition.

func (*DatabaseNameMatcher) String 

func (m *DatabaseNameMatcher) String() string

String returns the matcher's string representation.

type DatabaseUserMatcher 

type DatabaseUserMatcher struct {
	User string
}

DatabaseUserMatcher matches a role against database account name.

func (*DatabaseUserMatcher) Match 

func (m *DatabaseUserMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database account name against provided role and condition.

func (*DatabaseUserMatcher) String 

func (m *DatabaseUserMatcher) String() string

String returns the matcher's string representation.

type DatabaseWatcher 

type DatabaseWatcher struct {
	// contains filtered or unexported fields
}

DatabaseWatcher is built on top of resourceWatcher to monitor database resources.

func NewDatabaseWatcher 

func NewDatabaseWatcher(ctx context.Context, cfg DatabaseWatcherConfig) (*DatabaseWatcher, error)

NewDatabaseWatcher returns a new instance of DatabaseWatcher.

func (DatabaseWatcher) Close 

func (p DatabaseWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (DatabaseWatcher) Done 

func (p DatabaseWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (DatabaseWatcher) IsInitialized 

func (p DatabaseWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (DatabaseWatcher) WaitInitialization 

func (p DatabaseWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type DatabaseWatcherConfig 

type DatabaseWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// DatabaseGetter is responsible for fetching database resources.
	DatabaseGetter
	// DatabasesC receives up-to-date list of all database resources.
	DatabasesC chan types.Databases
}

DatabaseWatcherConfig is a DatabaseWatcher configuration.

func (*DatabaseWatcherConfig) CheckAndSetDefaults 

func (cfg *DatabaseWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Databases 

type Databases interface {
	// DatabaseGetter provides methods for fetching database resources.
	DatabaseGetter
	// CreateDatabase creates a new database resource.
	CreateDatabase(context.Context, types.Database) error
	// UpdateDatabase updates an existing database resource.
	UpdateDatabase(context.Context, types.Database) error
	// DeleteDatabase removes the specified database resource.
	DeleteDatabase(ctx context.Context, name string) error
	// DeleteAllDatabases removes all database resources.
	DeleteAllDatabases(context.Context) error
}

Databases defines an interface for managing database resources.

type DynamicAccess 

type DynamicAccess interface {
	DynamicAccessCore
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
	// SubmitAccessReview applies a review to a request and returns the post-application state.
	SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
}

DynamicAccess is a service which manages dynamic RBAC. Specifically, this is the dynamic access interface implemented by remote clients.

type DynamicAccessCore 

type DynamicAccessCore interface {
	// CreateAccessRequest stores a new access request.
	CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
	// GetAccessRequests gets all currently active access requests.
	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
	// DeleteAccessRequest deletes an access request.
	DeleteAccessRequest(ctx context.Context, reqID string) error
	// GetPluginData loads all plugin data matching the supplied filter.
	GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
	// UpdatePluginData updates a per-resource PluginData entry.
	UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
}

DynamicAccessCore is the core functionality common to all DynamicAccess implementations.

type DynamicAccessExt 

type DynamicAccessExt interface {
	DynamicAccessCore
	// ApplyAccessReview applies a review to a request in the backend and returns the post-application state.
	ApplyAccessReview(ctx context.Context, params types.AccessReviewSubmission, checker ReviewPermissionChecker) (types.AccessRequest, error)
	// UpsertAccessRequest creates or updates an access request.
	UpsertAccessRequest(ctx context.Context, req types.AccessRequest) error
	// DeleteAllAccessRequests deletes all existent access requests.
	DeleteAllAccessRequests(ctx context.Context) error
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) (types.AccessRequest, error)
}

DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.

type DynamicAccessOracle 

type DynamicAccessOracle interface {
	GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
}

DynamicAccessOracle is a service capable of answering questions related to the dynamic access API. Necessary because some information (e.g. the list of roles a user is allowed to request) can not be calculated by actors with limited privileges.

type EmptyResource 

type EmptyResource struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata types.Metadata `json:"metadata"`
}

EmptyResource is used to represent a use case when no resource is specified in the rules matcher

func (*EmptyResource) CheckAndSetDefaults 

func (r *EmptyResource) CheckAndSetDefaults() error

func (*EmptyResource) Expiry 

func (r *EmptyResource) Expiry() time.Time

Expiry returns the expiry time for the object.

func (*EmptyResource) GetKind 

func (r *EmptyResource) GetKind() string

GetKind returns resource kind

func (*EmptyResource) GetMetadata 

func (r *EmptyResource) GetMetadata() types.Metadata

GetMetadata returns role metadata.

func (*EmptyResource) GetName 

func (r *EmptyResource) GetName() string

GetName gets the role name and is a shortcut for GetMetadata().Name.

func (*EmptyResource) GetResourceID 

func (r *EmptyResource) GetResourceID() int64

GetResourceID returns resource ID

func (*EmptyResource) GetSubKind 

func (r *EmptyResource) GetSubKind() string

GetSubKind returns resource sub kind

func (*EmptyResource) GetVersion 

func (r *EmptyResource) GetVersion() string

GetVersion returns resource version

func (*EmptyResource) SetExpiry 

func (r *EmptyResource) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object.

func (*EmptyResource) SetName 

func (r *EmptyResource) SetName(s string)

SetName sets the role name and is a shortcut for SetMetadata().Name.

func (*EmptyResource) SetResourceID 

func (r *EmptyResource) SetResourceID(id int64)

SetResourceID sets resource ID

func (*EmptyResource) SetSubKind 

func (r *EmptyResource) SetSubKind(s string)

SetSubKind sets resource subkind

type Enforcer 

type Enforcer interface {
	// GetLicenseCheckResult returns the license status in a heartbeat.
	GetLicenseCheckResult(ctx context.Context) (*types.Heartbeat, error)
}

Enforcer defines interface for fetching license status.

type EnumerationResult 

type EnumerationResult struct {
	// contains filtered or unexported fields
}

EnumerationResult is a result of enumerating a role set against some property, e.g. allowed names or logins.

func NewEnumerationResult 

func NewEnumerationResult() EnumerationResult

NewEnumerationResult returns new EnumerationResult.

func (*EnumerationResult) Allowed 

func (result *EnumerationResult) Allowed() []string

Allowed returns all known allowed users.

func (*EnumerationResult) Denied 

func (result *EnumerationResult) Denied() []string

Denied returns all explicitly denied users.

func (*EnumerationResult) WildcardAllowed 

func (result *EnumerationResult) WildcardAllowed() bool

WildcardAllowed is true if there * username allowed for given rule set.

func (*EnumerationResult) WildcardDenied 

func (result *EnumerationResult) WildcardDenied() bool

WildcardDenied is true if there * username deny for given rule set.

type Fanout 

type Fanout struct {
	// contains filtered or unexported fields
}

Fanout is a helper which allows a stream of events to be fanned-out to many watchers. Used by the cache layer to forward events.

func NewFanout 

func NewFanout(eventsCh ...chan FanoutEvent) *Fanout

NewFanout creates a new Fanout instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.

func (*Fanout) Close 

func (f *Fanout) Close()

Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.

func (*Fanout) Emit 

func (f *Fanout) Emit(events ...types.Event)

Emit broadcasts events to all matching watchers that have been attached to this fanout instance.

func (*Fanout) Len 

func (f *Fanout) Len() int

Len returns a total count of watchers

func (*Fanout) NewWatcher 

func (f *Fanout) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher attaches a new watcher to this fanout instance.

func (*Fanout) Reset 

func (f *Fanout) Reset()

Reset closes all attached watchers and places the fanout instance into an uninitialized state. Reset may be called on an uninitialized fanout instance to remove "queued" watchers.

func (*Fanout) SetInit 

func (f *Fanout) SetInit()

SetInit sets Fanout into an initialized state, sending OpInit events to any watchers which were added prior to initialization.

type FanoutEvent 

type FanoutEvent struct {
	// Kind is event kind
	Kind int
}

FanoutEvent is used in tests

type FanoutSet 

type FanoutSet struct {
	// contains filtered or unexported fields
}

FanoutSet is a collection of separate Fanout instances. It exposes an identical API, and "load balances" watcher registration across the enclosed instances. In very large clusters it is possible for tens of thousands of nodes to simultaneously request watchers. This can cause serious contention issues. FanoutSet is a simple but effective solution to that problem.

func NewFanoutSet 

func NewFanoutSet() *FanoutSet

NewFanoutSet creates a new FanoutSet instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.

func (*FanoutSet) Close 

func (s *FanoutSet) Close()

Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.

func (*FanoutSet) Emit 

func (s *FanoutSet) Emit(events ...types.Event)

Emit broadcasts events to all matching watchers that have been attached to this fanout set.

func (*FanoutSet) NewWatcher 

func (s *FanoutSet) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher attaches a new watcher to a fanout instance.

func (*FanoutSet) Reset 

func (s *FanoutSet) Reset()

Reset closes all attached watchers and places the fanout instances into an uninitialized state. Reset may be called on an uninitialized fanout set to remove "queued" watchers.

