2018-11-07 01:21:44 +00:00
|
|
|
/*
|
2018-12-12 00:22:44 +00:00
|
|
|
Copyright 2018-2019 Gravitational, Inc.
|
2018-11-07 01:21:44 +00:00
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2016-02-16 17:36:02 +00:00
|
|
|
package teleport
|
|
|
|
|
|
|
|
|
|
import (
|
2021-05-12 00:18:26 +00:00
|
|
|
"fmt"
|
2018-02-08 02:32:50 +00:00
|
|
|
"strings"
|
2016-02-16 17:36:02 +00:00
|
|
|
"time"
|
2021-01-29 17:37:01 +00:00
|
|
|
|
2021-05-12 00:18:26 +00:00
|
|
|
"github.com/coreos/go-semver/semver"
|
2016-02-16 17:36:02 +00:00
|
|
|
)
|
|
|
|
|
|
2017-03-02 19:50:35 +00:00
|
|
|
// WebAPIVersion is a current webapi version
|
|
|
|
|
const WebAPIVersion = "v1"
|
|
|
|
|
|
2017-03-08 05:42:17 +00:00
|
|
|
const (
|
|
|
|
|
// SSHAuthSock is the environment variable pointing to the
|
|
|
|
|
// Unix socket the SSH agent is running on.
|
|
|
|
|
SSHAuthSock = "SSH_AUTH_SOCK"
|
|
|
|
|
// SSHAgentPID is the environment variable pointing to the agent
|
|
|
|
|
// process ID
|
|
|
|
|
SSHAgentPID = "SSH_AGENT_PID"
|
2017-04-07 00:16:28 +00:00
|
|
|
|
|
|
|
|
// SSHTeleportUser is the current Teleport user that is logged in.
|
|
|
|
|
SSHTeleportUser = "SSH_TELEPORT_USER"
|
|
|
|
|
|
2023-06-14 19:47:32 +00:00
|
|
|
// SSHSessionWebProxyAddr is the address the web proxy.
|
|
|
|
|
SSHSessionWebProxyAddr = "SSH_SESSION_WEBPROXY_ADDR"
|
2017-04-07 00:16:28 +00:00
|
|
|
|
|
|
|
|
// SSHTeleportClusterName is the name of the cluster this node belongs to.
|
|
|
|
|
SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"
|
|
|
|
|
|
|
|
|
|
// SSHTeleportHostUUID is the UUID of the host.
|
|
|
|
|
SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"
|
|
|
|
|
|
|
|
|
|
// SSHSessionID is the UUID of the current session.
|
|
|
|
|
SSHSessionID = "SSH_SESSION_ID"
|
2023-05-11 20:23:01 +00:00
|
|
|
|
|
|
|
|
// EnableNonInteractiveSessionRecording can be used to record non-interactive SSH session.
|
|
|
|
|
EnableNonInteractiveSessionRecording = "SSH_TELEPORT_RECORD_NON_INTERACTIVE"
|
2017-03-08 05:42:17 +00:00
|
|
|
)
|
2017-02-13 23:37:08 +00:00
|
|
|
|
2020-07-15 00:15:01 +00:00
|
|
|
const (
|
|
|
|
|
// HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during
|
|
|
|
|
// HTTP/1.1.'s TLS setup.
|
|
|
|
|
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
|
|
|
|
|
HTTPNextProtoTLS = "http/1.1"
|
|
|
|
|
)
|
|
|
|
|
|
2017-02-10 22:46:26 +00:00
|
|
|
const (
|
2017-02-13 23:37:08 +00:00
|
|
|
// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
|
|
|
|
|
TOTPValidityPeriod uint = 30
|
|
|
|
|
|
|
|
|
|
// TOTPSkew adds that many periods before and after to the validity window.
|
|
|
|
|
TOTPSkew uint = 1
|
2017-02-10 22:46:26 +00:00
|
|
|
)
|
|
|
|
|
|
2016-03-11 01:03:01 +00:00
|
|
|
const (
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentMemory is a memory backend
|
|
|
|
|
ComponentMemory = "memory"
|
|
|
|
|
|
2017-11-25 01:09:11 +00:00
|
|
|
// ComponentAuthority is a TLS and an SSH certificate authority
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentAuthority = "ca"
|
2017-11-25 01:09:11 +00:00
|
|
|
|
|
|
|
|
// ComponentProcess is a main control process
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentProcess = "proc"
|
2017-11-25 01:09:11 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentServer is a server subcomponent of some services
|
|
|
|
|
ComponentServer = "server"
|
|
|
|
|
|
2020-12-20 03:56:03 +00:00
|
|
|
// ComponentACME is ACME protocol controller
|
|
|
|
|
ComponentACME = "acme"
|
|
|
|
|
|
2017-10-06 22:38:15 +00:00
|
|
|
// ComponentReverseTunnelServer is reverse tunnel server
|
|
|
|
|
// that together with agent establish a bi-directional SSH revers tunnel
|
2016-03-16 02:57:02 +00:00
|
|
|
// to bypass firewall restrictions
|
2017-10-06 22:38:15 +00:00
|
|
|
ComponentReverseTunnelServer = "proxy:server"
|
2016-03-16 02:57:02 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentReverseTunnelAgent is reverse tunnel agent
|
2017-10-06 22:38:15 +00:00
|
|
|
// that together with server establish a bi-directional SSH revers tunnel
|
2016-03-16 02:57:02 +00:00
|
|
|
// to bypass firewall restrictions
|
2017-10-06 22:38:15 +00:00
|
|
|
ComponentReverseTunnelAgent = "proxy:agent"
|
2016-03-16 02:57:02 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentLabel is a component label name used in reporting
|
|
|
|
|
ComponentLabel = "component"
|
|
|
|
|
|
2020-10-30 17:19:53 +00:00
|
|
|
// ComponentProxyKube is a kubernetes proxy
|
|
|
|
|
ComponentProxyKube = "proxy:kube"
|
2018-05-19 23:58:14 +00:00
|
|
|
|
2016-09-02 23:04:05 +00:00
|
|
|
// ComponentAuth is the cluster CA node (auth server API)
|
|
|
|
|
ComponentAuth = "auth"
|
|
|
|
|
|
2023-08-24 23:27:06 +00:00
|
|
|
// ComponentGRPC is gRPC server
|
Events and GRPC API
This commit introduces several key changes to
Teleport backend and API infrastructure
in order to achieve scalability improvements
on 10K+ node deployments.
Events and plain keyspace
--------------------------
New backend interface supports events,
pagination and range queries
and moves away from buckets to
plain keyspace, what better aligns
with DynamoDB and Etcd featuring similar
interfaces.
All backend implementations are
exposing Events API, allowing
multiple subscribers to consume the same
event stream and avoid polling database.
Replacing BoltDB, Dir with SQLite
-------------------------------
BoltDB backend does not support
having two processes access the database at the
same time. This prevented Teleport
using BoltDB backend to be live reloaded.
SQLite supports reads/writes by multiple
processes and makes Dir backend obsolete
as SQLite is more efficient on larger collections,
supports transactions and can detect data
corruption.
Teleport automatically migrates data from
Bolt and Dir backends into SQLite.
GRPC API and protobuf resources
-------------------------------
GRPC API has been introduced for
the auth server. The auth server now serves both GRPC
and JSON-HTTP API on the same TLS socket and uses
the same client certificate authentication.
All future API methods should use GRPC and HTTP-JSON
API is considered obsolete.
In addition to that some resources like
Server and CertificateAuthority are now
generated from protobuf service specifications in
a way that is fully backward compatible with
original JSON spec and schema, so the same resource
can be encoded and decoded from JSON, YAML
and protobuf.
All models should be refactored
into new proto specification over time.
Streaming presence service
--------------------------
In order to cut bandwidth, nodes
are sending full updates only when changes
to labels or spec have occured, otherwise
new light-weight GRPC keep alive updates are sent
over to the presence service, reducing
bandwidth usage on multi-node deployments.
In addition to that nodes are no longer polling
auth server for certificate authority rotation
updates, instead they subscribe to event updates
to detect updates as soon as they happen.
This is a new API, so the errors are inevitable,
that's why polling is still done, but
on a way slower rate.
2018-11-07 23:33:38 +00:00
|
|
|
ComponentGRPC = "grpc"
|
|
|
|
|
|
|
|
|
|
// ComponentMigrate is responsible for data migrations
|
|
|
|
|
ComponentMigrate = "migrate"
|
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentNode is SSH node (SSH server serving requests)
|
|
|
|
|
ComponentNode = "node"
|
|
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentForwardingNode is SSH node (SSH server serving requests)
|
2017-11-29 00:15:46 +00:00
|
|
|
ComponentForwardingNode = "node:forward"
|
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentProxy is SSH proxy (SSH server forwarding connections)
|
|
|
|
|
ComponentProxy = "proxy"
|
|
|
|
|
|
2022-06-02 17:08:24 +00:00
|
|
|
// ComponentProxyPeer is the proxy peering component of the proxy service
|
|
|
|
|
ComponentProxyPeer = "proxy:peer"
|
|
|
|
|
|
2020-10-19 00:09:29 +00:00
|
|
|
// ComponentApp is the application proxy service.
|
|
|
|
|
ComponentApp = "app:service"
|
|
|
|
|
|
2021-01-15 02:21:38 +00:00
|
|
|
// ComponentDatabase is the database proxy service.
|
|
|
|
|
ComponentDatabase = "db:service"
|
|
|
|
|
|
2022-09-21 12:23:06 +00:00
|
|
|
// ComponentDiscovery is the Discovery service.
|
|
|
|
|
ComponentDiscovery = "discovery:service"
|
|
|
|
|
|
2020-10-19 00:09:29 +00:00
|
|
|
// ComponentAppProxy is the application handler within the web proxy service.
