api/proto/teleport/legacy/types/types.proto

// Copyright 2021 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package types;

import "gogoproto/gogo.proto";
import "google/protobuf/timestamp.proto";
import "teleport/attestation/v1/attestation.proto";
import "teleport/legacy/types/wrappers/wrappers.proto";

option go_package = "github.com/gravitational/teleport/api/types";
option (gogoproto.goproto_getters_all) = false;
option (gogoproto.marshaler_all) = true;
option (gogoproto.unmarshaler_all) = true;

message KeepAlive {
  // Name of the resource to keep alive.
  string Name = 1 [(gogoproto.jsontag) = "server_name"];
  // Namespace is the namespace of the resource.
  string Namespace = 2 [(gogoproto.jsontag) = "namespace"];
  // LeaseID is ID of the lease.
  int64 LeaseID = 3 [(gogoproto.jsontag) = "lease_id"];
  // Expires is set to update expiry time of the resource.
  google.protobuf.Timestamp Expires = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];

  // The type of a KeepAlive. When adding a new type, please double-check
  // lib/usagereporter/teleport to see if we need any change in the resource
  // heartbeat event.
  enum KeepAliveType {
    UNKNOWN = 0;

    // "node", KindNode. For the sake of correct usage reporting, it shouldn't
    // be used for OpenSSH nodes.
    NODE = 1;
    // "app_server", KindAppServer
    APP = 2;
    // "db_server", KindDatabaseServer
    DATABASE = 3;
    // "windows_desktop_service", KindWindowsDesktopService
    WINDOWS_DESKTOP = 4;
    // "kube_server", KindKubeServer
    KUBERNETES = 5;
    // "db_service", KindDatabaseService
    DATABASE_SERVICE = 6;
  }

  // Type is the type (or kind) of the resource that's being kept alive.
  KeepAliveType Type = 9 [(gogoproto.jsontag) = "type"];
  // HostID is an optional UUID of the host the resource belongs to.
  string HostID = 10 [(gogoproto.jsontag) = "host_id,omitempty"];
}

// Metadata is resource metadata
message Metadata {
  // Name is an object name
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // Namespace is object namespace. The field should be called "namespace"
  // when it returns in Teleport 2.4.
  string Namespace = 2 [(gogoproto.jsontag) = "-"];
  // Description is object description
  string Description = 3 [(gogoproto.jsontag) = "description,omitempty"];
  // Labels is a set of labels
  map<string, string> Labels = 5 [(gogoproto.jsontag) = "labels,omitempty"];
  // Expires is a global expiry time header can be set on any resource in the
  // system.
  google.protobuf.Timestamp Expires = 6 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
  // ID is a record ID
  int64 ID = 7 [(gogoproto.jsontag) = "id,omitempty"];
}

// Rotation is a status of the rotation of the certificate authority
message Rotation {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // State could be one of "init" or "in_progress".
  string State = 1 [(gogoproto.jsontag) = "state,omitempty"];
  // Phase is the current rotation phase.
  string Phase = 2 [(gogoproto.jsontag) = "phase,omitempty"];
  // Mode sets manual or automatic rotation mode.
  string Mode = 3 [(gogoproto.jsontag) = "mode,omitempty"];
  // CurrentID is the ID of the rotation operation
  // to differentiate between rotation attempts.
  string CurrentID = 4 [(gogoproto.jsontag) = "current_id"];
  // Started is set to the time when rotation has been started
  // in case if the state of the rotation is "in_progress".
  google.protobuf.Timestamp Started = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "started,omitempty"
  ];
  // GracePeriod is a period during which old and new CA
  // are valid for checking purposes, but only new CA is issuing certificates.
  int64 GracePeriod = 6 [
    (gogoproto.jsontag) = "grace_period,omitempty",
    (gogoproto.casttype) = "Duration"
  ];
  // LastRotated specifies the last time of the completed rotation.
  google.protobuf.Timestamp LastRotated = 7 [
    (gogoproto.nullable) = false,
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "last_rotated,omitempty"
  ];
  // Schedule is a rotation schedule - used in
  // automatic mode to switch between phases.
  RotationSchedule Schedule = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "schedule,omitempty"
  ];
}

// RotationSchedule is a rotation schedule setting time switches
// for different phases.
message RotationSchedule {
  // UpdateClients specifies time to switch to the "Update clients" phase
  google.protobuf.Timestamp UpdateClients = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "update_clients,omitempty"
  ];
  // UpdateServers specifies time to switch to the "Update servers" phase.
  google.protobuf.Timestamp UpdateServers = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "update_servers,omitempty"
  ];
  // Standby specifies time to switch to the "Standby" phase.
  google.protobuf.Timestamp Standby = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "standby,omitempty"
  ];
}

// ResourceHeader is a shared resource header
// used in cases when only type and name is known
message ResourceHeader {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version,omitempty"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata,omitempty"
  ];
}

// DatabaseServerV3 represents a database access server.
message DatabaseServerV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is the database server resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the database server metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the database server spec.
  DatabaseServerSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// DatabaseServerSpecV3 is the database server spec.
message DatabaseServerSpecV3 {
  // Description is a free-form text describing this database server.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  string Description = 1 [
    (gogoproto.jsontag) = "description,omitempty",
    deprecated = true
  ];
  // Protocol is the database type e.g. postgres, mysql, etc.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  string Protocol = 2 [
    (gogoproto.jsontag) = "protocol",
    deprecated = true
  ];
  // URI is the database connection address.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  string URI = 3 [
    (gogoproto.jsontag) = "uri",
    deprecated = true
  ];
  // CACert is an optional base64-encoded database CA certificate.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  bytes CACert = 4 [
    (gogoproto.jsontag) = "ca_cert,omitempty",
    deprecated = true
  ];
  // AWS contains AWS specific settings for RDS/Aurora databases.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  AWS AWS = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "aws",
    deprecated = true
  ];
  // Version is the Teleport version that the server is running.
  string Version = 6 [(gogoproto.jsontag) = "version"];
  // Hostname is the database server hostname.
  string Hostname = 7 [(gogoproto.jsontag) = "hostname"];
  // HostID is the ID of the host the database server is running on.
  string HostID = 8 [(gogoproto.jsontag) = "host_id"];
  // DynamicLabels is the database server dynamic labels.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  map<string, CommandLabelV2> DynamicLabels = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty",
    deprecated = true
  ];
  // Rotation contains the server CA rotation information.
  Rotation Rotation = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // GCP contains parameters specific to GCP Cloud SQL databases.
  //
  // DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
  GCPCloudSQL GCP = 11 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "gcp,omitempty",
    deprecated = true
  ];
  // Database is the database proxied by this database server.
  DatabaseV3 Database = 12 [(gogoproto.jsontag) = "database,omitempty"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 13 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}

// DatabaseV3List represents a list of databases.
message DatabaseV3List {
  // Databases is a list of database resources.
  repeated DatabaseV3 Databases = 1;
}

// DatabaseV3 represents a single proxied database.
message DatabaseV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is the database resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the database metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the database spec.
  DatabaseSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
  // Status is the database runtime information.
  DatabaseStatusV3 Status = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "status"
  ];
}

// DatabaseSpecV3 is the database spec.
message DatabaseSpecV3 {
  // Protocol is the database protocol: postgres, mysql, mongodb, etc.
  string Protocol = 1 [(gogoproto.jsontag) = "protocol"];
  // URI is the database connection endpoint.
  string URI = 2 [(gogoproto.jsontag) = "uri"];
  // CACert is the PEM-encoded database CA certificate.
  //
  // DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
  string CACert = 3 [
    (gogoproto.jsontag) = "ca_cert,omitempty",
    deprecated = true
  ];
  // DynamicLabels is the database dynamic labels.
  map<string, CommandLabelV2> DynamicLabels = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty"
  ];
  // AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
  AWS AWS = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "aws,omitempty"
  ];
  // GCP contains parameters specific to GCP Cloud SQL databases.
  GCPCloudSQL GCP = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "gcp,omitempty"
  ];
  // Azure contains Azure specific database metadata.
  Azure Azure = 7 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "azure,omitempty"
  ];
  // TLS is the TLS configuration used when establishing connection to target database.
  // Allows to provide custom CA cert or override server name.
  DatabaseTLS TLS = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "tls,omitempty"
  ];
  // AD is the Active Directory configuration for the database.
  AD AD = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "ad,omitempty"
  ];
  // MySQL is an additional section with MySQL database options.
  MySQLOptions MySQL = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "mysql,omitempty"
  ];
}

// DatabaseStatusV3 contains runtime information about the database.
message DatabaseStatusV3 {
  // CACert is the auto-downloaded cloud database CA certificate.
  string CACert = 1 [(gogoproto.jsontag) = "ca_cert,omitempty"];
  // AWS is the auto-discovered AWS cloud database metadata.
  AWS AWS = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "aws"
  ];
  // MySQL is an additional section with MySQL runtime database information.
  MySQLOptions MySQL = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "mysql,omitempty"
  ];
  // ManagedUsers is a list of database users that are managed by Teleport.
  repeated string ManagedUsers = 4 [(gogoproto.jsontag) = "managed_users,omitempty"];
  // Azure is the auto-discovered Azure cloud database metadata.
  Azure Azure = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "azure"
  ];
}

// AWS contains AWS metadata about the database.
message AWS {
  // Region is a AWS cloud region.
  string Region = 1 [(gogoproto.jsontag) = "region,omitempty"];
  // Redshift contains Redshift specific metadata.
  Redshift Redshift = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "redshift,omitempty"
  ];
  // RDS contains RDS specific metadata.
  RDS RDS = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rds,omitempty"
  ];
  // AccountID is the AWS account ID this database belongs to.
  string AccountID = 4 [(gogoproto.jsontag) = "account_id,omitempty"];
  // ElastiCache contains AWS ElastiCache Redis specific metadata.
  ElastiCache ElastiCache = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "elasticache,omitempty"
  ];
  // SecretStore contains secret store configurations.
  SecretStore SecretStore = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "secret_store,omitempty"
  ];
  // MemoryDB contains AWS MemoryDB specific metadata.
  MemoryDB MemoryDB = 7 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "memorydb,omitempty"
  ];
  // RDSProxy contains AWS Proxy specific metadata.
  RDSProxy RDSProxy = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rdsproxy,omitempty"
  ];
  // RedshiftServerless contains AWS Redshift Serverless specific metadata.
  RedshiftServerless RedshiftServerless = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "redshift_serverless,omitempty"
  ];
  // ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
  string ExternalID = 10 [(gogoproto.jsontag) = "external_id,omitempty"];
}

// SecretStore contains secret store configurations.
message SecretStore {
  // KeyPrefix specifies the secret key prefix.
  string KeyPrefix = 1 [(gogoproto.jsontag) = "key_prefix,omitempty"];
  // KMSKeyID specifies the AWS KMS key for encryption.
  string KMSKeyID = 2 [(gogoproto.jsontag) = "kms_key_id,omitempty"];
}

// Redshift contains AWS Redshift specific database metadata.
message Redshift {
  // ClusterID is the Redshift cluster identifier.
  string ClusterID = 1 [(gogoproto.jsontag) = "cluster_id,omitempty"];
}

// RDS contains AWS RDS specific database metadata.
message RDS {
  // InstanceID is the RDS instance identifier.
  string InstanceID = 1 [(gogoproto.jsontag) = "instance_id,omitempty"];
  // ClusterID is the RDS cluster (Aurora) identifier.
  string ClusterID = 2 [(gogoproto.jsontag) = "cluster_id,omitempty"];
  // ResourceID is the RDS instance resource identifier (db-xxx).
  string ResourceID = 3 [(gogoproto.jsontag) = "resource_id,omitempty"];
  // IAMAuth indicates whether database IAM authentication is enabled.
  bool IAMAuth = 4 [(gogoproto.jsontag) = "iam_auth"];
}

// RDSProxy contains AWS RDS Proxy specific database metadata.
message RDSProxy {
  // Name is the identifier of an RDS Proxy.
  string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];
  // CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
  string CustomEndpointName = 2 [(gogoproto.jsontag) = "custom_endpoint_name,omitempty"];
  // ResourceID is the RDS instance resource identifier (prx-xxx).
  string ResourceID = 3 [(gogoproto.jsontag) = "resource_id,omitempty"];
}

// ElastiCache contains AWS ElastiCache Redis specific metadata.
message ElastiCache {
  // ReplicationGroupID is the Redis replication group ID.
  string ReplicationGroupID = 1 [(gogoproto.jsontag) = "replication_group_id,omitempty"];
  // UserGroupIDs is a list of user group IDs.
  repeated string UserGroupIDs = 2 [(gogoproto.jsontag) = "user_group_ids,omitempty"];
  // TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
  bool TransitEncryptionEnabled = 3 [(gogoproto.jsontag) = "transit_encryption_enabled,omitempty"];
  // EndpointType is the type of the endpoint.
  string EndpointType = 4 [(gogoproto.jsontag) = "endpoint_type,omitempty"];
}

// MemoryDB contains AWS MemoryDB specific metadata.
message MemoryDB {
  // ClusterName is the name of the MemoryDB cluster.
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name,omitempty"];
  // ACLName is the name of the ACL associated with the cluster.
  string ACLName = 2 [(gogoproto.jsontag) = "acl_name,omitempty"];
  // TLSEnabled indicates whether in-transit encryption (TLS) is enabled.
  bool TLSEnabled = 3 [(gogoproto.jsontag) = "tls_enabled,omitempty"];
  // EndpointType is the type of the endpoint.
  string EndpointType = 4 [(gogoproto.jsontag) = "endpoint_type,omitempty"];
}

// RedshiftServerless contains AWS Redshift Serverless specific metadata.
message RedshiftServerless {
  // WorkgroupName is the workgroup name.
  string WorkgroupName = 1 [(gogoproto.jsontag) = "workgroup_name,omitempty"];
  // EndpointName is the VPC endpoint name.
  string EndpointName = 2 [(gogoproto.jsontag) = "endpoint_name,omitempty"];
  // WorkgroupID is the workgroup ID.
  string WorkgroupID = 3 [(gogoproto.jsontag) = "workgroup_id,omitempty"];
}

// GCPCloudSQL contains parameters specific to GCP Cloud SQL databases.
message GCPCloudSQL {
  // ProjectID is the GCP project ID the Cloud SQL instance resides in.
  string ProjectID = 1 [(gogoproto.jsontag) = "project_id,omitempty"];
  // InstanceID is the Cloud SQL instance ID.
  string InstanceID = 2 [(gogoproto.jsontag) = "instance_id,omitempty"];
}

// Azure contains Azure specific database metadata.
message Azure {
  // Name is the Azure database server name.
  string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];
  // ResourceID is the Azure fully qualified ID for the resource.
  string ResourceID = 2 [(gogoproto.jsontag) = "resource_id,omitempty"];
  // Redis contains Azure Cache for Redis specific database metadata.
  AzureRedis Redis = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "redis,omitempty"
  ];
  // IsFlexiServer is true if the database is an Azure Flexible server.
  bool IsFlexiServer = 4 [(gogoproto.jsontag) = "is_flexi_server,omitempty"];
}

// AzureRedis contains Azure Cache for Redis specific database metadata.
message AzureRedis {
  // ClusteringPolicy is the clustering policy for Redis Enterprise.
  string ClusteringPolicy = 1 [(gogoproto.jsontag) = "clustering_policy,omitempty"];
}

// AD contains Active Directory specific database configuration.
message AD {
  // KeytabFile is the path to the Kerberos keytab file.
  string KeytabFile = 1 [(gogoproto.jsontag) = "keytab_file,omitempty"];
  // Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
  string Krb5File = 2 [(gogoproto.jsontag) = "krb5_file,omitempty"];
  // Domain is the Active Directory domain the database resides in.
  string Domain = 3 [(gogoproto.jsontag) = "domain"];
  // SPN is the service principal name for the database.
  string SPN = 4 [(gogoproto.jsontag) = "spn"];
  // LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
  string LDAPCert = 5 [(gogoproto.jsontag) = "ldap_cert,omitempty"];
  // KDCHostName is the host name for a KDC for x509 Authentication.
  string KDCHostName = 6 [(gogoproto.jsontag) = "kdc_host_name,omitempty"];
}

// DatabaseTLSMode represents the level of TLS verification performed by
// DB agent when connecting to a database.
enum DatabaseTLSMode {
  // VERIFY_FULL performs full certificate validation.
  VERIFY_FULL = 0;
  // VERIFY_CA works the same as VERIFY_FULL, but it skips the hostname check.
  VERIFY_CA = 1;
  // INSECURE accepts any certificate provided by server. This is the least secure option.
  INSECURE = 2;
}

// DatabaseTLS contains TLS configuration options.
message DatabaseTLS {
  // Mode is a TLS connection mode. See DatabaseTLSMode for details.
  DatabaseTLSMode Mode = 1 [(gogoproto.jsontag) = "mode"];
  // CACert is an optional user provided CA certificate used for verifying
  // database TLS connection.
  string CACert = 2 [(gogoproto.jsontag) = "ca_cert,omitempty"];
  // ServerName allows to provide custom hostname. This value will override the
  // servername/hostname on a certificate during validation.
  string ServerName = 3 [(gogoproto.jsontag) = "server_name,omitempty"];
}

// MySQLOptions are additional MySQL database options.
message MySQLOptions {
  // ServerVersion is the server version reported by DB proxy if the runtime information is
  // not available.
  string ServerVersion = 1 [(gogoproto.jsontag) = "server_version,omitempty"];
}

// InstanceV1 represents the state of a running teleport instance independent
// of the specific services that instance exposes.
message InstanceV1 {
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  InstanceSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

message InstanceSpecV1 {
  // Version is the version of teleport this instance most recently advertised.
  string Version = 1 [(gogoproto.jsontag) = "version,omitempty"];

  // Services is the list of active services this instance most recently advertised.
  repeated string Services = 2 [
    (gogoproto.casttype) = "SystemRole",
    (gogoproto.jsontag) = "services,omitemtpy"
  ];

  // Hostname is the hostname this instance most recently advertised.
  string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];

  // AuthID is the ID of the auth server that most recently observed this instance.
  string AuthID = 4 [(gogoproto.jsontag) = "auth_id,omitempty"];

  // LastSeen is the last time an auth server reported observing this instance.
  google.protobuf.Timestamp LastSeen = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "last_seen,omitempty"
  ];

  // ControlLog is the log of recent important instance control events related to this instance. See comments
  // on the InstanceControlLogEntry type for details.
  repeated InstanceControlLogEntry ControlLog = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "control_log,omitempty"
  ];
}

// InstanceControlLogEntry represents an entry in a given instance's control log. The control log of
// an instance is protected by CompareAndSwap semantics, allowing entries to function as a means of
// synchronization as well as recordkeeping. For example, an auth server intending to trigger an upgrade
// for a given instance can check its control log for 'upgrade-attempt' entries. If no such entry exists,
// it can attempt to write an 'upgrade-attempt' entry of its own. If that entry successfully writes without
// hitting a CompareFailed, the auth server knows that no other auth servers will make concurrent upgrade
// attempts while that entry persists.
//
// NOTE: Due to resource size and backend throughput limitations, care should be taken to minimize the
// use and size of instance control log entries.
//
message InstanceControlLogEntry {
  // Type represents the type of control log entry this is (e.g. 'upgrade-attempt').
  string Type = 1 [(gogoproto.jsontag) = "type,omitempty"];

