2018-11-07 01:21:44 +00:00
|
|
|
/*
|
2018-12-12 00:22:44 +00:00
|
|
|
Copyright 2018-2019 Gravitational, Inc.
|
2018-11-07 01:21:44 +00:00
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2016-02-16 17:36:02 +00:00
|
|
|
package teleport
|
|
|
|
|
|
|
|
import (
|
2021-05-12 00:18:26 +00:00
|
|
|
"fmt"
|
2018-02-08 02:32:50 +00:00
|
|
|
"strings"
|
2016-02-16 17:36:02 +00:00
|
|
|
"time"
|
2021-01-29 17:37:01 +00:00
|
|
|
|
2021-05-12 00:18:26 +00:00
|
|
|
"github.com/coreos/go-semver/semver"
|
|
|
|
|
2021-01-29 17:37:01 +00:00
|
|
|
"github.com/gravitational/teleport/api/constants"
|
|
|
|
)
|
|
|
|
|
|
|
|
// The following constants have been moved to /api/constants/constants.go, and are now
|
|
|
|
// imported here for backwards compatibility. DELETE IN 7.0.0
|
|
|
|
const (
|
2021-04-14 20:39:59 +00:00
|
|
|
Local = constants.Local
|
|
|
|
OIDC = constants.OIDC
|
|
|
|
SAML = constants.SAML
|
|
|
|
Github = constants.Github
|
|
|
|
HumanDateFormatSeconds = constants.HumanDateFormatSeconds
|
|
|
|
DefaultImplicitRole = constants.DefaultImplicitRole
|
|
|
|
APIDomain = constants.APIDomain
|
|
|
|
CertificateFormatStandard = constants.CertificateFormatStandard
|
|
|
|
DurationNever = constants.DurationNever
|
|
|
|
EnhancedRecordingMinKernel = constants.EnhancedRecordingMinKernel
|
|
|
|
EnhancedRecordingCommand = constants.EnhancedRecordingCommand
|
|
|
|
EnhancedRecordingDisk = constants.EnhancedRecordingDisk
|
|
|
|
EnhancedRecordingNetwork = constants.EnhancedRecordingNetwork
|
|
|
|
KeepAliveNode = constants.KeepAliveNode
|
|
|
|
KeepAliveApp = constants.KeepAliveApp
|
|
|
|
KeepAliveDatabase = constants.KeepAliveDatabase
|
|
|
|
WindowsOS = constants.WindowsOS
|
|
|
|
LinuxOS = constants.LinuxOS
|
|
|
|
DarwinOS = constants.DarwinOS
|
|
|
|
UseOfClosedNetworkConnection = constants.UseOfClosedNetworkConnection
|
2016-02-16 17:36:02 +00:00
|
|
|
)
|
|
|
|
|
2017-03-02 19:50:35 +00:00
|
|
|
// WebAPIVersion is a current webapi version
|
|
|
|
const WebAPIVersion = "v1"
|
|
|
|
|
2016-02-16 17:36:02 +00:00
|
|
|
// ForeverTTL means that object TTL will not expire unless deleted
|
2016-03-11 01:03:01 +00:00
|
|
|
const ForeverTTL time.Duration = 0
|
|
|
|
|
2017-03-08 05:42:17 +00:00
|
|
|
const (
|
|
|
|
// SSHAuthSock is the environment variable pointing to the
|
|
|
|
// Unix socket the SSH agent is running on.
|
|
|
|
SSHAuthSock = "SSH_AUTH_SOCK"
|
|
|
|
// SSHAgentPID is the environment variable pointing to the agent
|
|
|
|
// process ID
|
|
|
|
SSHAgentPID = "SSH_AGENT_PID"
|
2017-04-07 00:16:28 +00:00
|
|
|
|
|
|
|
// SSHTeleportUser is the current Teleport user that is logged in.
|
|
|
|
SSHTeleportUser = "SSH_TELEPORT_USER"
|
|
|
|
|
|
|
|
// SSHSessionWebproxyAddr is the address the web proxy.
|
|
|
|
SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"
|
|
|
|
|
|
|
|
// SSHTeleportClusterName is the name of the cluster this node belongs to.
|
|
|
|
SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"
|
|
|
|
|
|
|
|
// SSHTeleportHostUUID is the UUID of the host.
|
|
|
|
SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"
|
|
|
|
|
|
|
|
// SSHSessionID is the UUID of the current session.
|
|
|
|
SSHSessionID = "SSH_SESSION_ID"
|
2017-03-08 05:42:17 +00:00
|
|
|
)
|
2017-02-13 23:37:08 +00:00
|
|
|
|
2020-07-15 00:15:01 +00:00
|
|
|
const (
|
|
|
|
// HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during
|
|
|
|
// HTTP/1.1.'s TLS setup.
|
|
|
|
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
|
|
|
|
HTTPNextProtoTLS = "http/1.1"
|
|
|
|
)
|
|
|
|
|
2017-05-17 00:43:55 +00:00
|
|
|
const (
|
|
|
|
// HTTPSProxy is an environment variable pointing to a HTTPS proxy.
|
|
|
|
HTTPSProxy = "HTTPS_PROXY"
|
|
|
|
|
|
|
|
// HTTPProxy is an environment variable pointing to a HTTP proxy.
|
|
|
|
HTTPProxy = "HTTP_PROXY"
|
2018-08-20 21:01:15 +00:00
|
|
|
|
|
|
|
// NoProxy is an environment variable matching the cases
|
|
|
|
// when HTTPS_PROXY or HTTP_PROXY is ignored
|
|
|
|
NoProxy = "NO_PROXY"
|
2017-05-17 00:43:55 +00:00
|
|
|
)
|
|
|
|
|
2017-02-10 22:46:26 +00:00
|
|
|
const (
|
2017-02-13 23:37:08 +00:00
|
|
|
// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
|
|
|
|
TOTPValidityPeriod uint = 30
|
|
|
|
|
|
|
|
// TOTPSkew adds that many periods before and after to the validity window.