|
|
|
|
|
ComponentAppProxy = "app:web"
|
|
|
|
|
|
2021-02-04 15:50:18 +00:00
|
|
|
// ComponentWebProxy is the web handler within the web proxy service.
|
|
|
|
|
ComponentWebProxy = "web"
|
|
|
|
|
|
2018-02-08 02:32:50 +00:00
|
|
|
// ComponentDiagnostic is a diagnostic service
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentDiagnostic = "diag"
|
2018-02-08 02:32:50 +00:00
|
|
|
|
2018-03-18 02:47:06 +00:00
|
|
|
// ComponentClient is a client
|
|
|
|
|
ComponentClient = "client"
|
|
|
|
|
|
2016-03-16 02:57:02 +00:00
|
|
|
// ComponentTunClient is a tunnel client
|
2017-10-08 01:11:03 +00:00
|
|
|
ComponentTunClient = "client:tunnel"
|
|
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// ComponentCache is a cache component
|
|
|
|
|
ComponentCache = "cache"
|
|
|
|
|
|
|
|
|
|
// ComponentBackend is a backend component
|
|
|
|
|
ComponentBackend = "backend"
|
|
|
|
|
|
2017-11-09 00:41:52 +00:00
|
|
|
// ComponentSubsystemProxy is the proxy subsystem.
|
|
|
|
|
ComponentSubsystemProxy = "subsystem:proxy"
|
|
|
|
|
|
2022-07-07 20:08:26 +00:00
|
|
|
// ComponentSubsystemSFTP is the SFTP subsystem.
|
|
|
|
|
ComponentSubsystemSFTP = "subsystem:sftp"
|
|
|
|
|
|
2017-11-29 00:15:46 +00:00
|
|
|
// ComponentLocalTerm is a terminal on a regular SSH node.
|
|
|
|
|
ComponentLocalTerm = "term:local"
|
|
|
|
|
|
|
|
|
|
// ComponentRemoteTerm is a terminal on a forwarding SSH node.
|
|
|
|
|
ComponentRemoteTerm = "term:remote"
|
|
|
|
|
|
|
|
|
|
// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
|
|
|
|
|
ComponentRemoteSubsystem = "subsystem:remote"
|
|
|
|
|
|
2017-11-16 02:26:35 +00:00
|
|
|
// ComponentAuditLog is audit log component
|
2018-04-08 21:37:33 +00:00
|
|
|
ComponentAuditLog = "audit"
|
2017-11-16 02:26:35 +00:00
|
|
|
|
2018-01-19 02:30:02 +00:00
|
|
|
// ComponentKeyAgent is an agent that has loaded the sessions keys and
|
|
|
|
|
// certificates for a user connected to a proxy.
|
|
|
|
|
ComponentKeyAgent = "keyagent"
|
|
|
|
|
|
|
|
|
|
// ComponentKeyStore is all sessions keys and certificates a user has on disk
|
|
|
|
|
// for all proxies.
|
|
|
|
|
ComponentKeyStore = "keystore"
|
|
|
|
|
|
2018-02-09 00:33:48 +00:00
|
|
|
// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
|
|
|
|
|
ComponentConnectProxy = "http:proxy"
|
|
|
|
|
|
2018-09-28 01:22:51 +00:00
|
|
|
// ComponentSOCKS is a SOCKS5 proxy.
|
|
|
|
|
ComponentSOCKS = "socks"
|
|
|
|
|
|
2018-02-14 22:55:01 +00:00
|
|
|
// ComponentKeyGen is the public/private keypair generator.
|
|
|
|
|
ComponentKeyGen = "keygen"
|
|
|
|
|
|
2019-06-18 20:35:21 +00:00
|
|
|
// ComponentFirestore represents firestore clients
|
|
|
|
|
ComponentFirestore = "firestore"
|
|
|
|
|
|
2018-02-20 01:59:08 +00:00
|
|
|
// ComponentSession is an active session.
|
|
|
|
|
ComponentSession = "session"
|
|
|
|
|
|
2018-03-04 02:26:44 +00:00
|
|
|
// ComponentDynamoDB represents dynamodb clients
|
|
|
|
|
ComponentDynamoDB = "dynamodb"
|
|
|
|
|
|
2018-02-24 01:23:09 +00:00
|
|
|
// Component pluggable authentication module (PAM)
|
|
|
|
|
ComponentPAM = "pam"
|
|
|
|
|
|
2018-03-29 20:47:53 +00:00
|
|
|
// ComponentUpload is a session recording upload server
|
|
|
|
|
ComponentUpload = "upload"
|
|
|
|
|
|
2018-08-17 20:53:49 +00:00
|
|
|
// ComponentWeb is a web server
|
|
|
|
|
ComponentWeb = "web"
|
|
|
|
|
|
2023-08-14 21:13:46 +00:00
|
|
|
// ComponentUnifiedResource is a cache of resources meant to be listed and displayed
|
|
|
|
|
// together in the web UI
|
|
|
|
|
ComponentUnifiedResource = "unified_resource"
|
|
|
|
|
|
2018-07-16 21:39:50 +00:00
|
|
|
// ComponentWebsocket is websocket server that the web client connects to.
|
|
|
|
|
ComponentWebsocket = "websocket"
|
|
|
|
|
|
2018-08-11 00:50:06 +00:00
|
|
|
// ComponentRBAC is role-based access control.
|
|
|
|
|
ComponentRBAC = "rbac"
|
|
|
|
|
|
2018-11-07 01:21:44 +00:00
|
|
|
// ComponentKeepAlive is keep-alive messages sent from clients to servers
|
|
|
|
|
// and vice versa.
|
|
|
|
|
ComponentKeepAlive = "keepalive"
|
|
|
|
|
|
2022-05-26 22:55:47 +00:00
|
|
|
// ComponentTeleport is the "teleport" binary.
|
|
|
|
|
ComponentTeleport = "teleport"
|
|
|
|
|
|
2018-11-15 22:36:11 +00:00
|
|
|
// ComponentTSH is the "tsh" binary.
|
|
|
|
|
ComponentTSH = "tsh"
|
|
|
|
|
|
Certificate renewal bot (#10099)
* Add certificate renewal bot
This adds a new `tbot` tool to continuously renew a set of
certificates after registering with a Teleport cluster using a
similar process to standard node joining.
This makes some modifications to user certificate generation to allow
for certificates that can be renewed beyond their original TTL, and
exposes new gRPC endpoints:
* `CreateBotJoinToken` creates a join token for a bot user
* `GenerateInitialRenewableUserCerts` exchanges a token for a set of
certificates with a new `renewable` flag set
A new `tctl` command, `tctl bots add`, creates a bot user and calls
`CreateBotJoinToken` to issue a token. A bot instance can then be
started using a provided command.
* Cert bot refactoring pass
* Use role requests to split renewable certs from end-user certs
* Add bot configuration file
* Use `teleport.dev/bot` label
* Remove `impersonator` flag on initial bot certs
* Remove unnecessary `renew` package
* Misc other cleanup
* Do not pass through `renewable` flag when role requests are set
This adds additional restrictions on when a certificate's `renewable`
flag is carried over to a new certificate. In particular, it now also
denies the flag when either role requests are present, or the
`disallowReissue` flag has been previously set.
In practice `disallow-reissue` would have prevented any undesired
behavior but this improves consistency and resolves a TODO.
* Various tbot UX improvements; render SSH config
* Fully flesh out config template rendering
* Fix rendering for SSH configuration templates
* Added `String()` impls for destination types
* Improve certificate renewal logging; show more detail
* Properly fall back to default (all) roles
* Add mode hints for files
* Add/update copyright headers
* Add stubs for tbot init and watch commands
* Add gRPC endpoints for managing bots
* Add `CreateBot`, `DeleteBot`, and `GetBotUsers` gRPC endpoints
* Replace `tctl bot (add|rm|ls)` implementations with gRPC calls
* Define a few new constants, `DefaultBotJoinTTL`, `BotLabel`,
`BotGenerationLabel`
* Fix outdated destination flag in example tbot command
* Bugfix pass for demo
* Fixed a few nil pointer derefs when using config from CLI args
* Properly create destination if `--destination-dir` flag is used
* Remove improper default on CLI flag
* `DestinationConfig` is now a list of pointers
* Address first wave of review feedback
Fixes the majority of smaller issues caught by reviewers, thanks all!
* Add doc comments for bot.go functions
* Return the token TTL from CreateBot
* Split initial user cert issuance from `generateUserCerts()`
Issuing initial renewable certificate ended up requiring a lot of
hacks to skip checks that prevented anonymous bots from getting
certs even though we'd verified their identity elsewhere (via token).
This reverts all those hacks and splits initial bot cert logic into a
dedicated `generateInitialRenewableUserCerts()` function which should
make the whole process much easier to follow.
* Set bot traits to silence log messages
* tbot log message consistency pass
* Resolve lints
* Add config tests
* Remove CreateBotJoinToken endpoint
Users should instead use the CreateBot/DeleteBot endpoints.
* Create a fresh private key for every impersonated identity renewal
* Hide `config` subcommand
* Rename bot label prefix to `teleport.internal/`
* Use types.NewRole() to create bot roles
* Clean up error handling in custom YAML unmarshallers
Also, add notes about the supported YAML shapes.
* Fetch proxy host via gRPC Ping() instead of GetProxies()
* Update lib/auth/bot.go
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* Fix some review comments
* Add renewable certificate generation checks (#10098)
* Add renewable certificate generation checks
This adds a new validation check for renewable certificates that
maintains a renewal counter as both a certificate extension and a
user label. This counter is used to ensure only a single certificate
lineage can exist: for example, if a renewable certificate is stolen,
only one copy of the certificate can be renewed as the generation
counter will not match
When renewing a certificate, first the generation counter presented
by the user (via their TLS identity) is compared to a value stored
with the associated user (in a new `teleport.dev/bot-generation`
label field). If they aren't equal, the renewal attempt fails.