func (*FanoutSet) SetInit 

func (s *FanoutSet) SetInit()

SetInit sets the Fanout instances into an initialized state, sending OpInit events to any watchers which were added prior to initialization.

type GCPMatcher 

type GCPMatcher struct {
	// Types are GKE resource types to match: "gke".
	Types []string `yaml:"types,omitempty"`
	// Locations are GCP locations to search resources for.
	Locations []string `yaml:"locations,omitempty"`
	// Tags are GCP labels to match.
	Tags types.Labels `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project IDs where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
}

GCPMatcher matches GCP resources.

type GithubAuthConverter 

type GithubAuthConverter func(types.GithubConnector) (*types.GithubConnectorV3, error)

GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.

type GithubAuthCreator 

type GithubAuthCreator func(string, types.GithubConnectorSpecV3) (types.GithubConnector, error)

GithubAuthCreator creates a new GitHub connector.

type GithubAuthInitializer 

type GithubAuthInitializer func(types.GithubConnector) (types.GithubConnector, error)

GithubAuthInitializer initializes a GitHub auth connector.

type HostCertContext 

type HostCertContext struct {
	// HostID is the host ID in the cert request.
	HostID string `json:"host_id"`
	// NodeName is the node name in the cert request.
	NodeName string `json:"node_name"`
	// Principals is the list of requested certificate principals.
	Principals []string `json:"principals"`
	// ClusterName is the name of the cluster for which the certificate should
	// be issued.
	ClusterName string `json:"cluster_name"`
	// Role is the name of the Teleport role for which the cert should be
	// issued.
	Role types.SystemRole `json:"role"`
	// TTL is the requested certificate TTL.
	TTL time.Duration `json:"ttl"`
}

HostCertContext is used to evaluate the `where` condition on a `host_cert` pseudo-resource. These resources only exist for RBAC purposes and do not exist in the database.

type HostCertParams 

type HostCertParams struct {
	// CASigner is the signer that will sign the public key of the host with the CA private key.
	CASigner ssh.Signer
	// PublicHostKey is the public key of the host
	PublicHostKey []byte
	// HostID is used by Teleport to uniquely identify a node within a cluster
	HostID string
	// Principals is a list of additional principals to add to the certificate.
	Principals []string
	// NodeName is the DNS name of the node
	NodeName string
	// ClusterName is the name of the cluster within which a node lives
	ClusterName string
	// Role identifies the role of a Teleport instance
	Role types.SystemRole
	// TTL defines how long a certificate is valid for
	TTL time.Duration
}

HostCertParams defines all parameters needed to generate a host certificate

func (HostCertParams) Check 

func (c HostCertParams) Check() error

Check checks parameters for errors

type HostUsersInfo 

type HostUsersInfo struct {
	// Groups is the list of groups to include host users in
	Groups []string
	// Sudoers is a list of entries for a users sudoers file
	Sudoers []string
}

HostUsersInfo keeps information about groups and sudoers entries for a particular host user

type Identity 

type Identity interface {
	// CreateUser creates user, only if the user entry does not exist
	CreateUser(user types.User) error

	// UsersService implements most methods
	UsersService

	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error

	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)

	// DeleteUserLoginAttempts removes all login attempts of a user. Should be
	// called after successful login.
	DeleteUserLoginAttempts(user string) error

	// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserByGithubIdentity returns a user by its specified Github identity
	GetUserByGithubIdentity(id types.ExternalIdentity) (types.User, error)

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid.
	UpsertUsedTOTPToken(user string, otpToken string) error

	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)

	// UpsertPassword upserts new password and OTP token
	UpsertPassword(user string, password []byte) error

	// UpsertWebauthnLocalAuth creates or updates the local auth configuration for
	// Webauthn.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	// Automatically indexes the WebAuthn user ID for lookup by
	// GetTeleportUserByWebauthnID.
	UpsertWebauthnLocalAuth(ctx context.Context, user string, wla *types.WebauthnLocalAuth) error

	// GetWebauthnLocalAuth retrieves the existing local auth configuration for
	// Webauthn, if any.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	GetWebauthnLocalAuth(ctx context.Context, user string) (*types.WebauthnLocalAuth, error)

	// GetTeleportUserByWebauthnID reads a Teleport username from a WebAuthn user
	// ID (aka user handle).
	// See UpsertWebauthnLocalAuth and types.WebauthnLocalAuth.
	GetTeleportUserByWebauthnID(ctx context.Context, webID []byte) (string, error)

	// UpsertWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication or
	// registration challenge.
	// Session data is expected to expire according to backend settings.
	UpsertWebauthnSessionData(ctx context.Context, user, sessionID string, sd *wantypes.SessionData) error

	// GetWebauthnSessionData retrieves a previously-stored session data by ID,
	// if it exists and has not expired.
	GetWebauthnSessionData(ctx context.Context, user, sessionID string) (*wantypes.SessionData, error)

	// DeleteWebauthnSessionData deletes session data by ID, if it exists and has
	// not expired.
	DeleteWebauthnSessionData(ctx context.Context, user, sessionID string) error

	// UpsertGlobalWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication challenge.
	// Session data is expected to expire according to backend settings.
	// Used for passwordless challenges.
	UpsertGlobalWebauthnSessionData(ctx context.Context, scope, id string, sd *wantypes.SessionData) error

	// GetGlobalWebauthnSessionData retrieves previously-stored session data by ID,
	// if it exists and has not expired.
	// Used for passwordless challenges.
	GetGlobalWebauthnSessionData(ctx context.Context, scope, id string) (*wantypes.SessionData, error)

	// DeleteGlobalWebauthnSessionData deletes session data by ID, if it exists
	// and has not expired.
	DeleteGlobalWebauthnSessionData(ctx context.Context, scope, id string) error

	// UpsertMFADevice upserts an MFA device for the user.
	UpsertMFADevice(ctx context.Context, user string, d *types.MFADevice) error

	// GetMFADevices gets all MFA devices for the user.
	GetMFADevices(ctx context.Context, user string, withSecrets bool) ([]*types.MFADevice, error)

	// DeleteMFADevice deletes an MFA device for the user by ID.
	DeleteMFADevice(ctx context.Context, user, id string) error

	// UpsertOIDCConnector upserts OIDC Connector
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(ctx context.Context, connectorID string) error

	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)

	// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error)

	// UpsertSAMLConnector upserts SAML Connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

	// DeleteSAMLConnector deletes OIDC Connector
	DeleteSAMLConnector(ctx context.Context, connectorID string) error

	// GetSAMLConnector returns OIDC connector data, withSecrets adds or removes secrets from return results
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)

	// GetSAMLConnectors returns registered connectors, withSecrets adds or removes secret from return results
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

	// CreateSAMLAuthRequest creates new auth request
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest, ttl time.Duration) error

	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

	// CreateSSODiagnosticInfo creates new SSO diagnostic info record.
	CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error

	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

	// UpsertGithubConnector creates or updates a new Github connector
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

	// GetGithubConnector returns a Github connector by its name
	GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

	// DeleteGithubConnector deletes a Github connector by its name
	DeleteGithubConnector(ctx context.Context, name string) error

	// CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) error

	// GetGithubAuthRequest retrieves Github auth request by the token
	GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

	// CreateUserToken creates a new user token.
	CreateUserToken(ctx context.Context, token types.UserToken) (types.UserToken, error)

	// DeleteUserToken deletes a user token.
	DeleteUserToken(ctx context.Context, tokenID string) error

	// GetUserTokens returns all user tokens.
	GetUserTokens(ctx context.Context) ([]types.UserToken, error)

	// GetUserToken returns a user token by id.
	GetUserToken(ctx context.Context, tokenID string) (types.UserToken, error)

	// UpsertUserTokenSecrets upserts a user token secrets.
	UpsertUserTokenSecrets(ctx context.Context, secrets types.UserTokenSecrets) error

	// GetUserTokenSecrets returns a user token secrets.
	GetUserTokenSecrets(ctx context.Context, tokenID string) (types.UserTokenSecrets, error)

	// UpsertRecoveryCodes upserts a user's new recovery codes.
	UpsertRecoveryCodes(ctx context.Context, user string, recovery *types.RecoveryCodesV1) error

	// GetRecoveryCodes gets a user's recovery codes.
	GetRecoveryCodes(ctx context.Context, user string, withSecrets bool) (*types.RecoveryCodesV1, error)

	// CreateUserRecoveryAttempt logs user recovery attempt.
	CreateUserRecoveryAttempt(ctx context.Context, user string, attempt *types.RecoveryAttempt) error

	// GetUserRecoveryAttempts returns user recovery attempts sorted by oldest to latest time.
	GetUserRecoveryAttempts(ctx context.Context, user string) ([]*types.RecoveryAttempt, error)

	// DeleteUserRecoveryAttempts removes all recovery attempts of a user.
	DeleteUserRecoveryAttempts(ctx context.Context, user string) error