  // ID is a random identifier used to assist in uniquely identifying entries. This value may
  // be unique, or it may be used to associate a collection of related entries (e.g. an upgrade
  // attempt entry may use the same ID as an associated upgrade failure entry if appropriate).
  uint64 ID = 2 [(gogoproto.jsontag) = "id,omitempty"];

  // Time is the time at which the event represented by this entry occurred (used in determining
  // ordering and expiry).
  google.protobuf.Timestamp Time = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "time,omitempty"
  ];

  // TTL is an optional custom time to live for this control log entry. Some control log entries
  // (e.g. an upgrade failure) may require longer than normal TTLs in order to ensure visibility.
  // If a log entry's TTL results in it having an intended expiry further in the future than the
  // expiry of the enclosing Instance resource, the instance resource's expiry will be bumped
  // to accommodate preservation of the log. Because of this fact, custom entry TTLs should be
  // used sparingly, as excess usage could result in unexpected backend growth for high churn
  // clusters.
  int64 TTL = 4 [
    (gogoproto.jsontag) = "ttl,omitempty",
    (gogoproto.casttype) = "time.Duration"
  ];

  // Labels is an arbitrary collection of key-value pairs. The expected labels are determined by the
  // type of the entry. Use of labels is preferable to adding new fields in some cases in order to
  // preserve fields across auth downgrades (this is mostly relevant for the version-control system).
  map<string, string> Labels = 5 [(gogoproto.jsontag) = "labels,omitempty"];
}

// InstanceFilter matches instance resources.
message InstanceFilter {
  // ServerID matches exactly one instance by server ID if specified.
  string ServerID = 1;

  // Version matches instance version if specified.
  string Version = 2;

  // Services matches the instance services if specified. Note that this field matches all instances which
  // expose *at least* one of the listed services. This is in contrast to service matching in version
  // directives which match instances that expose a *at most* the listed services.
  repeated string Services = 3 [(gogoproto.casttype) = "SystemRole"];
}

// ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster.
message ServerV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a server spec
  ServerSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ServerV2List is a list of servers.
// DELETE IN 8.0.0 only used in deprecated GetNodes rpc
message ServerV2List {
  // Servers is a list of servers.
  repeated ServerV2 Servers = 1;
}

// ServerSpecV2 is a specification for V2 Server
message ServerSpecV2 {
  reserved 8;

  // Addr is a host:port address where this server can be reached.
  string Addr = 1 [(gogoproto.jsontag) = "addr"];
  // PublicAddr is the public address where this server can be reached.
  // DELETE IN 15.0. (joerger) Deprecated in favor of public_addrs.
  string PublicAddr = 2 [(gogoproto.jsontag) = "public_addr,omitempty"];
  // Hostname is server hostname
  string Hostname = 3 [(gogoproto.jsontag) = "hostname"];
  // CmdLabels is server dynamic labels
  map<string, CommandLabelV2> CmdLabels = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "cmd_labels,omitempty"
  ];
  // Rotation specifies server rotation
  Rotation Rotation = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // UseTunnel indicates that connections to this server should occur over a
  // reverse tunnel.
  bool UseTunnel = 6 [(gogoproto.jsontag) = "use_tunnel,omitempty"];
  // TeleportVersion is the teleport version that the server is running on
  string Version = 7 [(gogoproto.jsontag) = "version"];
  // Apps is a list of applications this server is proxying.
  //
  // DELETE IN 9.0. Deprecated, moved to AppServerSpecV3.
  repeated App Apps = 9 [
    (gogoproto.jsontag) = "apps,omitempty",
    deprecated = true
  ];
  // KubernetesClusters is a list of kubernetes clusters provided by this
  // Proxy or KubeService server.
  //
  // Important: jsontag must not be "kubernetes_clusters", because a
  // different field with that jsontag existed in 4.4:
  // https://github.com/gravitational/teleport/issues/4862
  // DELETE IN 12.0.0. Deprecated, moved to KubernetesServerSpecV3.
  repeated KubernetesCluster KubernetesClusters = 10 [(gogoproto.jsontag) = "kube_clusters,omitempty"];
  // PeerAddr is the address a proxy server is reachable at by its peer proxies.
  string PeerAddr = 11 [(gogoproto.jsontag) = "peer_addr,omitempty"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 12 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
  // PublicAddrs is a list of public addresses where this server can be reached.
  repeated string public_addrs = 13;
}

// AppServerV3 represents a single proxied web app.
message AppServerV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is the app server resource kind. Always "app_server".
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the app server metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the app server spec.
  AppServerSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// AppServerSpecV3 is the app access server spec.
message AppServerSpecV3 {
  // Version is the Teleport version that the server is running.
  string Version = 1 [(gogoproto.jsontag) = "version"];
  // Hostname is the app server hostname.
  string Hostname = 2 [(gogoproto.jsontag) = "hostname"];
  // HostID is the app server host uuid.
  string HostID = 3 [(gogoproto.jsontag) = "host_id"];
  // Rotation contains the app server CA rotation information.
  Rotation Rotation = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // App is the app proxied by this app server.
  AppV3 App = 5 [(gogoproto.jsontag) = "app"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 6 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}

// AppV3List represents a list of app resources.
message AppV3List {
  // Apps is a list of app resources.
  repeated AppV3 Apps = 1;
}

// AppV3 represents an app resource.
message AppV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is the app resource kind. Always "app".
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the app resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the app resource spec.
  AppSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// AppSpecV3 is the AppV3 resource spec.
message AppSpecV3 {
  // URI is the web app endpoint.
  string URI = 1 [(gogoproto.jsontag) = "uri"];
  // PublicAddr is the public address the application is accessible at.
  string PublicAddr = 2 [(gogoproto.jsontag) = "public_addr,omitempty"];
  // DynamicLabels are the app's command labels.
  map<string, CommandLabelV2> DynamicLabels = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty"
  ];
  // InsecureSkipVerify disables app's TLS certificate verification.
  bool InsecureSkipVerify = 4 [(gogoproto.jsontag) = "insecure_skip_verify"];
  // Rewrite is a list of rewriting rules to apply to requests and responses.
  Rewrite Rewrite = 5 [(gogoproto.jsontag) = "rewrite,omitempty"];
  // AWS contains additional options for AWS applications.
  AppAWS AWS = 6 [(gogoproto.jsontag) = "aws,omitempty"];
  // Cloud identifies the cloud instance the app represents.
  string Cloud = 7 [(gogoproto.jsontag) = "cloud,omitempty"];
}

// App is a specific application that a server proxies.
//
// DELETE IN 9.0. Deprecated, use AppV3.
message App {
  // Name is the name of the application.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // URI is the internal address the application is available at.
  string URI = 2 [(gogoproto.jsontag) = "uri"];
  // PublicAddr is the public address the application is accessible at.
  string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr,omitempty"];
  // StaticLabels is map of static labels associated with an application.
  // Used for RBAC.
  map<string, string> StaticLabels = 4 [(gogoproto.jsontag) = "labels,omitempty"];
  // DynamicLabels is map of dynamic labels associated with an application.
  // Used for RBAC.
  map<string, CommandLabelV2> DynamicLabels = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "commands,omitempty"
  ];
  // InsecureSkipVerify disables app's TLS certificate verification.
  bool InsecureSkipVerify = 6 [(gogoproto.jsontag) = "insecure_skip_verify"];
  // Rewrite is a list of rewriting rules to apply to requests and responses.
  Rewrite Rewrite = 7 [(gogoproto.jsontag) = "rewrite,omitempty"];
  // Description is an optional free-form app description.
  string Description = 8 [(gogoproto.jsontag) = "description,omitempty"];
}

// Rewrite is a list of rewriting rules to apply to requests and responses.
message Rewrite {
  // Redirect defines a list of hosts which will be rewritten to the public
  // address of the application if they occur in the "Location" header.
  repeated string Redirect = 1 [(gogoproto.jsontag) = "redirect,omitempty"];
  // Headers is a list of headers to inject when passing the request over
  // to the application.
  repeated Header Headers = 2 [(gogoproto.jsontag) = "headers,omitempty"];
}

// Header represents a single http header passed over to the proxied application.
message Header {
  // Name is the http header name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // Value is the http header value.
  string Value = 2 [(gogoproto.jsontag) = "value"];
}

// CommandLabelV2 is a label that has a value as a result of the
// output generated by running command, e.g. hostname
message CommandLabelV2 {
  // Period is a time between command runs
  int64 Period = 1 [
    (gogoproto.jsontag) = "period",
    (gogoproto.casttype) = "Duration"
  ];
  // Command is a command to run
  repeated string Command = 2 [(gogoproto.jsontag) = "command"];
  // Result captures standard output
  string Result = 3 [(gogoproto.jsontag) = "result"];
}

// AppAWS contains additional options for AWS applications.
message AppAWS {
  // ExternalID is the AWS External ID used when assuming roles in this app.
  string ExternalID = 1 [(gogoproto.jsontag) = "external_id,omitempty"];
}

// PrivateKeyType is the storage type of a private key.
enum PrivateKeyType {
  // RAW is a plaintext private key.
  RAW = 0;
  // PKCS11 is a private key backed by a PKCS11 device such as HSM.
  PKCS11 = 1;
  // GCP_KMS is a private key backed by GCP KMS.
  GCP_KMS = 2;
}

// SSHKeyPair is an SSH CA key pair.
message SSHKeyPair {
  // PublicKey is the SSH public key.
  bytes PublicKey = 1 [(gogoproto.jsontag) = "public_key,omitempty"];
  // PrivateKey is the SSH private key.
  bytes PrivateKey = 2 [(gogoproto.jsontag) = "private_key,omitempty"];
  // PrivateKeyType is the type of the PrivateKey.
  PrivateKeyType PrivateKeyType = 3 [(gogoproto.jsontag) = "private_key_type,omitempty"];
}

// TLSKeyPair is a TLS key pair
message TLSKeyPair {
  // Cert is a PEM encoded TLS cert
  bytes Cert = 1 [(gogoproto.jsontag) = "cert,omitempty"];
  // Key is a PEM encoded TLS key
  bytes Key = 2 [(gogoproto.jsontag) = "key,omitempty"];
  // KeyType is the type of the Key.
  PrivateKeyType KeyType = 3 [(gogoproto.jsontag) = "key_type,omitempty"];
}

// JWTKeyPair is a PEM encoded keypair used for signing JWT tokens.
message JWTKeyPair {
  // PublicKey is a PEM encoded public key.
  bytes PublicKey = 1 [(gogoproto.jsontag) = "public_key,omitempty"];
  // PrivateKey is a PEM encoded private key.
  bytes PrivateKey = 2 [(gogoproto.jsontag) = "private_key,omitempty"];
  // PrivateKeyType is the type of the PrivateKey.
  PrivateKeyType PrivateKeyType = 3 [(gogoproto.jsontag) = "private_key_type,omitempty"];
}

// CertAuthorityV2 is version 2 resource spec for Cert Authority
message CertAuthorityV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is connector metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec contains cert authority specification
  CertAuthoritySpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// CertAuthoritySpecV2 is a host or user certificate authority that
// can check and if it has private key stored as well, sign it too
message CertAuthoritySpecV2 {
  reserved 3, 4, 7, 10;
  // Type is either user or host certificate authority
  string Type = 1 [
    (gogoproto.jsontag) = "type",
    (gogoproto.casttype) = "CertAuthType"
  ];
  // DELETE IN(2.7.0) this field is deprecated,
  // as resource name matches cluster name after migrations.
  // and this property is enforced by the auth server code.
  // ClusterName identifies cluster name this authority serves,
  // for host authorities that means base hostname of all servers,
  // for user authorities that means organization name
  string ClusterName = 2 [(gogoproto.jsontag) = "cluster_name"];
  // Roles is a list of roles assumed by users signed by this CA
  repeated string Roles = 5 [(gogoproto.jsontag) = "roles,omitempty"];
  // RoleMap specifies role mappings to remote roles
  repeated RoleMapping RoleMap = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "role_map,omitempty"
  ];
  // Rotation is a status of the certificate authority rotation
  Rotation Rotation = 8 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // SigningAlg is the algorithm used for signing new SSH certificates using
  // SigningKeys.
  enum SigningAlgType {
    UNKNOWN = 0;
    RSA_SHA1 = 1;
    RSA_SHA2_256 = 2;
    RSA_SHA2_512 = 3;
  }
  SigningAlgType SigningAlg = 9 [(gogoproto.jsontag) = "signing_alg,omitempty"];
  // ActiveKeys are the CA key sets used to sign any new certificates.
  CAKeySet ActiveKeys = 11 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "active_keys,omitempty"
  ];
  // AdditionalTrustedKeys are additional CA key sets that can be used to
  // verify certificates. Certificates should be verified with
  // AdditionalTrustedKeys and ActiveKeys combined.
  CAKeySet AdditionalTrustedKeys = 12 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "additional_trusted_keys,omitempty"
  ];
}

// CAKeySet is the set of CA keys.
message CAKeySet {
  // SSH contains SSH CA key pairs.
  repeated SSHKeyPair SSH = 1 [(gogoproto.jsontag) = "ssh,omitempty"];
  // TLS contains TLS CA key/cert pairs.
  repeated TLSKeyPair TLS = 2 [(gogoproto.jsontag) = "tls,omitempty"];
  // JWT contains JWT signing key pairs.
  repeated JWTKeyPair JWT = 3 [(gogoproto.jsontag) = "jwt,omitempty"];
}

// RoleMapping provides mapping of remote roles to local roles
// for trusted clusters
message RoleMapping {
  // Remote specifies remote role name to map from
  string Remote = 1 [(gogoproto.jsontag) = "remote"];
  // Local specifies local roles to map to
  repeated string Local = 2 [(gogoproto.jsontag) = "local"];
}

// ProvisionTokenV1 is a provisioning token V1
message ProvisionTokenV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Roles is a list of roles associated with the token,
  // that will be converted to metadata in the SSH and X509
  // certificates issued to the user of the token
  repeated string Roles = 1 [
    (gogoproto.jsontag) = "roles",
    (gogoproto.casttype) = "SystemRole"
  ];
  // Expires is a global expiry time header can be set on any resource in the
  // system.
  google.protobuf.Timestamp Expires = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
  // Token is a token name
  string Token = 3 [(gogoproto.jsontag) = "token"];
}

// ProvisionTokenV2 specifies provisioning token
message ProvisionTokenV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a provisioning token V2 spec
  ProvisionTokenSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ProvisionTokenV2List is a list of provisioning tokens.
message ProvisionTokenV2List {
  // ProvisionTokens is a list of provisioning tokens.
  repeated ProvisionTokenV2 ProvisionTokens = 1;
}

// TokenRule is a rule that a joining node must match in order to use the
// associated token.
message TokenRule {
  // AWSAccount is the AWS account ID.
  string AWSAccount = 1 [(gogoproto.jsontag) = "aws_account,omitempty"];
  // AWSRegions is used for the EC2 join method and is a list of AWS regions a
  // node is allowed to join from.
  repeated string AWSRegions = 2 [(gogoproto.jsontag) = "aws_regions,omitempty"];
  // AWSRole is used for the EC2 join method and is the the ARN of the AWS
  // role that the auth server will assume in order to call the ec2 API.
  string AWSRole = 3 [(gogoproto.jsontag) = "aws_role,omitempty"];
  // AWSARN is used for the IAM join method, the AWS identity of joining nodes
  // must match this ARN. Supports wildcards "*" and "?".
  string AWSARN = 4 [(gogoproto.jsontag) = "aws_arn,omitempty"];
}

// ProvisionTokenSpecV2 is a specification for V2 token
message ProvisionTokenSpecV2 {
  // Roles is a list of roles associated with the token,
  // that will be converted to metadata in the SSH and X509
  // certificates issued to the user of the token
  repeated string Roles = 1 [
    (gogoproto.jsontag) = "roles",
    (gogoproto.casttype) = "SystemRole"
  ];
  // Allow is a list of TokenRules, nodes using this token must match one
  // allow rule to use this token.
  repeated TokenRule Allow = 2 [(gogoproto.jsontag) = "allow,omitempty"];
  // AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used
  // to join the cluster with this token.
  int64 AWSIIDTTL = 3 [
    (gogoproto.jsontag) = "aws_iid_ttl,omitempty",
    (gogoproto.casttype) = "Duration"
  ];
  // JoinMethod is the joining method required in order to use this token.
  // Supported joining methods include "token", "ec2", and "iam".
  string JoinMethod = 4 [
    (gogoproto.jsontag) = "join_method",
    (gogoproto.casttype) = "JoinMethod"
  ];
  // BotName is the name of the bot this token grants access to, if any
  string BotName = 5 [(gogoproto.jsontag) = "bot_name,omitempty"];
  // SuggestedLabels is a set of labels that resources should set when using this token to enroll
  // themselves in the cluster.
  // Currently, only node-join scripts create a configuration according to the suggestion.
  wrappers.LabelValues SuggestedLabels = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "suggested_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];
  // GitHub allows the configuration of options specific to the "github" join method.
  ProvisionTokenSpecV2GitHub GitHub = 7 [(gogoproto.jsontag) = "github,omitempty"];
  // CircleCI allows the configuration of options specific to the "circleci" join method.
  ProvisionTokenSpecV2CircleCI CircleCI = 8 [(gogoproto.jsontag) = "circleci,omitempty"];
  // SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources.
  // When an agent uses this token, the agent should monitor resources that match those labels.
  // For databases, this means adding the labels to `db_service.resources.labels`.
  // Currently, only node-join scripts create a configuration according to the suggestion.
  wrappers.LabelValues SuggestedAgentMatcherLabels = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "suggested_agent_matcher_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];
  // Kubernetes allows the configuration of options specific to the "kubernetes" join method.
  ProvisionTokenSpecV2Kubernetes Kubernetes = 10 [(gogoproto.jsontag) = "kubernetes,omitempty"];
  // Azure allows the configuration of options specific to the "azure" join method.
  ProvisionTokenSpecV2Azure Azure = 11 [(gogoproto.jsontag) = "azure,omitempty"];
  // GitLab allows the configuration of options specific to the "gitlab" join method.
  ProvisionTokenSpecV2GitLab GitLab = 12 [(gogoproto.jsontag) = "gitlab,omitempty"];
}

// ProvisionTokenSpecV2Github contains the GitHub-specific part of the
// ProvisionTokenSpecV2
message ProvisionTokenSpecV2GitHub {
  // Rule includes fields mapped from `lib/githubactions.IDToken`
  // Not all fields should be included, only ones that we expect to be useful
  // when trying to create rules around which workflows should be allowed to
  // authenticate against a cluster.
  message Rule {
    // Sub also known as Subject is a string that roughly uniquely identifies
    // the workload. The format of this varies depending on the type of
    // github action run.
    string Sub = 1 [(gogoproto.jsontag) = "sub,omitempty"];
    // The repository from where the workflow is running.
    // This includes the name of the owner e.g `gravitational/teleport`
    string Repository = 2 [(gogoproto.jsontag) = "repository,omitempty"];
    // The name of the organization in which the repository is stored.
    string RepositoryOwner = 3 [(gogoproto.jsontag) = "repository_owner,omitempty"];
    // The name of the workflow.
    string Workflow = 4 [(gogoproto.jsontag) = "workflow,omitempty"];
    // The name of the environment used by the job.
    string Environment = 5 [(gogoproto.jsontag) = "environment,omitempty"];
    // The personal account that initiated the workflow run.
    string Actor = 6 [(gogoproto.jsontag) = "actor,omitempty"];
    // The git ref that triggered the workflow run.
    string Ref = 7 [(gogoproto.jsontag) = "ref,omitempty"];
    // The type of ref, for example: "branch".
    string RefType = 8 [(gogoproto.jsontag) = "ref_type,omitempty"];
  }
  // Allow is a list of TokenRules, nodes using this token must match one
  // allow rule to use this token.
  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
  // EnterpriseServerHost allows joining from runners associated with a
  // GitHub Enterprise Server instance. When unconfigured, tokens will be
  // validated against github.com, but when configured to the host of a GHES
  // instance, then the tokens will be validated against host.
  //
  // This value should be the hostname of the GHES instance, and should not
  // include the scheme or a path. The instance must be accessible over HTTPS
  // at this hostname and the certificate must be trusted by the Auth Server.
  string EnterpriseServerHost = 2 [(gogoproto.jsontag) = "enterprise_server_host,omitempty"];
}

