mirror of
https://github.com/gravitational/teleport
synced 2024-10-21 09:44:51 +00:00
3c670d5d58
* Add monorepo * Add reset/passwd capability for local users (#3287) * Add UserTokens to allow password resets * Pass context down through ChangePasswordWithToken * Rename UserToken to ResetPasswordToken * Add auto formatting for proto files * Add common Marshaller interfaces to reset password token * Allow enterprise "tctl" reuse OSS user methods (#3344) * Pass localAuthEnabled flag to UI (#3412) * Added LocalAuthEnabled prop to WebConfigAuthSetting struct in webconfig.go * Added LocalAuthEnabled state as part of webCfg in apiserver.go * update e-refs * Fix a regression bug after merge * Update tctl CLI output msgs (#3442) * Use local user client when resolving user roles * Update webapps ref * Add and retrieve fields from Cluster struct (#3476) * Set Teleport versions for node, auth, proxy init heartbeat * Add and retrieve fields NodeCount, PublicURL, AuthVersion from Clusters * Remove debug logging to avoid log pollution when getting public_addr of proxy * Create helper func GuessProxyHost to get the public_addr of a proxy host * Refactor newResetPasswordToken to use GuessProxyHost and remove publicUrl func * Remove webapps submodule * Add webassets submodule * Replace webapps sub-module reference with webassets * Update webassets path in Makefile * Update webassets 1b11b26 Simplify and clean up Makefile (#62) https://github.com/gravitational/webapps/commit/1b11b26 * Retrieve cluster details for user context (#3515) * Let GuessProxyHost also return proxy's version * Unit test GuessProxyHostAndVersion & GetClusterDetails * Update webassets 4dfef4e Fix build pipeline (#66) https://github.com/gravitational/webapps/commit/4dfef4e * Update e-ref * Update webassets 0647568 Fix OSS redirects https://github.com/gravitational/webapps/commit/0647568 * update e-ref * Update webassets e0f4189 Address security audit warnings Updates "minimist" package which is used by 7y old "optimist". https://github.com/gravitational/webapps/commit/e0f4189 * Add new attr to Session struct (#3574) * Add fields ServerHostname and ServerAddr * Set these fields on newSession * Ensure webassets submodule during build * Update e-ref * Ensure webassets before running unit-tests * Update E-ref Co-authored-by: Lisa Kim <lisa@gravitational.com> Co-authored-by: Pierre Beaucamp <pierre@gravitational.com> Co-authored-by: Jenkins <jenkins@gravitational.io>
167 lines
4.5 KiB
Go
167 lines
4.5 KiB
Go
/*
|
|
Copyright 2015 Gravitational, Inc.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
package teleport
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/gravitational/trace"
|
|
)
|
|
|
|
// Role identifies the role of an SSH connection. Unlike "user roles"
|
|
// introduced as part of RBAC in Teleport 1.4+ these are built-in roles used
|
|
// for different Teleport components when connecting to each other.