|
|
|
|
TOTPSkew uint = 1
|
2017-02-10 22:46:26 +00:00
|
|
|
)
|
|
|
|
|
2016-03-11 01:03:01 +00:00
|
|
|
const (
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentMemory is a memory backend
|
|
|
|
ComponentMemory = "memory"
|
|
|
|
|
2017-11-25 01:09:11 +00:00
|
|
|
// ComponentAuthority is a TLS and an SSH certificate authority
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentAuthority = "ca"
|
2017-11-25 01:09:11 +00:00
|
|
|
|
|
|
|
// ComponentProcess is a main control process
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentProcess = "proc"
|
2017-11-25 01:09:11 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentServer is a server subcomponent of some services
|
|
|
|
ComponentServer = "server"
|
|
|
|
|
2020-12-20 03:56:03 +00:00
|
|
|
// ComponentACME is ACME protocol controller
|
|
|
|
ComponentACME = "acme"
|
|
|
|
|
2017-10-06 22:38:15 +00:00
|
|
|
// ComponentReverseTunnelServer is reverse tunnel server
|
|
|
|
// that together with agent establish a bi-directional SSH revers tunnel
|
2016-03-16 02:57:02 +00:00
|
|
|
// to bypass firewall restrictions
|
2017-10-06 22:38:15 +00:00
|
|
|
ComponentReverseTunnelServer = "proxy:server"
|
2016-03-16 02:57:02 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentReverseTunnelAgent is reverse tunnel agent
|
2017-10-06 22:38:15 +00:00
|
|
|
// that together with server establish a bi-directional SSH revers tunnel
|
2016-03-16 02:57:02 +00:00
|
|
|
// to bypass firewall restrictions
|
2017-10-06 22:38:15 +00:00
|
|
|
ComponentReverseTunnelAgent = "proxy:agent"
|
2016-03-16 02:57:02 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentLabel is a component label name used in reporting
|
|
|
|
ComponentLabel = "component"
|
|
|
|
|
2020-10-30 17:19:53 +00:00
|
|
|
// ComponentProxyKube is a kubernetes proxy
|
|
|
|
ComponentProxyKube = "proxy:kube"
|
2018-05-19 23:58:14 +00:00
|
|
|
|
2016-09-02 23:04:05 +00:00
|
|
|
// ComponentAuth is the cluster CA node (auth server API)
|
|
|
|
ComponentAuth = "auth"
|
|
|
|
|
Events and GRPC API
This commit introduces several key changes to
Teleport backend and API infrastructure
in order to achieve scalability improvements
on 10K+ node deployments.
Events and plain keyspace
--------------------------
New backend interface supports events,
pagination and range queries
and moves away from buckets to
plain keyspace, what better aligns
with DynamoDB and Etcd featuring similar
interfaces.
All backend implementations are
exposing Events API, allowing
multiple subscribers to consume the same
event stream and avoid polling database.
Replacing BoltDB, Dir with SQLite
-------------------------------
BoltDB backend does not support
having two processes access the database at the
same time. This prevented Teleport
using BoltDB backend to be live reloaded.
SQLite supports reads/writes by multiple
processes and makes Dir backend obsolete
as SQLite is more efficient on larger collections,
supports transactions and can detect data
corruption.
Teleport automatically migrates data from
Bolt and Dir backends into SQLite.
GRPC API and protobuf resources
-------------------------------
GRPC API has been introduced for
the auth server. The auth server now serves both GRPC
and JSON-HTTP API on the same TLS socket and uses
the same client certificate authentication.
All future API methods should use GRPC and HTTP-JSON
API is considered obsolete.
In addition to that some resources like
Server and CertificateAuthority are now
generated from protobuf service specifications in
a way that is fully backward compatible with
original JSON spec and schema, so the same resource
can be encoded and decoded from JSON, YAML
and protobuf.
All models should be refactored
into new proto specification over time.
Streaming presence service
--------------------------
In order to cut bandwidth, nodes
are sending full updates only when changes
to labels or spec have occured, otherwise
new light-weight GRPC keep alive updates are sent
over to the presence service, reducing
bandwidth usage on multi-node deployments.
In addition to that nodes are no longer polling
auth server for certificate authority rotation
updates, instead they subscribe to event updates
to detect updates as soon as they happen.
This is a new API, so the errors are inevitable,
that's why polling is still done, but
on a way slower rate.
2018-11-07 23:33:38 +00:00
|
|
|
// ComponentGRPC is grpc server
|
|
|
|
ComponentGRPC = "grpc"
|
|
|
|
|
|
|
|
// ComponentMigrate is responsible for data migrations
|
|
|
|
ComponentMigrate = "migrate"
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentNode is SSH node (SSH server serving requests)
|
|
|
|
ComponentNode = "node"
|
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentForwardingNode is SSH node (SSH server serving requests)
|
2017-11-29 00:15:46 +00:00
|
|
|
ComponentForwardingNode = "node:forward"
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentProxy is SSH proxy (SSH server forwarding connections)
|
|
|
|
ComponentProxy = "proxy"
|
|
|
|
|
2020-10-19 00:09:29 +00:00
|
|
|
// ComponentApp is the application proxy service.
|
|
|
|
ComponentApp = "app:service"
|
|
|
|
|
2021-01-15 02:21:38 +00:00
|
|
|
// ComponentDatabase is the database proxy service.
|
|
|
|
ComponentDatabase = "db:service"
|
|
|
|
|
2020-10-19 00:09:29 +00:00
|
|
|
// ComponentAppProxy is the application handler within the web proxy service.
|
|
|
|
ComponentAppProxy = "app:web"
|
|
|
|
|
2021-02-04 15:50:18 +00:00
|
|
|
// ComponentWebProxy is the web handler within the web proxy service.
|
|
|
|
ComponentWebProxy = "web"
|
|
|
|
|
2018-02-08 02:32:50 +00:00
|
|
|
// ComponentDiagnostic is a diagnostic service
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentDiagnostic = "diag"
|
2018-02-08 02:32:50 +00:00
|
|
|
|
2018-03-18 02:47:06 +00:00
|
|
|
// ComponentClient is a client
|
|
|
|
ComponentClient = "client"
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentTunClient is a tunnel client
|
2017-10-08 01:11:03 +00:00
|
|
|
ComponentTunClient = "client:tunnel"
|
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentCache is a cache component
|
|
|
|
ComponentCache = "cache"
|
|
|
|
|
|
|
|
// ComponentBackend is a backend component
|
|
|
|
ComponentBackend = "backend"
|
|
|
|
|
2017-10-08 01:11:03 +00:00
|
|
|
// ComponentCachingClient is a caching auth client
|
|
|
|
ComponentCachingClient = "client:cache"
|
2016-03-16 02:57:02 +00:00
|
|
|
|
2017-11-09 00:41:52 +00:00
|
|
|
// ComponentSubsystemProxy is the proxy subsystem.