Otherwise, the generation counter is incremented by 1, stored to the
database using a `CompareAndSwap()` to ensure atomicity, and set on
the generated certificate for use in future renewals.
* Add unit tests for the generation counter
This adds new unit tests to exercise the generation counter checks.
Additionally, it fixes two other renewable cert tests that were
failing.
* Remove certRequestGeneration() function
* Emit audit event when cert generations don't match
* Fully implement `tctl bots lock`
* Show bot name in `tctl bots ls`
* Lock bots when a cert generation mismatch is found
* Make CompareFailed respones from validateGenerationLabel() more actionable
* Update lib/services/local/users.go
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Backend changes for tbot IoT and AWS joining (#10360)
* backend changes
* add token permission check
* pass ctx from caller
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* fix comment typo
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* use UserMetadata instead of Identity in RenewableCertificateGenerationMismatch event
* Client changes for tbot IoT joining (#10397)
* client changes
* delete replaced APIs
* delete unused tbot/auth.go
* add license header
* don't unecessarily fetch host CA
* log fixes
* s/tunnelling/tunneling/
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* auth server addresses may be proxies
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* comment typo fix
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* move *Server methods out of auth_with_roles.go (#10416)
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* Address another batch of review feedback
* Addres another batch of review feedback
Add `Role.SetMetadata()`, simplify more `trace.WrapWithMessage()`
calls, clear some TODOs and lints, and address other misc feedback
items.
* Fix lint
* Add missing doc comments to SaveIdentity / LoadIdentity
* Remove pam tag from tbot build
* Update note about bot lock deletion
* Another pass of review feedback
Ensure all requestable roles exist when creating a bot, adjust the
default renewable cert TTL down to 1 hour, and check types during
`CompareAndSwapUser()`
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2022-02-19 02:41:45 +00:00
|
|
|
// ComponentTBot is the "tbot" binary
|
|
|
|
|
ComponentTBot = "tbot"
|
|
|
|
|
|
2018-11-16 20:23:08 +00:00
|
|
|
// ComponentKubeClient is the Kubernetes client.
|
|
|
|
|
ComponentKubeClient = "client:kube"
|
|
|
|
|
|
Events and GRPC API
This commit introduces several key changes to
Teleport backend and API infrastructure
in order to achieve scalability improvements
on 10K+ node deployments.
Events and plain keyspace
--------------------------
New backend interface supports events,
pagination and range queries
and moves away from buckets to
plain keyspace, what better aligns
with DynamoDB and Etcd featuring similar
interfaces.
All backend implementations are
exposing Events API, allowing
multiple subscribers to consume the same
event stream and avoid polling database.
Replacing BoltDB, Dir with SQLite
-------------------------------
BoltDB backend does not support
having two processes access the database at the
same time. This prevented Teleport
using BoltDB backend to be live reloaded.
SQLite supports reads/writes by multiple
processes and makes Dir backend obsolete
as SQLite is more efficient on larger collections,
supports transactions and can detect data
corruption.
Teleport automatically migrates data from
Bolt and Dir backends into SQLite.
GRPC API and protobuf resources
-------------------------------
GRPC API has been introduced for
the auth server. The auth server now serves both GRPC
and JSON-HTTP API on the same TLS socket and uses
the same client certificate authentication.
All future API methods should use GRPC and HTTP-JSON
API is considered obsolete.
In addition to that some resources like
Server and CertificateAuthority are now
generated from protobuf service specifications in
a way that is fully backward compatible with
original JSON spec and schema, so the same resource
can be encoded and decoded from JSON, YAML
and protobuf.
All models should be refactored
into new proto specification over time.
Streaming presence service
--------------------------
In order to cut bandwidth, nodes
are sending full updates only when changes
to labels or spec have occured, otherwise
new light-weight GRPC keep alive updates are sent
over to the presence service, reducing
bandwidth usage on multi-node deployments.
In addition to that nodes are no longer polling
auth server for certificate authority rotation
updates, instead they subscribe to event updates
to detect updates as soon as they happen.
This is a new API, so the errors are inevitable,
that's why polling is still done, but
on a way slower rate.
2018-11-07 23:33:38 +00:00
|
|
|
// ComponentBuffer is in-memory event circular buffer
|
|
|
|
|
// used to broadcast events to subscribers.
|
|
|
|
|
ComponentBuffer = "buffer"
|
|
|
|
|
|
2019-11-16 00:39:40 +00:00
|
|
|
// ComponentBPF is the eBPF packagae.
|
|
|
|
|
ComponentBPF = "bpf"
|
|
|
|
|
|
2021-07-14 20:27:53 +00:00
|
|
|
// ComponentRestrictedSession is restriction of user access to kernel objects
|
|
|
|
|
ComponentRestrictedSession = "restrictedsess"
|
|
|
|
|
|
2019-11-16 00:39:40 +00:00
|
|
|
// ComponentCgroup is the cgroup package.
|
|
|
|
|
ComponentCgroup = "cgroups"
|
|
|
|
|
|
2020-10-30 17:19:53 +00:00
|
|
|
// ComponentKube is an Kubernetes API gateway.
|
|
|
|
|
ComponentKube = "kubernetes"
|
|
|
|
|
|
2021-03-05 19:09:02 +00:00
|
|
|
// ComponentSAML is a SAML service provider.
|
|
|
|
|
ComponentSAML = "saml"
|
|
|
|
|
|
2021-07-29 02:37:28 +00:00
|
|
|
// ComponentMetrics is a metrics server
|
|
|
|
|
ComponentMetrics = "metrics"
|
|
|
|
|
|
2021-08-11 22:28:19 +00:00
|
|
|
// ComponentWindowsDesktop is a Windows desktop access server.
|
|
|
|
|
ComponentWindowsDesktop = "windows_desktop"
|
|
|
|
|
|
2022-05-26 22:55:47 +00:00
|
|
|
// ComponentTracing is a tracing exporter
|
|
|
|
|
ComponentTracing = "tracing"
|
|
|
|
|
|
2022-06-01 00:37:31 +00:00
|
|
|
// ComponentInstance is an abstract component common to all services.
|
|
|
|
|
ComponentInstance = "instance"
|
|
|
|
|
|
2022-08-02 16:21:21 +00:00
|
|
|
// ComponentVersionControl is the component common to all version control operations.
|
|
|
|
|
ComponentVersionControl = "version-control"
|
|
|
|
|
|
2022-12-05 17:13:54 +00:00
|
|
|
// ComponentUsageReporting is the component responsible for reporting usage metrics.
|
|
|
|
|
ComponentUsageReporting = "usage-reporting"
|
|
|
|
|
|
2023-04-03 10:08:55 +00:00
|
|
|
// ComponentAthena represents athena clients.
|
|
|
|
|
ComponentAthena = "athena"
|
|
|
|
|
|
2023-05-06 02:14:44 +00:00
|
|
|
// ComponentProxySecureGRPC represents secure gRPC server running on Proxy (used for Kube).
|
|
|
|
|
ComponentProxySecureGRPC = "proxy:secure-grpc"
|
|
|
|
|
|
2023-06-21 01:28:56 +00:00
|
|
|
// ComponentAssist represents Teleport Assist
|
|
|
|
|
ComponentAssist = "assist"
|
|
|
|
|
|
2016-12-26 06:12:23 +00:00
|
|
|
// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
|
|
|
|
|
VerboseLogsEnvVar = "TELEPORT_DEBUG"
|
2016-09-10 04:44:04 +00:00
|
|
|
|
2018-12-12 00:22:44 +00:00
|
|
|
// IterationsEnvVar sets tests iterations to run
|
|
|
|
|
IterationsEnvVar = "ITERATIONS"
|
|
|
|
|
|
2016-09-10 04:44:04 +00:00
|
|
|
// DefaultTerminalWidth defines the default width of a server-side allocated
|
|
|
|
|
// pseudo TTY
|
|
|
|
|
DefaultTerminalWidth = 80
|
|
|
|
|
|
|
|
|
|
// DefaultTerminalHeight defines the default height of a server-side allocated
|
|
|
|
|
// pseudo TTY
|
|
|
|
|
DefaultTerminalHeight = 25
|
|
|
|
|
|
|
|
|
|
// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
|
|
|
|
|
// is not defined)
|
|
|
|
|
SafeTerminalType = "xterm"
|
2016-12-24 03:02:59 +00:00
|
|
|
|
2017-01-13 00:04:00 +00:00
|
|
|
// DataDirParameterName is the name of the data dir configuration parameter passed
|
|
|
|
|
// to all backends during initialization
|
|
|
|
|
DataDirParameterName = "data_dir"
|
2017-01-17 19:24:17 +00:00
|
|
|
|
2022-09-27 14:00:24 +00:00
|
|
|
// KeepAliveReqType is a SSH request type to keep the connection alive. A client and
|
|
|
|
|
// a server keep pining each other with it.
|
2017-01-30 19:31:37 +00:00
|
|
|
KeepAliveReqType = "keepalive@openssh.com"
|
|
|
|
|
|
2022-09-27 14:00:24 +00:00
|
|
|
// ClusterDetailsReqType is the name of a global request which returns cluster details like
|
|
|
|
|
// if the proxy is recording sessions or not and if FIPS is enabled.
