|
|
|
@ -58,12 +58,20 @@ func (a *ServerWithRoles) CloseContext() context.Context {
|
|
|
|
|
return a.authServer.closeCtx
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) actionWithContext(ctx *services.Context, namespace string, resource string, action string) error {
|
|
|
|
|
return a.context.Checker.CheckAccessToRule(ctx, namespace, resource, action, false)
|
|
|
|
|
func (a *ServerWithRoles) actionWithContext(ctx *services.Context, namespace, resource string, verbs ...string) error {
|
|
|
|
|
if len(verbs) == 0 {
|
|
|
|
|
return trace.BadParameter("no verbs provided for authorization check on resource %q", resource)
|
|
|
|
|
}
|
|
|
|
|
var errs []error
|
|
|
|
|
for _, verb := range verbs {
|
|
|
|
|
errs = append(errs, a.context.Checker.CheckAccessToRule(ctx, namespace, resource, verb, false))
|
|
|
|
|
}
|
|
|
|
|
return trace.NewAggregate(errs...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type actionConfig struct {
|
|
|
|
|
quiet bool
|
|
|
|
|
quiet bool
|
|
|
|
|
context Context
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type actionOption func(*actionConfig)
|
|
|
|
@ -74,12 +82,27 @@ func quietAction(quiet bool) actionOption {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) action(namespace string, resource string, action string, opts ...actionOption) error {
|
|
|
|
|
var cfg actionConfig
|
|
|
|
|
func (a *ServerWithRoles) withOptions(opts ...actionOption) actionConfig {
|
|
|
|
|
cfg := actionConfig{context: a.context}
|
|
|
|
|
for _, opt := range opts {
|
|
|
|
|
opt(&cfg)
|
|
|
|
|
}
|
|
|
|
|
return a.context.Checker.CheckAccessToRule(&services.Context{User: a.context.User}, namespace, resource, action, cfg.quiet)
|
|
|
|
|
return cfg
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c actionConfig) action(namespace, resource string, verbs ...string) error {
|
|
|
|
|
if len(verbs) == 0 {
|
|
|
|
|
return trace.BadParameter("no verbs provided for authorization check on resource %q", resource)
|
|
|
|
|
}
|
|
|
|
|
var errs []error
|
|
|
|
|
for _, verb := range verbs {
|
|
|
|
|
errs = append(errs, c.context.Checker.CheckAccessToRule(&services.Context{User: c.context.User}, namespace, resource, verb, c.quiet))
|
|
|
|
|
}
|
|
|
|
|
return trace.NewAggregate(errs...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) action(namespace, resource string, verbs ...string) error {
|
|
|
|
|
return a.withOptions().action(namespace, resource, verbs...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// currentUserAction is a special checker that allows certain actions for users
|
|
|
|
@ -219,10 +242,7 @@ func (a *ServerWithRoles) RotateCertAuthority(req RotateRequest) error {
|
|
|
|
|
if err := req.CheckAndSetDefaults(a.authServer.clock); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.RotateCertAuthority(req)
|
|
|
|
@ -248,10 +268,7 @@ func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error {
|
|
|
|
|
return trace.BadParameter("missing certificate authority")
|
|
|
|
|
}
|
|
|
|
|
ctx := &services.Context{User: a.context.User, Resource: ca}
|
|
|
|
|
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertCertAuthority(ca)
|
|
|
|
@ -260,20 +277,14 @@ func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error {
|
|
|
|
|
// CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority
|
|
|
|
|
// value matches the value stored in the backend.
|
|
|
|
|
func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.CompareAndSwapCertAuthority(new, existing)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetCertAuthorities(caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbReadNoSecrets); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbList, types.VerbReadNoSecrets); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if loadKeys {
|
|
|
|
@ -313,10 +324,7 @@ func (a *ServerWithRoles) GetClusterCACert() (*LocalCAResponse, error) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertLocalClusterName(clusterName string) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertLocalClusterName(clusterName)
|
|
|
|
@ -381,20 +389,14 @@ func (a *ServerWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*Pa
|
|
|
|
|
|
|
|
|
|
// UpsertNodes bulk upserts nodes into the backend.