	// UpsertKeyAttestationData upserts a verified public key attestation response.
	UpsertKeyAttestationData(ctx context.Context, attestationData *keys.AttestationData, ttl time.Duration) error

	// GetKeyAttestationData gets a verified public key attestation response.
	GetKeyAttestationData(ctx context.Context, publicKey crypto.PublicKey) (*keys.AttestationData, error)

	types.WebSessionsGetter
	types.WebTokensGetter

	// AppSession defines application session features.
	AppSession
	// SnowflakeSession defines Snowflake session features.
	SnowflakeSession
}

Identity is responsible for managing user entries and external identities

type InstallerParams 

type InstallerParams struct {
	// JoinMethod is the method to use when joining the cluster
	JoinMethod types.JoinMethod
	// JoinToken is the token to use when joining the cluster
	JoinToken string
	// ScriptName is the name of the teleport script for the EC2
	// instance to execute
	ScriptName string
}

InstallerParams are passed to the AWS SSM document

type KubeClusterWatcher 

type KubeClusterWatcher struct {
	// contains filtered or unexported fields
}

KubeClusterWatcher is built on top of resourceWatcher to monitor kube_cluster resources.

func NewKubeClusterWatcher 

func NewKubeClusterWatcher(ctx context.Context, cfg KubeClusterWatcherConfig) (*KubeClusterWatcher, error)

NewKubeClusterWatcher returns a new instance of KubeClusterWatcher.

func (KubeClusterWatcher) Close 

func (p KubeClusterWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (KubeClusterWatcher) Done 

func (p KubeClusterWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (KubeClusterWatcher) IsInitialized 

func (p KubeClusterWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (KubeClusterWatcher) WaitInitialization 

func (p KubeClusterWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type KubeClusterWatcherConfig 

type KubeClusterWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// KubernetesGetter is responsible for fetching kube_cluster resources.
	KubernetesGetter
	// KubeClustersC receives up-to-date list of all kube_cluster resources.
	KubeClustersC chan types.KubeClusters
}

KubeClusterWatcherConfig is an KubeClusterWatcher configuration.

func (*KubeClusterWatcherConfig) CheckAndSetDefaults 

func (cfg *KubeClusterWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Kubernetes 

type Kubernetes interface {
	// KubernetesGetter provides methods for fetching kubernetes resources.
	KubernetesGetter
	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(context.Context, types.KubeCluster) error
	// UpdateKubernetesCluster updates an existing kubernetes cluster resource.
	UpdateKubernetesCluster(context.Context, types.KubeCluster) error
	// DeleteKubernetesCluster removes the specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// DeleteAllKubernetesClusters removes all kubernetes resources.
	DeleteAllKubernetesClusters(context.Context) error
}

Kubernetes defines an interface for managing kubernetes clusters resources.

type KubernetesGetter 

type KubernetesGetter interface {
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

KubernetesGetter defines interface for fetching kubernetes cluster resources.

type ListResourcesRequestOption 

type ListResourcesRequestOption func(*proto.ListResourcesRequest)

type LockGetter 

type LockGetter interface {
	// GetLock gets a lock by name.
	GetLock(ctx context.Context, name string) (types.Lock, error)
	// GetLocks gets all/in-force locks that match at least one of the targets when specified.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
}

LockGetter is a service that gets locks.

type LockWatcher 

type LockWatcher struct {
	// contains filtered or unexported fields
}

LockWatcher is built on top of resourceWatcher to monitor changes to locks.

func NewLockWatcher 

func NewLockWatcher(ctx context.Context, cfg LockWatcherConfig) (*LockWatcher, error)

NewLockWatcher returns a new instance of LockWatcher.

func (LockWatcher) CheckLockInForce 

func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error

CheckLockInForce returns an AccessDenied error if there is a lock in force matching at at least one of the targets.

func (LockWatcher) Close 

func (p LockWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (LockWatcher) Done 

func (p LockWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (LockWatcher) GetCurrent 

func (p LockWatcher) GetCurrent() []types.Lock

GetCurrent returns the currently stored locks.

func (LockWatcher) IsInitialized 

func (p LockWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (LockWatcher) Subscribe 

func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (LockWatcher) WaitInitialization 

func (p LockWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type LockWatcherConfig 

type LockWatcherConfig struct {
	ResourceWatcherConfig
	LockGetter
}

LockWatcherConfig is a LockWatcher configuration.

func (*LockWatcherConfig) CheckAndSetDefaults 

func (cfg *LockWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type LogAction 

type LogAction struct {
	// contains filtered or unexported fields
}

LogAction represents action that will emit log entry when specified in the actions of a matched rule

func (*LogAction) Log 

func (l *LogAction) Log(level, format string, args ...interface{}) predicate.BoolPredicate

Log logs with specified level and formatting string with arguments

type LoginAttempt 

type LoginAttempt struct {
	// Time is time of the attempt
	Time time.Time `json:"time"`
	// Success indicates whether attempt was successful
	Success bool `json:"bool"`
}

LoginAttempt represents successful or unsuccessful attempt for user to login

func (*LoginAttempt) Check 

func (la *LoginAttempt) Check() error

Check checks parameters

type MFARequired 

type MFARequired string

MFARequired determines when MFA is required for a user to access a resource. 

const (
	// MFARequiredNever means that MFA is never required for any sessions started by this user. This either
	// means both the cluster auth preference and all roles have per-session MFA off, or at least one of
	// those resources has "require_session_mfa: hardware_key_touch", which overrides per-session MFA.
	MFARequiredNever MFARequired = "never"
	// MFARequiredAlways means that MFA is required for all sessions started by a user. This either
	// means that the cluster auth preference requires per-session MFA, or all of the user's roles require
	// per-session MFA
	MFARequiredAlways MFARequired = "always"
	// MFARequiredPerRole means that MFA requirement is based on which of the user's roles
	// provides access to the session in question.
	MFARequiredPerRole MFARequired = "per-role"
)

type MarshalConfig 

type MarshalConfig struct {
	// Version specifies particular version we should marshal resources with
	Version string

	// ID is a record ID to assign
	ID int64

	// PreserveResourceID preserves resource IDs in resource
	// specs when marshaling
	PreserveResourceID bool

	// Expires is an optional expiry time
	Expires time.Time
}

MarshalConfig specifies marshaling options

func CollectOptions 

func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)

CollectOptions collects all options from functional arg and returns config

func (*MarshalConfig) GetVersion 

func (m *MarshalConfig) GetVersion() string

GetVersion returns explicitly provided version or sets latest as default

type MarshalOption 

type MarshalOption func(c *MarshalConfig) error

MarshalOption sets marshaling option

func AddOptions 

func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption

AddOptions adds marshal options and returns a new copy

func PreserveResourceID 

func PreserveResourceID() MarshalOption

PreserveResourceID preserves resource ID when marshaling value

func WithExpires 

func WithExpires(expires time.Time) MarshalOption

WithExpires assigns expiry value

func WithResourceID 

func WithResourceID(id int64) MarshalOption

WithResourceID assigns ID to the resource

func WithVersion 

func WithVersion(v string) MarshalOption

WithVersion sets marshal version

type MatchResourceFilter 

type MatchResourceFilter struct {
	// ResourceKind is the resource kind and is used to fine tune the filtering.
	ResourceKind string
	// Labels are the labels to match.
	Labels map[string]string
	// SearchKeywords is a list of search keywords to match.
	SearchKeywords []string
	// PredicateExpression holds boolean conditions that must be matched.
	PredicateExpression string
}

MatchResourceFilter holds the filter values to match against a resource.

type Matcher 

type Matcher func(types.ResourceWithLabels) bool

Matcher is used by reconciler to match resources.

type Node 

type Node interface {
	// ResourceWithLabels provides common resource headers
	types.ResourceWithLabels
	// GetTeleportVersion returns the teleport version the server is running on
	GetTeleportVersion() string
	// GetAddr return server address
	GetAddr() string
	// GetHostname returns server hostname
	GetHostname() string
	// GetNamespace returns server namespace
	GetNamespace() string
	// GetCmdLabels gets command labels
	GetCmdLabels() map[string]types.CommandLabel
	// GetPublicAddr is an optional field that returns the public address this cluster can be reached at.
	GetPublicAddr() string
	// GetRotation gets the state of certificate authority rotation.
	GetRotation() types.Rotation
	// GetUseTunnel gets if a reverse tunnel should be used to connect to this node.
	GetUseTunnel() bool
	// GetProxyID returns a list of proxy ids this server is connected to.
	GetProxyIDs() []string
}

Node is a readonly subset of the types.Server interface which users may filter by in GetNodes.

type NodeWatcher 

type NodeWatcher struct {
	// contains filtered or unexported fields
}

NodeWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of nodes.

func NewNodeWatcher 

func NewNodeWatcher(ctx context.Context, cfg NodeWatcherConfig) (*NodeWatcher, error)

NewNodeWatcher returns a new instance of NodeWatcher.