|
|
|
|
|
ClusterDetailsReqType = "cluster-details@goteleport.com"
|
|
|
|
|
|
2017-08-25 03:24:47 +00:00
|
|
|
// JSON means JSON serialization format
|
|
|
|
|
JSON = "json"
|
2017-11-18 00:40:41 +00:00
|
|
|
|
2019-02-21 09:46:50 +00:00
|
|
|
// YAML means YAML serialization format
|
|
|
|
|
YAML = "yaml"
|
|
|
|
|
|
|
|
|
|
// Text means text serialization format
|
|
|
|
|
Text = "text"
|
|
|
|
|
|
2023-04-06 23:20:00 +00:00
|
|
|
// PTY is a raw PTY session capture format
|
2020-10-17 22:01:45 +00:00
|
|
|
PTY = "pty"
|
|
|
|
|
|
2020-10-01 19:12:25 +00:00
|
|
|
// Names is for formatting node names in plain text
|
|
|
|
|
Names = "names"
|
|
|
|
|
|
2017-11-18 00:40:41 +00:00
|
|
|
// LinuxAdminGID is the ID of the standard adm group on linux
|
|
|
|
|
LinuxAdminGID = 4
|
|
|
|
|
|
|
|
|
|
// DirMaskSharedGroup is the mask for a directory accessible
|
|
|
|
|
// by the owner and group
|
2023-04-03 10:08:55 +00:00
|
|
|
DirMaskSharedGroup = 0o770
|
2017-11-25 01:09:11 +00:00
|
|
|
|
|
|
|
|
// FileMaskOwnerOnly is the file mask that allows read write access
|
|
|
|
|
// to owers only
|
2023-04-03 10:08:55 +00:00
|
|
|
FileMaskOwnerOnly = 0o600
|
2017-11-25 01:09:11 +00:00
|
|
|
|
|
|
|
|
// On means mode is on
|
|
|
|
|
On = "on"
|
|
|
|
|
|
|
|
|
|
// Off means mode is off
|
|
|
|
|
Off = "off"
|
2018-03-04 02:26:44 +00:00
|
|
|
|
2020-07-15 00:15:01 +00:00
|
|
|
// GCSTestURI turns on GCS tests
|
|
|
|
|
GCSTestURI = "TEST_GCS_URI"
|
|
|
|
|
|
2023-07-20 15:46:18 +00:00
|
|
|
// AZBlobTestURI specifies the storage account URL to use for Azure Blob
|
|
|
|
|
// Storage tests.
|
|
|
|
|
AZBlobTestURI = "TEST_AZBLOB_URI"
|
|
|
|
|
|
2020-07-15 00:15:01 +00:00
|
|
|
// AWSRunTests turns on tests executed against AWS directly
|
|
|
|
|
AWSRunTests = "TEST_AWS"
|
2023-08-16 22:37:20 +00:00
|
|
|
|
|
|
|
|
// AWSRunDBTests turns on tests executed against AWS databases directly.
|
|
|
|
|
AWSRunDBTests = "TEST_AWS_DB"
|
2020-07-15 00:15:01 +00:00
|
|
|
|
2019-02-09 22:39:18 +00:00
|
|
|
// Region is AWS region parameter
|
|
|
|
|
Region = "region"
|
|
|
|
|
|
2019-10-09 18:58:18 +00:00
|
|
|
// Endpoint is an optional Host for non-AWS S3
|
|
|
|
|
Endpoint = "endpoint"
|
|
|
|
|
|
|
|
|
|
// Insecure is an optional switch to use HTTP instead of HTTPS
|
|
|
|
|
Insecure = "insecure"
|
|
|
|
|
|
|
|
|
|
// DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
|
|
|
|
|
DisableServerSideEncryption = "disablesse"
|
|
|
|
|
|
2021-12-14 20:31:56 +00:00
|
|
|
// ACL is the canned ACL to send to S3
|
|
|
|
|
ACL = "acl"
|
|
|
|
|
|
2021-12-06 22:46:28 +00:00
|
|
|
// SSEKMSKey is an optional switch to use an KMS CMK key for S3 SSE.
|
|
|
|
|
SSEKMSKey = "sse_kms_key"
|
|
|
|
|
|
2022-11-22 23:27:59 +00:00
|
|
|
// SchemeFile configures local disk-based file storage for audit events
|
2018-03-04 02:26:44 +00:00
|
|
|
SchemeFile = "file"
|
|
|
|
|
|
2019-07-24 22:04:13 +00:00
|
|
|
// SchemeStdout outputs audit log entries to stdout
|
|
|
|
|
SchemeStdout = "stdout"
|
|
|
|
|
|
2022-11-22 23:27:59 +00:00
|
|
|
// SchemeS3 is used for S3-like object storage
|
|
|
|
|
SchemeS3 = "s3"
|
|
|
|
|
|
|
|
|
|
// SchemeGCS is used for Google Cloud Storage
|
|
|
|
|
SchemeGCS = "gs"
|
|
|
|
|
|
2023-07-20 15:46:18 +00:00
|
|
|
// SchemeAZBlob is the Azure Blob Storage scheme, used as the scheme in the
|
|
|
|
|
// session storage URI to identify a storage account accessed over https.
|
|
|
|
|
SchemeAZBlob = "azblob"
|
|
|
|
|
|
|
|
|
|
// SchemeAZBlobHTTP is the Azure Blob Storage scheme, used as the scheme in the
|
|
|
|
|
// session storage URI to identify a storage account accessed over http.
|
|
|
|
|
SchemeAZBlobHTTP = "azblob-http"
|
|
|
|
|
|
2018-03-04 02:26:44 +00:00
|
|
|
// LogsDir is a log subdirectory for events and logs
|
|
|
|
|
LogsDir = "log"
|
2018-04-03 22:41:12 +00:00
|
|
|
|
|
|
|
|
// Syslog is a mode for syslog logging
|
|
|
|
|
Syslog = "syslog"
|
2018-04-08 21:37:33 +00:00
|
|
|
|
|
|
|
|
// HumanDateFormat is a human readable date formatting
|
|
|
|
|
HumanDateFormat = "Jan _2 15:04 UTC"
|
|
|
|
|
|
|
|
|
|
// HumanDateFormatMilli is a human readable date formatting with milliseconds
|
|
|
|
|
HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
|
2019-02-10 01:43:59 +00:00
|
|
|
|
|
|
|
|
// DebugLevel is a debug logging level name
|
|
|
|
|
DebugLevel = "debug"
|
2020-10-08 21:02:50 +00:00
|
|
|
|
|
|
|
|
// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
|
|
|
|
|
MinimumEtcdVersion = "3.3.0"
|
2016-03-14 21:07:45 +00:00
|
|
|
)
|
2017-03-21 20:56:05 +00:00
|
|
|
|
2020-03-07 01:50:16 +00:00
|
|
|
const (
|
|
|
|
|
// These values are from https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
|
|
|
|
|
|
|
|
// OIDCPromptSelectAccount instructs the Authorization Server to
|
|
|
|
|
// prompt the End-User to select a user account.
|
|
|
|
|
OIDCPromptSelectAccount = "select_account"
|
|
|
|
|
|
|
|
|
|
// OIDCAccessTypeOnline indicates that OIDC flow should be performed
|
|
|
|
|
// with Authorization server and user connected online
|
|
|
|
|
OIDCAccessTypeOnline = "online"
|
|
|
|
|
)
|
|
|
|
|
|
2018-02-08 02:32:50 +00:00
|
|
|
// Component generates "component:subcomponent1:subcomponent2" strings used
|
|
|
|
|
// in debugging
|
|
|
|
|
func Component(components ...string) string {
|
|
|
|
|
return strings.Join(components, ":")
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-05 21:43:42 +00:00
|
|
|
const (
|
|
|
|
|
// AuthorizedKeys are public keys that check against User CAs.
|
|
|
|
|
AuthorizedKeys = "authorized_keys"
|
|
|
|
|
// KnownHosts are public keys that check against Host CAs.
|
|
|
|
|
KnownHosts = "known_hosts"
|
|
|
|
|
)
|
|
|
|
|
|
2017-03-21 20:56:05 +00:00
|
|
|
const (
|
2020-06-12 00:07:45 +00:00
|
|
|
// CertExtensionPermitX11Forwarding allows X11 forwarding for certificate
|
|
|
|
|
CertExtensionPermitX11Forwarding = "permit-X11-forwarding"
|
2017-03-21 20:56:05 +00:00
|
|
|
// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
|
|
|
|
|
CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
|
|
|
|
|
// CertExtensionPermitPTY allows user to request PTY
|
|
|
|
|
CertExtensionPermitPTY = "permit-pty"
|
|
|
|
|
// CertExtensionPermitPortForwarding allows user to request port forwarding
|
|
|
|
|
CertExtensionPermitPortForwarding = "permit-port-forwarding"
|
2017-05-17 17:36:25 +00:00
|
|
|
// CertExtensionTeleportRoles is used to propagate teleport roles
|
|
|
|
|
CertExtensionTeleportRoles = "teleport-roles"
|
2019-07-22 23:58:38 +00:00
|
|
|
// CertExtensionTeleportRouteToCluster is used to encode
|
|
|
|
|
// the target cluster to route to in the certificate
|
|
|
|
|
CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
|
2019-08-02 00:19:49 +00:00
|
|
|
// CertExtensionTeleportTraits is used to propagate traits about the user.
|
|
|
|
|
CertExtensionTeleportTraits = "teleport-traits"
|
2019-11-07 05:00:32 +00:00
|
|
|
// CertExtensionTeleportActiveRequests is used to track which privilege
|
|
|
|
|
// escalation requests were used to construct the certificate.
|
|
|
|
|
CertExtensionTeleportActiveRequests = "teleport-active-requests"
|
2021-02-11 04:29:00 +00:00
|
|
|
// CertExtensionMFAVerified is used to mark certificates issued after an MFA
|
|
|
|
|
// check.
|
|
|
|
|
CertExtensionMFAVerified = "mfa-verified"
|
2022-12-07 17:00:38 +00:00
|
|
|
// CertExtensionPreviousIdentityExpires is the extension that stores an RFC3339
|
|
|
|
|
// timestamp representing the expiry time of the identity/cert that this
|
|
|
|
|
// identity/cert was derived from. It is used to determine a session's hard
|
|
|
|
|
// deadline in cases where both require_session_mfa and disconnect_expired_cert
|
|
|
|
|
// are enabled. See https://github.com/gravitational/teleport/issues/18544.
|
|
|
|
|
CertExtensionPreviousIdentityExpires = "prev-identity-expires"
|
2023-02-15 19:36:19 +00:00
|
|
|
// CertExtensionLoginIP is used to embed the IP of the client that created
|
2021-02-11 04:29:00 +00:00
|
|
|
// the certificate.
|
2023-02-15 19:36:19 +00:00
|
|
|
CertExtensionLoginIP = "login-ip"
|
2021-03-19 23:04:43 +00:00
|
|
|
// CertExtensionImpersonator is set when one user has requested certificates
|
|
|
|
|
// for another user
|
|
|
|
|
CertExtensionImpersonator = "impersonator"
|
Allow impersonation of roles without users (#9561)
* Allow impersonation of roles without users
This adds the ability to impersonate one or more roles without
impersonating a particular user.