|
|
|
|
|
func (a *ServerWithRoles) UpsertNodes(namespace string, servers []types.Server) error {
|
|
|
|
|
if err := a.action(namespace, types.KindNode, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(namespace, types.KindNode, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(namespace, types.KindNode, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertNodes(namespace, servers)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error) {
|
|
|
|
|
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertNode(ctx, s)
|
|
|
|
@ -487,14 +489,12 @@ func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (ty
|
|
|
|
|
// complicated logic.
|
|
|
|
|
switch kind.Kind {
|
|
|
|
|
case types.KindCertAuthority:
|
|
|
|
|
verb := types.VerbReadNoSecrets
|
|
|
|
|
if kind.LoadSecrets {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbReadNoSecrets); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
verb = types.VerbRead
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, verb); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
case types.KindAccessRequest:
|
|
|
|
|
var filter types.AccessRequestFilter
|
|
|
|
@ -705,20 +705,14 @@ func (a *ServerWithRoles) filterAndListNodes(ctx context.Context, namespace stri
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertAuthServer(s)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetAuthServers()
|
|
|
|
@ -741,20 +735,14 @@ func (a *ServerWithRoles) DeleteAuthServer(name string) error {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertProxy(s types.Server) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertProxy(s)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetProxies() ([]types.Server, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetProxies()
|
|
|
|
@ -777,10 +765,7 @@ func (a *ServerWithRoles) DeleteProxy(name string) error {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertReverseTunnel(r)
|
|
|
|
@ -794,10 +779,7 @@ func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.Marshal
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetReverseTunnels(opts ...services.MarshalOption) ([]types.ReverseTunnel, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetReverseTunnels(opts...)
|
|
|
|
@ -818,10 +800,7 @@ func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetTokens(ctx context.Context, opts ...services.MarshalOption) ([]types.ProvisionToken, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetTokens(ctx, opts...)
|
|
|
|
@ -835,10 +814,7 @@ func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.Pro
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertToken(ctx, token)
|
|
|
|
@ -1038,7 +1014,7 @@ type webTokensWithRoles struct {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type accessChecker interface {
|
|
|
|
|
action(namespace, resource, action string, opts ...actionOption) error
|
|
|
|
|
action(namespace, resource string, verbs ...string) error
|
|
|
|
|
currentUserAction(user string) error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1049,8 +1025,8 @@ func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.Ac
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// users with read + list permissions can get all requests
|
|
|
|
|
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList, quietAction(true)) == nil {
|
|
|
|
|
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead, quietAction(true)) == nil {
|
|
|
|
|
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList) == nil {
|
|
|
|
|
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead) == nil {
|
|
|
|
|
return a.authServer.GetAccessRequests(ctx, filter)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -1162,10 +1138,7 @@ func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.A
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -1179,12 +1152,12 @@ func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.Plugin
|
|
|
|
|
case types.KindAccessRequest:
|
|
|
|
|
// for backwards compatibility, we allow list/read against access requests to also grant list/read for
|
|
|
|
|
// access request related plugin data.
|
|
|
|
|
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList, quietAction(true)) != nil {
|
|
|
|
|
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList) != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead, quietAction(true)) != nil {
|
|
|
|
|
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead) != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
@ -1201,7 +1174,7 @@ func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.Plu
|
|
|
|
|
case types.KindAccessRequest:
|
|
|
|
|
// for backwards compatibility, we allow update against access requests to also grant update for
|
|
|
|
|
// access request related plugin data.