func (NodeWatcher) Close 

func (p NodeWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (NodeWatcher) Done 

func (p NodeWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (NodeWatcher) GetNodes 

func (n NodeWatcher) GetNodes(fn func(n Node) bool) []types.Server

GetNodes allows callers to retrieve a subset of nodes that match the filter provided. The returned servers are a copy and can be safely modified. It is intentionally hard to retrieve the full set of nodes to reduce the number of copies needed since the number of nodes can get quite large and doing so can be expensive.

func (NodeWatcher) IsInitialized 

func (p NodeWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (NodeWatcher) NodeCount 

func (n NodeWatcher) NodeCount() int

func (NodeWatcher) WaitInitialization 

func (p NodeWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type NodeWatcherConfig 

type NodeWatcherConfig struct {
	ResourceWatcherConfig
	// NodesGetter is used to directly fetch the list of active nodes.
	NodesGetter
}

NodeWatcherConfig is a NodeWatcher configuration.

func (*NodeWatcherConfig) CheckAndSetDefaults 

func (cfg *NodeWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type NodesGetter 

type NodesGetter interface {
	// GetNodes returns a list of registered servers.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
}

NodesGetter is a service that gets nodes.

type Presence 

type Presence interface {
	// Semaphores is responsible for semaphore handling
	types.Semaphores

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// NodesGetter gets nodes
	NodesGetter

	// DeleteAllNodes deletes all nodes in a namespace.
	DeleteAllNodes(ctx context.Context, namespace string) error

	// DeleteNode deletes node in a namespace
	DeleteNode(ctx context.Context, namespace, name string) error

	// UpsertNode registers node presence, permanently if TTL is 0 or for the
	// specified duration with second resolution if it's >= 1 second.
	UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error)

	// DELETE IN: 5.1.0
	//
	// This logic has been moved to KeepAliveServer.
	//
	// KeepAliveNode updates node TTL in the storage
	KeepAliveNode(ctx context.Context, h types.KeepAlive) error

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]types.Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(server types.Server) error

	// DeleteAuthServer deletes auth server by name
	DeleteAuthServer(name string) error

	// DeleteAllAuthServers deletes all auth servers
	DeleteAllAuthServers() error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(server types.Server) error

	// ProxyGetter gets a list of proxies
	ProxyGetter

	// DeleteProxy deletes proxy by name
	DeleteProxy(name string) error

	// DeleteAllProxies deletes all proxies
	DeleteAllProxies() error

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel types.ReverseTunnel) error

	// GetReverseTunnel returns reverse tunnel by name
	GetReverseTunnel(name string, opts ...MarshalOption) (types.ReverseTunnel, error)

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels(ctx context.Context, opts ...MarshalOption) ([]types.ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error

	// DeleteAllReverseTunnels deletes all reverse tunnels
	DeleteAllReverseTunnels() error

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// DeleteAllNamespaces deletes all namespaces
	DeleteAllNamespaces() error

	// UpsertNamespace upserts namespace
	UpsertNamespace(types.Namespace) error

	// DeleteNamespace deletes namespace by name
	DeleteNamespace(name string) error

	// UpsertTrustedCluster creates or updates a TrustedCluster in the backend.
	UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)

	// GetTrustedCluster returns a single TrustedCluster by name.
	GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

	// GetTrustedClusters returns all TrustedClusters in the backend.
	GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

	// DeleteTrustedCluster removes a TrustedCluster from the backend by name.
	DeleteTrustedCluster(ctx context.Context, name string) error

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(types.TunnelConnection) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]types.TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...MarshalOption) ([]types.TunnelConnection, error)

	// DeleteTunnelConnection deletes tunnel connection by name
	DeleteTunnelConnection(clusterName string, connName string) error

	// DeleteTunnelConnections deletes all tunnel connections for cluster
	DeleteTunnelConnections(clusterName string) error

	// DeleteAllTunnelConnections deletes all tunnel connections for cluster
	DeleteAllTunnelConnections() error

	// CreateRemoteCluster creates a remote cluster
	CreateRemoteCluster(types.RemoteCluster) error

	// UpdateRemoteCluster updates a remote cluster
	UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// DeleteRemoteCluster deletes remote cluster by name
	DeleteRemoteCluster(clusterName string) error

	// DeleteAllRemoteClusters deletes all remote clusters
	DeleteAllRemoteClusters() error

	// UpsertKubeService registers kubernetes service presence.
	// DELETE in 11.0. Deprecated, use UpsertKubeServiceV2
	UpsertKubeService(context.Context, types.Server) error

	// UpsertKubeServiceV2 registers kubernetes service presence
	UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(context.Context, string) ([]types.AppServer, error)
	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)
	// DeleteApplicationServer deletes specified application server.
	DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllApplicationServers removes all registered application servers.
	DeleteAllApplicationServers(context.Context, string) error

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error)
	// UpsertDatabaseServer creates or updates a new database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)
	// DeleteDatabaseServer removes the specified database proxy server.
	DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllDatabaseServers removes all database proxy servers.
	DeleteAllDatabaseServers(context.Context, string) error

	// KeepAliveServer updates TTL of the server resource in the backend.
	KeepAliveServer(ctx context.Context, h types.KeepAlive) error

	// GetKubeServices returns a list of registered kubernetes services.
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// DeleteKubeService deletes a named kubernetes service.
	// DELETE IN 13.0. Deprecated, use DeleteKubernetesServer.
	DeleteKubeService(ctx context.Context, name string) error

	// DeleteAllKubeServices deletes all registered kubernetes services.
	// DELETE IN 13.0. Deprecated, use DeleteAllKubernetesServers.
	DeleteAllKubeServices(context.Context) error

	// GetKubernetesServers returns a list of registered kubernetes servers.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// DeleteKubernetesServer deletes a named kubernetes servers.
	DeleteKubernetesServer(ctx context.Context, hostID, name string) error

	// DeleteAllKubernetesServers deletes all registered kubernetes servers.
	DeleteAllKubernetesServers(context.Context) error

	// UpsertKubernetesServer registers an kubernetes server.
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)

	// GetWindowsDesktopServices returns all registered Windows desktop services.
	GetWindowsDesktopServices(context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a Windows desktop service by name
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
	// UpsertWindowsDesktopService creates or updates a new Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)
	// DeleteWindowsDesktopService removes the specified Windows desktop service.
	DeleteWindowsDesktopService(ctx context.Context, name string) error
	// DeleteAllWindowsDesktopServices removes all Windows desktop services.
	DeleteAllWindowsDesktopServices(context.Context) error

	// ListResoures returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type Provisioner 

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ctx context.Context, token types.ProvisionToken) error

	// CreateToken adds provisioning tokens for the auth server
	CreateToken(ctx context.Context, token types.ProvisionToken) error

	// GetToken finds and returns token by id
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// DeleteToken deletes provisioning token
	// Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist
	DeleteToken(ctx context.Context, token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// GetTokens returns all non-expired tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
}

Provisioner governs adding new nodes to the cluster

type ProxyGetter 

type ProxyGetter interface {
	// GetProxies returns a list of registered proxies.
	GetProxies() ([]types.Server, error)
}

ProxyGetter is a service that gets proxies.

type ProxyWatcher 

type ProxyWatcher struct {
	// contains filtered or unexported fields
}

ProxyWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of proxies.

func NewProxyWatcher 

func NewProxyWatcher(ctx context.Context, cfg ProxyWatcherConfig) (*ProxyWatcher, error)

NewProxyWatcher returns a new instance of ProxyWatcher.

func (ProxyWatcher) Close 

func (p ProxyWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (ProxyWatcher) Done 

func (p ProxyWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (ProxyWatcher) GetCurrent 

func (p ProxyWatcher) GetCurrent() []types.Server

GetCurrent returns the currently stored proxies.

func (ProxyWatcher) IsInitialized 

func (p ProxyWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (ProxyWatcher) WaitInitialization 

func (p ProxyWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type ProxyWatcherConfig 

type ProxyWatcherConfig struct {
	ResourceWatcherConfig
	// ProxyGetter is used to directly fetch the list of active proxies.
	ProxyGetter
	// ProxyDiffer is used to decide whether a put operation on an existing proxy should
	// trigger a event.
	ProxyDiffer func(old, new types.Server) bool
	// ProxiesC is a channel used to report the current proxy set. It receives
	// a fresh list at startup and subsequently a list of all known proxies
	// whenever an addition or deletion is detected.
	ProxiesC chan []types.Server
}

ProxyWatcherConfig is a ProxyWatcher configuration.

func (*ProxyWatcherConfig) CheckAndSetDefaults 

func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type RDSEndpointType 

type RDSEndpointType string

RDSEndpointType specifies the endpoint type for RDS clusters. 

const (
	// RDSEndpointTypePrimary is the endpoint that specifies the connection for the primary instance of the RDS cluster.
	RDSEndpointTypePrimary RDSEndpointType = "primary"
	// RDSEndpointTypeReader is the endpoint that load-balances connections across the Aurora Replicas that are
	// available in an RDS cluster.
	RDSEndpointTypeReader RDSEndpointType = "reader"
	// RDSEndpointTypeCustom is the endpoint that specifies one of the custom endpoints associated with the RDS cluster.
	RDSEndpointTypeCustom RDSEndpointType = "custom"
	// RDSEndpointTypeInstance is the endpoint of an RDS DB instance.
	RDSEndpointTypeInstance RDSEndpointType = "instance"
)

type Reconciler 

type Reconciler struct {
	// contains filtered or unexported fields
}

Reconciler reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

It's used in combination with watchers by agents (app, database, desktop) to enable dynamically registered resources.

