self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-22 18:23:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/roles.go
Russell Jones 904b0d0488 Added Application Access. 
Added support for an identity aware, RBAC enforcing, mutually
authenticated, web application proxy to Teleport.

* Updated services.Server to support an application servers.
* Updated services.WebSession to support application sessions.
* Added CRUD RPCs for "AppServers".
* Added CRUD RPCs for "AppSessions".
* Added RBAC support using labels for applications.
* Added JWT signer as a services.CertAuthority type.
* Added support for signing and verifying JWT tokens.
* Refactored dynamic label and heartbeat code into standalone packages.
* Added application support to web proxies and new "app_service" to
  proxy mutually authenticated connections from proxy to an internal
  application.
2020-11-03 14:32:13 -08:00

180 lines
4.9 KiB
Go
Raw Blame History

/*
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package teleport
import (
"fmt"
"strings"
"github.com/gravitational/trace"
)
// Role identifies the role of an SSH connection. Unlike "user roles"
// introduced as part of RBAC in Teleport 1.4+ these are built-in roles used
// for different Teleport components when connecting to each other.
type Role string
type Roles []Role
const (
// RoleAuth is for teleport auth server (authority, authentication and authorization)
RoleAuth Role = "Auth"
// RoleWeb is for web access users
RoleWeb Role = "Web"
// RoleNode is a role for SSH node in the cluster
RoleNode Role = "Node"
// RoleProxy is a role for SSH proxy in the cluster
RoleProxy Role = "Proxy"
// RoleAdmin is admin role
RoleAdmin Role = "Admin"
// RoleProvisionToken is a role for nodes authenticated using provisioning tokens
RoleProvisionToken Role = "ProvisionToken"
// RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
RoleTrustedCluster Role = "Trusted_cluster"
// RoleSignup is for first time signing up users
RoleSignup Role = "Signup"
// RoleNop is used for actions that already using external authz mechanisms
// e.g. tokens or passwords
RoleNop Role = "Nop"
// RoleRemoteProxy is a role for remote SSH proxy in the cluster
RoleRemoteProxy Role = "RemoteProxy"
// RoleKube is a role for a kubernetes service.
RoleKube Role = "Kube"
// RoleApp is a role for a app proxy in the cluster.
RoleApp Role = "App"
)
// this constant exists for backwards compatibility reasons, needed to upgrade to 2.3
const LegacyClusterTokenType Role = "Trustedcluster"
// NewRoles return a list of roles from slice of strings
func NewRoles(in []string) (Roles, error) {
var roles Roles
for _, val := range in {
roles = append(roles, Role(val))
}
return roles, roles.Check()
}
// ParseRoles takes a comma-separated list of roles and returns a slice
// of roles, or an error if parsing failed
func ParseRoles(str string) (Roles, error) {
var roles Roles
for _, s := range strings.Split(str, ",") {
r := Role(strings.Title(strings.ToLower(strings.TrimSpace(s))))
roles = append(roles, r)
}
return roles, roles.Check()
}
// Includes returns 'true' if a given list of roles includes a given role
func (roles Roles) Include(role Role) bool {
for _, r := range roles {
if r == role {
return true
}
}
return false
}
// Slice returns roles as string slice
func (roles Roles) StringSlice() []string {
s := make([]string, 0)
for _, r := range roles {
s = append(s, r.String())
}
return s
}
// asSet returns roles as set (map).
func (roles Roles) asSet() map[Role]struct{} {
s := make(map[Role]struct{}, len(roles))
for _, r := range roles {
s[r] = struct{}{}
}
return s
}
// Equals compares two sets of roles
func (roles Roles) Equals(other Roles) bool {
rs, os := roles.asSet(), other.asSet()
if len(rs) != len(os) {
return false
}
for r := range rs {
if _, ok := os[r]; !ok {
return false
}
}
return true
}
// Check returns an error if the role set is incorrect (contains unknown roles)
func (roles Roles) Check() error {
seen := make(map[Role]struct{})
for _, role := range roles {
if err := role.Check(); err != nil {
return trace.Wrap(err)
}
if _, ok := seen[role]; ok {
return trace.BadParameter("duplicate role %q", role)
}
seen[role] = struct{}{}
}
return nil
}
// String returns comma separated string with roles
func (roles Roles) String() string {
return strings.Join(roles.StringSlice(), ",")
}
// Set sets the value of the role from string, used to integrate with CLI tools
func (r *Role) Set(v string) error {
val := Role(strings.Title(v))
if err := val.Check(); err != nil {
return trace.Wrap(err)
}
*r = val
return nil
}
// String returns debug-friendly representation of this role.
func (r *Role) String() string {
switch string(*r) {
case string(RoleSignup):
return "Password"
case string(RoleTrustedCluster), string(LegacyClusterTokenType):
return "trusted_cluster"
default:
return fmt.Sprintf("%v", string(*r))
}
}
// Check checks if this a a valid role value, returns nil
// if it's ok, false otherwise
func (r *Role) Check() error {
switch *r {
case RoleAuth, RoleWeb, RoleNode, RoleApp,
RoleAdmin, RoleProvisionToken,
RoleTrustedCluster, LegacyClusterTokenType,
RoleSignup, RoleProxy, RoleNop, RoleKube:
return nil
}
return trace.BadParameter("role %v is not registered", *r)
}
Reference in a new issue View git blame Copy permalink