|
|
|
|
ComponentSubsystemProxy = "subsystem:proxy"
|
|
|
|
|
2017-11-29 00:15:46 +00:00
|
|
|
// ComponentLocalTerm is a terminal on a regular SSH node.
|
|
|
|
ComponentLocalTerm = "term:local"
|
|
|
|
|
|
|
|
// ComponentRemoteTerm is a terminal on a forwarding SSH node.
|
|
|
|
ComponentRemoteTerm = "term:remote"
|
|
|
|
|
|
|
|
// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
|
|
|
|
ComponentRemoteSubsystem = "subsystem:remote"
|
|
|
|
|
2017-11-16 02:26:35 +00:00
|
|
|
// ComponentAuditLog is audit log component
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentAuditLog = "audit"
|
2017-11-16 02:26:35 +00:00
|
|
|
|
2018-01-19 02:30:02 +00:00
|
|
|
// ComponentKeyAgent is an agent that has loaded the sessions keys and
|
|
|
|
// certificates for a user connected to a proxy.
|
|
|
|
ComponentKeyAgent = "keyagent"
|
|
|
|
|
|
|
|
// ComponentKeyStore is all sessions keys and certificates a user has on disk
|
|
|
|
// for all proxies.
|
|
|
|
ComponentKeyStore = "keystore"
|
|
|
|
|
2018-02-09 00:33:48 +00:00
|
|
|
// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
|
|
|
|
ComponentConnectProxy = "http:proxy"
|
|
|
|
|
2018-09-28 01:22:51 +00:00
|
|
|
// ComponentSOCKS is a SOCKS5 proxy.
|
|
|
|
ComponentSOCKS = "socks"
|
|
|
|
|
2018-02-14 22:55:01 +00:00
|
|
|
// ComponentKeyGen is the public/private keypair generator.
|
|
|
|
ComponentKeyGen = "keygen"
|
|
|
|
|
2019-06-18 20:35:21 +00:00
|
|
|
// ComponentFirestore represents firestore clients
|
|
|
|
ComponentFirestore = "firestore"
|
|
|
|
|
2018-02-20 01:59:08 +00:00
|
|
|
// ComponentSession is an active session.
|
|
|
|
ComponentSession = "session"
|
|
|
|
|
2018-03-04 02:26:44 +00:00
|
|
|
// ComponentDynamoDB represents dynamodb clients
|
|
|
|
ComponentDynamoDB = "dynamodb"
|
|
|
|
|
2018-02-24 01:23:09 +00:00
|
|
|
// Component pluggable authentication module (PAM)
|
|
|
|
ComponentPAM = "pam"
|
|
|
|
|
2018-03-29 20:47:53 +00:00
|
|
|
// ComponentUpload is a session recording upload server
|
|
|
|
ComponentUpload = "upload"
|
|
|
|
|
2018-08-17 20:53:49 +00:00
|
|
|
// ComponentWeb is a web server
|
|
|
|
ComponentWeb = "web"
|
|
|
|
|
2018-07-16 21:39:50 +00:00
|
|
|
// ComponentWebsocket is websocket server that the web client connects to.
|
|
|
|
ComponentWebsocket = "websocket"
|
|
|
|
|
2018-08-11 00:50:06 +00:00
|
|
|
// ComponentRBAC is role-based access control.
|
|
|
|
ComponentRBAC = "rbac"
|
|
|
|
|
2018-11-07 01:21:44 +00:00
|
|
|
// ComponentKeepAlive is keep-alive messages sent from clients to servers
|
|
|
|
// and vice versa.
|
|
|
|
ComponentKeepAlive = "keepalive"
|
|
|
|
|
2018-11-15 22:36:11 +00:00
|
|
|
// ComponentTSH is the "tsh" binary.
|
|
|
|
ComponentTSH = "tsh"
|
|
|
|
|
2018-11-16 20:23:08 +00:00
|
|
|
// ComponentKubeClient is the Kubernetes client.
|
|
|
|
ComponentKubeClient = "client:kube"
|
|
|
|
|
Events and GRPC API
This commit introduces several key changes to
Teleport backend and API infrastructure
in order to achieve scalability improvements
on 10K+ node deployments.
Events and plain keyspace
--------------------------
New backend interface supports events,
pagination and range queries
and moves away from buckets to
plain keyspace, what better aligns
with DynamoDB and Etcd featuring similar
interfaces.
All backend implementations are
exposing Events API, allowing
multiple subscribers to consume the same
event stream and avoid polling database.
Replacing BoltDB, Dir with SQLite
-------------------------------
BoltDB backend does not support
having two processes access the database at the
same time. This prevented Teleport
using BoltDB backend to be live reloaded.
SQLite supports reads/writes by multiple
processes and makes Dir backend obsolete
as SQLite is more efficient on larger collections,
supports transactions and can detect data
corruption.
Teleport automatically migrates data from
Bolt and Dir backends into SQLite.
GRPC API and protobuf resources
-------------------------------
GRPC API has been introduced for
the auth server. The auth server now serves both GRPC
and JSON-HTTP API on the same TLS socket and uses
the same client certificate authentication.
All future API methods should use GRPC and HTTP-JSON
API is considered obsolete.
In addition to that some resources like
Server and CertificateAuthority are now
generated from protobuf service specifications in
a way that is fully backward compatible with
original JSON spec and schema, so the same resource
can be encoded and decoded from JSON, YAML
and protobuf.
All models should be refactored
into new proto specification over time.
Streaming presence service
--------------------------
In order to cut bandwidth, nodes
are sending full updates only when changes
to labels or spec have occured, otherwise
new light-weight GRPC keep alive updates are sent
over to the presence service, reducing
bandwidth usage on multi-node deployments.
In addition to that nodes are no longer polling
auth server for certificate authority rotation
updates, instead they subscribe to event updates
to detect updates as soon as they happen.
This is a new API, so the errors are inevitable,
that's why polling is still done, but
on a way slower rate.