|
|
|
|
|
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbUpdate, quietAction(true)) != nil {
|
|
|
|
|
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbUpdate) != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
@ -1279,10 +1252,7 @@ func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error) {
|
|
|
|
|
return nil, trace.AccessDenied("this request can be only executed by an admin")
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -1623,10 +1593,7 @@ func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertUser(u types.User) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1905,10 +1872,7 @@ func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.Au
|
|
|
|
|
|
|
|
|
|
// CreateAuditStream creates audit event stream
|
|
|
|
|
func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
role, ok := a.context.Identity.(BuiltinRole)
|
|
|
|
@ -1928,10 +1892,7 @@ func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID)
|
|
|
|
|
|
|
|
|
|
// ResumeAuditStream resumes the stream that has been created
|
|
|
|
|
func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
role, ok := a.context.Identity.(BuiltinRole)
|
|
|
|
@ -1994,20 +1955,14 @@ func (s *streamWithRoles) EmitAuditEvent(ctx context.Context, event apievents.Au
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) EmitAuditEventLegacy(event events.Event, fields events.EventFields) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.alog.EmitAuditEventLegacy(event, fields)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) PostSessionSlice(slice events.SessionSlice) error {
|
|
|
|
|
if err := a.action(slice.Namespace, types.KindEvent, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(slice.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(slice.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.alog.PostSessionSlice(slice)
|
|
|
|
@ -2017,10 +1972,7 @@ func (a *ServerWithRoles) UploadSessionRecording(r events.SessionRecording) erro
|
|
|
|
|
if err := r.CheckAndSetDefaults(); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(r.Namespace, types.KindEvent, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(r.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(r.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.alog.UploadSessionRecording(r)
|
|
|
|
@ -2044,10 +1996,7 @@ func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, aft
|
|
|
|
|
|
|
|
|
|
// GetNamespaces returns a list of namespaces
|
|
|
|
|
func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetNamespaces()
|
|
|
|
@ -2063,10 +2012,7 @@ func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error) {
|
|
|
|
|
|
|
|
|
|
// UpsertNamespace upserts namespace
|
|
|
|
|
func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertNamespace(ns)
|
|
|
|
@ -2082,10 +2028,7 @@ func (a *ServerWithRoles) DeleteNamespace(name string) error {
|
|
|
|
|
|
|
|
|
|
// GetRoles returns a list of roles
|
|
|
|
|
func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetRoles(ctx)
|
|
|
|
@ -2098,10 +2041,7 @@ func (a *ServerWithRoles) CreateRole(role types.Role) error {
|
|
|
|
|
|
|
|
|
|
// UpsertRole creates or updates role.
|
|
|
|
|
func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2198,10 +2138,7 @@ func (a *ServerWithRoles) DeleteStaticTokens() error {
|
|
|
|
|
|
|
|
|
|
// SetClusterConfig sets cluster level configuration.
|
|
|
|
|
func (a *ServerWithRoles) SetClusterConfig(c types.ClusterConfig) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.SetClusterConfig(c)
|
|
|
|
@ -2217,10 +2154,7 @@ func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.
|
|
|
|
|
|
|
|
|
|
// SetClusterName sets the name of the cluster. SetClusterName can only be called once.
|
|
|
|
|
func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.SetClusterName(c)
|
|
|
|
@ -2228,10 +2162,7 @@ func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error {
|
|
|
|
|
|
|
|
|
|
// UpsertClusterName sets the name of the cluster.
|
|
|
|
|
func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertClusterName(c)
|
|
|
|
@ -2247,10 +2178,7 @@ func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error) {
|
|
|
|
|
|
|
|
|
|
// SetStaticTokens sets the list of static tokens used to provision nodes.
|
|
|
|
|
func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.SetStaticTokens(s)
|
|
|
|
@ -2272,10 +2200,8 @@ func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref typ
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, verb := range verbsToReplaceResourceWithOrigin(storedAuthPref) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterAuthPreference, verb); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterAuthPreference, verbsToReplaceResourceWithOrigin(storedAuthPref)...); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.authServer.SetAuthPreference(ctx, newAuthPref)
|
|
|
|
@ -2336,10 +2262,8 @@ func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNet
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, verb := range verbsToReplaceResourceWithOrigin(storedNetConfig) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterNetworkingConfig, verb); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindClusterNetworkingConfig, verbsToReplaceResourceWithOrigin(storedNetConfig)...); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.authServer.SetClusterNetworkingConfig(ctx, newNetConfig)
|
|
|
|
@ -2382,10 +2306,8 @@ func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecC
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, verb := range verbsToReplaceResourceWithOrigin(storedRecConfig) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSessionRecordingConfig, verb); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSessionRecordingConfig, verbsToReplaceResourceWithOrigin(storedRecConfig)...); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.authServer.SetSessionRecordingConfig(ctx, newRecConfig)
|
|
|
|
@ -2444,10 +2366,7 @@ func (a *ServerWithRoles) DeleteAllUsers() error {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2464,10 +2383,7 @@ func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (t
|
|
|
|
|
|
|
|
|
|
// UpsertTrustedCluster creates or updates a trusted cluster.