func NewReconciler 

func NewReconciler(cfg ReconcilerConfig) (*Reconciler, error)

NewReconciler creates a new reconciler with provided configuration.

func (*Reconciler) Reconcile 

func (r *Reconciler) Reconcile(ctx context.Context) error

Reconcile reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

type ReconcilerConfig 

type ReconcilerConfig struct {
	// Matcher is used to match resources.
	Matcher Matcher
	// GetCurrentResources returns currently registered resources.
	GetCurrentResources func() types.ResourcesWithLabelsMap
	// GetNewResources returns resources to compare current resources against.
	GetNewResources func() types.ResourcesWithLabelsMap
	// OnCreate is called when a new resource is detected.
	OnCreate func(context.Context, types.ResourceWithLabels) error
	// OnUpdate is called when an existing resource is updated.
	OnUpdate func(context.Context, types.ResourceWithLabels) error
	// OnDelete is called when an existing resource is deleted.
	OnDelete func(context.Context, types.ResourceWithLabels) error
	// Log is the reconciler's logger.
	Log logrus.FieldLogger
}

ReconcilerConfig is the resource reconciler configuration.

func (*ReconcilerConfig) CheckAndSetDefaults 

func (c *ReconcilerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults validates the reconciler configuration and sets defaults.

type Ref 

type Ref struct {
	Kind    string
	SubKind string
	Name    string
}

Ref is a resource reference. Typically of the form kind/name, but sometimes of the form kind/subkind/name.

func ParseRef 

func ParseRef(ref string) (*Ref, error)

ParseRef parses resource reference eg daemonsets/ds1

func (*Ref) Set 

func (r *Ref) Set(v string) error

Set sets the name of the resource

func (*Ref) String 

func (r *Ref) String() string

type Refs 

type Refs []Ref

Refs is a set of resource references

func ParseRefs 

func ParseRefs(refs string) (Refs, error)

ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")

func (*Refs) IsAll 

func (r *Refs) IsAll() bool

IsAll checks if refs is special wildcard case `all`.

func (*Refs) Set 

func (r *Refs) Set(v string) error

Set sets the value of `r` from a comma-separated string of resource references (in-place equivalent of `ParseRefs`).

func (*Refs) String 

func (r *Refs) String() string

type RequestIDs 

type RequestIDs struct {
	AccessRequests []string `json:"access_requests,omitempty"`
}

RequestIDs is a collection of IDs for privilege escalation requests.

func (*RequestIDs) Check 

func (r *RequestIDs) Check() error

func (*RequestIDs) IsEmpty 

func (r *RequestIDs) IsEmpty() bool

func (*RequestIDs) Marshal 

func (r *RequestIDs) Marshal() ([]byte, error)

func (*RequestIDs) Unmarshal 

func (r *RequestIDs) Unmarshal(data []byte) error

type RequestValidator 

type RequestValidator struct {
	Roles struct {
		AllowRequest, DenyRequest []parse.Matcher
		AllowSearch, DenySearch   []string
	}
	Annotations struct {
		Allow, Deny map[string][]string
	}
	ThresholdMatchers []struct {
		Matchers   []parse.Matcher
		Thresholds []types.AccessReviewThreshold
	}
	SuggestedReviewers []string
	// contains filtered or unexported fields
}

RequestValidator a helper for validating access requests. a user's statically assigned roles are are "added" to the validator via the push() method, which extracts all the relevant rules, peforms variable substitutions, and builds a set of simple Allow/Deny datastructures. These, in turn, are used to validate and expand the access request.

func NewRequestValidator 

func NewRequestValidator(ctx context.Context, getter RequestValidatorGetter, username string, opts ...ValidateRequestOption) (RequestValidator, error)

NewRequestValidator configures a new RequestValidor for the specified user.

func (*RequestValidator) CanRequestRole 

func (m *RequestValidator) CanRequestRole(name string) bool

CanRequestRole checks if a given role can be requested.

func (*RequestValidator) CanSearchAsRole 

func (m *RequestValidator) CanSearchAsRole(name string) bool

CanSearchAsRole check if a given role can be requested through a search-based access request

func (*RequestValidator) GetRequestableRoles 

func (m *RequestValidator) GetRequestableRoles() ([]string, error)

GetRequestableRoles gets the list of all existent roles which the user is able to request. This operation is expensive since it loads all existent roles in order to determine the role list. Prefer calling CanRequestRole when checking againt a known role list.

func (*RequestValidator) SystemAnnotations 

func (m *RequestValidator) SystemAnnotations() map[string][]string

SystemAnnotations calculates the system annotations for a pending access request.

func (*RequestValidator) Validate 

func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest) error

Validate validates an access request and potentially modifies it depending on how the validator was configured.

type RequestValidatorGetter 

type RequestValidatorGetter interface {
	UserGetter
	RoleGetter
	ResourceLister
	GetRoles(ctx context.Context) ([]types.Role, error)
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
}

RequestValidatorGetter is the interface required by the request validation functions used to get necessary resources.

type ResourceLister 

type ResourceLister interface {
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

ResourceLister is an interface which can list resources.

type ResourceMarshaler 

type ResourceMarshaler func(types.Resource, ...MarshalOption) ([]byte, error)

ResourceMarshaler handles marshaling of a specific resource type.

type ResourceMatcher 

type ResourceMatcher struct {
	// Labels match resource labels.
	Labels types.Labels
}

ResourceMatcher matches cluster resources.

type ResourceSeenKey 

type ResourceSeenKey struct {
	// contains filtered or unexported fields
}

ResourceSeenKey is used as a key for a map that keeps track of unique resource names and address. Currently "addr" only applies to resource Application.

type ResourceUnmarshaler 

type ResourceUnmarshaler func([]byte, ...MarshalOption) (types.Resource, error)

ResourceUnmarshaler handles unmarshaling of a specific resource type.

type ResourceWatcherConfig 

type ResourceWatcherConfig struct {
	// Component is a component used in logs.
	Component string
	// Log is a logger.
	Log logrus.FieldLogger
	// MaxRetryPeriod is the maximum retry period on failed watchers.
	MaxRetryPeriod time.Duration
	// Clock is used to control time.
	Clock clockwork.Clock
	// Client is used to create new watchers.
	Client types.Events
	// MaxStaleness is a maximum acceptable staleness for the locally maintained
	// resources, zero implies no staleness detection.
	MaxStaleness time.Duration
	// ResetC is a channel to notify of internal watcher reset (used in tests).
	ResetC chan time.Duration
}

ResourceWatcherConfig configures resource watcher.

func (*ResourceWatcherConfig) CheckAndSetDefaults 

func (cfg *ResourceWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Restrictions 

type Restrictions interface {
	GetNetworkRestrictions(context.Context) (types.NetworkRestrictions, error)
	SetNetworkRestrictions(context.Context, types.NetworkRestrictions) error
	DeleteNetworkRestrictions(context.Context) error
}

type ReviewPermissionChecker 

type ReviewPermissionChecker struct {
	User  types.User
	Roles struct {
		// allow/deny mappings sort role matches into lists based on their
		// constraining predicate (where) expression.
		AllowReview, DenyReview map[string][]parse.Matcher
	}
}

ReviewPermissionChecker is a helper for validating whether or not a user is allowed to review specific access requests.

func NewReviewPermissionChecker 

func NewReviewPermissionChecker(ctx context.Context, getter RequestValidatorGetter, username string) (ReviewPermissionChecker, error)

func (*ReviewPermissionChecker) CanReviewRequest 

func (c *ReviewPermissionChecker) CanReviewRequest(req types.AccessRequest) (bool, error)

CanReviewRequest checks if the user is allowed to review the specified request. note that the ability to review a request does not necessarily imply that any specific approval/denial thresholds will actually match the user's review. Matching one or more thresholds is not a pre-requisite for review submission.

func (*ReviewPermissionChecker) HasAllowDirectives 

func (c *ReviewPermissionChecker) HasAllowDirectives() bool

HasAllowDirectives checks if any allow directives exist. A user with no allow directives will never be able to review any requests.

type RoleGetter 

type RoleGetter interface {
	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)
}

RoleGetter is an interface that defines GetRole method

type RoleMatcher 

type RoleMatcher interface {
	Match(types.Role, types.RoleConditionType) (bool, error)
}

RoleMatcher defines an interface for a generic role matcher.

func NewKubernetesClusterLabelMatcher 

func NewKubernetesClusterLabelMatcher(clustersLabels map[string]string) RoleMatcher

NewKubernetesClusterLabelMatcher creates a RoleMatcher that checks whether a role's Kubernetes service labels match.

func NewLoginMatcher 

func NewLoginMatcher(login string) RoleMatcher

NewLoginMatcher creates a RoleMatcher that checks whether the role's logins match the specified condition.

func NewWindowsLoginMatcher 

func NewWindowsLoginMatcher(login string) RoleMatcher

NewWindowsLoginMatcher creates a RoleMatcher that checks whether the role's Windows desktop logins match the specified condition.

type RoleMatchers 

type RoleMatchers []RoleMatcher

RoleMatchers defines a list of matchers.

func (RoleMatchers) MatchAll 

func (m RoleMatchers) MatchAll(role types.Role, condition types.RoleConditionType) (bool, error)

MatchAll returns true if all matchers in the set match.

func (RoleMatchers) MatchAny 

func (m RoleMatchers) MatchAny(role types.Role, condition types.RoleConditionType) (bool, RoleMatcher, error)

MatchAny returns true if at least one of the matchers in the set matches.