|
|
type Role string
|
|
type Roles []Role
|
|
|
|
const (
|
|
// RoleAuth is for teleport auth server (authority, authentication and authorization)
|
|
RoleAuth Role = "Auth"
|
|
// RoleWeb is for web access users
|
|
RoleWeb Role = "Web"
|
|
// RoleNode is a role for SSH node in the cluster
|
|
RoleNode Role = "Node"
|
|
// RoleProxy is a role for SSH proxy in the cluster
|
|
RoleProxy Role = "Proxy"
|
|
// RoleAdmin is admin role
|
|
RoleAdmin Role = "Admin"
|
|
// RoleProvisionToken is a role for nodes authenticated using provisioning tokens
|
|
RoleProvisionToken Role = "ProvisionToken"
|
|
// RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
|
|
RoleTrustedCluster Role = "Trusted_cluster"
|
|
// RoleSignup is for first time signing up users
|
|
RoleSignup Role = "Signup"
|
|
// RoleNop is used for actions that already using external authz mechanisms
|
|
// e.g. tokens or passwords
|
|
RoleNop Role = "Nop"
|
|
// RoleRemoteProxy is a role for remote SSH proxy in the cluster
|
|
RoleRemoteProxy Role = "RemoteProxy"
|
|
)
|
|
|
|
// this constant exists for backwards compatibility reasons, needed to upgrade to 2.3
|
|
const LegacyClusterTokenType Role = "Trustedcluster"
|
|
|
|
// NewRoles return a list of roles from slice of strings
|
|
func NewRoles(in []string) (Roles, error) {
|
|
var roles Roles
|
|
for _, val := range in {
|
|
role := Role(val)
|
|
if err := role.Check(); err != nil {
|
|
return nil, trace.Wrap(err)
|
|
}
|
|
roles = append(roles, role)
|
|
}
|
|
return roles, nil
|
|
}
|
|
|
|
// ParseRoles takes a comma-separated list of roles and returns a slice
|
|
// of roles, or an error if parsing failed
|
|
func ParseRoles(str string) (roles Roles, err error) {
|
|
for _, s := range strings.Split(str, ",") {
|
|
r := Role(strings.Title(strings.ToLower(strings.TrimSpace(s))))
|
|
if err = r.Check(); err != nil {
|
|
return nil, trace.Wrap(err)
|
|
}
|
|
roles = append(roles, r)
|
|
}
|
|
return roles, nil
|
|
}
|
|
|
|
// Includes returns 'true' if a given list of roles includes a given role
|
|
func (roles Roles) Include(role Role) bool {
|
|
for _, r := range roles {
|
|
if r == role {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Slice returns roles as string slice
|
|
func (roles Roles) StringSlice() []string {
|
|
s := make([]string, 0)
|
|
for _, r := range roles {
|
|
s = append(s, r.String())
|
|
}
|
|
return s
|
|
}
|
|
|
|
// Equals compares two sets of roles
|
|
func (roles Roles) Equals(other Roles) bool {
|
|
if len(roles) != len(other) {
|
|
return false
|
|
}
|
|
for _, r := range roles {
|
|
if !other.Include(r) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// Check returns an error if the role set is incorrect (contains unknown roles)
|
|
func (roles Roles) Check() (err error) {
|
|
for _, role := range roles {
|
|
if err = role.Check(); err != nil {
|
|
return trace.Wrap(err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// String returns comma separated string with roles
|
|
func (roles Roles) String() string {
|
|
return strings.Join(roles.StringSlice(), ",")
|
|
}
|
|
|
|
// Set sets the value of the role from string, used to integrate with CLI tools
|
|
func (r *Role) Set(v string) error {
|
|
val := Role(strings.Title(v))
|
|
if err := val.Check(); err != nil {
|
|
return trace.Wrap(err)
|
|
}
|
|
*r = val
|
|
return nil
|
|
}
|
|
|
|
// String returns debug-friendly representation of this role.
|
|
func (r *Role) String() string {
|
|
switch string(*r) {
|
|
case string(RoleSignup):
|
|
return "Password"
|
|
case string(RoleTrustedCluster), string(LegacyClusterTokenType):
|
|
return "trusted_cluster"
|
|
default:
|
|
return fmt.Sprintf("%v", string(*r))
|
|
}
|
|
}
|
|
|
|
// Check checks if this a a valid role value, returns nil
|
|
// if it's ok, false otherwise
|
|
func (r *Role) Check() error {
|
|
switch *r {
|
|
case RoleAuth, RoleWeb, RoleNode,
|
|
RoleAdmin, RoleProvisionToken,
|
|
RoleTrustedCluster, LegacyClusterTokenType,
|
|
RoleSignup, RoleProxy, RoleNop:
|
|
return nil
|
|
}
|
|
return trace.BadParameter("role %v is not registered", *r)
|
|
}
|