In Teleport today, when creating an impersonator role, both users and
roles must be specified as impersonation is fundamentally tied to an
existing Teleport user:
```yaml
allow:
impersonate:
users: ['jenkins']
roles: ['jenkins']
```
This is inconvenient for two reasons:
1. A user must exist for each set of roles you'd like to
impersonate, creating a UX burden.
2. It makes it difficult to use impersonation to reduce one's
permissions as you always inherit all of the roles granted to the
target user.
For the [certificate bot][bot] we'd instead like to use impersonation
to generate end-user (impersonated) certificates with a reduced set
of permissions. For example, given the following role:
```yaml
allow:
impersonate:
roles: ['jenkins', 'deploy']
```
We can then use `GenerateUserCerts` to issue certifices for a subset
of the allowed roles, e.g. one set of certificates with only the
`jenkins` role attached, and another with only `deploy`.
To that end, this patch:
1. Removes the requirement that roles define both `users` and
`roles` in impersonate conditions
2. Introduces a new `RoleRequests` field in `UserCertsRequest`
3. Modifies `generateUserCerts` to gather `roles` from
`RoleRequests` if allowed by an `allow` (with no `users`)
[bot]: https://github.com/gravitational/teleport/pull/7986
* Add `determineDesiredRolesAndTraits`; audit log on role impersonation
This splits initial role and trait determination into a new function,
`determineDesiredRolesAndTraits`, to improve control flow and clarity
given the new branches introduced for role impersonation.
Additionally, this moves the call to `CheckRoleImpersonation` down
to match regular user impersonation's flow, and emits an audit log
event on failure.
* Formatting fix
* Unit testing for role requests
This adds a new set of unit tests for role requests.
Also discovered the `impersonator` field wasn't being set for
role impersonation, so it's now set to the user's own username.
In other words, role impersonation will appear (in the audit log and
elsewhere) as self-impersonation.
* Clean up testing users between runs
* Deny most reimpersonation cases and add tests
This attempts to deny most cases of reimpersonation, where an
impersonated certificate might be used to generate certificates for
other roles the user is allowed to impersonate.
One test case is currently failing pending a solution.
* Add new DisallowReissue certificate extension
This adds a new DisallowReissue certificate extension that, if set,
prevents that identity from interacting with `GenerateUserCerts`.
This flag is always set when RoleRequests are used to prevent
unintended privilege escalation (while avoiding breaking changes to
Teleport's existing certificate generation behavior).
* Fix test lints
* Fix typo
* Fix test doc typo, add testcase for user impersonation misuse
* Apply suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Accept context in CreateRole per review feedback
* Fix misleading comment
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2022-01-14 22:15:13 +00:00
|
|
|
// CertExtensionDisallowReissue is set when a certificate should not be allowed
|
|
|
|
|
// to request future certificates.
|
|
|
|
|
CertExtensionDisallowReissue = "disallow-reissue"
|
Certificate renewal bot (#10099)
* Add certificate renewal bot
This adds a new `tbot` tool to continuously renew a set of
certificates after registering with a Teleport cluster using a
similar process to standard node joining.
This makes some modifications to user certificate generation to allow
for certificates that can be renewed beyond their original TTL, and
exposes new gRPC endpoints:
* `CreateBotJoinToken` creates a join token for a bot user
* `GenerateInitialRenewableUserCerts` exchanges a token for a set of
certificates with a new `renewable` flag set
A new `tctl` command, `tctl bots add`, creates a bot user and calls
`CreateBotJoinToken` to issue a token. A bot instance can then be
started using a provided command.
* Cert bot refactoring pass
* Use role requests to split renewable certs from end-user certs
* Add bot configuration file
* Use `teleport.dev/bot` label
* Remove `impersonator` flag on initial bot certs
* Remove unnecessary `renew` package
* Misc other cleanup
* Do not pass through `renewable` flag when role requests are set
This adds additional restrictions on when a certificate's `renewable`
flag is carried over to a new certificate. In particular, it now also
denies the flag when either role requests are present, or the
`disallowReissue` flag has been previously set.
In practice `disallow-reissue` would have prevented any undesired
behavior but this improves consistency and resolves a TODO.
* Various tbot UX improvements; render SSH config
* Fully flesh out config template rendering
* Fix rendering for SSH configuration templates
* Added `String()` impls for destination types
* Improve certificate renewal logging; show more detail
* Properly fall back to default (all) roles
* Add mode hints for files
* Add/update copyright headers
* Add stubs for tbot init and watch commands
* Add gRPC endpoints for managing bots
* Add `CreateBot`, `DeleteBot`, and `GetBotUsers` gRPC endpoints
* Replace `tctl bot (add|rm|ls)` implementations with gRPC calls
* Define a few new constants, `DefaultBotJoinTTL`, `BotLabel`,
`BotGenerationLabel`
* Fix outdated destination flag in example tbot command
* Bugfix pass for demo
* Fixed a few nil pointer derefs when using config from CLI args
* Properly create destination if `--destination-dir` flag is used
* Remove improper default on CLI flag
* `DestinationConfig` is now a list of pointers
* Address first wave of review feedback
Fixes the majority of smaller issues caught by reviewers, thanks all!
* Add doc comments for bot.go functions
* Return the token TTL from CreateBot
* Split initial user cert issuance from `generateUserCerts()`
Issuing initial renewable certificate ended up requiring a lot of
hacks to skip checks that prevented anonymous bots from getting
certs even though we'd verified their identity elsewhere (via token).
This reverts all those hacks and splits initial bot cert logic into a
dedicated `generateInitialRenewableUserCerts()` function which should
make the whole process much easier to follow.
* Set bot traits to silence log messages
* tbot log message consistency pass
* Resolve lints
* Add config tests
* Remove CreateBotJoinToken endpoint
Users should instead use the CreateBot/DeleteBot endpoints.
* Create a fresh private key for every impersonated identity renewal
* Hide `config` subcommand
* Rename bot label prefix to `teleport.internal/`
* Use types.NewRole() to create bot roles
* Clean up error handling in custom YAML unmarshallers
Also, add notes about the supported YAML shapes.
* Fetch proxy host via gRPC Ping() instead of GetProxies()
* Update lib/auth/bot.go
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* Fix some review comments
* Add renewable certificate generation checks (#10098)
* Add renewable certificate generation checks
This adds a new validation check for renewable certificates that
maintains a renewal counter as both a certificate extension and a
user label. This counter is used to ensure only a single certificate
lineage can exist: for example, if a renewable certificate is stolen,
only one copy of the certificate can be renewed as the generation
counter will not match
When renewing a certificate, first the generation counter presented
by the user (via their TLS identity) is compared to a value stored
with the associated user (in a new `teleport.dev/bot-generation`
label field). If they aren't equal, the renewal attempt fails.
Otherwise, the generation counter is incremented by 1, stored to the
database using a `CompareAndSwap()` to ensure atomicity, and set on
the generated certificate for use in future renewals.
* Add unit tests for the generation counter
This adds new unit tests to exercise the generation counter checks.
Additionally, it fixes two other renewable cert tests that were
failing.
* Remove certRequestGeneration() function
* Emit audit event when cert generations don't match
* Fully implement `tctl bots lock`
* Show bot name in `tctl bots ls`
* Lock bots when a cert generation mismatch is found
* Make CompareFailed respones from validateGenerationLabel() more actionable
* Update lib/services/local/users.go
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Backend changes for tbot IoT and AWS joining (#10360)
* backend changes
* add token permission check
* pass ctx from caller
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* fix comment typo
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* use UserMetadata instead of Identity in RenewableCertificateGenerationMismatch event
* Client changes for tbot IoT joining (#10397)
* client changes
* delete replaced APIs
* delete unused tbot/auth.go
* add license header
* don't unecessarily fetch host CA
* log fixes
* s/tunnelling/tunneling/
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* auth server addresses may be proxies
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* comment typo fix
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* move *Server methods out of auth_with_roles.go (#10416)
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* Address another batch of review feedback
* Addres another batch of review feedback
Add `Role.SetMetadata()`, simplify more `trace.WrapWithMessage()`
calls, clear some TODOs and lints, and address other misc feedback
items.