If the result is true, returns matcher that matched.

type RoleSet 

type RoleSet []types.Role

RoleSet is a set of roles that implements access control functionality

func FetchAllClusterRoles 

func FetchAllClusterRoles(ctx context.Context, access CurrentUserRoleGetter, defaultRoleNames []string, defaultTraits wrappers.Traits) (RoleSet, error)

FetchAllClusterRoles fetches all roles available to the user on the specified cluster, applies traits, and adds runtime roles like the default implicit role to RoleSet.

func FetchRoleList 

func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoleList fetches roles by their names, applies the traits to role variables, and returns the list

func FetchRoles 

func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.

func NewRoleSet 

func NewRoleSet(roles ...types.Role) RoleSet

NewRoleSet returns new RoleSet based on the roles

func RoleSetFromSpec 

func RoleSetFromSpec(name string, spec types.RoleSpecV5) (RoleSet, error)

RoleSetFromSpec returns a new RoleSet from spec

func (RoleSet) AdjustClientIdleTimeout 

func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration

AdjustClientIdleTimeout adjusts requested idle timeout to the lowest max allowed timeout, the most restrictive option will be picked, negative values will be assumed as 0

func (RoleSet) AdjustDisconnectExpiredCert 

func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool

AdjustDisconnectExpiredCert adjusts the value based on the role set the most restrictive option will be picked

func (RoleSet) AdjustSessionTTL 

func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration

AdjustSessionTTL will reduce the requested ttl to the lowest max allowed TTL for this role set, otherwise it returns ttl unchanged

func (RoleSet) CanCopyFiles 

func (set RoleSet) CanCopyFiles() bool

CanCopyFiles returns true if the role set has enabled remote file operations via SCP or SFTP. Remote file operations are disabled if one or more of the roles in the set has disabled it.

func (RoleSet) CanForwardAgents 

func (set RoleSet) CanForwardAgents() bool

CanForwardAgents returns true if role set allows forwarding agents.

func (RoleSet) CanImpersonateSomeone 

func (set RoleSet) CanImpersonateSomeone() bool

CanImpersonateSomeone returns true if this checker has any impersonation rules

func (RoleSet) CanPortForward 

func (set RoleSet) CanPortForward() bool

CanPortForward returns true if a role in the RoleSet allows port forwarding.

func (RoleSet) CertificateExtensions 

func (set RoleSet) CertificateExtensions() []*types.CertExtension

CertificateExtensions returns the list of extensions for each role in the RoleSet

func (RoleSet) CertificateFormat 

func (set RoleSet) CertificateFormat() string

CertificateFormat returns the most permissive certificate format in a RoleSet.

func (RoleSet) CheckAWSRoleARNs 

func (set RoleSet) CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

CheckAWSRoleARNs returns a list of AWS role ARNs this role set is allowed to assume.

func (RoleSet) CheckAccessToRemoteCluster 

func (set RoleSet) CheckAccessToRemoteCluster(rc types.RemoteCluster) error

CheckAccessToRemoteCluster checks if a role has access to remote cluster. Deny rules are checked first then allow rules. Access to a cluster is determined by namespaces, labels, and logins.

func (RoleSet) CheckAccessToRule 

func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

CheckAccessToRule checks if the RoleSet provides access in the given namespace to the specified resource and verb. silent controls whether the access violations are logged.

func (RoleSet) CheckAgentForward 

func (set RoleSet) CheckAgentForward(login string) error

CheckAgentForward checks if the role can request to forward the SSH agent for this user.

func (RoleSet) CheckDatabaseNamesAndUsers 

func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)

CheckDatabaseNamesAndUsers checks if the role has any allowed database names or users.

func (RoleSet) CheckImpersonate 

func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

CheckImpersonate returns nil if this role set can impersonate a user and their roles, returns AccessDenied otherwise CheckImpersonate checks whether current user is allowed to impersonate users and roles

func (RoleSet) CheckImpersonateRoles 

func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

CheckImpersonateRoles validates that the current user can perform role-only impersonation of the given roles. Role-only impersonation requires an allow rule with roles but no users (and no user-less deny rules). All requested roles must be allowed for the check to succeed.

func (RoleSet) CheckKubeGroupsAndUsers 

func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)

CheckKubeGroupsAndUsers check if role can login into kubernetes and returns two lists of allowed groups and users

func (RoleSet) CheckLoginDuration 

func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)

CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.

func (RoleSet) DesktopClipboard 

func (set RoleSet) DesktopClipboard() bool

DesktopClipboard returns true if the role set has enabled shared clipboard for desktop sessions. Clipboard sharing is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) DesktopDirectorySharing 

func (set RoleSet) DesktopDirectorySharing() bool

DesktopDirectorySharing returns true if the role set has directory sharing enabled. This setting is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) EnhancedRecordingSet 

func (set RoleSet) EnhancedRecordingSet() map[string]bool

EnhancedRecordingSet returns the set of enhanced session recording events to capture for thi role set.

func (RoleSet) EnumerateDatabaseUsers 

func (set RoleSet) EnumerateDatabaseUsers(database types.Database, extraUsers ...string) EnumerationResult

EnumerateDatabaseUsers works on a given role set to return a minimal description of allowed set of usernames. It is biased towards *allowed* usernames; It is meant to describe what the user can do, rather than cannot do. For that reason if the user isn't allowed to pick *any* entities, the output will be empty.

In cases where * is listed in set of allowed users, it may be hard for users to figure out the expected username. For this reason the parameter extraUsers provides an extra set of users to be checked against RoleSet. This extra set of users may be sourced e.g. from user connection history.

func (RoleSet) EnumerateServerLogins 

func (set RoleSet) EnumerateServerLogins(server types.Server) EnumerationResult

EnumerateServerLogins works on a given role set to return a minimal description of allowed set of logins. The wildcard selector is ignored, since it is now allowed for server logins

func (RoleSet) ExtractConditionForIdentifier 

func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

ExtractConditionForIdentifier returns a restrictive filter expression for list queries based on the rules' `where` conditions.

func (RoleSet) GetAllLogins 

func (set RoleSet) GetAllLogins() []string

GetAllLogins returns all valid unix logins for the RoleSet.

func (RoleSet) GetAllowedPreviewAsRoles 

func (set RoleSet) GetAllowedPreviewAsRoles() []string

GetAllowedPreviewAsRoles returns all PreviewAsRoles for this RoleSet.

func (RoleSet) GetAllowedSearchAsRoles 

func (set RoleSet) GetAllowedSearchAsRoles() []string

GetSearchAsRoles returns all SearchAsRoles for this RoleSet.

func (RoleSet) GetLoginsForTTL 

func (set RoleSet) GetLoginsForTTL(ttl time.Duration) (logins []string, matchedTTL bool)

GetLoginsForTTL collects all logins that are valid for the given TTL. The matchedTTL value indicates whether the TTL is within scope of *any* role. This helps to distinguish between TTLs which are categorically invalid, and TTLs which are theoretically valid but happen to grant no logins.

func (RoleSet) GuessIfAccessIsPossible 

func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

GuessIfAccessIsPossible guesses if access is possible for an entire category of resources. It responds the question: "is it possible that there is a resource of this kind that the current user can access?". GuessIfAccessIsPossible is used, mainly, for UI decisions ("should the tab for resource X appear"?). Most callers should use CheckAccessToRule instead.

func (RoleSet) HasRole 

func (set RoleSet) HasRole(role string) bool

HasRole checks if the role set has the role

func (RoleSet) HostUsers 

func (set RoleSet) HostUsers(s types.Server) (*HostUsersInfo, error)

HostUsers returns host user information matching a server or nil if a role disallows host user creation

func (RoleSet) LockingMode 

func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode

LockingMode returns the locking mode to apply with this RoleSet.

func (RoleSet) MFAParams 

func (set RoleSet) MFAParams(authPrefRequirement types.RequireMFAType) (params AccessMFAParams)

MFAParams returns MFA params for the given user given their roles, the cluster auth preference, and whether mfa has been verified.