// ProvisionTokenSpecV2GitLab contains the GitLab-specific part of the
// ProvisionTokenSpecV2
message ProvisionTokenSpecV2GitLab {
  message Rule {
    // Sub roughly uniquely identifies the workload. Example:
    // `project_path:mygroup/my-project:ref_type:branch:ref:main`
    // project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}
    string Sub = 1 [(gogoproto.jsontag) = "sub,omitempty"];
    // Ref allows access to be limited to jobs triggered by a specific git ref.
    // Ensure this is used in combination with ref_type.
    string Ref = 2 [(gogoproto.jsontag) = "ref,omitempty"];
    // RefType allows access to be limited to jobs triggered by a specific git
    // ref type. Example:
    // `branch` or `tag`
    string RefType = 3 [(gogoproto.jsontag) = "ref_type,omitempty"];
    // NamespacePath is used to limit access to jobs in a group or user's
    // projects.
    // Example:
    // `mygroup`
    string NamespacePath = 4 [(gogoproto.jsontag) = "namespace_path,omitempty"];
    // ProjectPath is used to limit access to jobs belonging to an individual
    // project. Example:
    // `mygroup/myproject`
    string ProjectPath = 5 [(gogoproto.jsontag) = "project_path,omitempty"];
    // PipelineSource limits access by the job pipeline source type.
    // https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules
    // Example: `web`
    string PipelineSource = 6 [(gogoproto.jsontag) = "pipeline_source,omitempty"];
    // Environment limits access by the environment the job deploys to
    // (if one is associated)
    string Environment = 7 [(gogoproto.jsontag) = "environment,omitempty"];
  }
  // Allow is a list of TokenRules, nodes using this token must match one
  // allow rule to use this token.
  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
  // Domain is the domain of your GitLab instance. This will default to
  // `gitlab.com` - but can be set to the domain of your self-hosted GitLab
  // e.g `gitlab.example.com`.
  string Domain = 2 [(gogoproto.jsontag) = "domain,omitempty"];
}

// ProvisionTokenSpecV2CircleCI contains the CircleCI-specific part of the
// ProvisionTokenSpecV2
message ProvisionTokenSpecV2CircleCI {
  message Rule {
    string ProjectID = 1 [(gogoproto.jsontag) = "project_id,omitempty"];
    string ContextID = 2 [(gogoproto.jsontag) = "context_id,omitempty"];
  }
  // Allow is a list of TokenRules, nodes using this token must match one
  // allow rule to use this token.
  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
  string OrganizationID = 2 [(gogoproto.jsontag) = "organization_id,omitempty"];
}

// ProvisionTokenSpecV2Kubernetes contains the Kubernetes-specific part of the
// ProvisionTokenSpecV2
message ProvisionTokenSpecV2Kubernetes {
  // Rule is a set of properties the Kubernetes-issued token might have to be
  // allowed to use this ProvisionToken
  message Rule {
    // ServiceAccount is the namespaced name of the Kubernetes service account.
    // Its format is "namespace:service-account".
    string ServiceAccount = 1 [(gogoproto.jsontag) = "service_account,omitempty"];
  }
  // Allow is a list of Rules, nodes using this token must match one
  // allow rule to use this token.
  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
}

// ProvisionTokenSpecV2Azure contains the Azure-specific part of the
// ProvisionTokenSpecV2.
message ProvisionTokenSpecV2Azure {
  // Rule is a set of properties the Azure-issued token might have to be
  // allowed to use this ProvisionToken.
  message Rule {
    // Subscription is the Azure subscription.
    string Subscription = 1 [(gogoproto.jsontag) = "subscription,omitempty"];
    // ResourceGroups is a list of Azure resource groups the node is allowed
    // to join from.
    repeated string ResourceGroups = 2 [(gogoproto.jsontag) = "resource_groups,omitempty"];
  }
  // Allow is a list of Rules, nodes using this token must match one
  // allow rule to use this token.
  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
}

// StaticTokensV2 implements the StaticTokens interface.
message StaticTokensV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a provisioning token V2 spec
  StaticTokensSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// StaticTokensSpecV2 is the actual data we care about for StaticTokensSpecV2.
message StaticTokensSpecV2 {
  // StaticTokens is a list of tokens that can be used to add nodes to the
  // cluster.
  repeated ProvisionTokenV1 StaticTokens = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "static_tokens"
  ];
}

// ClusterNameV2 implements the ClusterName interface.
message ClusterNameV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a cluster name V2 spec
  ClusterNameSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ClusterNameSpecV2 is the actual data we care about for ClusterName.
message ClusterNameSpecV2 {
  // ClusterName is the name of the cluster. Changing this value once the
  // cluster is setup can and will cause catastrophic problems.
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"];

  // ClusterID is the unique cluster ID that is set once during the first
  // auth server startup.
  string ClusterID = 2 [(gogoproto.jsontag) = "cluster_id"];
}

// ClusterAuditConfigV2 represents audit log settings in the cluster.
message ClusterAuditConfigV2 {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a ClusterAuditConfig specification
  ClusterAuditConfigSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ClusterAuditConfigSpecV2 is the actual data we care about
// for ClusterAuditConfig.
message ClusterAuditConfigSpecV2 {
  reserved 5;
  reserved "audit_table_name";

  // Type is audit backend type
  string Type = 1 [(gogoproto.jsontag) = "type,omitempty"];
  // Region is a region setting for audit sessions used by cloud providers
  string Region = 2 [(gogoproto.jsontag) = "region,omitempty"];
  // AuditSessionsURI is a parameter where to upload sessions
  string AuditSessionsURI = 3 [(gogoproto.jsontag) = "audit_sessions_uri,omitempty"];
  // AuditEventsURI is a parameter with all supported outputs
  // for audit events
  wrappers.StringValues AuditEventsURI = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "audit_events_uri,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Strings"
  ];

  // EnableContinuousBackups is used to enable (or disable) PITR (Point-In-Time Recovery).
  bool EnableContinuousBackups = 6 [(gogoproto.jsontag) = "continuous_backups,omitempty"];
  // EnableAutoScaling is used to enable (or disable) auto scaling policy.
  bool EnableAutoScaling = 7 [(gogoproto.jsontag) = "auto_scaling,omitempty"];
  // ReadMaxCapacity is the maximum provisioned read capacity.
  int64 ReadMaxCapacity = 8 [(gogoproto.jsontag) = "read_max_capacity,omitempty"];
  // ReadMinCapacity is the minimum provisioned read capacity.
  int64 ReadMinCapacity = 9 [(gogoproto.jsontag) = "read_min_capacity,omitempty"];
  // ReadTargetValue is the ratio of consumed read to provisioned capacity.
  double ReadTargetValue = 10 [(gogoproto.jsontag) = "read_target_value,omitempty"];
  // WriteMaxCapacity is the maximum provisioned write capacity.
  int64 WriteMaxCapacity = 11 [(gogoproto.jsontag) = "write_max_capacity,omitempty"];
  // WriteMinCapacity is the minimum provisioned write capacity.
  int64 WriteMinCapacity = 12 [(gogoproto.jsontag) = "write_min_capacity,omitempty"];
  // WriteTargetValue is the ratio of consumed write to provisioned capacity.
  double WriteTargetValue = 13 [(gogoproto.jsontag) = "write_target_value,omitempty"];
  // RetentionPeriod is the retention period for audit events.
  int64 RetentionPeriod = 14 [
    (gogoproto.jsontag) = "retention_period",
    (gogoproto.casttype) = "Duration",
    (gogoproto.nullable) = true
  ];

  // FIPSEndpointState represents an AWS FIPS endpoint state.
  enum FIPSEndpointState {
    // FIPS_UNSET allows setting FIPS state for AWS S3/Dynamo using configuration files or
    // environment variables
    FIPS_UNSET = 0;
    // FIPS_ENABLED explicitly enables FIPS support for AWS S3/Dynamo
    FIPS_ENABLED = 1;
    // FIPS_DISABLED explicitly disables FIPS support for AWS S3/Dynamo
    FIPS_DISABLED = 2;
  }
  // UseFIPSEndpoint configures AWS endpoints to use FIPS.
  FIPSEndpointState UseFIPSEndpoint = 15 [(gogoproto.jsontag) = "use_fips_endpoint,omitempty"];
}

// ClusterNetworkingConfigV2 contains cluster-wide networking configuration.
message ClusterNetworkingConfigV2 {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a ClusterNetworkingConfig specification
  ClusterNetworkingConfigSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ClusterNetworkingConfigSpecV2 is the actual data we care about
// for ClusterNetworkingConfig.
message ClusterNetworkingConfigSpecV2 {
  // ClientIdleTimeout sets global cluster default setting for client idle
  // timeouts.
  int64 ClientIdleTimeout = 1 [
    (gogoproto.jsontag) = "client_idle_timeout",
    (gogoproto.casttype) = "Duration"
  ];

  // KeepAliveInterval is the interval at which the server sends keep-alive messages
  // to the client.
  int64 KeepAliveInterval = 2 [
    (gogoproto.jsontag) = "keep_alive_interval",
    (gogoproto.casttype) = "Duration"
  ];

  // KeepAliveCountMax is the number of keep-alive messages that can be
  // missed before the server disconnects the connection to the client.
  int64 KeepAliveCountMax = 3 [(gogoproto.jsontag) = "keep_alive_count_max"];

  // SessionControlTimeout is the session control lease expiry and defines
  // the upper limit of how long a node may be out of contact with the auth
  // server before it begins terminating controlled sessions.
  int64 SessionControlTimeout = 4 [
    (gogoproto.jsontag) = "session_control_timeout",
    (gogoproto.casttype) = "Duration"
  ];

  // ClientIdleTimeoutMessage is the message sent to the user when a connection times out.
  string ClientIdleTimeoutMessage = 5 [(gogoproto.jsontag) = "idle_timeout_message"];

  // WebIdleTimeout sets global cluster default setting for the web UI idle
  // timeouts.
  int64 WebIdleTimeout = 6 [
    (gogoproto.jsontag) = "web_idle_timeout",
    (gogoproto.casttype) = "Duration"
  ];

  // ProxyListenerMode is proxy listener mode used by Teleport Proxies.
  ProxyListenerMode ProxyListenerMode = 7 [(gogoproto.jsontag) = "proxy_listener_mode,omitempty"];

  // RoutingStrategy determines the strategy used to route to nodes.
  RoutingStrategy RoutingStrategy = 8 [(gogoproto.jsontag) = "routing_strategy,omitempty"];

  // TunnelStrategyV1 determines the tunnel strategy used in the cluster.
  TunnelStrategyV1 TunnelStrategy = 9 [(gogoproto.jsontag) = "tunnel_strategy,omitempty"];

  // ProxyPingInterval defines in which interval the TLS routing ping message
  // should be sent. This is applicable only when using ping-wrapped
  // connections, regular TLS routing connections are not affected.
  int64 ProxyPingInterval = 10 [
    (gogoproto.jsontag) = "proxy_ping_interval,omitempty",
    (gogoproto.casttype) = "Duration"
  ];
}

// TunnelStrategyV1 defines possible tunnel strategy types.
message TunnelStrategyV1 {
  oneof Strategy {
    AgentMeshTunnelStrategy AgentMesh = 1 [(gogoproto.jsontag) = "agent_mesh,omitempty"];
    ProxyPeeringTunnelStrategy ProxyPeering = 2 [(gogoproto.jsontag) = "proxy_peering,omitempty"];
  }
}

// AgentMeshTunnelStrategy requires reverse tunnels to dial every proxy.
message AgentMeshTunnelStrategy {}

// ProxyPeeringTunnelStrategy requires reverse tunnels to dial a fixed number of proxies.
message ProxyPeeringTunnelStrategy {
  int64 AgentConnectionCount = 1 [(gogoproto.jsontag) = "agent_connection_count,omitempty"];
}

// ProxyListenerMode represents the cluster proxy listener mode.
enum ProxyListenerMode {
  // Separate is the proxy listener mode indicating that proxies are running
  // in separate listener mode where Teleport Proxy services use different listeners.
  Separate = 0;
  // Multiplex is the proxy listener mode indicating the proxy should use multiplex mode
  // where all proxy services are multiplexed on a single proxy port.
  Multiplex = 1;
}

// RoutingStrategy determines the strategy used to route to nodes.
enum RoutingStrategy {
  // UnambiguousMatch only routes to distinct nodes.
  UNAMBIGUOUS_MATCH = 0;

  // MostRecent routes to the most recently heartbeated node if duplicates are present.
  MOST_RECENT = 1;
}

// SessionRecordingConfigV2 contains session recording configuration.
message SessionRecordingConfigV2 {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a SessionRecordingConfig specification
  SessionRecordingConfigSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// SessionRecordingConfigSpecV2 is the actual data we care about
// for SessionRecordingConfig.
message SessionRecordingConfigSpecV2 {
  // Mode controls where (or if) the session is recorded.
  string Mode = 1 [(gogoproto.jsontag) = "mode"];

  // ProxyChecksHostKeys is used to control if the proxy will check host keys
  // when in recording mode.
  BoolValue ProxyChecksHostKeys = 2 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "proxy_checks_host_keys",
    (gogoproto.customtype) = "BoolOption"
  ];
}

// AuthPreferenceV2 implements the AuthPreference interface.
message AuthPreferenceV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an AuthPreference specification
  AuthPreferenceSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// AuthPreferenceSpecV2 is the actual data we care about for AuthPreference.
message AuthPreferenceSpecV2 {
  // Type is the type of authentication.
  string Type = 1 [(gogoproto.jsontag) = "type"];

  // SecondFactor is the type of second factor.
  string SecondFactor = 2 [
    (gogoproto.jsontag) = "second_factor,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.SecondFactorType"
  ];

  // ConnectorName is the name of the OIDC or SAML connector. If this value is
  // not set the first connector in the backend will be used.
  string ConnectorName = 3 [(gogoproto.jsontag) = "connector_name,omitempty"];

  // U2F are the settings for the U2F device.
  U2F U2F = 4 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "u2f,omitempty"
  ];

  // RequireSessionMFA causes all sessions in this cluster to require MFA
  // checks.
  //
  // DELETE IN 13.0.0 in favor of RequireMFAType
  bool RequireSessionMFA = 5 [(gogoproto.jsontag) = "-"];

  // DisconnectExpiredCert provides disconnect expired certificate setting -
  // if true, connections with expired client certificates will get disconnected
  BoolValue DisconnectExpiredCert = 6 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "disconnect_expired_cert,omitempty",
    (gogoproto.customtype) = "BoolOption"
  ];

  // AllowLocalAuth is true if local authentication is enabled.
  BoolValue AllowLocalAuth = 7 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "allow_local_auth,omitempty",
    (gogoproto.customtype) = "BoolOption"
  ];

  string MessageOfTheDay = 8 [(gogoproto.jsontag) = "message_of_the_day,omitempty"];

  // LockingMode is the cluster-wide locking mode default.
  string LockingMode = 9 [
    (gogoproto.jsontag) = "locking_mode,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.LockingMode"
  ];

  // Webauthn are the settings for server-side Web Authentication support.
  Webauthn Webauthn = 10 [(gogoproto.jsontag) = "webauthn,omitempty"];

  // AllowPasswordless enables/disables passwordless support.
  // Passwordless requires Webauthn to work.
  // Defaults to true if the Webauthn is configured, defaults to false
  // otherwise.
  BoolValue AllowPasswordless = 11 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "allow_passwordless,omitempty",
    (gogoproto.customtype) = "BoolOption"
  ];

  // RequireMFAType is the type of MFA requirement enforced for this cluster.
  RequireMFAType RequireMFAType = 12 [(gogoproto.jsontag) = "require_session_mfa,omitempty"];

  // DeviceTrust holds settings related to trusted device verification.
  // Requires Teleport Enterprise.
  DeviceTrust DeviceTrust = 13 [(gogoproto.jsontag) = "device_trust,omitempty"];

  // IDP is a set of options related to accessing IdPs within Teleport.
  // Requires Teleport Enterprise.
  IdPOptions IDP = 14 [(gogoproto.jsontag) = "idp,omitempty"];

  // AllowHeadless enables/disables headless support.
  // Headless authentication requires Webauthn to work.
  // Defaults to true if the Webauthn is configured, defaults to false
  // otherwise.
  BoolValue AllowHeadless = 15 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "allow_headless,omitempty",
    (gogoproto.customtype) = "BoolOption"
  ];

  // DefaultSessionTTL is the TTL to use for user certs when
  // an explicit TTL is not requested.
  int64 DefaultSessionTTL = 16 [
    (gogoproto.jsontag) = "default_session_ttl,omitempty",
    (gogoproto.casttype) = "Duration"
  ];
}

// U2F defines settings for U2F device.
// Deprecated: U2F is transparently converted to WebAuthn by Teleport. Prefer
// using WebAuthn instead.
message U2F {
  // AppID returns the application ID for universal second factor.
  string AppID = 1 [(gogoproto.jsontag) = "app_id,omitempty"];

  // Facets returns the facets for universal second factor.
  // Deprecated: Kept for backwards compatibility reasons, but Facets have no
  // effect since Teleport v10, when Webauthn replaced the U2F implementation.
  repeated string Facets = 2 [(gogoproto.jsontag) = "facets,omitempty"];

  // DeviceAttestationCAs contains the trusted attestation CAs for U2F
  // devices.
  repeated string DeviceAttestationCAs = 3 [(gogoproto.jsontag) = "device_attestation_cas,omitempty"];
}

// Webauthn defines user-visible settings for server-side Web Authentication
// support.
message Webauthn {
  // RPID is the ID of the Relying Party.
  // It should be set to the domain name of the Teleport installation.
  //
  // IMPORTANT: RPID must never change in the lifetime of the cluster, because
  // it's recorded in the registration data on the WebAuthn device. If the
  // RPID changes, all existing WebAuthn key registrations will become invalid
  // and all users who use WebAuthn as the second factor will need to
  // re-register.
  string RPID = 1 [(gogoproto.jsontag) = "rp_id,omitempty"];
  // Allow list of device attestation CAs in PEM format.
  // If present, only devices whose attestation certificates match the
  // certificates specified here may be registered (existing registrations are
  // unchanged).
  // If supplied in conjunction with AttestationDeniedCAs, then both
  // conditions need to be true for registration to be allowed (the device
  // MUST match an allowed CA and MUST NOT match a denied CA).
  // By default all devices are allowed.
  repeated string AttestationAllowedCAs = 2 [(gogoproto.jsontag) = "attestation_allowed_cas,omitempty"];
  // Deny list of device attestation CAs in PEM format.
  // If present, only devices whose attestation certificates don't match the
  // certificates specified here may be registered (existing registrations are
  // unchanged).
  // If supplied in conjunction with AttestationAllowedCAs, then both
  // conditions need to be true for registration to be allowed (the device
  // MUST match an allowed CA and MUST NOT match a denied CA).
  // By default no devices are denied.
  repeated string AttestationDeniedCAs = 3 [(gogoproto.jsontag) = "attestation_denied_cas,omitempty"];
  reserved 4; // bool Disabled
}