2018-11-07 23:33:38 +00:00
|
|
|
// ComponentBuffer is in-memory event circular buffer
|
|
|
|
// used to broadcast events to subscribers.
|
|
|
|
ComponentBuffer = "buffer"
|
|
|
|
|
2019-11-16 00:39:40 +00:00
|
|
|
// ComponentBPF is the eBPF packagae.
|
|
|
|
ComponentBPF = "bpf"
|
|
|
|
|
|
|
|
// ComponentCgroup is the cgroup package.
|
|
|
|
ComponentCgroup = "cgroups"
|
|
|
|
|
2020-10-30 17:19:53 +00:00
|
|
|
// ComponentKube is an Kubernetes API gateway.
|
|
|
|
ComponentKube = "kubernetes"
|
|
|
|
|
2021-03-05 19:09:02 +00:00
|
|
|
// ComponentSAML is a SAML service provider.
|
|
|
|
ComponentSAML = "saml"
|
|
|
|
|
2016-12-26 06:12:23 +00:00
|
|
|
// DebugEnvVar tells tests to use verbose debug output
|
|
|
|
DebugEnvVar = "DEBUG"
|
|
|
|
|
|
|
|
// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
|
|
|
|
VerboseLogsEnvVar = "TELEPORT_DEBUG"
|
2016-09-10 04:44:04 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// IterationsEnvVar sets tests iterations to run
|
|
|
|
IterationsEnvVar = "ITERATIONS"
|
|
|
|
|
2016-09-10 04:44:04 +00:00
|
|
|
// DefaultTerminalWidth defines the default width of a server-side allocated
|
|
|
|
// pseudo TTY
|
|
|
|
DefaultTerminalWidth = 80
|
|
|
|
|
|
|
|
// DefaultTerminalHeight defines the default height of a server-side allocated
|
|
|
|
// pseudo TTY
|
|
|
|
DefaultTerminalHeight = 25
|
|
|
|
|
|
|
|
// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
|
|
|
|
// is not defined)
|
|
|
|
SafeTerminalType = "xterm"
|
2016-12-24 03:02:59 +00:00
|
|
|
|
2017-01-13 00:04:00 +00:00
|
|
|
// DataDirParameterName is the name of the data dir configuration parameter passed
|
|
|
|
// to all backends during initialization
|
|
|
|
DataDirParameterName = "data_dir"
|
2017-01-17 19:24:17 +00:00
|
|
|
|
2017-01-30 19:31:37 +00:00
|
|
|
// SSH request type to keep the connection alive. A client and a server keep
|
|
|
|
// pining each other with it:
|
|
|
|
KeepAliveReqType = "keepalive@openssh.com"
|
|
|
|
|
2017-11-13 22:55:21 +00:00
|
|
|
// RecordingProxyReqType is the name of a global request which returns if
|
|
|
|
// the proxy is recording sessions or not.
|
|
|
|
RecordingProxyReqType = "recording-proxy@teleport.com"
|
|
|
|
|
2017-08-25 03:24:47 +00:00
|
|
|
// JSON means JSON serialization format
|
|
|
|
JSON = "json"
|
2017-11-18 00:40:41 +00:00
|
|
|
|
2019-02-21 09:46:50 +00:00
|
|
|
// YAML means YAML serialization format
|
|
|
|
YAML = "yaml"
|
|
|
|
|
|
|
|
// Text means text serialization format
|
|
|
|
Text = "text"
|
|
|
|
|
2020-10-17 22:01:45 +00:00
|
|
|
// PTY is a raw pty session capture format
|
|
|
|
PTY = "pty"
|
|
|
|
|
2020-10-01 19:12:25 +00:00
|
|
|
// Names is for formatting node names in plain text
|
|
|
|
Names = "names"
|
|
|
|
|
2017-11-18 00:40:41 +00:00
|
|
|
// LinuxAdminGID is the ID of the standard adm group on linux
|
|
|
|
LinuxAdminGID = 4
|
|
|
|
|
|
|
|
// DirMaskSharedGroup is the mask for a directory accessible
|
|
|
|
// by the owner and group
|
|
|
|
DirMaskSharedGroup = 0770
|
2017-11-25 01:09:11 +00:00
|
|
|
|
|
|
|
// FileMaskOwnerOnly is the file mask that allows read write access
|
|
|
|
// to owers only
|
|
|
|
FileMaskOwnerOnly = 0600
|
|
|
|
|
|
|
|
// On means mode is on
|
|
|
|
On = "on"
|
|
|
|
|
|
|
|
// Off means mode is off
|
|
|
|
Off = "off"
|
2018-03-04 02:26:44 +00:00
|
|
|
|
|
|
|
// SchemeS3 is S3 file scheme, means upload or download to S3 like object
|
|
|
|
// storage
|
|
|
|
SchemeS3 = "s3"
|
|
|
|
|
2019-06-18 20:35:21 +00:00
|
|
|
// SchemeGCS is GCS file scheme, means upload or download to GCS like object
|
|
|
|
// storage
|
|
|
|
SchemeGCS = "gs"
|
|
|
|
|
2020-07-15 00:15:01 +00:00
|
|
|
// GCSTestURI turns on GCS tests
|
|
|
|
GCSTestURI = "TEST_GCS_URI"
|
|
|
|
|
|
|
|
// AWSRunTests turns on tests executed against AWS directly
|
|
|
|
AWSRunTests = "TEST_AWS"
|
|
|
|
|
2019-02-09 22:39:18 +00:00
|
|
|
// Region is AWS region parameter
|
|
|
|
Region = "region"
|
|
|
|
|
2019-10-09 18:58:18 +00:00
|
|
|
// Endpoint is an optional Host for non-AWS S3
|
|
|
|
Endpoint = "endpoint"
|
|
|
|
|
|
|
|
// Insecure is an optional switch to use HTTP instead of HTTPS
|
|
|
|
Insecure = "insecure"
|
|
|
|
|
|
|
|
// DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
|
|
|
|
DisableServerSideEncryption = "disablesse"
|
|
|
|
|
2018-03-04 02:26:44 +00:00
|
|
|
// SchemeFile is a local disk file storage
|
|
|
|
SchemeFile = "file"
|
|
|
|
|
2019-07-24 22:04:13 +00:00
|
|
|
// SchemeStdout outputs audit log entries to stdout
|
|
|
|
SchemeStdout = "stdout"
|
|
|
|
|
2018-03-04 02:26:44 +00:00
|
|
|
// LogsDir is a log subdirectory for events and logs
|
|
|
|
LogsDir = "log"
|
2018-04-03 22:41:12 +00:00
|
|
|
|
|
|
|
// Syslog is a mode for syslog logging
|
|
|
|
Syslog = "syslog"
|
2018-04-08 21:37:33 +00:00
|
|
|
|
|
|
|
// HumanDateFormat is a human readable date formatting
|
|
|
|
HumanDateFormat = "Jan _2 15:04 UTC"
|
|
|
|
|
|
|
|
// HumanDateFormatMilli is a human readable date formatting with milliseconds
|
|
|
|
HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
|
2019-02-10 01:43:59 +00:00
|
|
|
|
|
|
|
// DebugLevel is a debug logging level name
|
|
|
|
DebugLevel = "debug"
|
2020-10-08 21:02:50 +00:00
|
|
|
|
|
|
|
// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
|
|
|
|
MinimumEtcdVersion = "3.3.0"
|
2016-03-14 21:07:45 +00:00
|
|
|
)
|
2017-03-21 20:56:05 +00:00
|
|
|
|
2021-02-17 00:24:23 +00:00
|
|
|
// OTPType is the type of the One-time Password Algorithm.