* Fix lint
* Add missing doc comments to SaveIdentity / LoadIdentity
* Remove pam tag from tbot build
* Update note about bot lock deletion
* Another pass of review feedback
Ensure all requestable roles exist when creating a bot, adjust the
default renewable cert TTL down to 1 hour, and check types during
`CompareAndSwapUser()`
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2022-02-19 02:41:45 +00:00
|
|
|
// CertExtensionRenewable is a flag to indicate the certificate may be
|
|
|
|
|
// renewed.
|
|
|
|
|
CertExtensionRenewable = "renewable"
|
|
|
|
|
// CertExtensionGeneration counts the number of times a certificate has
|
|
|
|
|
// been renewed.
|
|
|
|
|
CertExtensionGeneration = "generation"
|
2022-05-27 16:23:18 +00:00
|
|
|
// CertExtensionAllowedResources lists the resources which this certificate
|
|
|
|
|
// should be allowed to access
|
2022-06-03 00:04:44 +00:00
|
|
|
CertExtensionAllowedResources = "teleport-allowed-resources"
|
2022-09-02 08:17:21 +00:00
|
|
|
// CertExtensionConnectionDiagnosticID contains the ID of the ConnectionDiagnostic.
|
|
|
|
|
// The Node/Agent will append connection traces to this diagnostic instance.
|
|
|
|
|
CertExtensionConnectionDiagnosticID = "teleport-connection-diagnostic-id"
|
2022-09-30 23:27:48 +00:00
|
|
|
// CertExtensionPrivateKeyPolicy is used to mark certificates with their supported
|
|
|
|
|
// private key policy.
|
|
|
|
|
CertExtensionPrivateKeyPolicy = "private-key-policy"
|
2022-12-15 15:10:31 +00:00
|
|
|
// CertExtensionDeviceID is the trusted device identifier.
|
|
|
|
|
CertExtensionDeviceID = "teleport-device-id"
|
|
|
|
|
// CertExtensionDeviceAssetTag is the device inventory identifier.
|
|
|
|
|
CertExtensionDeviceAssetTag = "teleport-device-asset-tag"
|
|
|
|
|
// CertExtensionDeviceCredentialID is the identifier for the credential used
|
|
|
|
|
// by the device to authenticate itself.
|
|
|
|
|
CertExtensionDeviceCredentialID = "teleport-device-credential-id"
|
2023-04-23 17:09:49 +00:00
|
|
|
|
|
|
|
|
// CertCriticalOptionSourceAddress is a critical option that defines IP addresses (in CIDR notation)
|
|
|
|
|
// from which this certificate is accepted for authentication.
|
|
|
|
|
// See: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD.
|
|
|
|
|
CertCriticalOptionSourceAddress = "source-address"
|
2017-03-21 20:56:05 +00:00
|
|
|
)
|
2017-04-13 00:04:51 +00:00
|
|
|
|
2022-05-17 16:30:19 +00:00
|
|
|
// Note: when adding new providers to this list, consider updating the help message for --provider flag
|
|
|
|
|
// for `tctl sso configure oidc` and `tctl sso configure saml` commands
|
|
|
|
|
// as well as docs at https://goteleport.com/docs/enterprise/sso/#provider-specific-workarounds
|
2017-04-13 00:04:51 +00:00
|
|
|
const (
|
|
|
|
|
// NetIQ is an identity provider.
|
|
|
|
|
NetIQ = "netiq"
|
2017-05-12 19:14:44 +00:00
|
|
|
// ADFS is Microsoft Active Directory Federation Services
|
|
|
|
|
ADFS = "adfs"
|
2021-06-16 16:00:33 +00:00
|
|
|
// Ping is the common backend for all Ping Identity-branded identity
|
|
|
|
|
// providers (including PingOne, PingFederate, etc).
|
|
|
|
|
Ping = "ping"
|
2022-04-13 22:58:58 +00:00
|
|
|
// Okta should be used for Okta OIDC providers.
|
|
|
|
|
Okta = "okta"
|
2022-04-07 17:54:08 +00:00
|
|
|
// JumpCloud is an identity provider.
|
|
|
|
|
JumpCloud = "jumpcloud"
|
2017-04-13 00:04:51 +00:00
|
|
|
)
|
2017-04-25 21:57:48 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// RemoteCommandSuccess is returned when a command has successfully executed.
|
|
|
|
|
RemoteCommandSuccess = 0
|
|
|
|
|
// RemoteCommandFailure is returned when a command has failed to execute and
|
|
|
|
|
// we don't have another status code for it.
|
|
|
|
|
RemoteCommandFailure = 255
|
2022-02-16 23:51:02 +00:00
|
|
|
// HomeDirNotFound is returned when a the "teleport checkhomedir" command cannot
|
|
|
|
|
// find the user's home directory.
|
|
|
|
|
HomeDirNotFound = 254
|
2017-04-25 21:57:48 +00:00
|
|
|
)
|
2017-05-26 19:28:46 +00:00
|
|
|
|
|
|
|
|
// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
|
|
|
|
|
const MaxEnvironmentFileLines = 1000
|
2017-06-20 00:20:21 +00:00
|
|
|
|
2020-01-30 21:18:43 +00:00
|
|
|
// MaxResourceSize is the maximum size (in bytes) of a serialized resource. This limit is
|
2020-05-06 17:11:06 +00:00
|
|
|
// typically only enforced against resources that are likely to arbitrarily grow (e.g. PluginData).
|
2020-01-30 21:18:43 +00:00
|
|
|
const MaxResourceSize = 1000000
|
|
|
|
|
|
2021-03-01 14:24:22 +00:00
|
|
|
// MaxHTTPRequestSize is the maximum accepted size (in bytes) of the body of
|
|
|
|
|
// a received HTTP request. This limit is meant to be used with utils.ReadAtMost
|
|
|
|
|
// to prevent resource exhaustion attacks.
|
|
|
|
|
const MaxHTTPRequestSize = 10 * 1024 * 1024
|
|
|
|
|
|
|
|
|
|
// MaxHTTPResponseSize is the maximum accepted size (in bytes) of the body of
|
|
|
|
|
// a received HTTP response. This limit is meant to be used with utils.ReadAtMost
|
|
|
|
|
// to prevent resource exhaustion attacks.
|
|
|
|
|
const MaxHTTPResponseSize = 10 * 1024 * 1024
|
|
|
|
|
|
2017-06-20 00:20:21 +00:00
|
|
|
const (
|
2018-01-06 02:28:31 +00:00
|
|
|
// CertificateFormatOldSSH is used to make Teleport interoperate with older
|
2017-06-20 00:20:21 +00:00
|
|
|
// versions of OpenSSH.
|
2018-01-06 02:28:31 +00:00
|
|
|
CertificateFormatOldSSH = "oldssh"
|
2017-06-20 00:20:21 +00:00
|
|
|
|
2018-01-06 02:28:31 +00:00
|
|
|
// CertificateFormatUnspecified is used to check if the format was specified
|
|
|
|
|
// or not.
|
|
|
|
|
CertificateFormatUnspecified = ""
|
2017-06-20 00:20:21 +00:00
|
|
|
)
|
2017-07-24 22:18:46 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// TraitInternalPrefix is the role variable prefix that indicates it's for
|
|
|
|
|
// local accounts.
|
|
|
|
|
TraitInternalPrefix = "internal"
|
|
|
|
|
|
2021-03-30 15:30:34 +00:00
|
|
|
// TraitExternalPrefix is the role variable prefix that indicates the data comes from an external identity provider.
|
|
|
|
|
TraitExternalPrefix = "external"
|
|
|
|
|
|
2021-12-31 12:06:41 +00:00
|
|
|
// TraitTeams is the name of the role variable use to store team
|
|
|
|
|
// membership information
|
|
|
|
|
TraitTeams = "github_teams"
|
|
|
|
|
|
2022-05-11 22:15:11 +00:00
|
|
|
// TraitJWT is the name of the trait containing JWT header for app access.
|
|
|
|
|
TraitJWT = "jwt"
|
|
|
|
|
|
2018-08-06 23:46:19 +00:00
|
|
|
// TraitInternalLoginsVariable is the variable used to store allowed
|
2017-07-24 22:18:46 +00:00
|
|
|
// logins for local accounts.
|
2018-08-06 23:46:19 +00:00
|
|
|
TraitInternalLoginsVariable = "{{internal.logins}}"
|
|
|
|
|
|
2021-10-13 15:39:31 +00:00
|
|
|
// TraitInternalWindowsLoginsVariable is the variable used to store
|
|
|
|
|
// allowed Windows Desktop logins for local accounts.
|
|
|
|
|
TraitInternalWindowsLoginsVariable = "{{internal.windows_logins}}"
|
|
|
|
|
|
2018-08-06 23:46:19 +00:00
|
|
|
// TraitInternalKubeGroupsVariable is the variable used to store allowed
|
|
|
|
|
// kubernetes groups for local accounts.
|
|
|
|
|
TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"
|
2020-04-16 00:04:46 +00:00
|
|
|
|
|
|
|
|
// TraitInternalKubeUsersVariable is the variable used to store allowed
|
|
|
|
|
// kubernetes users for local accounts.
|
|
|
|
|
TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}"
|
2021-01-15 02:21:38 +00:00
|
|
|
|
|
|
|
|
// TraitInternalDBNamesVariable is the variable used to store allowed
|
|
|
|
|
// database names for local accounts.
|
|
|
|
|
TraitInternalDBNamesVariable = "{{internal.db_names}}"
|
|
|
|
|
|
|
|
|
|
// TraitInternalDBUsersVariable is the variable used to store allowed
|
|
|
|
|
// database users for local accounts.
|
|
|
|
|
TraitInternalDBUsersVariable = "{{internal.db_users}}"
|
2022-04-20 20:50:07 +00:00
|
|
|
|
2023-05-18 23:22:14 +00:00
|
|
|
// TraitInternalDBRolesVariable is the variable used to store allowed
|
|
|
|
|
// database roles for automatic database user provisioning.
|
|
|
|
|
TraitInternalDBRolesVariable = "{{internal.db_roles}}"
|
|
|
|
|
|
2022-04-20 20:50:07 +00:00
|
|
|
// TraitInternalAWSRoleARNs is the variable used to store allowed AWS
|
|
|
|
|
// role ARNs for local accounts.
|
|
|
|
|
TraitInternalAWSRoleARNs = "{{internal.aws_role_arns}}"
|
2022-05-11 22:15:11 +00:00
|
|
|
|
2022-12-12 19:34:53 +00:00
|
|
|
// TraitInternalAzureIdentities is the variable used to store allowed
|
|
|
|
|
// Azure identities for local accounts.