// DeviceTrust holds settings related to trusted device verification.
// Requires Teleport Enterprise.
message DeviceTrust {
  // Mode of verification for trusted devices.
  //
  // The following modes are supported:
  //
  // - "off": disables both device authentication and authorization.
  // - "optional": allows both device authentication and authorization, but
  //   doesn't enforce the presence of device extensions for sensitive
  //   endpoints.
  // - "required": enforces the presence of device extensions for sensitive
  //   endpoints.
  //
  // Mode is always "off" for OSS.
  // Defaults to "optional" for Enterprise.
  string Mode = 1 [(gogoproto.jsontag) = "mode,omitempty"];
}

// Namespace represents namespace resource specification
message Namespace {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a namespace spec
  NamespaceSpec Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// NamespaceSpec is a namespace specification
message NamespaceSpec {}

message UserTokenV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is a resource sub kind, used to define the type of user token.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an resource specification
  UserTokenSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// UserTokenUsage contains additional information about the intended usage of a user token.
enum UserTokenUsage {
  // Default value that implies token usage was not set.
  USER_TOKEN_USAGE_UNSPECIFIED = 0;
  // USER_TOKEN_RECOVER_PASSWORD is a request to recover password.
  USER_TOKEN_RECOVER_PASSWORD = 1;
  // USER_TOKEN_RECOVER_MFA is a request to recover a MFA.
  USER_TOKEN_RECOVER_MFA = 2;
  // USER_TOKEN_RENEWAL_BOT is a request to generate certificates
  // for a bot user.
  USER_TOKEN_RENEWAL_BOT = 3;
}

message UserTokenSpecV3 {
  // User is user name associated with this token
  string User = 1 [(gogoproto.jsontag) = "user"];
  // URL is this token URL
  string URL = 2 [(gogoproto.jsontag) = "url"];
  // Usage is an optional field that provides more information about how this token will be used.
  UserTokenUsage Usage = 3 [(gogoproto.jsontag) = "usage,omitempty"];
  // Created holds information about when the token was created
  google.protobuf.Timestamp Created = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created,omitempty"
  ];
}

message UserTokenSecretsV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an resource specification
  UserTokenSecretsSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

message UserTokenSecretsSpecV3 {
  // OTPKey is is a secret value of one time password secret generator
  string OTPKey = 1 [(gogoproto.jsontag) = "opt_key"];
  // OTPKey is is a secret value of one time password secret generator
  string QRCode = 2 [(gogoproto.jsontag) = "qr_code,omitempty"];
  // Created holds information about when the token was created
  google.protobuf.Timestamp Created = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created,omitempty"
  ];
}

// AccessRequest represents an access request resource specification
message AccessRequestV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is AccessRequest metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an AccessRequest specification
  AccessRequestSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// AccessReviewThreshold describes a filter used to match access reviews,
// as well as approval/denial counts which trigger state-transitions.  This type
// can be used to describe policies such as "can be approved by 2 admins"
// or "can be denied by any non-contractor".
message AccessReviewThreshold {
  // Name is the optional human-readable name of the threshold.
  string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];
  // Filter is an optional predicate used to determine which reviews
  // count toward this threshold.
  string Filter = 2 [(gogoproto.jsontag) = "filter,omitempty"];
  // Approve is the number of matching approvals needed for state-transition.
  uint32 Approve = 3 [(gogoproto.jsontag) = "approve,omitempty"];
  // Deny is the number of denials needed for state-transition.
  uint32 Deny = 4 [(gogoproto.jsontag) = "deny,omitempty"];
}

// AccessReview is a review to be applied to an access request.
message AccessReview {
  // Author is the teleport username of the review author.
  string Author = 1 [(gogoproto.jsontag) = "author"];
  // Roles is a list used for role-subselection (not yet fully supported).
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles,omitempty"];
  // ProposedState is the proposed state (must be APPROVED or DENIED).
  RequestState ProposedState = 3 [(gogoproto.jsontag) = "proposed_state,omitempty"];
  // Reason is an optional human-readable reason for why the above state
  // is being proposed.
  string Reason = 4 [(gogoproto.jsontag) = "reason,omitempty"];
  // Created is the time at which the review was created.
  google.protobuf.Timestamp Created = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created,omitempty"
  ];
  // Annotations is the proposed value of the request's resolve_annotations field.
  wrappers.LabelValues Annotations = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "annotations,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // ThresholdIndexes stores the indexes of thresholds which this review matches
  // (internal use only).
  repeated uint32 ThresholdIndexes = 7 [(gogoproto.jsontag) = "i,omitempty"];
}

// AccessReviewSubmission encodes the necessary parameters for submitting
// a new access review.
message AccessReviewSubmission {
  // RequestID is the unique ID of the request to be reviewed.
  string RequestID = 1 [(gogoproto.jsontag) = "id,omitempty"];

  // Review is the review to be applied.
  AccessReview Review = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "review,omitempty"
  ];
}

// RequestState represents the state of a request for escalated privilege.
enum RequestState {
  // NONE variant exists to allow RequestState to be explicitly omitted
  // in certain circumstances (e.g. in an AccessRequestFilter).
  NONE = 0;
  // PENDING variant is the default for newly created requests.
  PENDING = 1;
  // APPROVED variant indicates that a request has been accepted by
  // an administrating party.
  APPROVED = 2;
  // DENIED variant indicates that a request has been rejected by
  // an administrating party.
  DENIED = 3;
}

// ThresholdIndexSet encodes a list of threshold indexes. One of the listed thresholds
// must pass for the set to be considered to have passed (i.e. this is an `or` operator).
message ThresholdIndexSet {
  // Indexes are the indexes of thresholds which relate to the role.
  repeated uint32 Indexes = 1 [(gogoproto.jsontag) = "i,omitempty"];
}

// ThresholdIndexSets is a list of threshold index sets.  Each of the individual
// sets must pass (i.e. this is an `and` operator).
message ThresholdIndexSets {
  // Sets are the sets that make up this group.
  repeated ThresholdIndexSet Sets = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "s,omitempty"
  ];
}

// AccessRequestSpec is the specification for AccessRequest
message AccessRequestSpecV3 {
  // User is the name of the user to whom the roles will be applied.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Roles is the name of the roles being requested.
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles"];
  // State is the current state of this access request.
  RequestState State = 3 [(gogoproto.jsontag) = "state,omitempty"];
  // Created encodes the time at which the request was registered with the auth
  // server.
  google.protobuf.Timestamp Created = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created,omitempty"
  ];
  // Expires constrains the maximum lifetime of any login session for which this
  // request is active.
  google.protobuf.Timestamp Expires = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires,omitempty"
  ];

  // RequestReason is an optional message explaining the reason for the request.
  string RequestReason = 6 [(gogoproto.jsontag) = "request_reason,omitempty"];

  // ResolveReason is an optional message explaining the reason for the resolution
  // of the request (approval, denial, etc...).
  string ResolveReason = 7 [(gogoproto.jsontag) = "resolve_reason,omitempty"];

  // ResolveAnnotations is a set of arbitrary values received from plugins or other
  // resolving parties during approval/denial.  Importantly, these annotations are
  // included in the access_request.update event, allowing plugins to propagate
  // arbitrary structured data to the audit log.
  wrappers.LabelValues ResolveAnnotations = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "resolve_annotations,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // SystemAnnotations is a set of programmatically generated annotations attached
  // to pending access requests by teleport.  These annotations are generated by
  // applying variable interpolation to the RoleConditions.Request.Annotations block
  // of a user's role(s).  These annotations serve as a mechanism for administrators
  // to pass extra information to plugins when they process pending access requests.
  wrappers.LabelValues SystemAnnotations = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "system_annotations,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // Thresholds is a list of review thresholds relevant to this request.  Order must be
  // preserved, as thresholds are referenced by index (internal use only).
  repeated AccessReviewThreshold Thresholds = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "thresholds,omitempty"
  ];

  // RoleThresholdMapping encodes the relationship between the requested roles and
  // the review threshold requirements for the given role (internal use only).
  // By storing a representation of which thresholds must pass for each requested role, we
  // both eliminate the need to cache the requestor's roles directly, and allow future
  // versions of teleport to become smarter about calculating more granular requirements
  // in a backwards-compatible manner (i.e. calculation can become smarter in minor releases).
  // Storing this relationship on the request is necessary in order to avoid unexpected or
  // inconsistent behavior due to review submission timing.
  map<string, ThresholdIndexSets> RoleThresholdMapping = 11 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rtm,omitempty"
  ];

  // Reviews is a list of reviews applied to this request (internal use only).
  repeated AccessReview Reviews = 12 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "reviews,omitempty"
  ];

  // SuggestedReviewers is a list of reviewer suggestions.  These can be teleport usernames, but
  // that is not a requirement.
  repeated string SuggestedReviewers = 13 [(gogoproto.jsontag) = "suggested_reviewers,omitempty"];

  // RequestedResourceIDs is a set of resources to which access is being requested.
  repeated ResourceID RequestedResourceIDs = 14 [
    (gogoproto.jsontag) = "resource_ids,omitempty",
    (gogoproto.nullable) = false
  ];

  // LoginHint is used as a hint for search-based access requests to select
  // roles based on the login the user is attempting.
  string LoginHint = 15 [(gogoproto.jsontag) = "login_hint,omitempty"];

  // DryRun indicates that the request should not actually be created, the
  // auth server should only validate the access request.
  bool DryRun = 16 [(gogoproto.jsontag) = "dry_run,omitempty"];
}

// AccessRequestFilter encodes filter params for access requests.
message AccessRequestFilter {
  // ID specifies a request ID if set.
  string ID = 1 [(gogoproto.jsontag) = "id,omitempty"];
  // User specifies a username if set.
  string User = 2 [(gogoproto.jsontag) = "user,omitempty"];
  // RequestState filters for requests in a specific state.
  RequestState State = 3 [(gogoproto.jsontag) = "state,omitempty"];
}

// AccessCapabilities is a summary of capabilities that a user
// is granted via their dynamic access privileges which may not be
// calculable by directly examining the user's own static roles.
message AccessCapabilities {
  // RequestableRoles is a list of existent roles which the user is allowed to request.
  repeated string RequestableRoles = 1 [(gogoproto.jsontag) = "requestable_roles,omitempty"];
  // SuggestedReviewers is a list of all reviewers which are suggested by the user's roles.
  repeated string SuggestedReviewers = 2 [(gogoproto.jsontag) = "suggested_reviewers,omitempty"];
  // ApplicableRolesForResources is a list of the roles applicable for access to a given set of resources.
  repeated string ApplicableRolesForResources = 3 [(gogoproto.jsontag) = "applicable_roles,omitempty"];
}

// AccessCapabilitiesRequest encodes parameters for the GetAccessCapabilities method.
message AccessCapabilitiesRequest {
  // User is the name of the user whose capabilities we are interested in (defaults to
  // the caller's own username).
  string User = 1 [(gogoproto.jsontag) = "user,omitempty"];
  // RequestableRoles is a flag indicating that we would like to view the list of roles
  // that the user is able to request.
  bool RequestableRoles = 2 [(gogoproto.jsontag) = "requestable_roles,omitempty"];
  // SuggestedReviewers is a flag indicating that we would like to view the list of all
  // reviewers which are suggested by the user's roles.
  bool SuggestedReviewers = 3 [(gogoproto.jsontag) = "suggested_reviewers,omitempty"];
  // ResourceIDs is the list of the ResourceIDs of the resources we would like to view
  // the necessary roles for.
  repeated ResourceID ResourceIDs = 4 [
    (gogoproto.jsontag) = "resource_ids,omitempty",
    (gogoproto.nullable) = false
  ];
}

// ResourceID is a unique identifier for a teleport resource.
message ResourceID {
  // ClusterName is the name of the cluster the resource is in.
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster"];
  // Kind is the resource kind.
  string Kind = 2 [(gogoproto.jsontag) = "kind"];
  // Name is the name of the specific resource.
  string Name = 3 [(gogoproto.jsontag) = "name"];
  // SubResourceName is the resource belonging to resource identified by "Name"
  // that the user is allowed to access to.
  // When granting access to a subresource, access to other resources is limited.
  // Currently it just supports resources of Kind=pod and the format is the following
  // "<kube_namespace>/<kube_pod>".
  string SubResourceName = 4 [(gogoproto.jsontag) = "sub_resource,omitempty"];
}

// PluginData stores a collection of values associated with a specific resource.
message PluginDataV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is PluginData metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a PluginData specification
  PluginDataSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// PluginDataEntry wraps a mapping of arbitrary string values used by
// plugins to store per-resource information.
message PluginDataEntry {
  // Data is a mapping of arbitrary string values.
  map<string, string> Data = 1 [(gogoproto.jsontag) = "data,omitempty"];
}

// PluginData stores a collection of values associated with a specific resource.
message PluginDataSpecV3 {
  // Entries is a collection of PluginData values organized by plugin name.
  map<string, PluginDataEntry> Entries = 1 [(gogoproto.jsontag) = "entries"];
}

// NOTE: PluginDataFilter and PluginDataUpdateParams currently only target AccessRequest resources
// since those are the only resources currently managed via plugin.  Support for additional resource
// kinds may be added in a backwards-compatible manner by adding a `Kind` field which defaults
// to `access_request` if unspecified.

// PluginDataFilter encodes filter params for plugin data.
message PluginDataFilter {
  // Kind is the kind of resource that the target plugin data
  // is associated with.
  string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
  // Resource matches a specific resource name if set.
  string Resource = 2 [(gogoproto.jsontag) = "resource,omitempty"];
  // Plugin matches a specific plugin name if set.
  string Plugin = 3 [(gogoproto.jsontag) = "plugin,omitempty"];
}

// PluginDataUpdateParams encodes parameters for updating a PluginData field.
message PluginDataUpdateParams {
  // Kind is the kind of resource that the target plugin data
  // is associated with.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // Resource indicates the name of the target resource.
  string Resource = 2 [(gogoproto.jsontag) = "resource"];
  // Plugin is the name of the plugin that owns the data.
  string Plugin = 3 [(gogoproto.jsontag) = "plugin"];
  // Set indicates the fields which should be set by this operation.
  map<string, string> Set = 4 [(gogoproto.jsontag) = "set,omitempty"];
  // Expect optionally indicates the expected state of fields prior to this update.
  map<string, string> Expect = 5 [(gogoproto.jsontag) = "expect,omitempty"];
}

// RoleV6 represents role resource specification
message RoleV6 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a role specification
  RoleSpecV6 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// RoleSpecV6 is role specification for RoleV6.
message RoleSpecV6 {
  // Options is for OpenSSH options like agent forwarding.
  RoleOptions Options = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "options,omitempty"
  ];
  // Allow is the set of conditions evaluated to grant access.
  RoleConditions Allow = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "allow,omitempty"
  ];
  // Deny is the set of conditions evaluated to deny access. Deny takes priority
  // over allow.
  RoleConditions Deny = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "deny,omitempty"
  ];
}

// RoleOptions is a set of role options
message RoleOptions {
  // ForwardAgent is SSH agent forwarding.
  bool ForwardAgent = 1 [
    (gogoproto.jsontag) = "forward_agent",
    (gogoproto.casttype) = "Bool"
  ];

  // MaxSessionTTL defines how long a SSH session can last for.
  int64 MaxSessionTTL = 2 [
    (gogoproto.jsontag) = "max_session_ttl,omitempty",
    (gogoproto.casttype) = "Duration"
  ];

  // PortForwarding defines if the certificate will have
  // "permit-port-forwarding"
  // in the certificate. PortForwarding is "yes" if not set,
  // that's why this is a pointer
  BoolValue PortForwarding = 3 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "port_forwarding,omitempty",
    (gogoproto.customtype) = "BoolOption"
  ];

  // CertificateFormat defines the format of the user certificate to allow
  // compatibility with older versions of OpenSSH.
  string CertificateFormat = 4 [(gogoproto.jsontag) = "cert_format"];

  // ClientIdleTimeout sets disconnect clients on idle timeout behavior,
  // if set to 0 means do not disconnect, otherwise is set to the idle
  // duration.
  int64 ClientIdleTimeout = 5 [
    (gogoproto.jsontag) = "client_idle_timeout,omitempty",
    (gogoproto.casttype) = "Duration"
  ];

  // DisconnectExpiredCert sets disconnect clients on expired certificates.
  bool DisconnectExpiredCert = 6 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "disconnect_expired_cert,omitempty",
    (gogoproto.casttype) = "Bool"
  ];

  // BPF defines what events to record for the BPF-based session recorder.
  repeated string BPF = 7 [(gogoproto.jsontag) = "enhanced_recording,omitempty"];

  // PermitX11Forwarding authorizes use of X11 forwarding.
  bool PermitX11Forwarding = 8 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "permit_x11_forwarding,omitempty",
    (gogoproto.casttype) = "Bool"
  ];

  // MaxConnections defines the maximum number of
  // concurrent connections a user may hold.
  int64 MaxConnections = 9 [(gogoproto.jsontag) = "max_connections,omitempty"];

  // MaxSessions defines the maximum number of
  // concurrent sessions per connection.
  int64 MaxSessions = 10 [(gogoproto.jsontag) = "max_sessions,omitempty"];

  // RequestAccess defines the access request strategy (optional|note|always)
  // where optional is the default.
  string RequestAccess = 11 [
    (gogoproto.jsontag) = "request_access,omitempty",
    (gogoproto.casttype) = "RequestStrategy"
  ];

  // RequestPrompt is an optional message which tells users what they aught to
  string RequestPrompt = 12 [(gogoproto.jsontag) = "request_prompt,omitempty"];

  // RequireSessionMFA specifies whether a user is required to do an MFA
  // check for every session.
  //
  // DELETE IN 13.0.0 in favor of RequireMFAType
  bool RequireSessionMFA = 13 [(gogoproto.jsontag) = "-"];

  // Lock specifies the locking mode (strict|best_effort) to be applied with
  // the role.
  string Lock = 14 [
    (gogoproto.jsontag) = "lock,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.LockingMode"
  ];

  // RecordDesktopSession indicates whether desktop access sessions should be recorded.
  // It defaults to true unless explicitly set to false.
  RecordSession RecordSession = 15 [(gogoproto.jsontag) = "record_session"];

  // DesktopClipboard indicates whether clipboard sharing is allowed between the user's
  // workstation and the remote desktop. It defaults to true unless explicitly set to
  // false.
  BoolValue DesktopClipboard = 16 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "desktop_clipboard",
    (gogoproto.customtype) = "BoolOption"
  ];

  // CertExtensions specifies the key/values
  repeated CertExtension CertExtensions = 17 [(gogoproto.jsontag) = "cert_extensions,omitempty"];

  // MaxKubernetesConnections defines the maximum number of concurrent
  // Kubernetes sessions a user may hold.
  int64 MaxKubernetesConnections = 18 [(gogoproto.jsontag) = "max_kubernetes_connections,omitempty"];

  // DesktopDirectorySharing indicates whether directory sharing is allowed between the user's
  // workstation and the remote desktop. It defaults to false unless explicitly set to
  // true.
  BoolValue DesktopDirectorySharing = 19 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "desktop_directory_sharing",
    (gogoproto.customtype) = "BoolOption"
  ];