|
|
|
|
type OTPType string
|
|
|
|
|
|
|
|
const (
|
|
|
|
// TOTP means Time-based One-time Password Algorithm (for Two-Factor Authentication)
|
|
|
|
TOTP = OTPType("totp")
|
|
|
|
// HOTP means HMAC-based One-time Password Algorithm (for Two-Factor Authentication)
|
|
|
|
HOTP = OTPType("hotp")
|
|
|
|
)
|
|
|
|
|
2020-03-07 01:50:16 +00:00
|
|
|
const (
|
|
|
|
// These values are from https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
|
|
|
|
|
|
// OIDCPromptSelectAccount instructs the Authorization Server to
|
|
|
|
// prompt the End-User to select a user account.
|
|
|
|
OIDCPromptSelectAccount = "select_account"
|
|
|
|
|
|
|
|
// OIDCAccessTypeOnline indicates that OIDC flow should be performed
|
|
|
|
// with Authorization server and user connected online
|
|
|
|
OIDCAccessTypeOnline = "online"
|
|
|
|
)
|
|
|
|
|
2018-02-08 02:32:50 +00:00
|
|
|
// Component generates "component:subcomponent1:subcomponent2" strings used
|
|
|
|
// in debugging
|
|
|
|
func Component(components ...string) string {
|
|
|
|
return strings.Join(components, ":")
|
|
|
|
}
|
|
|
|
|
2017-04-05 21:43:42 +00:00
|
|
|
const (
|
|
|
|
// AuthorizedKeys are public keys that check against User CAs.
|
|
|
|
AuthorizedKeys = "authorized_keys"
|
|
|
|
// KnownHosts are public keys that check against Host CAs.
|
|
|
|
KnownHosts = "known_hosts"
|
|
|
|
)
|
|
|
|
|
2017-03-21 20:56:05 +00:00
|
|
|
const (
|
2020-06-12 00:07:45 +00:00
|
|
|
// CertExtensionPermitX11Forwarding allows X11 forwarding for certificate
|
|
|
|
CertExtensionPermitX11Forwarding = "permit-X11-forwarding"
|
2017-03-21 20:56:05 +00:00
|
|
|
// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
|
|
|
|
CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
|
|
|
|
// CertExtensionPermitPTY allows user to request PTY
|
|
|
|
CertExtensionPermitPTY = "permit-pty"
|
|
|
|
// CertExtensionPermitPortForwarding allows user to request port forwarding
|
|
|
|
CertExtensionPermitPortForwarding = "permit-port-forwarding"
|
2017-05-17 17:36:25 +00:00
|
|
|
// CertExtensionTeleportRoles is used to propagate teleport roles
|
|
|
|
CertExtensionTeleportRoles = "teleport-roles"
|
2019-07-22 23:58:38 +00:00
|
|
|
// CertExtensionTeleportRouteToCluster is used to encode
|
|
|
|
// the target cluster to route to in the certificate
|
|
|
|
CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
|
2019-08-02 00:19:49 +00:00
|
|
|
// CertExtensionTeleportTraits is used to propagate traits about the user.
|
|
|
|
CertExtensionTeleportTraits = "teleport-traits"
|
2019-11-07 05:00:32 +00:00
|
|
|
// CertExtensionTeleportActiveRequests is used to track which privilege
|
|
|
|
// escalation requests were used to construct the certificate.
|
|
|
|
CertExtensionTeleportActiveRequests = "teleport-active-requests"
|
2021-02-11 04:29:00 +00:00
|
|
|
// CertExtensionMFAVerified is used to mark certificates issued after an MFA
|
|
|
|
// check.
|
|
|
|
CertExtensionMFAVerified = "mfa-verified"
|
|
|
|
// CertExtensionClientIP is used to embed the IP of the client that created
|
|
|
|
// the certificate.
|
|
|
|
CertExtensionClientIP = "client-ip"
|
2021-03-19 23:04:43 +00:00
|
|
|
// CertExtensionImpersonator is set when one user has requested certificates
|
|
|
|
// for another user
|
|
|
|
CertExtensionImpersonator = "impersonator"
|
2017-03-21 20:56:05 +00:00
|
|
|
)
|
2017-04-13 00:04:51 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// NetIQ is an identity provider.
|
|
|
|
NetIQ = "netiq"
|
2017-05-12 19:14:44 +00:00
|
|
|
// ADFS is Microsoft Active Directory Federation Services
|
|
|
|
ADFS = "adfs"
|
2017-04-13 00:04:51 +00:00
|
|
|
)
|
2017-04-25 21:57:48 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// RemoteCommandSuccess is returned when a command has successfully executed.
|
|
|
|
RemoteCommandSuccess = 0
|
|
|
|
// RemoteCommandFailure is returned when a command has failed to execute and
|
|
|
|
// we don't have another status code for it.