|
|
|
|
|
TraitInternalAzureIdentities = "{{internal.azure_identities}}"
|
|
|
|
|
|
2023-01-11 12:33:40 +00:00
|
|
|
// TraitInternalGCPServiceAccounts is the variable used to store allowed
|
|
|
|
|
// GCP service accounts for local accounts.
|
|
|
|
|
TraitInternalGCPServiceAccounts = "{{internal.gcp_service_accounts}}"
|
|
|
|
|
|
2022-05-11 22:15:11 +00:00
|
|
|
// TraitInternalJWTVariable is the variable used to store JWT token for
|
|
|
|
|
// app sessions.
|
|
|
|
|
TraitInternalJWTVariable = "{{internal.jwt}}"
|
2017-07-24 22:18:46 +00:00
|
|
|
)
|
|
|
|
|
|
2017-11-29 00:15:46 +00:00
|
|
|
// SCP is Secure Copy.
|
|
|
|
|
const SCP = "scp"
|
|
|
|
|
|
2021-01-29 17:37:01 +00:00
|
|
|
// AdminRoleName is the name of the default admin role for all local users if
|
2021-03-12 04:23:06 +00:00
|
|
|
// another role is not explicitly assigned
|
2017-09-05 19:20:57 +00:00
|
|
|
const AdminRoleName = "admin"
|
2017-08-16 00:27:51 +00:00
|
|
|
|
2021-03-12 04:23:06 +00:00
|
|
|
const (
|
|
|
|
|
// PresetEditorRoleName is a name of a preset role that allows
|
|
|
|
|
// editing cluster configuration.
|
|
|
|
|
PresetEditorRoleName = "editor"
|
|
|
|
|
|
|
|
|
|
// PresetAccessRoleName is a name of a preset role that allows
|
|
|
|
|
// accessing cluster resources.
|
|
|
|
|
PresetAccessRoleName = "access"
|
|
|
|
|
|
|
|
|
|
// PresetAuditorRoleName is a name of a preset role that allows
|
|
|
|
|
// reading cluster events and playing back session records.
|
|
|
|
|
PresetAuditorRoleName = "auditor"
|
2023-05-26 21:13:26 +00:00
|
|
|
|
2023-06-20 17:21:16 +00:00
|
|
|
// PresetReviewerRoleName is a name of a preset role that allows
|
|
|
|
|
// for reviewing access requests.
|
|
|
|
|
PresetReviewerRoleName = "reviewer"
|
|
|
|
|
|
|
|
|
|
// PresetRequesterRoleName is a name of a preset role that allows
|
|
|
|
|
// for requesting access to resources.
|
|
|
|
|
PresetRequesterRoleName = "requester"
|
|
|
|
|
|
2023-05-26 21:13:26 +00:00
|
|
|
// PresetGroupAccessRoleName is a name of a preset role that allows
|
|
|
|
|
// access to all user groups.
|
|
|
|
|
PresetGroupAccessRoleName = "group-access"
|
2023-06-24 00:25:05 +00:00
|
|
|
|
2023-08-23 13:15:36 +00:00
|
|
|
// PresetDeviceAdminRoleName is the name of the "device-admin" role.
|
|
|
|
|
// The role is used to administer trusted devices.
|
|
|
|
|
PresetDeviceAdminRoleName = "device-admin"
|
|
|
|
|
|
|
|
|
|
// PresetDeviceEnrollRoleName is the name of the "device-enroll" role.
|
|
|
|
|
// The role is used to grant device enrollment powers to users.
|
|
|
|
|
PresetDeviceEnrollRoleName = "device-enroll"
|
|
|
|
|
|
|
|
|
|
// PresetRequireTrustedDeviceRoleName is the name of the
|
|
|
|
|
// "require-trusted-device" role.
|
|
|
|
|
// The role is used as a basis for requiring trusted device access to
|
|
|
|
|
// resources.
|
|
|
|
|
PresetRequireTrustedDeviceRoleName = "require-trusted-device"
|
|
|
|
|
|
2023-06-24 00:25:05 +00:00
|
|
|
// SystemAutomaticAccessApprovalRoleName names a preset role that may
|
|
|
|
|
// automatically approve any Role Access Request
|
|
|
|
|
SystemAutomaticAccessApprovalRoleName = "@teleport-access-approver"
|
2023-07-20 11:42:22 +00:00
|
|
|
|
|
|
|
|
// ConnectMyComputerRoleNamePrefix is the prefix used for roles prepared for individual users
|
|
|
|
|
// during the setup of Connect My Computer. The prefix is followed by the name of the cluster
|
|
|
|
|
// user. See [teleterm.connectmycomputer.RoleSetup].
|
|
|
|
|
ConnectMyComputerRoleNamePrefix = "connect-my-computer-"
|
2021-03-12 04:23:06 +00:00
|
|
|
)
|
|
|
|
|
|
2023-02-09 19:23:29 +00:00
|
|
|
var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}
|
|
|
|
|
|
2023-06-24 00:25:05 +00:00
|
|
|
const (
|
|
|
|
|
// SystemAccessApproverUserName names a Teleport user that acts as
|
|
|
|
|
// an Access Request approver for access plugins
|
|
|
|
|
SystemAccessApproverUserName = "@teleport-access-approval-bot"
|
|
|
|
|
)
|
|
|
|
|
|
2018-11-08 22:34:44 +00:00
|
|
|
// MinClientVersion is the minimum client version required by the server.
|
2021-05-12 00:18:26 +00:00
|
|
|
var MinClientVersion string
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
// Per https://github.com/gravitational/teleport/blob/master/rfd/0012-teleport-versioning.md,
|
|
|
|
|
// only one major version backwards is supported for clients.
|
|
|
|
|
ver := semver.New(Version)
|
|
|
|
|
MinClientVersion = fmt.Sprintf("%d.0.0", ver.Major-1)
|
|
|
|
|
}
|
2018-11-08 22:34:44 +00:00
|
|
|
|
2017-12-28 02:51:46 +00:00
|
|
|
const (
|
|
|
|
|
// RemoteClusterStatusOffline indicates that cluster is considered as
|
|
|
|
|
// offline, since it has missed a series of heartbeats
|
|
|
|
|
RemoteClusterStatusOffline = "offline"
|
|
|
|
|
// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
|
|
|
|
|
// at expected interval
|
|
|
|
|
RemoteClusterStatusOnline = "online"
|
|
|
|
|
)
|
2018-01-22 20:25:11 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// SharedDirMode is a mode for a directory shared with group
|
2023-04-03 10:08:55 +00:00
|
|
|
SharedDirMode = 0o750
|
2018-05-19 23:58:14 +00:00
|
|
|
|
|
|
|
|
// PrivateDirMode is a mode for private directories
|
2023-04-03 10:08:55 +00:00
|
|
|
PrivateDirMode = 0o700
|
2018-01-22 20:25:11 +00:00
|
|
|
)
|
2018-05-04 00:36:08 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// SessionEvent is sent by servers to clients when an audit event occurs on
|
|
|
|
|
// the session.
|
|
|
|
|
SessionEvent = "x-teleport-event"
|
2019-09-09 23:56:26 +00:00
|
|
|
|
|
|
|
|
// VersionRequest is sent by clients to server requesting the Teleport
|
|
|
|
|
// version they are running.
|
|
|
|
|
VersionRequest = "x-teleport-version"
|
2022-02-15 16:02:10 +00:00
|
|
|
|
|
|
|
|
// ForceTerminateRequest is an SSH request to forcefully terminate a session.
|
|
|
|
|
ForceTerminateRequest = "x-teleport-force-terminate"
|
|
|
|
|
|
2022-05-05 19:42:57 +00:00
|
|
|
// TerminalSizeRequest is a request for the terminal size of the session.
|
|
|
|
|
TerminalSizeRequest = "x-teleport-terminal-size"
|
|
|
|
|
|
2022-02-15 16:02:10 +00:00
|
|
|
// MFAPresenceRequest is an SSH request to notify clients that MFA presence is required for a session.
|
|
|
|
|
MFAPresenceRequest = "x-teleport-mfa-presence"
|
|
|
|
|
|
|
|
|
|
// EnvSSHJoinMode is the SSH environment variable that contains the requested participant mode.
|
|
|
|
|
EnvSSHJoinMode = "TELEPORT_SSH_JOIN_MODE"
|
|
|
|
|
|
|
|
|
|
// EnvSSHSessionReason is a reason attached to started sessions meant to describe their intent.
|
|
|
|
|
EnvSSHSessionReason = "TELEPORT_SESSION_REASON"
|
|
|
|
|
|
|
|
|
|
// EnvSSHSessionInvited is an environment variable listning people invited to a session.
|
|
|
|
|
EnvSSHSessionInvited = "TELEPORT_SESSION_JOIN_MODE"
|
2022-03-10 23:04:12 +00:00
|
|
|
|
|
|
|
|
// EnvSSHSessionDisplayParticipantRequirements is set to true or false to indicate if participant
|
|
|
|
|
// requirement information should be printed.
|
|
|
|
|
EnvSSHSessionDisplayParticipantRequirements = "TELEPORT_SESSION_PARTICIPANT_REQUIREMENTS"
|
2022-05-05 19:42:57 +00:00
|
|
|
|
|
|
|
|
// SSHSessionJoinPrincipal is the SSH principal used when joining sessions.
|
|
|
|
|
// This starts with a hyphen so it isn't a valid unix login.