  // CreateHostUser allows users to be automatically created on a host
  BoolValue CreateHostUser = 20 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "create_host_user",
    (gogoproto.customtype) = "BoolOption"
  ];

  // PinSourceIP forces the same client IP for certificate generation and usage
  bool PinSourceIP = 21 [
    (gogoproto.jsontag) = "pin_source_ip",
    (gogoproto.casttype) = "Bool"
  ];

  // SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed
  // over an SSH session. It defaults to true unless explicitly set to false.
  BoolValue SSHFileCopy = 22 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "ssh_file_copy",
    (gogoproto.customtype) = "BoolOption"
  ];

  // RequireMFAType is the type of MFA requirement enforced for this user.
  RequireMFAType RequireMFAType = 23 [(gogoproto.jsontag) = "require_session_mfa,omitempty"];

  // DeviceTrustMode is the device authorization mode used for the resources
  // associated with the role.
  // See DeviceTrust.Mode.
  // Reserved for future use, not yet used by Teleport.
  string DeviceTrustMode = 24 [(gogoproto.jsontag) = "device_trust_mode,omitempty"];

  // IDP is a set of options related to accessing IdPs within Teleport.
  // Requires Teleport Enterprise.
  IdPOptions IDP = 25 [(gogoproto.jsontag) = "idp,omitempty"];

  // CreateDesktopUser allows users to be automatically created on a Windows desktop
  BoolValue CreateDesktopUser = 26 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "create_desktop_user",
    (gogoproto.customtype) = "BoolOption"
  ];
}

message RecordSession {
  // Desktop indicates whether desktop sessions should be recorded.
  // It defaults to true unless explicitly set to false.
  BoolValue Desktop = 1 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "desktop",
    (gogoproto.customtype) = "BoolOption"
  ];

  // Default indicates the default value for the services.
  string Default = 2 [
    (gogoproto.jsontag) = "default,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.SessionRecordingMode"
  ];

  // SSH indicates the session mode used on SSH sessions.
  string SSH = 3 [
    (gogoproto.jsontag) = "ssh,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.SessionRecordingMode"
  ];
}

// CertExtensionMode specifies the type of extension to use in the cert.
enum CertExtensionMode {
  // EXTENSION represents a cert extension that may or may not be
  // honored by the server.
  EXTENSION = 0;
}

// CertExtensionType represents the certificate type the extension is for.
// Currently only ssh is supported.
enum CertExtensionType {
  // SSH is used when extending an ssh certificate
  SSH = 0;
}

// CertExtension represents a key/value for a certificate extension
message CertExtension {
  // Type represents the certificate type being extended, only ssh
  // is supported at this time.
  CertExtensionType Type = 1 [(gogoproto.jsontag) = "type"];
  // Mode is the type of extension to be used -- currently
  // critical-option is not supported
  CertExtensionMode Mode = 2 [(gogoproto.jsontag) = "mode"];
  // Name specifies the key to be used in the cert extension.
  string Name = 3 [(gogoproto.jsontag) = "name"];
  // Value specifies the value to be used in the cert extension.
  string Value = 4 [(gogoproto.jsontag) = "value"];
}

// RoleConditions is a set of conditions that must all match to be allowed or
// denied access.
message RoleConditions {
  // Logins is a list of *nix system logins.
  repeated string Logins = 1 [(gogoproto.jsontag) = "logins,omitempty"];

  // Namespaces is a list of namespaces (used to partition a cluster). The
  // field should be called "namespaces" when it returns in Teleport 2.4.
  repeated string Namespaces = 2 [(gogoproto.jsontag) = "-"];

  // NodeLabels is a map of node labels (used to dynamically grant access to
  // nodes).
  wrappers.LabelValues NodeLabels = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "node_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // Rules is a list of rules and their access levels. Rules are a high level
  // construct used for access control.
  repeated Rule Rules = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rules,omitempty"
  ];

  // KubeGroups is a list of kubernetes groups
  repeated string KubeGroups = 5 [(gogoproto.jsontag) = "kubernetes_groups,omitempty"];

  AccessRequestConditions Request = 6 [(gogoproto.jsontag) = "request,omitempty"];

  // KubeUsers is an optional kubernetes users to impersonate
  repeated string KubeUsers = 7 [(gogoproto.jsontag) = "kubernetes_users,omitempty"];

  // AppLabels is a map of labels used as part of the RBAC system.
  wrappers.LabelValues AppLabels = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "app_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // ClusterLabels is a map of node labels (used to dynamically grant access to
  // clusters).
  wrappers.LabelValues ClusterLabels = 9 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "cluster_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // KubernetesLabels is a map of kubernetes cluster labels used for RBAC.
  wrappers.LabelValues KubernetesLabels = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "kubernetes_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // DatabaseLabels are used in RBAC system to allow/deny access to databases.
  wrappers.LabelValues DatabaseLabels = 11 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "db_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // DatabaseNames is a list of database names this role is allowed to connect to.
  repeated string DatabaseNames = 12 [(gogoproto.jsontag) = "db_names,omitempty"];
  // DatabaseUsers is a list of databases users this role is allowed to connect as.
  repeated string DatabaseUsers = 13 [(gogoproto.jsontag) = "db_users,omitempty"];

  // Impersonate specifies what users and roles this role is allowed to impersonate
  // by issuing certificates or other possible means.
  ImpersonateConditions Impersonate = 14 [(gogoproto.jsontag) = "impersonate,omitempty"];

  // ReviewRequests defines conditions for submitting access reviews.
  AccessReviewConditions ReviewRequests = 15 [(gogoproto.jsontag) = "review_requests,omitempty"];

  // AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
  repeated string AWSRoleARNs = 16 [(gogoproto.jsontag) = "aws_role_arns,omitempty"];

  // WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
  repeated string WindowsDesktopLogins = 17 [(gogoproto.jsontag) = "windows_desktop_logins,omitempty"];

  // WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
  wrappers.LabelValues WindowsDesktopLabels = 18 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "windows_desktop_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // RequireSessionJoin specifies policies for required users to start a session.
  repeated SessionRequirePolicy RequireSessionJoin = 19 [(gogoproto.jsontag) = "require_session_join,omitempty"];

  // JoinSessions specifies policies to allow users to join other sessions.
  repeated SessionJoinPolicy JoinSessions = 20 [(gogoproto.jsontag) = "join_sessions,omitempty"];

  // HostGroups is a list of groups for created users to be added to
  repeated string HostGroups = 21 [(gogoproto.jsontag) = "host_groups,omitempty"];
  // HostSudoers is a list of entries to include in a users sudoer file
  repeated string HostSudoers = 22 [(gogoproto.jsontag) = "host_sudoers,omitempty"];

  // AzureIdentities is a list of Azure identities this role is allowed to assume.
  repeated string AzureIdentities = 23 [(gogoproto.jsontag) = "azure_identities,omitempty"];

  // KubernetesResources is the Kubernetes Resources this Role grants access to.
  repeated KubernetesResource KubernetesResources = 24 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "kubernetes_resources,omitempty"
  ];

  // GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
  repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];

  // DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.
  wrappers.LabelValues DatabaseServiceLabels = 26 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "db_service_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // GroupLabels is a map of labels used as part of the RBAC system.
  wrappers.LabelValues GroupLabels = 27 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "group_labels,omitempty",
    (gogoproto.customtype) = "Labels"
  ];

  // DesktopGroups is a list of groups for created desktop users to be added to
  repeated string DesktopGroups = 28 [(gogoproto.jsontag) = "desktop_groups,omitempty"];
}

// KubernetesResource is the Kubernetes resource identifier.
message KubernetesResource {
  // Kind specifies the Kubernetes Resource type.
  // At the moment only "pod" is supported.
  string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
  // Namespace is the resource namespace.
  // It supports wildcards.
  string Namespace = 2 [(gogoproto.jsontag) = "namespace,omitempty"];
  // Name is the resource name.
  // It supports wildcards.
  string Name = 3 [(gogoproto.jsontag) = "name,omitempty"];
}

// SessionRequirePolicy a requirement policy that needs to be fulfilled to grant access.
message SessionRequirePolicy {
  // Name is the name of the policy.
  string Name = 1 [(gogoproto.jsontag) = "name"];

  // Filter is a predicate that determines what users count towards this policy.
  string Filter = 2 [(gogoproto.jsontag) = "filter"];

  // Kinds are the session kinds this policy applies to.
  repeated string Kinds = 3 [(gogoproto.jsontag) = "kinds"];

  // Count is the amount of people that need to be matched for this policy to be fulfilled.
  int32 Count = 4 [(gogoproto.jsontag) = "count"];

  // Modes is the list of modes that may be used to fulfill this policy.
  repeated string Modes = 5 [(gogoproto.jsontag) = "modes"];

  // OnLeave is the behaviour that's used when the policy is no longer fulfilled
  // for a live session.
  string OnLeave = 6 [(gogoproto.jsontag) = "on_leave"];
}

// SessionJoinPolicy defines a policy that allows a user to join sessions.
message SessionJoinPolicy {
  // Name is the name of the policy.
  string Name = 1 [(gogoproto.jsontag) = "name"];

  // Roles is a list of roles that you can join the session of.
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles"];

  // Kinds are the session kinds this policy applies to.
  repeated string Kinds = 3 [(gogoproto.jsontag) = "kinds"];

  // Modes is a list of permitted participant modes for this policy.
  repeated string Modes = 4 [(gogoproto.jsontag) = "modes"];
}

// AccessRequestConditions is a matcher for allow/deny restrictions on
// access-requests.
message AccessRequestConditions {
  // Roles is the name of roles which will match the request rule.
  repeated string Roles = 1 [(gogoproto.jsontag) = "roles,omitempty"];

  // ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
  repeated ClaimMapping ClaimsToRoles = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "claims_to_roles,omitempty"
  ];

  // Annotations is a collection of annotations to be programmatically
  // appended to pending access requests at the time of their creation.
  // These annotations serve as a mechanism to propagate extra information
  // to plugins.  Since these annotations support variable interpolation
  // syntax, they also offer a mechanism for forwarding claims from an
  // external identity provider, to a plugin via `{{external.trait_name}}`
  // style substitutions.
  wrappers.LabelValues Annotations = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "annotations,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // Thresholds is a list of thresholds, one of which must be met in order for reviews
  // to trigger a state-transition.  If no thresholds are provided, a default threshold
  // of 1 for approval and denial is used.
  repeated AccessReviewThreshold Thresholds = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "thresholds,omitempty"
  ];

  // SuggestedReviewers is a list of reviewer suggestions.  These can be teleport usernames, but
  // that is not a requirement.
  repeated string SuggestedReviewers = 5 [(gogoproto.jsontag) = "suggested_reviewers,omitempty"];

  // SearchAsRoles is a list of extra roles which should apply to a user while
  // they are searching for resources as part of a Resource Access Request, and
  // defines the underlying roles which will be requested as part of any
  // Resource Access Request.
  repeated string SearchAsRoles = 6 [(gogoproto.jsontag) = "search_as_roles,omitempty"];
}

// AccessReviewConditions is a matcher for allow/deny restrictions on
// access reviews.
message AccessReviewConditions {
  // Roles is the name of roles which may be reviewed.
  repeated string Roles = 1 [(gogoproto.jsontag) = "roles,omitempty"];

  // ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
  repeated ClaimMapping ClaimsToRoles = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "claims_to_roles,omitempty"
  ];

  // Where is an optional predicate which further limits which requests are
  // reviewable.
  string Where = 3 [(gogoproto.jsontag) = "where,omitempty"];

  // PreviewAsRoles is a list of extra roles which should apply to a reviewer
  // while they are viewing a Resource Access Request for the purposes of
  // viewing details such as the hostname and labels of requested resources.
  repeated string PreviewAsRoles = 4 [(gogoproto.jsontag) = "preview_as_roles,omitempty"];
}

// ClaimMapping maps a claim to teleport roles.
message ClaimMapping {
  // Claim is a claim name.
  string Claim = 1 [(gogoproto.jsontag) = "claim"];
  // Value is a claim value to match.
  string Value = 2 [(gogoproto.jsontag) = "value"];
  // Roles is a list of static teleport roles to match.
  repeated string Roles = 3 [(gogoproto.jsontag) = "roles,omitempty"];
}

// TraitMapping maps a trait to teleport roles.
message TraitMapping {
  // Trait is a trait name.
  string Trait = 1 [(gogoproto.jsontag) = "trait"];
  // Value is a trait value to match.
  string Value = 2 [(gogoproto.jsontag) = "value"];
  // Roles is a list of static teleport roles to match.
  repeated string Roles = 3 [(gogoproto.jsontag) = "roles,omitempty"];
}

// Rule represents allow or deny rule that is executed to check
// if user or service have access to resource
message Rule {
  // Resources is a list of resources
  repeated string Resources = 1 [(gogoproto.jsontag) = "resources,omitempty"];
  // Verbs is a list of verbs
  repeated string Verbs = 2 [(gogoproto.jsontag) = "verbs,omitempty"];
  // Where specifies optional advanced matcher
  string Where = 3 [(gogoproto.jsontag) = "where,omitempty"];
  // Actions specifies optional actions taken when this rule matches
  repeated string Actions = 4 [(gogoproto.jsontag) = "actions,omitempty"];
}

// ImpersonateConditions specifies whether users are allowed
// to issue certificates for other users or groups.
message ImpersonateConditions {
  // Users is a list of resources this role is allowed to impersonate,
  // could be an empty list or a Wildcard pattern
  repeated string Users = 1 [(gogoproto.jsontag) = "users,omitempty"];
  // Roles is a list of resources this role is allowed to impersonate
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles,omitempty"];
  // Where specifies optional advanced matcher
  string Where = 3 [(gogoproto.jsontag) = "where,omitempty"];
}

// BoolValue is a wrapper around bool, used in cases
// whenever bool value can have different default value when missing
message BoolValue {
  bool Value = 1;
}

// UserV2 is version 2 resource spec of the user
message UserV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a user specification
  UserSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// UserSpecV2 is a specification for V2 user
message UserSpecV2 {
  // OIDCIdentities lists associated OpenID Connect identities
  // that let user log in using externally verified identity
  repeated ExternalIdentity OIDCIdentities = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "oidc_identities,omitempty"
  ];

  // SAMLIdentities lists associated SAML identities
  // that let user log in using externally verified identity
  repeated ExternalIdentity SAMLIdentities = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "saml_identities,omitempty"
  ];

  // GithubIdentities list associated Github OAuth2 identities
  // that let user log in using externally verified identity
  repeated ExternalIdentity GithubIdentities = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "github_identities,omitempty"
  ];

  // Roles is a list of roles assigned to user
  repeated string Roles = 4 [(gogoproto.jsontag) = "roles,omitempty"];

  // Traits are key/value pairs received from an identity provider (through
  // OIDC claims or SAML assertions) or from a system administrator for local
  // accounts. Traits are used to populate role variables.
  wrappers.LabelValues Traits = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "traits,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // Status is a login status of the user
  LoginStatus Status = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "status,omitempty"
  ];

  // Expires if set sets TTL on the user
  google.protobuf.Timestamp Expires = 7 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];

  // CreatedBy holds information about agent or person created this user
  CreatedBy CreatedBy = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created_by,omitempty"
  ];

  // LocalAuths hold sensitive data necessary for performing local
  // authentication
  LocalAuthSecrets LocalAuth = 9 [(gogoproto.jsontag) = "local_auth,omitempty"];
}

// ExternalIdentity is OpenID Connect/SAML or Github identity that is linked
// to particular user and connector and lets user to log in using external
// credentials, e.g. google
message ExternalIdentity {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
  string ConnectorID = 1 [(gogoproto.jsontag) = "connector_id,omitempty"];

  // Username is username supplied by external identity provider
  string Username = 2 [(gogoproto.jsontag) = "username,omitempty"];
}

// LoginStatus is a login status of the user
message LoginStatus {
  // IsLocked tells us if user is locked
  bool IsLocked = 1 [(gogoproto.jsontag) = "is_locked"];
  // LockedMessage contains the message in case if user is locked
  string LockedMessage = 2 [(gogoproto.jsontag) = "locked_message,omitempty"];
  // LockedTime contains time when user was locked
  google.protobuf.Timestamp LockedTime = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "locked_time,omitempty"
  ];
  // LockExpires contains time when this lock will expire
  google.protobuf.Timestamp LockExpires = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "lock_expires,omitempty"
  ];
  // RecoveryAttemptLockExpires contains the time when this lock will expire
  // from reaching MaxAccountRecoveryAttempts. This field is used to determine
  // if a user got locked from recovery attempts.
  google.protobuf.Timestamp RecoveryAttemptLockExpires = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "recovery_attempt_lock_expires,omitempty"
  ];
}

// CreatedBy holds information about the person or agent who created the user
message CreatedBy {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Identity if present means that user was automatically created by identity
  ConnectorRef Connector = 1 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "connector,omitempty"
  ];
  // Time specifies when user was created
  google.protobuf.Timestamp Time = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "time"
  ];
  // User holds information about user
  UserRef User = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "user"
  ];
}

// LocalAuthSecrets holds sensitive data used to authenticate a local user.
message LocalAuthSecrets {
  // PasswordHash encodes a combined salt & hash for password verification.
  bytes PasswordHash = 1 [(gogoproto.jsontag) = "password_hash,omitempty"];

  // Deprecated 2nd factor fields, use MFA below instead.
  string TOTPKey = 2 [(gogoproto.jsontag) = "totp_key,omitempty"];
  reserved 3; // U2FRegistrationData U2FRegistration
  reserved 4; // uint32 U2FCounter

  repeated MFADevice MFA = 5 [(gogoproto.jsontag) = "mfa,omitempty"];
  // Webauthn holds settings necessary for webauthn local auth.
  // May be null for legacy users or users that haven't yet used webauthn as
  // their second factor.
  WebauthnLocalAuth Webauthn = 6 [(gogoproto.jsontag) = "webauthn,omitempty"];
}

// MFADevice is a multi-factor authentication device, such as a security key or
// an OTP app.
message MFADevice {
  // Boilerplate for implementing the Resource interface.
  string kind = 1;
  string sub_kind = 2;
  string version = 3;
  Metadata metadata = 4 [(gogoproto.nullable) = false];

  // ID is a UUID of this device.
  string id = 5;

  google.protobuf.Timestamp added_at = 6 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];
  google.protobuf.Timestamp last_used = 7 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];

  oneof device {
    TOTPDevice totp = 8;
    U2FDevice u2f = 9;
    WebauthnDevice webauthn = 10;
  }
}

// TOTPDevice holds the TOTP-specific fields of MFADevice.
message TOTPDevice {
  string key = 1;
}

// U2FDevice holds the U2F-specific fields of MFADevice.
message U2FDevice {
  // KeyHandle uniquely identifies a key on a device
  bytes key_handle = 1;
  // PubKey is an DER encoded ecdsa public key
  bytes pub_key = 2;
  // Counter is the latest seen value of the U2F usage counter.
  uint32 counter = 3;
}