|
|
|
|
RemoteCommandFailure = 255
|
|
|
|
)
|
2017-05-26 19:28:46 +00:00
|
|
|
|
|
|
|
// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
|
|
|
|
const MaxEnvironmentFileLines = 1000
|
2017-06-20 00:20:21 +00:00
|
|
|
|
2020-01-30 21:18:43 +00:00
|
|
|
// MaxResourceSize is the maximum size (in bytes) of a serialized resource. This limit is
|
2020-05-06 17:11:06 +00:00
|
|
|
// typically only enforced against resources that are likely to arbitrarily grow (e.g. PluginData).
|
2020-01-30 21:18:43 +00:00
|
|
|
const MaxResourceSize = 1000000
|
|
|
|
|
2021-03-01 14:24:22 +00:00
|
|
|
// MaxHTTPRequestSize is the maximum accepted size (in bytes) of the body of
|
|
|
|
// a received HTTP request. This limit is meant to be used with utils.ReadAtMost
|
|
|
|
// to prevent resource exhaustion attacks.
|
|
|
|
const MaxHTTPRequestSize = 10 * 1024 * 1024
|
|
|
|
|
|
|
|
// MaxHTTPResponseSize is the maximum accepted size (in bytes) of the body of
|
|
|
|
// a received HTTP response. This limit is meant to be used with utils.ReadAtMost
|
|
|
|
// to prevent resource exhaustion attacks.
|
|
|
|
const MaxHTTPResponseSize = 10 * 1024 * 1024
|
|
|
|
|
2017-06-20 00:20:21 +00:00
|
|
|
const (
|
2018-01-06 02:28:31 +00:00
|
|
|
// CertificateFormatOldSSH is used to make Teleport interoperate with older
|
2017-06-20 00:20:21 +00:00
|
|
|
// versions of OpenSSH.
|
2018-01-06 02:28:31 +00:00
|
|
|
CertificateFormatOldSSH = "oldssh"
|
2017-06-20 00:20:21 +00:00
|
|
|
|
2018-01-06 02:28:31 +00:00
|
|
|
// CertificateFormatUnspecified is used to check if the format was specified
|
|
|
|
// or not.
|
|
|
|
CertificateFormatUnspecified = ""
|
2017-06-20 00:20:21 +00:00
|
|
|
)
|
2017-07-24 22:18:46 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// TraitInternalPrefix is the role variable prefix that indicates it's for
|
|
|
|
// local accounts.
|
|
|
|
TraitInternalPrefix = "internal"
|
|
|
|
|
2021-03-30 15:30:34 +00:00
|
|
|
// TraitExternalPrefix is the role variable prefix that indicates the data comes from an external identity provider.
|
|
|
|
TraitExternalPrefix = "external"
|
|
|
|
|
2017-07-24 22:18:46 +00:00
|
|
|
// TraitLogins is the name the role variable used to store
|
|
|
|
// allowed logins.
|
|
|
|
TraitLogins = "logins"
|
|
|
|
|
2018-08-06 23:46:19 +00:00
|
|
|
// TraitKubeGroups is the name the role variable used to store
|
|
|
|
// allowed kubernetes groups
|
|
|
|
TraitKubeGroups = "kubernetes_groups"
|
|
|
|
|
Adds support for kubernetes_users, extend interpolation (#3404) (#3418)
This commit fixes #3369, refs #3374
It adds support for kuberenetes_users section in roles,
allowing Teleport proxy to impersonate user identities.
It also extends variable interpolation syntax by adding
suffix and prefix to variables and function `email.local`:
Example:
```yaml
kind: role
version: v3
metadata:
name: admin
spec:
allow:
# extract email local part from the email claim
logins: ['{{email.local(external.email)}}']
# impersonate a kubernetes user with IAM prefix
kubernetes_users: ['IAM#{{external.email}}']
# the deny section uses the identical format as the 'allow' section.
# the deny rules always override allow rules.
deny: {}
```
Some notes on email.local behavior:
* This is the only function supported in the template variables for now
* In case if the email.local will encounter invalid email address,
it will interpolate to empty value, will be removed from resulting
output.
Changes in impersonation behavior:
* By default, if no kubernetes_users is set, which is a majority of cases,
user will impersonate themselves, which is the backwards-compatible behavior.
* As long as at least one `kubernetes_users` is set, the forwarder will start
limiting the list of users allowed by the client to impersonate.
* If the users' role set does not include actual user name, it will be rejected,
otherwise there will be no way to exclude the user from the list).
* If the `kuberentes_users` role set includes only one user
(quite frequently that's the real intent), teleport will default to it,
otherwise it will refuse to select.
This will enable the use case when `kubernetes_users` has just one field to
link the user identity with the IAM role, for example `IAM#{{external.email}}`
* Previous versions of the forwarding proxy were denying all external
impersonation headers, this commit allows 'Impesrsonate-User' and
'Impersonate-Group' header values that are allowed by role set.
* Previous versions of the forwarding proxy ignored 'Deny' section of the roles
when applied to impersonation, this commit fixes that - roles with deny
kubernetes_users and kubernetes_groups section will not allow
impersonation of those users and groups.
2020-03-08 00:32:37 +00:00
|
|
|
// TraitKubeUsers is the name the role variable used to store
|
|
|
|
// allowed kubernetes users
|
|
|
|
TraitKubeUsers = "kubernetes_users"
|
|
|
|
|
2021-01-15 02:21:38 +00:00
|
|
|
// TraitDBNames is the name of the role variable used to store
|
|
|
|
// allowed database names.
|
|
|
|
TraitDBNames = "db_names"
|
|
|
|
|
|
|
|
// TraitDBUsers is the name of the role variable used to store
|
|
|
|
// allowed database users.
|
|
|
|
TraitDBUsers = "db_users"
|
|
|
|
|
2018-08-06 23:46:19 +00:00
|
|
|
// TraitInternalLoginsVariable is the variable used to store allowed
|
2017-07-24 22:18:46 +00:00
|
|
|
// logins for local accounts.
|
2018-08-06 23:46:19 +00:00
|
|
|
TraitInternalLoginsVariable = "{{internal.logins}}"
|
|
|
|
|
|
|
|
// TraitInternalKubeGroupsVariable is the variable used to store allowed
|
|
|
|
// kubernetes groups for local accounts.