|
|
|
|
|
func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2489,10 +2405,7 @@ func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertTunnelConnection(conn)
|
|
|
|
@ -2520,20 +2433,14 @@ func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName st
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteTunnelConnections(clusterName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllTunnelConnections() error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteAllTunnelConnections()
|
|
|
|
@ -2601,10 +2508,7 @@ func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllRemoteClusters() error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteAllRemoteClusters()
|
|
|
|
@ -2612,10 +2516,7 @@ func (a *ServerWithRoles) DeleteAllRemoteClusters() error {
|
|
|
|
|
|
|
|
|
|
// AcquireSemaphore acquires lease with requested resources from semaphore.
|
|
|
|
|
func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.AcquireSemaphore(ctx, params)
|
|
|
|
@ -2639,10 +2540,7 @@ func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.
|
|
|
|
|
|
|
|
|
|
// GetSemaphores returns a list of all semaphores matching the supplied filter.
|
|
|
|
|
func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbReadNoSecrets); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbList); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbReadNoSecrets, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetSemaphores(ctx, filter)
|
|
|
|
@ -2668,10 +2566,7 @@ func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
|
|
|
|
|
|
|
|
|
|
// GetDatabaseServers returns all registered database servers.
|
|
|
|
|
func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error) {
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
servers, err := a.authServer.GetDatabaseServers(ctx, namespace, opts...)
|
|
|
|
@ -2696,10 +2591,7 @@ func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace stri
|
|
|
|
|
|
|
|
|
|
// UpsertDatabaseServer creates or updates a new database proxy server.
|
|
|
|
|
func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error) {
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertDatabaseServer(ctx, server)
|
|
|
|
@ -2715,10 +2607,7 @@ func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, h
|
|
|
|
|
|
|
|
|
|
// DeleteAllDatabaseServers removes all registered database proxy servers.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error {
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteAllDatabaseServers(ctx, namespace)
|
|
|
|
@ -2781,10 +2670,7 @@ func (a *ServerWithRoles) canImpersonateBuiltinRole(role types.SystemRole) error
|
|
|
|
|
|
|
|
|
|
// GetAppServers gets all application servers.
|
|
|
|
|
func (a *ServerWithRoles) GetAppServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.Server, error) {
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2819,10 +2705,7 @@ func (a *ServerWithRoles) GetAppServers(ctx context.Context, namespace string, o
|
|
|
|
|
|
|
|
|
|
// UpsertAppServer adds an application server.
|
|
|
|
|
func (a *ServerWithRoles) UpsertAppServer(ctx context.Context, server types.Server) (*types.KeepAlive, error) {
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2843,10 +2726,7 @@ func (a *ServerWithRoles) DeleteAppServer(ctx context.Context, namespace string,
|
|
|
|
|
|
|
|
|
|
// DeleteAllAppServers removes all application servers.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllAppServers(ctx context.Context, namespace string) error {
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(namespace, types.KindAppServer, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2873,10 +2753,7 @@ func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSes
|
|
|
|
|
|
|
|
|
|
// GetAppSessions gets all application web sessions.
|
|
|
|
|
func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2926,10 +2803,7 @@ func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.Delete
|
|
|
|
|
|
|
|
|
|
// DeleteAllAppSessions removes all application web sessions.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2963,10 +2837,7 @@ func (a *ServerWithRoles) WaitForDelivery(context.Context) error {
|
|
|
|
|
// UpsertKubeService creates or updates a Server representing a teleport
|
|
|
|
|
// kubernetes service.