// WebauthnDevice holds Webauthn-specific fields of MFADevice.
message WebauthnDevice {
  // Credential ID for the authenticator.
  bytes credential_id = 1;
  // Public key encoded in CBOR format.
  // Webauthn support various key algorithms; CBOR encoding is used to reflect
  // those choices.
  // See https://w3c.github.io/webauthn/#sctn-alg-identifier for a starter
  // reference.
  bytes public_key_cbor = 2;
  // Attestation format used by the authenticator, if any.
  string attestation_type = 3;
  // AAGUID is the globally unique identifier of the authenticator model.
  // Zeroed for U2F devices.
  bytes aaguid = 4;
  // Signature counter for login operations.
  // Actual counter values received from the authenticator are expected to be
  // higher than the previously-stored value.
  uint32 signature_counter = 5;
  // Raw attestation object, as returned by the authentication during
  // registration.
  // Absent for legacy entries (Teleport 8.x).
  bytes attestation_object = 6;
  // True if a resident key was requested during registration.
  // Marks passwordless-capable devices.
  // (Note that resident_key=true represents the server-side / Relying Party
  // view of the registration process; the authenticator alone can determine
  // if a key is truly resident.)
  bool resident_key = 7;
  // Relying Party ID used by the credential.
  // Recorded on registration for new credentials, or on first successful
  // authentication for "old" credentials (created before the field existed).
  // Ideally, this is always the same as the configured RPID.
  // If an RPID change does happen, this helps Teleport detect it and react
  // accordingly.
  string credential_rp_id = 8;
}

// WebauthnLocalAuth holds settings necessary for local webauthn use.
message WebauthnLocalAuth {
  // UserID is the random user handle generated for the user.
  // See https://www.w3.org/TR/webauthn-2/#sctn-user-handle-privacy.
  bytes UserID = 1 [(gogoproto.jsontag) = "user_id,omitempty"];
}

// ConnectorRef holds information about OIDC connector
message ConnectorRef {
  // Type is connector type
  string Type = 1 [(gogoproto.jsontag) = "type"];
  // ID is connector ID
  string ID = 2 [(gogoproto.jsontag) = "id"];
  // Identity is external identity of the user
  string Identity = 3 [(gogoproto.jsontag) = "identity"];
}

// UserRef holds references to user
message UserRef {
  // Name is name of the user
  string Name = 1 [(gogoproto.jsontag) = "name"];
}

// ReverseTunnelV2 is version 2 of the resource spec of the reverse tunnel
message ReverseTunnelV2 {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is a resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a reverse tunnel specification
  ReverseTunnelSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ReverseTunnelSpecV2 is a specification for V2 reverse tunnel
message ReverseTunnelSpecV2 {
  // ClusterName is a domain name of remote cluster we are connecting to
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"];
  // DialAddrs is a list of remote address to establish a connection to
  // it's always SSH over TCP
  repeated string DialAddrs = 2 [(gogoproto.jsontag) = "dial_addrs,omitempty"];
  // Type is the type of reverse tunnel, either proxy or node.
  string Type = 3 [
    (gogoproto.jsontag) = "type",
    (gogoproto.casttype) = "TunnelType"
  ];
}

// TunnelConnectionV2 is version 2 of the resource spec of the tunnel connection
message TunnelConnectionV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is a resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a tunnel specification
  TunnelConnectionSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// TunnelConnectionSpecV2 is a specification for V2 tunnel connection
message TunnelConnectionSpecV2 {
  // ClusterName is a name of the cluster
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"];
  // ProxyName is the name of the proxy server
  string ProxyName = 2 [(gogoproto.jsontag) = "proxy_name"];
  // LastHeartbeat is a time of the last heartbeat
  google.protobuf.Timestamp LastHeartbeat = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "last_heartbeat,omitempty"
  ];
  // Type is the type of reverse tunnel, either proxy or node.
  string Type = 4 [
    (gogoproto.jsontag) = "type",
    (gogoproto.casttype) = "TunnelType"
  ];
}

// SemaphoreFilter encodes semaphore filtering params.
// A semaphore filter matches a semaphore if all nonzero fields
// match the corresponding semaphore fields (e.g. a filter which
// specifies only `kind=foo` would match all semaphores of
// kind `foo`).
message SemaphoreFilter {
  // SemaphoreKind is the kind of the semaphore.
  string SemaphoreKind = 1 [(gogoproto.jsontag) = "kind"];
  // SemaphoreName is the name of the semaphore.
  string SemaphoreName = 2 [(gogoproto.jsontag) = "name"];
}

// AcquireSemaphoreRequest holds semaphore lease acquisition parameters.
message AcquireSemaphoreRequest {
  // SemaphoreKind is the kind of the semaphore.
  string SemaphoreKind = 1 [(gogoproto.jsontag) = "kind"];
  // SemaphoreName is the name of the semaphore.
  string SemaphoreName = 2 [(gogoproto.jsontag) = "name"];
  // MaxLeases is the maximum number of concurrent leases.  If acquisition
  // would cause more than MaxLeases to exist, acquisition must fail.
  int64 MaxLeases = 3 [(gogoproto.jsontag) = "max_resources"];
  // Expires is the time at which this lease expires.
  google.protobuf.Timestamp Expires = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];
  // Holder identifies the entity holding the lease.
  string Holder = 5 [(gogoproto.jsontag) = "holder"];
}

// SemaphoreLease represents lease acquired for semaphore
message SemaphoreLease {
  // SemaphoreKind is the kind of the semaphore.
  string SemaphoreKind = 1 [(gogoproto.jsontag) = "kind"];
  // SemaphoreName is the name of the semaphore.
  string SemaphoreName = 2 [(gogoproto.jsontag) = "name"];
  // LeaseID uniquely identifies this lease.
  string LeaseID = 3 [(gogoproto.jsontag) = "lease_id"];
  // Expires is the time at which this lease expires.
  google.protobuf.Timestamp Expires = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];
}

// SemaphoreLeaseRef identifies an existent lease.
message SemaphoreLeaseRef {
  // LeaseID is the unique ID of the lease.
  string LeaseID = 1 [(gogoproto.jsontag) = "lease_id"];
  // Expires is the time at which the lease expires.
  google.protobuf.Timestamp Expires = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];
  // Holder identifies the lease holder.
  string Holder = 3 [(gogoproto.jsontag) = "holder"];
}

// SemaphoreV3 implements Semaphore interface
message SemaphoreV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is Semaphore metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a lease V3 spec
  SemaphoreSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// SemaphoreSpecV3 contains the data about lease
message SemaphoreSpecV3 {
  // Leases is a list of all currently acquired leases.
  repeated SemaphoreLeaseRef Leases = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "leases"
  ];
}

// WebSessionV2 represents an application or UI web session.
message WebSessionV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is a resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a tunnel specification.
  WebSessionSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// WebSessionSpecV2 is a specification for web session.
message WebSessionSpecV2 {
  // User is the identity of the user to which the web session belongs.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Pub is the SSH certificate for the user.
  bytes Pub = 2 [(gogoproto.jsontag) = "pub"];
  // Priv is the SSH private key for the user.
  bytes Priv = 3 [(gogoproto.jsontag) = "priv,omitempty"];
  // TLSCert is the TLS certificate for the user.
  bytes TLSCert = 4 [(gogoproto.jsontag) = "tls_cert,omitempty"];
  // BearerToken is a token that is paired with the session cookie for
  // authentication. It is periodically rotated so a stolen cookie itself
  // is not enough to steal a session. In addition it is used for CSRF
  // mitigation.
  string BearerToken = 5 [(gogoproto.jsontag) = "bearer_token"];
  // BearerTokenExpires is the absolute time when the token expires.
  google.protobuf.Timestamp BearerTokenExpires = 6 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "bearer_token_expires"
  ];
  // Expires is the absolute time when the session expires.
  google.protobuf.Timestamp Expires = 7 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];
  // LoginTime is the time this user recently logged in.
  google.protobuf.Timestamp LoginTime = 8 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "login_time"
  ];
  // IdleTimeout is the max time a user can be inactive in a session.
  int64 IdleTimeout = 9 [
    (gogoproto.jsontag) = "idle_timeout",
    (gogoproto.casttype) = "Duration"
  ];
  // ConsumedAccessRequestID is the ID of the access request from which additional roles to assume
  // were obtained.
  string ConsumedAccessRequestID = 10 [(gogoproto.jsontag) = "consumed_access_request_id,omitempty"];
  // SAMLSession is data associated with a SAML IdP session.
  SAMLSessionData SAMLSession = 11 [(gogoproto.jsontag) = "saml_session,omitempty"];
}

// WebSessionFilter encodes cache watch parameters for filtering web sessions.
message WebSessionFilter {
  // User is the username to filter web sessions for.
  string User = 1 [(gogoproto.jsontag) = "user"];
}

// SAMLSessionData contains data for a SAML session.
// Based on crewjam/saml's session object: https://github.com/crewjam/saml/blob/main/identity_provider.go
message SAMLSessionData {
  // ID is the identifier for the SAML session.
  string ID = 1 [(gogoproto.jsontag) = "id"];
  // CreateTime is the time that the session was created.
  google.protobuf.Timestamp CreateTime = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "create_time"
  ];
  // ExpireTime is the time that the session will expire.
  google.protobuf.Timestamp ExpireTime = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expire_time"
  ];
  // Index is the session index that allows the IdP to uniquely identify a session.
  string Index = 4 [(gogoproto.jsontag) = "index"];

  // NameID an identifier for the session.
  string NameID = 5 [(gogoproto.jsontag) = "name_id"];
  // NameIDFormat is the format of the Name ID.
  string NameIDFormat = 6 [(gogoproto.jsontag) = "name_id_format"];
  // SubjectID is the identifier for the subject of the session.
  string SubjectID = 7 [(gogoproto.jsontag) = "subject_id"];

  // Groups is a list of groups that the user has access to.
  repeated string Groups = 8 [(gogoproto.jsontag) = "groups"];
  // UserName is the user's name.
  string UserName = 9 [(gogoproto.jsontag) = "user_name"];
  // UserEmail is the user's e-mail.
  string UserEmail = 10 [(gogoproto.jsontag) = "user_email"];
  // UserCommonName is the user's common name.
  string UserCommonName = 11 [(gogoproto.jsontag) = "user_common_name"];
  // UserSurname is the user's surname.
  string UserSurname = 12 [(gogoproto.jsontag) = "user_surname"];
  // UserGivenName is the user's given name.
  string UserGivenName = 13 [(gogoproto.jsontag) = "user_given_name"];
  // UserScopedAffiliation is the user's scoped affiliation.
  string UserScopedAffiliation = 14 [(gogoproto.jsontag) = "user_scoped_affiliation"];

  // CustomAttributes are any custom attributes associated with the request.
  repeated SAMLAttribute CustomAttributes = 15 [(gogoproto.jsontag) = "custom_attributes"];
}

// SAMLAttribute contains an attribute name and associated values.
// Defined in http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
message SAMLAttribute {
  // FriendlyName is a user readable name for the attribute.
  string FriendlyName = 1 [(gogoproto.jsontag) = "friendly_name"];
  // Name is a full name for the attribute, typically an OID value.
  string Name = 2 [(gogoproto.jsontag) = "name"];
  // NameFormat is the format of the name.
  string NameFormat = 3 [(gogoproto.jsontag) = "name_format"];
  // Values is a list of attribute values.
  repeated SAMLAttributeValue Values = 4 [(gogoproto.jsontag) = "values"];
}

// SAMLAttributeValues contains a type, value, and an associated name ID block.
// Defined in http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
message SAMLAttributeValue {
  // Type is the type of value this attribute represents.
  string Type = 1 [(gogoproto.jsontag) = "type"];
  // Value is the value of the attribute.
  string Value = 2 [(gogoproto.jsontag) = "value"];
  // NameID is a more restrictive identifier for the attribute value.
  SAMLNameID NameID = 3 [(gogoproto.jsontag) = "name_id,omitempty"];
}

// SAMLNameID is a more restrictive identifier for an object in SAML.
// Defined in http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
message SAMLNameID {
  // NameQualifier is the domain that qualifies the identifier.
  string NameQualifier = 1 [(gogoproto.jsontag) = "name_qualifier"];
  // SPNameQualifier qualifies the identifier with the name of the service provider.
  string SPNameQualifier = 2 [(gogoproto.jsontag) = "sp_name_qualifier"];
  // Format is the format of the identifier.
  string Format = 3 [(gogoproto.jsontag) = "format"];
  // SPProvidedID is an identifier established by the service provider.
  string SPProvidedID = 4 [(gogoproto.jsontag) = "sp_provider_id"];
  // Value is the value of the name ID.
  string Value = 5 [(gogoproto.jsontag) = "value"];
}

// RemoteClusterV3 represents remote cluster resource specification
message RemoteClusterV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is resource API version
  string Version = 3 [(gogoproto.jsontag) = "version"];

  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Status is a remote cluster status
  RemoteClusterStatusV3 Status = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "status"
  ];
}

// RemoteClusterStatusV3 represents status of the remote cluster
message RemoteClusterStatusV3 {
  // Connection represents connection status, online or offline
  string Connection = 1 [(gogoproto.jsontag) = "connection"];

  // LastHeartbeat records last heartbeat of the cluster
  google.protobuf.Timestamp LastHeartbeat = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "last_heartbeat"
  ];
}

// KubernetesCluster is a named kubernetes API endpoint handled by a Server.
//
// TODO: deprecate and convert all usage to KubernetesClusterV3
message KubernetesCluster {
  // Name is the name of this kubernetes cluster.
  string Name = 1 [(gogoproto.jsontag) = "name"];

  // StaticLabels is map of static labels associated with this cluster.
  // Used for RBAC.
  map<string, string> StaticLabels = 2 [(gogoproto.jsontag) = "static_labels,omitempty"];
  // DynamicLabels is map of dynamic labels associated with this cluster.
  // Used for RBAC.
  map<string, CommandLabelV2> DynamicLabels = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty"
  ];
}

// KubernetesClusterV3 represents a named kubernetes API endpoint.
message KubernetesClusterV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is the cluster resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the resource spec.
  KubernetesClusterSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// KubernetesClusterSpecV3 is a specification for a Kubernetes cluster.
message KubernetesClusterSpecV3 {
  // DynamicLabels are the cluster's dynamic labels.
  map<string, CommandLabelV2> DynamicLabels = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty"
  ];
  // Kubeconfig is the kubeconfig file payload that grants access to the cluster.
  // If multiple contexts are specified, the first will be selected.
  bytes Kubeconfig = 2 [(gogoproto.jsontag) = "kubeconfig,omitempty"];
  // Azure holds the required Azure information for Teleport to access the cluster.
  KubeAzure Azure = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "azure,omitempty"
  ];
  // AWS holds the required AWS information for Teleport to access the cluster.
  KubeAWS AWS = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "aws,omitempty"
  ];
  // GCP holds the required GCP information for Teleport to access the cluster.
  KubeGCP GCP = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "gcp,omitempty"
  ];
}

// KubeAzure contains the Azure information about the cluster.
message KubeAzure {
  // ResourceName is the AKS cluster name.
  string ResourceName = 1 [(gogoproto.jsontag) = "resource_name,omitempty"];
  // ResourceGroup is the Azure resource group name.
  string ResourceGroup = 2 [(gogoproto.jsontag) = "resource_group,omitempty"];
  // TenantID is the AKS cluster Tenant ID.
  string TenantID = 3 [(gogoproto.jsontag) = "tenant_id,omitempty"];
  // SubscriptionID is the AKS cluster SubscriptionID.
  string SubscriptionID = 4 [(gogoproto.jsontag) = "subscription_id,omitempty"];
}

// KubeAWS contains the AWS information about the cluster.
message KubeAWS {
  // Region is a AWS cloud region.
  string Region = 1 [(gogoproto.jsontag) = "region,omitempty"];
  // AccountID is a AWS Account ID.
  string AccountID = 2 [(gogoproto.jsontag) = "account_id,omitempty"];
  // Name is a AWS EKS cluster name.
  string Name = 3 [(gogoproto.jsontag) = "name,omitempty"];
}

// KubeGCP contains the GCP information about the cluster.
message KubeGCP {
  // Location is a GKE cluster location.
  string Location = 1 [(gogoproto.jsontag) = "location,omitempty"];
  // ProjectID is the GKE Project ID.
  string ProjectID = 2 [(gogoproto.jsontag) = "project_id,omitempty"];
  // Name is a GCP GKE cluster name.
  string Name = 3 [(gogoproto.jsontag) = "name,omitempty"];
}

// KubernetesClusterV3List represents a list of kubernetes clusters.
message KubernetesClusterV3List {
  // KubernetesClusters is a list of kubernetes clusters resources.
  repeated KubernetesClusterV3 KubernetesClusters = 1;
}

// KubernetesServerV3 represents a Kubernetes server.
message KubernetesServerV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;
  // Kind is the Kubernetes server resource kind. Always "kube_server".
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the Kubernetes server metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the Kubernetes server spec.
  KubernetesServerSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// KubernetesServerSpecV3 is the Kubernetes server spec.
message KubernetesServerSpecV3 {
  // Version is the Teleport version that the server is running.
  string Version = 1 [(gogoproto.jsontag) = "version"];
  // Hostname is the Kubernetes server hostname.
  string Hostname = 2 [(gogoproto.jsontag) = "hostname"];
  // HostID is the Kubernetes server host uuid.
  string HostID = 3 [(gogoproto.jsontag) = "host_id"];
  // Rotation contains the Kubernetes server CA rotation information.
  Rotation Rotation = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // Cluster is a Kubernetes Cluster proxied by this Kubernetes server.
  KubernetesClusterV3 Cluster = 5 [(gogoproto.jsontag) = "cluster"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 6 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}

// WebTokenV3 describes a web token. Web tokens are used as a transport to relay bearer tokens
// to the client.
// Initially bound to a web session, these have been factored out into a separate resource to
// enable separate lifecycle management.
message WebTokenV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is resource metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec defines the web token
  WebTokenSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// WebTokenSpecV3 is a unique time-limited token bound to a user's web session
message WebTokenSpecV3 {
  // User specifies the user the token is bound to.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Token specifies the token's value.
  string Token = 2 [(gogoproto.jsontag) = "token"];
}

// GetWebSessionRequest describes a request to query a web session
message GetWebSessionRequest {
  // User specifies the user the web session is for.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // SessionID specifies the web session ID.
  string SessionID = 2 [(gogoproto.jsontag) = "session_id"];
}

// DeleteWebSessionRequest describes a request to delete a web session
message DeleteWebSessionRequest {
  // User specifies the user the session is bound to
  string User = 1 [(gogoproto.jsontag) = "user"];
  // SessionID specifies the web session ID to delete.
  string SessionID = 2 [(gogoproto.jsontag) = "session_id"];
}

// GetWebTokenRequest describes a request to query a web token
message GetWebTokenRequest {
  // User specifies the user the token is for.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Token specifies the token to get.
  string Token = 2 [(gogoproto.jsontag) = "token"];
}

// DeleteWebTokenRequest describes a request to delete a web token
message DeleteWebTokenRequest {
  // User specifies the user the token is for.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Token specifies the token to delete.
  string Token = 2 [(gogoproto.jsontag) = "token"];
}

// ResourceRequest is a request relating to a named resource.
message ResourceRequest {
  // Name is the name of the resource.
  string Name = 1 [(gogoproto.jsontag) = "name"];
}

// ResourceWithSecretsRequest is a request relating to a named resource with secrets.
message ResourceWithSecretsRequest {
  // Name is the name of the resource.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // WithSecrets specifies whether to load associated secrets.
  bool WithSecrets = 2 [(gogoproto.jsontag) = "with_secrets,omitempty"];
}

// ResourcesWithSecretsRequest is a request relating to resources with secrets.
message ResourcesWithSecretsRequest {
  // WithSecrets specifies whether to load associated secrets.
  bool WithSecrets = 1 [(gogoproto.jsontag) = "with_secrets,omitempty"];
}