|
|
|
|
TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"
|
2020-04-16 00:04:46 +00:00
|
|
|
|
|
|
|
// TraitInternalKubeUsersVariable is the variable used to store allowed
|
|
|
|
// kubernetes users for local accounts.
|
|
|
|
TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}"
|
2021-01-15 02:21:38 +00:00
|
|
|
|
|
|
|
// TraitInternalDBNamesVariable is the variable used to store allowed
|
|
|
|
// database names for local accounts.
|
|
|
|
TraitInternalDBNamesVariable = "{{internal.db_names}}"
|
|
|
|
|
|
|
|
// TraitInternalDBUsersVariable is the variable used to store allowed
|
|
|
|
// database users for local accounts.
|
|
|
|
TraitInternalDBUsersVariable = "{{internal.db_users}}"
|
2017-07-24 22:18:46 +00:00
|
|
|
)
|
|
|
|
|
2019-01-17 02:55:59 +00:00
|
|
|
const (
|
|
|
|
// GSuiteIssuerURL is issuer URL used for GSuite provider
|
|
|
|
GSuiteIssuerURL = "https://accounts.google.com"
|
|
|
|
// GSuiteGroupsEndpoint is gsuite API endpoint
|
|
|
|
GSuiteGroupsEndpoint = "https://www.googleapis.com/admin/directory/v1/groups"
|
|
|
|
// GSuiteGroupsScope is a scope to get access to admin groups API
|
|
|
|
GSuiteGroupsScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"
|
2019-11-03 20:55:03 +00:00
|
|
|
// GSuiteDomainClaim is the domain name claim for GSuite
|
|
|
|
GSuiteDomainClaim = "hd"
|
2019-01-17 02:55:59 +00:00
|
|
|
)
|
|
|
|
|
2017-11-29 00:15:46 +00:00
|
|
|
// SCP is Secure Copy.
|
|
|
|
const SCP = "scp"
|
|
|
|
|
2017-09-08 00:35:05 +00:00
|
|
|
// Root is *nix system administrator account name.
|
|
|
|
const Root = "root"
|
|
|
|
|
2021-01-29 17:37:01 +00:00
|
|
|
// AdminRoleName is the name of the default admin role for all local users if
|
2021-03-12 04:23:06 +00:00
|
|
|
// another role is not explicitly assigned
|
2017-09-05 19:20:57 +00:00
|
|
|
const AdminRoleName = "admin"
|
2017-08-16 00:27:51 +00:00
|
|
|
|
2021-03-12 04:23:06 +00:00
|
|
|
const (
|
|
|
|
// PresetEditorRoleName is a name of a preset role that allows
|
|
|
|
// editing cluster configuration.
|
|
|
|
PresetEditorRoleName = "editor"
|
|
|
|
|
|
|
|
// PresetAccessRoleName is a name of a preset role that allows
|
|
|
|
// accessing cluster resources.
|
|
|
|
PresetAccessRoleName = "access"
|
|
|
|
|
|
|
|
// PresetAuditorRoleName is a name of a preset role that allows
|
|
|
|
// reading cluster events and playing back session records.
|
|
|
|
PresetAuditorRoleName = "auditor"
|
|
|
|
)
|
|
|
|
|
2021-01-27 18:20:16 +00:00
|
|
|
// OSSMigratedV6 is a label to mark migrated OSS users and resources
|
|
|
|
const OSSMigratedV6 = "migrate-v6.0"
|
|
|
|
|
2018-11-08 22:34:44 +00:00
|
|
|
// MinClientVersion is the minimum client version required by the server.
|
2021-05-12 00:18:26 +00:00
|
|
|
var MinClientVersion string
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
// Per https://github.com/gravitational/teleport/blob/master/rfd/0012-teleport-versioning.md,
|
|
|
|
// only one major version backwards is supported for clients.
|
|
|
|
ver := semver.New(Version)
|
|
|
|
MinClientVersion = fmt.Sprintf("%d.0.0", ver.Major-1)
|
|
|
|
}
|
2018-11-08 22:34:44 +00:00
|
|
|
|
2017-12-28 02:51:46 +00:00
|
|
|
const (
|
|
|
|
// RemoteClusterStatusOffline indicates that cluster is considered as
|
|
|
|
// offline, since it has missed a series of heartbeats
|
|
|
|
RemoteClusterStatusOffline = "offline"
|
|
|
|
// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
|
|
|
|
// at expected interval
|
|
|
|
RemoteClusterStatusOnline = "online"
|
|
|
|
)
|
2018-01-22 20:25:11 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// SharedDirMode is a mode for a directory shared with group
|
|
|
|
SharedDirMode = 0750
|
2018-05-19 23:58:14 +00:00
|
|
|
|
|
|
|
// PrivateDirMode is a mode for private directories
|
|
|
|
PrivateDirMode = 0700
|
2018-01-22 20:25:11 +00:00
|
|
|
)
|
2018-05-04 00:36:08 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// SessionEvent is sent by servers to clients when an audit event occurs on
|
|
|
|
// the session.
|
|
|
|
SessionEvent = "x-teleport-event"
|
2019-09-09 23:56:26 +00:00
|
|
|
|
|
|
|
// VersionRequest is sent by clients to server requesting the Teleport
|
|
|
|
// version they are running.
|
|
|
|
VersionRequest = "x-teleport-version"
|
2018-05-04 00:36:08 +00:00
|
|
|
)
|
2018-05-19 23:58:14 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// EnvKubeConfig is environment variable for kubeconfig
|
|
|
|
EnvKubeConfig = "KUBECONFIG"
|
|
|
|
|
|
|
|
// KubeConfigDir is a default directory where k8s stores its user local config
|
|
|
|
KubeConfigDir = ".kube"
|
|
|
|
|
|
|
|
// KubeConfigFile is a default filename where k8s stores its user local config
|
|
|
|
KubeConfigFile = "config"
|
|
|
|
|
|
|
|
// EnvHome is home environment variable
|
|
|
|
EnvHome = "HOME"
|
|
|
|
|
2018-07-25 20:56:14 +00:00
|
|
|
// EnvUserProfile is the home directory environment variable on Windows.