|
|
|
|
|
func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -2995,10 +2866,7 @@ func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server)
|
|
|
|
|
// GetKubeServices returns all Servers representing teleport kubernetes
|
|
|
|
|
// services.
|
|
|
|
|
func (a *ServerWithRoles) GetKubeServices(ctx context.Context) ([]types.Server, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
servers, err := a.authServer.GetKubeServices(ctx)
|
|
|
|
@ -3054,10 +2922,7 @@ func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.Net
|
|
|
|
|
|
|
|
|
|
// SetNetworkRestrictions updates the network restrictions.
|
|
|
|
|
func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.SetNetworkRestrictions(ctx, nr)
|
|
|
|
@ -3146,10 +3011,7 @@ func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock,
|
|
|
|
|
|
|
|
|
|
// GetLocks gets all/in-force locks that match at least one of the targets when specified.
|
|
|
|
|
func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.GetLocks(ctx, inForceOnly, targets...)
|
|
|
|
@ -3157,10 +3019,7 @@ func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, target
|
|
|
|
|
|
|
|
|
|
// UpsertLock upserts a lock.
|
|
|
|
|
func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertLock(ctx, lock)
|
|
|
|
@ -3259,10 +3118,7 @@ func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.D
|
|
|
|
|
|
|
|
|
|
// GetDatabases returns all database resources.
|
|
|
|
|
func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
// Filter out databases user doesn't have access to.
|
|
|
|
@ -3296,10 +3152,7 @@ func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
|
|
|
|
|
|
|
|
|
|
// DeleteAllDatabases removes all database resources.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
// Make sure to only delete databases user has access to.
|
|
|
|
@ -3319,10 +3172,7 @@ func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error {
|
|
|
|
|
|
|
|
|
|
// GetWindowsDesktopServices returns all registered windows desktop services.
|
|
|
|
|
func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
services, err := a.authServer.GetWindowsDesktopServices(ctx)
|
|
|
|
@ -3334,10 +3184,7 @@ func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]type
|
|
|
|
|
|
|
|
|
|
// UpsertWindowsDesktopService creates or updates a new windows desktop service.
|
|
|
|
|
func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbCreate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertWindowsDesktopService(ctx, s)
|
|
|
|
@ -3353,10 +3200,7 @@ func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name
|
|
|
|
|
|
|
|
|
|
// DeleteAllWindowsDesktopServices removes all registered windows desktop services.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteAllWindowsDesktopServices(ctx)
|
|
|
|
@ -3364,10 +3208,7 @@ func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) e
|
|
|
|
|
|
|
|
|
|
// GetWindowsDesktops returns all registered windows desktop hosts.
|
|
|
|
|
func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context) ([]types.WindowsDesktop, error) {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbRead); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList, types.VerbRead); err != nil {
|
|
|
|
|
return nil, trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
hosts, err := a.authServer.GetWindowsDesktops(ctx)
|
|
|
|
@ -3391,10 +3232,7 @@ func (a *ServerWithRoles) GetWindowsDesktop(ctx context.Context, name string) (t
|
|
|
|
|
|
|
|
|
|
// UpsertWindowsDesktop creates or updates a new windows desktop host.
|
|
|
|
|
func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbCreate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbUpdate); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbCreate, types.VerbUpdate); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.UpsertWindowsDesktop(ctx, s)
|
|
|
|
@ -3410,10 +3248,7 @@ func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, name string)
|
|
|
|
|
|
|
|
|
|
// DeleteAllWindowsDesktops removes all registered windows desktop hosts.
|
|
|
|
|
func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbDelete); err != nil {
|
|
|
|
|
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList, types.VerbDelete); err != nil {
|
|
|
|
|
return trace.Wrap(err)
|
|
|
|
|
}
|
|
|
|
|
return a.authServer.DeleteAllWindowsDesktops(ctx)
|
|
|
|
|