// ResourcesInNamespaceRequest is a request relating to a named resource in the given namespace.
message ResourceInNamespaceRequest {
  // Name is the name of the resource.
  string Name = 1;
  // Namespace is the namespace of resources.
  string Namespace = 2;
}

// ResourcesInNamespaceRequest is a request relating to resources in the given namespace.
message ResourcesInNamespaceRequest {
  // Namespace is the namespace of resources.
  string Namespace = 1;
}

// OIDCConnectorV3 represents an OIDC connector.
message OIDCConnectorV3 {
  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata holds resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an OIDC connector specification.
  OIDCConnectorSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// OIDCConnectorV3List is a list of OIDC connectors.
message OIDCConnectorV3List {
  // OIDCConnectors is a list of OIDC connectors.
  repeated OIDCConnectorV3 OIDCConnectors = 1;
}

// OIDCConnectorSpecV3 is an OIDC connector specification.
//
// It specifies configuration for Open ID Connect compatible external
// identity provider: https://openid.net/specs/openid-connect-core-1_0.html
message OIDCConnectorSpecV3 {
  reserved 4;

  // IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
  string IssuerURL = 1 [(gogoproto.jsontag) = "issuer_url"];
  // ClientID is the id of the authentication client (Teleport Auth server).
  string ClientID = 2 [(gogoproto.jsontag) = "client_id"];
  // ClientSecret is used to authenticate the client.
  string ClientSecret = 3 [(gogoproto.jsontag) = "client_secret"];
  // ACR is an Authentication Context Class Reference value. The meaning of the ACR
  // value is context-specific and varies for identity providers.
  string ACR = 5 [(gogoproto.jsontag) = "acr_values,omitempty"];
  // Provider is the external identity provider.
  string Provider = 6 [(gogoproto.jsontag) = "provider,omitempty"];
  // Display is the friendly name for this provider.
  string Display = 7 [(gogoproto.jsontag) = "display,omitempty"];
  // Scope specifies additional scopes set by provider.
  repeated string Scope = 8 [(gogoproto.jsontag) = "scope,omitempty"];
  // Prompt is an optional OIDC prompt. An empty string omits prompt.
  // If not specified, it defaults to select_account for backwards compatibility.
  string Prompt = 9 [(gogoproto.jsontag) = "prompt,omitempty"];
  // ClaimsToRoles specifies a dynamic mapping from claims to roles.
  repeated ClaimMapping ClaimsToRoles = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "claims_to_roles,omitempty"
  ];
  // GoogleServiceAccountURI is a path to a google service account uri.
  string GoogleServiceAccountURI = 11 [(gogoproto.jsontag) = "google_service_account_uri,omitempty"];
  // GoogleServiceAccount is a string containing google service account credentials.
  string GoogleServiceAccount = 12 [(gogoproto.jsontag) = "google_service_account,omitempty"];
  // GoogleAdminEmail is the email of a google admin to impersonate.
  string GoogleAdminEmail = 13 [(gogoproto.jsontag) = "google_admin_email,omitempty"];
  // RedirectURLs is a list of callback URLs which the identity provider can use
  // to redirect the client back to the Teleport Proxy to complete authentication.
  // This list should match the URLs on the provider's side. The URL used for a
  // given auth request will be chosen to match the requesting Proxy's public
  // address. If there is no match, the first url in the list will be used.
  wrappers.StringValues RedirectURLs = 14 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "redirect_url",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Strings"
  ];
  // AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
  bool AllowUnverifiedEmail = 15 [(gogoproto.jsontag) = "allow_unverified_email,omitempty"];
  // UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.
  string UsernameClaim = 16 [(gogoproto.jsontag) = "username_claim,omitempty"];
}

// OIDCAuthRequest is a request to authenticate with OIDC
// provider, the state about request is managed by auth server
message OIDCAuthRequest {
  // ConnectorID is ID of OIDC connector this request uses
  string ConnectorID = 1 [(gogoproto.jsontag) = "connector_id"];

  // Type is opaque string that helps callbacks identify the request type
  string Type = 2 [(gogoproto.jsontag) = "type"];

  // CheckUser tells validator if it should expect and check user
  bool CheckUser = 3 [(gogoproto.jsontag) = "check_user"];

  // StateToken is generated by service and is used to validate
  // request coming from
  string StateToken = 4 [(gogoproto.jsontag) = "state_token"];

  // CSRFToken is associated with user web session token
  string CSRFToken = 5 [(gogoproto.jsontag) = "csrf_token"];

  // RedirectURL will be used to route the user back to a
  // Teleport Proxy after the oidc login attempt in the browser.
  string RedirectURL = 6 [(gogoproto.jsontag) = "redirect_url"];

  // PublicKey is an optional public key, users want these
  // keys to be signed by auth servers user CA in case
  // of successful auth
  bytes PublicKey = 7 [(gogoproto.jsontag) = "public_key"];

  // CertTTL is the TTL of the certificate user wants to get
  int64 CertTTL = 8 [
    (gogoproto.jsontag) = "cert_ttl",
    (gogoproto.casttype) = "time.Duration"
  ];

  // CreateWebSession indicates if user wants to generate a web
  // session after successful authentication
  bool CreateWebSession = 9 [(gogoproto.jsontag) = "create_web_session"];

  // ClientRedirectURL is a URL client wants to be redirected
  // after successful authentication
  string ClientRedirectURL = 10 [(gogoproto.jsontag) = "client_redirect_url"];

  // Compatibility specifies OpenSSH compatibility flags.
  string Compatibility = 11 [(gogoproto.jsontag) = "compatibility,omitempty"];

  // RouteToCluster is the name of Teleport cluster to issue credentials for.
  string RouteToCluster = 12 [(gogoproto.jsontag) = "route_to_cluster,omitempty"];

  // KubernetesCluster is the name of Kubernetes cluster to issue credentials for.
  string KubernetesCluster = 13 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];

  // SSOTestFlow indicates if the request is part of the test flow.
  bool SSOTestFlow = 14 [(gogoproto.jsontag) = "sso_test_flow"];

  // ConnectorSpec is embedded connector spec for use in test flow.
  OIDCConnectorSpecV3 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];

  // ProxyAddress is an optional address which can be used to
  // find a redirect url from the OIDC connector which matches
  // the address. If there is no match, the default redirect
  // url will be used.
  string ProxyAddress = 16 [(gogoproto.jsontag) = "proxy_address,omitempty"];

  // attestation_statement is an attestation statement for the given public key.
  teleport.attestation.v1.AttestationStatement attestation_statement = 17 [(gogoproto.jsontag) = "attestation_statement,omitempty"];

  // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates.
  string ClientLoginIP = 18 [(gogoproto.jsontag) = "client_login_ip,omitempty"];
}

// SAMLConnectorV2 represents a SAML connector.
message SAMLConnectorV2 {
  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata holds resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an SAML connector specification.
  SAMLConnectorSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// SAMLConnectorV2List is a list of SAML connectors.
message SAMLConnectorV2List {
  // SAMLConnectors is a list of SAML connectors.
  repeated SAMLConnectorV2 SAMLConnectors = 1;
}

// SAMLConnectorSpecV2 is a SAML connector specification.
message SAMLConnectorSpecV2 {
  // Issuer is the identity provider issuer.
  string Issuer = 1 [(gogoproto.jsontag) = "issuer"];
  // SSO is the URL of the identity provider's SSO service.
  string SSO = 2 [(gogoproto.jsontag) = "sso"];
  // Cert is the identity provider certificate PEM.
  // IDP signs <Response> responses using this certificate.
  string Cert = 3 [(gogoproto.jsontag) = "cert"];
  // Display controls how this connector is displayed.
  string Display = 4 [(gogoproto.jsontag) = "display"];
  // AssertionConsumerService is a URL for assertion consumer service
  // on the service provider (Teleport's side).
  string AssertionConsumerService = 5 [(gogoproto.jsontag) = "acs"];
  // Audience uniquely identifies our service provider.
  string Audience = 6 [(gogoproto.jsontag) = "audience"];
  // ServiceProviderIssuer is the issuer of the service provider (Teleport).
  string ServiceProviderIssuer = 7 [(gogoproto.jsontag) = "service_provider_issuer"];
  // EntityDescriptor is XML with descriptor. It can be used to supply configuration
  // parameters in one XML file rather than supplying them in the individual elements.
  string EntityDescriptor = 8 [(gogoproto.jsontag) = "entity_descriptor"];
  // EntityDescriptorURL is a URL that supplies a configuration XML.
  string EntityDescriptorURL = 9 [(gogoproto.jsontag) = "entity_descriptor_url"];
  // AttributesToRoles is a list of mappings of attribute statements to roles.
  repeated AttributeMapping AttributesToRoles = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "attributes_to_roles"
  ];
  // SigningKeyPair is an x509 key pair used to sign AuthnRequest.
  AsymmetricKeyPair SigningKeyPair = 11 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "signing_key_pair,omitempty"
  ];
  // Provider is the external identity provider.
  string Provider = 12 [(gogoproto.jsontag) = "provider,omitempty"];
  // EncryptionKeyPair is a key pair used for decrypting SAML assertions.
  AsymmetricKeyPair EncryptionKeyPair = 13 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "assertion_key_pair,omitempty"
  ];
  // AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated
  // logins.
  bool AllowIDPInitiated = 14 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "allow_idp_initiated,omitempty"
  ];
}

// SAMLAuthRequest is a request to authenticate with SAML
// provider, the state about request is managed by auth server.
message SAMLAuthRequest {
  // ID is a unique request ID.
  string ID = 1 [(gogoproto.jsontag) = "id"];

  // ConnectorID is ID of OIDC connector this request uses.
  string ConnectorID = 2 [(gogoproto.jsontag) = "connector_id"];

  // Type is opaque string that helps callbacks identify the request type.
  string Type = 3 [(gogoproto.jsontag) = "type"];

  // CheckUser tells validator if it should expect and check user.
  bool CheckUser = 4 [(gogoproto.jsontag) = "check_user"];

  // RedirectURL will be used by browser.
  string RedirectURL = 5 [(gogoproto.jsontag) = "redirect_url"];

  // PublicKey is an optional public key, users want these
  // keys to be signed by auth servers user CA in case
  // of successful auth.
  bytes PublicKey = 6 [(gogoproto.jsontag) = "public_key"];

  // CertTTL is the TTL of the certificate user wants to get.
  int64 CertTTL = 7 [
    (gogoproto.jsontag) = "cert_ttl",
    (gogoproto.casttype) = "time.Duration"
  ];

  // CSRFToken is associated with user web session token.
  string CSRFToken = 8 [(gogoproto.jsontag) = "csrf_token"];

  // CreateWebSession indicates if user wants to generate a web
  // session after successful authentication.
  bool CreateWebSession = 9 [(gogoproto.jsontag) = "create_web_session"];

  // ClientRedirectURL is a URL client wants to be redirected
  // after successful authentication.
  string ClientRedirectURL = 10 [(gogoproto.jsontag) = "client_redirect_url"];

  // Compatibility specifies OpenSSH compatibility flags.
  string Compatibility = 11 [(gogoproto.jsontag) = "compatibility,omitempty"];

  // RouteToCluster is the name of Teleport cluster to issue credentials for.
  string RouteToCluster = 12 [(gogoproto.jsontag) = "route_to_cluster,omitempty"];

  // KubernetesCluster is the name of Kubernetes cluster to issue credentials for.
  string KubernetesCluster = 13 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];

  // SSOTestFlow indicates if the request is part of the test flow.
  bool SSOTestFlow = 14 [(gogoproto.jsontag) = "sso_test_flow"];

  // ConnectorSpec is embedded connector spec for use in test flow.
  SAMLConnectorSpecV2 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];

  // attestation_statement is an attestation statement for the given public key.
  teleport.attestation.v1.AttestationStatement attestation_statement = 16 [(gogoproto.jsontag) = "attestation_statement,omitempty"];

  // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates.
  string ClientLoginIP = 17 [(gogoproto.jsontag) = "client_login_ip,omitempty"];
}

// AttributeMapping maps a SAML attribute statement to teleport roles.
message AttributeMapping {
  // Name is an attribute statement name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // Value is an attribute statement value to match.
  string Value = 2 [(gogoproto.jsontag) = "value"];
  // Roles is a list of static teleport roles to map to.
  repeated string Roles = 3 [(gogoproto.jsontag) = "roles,omitempty"];
}

// AsymmetricKeyPair is a combination of a public certificate and
// private key that can be used for encryption and signing.
message AsymmetricKeyPair {
  // PrivateKey is a PEM encoded x509 private key.
  string PrivateKey = 1 [(gogoproto.jsontag) = "private_key"];
  // Cert is a PEM-encoded x509 certificate.
  string Cert = 2 [(gogoproto.jsontag) = "cert"];
}

// GithubConnectorV3 represents a Github connector.
message GithubConnectorV3 {
  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata holds resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is an Github connector specification.
  GithubConnectorSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// GithubConnectorV3List is a list of Github connectors.
message GithubConnectorV3List {
  // GithubConnectors is a list of Github connectors.
  repeated GithubConnectorV3 GithubConnectors = 1;
}

// GithubConnectorSpecV3 is a Github connector specification.
message GithubConnectorSpecV3 {
  // ClientID is the Github OAuth app client ID.
  string ClientID = 1 [(gogoproto.jsontag) = "client_id"];
  // ClientSecret is the Github OAuth app client secret.
  string ClientSecret = 2 [(gogoproto.jsontag) = "client_secret"];
  // RedirectURL is the authorization callback URL.
  string RedirectURL = 3 [(gogoproto.jsontag) = "redirect_url"];
  // TeamsToLogins maps Github team memberships onto allowed logins/roles.
  //
  // DELETE IN 11.0.0
  // Deprecated: use GithubTeamsToRoles instead.
  repeated TeamMapping TeamsToLogins = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "teams_to_logins"
  ];
  // Display is the connector display name.
  string Display = 5 [(gogoproto.jsontag) = "display"];
  // TeamsToRoles maps Github team memberships onto allowed roles.
  repeated TeamRolesMapping TeamsToRoles = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "teams_to_roles"
  ];
  // EndpointURL is the URL of the GitHub instance this connector is for.
  string EndpointURL = 7 [(gogoproto.jsontag) = "endpoint_url"];
  // APIEndpointURL is the URL of the API endpoint of the Github instance
  // this connector is for.
  string APIEndpointURL = 8 [(gogoproto.jsontag) = "api_endpoint_url"];
}

// GithubAuthRequest is the request to start Github OAuth2 flow.
message GithubAuthRequest {
  // ConnectorID is the name of the connector to use.
  string ConnectorID = 1 [(gogoproto.jsontag) = "connector_id"];
  // Type is opaque string that helps callbacks identify the request type.
  string Type = 2 [(gogoproto.jsontag) = "type"];
  // StateToken is used to validate the request.
  string StateToken = 3 [(gogoproto.jsontag) = "state_token"];
  // CSRFToken is used to protect against CSRF attacks.
  string CSRFToken = 4 [(gogoproto.jsontag) = "csrf_token"];
  // PublicKey is an optional public key to sign in case of successful auth.
  bytes PublicKey = 5 [(gogoproto.jsontag) = "public_key"];
  // CertTTL is TTL of the cert that's generated in case of successful auth.
  int64 CertTTL = 6 [
    (gogoproto.jsontag) = "cert_ttl",
    (gogoproto.casttype) = "time.Duration"
  ];
  // CreateWebSession indicates that a user wants to generate a web session
  // after successful authentication.
  bool CreateWebSession = 7 [(gogoproto.jsontag) = "create_web_session"];
  // RedirectURL will be used by browser.
  string RedirectURL = 8 [(gogoproto.jsontag) = "redirect_url"];
  // ClientRedirectURL is the URL where client will be redirected after
  // successful auth.
  string ClientRedirectURL = 9 [(gogoproto.jsontag) = "client_redirect_url"];
  // Compatibility specifies OpenSSH compatibility flags.
  string Compatibility = 10 [(gogoproto.jsontag) = "compatibility,omitempty"];
  // Expires is a global expiry time header can be set on any resource in the system.
  google.protobuf.Timestamp Expires = 11 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
  // RouteToCluster is the name of Teleport cluster to issue credentials for.
  string RouteToCluster = 12 [(gogoproto.jsontag) = "route_to_cluster,omitempty"];
  // KubernetesCluster is the name of Kubernetes cluster to issue credentials for.
  string KubernetesCluster = 13 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];
  // SSOTestFlow indicates if the request is part of the test flow.
  bool SSOTestFlow = 14 [(gogoproto.jsontag) = "sso_test_flow"];
  // ConnectorSpec is embedded connector spec for use in test flow.
  GithubConnectorSpecV3 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];
  // attestation_statement is an attestation statement for the given public key.
  teleport.attestation.v1.AttestationStatement attestation_statement = 16 [(gogoproto.jsontag) = "attestation_statement,omitempty"];
  // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates.
  string ClientLoginIP = 17 [(gogoproto.jsontag) = "client_login_ip,omitempty"];
}

// SSOWarnings conveys a user-facing main message along with auxiliary warnings.
message SSOWarnings {
  // Message is main user-facing message to be shown.
  string Message = 1 [(gogoproto.jsontag) = "message,omitempty"];
  // Warnings is a set of distinct warnings to be reported.
  repeated string Warnings = 2 [(gogoproto.jsontag) = "warnings,omitempty"];
}

// CreateUserParams represents the user creation parameters as called during SSO login flow.
message CreateUserParams {
  // ConnectorName is the name of the connector used for SSO login flow.
  string ConnectorName = 1 [(gogoproto.jsontag) = "connector_name,omitempty"];
  // Username is the name of the user to be created.
  string Username = 2 [(gogoproto.jsontag) = "username,omitempty"];
  // Logins is a list of available unix logins.
  repeated string Logins = 3 [(gogoproto.jsontag) = "logins,omitempty"];
  // KubeGroups is a list of assigned kube groups.
  repeated string KubeGroups = 4 [(gogoproto.jsontag) = "kube_groups,omitempty"];
  // KubeUsers is a list of available kube users.
  repeated string KubeUsers = 5 [(gogoproto.jsontag) = "kube_users,omitempty"];
  // Roles is a list of assigned roles.
  repeated string Roles = 6 [(gogoproto.jsontag) = "roles,omitempty"];

  // Traits is the set of traits the user is assigned.
  wrappers.LabelValues Traits = 7 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "traits,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // SessionTTL determines the TTL.
  int64 SessionTTL = 8 [
    (gogoproto.jsontag) = "session_ttl,omitempty",
    (gogoproto.casttype) = "Duration"
  ];
}

// SSODiagnosticInfo is a single SSO diagnostic info entry.
message SSODiagnosticInfo {
  // TestFlow indicates the SSO flow was a test one.
  bool TestFlow = 1 [(gogoproto.jsontag) = "test_flow"];

  // Error stores user-friendly error message.
  string Error = 2 [(gogoproto.jsontag) = "error"];

  // Success if present, marks the flow as finished with success.
  bool Success = 3 [(gogoproto.jsontag) = "success"];

  // CreateUserParams represents the user creation parameters as called during SSO login flow.
  CreateUserParams CreateUserParams = 4 [(gogoproto.jsontag) = "create_user_params,omitempty"];

  // SAMLAttributesToRoles represents mapping from attributes to roles, as used during SAML SSO
  // login flow.
  repeated AttributeMapping SAMLAttributesToRoles = 10 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "saml_attributes_to_roles,omitempty"
  ];