|
|
|
|
|
SSHSessionJoinPrincipal = "-teleport-internal-join"
|
2018-05-04 00:36:08 +00:00
|
|
|
)
|
2018-05-19 23:58:14 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// EnvKubeConfig is environment variable for kubeconfig
|
|
|
|
|
EnvKubeConfig = "KUBECONFIG"
|
|
|
|
|
|
|
|
|
|
// KubeConfigDir is a default directory where k8s stores its user local config
|
|
|
|
|
KubeConfigDir = ".kube"
|
|
|
|
|
|
|
|
|
|
// KubeConfigFile is a default filename where k8s stores its user local config
|
|
|
|
|
KubeConfigFile = "config"
|
|
|
|
|
|
2018-06-10 00:21:14 +00:00
|
|
|
// KubeRunTests turns on kubernetes tests
|
|
|
|
|
KubeRunTests = "TEST_KUBE"
|
|
|
|
|
|
2019-03-25 02:25:58 +00:00
|
|
|
// KubeSystemAuthenticated is a builtin group that allows
|
|
|
|
|
// any user to access common API methods, e.g. discovery methods
|
|
|
|
|
// required for initial client usage
|
|
|
|
|
KubeSystemAuthenticated = "system:authenticated"
|
|
|
|
|
|
2018-06-18 00:53:02 +00:00
|
|
|
// UsageKubeOnly specifies certificate usage metadata
|
|
|
|
|
// that limits certificate to be only used for kubernetes proxying
|
|
|
|
|
UsageKubeOnly = "usage:kube"
|
2020-10-19 00:09:29 +00:00
|
|
|
|
|
|
|
|
// UsageAppOnly specifies a certificate metadata that only allows it to be
|
|
|
|
|
// used for proxying applications.
|
|
|
|
|
UsageAppsOnly = "usage:apps"
|
2021-01-15 02:21:38 +00:00
|
|
|
|
|
|
|
|
// UsageDatabaseOnly specifies certificate usage metadata that only allows
|
|
|
|
|
// it to be used for proxying database connections.
|
|
|
|
|
UsageDatabaseOnly = "usage:db"
|
2021-08-11 22:28:19 +00:00
|
|
|
|
|
|
|
|
// UsageWindowsDesktopOnly specifies certificate usage metadata that limits
|
|
|
|
|
// certificate to be only used for Windows desktop access
|
|
|
|
|
UsageWindowsDesktopOnly = "usage:windows_desktop"
|
2018-06-18 00:53:02 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2020-02-24 18:41:45 +00:00
|
|
|
// NodeIsAmbiguous serves as an identifying error string indicating that
|
|
|
|
|
// the proxy subsystem found multiple nodes matching the specified hostname.
|
|
|
|
|
NodeIsAmbiguous = "err-node-is-ambiguous"
|
2020-08-25 19:02:16 +00:00
|
|
|
|
|
|
|
|
// MaxLeases serves as an identifying error string indicating that the
|
|
|
|
|
// semaphore system is rejecting an acquisition attempt due to max
|
|
|
|
|
// leases having already been reached.
|
|
|
|
|
MaxLeases = "err-max-leases"
|
2018-05-19 23:58:14 +00:00
|
|
|
)
|
2018-07-25 20:56:14 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// OpenBrowserLinux is the command used to open a web browser on Linux.
|
2019-01-31 13:14:47 +00:00
|
|
|
OpenBrowserLinux = "xdg-open"
|
2018-07-25 20:56:14 +00:00
|
|
|
|
|
|
|
|
// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
|
|
|
|
|
OpenBrowserDarwin = "open"
|
|
|
|
|
|
|
|
|
|
// OpenBrowserWindows is the command used to open a web browser on Windows.
|
|
|
|
|
OpenBrowserWindows = "rundll32.exe"
|
2020-05-13 20:23:26 +00:00
|
|
|
|
|
|
|
|
// BrowserNone is the string used to suppress the opening of a browser in
|
|
|
|
|
// response to 'tsh login' commands.
|
|
|
|
|
BrowserNone = "none"
|
2018-07-25 20:56:14 +00:00
|
|
|
)
|
2019-02-28 00:55:57 +00:00
|
|
|
|
2019-11-16 00:39:40 +00:00
|
|
|
const (
|
2020-02-12 21:29:30 +00:00
|
|
|
// ExecSubCommand is the sub-command Teleport uses to re-exec itself for
|
|
|
|
|
// command execution (exec and shells).
|
2019-11-16 00:39:40 +00:00
|
|
|
ExecSubCommand = "exec"
|
2020-02-12 21:29:30 +00:00
|
|
|
|
|
|
|
|
// ForwardSubCommand is the sub-command Teleport uses to re-exec itself
|
|
|
|
|
// for port forwarding.
|
|
|
|
|
ForwardSubCommand = "forward"
|
2022-02-16 23:51:02 +00:00
|
|
|
|
|
|
|
|
// CheckHomeDirSubCommand is the sub-command Teleport uses to re-exec itself
|
|
|
|
|
// to check if the user's home directory exists.
|
|
|
|
|
CheckHomeDirSubCommand = "checkhomedir"
|
2022-06-08 12:24:13 +00:00
|
|
|
|
|
|
|
|
// ParkSubCommand is the sub-command Teleport uses to re-exec itself as a
|
|
|
|
|
// specific UID to prevent the matching user from being deleted before
|
|
|
|
|
// spawning the intended child process.
|
|
|
|
|
ParkSubCommand = "park"
|
2022-07-07 20:08:26 +00:00
|
|
|
|
|
|
|
|
// SFTPSubCommand is the sub-command Teleport uses to re-exec itself to
|
|
|
|
|
// handle SFTP connections.
|
|
|
|
|
SFTPSubCommand = "sftp"
|
2023-01-10 16:46:00 +00:00
|
|
|
|
|
|
|
|
// WaitSubCommand is the sub-command Teleport uses to wait
|
|
|
|
|
// until a domain name stops resolving. Its main use is to ensure no
|
|
|
|
|
// auth instances are still running the previous major version.
|
|
|
|
|
WaitSubCommand = "wait"
|
2020-02-12 21:29:30 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// ChanDirectTCPIP is a SSH channel of type "direct-tcpip".
|
|
|
|
|
ChanDirectTCPIP = "direct-tcpip"
|
|
|
|
|
|
|
|
|
|
// ChanSession is a SSH channel of type "session".
|
|
|
|
|
ChanSession = "session"
|
2019-11-16 00:39:40 +00:00
|
|
|
)
|
|
|
|
|
|
2022-09-28 16:37:18 +00:00
|
|
|
const (
|
|
|
|
|
// GetHomeDirSubsystem is an SSH subsystem request that Teleport
|
|
|
|
|
// uses to get the home directory of a remote user.
|
|
|
|
|
GetHomeDirSubsystem = "gethomedir"
|
2023-04-28 19:16:06 +00:00
|
|
|
|
|
|
|
|
// SFTPSubsystem is the SFTP SSH subsystem.
|
|
|
|
|
SFTPSubsystem = "sftp"
|
2022-09-28 16:37:18 +00:00
|
|
|
)
|
|
|
|
|
|
2020-04-14 22:11:53 +00:00
|
|
|
// A principal name for use in SSH certificates.
|
|
|
|
|
type Principal string
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// The localhost domain, for talking to a proxy or node on the same
|
|
|
|
|
// machine.
|
|
|
|
|
PrincipalLocalhost Principal = "localhost"
|
|
|
|
|
// The IPv4 loopback address, for talking to a proxy or node on the same
|
|
|
|
|
// machine.
|
|
|
|
|
PrincipalLoopbackV4 Principal = "127.0.0.1"
|
|
|
|
|
// The IPv6 loopback address, for talking to a proxy or node on the same
|
|
|
|
|
// machine.
|
|
|
|
|
PrincipalLoopbackV6 Principal = "::1"
|
|
|
|
|
)
|
2020-05-05 23:49:32 +00:00
|
|
|
|
|
|
|
|
// UserSystem defines a user as system.
|
|
|
|
|
const UserSystem = "system"
|
2020-10-19 00:09:29 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// internal application being proxied.
|
|
|
|
|
AppJWTHeader = "teleport-jwt-assertion"
|
|
|
|
|
|
2021-05-06 18:24:49 +00:00
|
|
|
// HostHeader is the name of the Host header.
|
|
|
|
|
HostHeader = "Host"
|
2020-10-19 00:09:29 +00:00
|
|
|
)
|
2021-02-11 04:29:00 +00:00
|
|
|
|
|
|
|
|
// UserSingleUseCertTTL is a TTL for per-connection user certificates.
|
|
|
|
|
const UserSingleUseCertTTL = time.Minute
|
2021-02-18 12:25:46 +00:00
|
|
|
|
|
|
|
|
// StandardHTTPSPort is the default port used for the https URI scheme,
|
|
|
|
|
// cf. RFC 7230 § 2.7.2.
|
|
|
|
|
const StandardHTTPSPort = 443
|
2022-09-01 16:05:03 +00:00
|
|
|
|
2023-04-03 10:14:15 +00:00
|
|
|
const (
|
|
|
|
|
// KubeSessionDisplayParticipantRequirementsQueryParam is the query parameter used to
|
|
|
|
|
// indicate that the client wants to display the participant requirements
|
|
|
|
|
// for the given session.
|
|
|
|
|
KubeSessionDisplayParticipantRequirementsQueryParam = "displayParticipantRequirements"
|
|
|
|
|
// KubeSessionReasonQueryParam is the query parameter used to indicate the reason
|
|
|
|
|
// for the session request.
|
|
|
|
|
KubeSessionReasonQueryParam = "reason"
|
|
|
|
|
// KubeSessionInvitedQueryParam is the query parameter used to indicate the users
|
|
|
|
|
// to invite to the session.
|
|
|
|
|
KubeSessionInvitedQueryParam = "invite"
|
|
|
|
|
)
|
2023-07-28 16:04:22 +00:00
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// KubeLegacyProxySuffix is the suffix used for legacy proxy services when
|
|
|
|
|
// generating their names Server names.
|
|
|
|
|
KubeLegacyProxySuffix = "-proxy_service"
|
|
|
|
|
)
|