func (RoleSet) MaxConnections 

func (set RoleSet) MaxConnections() int64

MaxConnections returns the maximum number of concurrent ssh connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxKubernetesConnections 

func (set RoleSet) MaxKubernetesConnections() int64

MaxConnections returns the maximum number of concurrent Kubernetes connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxSessions 

func (set RoleSet) MaxSessions() int64

MaxSessions returns the maximum number of concurrent ssh sessions per connection. If MaxSessions is zero then no maximum was defined and the number of sessions is unconstrained.

func (RoleSet) MaybeCanReviewRequests 

func (set RoleSet) MaybeCanReviewRequests() bool

MaybeCanReviewRequests attempts to guess if this RoleSet belongs to a user who should be submitting access reviews. Because not all rolesets are derived from statically assigned roles, this may return false positives.

func (RoleSet) PermitX11Forwarding 

func (set RoleSet) PermitX11Forwarding() bool

PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.

func (RoleSet) PinSourceIP 

func (set RoleSet) PinSourceIP() bool

PinSourceIP determines if the role set should use source IP pinning. If one or more roles in the set requires IP pinning then it will be enabled.

func (RoleSet) PrivateKeyPolicy 

func (set RoleSet) PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy

PrivateKeyPolicy returns the enforced private key policy for this role set.

func (RoleSet) RecordDesktopSession 

func (set RoleSet) RecordDesktopSession() bool

RecordDesktopSession returns true if the role set has enabled desktop session recording. Recording is considered enabled if at least one role in the set has enabled it.

func (RoleSet) RoleNames 

func (set RoleSet) RoleNames() []string

RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.

func (RoleSet) Roles 

func (set RoleSet) Roles() []types.Role

Roles returns the list underlying roles this RoleSet is based on.

func (RoleSet) SessionPolicySets 

func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet

SessionPolicySets returns the list of SessionPolicySets for all roles.

func (RoleSet) SessionRecordingMode 

func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

SessionRecordingMode returns the recording mode for a specific service.

func (RoleSet) String 

func (set RoleSet) String() string

func (RoleSet) WithoutImplicit 

func (set RoleSet) WithoutImplicit() (out RoleSet)

WithoutImplicit returns this role set with default implicit role filtered out.

type RotationGetter 

type RotationGetter func(role types.SystemRole) (*types.Rotation, error)

RotationGetter returns the rotation state.

type RuleContext 

type RuleContext interface {
	// GetIdentifier returns identifier defined in a context
	GetIdentifier(fields []string) (interface{}, error)
	// GetResource returns resource if specified in the context,
	// if unspecified, returns error.
	GetResource() (types.Resource, error)
}

RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user

type RuleSet 

type RuleSet map[string][]types.Rule

RuleSet maps resource to a set of rules defined for it

func MakeRuleSet 

func MakeRuleSet(rules []types.Rule) RuleSet

MakeRuleSet creates a new rule set from a list

func (RuleSet) Match 

func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)

Match tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.

Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.

func (RuleSet) Slice 

func (set RuleSet) Slice() []types.Rule

Slice returns slice from a set

type SemaphoreLock 

type SemaphoreLock struct {
	// contains filtered or unexported fields
}

SemaphoreLock provides a convenient interface for managing semaphore lease keepalive operations.

func AcquireSemaphoreLock 

func AcquireSemaphoreLock(ctx context.Context, cfg SemaphoreLockConfig) (*SemaphoreLock, error)

AcquireSemaphoreLock attempts to acquire and hold a semaphore lease. If successfully acquired, background keepalive processes are started and an associated lock handle is returned. Canceling the supplied context releases the semaphore.

func (*SemaphoreLock) Done 

func (l *SemaphoreLock) Done() <-chan struct{}

Done signals that lease keepalive operations have stopped.

func (*SemaphoreLock) Renewed 

func (l *SemaphoreLock) Renewed() <-chan struct{}

Renewed notifies on next successful lease keepalive. Used in tests to block until next renewal.

func (*SemaphoreLock) Stop 

func (l *SemaphoreLock) Stop()

Stop stops associated lease keepalive.

func (*SemaphoreLock) Wait 

func (l *SemaphoreLock) Wait() error

Wait blocks until the final result is available. Note that this method may block longer than desired since cancellation of the parent context triggers the *start* of the release operation.

type SemaphoreLockConfig 

type SemaphoreLockConfig struct {
	// Service is the service against which all semaphore
	// operations are performed.
	Service types.Semaphores
	// Expiry is an optional lease expiry parameter.
	Expiry time.Duration
	// TickRate is the rate at which lease renewals are attempted
	// and defaults to 1/2 expiry.  Used to accelerate tests.
	TickRate time.Duration
	// Params holds the semaphore lease acquisition parameters.
	Params types.AcquireSemaphoreRequest
	// Clock used to alter time in tests
	Clock clockwork.Clock
}

func (*SemaphoreLockConfig) CheckAndSetDefaults 

func (l *SemaphoreLockConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default parameters

type Services 

type Services interface {
	UsersService
	Provisioner
	Trust
	types.Events
	ClusterConfiguration
	Access
	DynamicAccessCore
	Presence
	Restrictions
	Apps
	Databases
	Kubernetes
	AppSession
	SnowflakeSession
	types.WebSessionsGetter
	types.WebTokensGetter
	WindowsDesktops
}

Services collects all services

type SessionTrackerService 

type SessionTrackerService interface {
	// GetActiveSessionTrackers returns a list of active session trackers.
	GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

	// GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
	GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

	// GetSessionTracker returns the current state of a session tracker for an active session.
	GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

	// CreateSessionTracker creates a tracker resource for an active session.
	CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error)

	// UpdateSessionTracker updates a tracker resource for an active session.
	UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

	// RemoveSessionTracker removes a tracker resource for an active session.
	RemoveSessionTracker(ctx context.Context, sessionID string) error

	// UpdatePresence updates the presence status of a user in a session.
	UpdatePresence(ctx context.Context, sessionID, user string) error
}

SessionTrackerService is a realtime session service that has information about sessions that are in-flight in the cluster at the moment.

type SnowflakeSession 

type SnowflakeSession interface {
	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
	// GetSnowflakeSessions gets all Snowflake web sessions.
	GetSnowflakeSessions(context.Context) ([]types.WebSession, error)
	// UpsertSnowflakeSession upserts a Snowflake web session.
	UpsertSnowflakeSession(context.Context, types.WebSession) error
	// DeleteSnowflakeSession removes a Snowflake web session.
	DeleteSnowflakeSession(context.Context, types.DeleteSnowflakeSessionRequest) error
	// DeleteAllSnowflakeSessions removes all Snowflake web sessions.
	DeleteAllSnowflakeSessions(context.Context) error
}

SnowflakeSession defines Snowflake session features.

type SortedLoginAttempts 

type SortedLoginAttempts []LoginAttempt

SortedLoginAttempts sorts login attempts by time

func (SortedLoginAttempts) Len 

func (s SortedLoginAttempts) Len() int

Len returns length of a role list

func (SortedLoginAttempts) Less 

func (s SortedLoginAttempts) Less(i, j int) bool

Less stacks latest attempts to the end of the list

func (SortedLoginAttempts) Swap 

func (s SortedLoginAttempts) Swap(i, j int)

Swap swaps two attempts

type SortedReverseTunnels 

type SortedReverseTunnels []types.ReverseTunnel

SortedReverseTunnels sorts reverse tunnels by cluster name

func (SortedReverseTunnels) Len 

func (s SortedReverseTunnels) Len() int

func (SortedReverseTunnels) Less 

func (s SortedReverseTunnels) Less(i, j int) bool

func (SortedReverseTunnels) Swap 

func (s SortedReverseTunnels) Swap(i, j int)

type SortedRoles 

type SortedRoles []types.Role

SortedRoles sorts roles by name

func (SortedRoles) Len 

func (s SortedRoles) Len() int

Len returns length of a role list

func (SortedRoles) Less 

func (s SortedRoles) Less(i, j int) bool

Less compares roles by name

func (SortedRoles) Swap 

func (s SortedRoles) Swap(i, j int)

Swap swaps two roles in a list

type SortedServers 

type SortedServers []types.Server

SortedServers is a sort wrapper that sorts servers by name

func (SortedServers) Len 

func (s SortedServers) Len() int

func (SortedServers) Less 

func (s SortedServers) Less(i, j int) bool

func (SortedServers) Swap 

func (s SortedServers) Swap(i, j int)

type Status 

type Status interface {
	// GetClusterAlerts loads all matching cluster alerts.
	GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

	// UpsertClusterAlert creates the specified alert, overwriting any preexising alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
}

Status defines an interface for managing cluster status info.

type StatusInternal 

type StatusInternal interface {
	Status

	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}

StatusInternal extends Status with auth-internal methods.

type Trust 

type Trust interface {
	// AuthorityGetter retrieves certificate authorities
	AuthorityGetter

	// CreateCertAuthority inserts a new certificate authority
	CreateCertAuthority(ca types.CertAuthority) error

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ca types.CertAuthority) error