|
|
|
|
EnvUserProfile = "USERPROFILE"
|
|
|
|
|
2018-05-19 23:58:14 +00:00
|
|
|
// KubeCAPath is a hardcode of mounted CA inside every pod of K8s
|
|
|
|
KubeCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
|
|
|
|
|
2018-06-10 00:21:14 +00:00
|
|
|
// KubeRunTests turns on kubernetes tests
|
|
|
|
KubeRunTests = "TEST_KUBE"
|
|
|
|
|
2019-03-25 02:25:58 +00:00
|
|
|
// KubeSystemAuthenticated is a builtin group that allows
|
|
|
|
// any user to access common API methods, e.g. discovery methods
|
|
|
|
// required for initial client usage
|
|
|
|
KubeSystemAuthenticated = "system:authenticated"
|
|
|
|
|
2018-06-18 00:53:02 +00:00
|
|
|
// UsageKubeOnly specifies certificate usage metadata
|
|
|
|
// that limits certificate to be only used for kubernetes proxying
|
|
|
|
UsageKubeOnly = "usage:kube"
|
2020-10-19 00:09:29 +00:00
|
|
|
|
|
|
|
// UsageAppOnly specifies a certificate metadata that only allows it to be
|
|
|
|
// used for proxying applications.
|
|
|
|
UsageAppsOnly = "usage:apps"
|
2021-01-15 02:21:38 +00:00
|
|
|
|
|
|
|
// UsageDatabaseOnly specifies certificate usage metadata that only allows
|
|
|
|
// it to be used for proxying database connections.
|
|
|
|
UsageDatabaseOnly = "usage:db"
|
2018-06-18 00:53:02 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2020-02-24 18:41:45 +00:00
|
|
|
// NodeIsAmbiguous serves as an identifying error string indicating that
|
|
|
|
// the proxy subsystem found multiple nodes matching the specified hostname.
|
|
|
|
NodeIsAmbiguous = "err-node-is-ambiguous"
|
2020-08-25 19:02:16 +00:00
|
|
|
|
|
|
|
// MaxLeases serves as an identifying error string indicating that the
|
|
|
|
// semaphore system is rejecting an acquisition attempt due to max
|
|
|
|
// leases having already been reached.
|
|
|
|
MaxLeases = "err-max-leases"
|
2018-05-19 23:58:14 +00:00
|
|
|
)
|
2018-07-25 20:56:14 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// OpenBrowserLinux is the command used to open a web browser on Linux.
|
2019-01-31 13:14:47 +00:00
|
|
|
OpenBrowserLinux = "xdg-open"
|
2018-07-25 20:56:14 +00:00
|
|
|
|
|
|
|
// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
|
|
|
|
OpenBrowserDarwin = "open"
|
|
|
|
|
|
|
|
// OpenBrowserWindows is the command used to open a web browser on Windows.
|
|
|
|
OpenBrowserWindows = "rundll32.exe"
|
2020-05-13 20:23:26 +00:00
|
|
|
|
|
|
|
// BrowserNone is the string used to suppress the opening of a browser in
|
|
|
|
// response to 'tsh login' commands.
|
|
|
|
BrowserNone = "none"
|
2018-07-25 20:56:14 +00:00
|
|
|
)
|
2019-02-28 00:55:57 +00:00
|
|
|
|
2019-11-16 00:39:40 +00:00
|
|
|
const (
|
2020-02-12 21:29:30 +00:00
|
|
|
// ExecSubCommand is the sub-command Teleport uses to re-exec itself for
|
|
|
|
// command execution (exec and shells).
|
2019-11-16 00:39:40 +00:00
|
|
|
ExecSubCommand = "exec"
|
2020-02-12 21:29:30 +00:00
|
|
|
|
|
|
|
// ForwardSubCommand is the sub-command Teleport uses to re-exec itself
|
|
|
|
// for port forwarding.
|
|
|
|
ForwardSubCommand = "forward"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// ChanDirectTCPIP is a SSH channel of type "direct-tcpip".
|
|
|
|
ChanDirectTCPIP = "direct-tcpip"
|
|
|
|
|
|
|
|
// ChanSession is a SSH channel of type "session".
|
|
|
|
ChanSession = "session"
|
2019-11-16 00:39:40 +00:00
|
|
|
)
|
|
|
|
|
2019-02-28 00:55:57 +00:00
|
|
|
// RSAKeySize is the size of the RSA key.
|
|
|
|
const RSAKeySize = 2048
|
2020-04-14 22:11:53 +00:00
|
|
|
|
|
|
|
// A principal name for use in SSH certificates.
|
|
|
|
type Principal string
|
|
|
|
|
|
|
|
const (
|
|
|
|
// The localhost domain, for talking to a proxy or node on the same
|
|
|
|
// machine.
|
|
|
|
PrincipalLocalhost Principal = "localhost"
|
|
|
|
// The IPv4 loopback address, for talking to a proxy or node on the same
|
|
|
|
// machine.
|
|
|
|
PrincipalLoopbackV4 Principal = "127.0.0.1"
|
|
|
|
// The IPv6 loopback address, for talking to a proxy or node on the same
|
|
|
|
// machine.
|
|
|
|
PrincipalLoopbackV6 Principal = "::1"
|
|
|
|
)
|
2020-05-05 23:49:32 +00:00
|
|
|
|
|
|
|
// UserSystem defines a user as system.
|
|
|
|
const UserSystem = "system"
|
2020-10-19 00:09:29 +00:00
|
|
|
|
|
|
|
const (
|
|
|
|
// internal application being proxied.
|
|
|
|
AppJWTHeader = "teleport-jwt-assertion"
|
|
|
|
|
|
|
|
// AppCFHeader is a compatibility header.
|
|
|
|
AppCFHeader = "cf-access-token"
|
2021-05-06 18:24:49 +00:00
|
|
|
|
|
|
|
// HostHeader is the name of the Host header.
|
|
|
|
HostHeader = "Host"
|
2020-10-19 00:09:29 +00:00
|
|
|
)
|
2021-02-11 04:29:00 +00:00
|
|
|
|
|
|
|
// UserSingleUseCertTTL is a TTL for per-connection user certificates.
|
|
|
|
const UserSingleUseCertTTL = time.Minute
|
2021-02-18 12:25:46 +00:00
|
|
|
|
|
|
|
// StandardHTTPSPort is the default port used for the https URI scheme,
|
|
|
|
// cf. RFC 7230 § 2.7.2.
|
|
|
|
const StandardHTTPSPort = 443
|