	// CompareAndSwapCertAuthority updates the cert authority value
	// if existing value matches existing parameter,
	// returns nil if succeeds, trace.CompareFailed otherwise
	CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(id types.CertAuthID) error

	// DeleteAllCertAuthorities deletes cert authorities of a certain type
	DeleteAllCertAuthorities(caType types.CertAuthType) error

	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id types.CertAuthID) error

	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id types.CertAuthID) error
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type UnknownResource 

type UnknownResource struct {
	types.ResourceHeader
	// Raw is raw representation of the resource
	Raw []byte
}

UnknownResource is used to detect resources

func (*UnknownResource) UnmarshalJSON 

func (u *UnknownResource) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals header and captures raw state

type UsageAnonymizable 

type UsageAnonymizable interface {
	// Anonymize uses the given anonymizer to anonymize the event and converts
	// it into a partially filled SubmitEventRequest.
	Anonymize(utils.Anonymizer) prehogv1.SubmitEventRequest
}

UsageAnonymizable is an event that can be anonymized.

func ConvertUsageEvent 

func ConvertUsageEvent(event *usageevents.UsageEventOneOf, identityUsername string) (UsageAnonymizable, error)

ConvertUsageEvent converts a usage event from an API object into an anonymizable event. All events that can be submitted externally via the Auth API need to be defined here.

type UsageReporter 

type UsageReporter interface {
	// SubmitAnonymizedUsageEvent submits a usage event. The payload will be
	// anonymized by the reporter implementation.
	SubmitAnonymizedUsageEvents(event ...UsageAnonymizable) error
}

UsageReporter is a service that accepts Teleport usage events.

type UsageResourceCreate 

type UsageResourceCreate prehogv1.ResourceCreateEvent

UsageResourceCreate is an event emitted when various resource types have been created.

func (*UsageResourceCreate) Anonymize 

func (u *UsageResourceCreate) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageSSOCreate 

type UsageSSOCreate prehogv1.SSOCreateEvent

UsageSSOCreate is emitted when an SSO connector has been created.

func (*UsageSSOCreate) Anonymize 

func (u *UsageSSOCreate) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageSessionStart 

type UsageSessionStart prehogv1.SessionStartEvent

UsageSessionStart is an event emitted when some Teleport session has started (ssh, etc).

func (*UsageSessionStart) Anonymize 

func (u *UsageSessionStart) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIBannerClick 

type UsageUIBannerClick prehogv1.UIBannerClickEvent

UsageUIBannerClick is a UI event sent when a banner is clicked.

func (*UsageUIBannerClick) Anonymize 

func (u *UsageUIBannerClick) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardAddFirstResourceClickEvent 

type UsageUIOnboardAddFirstResourceClickEvent prehogv1.UIOnboardAddFirstResourceClickEvent

UsageUIOnboardAddFirstResourceClickEvent is a UI event sent when a user clicks the "add first resource" button.

func (*UsageUIOnboardAddFirstResourceClickEvent) Anonymize 

func (u *UsageUIOnboardAddFirstResourceClickEvent) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardAddFirstResourceLaterClickEvent 

type UsageUIOnboardAddFirstResourceLaterClickEvent prehogv1.UIOnboardAddFirstResourceLaterClickEvent

UsageUIOnboardAddFirstResourceLaterClickEvent is a UI event sent when a user clicks the "add first resource later" button.

func (*UsageUIOnboardAddFirstResourceLaterClickEvent) Anonymize 

func (u *UsageUIOnboardAddFirstResourceLaterClickEvent) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardCompleteGoToDashboardClickEvent 

type UsageUIOnboardCompleteGoToDashboardClickEvent prehogv1.UIOnboardCompleteGoToDashboardClickEvent

UsageUIOnboardCompleteGoToDashboardClickEvent is a UI event sent when onboarding is complete.

func (*UsageUIOnboardCompleteGoToDashboardClickEvent) Anonymize 

func (u *UsageUIOnboardCompleteGoToDashboardClickEvent) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardGetStartedClickEvent 

type UsageUIOnboardGetStartedClickEvent prehogv1.UIOnboardGetStartedClickEvent

UsageUIOnboardGetStartedClickEvent is a UI event sent when the "get started" button is clicked.

func (*UsageUIOnboardGetStartedClickEvent) Anonymize 

func (u *UsageUIOnboardGetStartedClickEvent) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardRegisterChallengeSubmit 

type UsageUIOnboardRegisterChallengeSubmit prehogv1.UIOnboardRegisterChallengeSubmitEvent

UsageUIOnboardRegisterChallengeSubmit is a UI event sent during registration when the MFA challenge is completed.

func (*UsageUIOnboardRegisterChallengeSubmit) Anonymize 

func (u *UsageUIOnboardRegisterChallengeSubmit) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIOnboardSetCredentialSubmit 

type UsageUIOnboardSetCredentialSubmit prehogv1.UIOnboardSetCredentialSubmitEvent

UsageUIOnboardSetCredentialSubmit is an UI event sent during registration when the user configures login credentials.

func (*UsageUIOnboardSetCredentialSubmit) Anonymize 

func (u *UsageUIOnboardSetCredentialSubmit) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUIRecoveryCodesContinueClick 

type UsageUIRecoveryCodesContinueClick prehogv1.UIRecoveryCodesContinueClickEvent

UsageUIRecoveryCodesContinueClick is a UI event sent when a user configures recovery codes.

func (*UsageUIRecoveryCodesContinueClick) Anonymize 

func (u *UsageUIRecoveryCodesContinueClick) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UsageUserLogin 

type UsageUserLogin prehogv1.UserLoginEvent

UsageUserLogin is an event emitted when a user logs into Teleport, potentially via SSO.

func (*UsageUserLogin) Anonymize 

func (u *UsageUserLogin) Anonymize(a utils.Anonymizer) prehogv1.SubmitEventRequest

type UserCertParams 

type UserCertParams struct {
	// CASigner is the signer that will sign the public key of the user with the CA private key
	CASigner ssh.Signer
	// PublicUserKey is the public key of the user
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for
	TTL time.Duration
	// Username is teleport username
	Username string
	// Impersonator is set when a user requests certificate for another user
	Impersonator string
	// AllowedLogins is a list of SSH principals
	AllowedLogins []string
	// PermitX11Forwarding permits X11 forwarding for this cert
	PermitX11Forwarding bool
	// PermitAgentForwarding permits agent forwarding for this cert
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// PermitFileCopying permits the use of SCP/SFTP.
	PermitFileCopying bool
	// Roles is a list of roles assigned to this user
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster
	// if present in the certificate, will be used
	// to route the requests to
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// ClientIP is an IP of the client to embed in the certificate.
	ClientIP string
	// SourceIP is an IP that certificate should be pinned to.
	SourceIP string
	// DisallowReissue flags that any attempt to request new certificates while
	// authenticated with this cert should be denied.
	DisallowReissue bool
	// CertificateExtensions are user configured ssh key extensions
	CertificateExtensions []*types.CertExtension
	// Renewable indicates this certificate is renewable
	Renewable bool
	// Generation counts the number of times a certificate has been renewed.
	Generation uint64
	// AllowedResourceIDs lists the resources the user should be able to access.
	AllowedResourceIDs string
	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
	ConnectionDiagnosticID string
	// PrivateKeyPolicy is the private key policy supported by this certificate.
	PrivateKeyPolicy keys.PrivateKeyPolicy
}

UserCertParams defines OpenSSH user certificate parameters

func (*UserCertParams) CheckAndSetDefaults 

func (c *UserCertParams) CheckAndSetDefaults() error

CheckAndSetDefaults checks the user certificate parameters

type UserGetter 

type UserGetter interface {
	// GetUser returns a user by name
	GetUser(user string, withSecrets bool) (types.User, error)
}

UserGetter is responsible for getting users

type Users 

type Users []types.User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len 

func (u Users) Len() int

func (Users) Less 

func (u Users) Less(i, j int) bool

func (Users) Swap 

func (u Users) Swap(i, j int)

type UsersService 

type UsersService interface {
	UserGetter
	// UpdateUser updates an existing user.
	UpdateUser(ctx context.Context, user types.User) error
	// UpsertUser updates parameters about user
	UpsertUser(user types.User) error
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server
	GetUsers(withSecrets bool) ([]types.User, error)
	// DeleteAllUsers deletes all users
	DeleteAllUsers() error
}

UsersService is responsible for basic user management

type ValidateRequestOption 

type ValidateRequestOption func(*RequestValidator)

func ExpandVars 

func ExpandVars(expand bool) ValidateRequestOption

ExpandVars toggles variable expansion during request validation. Variable expansion includes expanding wildcard requests, setting system annotations, and gathering threshold information. Variable expansion should be run by the auth server prior to storing an access request for the first time.

type WindowsDesktops 

type WindowsDesktops interface {
	GetWindowsDesktops(context.Context, types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
	DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
	DeleteAllWindowsDesktops(context.Context) error
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
}

WindowsDesktops defines an interface for managing Windows desktop hosts.

Source Files

View all Source files

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
 Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.