  // SAMLAttributesToRolesWarnings contains warnings produced during the process of mapping the
  // SAML attributes to roles.
  SSOWarnings SAMLAttributesToRolesWarnings = 11 [(gogoproto.jsontag) = "saml_attributes_to_roles_warnings,omitempty"];

  // SAMLAttributeStatements represents SAML attribute statements.
  wrappers.LabelValues SAMLAttributeStatements = 12 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "saml_attribute_statements,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // SAMLAssertionInfo represents raw SAML assertion info as returned by IdP during SAML flow.
  wrappers.CustomType SAMLAssertionInfo = 13 [
    (gogoproto.jsontag) = "saml_assertion_info,omitempty",
    (gogoproto.customtype) = "AssertionInfo"
  ];

  // SAMLTraitsFromAssertions represents traits translated from SAML assertions.
  wrappers.LabelValues SAMLTraitsFromAssertions = 14 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "saml_traits_from_assertions,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // SAMLConnectorTraitMapping represents connector-specific trait mapping.
  repeated TraitMapping SAMLConnectorTraitMapping = 15 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "saml_connector_trait_mapping,omitempty"
  ];

  // OIDCClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
  repeated ClaimMapping OIDCClaimsToRoles = 20 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "oidc_claims_to_roles,omitempty"
  ];

  // OIDCClaimsToRolesWarnings contains warnings produced during the process of mapping the
  // OIDC claims to roles.
  SSOWarnings OIDCClaimsToRolesWarnings = 21 [(gogoproto.jsontag) = "oidc_claims_to_roles_warnings,omitempty"];

  // OIDCClaims represents OIDC claims.
  wrappers.CustomType OIDCClaims = 22 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "oidc_claims,omitempty",
    (gogoproto.customtype) = "OIDCClaims"
  ];

  // OIDCIdentity represents mapped OIDC Identity.
  wrappers.CustomType OIDCIdentity = 23 [
    (gogoproto.jsontag) = "oidc_identity,omitempty",
    (gogoproto.customtype) = "OIDCIdentity"
  ];

  // OIDCTraitsFromClaims represents traits translated from OIDC claims.
  wrappers.LabelValues OIDCTraitsFromClaims = 24 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "oidc_traits_from_claims,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // OIDCConnectorTraitMapping represents connector-specific trait mapping.
  repeated TraitMapping OIDCConnectorTraitMapping = 25 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "oidc_connector_trait_mapping,omitempty"
  ];

  // GithubClaims represents Github user information obtained during OAuth2 flow.
  GithubClaims GithubClaims = 30 [(gogoproto.jsontag) = "github_claims,omitempty"];

  // GithubTeamsToLogins is TeamsToLogins mapping from Github connector used in the SSO flow.
  repeated TeamMapping GithubTeamsToLogins = 31 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "github_teams_to_logins,omitempty"
  ];

  // GithubTeamsToRoles is TeamRolesMapping mapping from Github connector used in the SSO flow.
  repeated TeamRolesMapping GithubTeamsToRoles = 32 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "github_teams_to_roles,omitempty"
  ];

  // GithubTokenInfo stores diagnostic info about Github OAuth2 token obtained during SSO flow.
  GithubTokenInfo GithubTokenInfo = 33 [(gogoproto.jsontag) = "github_token_info,omitempty"];

  // AppliedLoginRules stores the name of each login rule that was applied.
  repeated string AppliedLoginRules = 34 [(gogoproto.jsontag) = "applied_login_rules,omitempty"];
}

// GithubTokenInfo stores diagnostic info about Github OAuth2 token obtained during SSO flow.
// The token itself is secret and therefore not included.
message GithubTokenInfo {
  string TokenType = 1 [(gogoproto.jsontag) = "token_type"];
  int64 Expires = 2 [(gogoproto.jsontag) = "expires"];
  string Scope = 3 [(gogoproto.jsontag) = "scope"];
}

// GithubClaims represents Github user information obtained during OAuth2 flow
message GithubClaims {
  // Username is the user's username
  string Username = 1 [(gogoproto.jsontag) = "username"];

  // OrganizationToTeams is the user's organization and team membership
  wrappers.LabelValues OrganizationToTeams = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "organization_to_teams",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];

  // Teams is the users team membership
  repeated string Teams = 3 [(gogoproto.jsontag) = "teams"];
}

// TeamMapping represents a single team membership mapping.
//
// DELETE IN 11.0.0
message TeamMapping {
  // Organization is a Github organization a user belongs to.
  string Organization = 1 [(gogoproto.jsontag) = "organization"];
  // Team is a team within the organization a user belongs to.
  string Team = 2 [(gogoproto.jsontag) = "team"];
  // Logins is a list of allowed logins for this org/team.
  repeated string Logins = 3 [(gogoproto.jsontag) = "logins,omitempty"];
  // KubeGroups is a list of allowed kubernetes groups for this org/team.
  repeated string KubeGroups = 4 [(gogoproto.jsontag) = "kubernetes_groups,omitempty"];
  // KubeUsers is a list of allowed kubernetes users to impersonate for this org/team.
  repeated string KubeUsers = 5 [(gogoproto.jsontag) = "kubernetes_users,omitempty"];
}

// TeamRolesMapping represents a single team membership mapping.
message TeamRolesMapping {
  // Organization is a Github organization a user belongs to.
  string Organization = 1 [(gogoproto.jsontag) = "organization"];
  // Team is a team within the organization a user belongs to.
  string Team = 2 [(gogoproto.jsontag) = "team"];
  // Roles is a list of allowed logins for this org/team.
  repeated string Roles = 3 [(gogoproto.jsontag) = "roles,omitempty"];
}

// TrustedClusterV2 represents a Trusted Cluster.
message TrustedClusterV2 {
  option (gogoproto.goproto_stringer) = false;
  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata holds resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a Trusted Cluster specification.
  TrustedClusterSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// TrustedClusterV2List is a list of trusted cluster.
message TrustedClusterV2List {
  // TrustedClusters is a list of trusted cluster.
  repeated TrustedClusterV2 TrustedClusters = 1;
}

// TrustedClusterSpecV2 is a Trusted Cluster specification.
message TrustedClusterSpecV2 {
  // Enabled is a bool that indicates if the TrustedCluster is enabled or disabled.
  // Setting Enabled to false has a side effect of deleting the user and host certificate
  // authority (CA).
  bool Enabled = 1 [(gogoproto.jsontag) = "enabled"];
  // Roles is a list of roles that users will be assuming when connecting to this cluster.
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles,omitempty"];
  // Token is the authorization token provided by another cluster needed by this cluster to join.
  string Token = 3 [(gogoproto.jsontag) = "token"];
  // ProxyAddress is the address of the web proxy server of the cluster to join. If not set,
  // it is derived from <metadata.name>:<default web proxy server port>.
  string ProxyAddress = 4 [(gogoproto.jsontag) = "web_proxy_addr"];
  // ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If
  // not set, it is derived from <metadata.name>:<default reverse tunnel port>.
  string ReverseTunnelAddress = 5 [(gogoproto.jsontag) = "tunnel_addr"];
  // RoleMap specifies role mappings to remote roles.
  repeated RoleMapping RoleMap = 6 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "role_map,omitempty"
  ];
}

// LockV2 represents a lock.
// Locks are used to restrict access to a Teleport environment by disabling
// interactions involving a user, an RBAC role, a node, etc.
// See rfd/0009-locking.md for more details.
message LockV2 {
  // Kind is a resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is a resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata holds resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is a Lock specification.
  LockSpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// LockSpecV2 is a Lock specification.
message LockSpecV2 {
  // Target describes the set of interactions that the lock applies to.
  LockTarget Target = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "target"
  ];
  // Message is the message displayed to locked-out users.
  string Message = 2 [(gogoproto.jsontag) = "message,omitempty"];
  // Expires if set specifies when the lock ceases to be in force.
  google.protobuf.Timestamp Expires = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
}

// LockTarget lists the attributes of interactions to be disabled.
message LockTarget {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // User specifies the name of a Teleport user.
  string User = 1 [(gogoproto.jsontag) = "user,omitempty"];

  // Role specifies the name of an RBAC role known to the root cluster.
  // In remote clusters, this constraint is evaluated before translating to local roles.
  string Role = 2 [(gogoproto.jsontag) = "role,omitempty"];

  // Login specifies the name of a local UNIX user.
  string Login = 3 [(gogoproto.jsontag) = "login,omitempty"];

  // Node specifies the UUID of a Teleport node.
  // A matching node is also prevented from heartbeating to the auth server.
  // DEPRECATED: use ServerID instead.
  string Node = 4 [
    deprecated = true,
    (gogoproto.jsontag) = "node,omitempty"
  ];

  // MFADevice specifies the UUID of a user MFA device.
  string MFADevice = 5 [(gogoproto.jsontag) = "mfa_device,omitempty"];

  // WindowsDesktop specifies the name of a Windows desktop.
  string WindowsDesktop = 6 [(gogoproto.jsontag) = "windows_desktop,omitempty"];

  // AccessRequest specifies the UUID of an access request.
  string AccessRequest = 7 [(gogoproto.jsontag) = "access_request,omitempty"];

  // Device is the device ID of a trusted device.
  // Requires Teleport Enterprise.
  string Device = 8 [(gogoproto.jsontag) = "device,omitempty"];

  // ServerID is the host id of the Teleport instance.
  string ServerID = 9 [(gogoproto.jsontag) = "server_id,omitempty"];
}

// AddressCondition represents a set of addresses. Presently the addresses are specified
// exclusively in terms of IPv4/IPv6 ranges.
message AddressCondition {
  // CIDR is IPv4 or IPv6 address. Valid value are either CIDR ranges (e.g. "10.0.1.0/24",
  // "fe::/8") or a single IP address (e.g "10.1.2.3")
  string CIDR = 1 [(gogoproto.jsontag) = "cidr"];
}

message NetworkRestrictionsSpecV4 {
  // Allow lists the addresses that should be allowed.
  repeated AddressCondition Allow = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "allow"
  ];
  // Deny lists the addresses that should be denied even if they're allowed by Allow condition.
  repeated AddressCondition Deny = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "deny"
  ];
}

// NetworkRestrictions specifies a list of addresses to restrict (block). The deny
// list is checked first and the allow lists overrides it. Thus an empty allow
// list does not mean that no addresses will be allowed, that will only be the
// case if the deny list covers the whole address range.
message NetworkRestrictionsV4 {
  // Kind is the network restrictions resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the network restrictions metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec contains the network restrictions data
  NetworkRestrictionsSpecV4 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// WindowsDesktopServiceV3 represents a windows desktop access service.
message WindowsDesktopServiceV3 {
  // Header is the common resource header.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the windows desktop service spec.
  WindowsDesktopServiceSpecV3 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// WindowsDesktopServiceSpecV3 is the windows desktop service spec.
message WindowsDesktopServiceSpecV3 {
  // Addr is the address that this service can be reached at.
  string Addr = 1 [(gogoproto.jsontag) = "addr"];
  // TeleportVersion is teleport binary version running this service.
  string TeleportVersion = 2 [(gogoproto.jsontag) = "teleport_version"];
  // Hostname is the desktop service hostname.
  string Hostname = 3 [(gogoproto.jsontag) = "hostname"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 4 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}

// WindowsDesktopFilter are filters to apply when searching for windows desktops.
message WindowsDesktopFilter {
  // HostID is the ID of the host the Windows Desktop Service proxying the desktop.
  string HostID = 1 [(gogoproto.jsontag) = "host_id"];
  // Name is the name of the desktop.
  string Name = 2 [(gogoproto.jsontag) = "name"];
}

// WindowsDesktopV3 represents a Windows host for desktop access.
message WindowsDesktopV3 {
  // Header is the common resource header.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the Windows host spec.
  WindowsDesktopSpecV3 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// WindowsDesktopSpecV3 is the Windows host spec.
message WindowsDesktopSpecV3 {
  // Addr is the address that this host can be reached at.
  string Addr = 1 [(gogoproto.jsontag) = "addr"];
  // Domain is the ActiveDirectory domain that this host belongs to.
  string Domain = 2 [(gogoproto.jsontag) = "domain"];
  // HostID is the ID of the host the Windows Desktop Service proxying the desktop.
  string HostID = 3 [(gogoproto.jsontag) = "host_id"];
  // NonAD marks this desktop as a standalone host that is
  // not joined to an Active Directory domain.
  bool NonAD = 4 [(gogoproto.jsontag) = "non_ad"];
}

// RegisterUsingTokenRequest is a request to register with the auth server using
// an authentication token
message RegisterUsingTokenRequest {
  // HostID is a unique host ID, usually a UUID
  string HostID = 1 [(gogoproto.jsontag) = "hostID"];
  // NodeName is a node name
  string NodeName = 2 [(gogoproto.jsontag) = "node_name"];
  // Role is a system role, e.g. Proxy
  string Role = 3 [
    (gogoproto.jsontag) = "role",
    (gogoproto.casttype) = "SystemRole"
  ];
  // Token is the name of an authentication token
  string Token = 4 [(gogoproto.jsontag) = "token"];
  // AdditionalPrincipals is a list of additional principals
  repeated string AdditionalPrincipals = 5 [(gogoproto.jsontag) = "additional_principals"];
  // DNSNames is a list of DNS names to include in the x509 client certificate
  repeated string DNSNames = 6 [(gogoproto.jsontag) = "dns_names"];
  // PublicTLSKey is a PEM encoded public key
  // used for TLS setup
  bytes PublicTLSKey = 7 [(gogoproto.jsontag) = "public_tls_key"];
  // PublicSSHKey is a SSH encoded public key,
  // if present will be signed as a return value
  // otherwise, new public/private key pair will be generated
  bytes PublicSSHKey = 8 [(gogoproto.jsontag) = "public_ssh_key"];
  // RemoteAddr is the remote address of the host requesting a host certificate.
  // It is used to replace 0.0.0.0 in the list of additional principals.
  string RemoteAddr = 9 [(gogoproto.jsontag) = "remote_addr"];
  // EC2IdentityDocument is used for the EC2 join method to prove the identity
  // of a joining EC2 instance.
  bytes EC2IdentityDocument = 10 [(gogoproto.jsontag) = "ec2_id"];
  // IDToken is a token provided by a workload identity provider as part of
  // OIDC join types such as GitHub.
  string IDToken = 11 [(gogoproto.jsontag) = "id_token"];
  // Expires is a desired time of the expiry of user certificates returned by
  // registration. This only applies to bot joining, and will be ignored by
  // node joining.
  google.protobuf.Timestamp Expires = 12 [
    (gogoproto.stdtime) = true,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
}

// RecoveryCodes holds a user's recovery code information. Recovery codes allows users to regain
// access to their account by restoring their lost password or second factor. Once a recovery code
// is successfully verified, the code is mark used (which invalidates it), and lets the user begin
// the recovery flow. When a user successfully finishes the recovery flow, users will get a new set
// of codes that will replace all the previous ones.
message RecoveryCodesV1 {
  // Kind is the resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind. Currently unused for this resource.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the resource spec.
  RecoveryCodesSpecV1 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// RecoveryCodesSpecV1 is the recovery codes spec.
message RecoveryCodesSpecV1 {
  // Codes hold a list of numOfRecoveryCodes.
  repeated RecoveryCode Codes = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "codes"
  ];
  // Created is when the set of recovery codes were generated. Updated when a new set of recovery
  // codes are inserted.
  google.protobuf.Timestamp Created = 2 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created"
  ];
}

// RecoveryCode describes a recovery code.
message RecoveryCode {
  // HashedCode is a bcrypt hash of this recovery code.
  bytes HashedCode = 1 [(gogoproto.jsontag) = "hashed_code"];
  // IsUsed determines if this recovery code was used.
  bool IsUsed = 2 [(gogoproto.jsontag) = "is_used"];
}

message NullableSessionState {
  SessionState State = 1 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "state,omitempty"
  ];
}

// SessionTrackerFilter are filters to apply when searching for session trackers.
message SessionTrackerFilter {
  // Kind describes what kind of session this is.
  string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
  // State is the current state of this session.
  NullableSessionState State = 2 [
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "state,omitempty"
  ];
  // DesktopName is the windows desktop server this session belongs to.
  string DesktopName = 3 [(gogoproto.jsontag) = "desktop_name,omitempty"];
}

// SessionTrackerV1 represents a live session resource.
message SessionTrackerV1 {
  // Header is the common resource header.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];

  // Spec is a session specification.
  SessionTrackerSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// SessionTrackerSpecV1 is the specification for a live session.
message SessionTrackerSpecV1 {
  // SessionID is unique identifier of this session.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id,omitempty"];

  // Kind describes what kind of session this is.
  string Kind = 2 [(gogoproto.jsontag) = "kind,omitempty"];

  // State is the current state of this session.
  SessionState State = 3 [(gogoproto.jsontag) = "state,omitempty"];

  // Created encodes the time at which the session was registered with the auth
  // server.
  //
  // This should match the timestamp in the corresponding `session.create` event.
  // It's thus up to the tracker creator to set the correct timestamp.
  google.protobuf.Timestamp Created = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "created,omitempty"
  ];

  // Expires encodes the time at which this session expires and becomes invalid.
  google.protobuf.Timestamp Expires = 5 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires,omitempty"
  ];

  // AttachedData is arbitrary attached JSON serialized metadata.
  string AttachedData = 6 [(gogoproto.jsontag) = "attached,omitempty"];

  // Reason is an arbitrary string that may be used to describe the session and/or it's
  // purpose.
  string Reason = 7 [(gogoproto.jsontag) = "reason,omitempty"];

  // Invited is a list of invited users, this field is interpreted by different
  // clients on a best-effort basis and used for delivering notifications to invited users.
  repeated string Invited = 8 [(gogoproto.jsontag) = "invited,omitempty"];

  // Hostname identifies the target this session is connected to.
  string Hostname = 9 [(gogoproto.jsontag) = "target_hostname,omitempty"];

  // Address is the address of the target this session is connected to.
  string Address = 10 [(gogoproto.jsontag) = "target_address,omitempty"];

  // ClusterName is the name of the Teleport cluster that this session belongs to.
  string ClusterName = 11 [(gogoproto.jsontag) = "cluster_name,omitempty"];

  // Login is the local login/user on the target used by the session.
  string Login = 12 [(gogoproto.jsontag) = "login,omitempty"];

  // Participants is a list of session participants.
  repeated Participant Participants = 13 [
    (gogoproto.jsontag) = "participants,omitempty",
    (gogoproto.nullable) = false
  ];

  // The Kubernetes cluster this session belongs to.
  string KubernetesCluster = 14 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];

  // HostUser is the user regarded as the owner of this session, RBAC checks are performed
  // against the require policies of this user.
  //
  // This refers to the Teleport user but may not be the same as the sessions initiator.
  string HostUser = 15 [(gogoproto.jsontag) = "host_user,omitempty"];

  // HostPolicies is a list of RBAC policy sets held by the host user at the time of session
  // creation.
  repeated SessionTrackerPolicySet HostPolicies = 16 [(gogoproto.jsontag) = "host_roles,omitempty"];

  // DatabaseName is the database server this session belongs to.
  string DatabaseName = 17 [(gogoproto.jsontag) = "database_name,omitempty"];

  // AppName is the app server this session belongs to.
  string AppName = 18 [(gogoproto.jsontag) = "app_name,omitempty"];

  // AppSessionID is the unique ID of the app access certificate used to start this app session.
  string AppSessionID = 19 [(gogoproto.jsontag) = "app_session_id,omitempty"];

  // DesktopName is the windows desktop server this session belongs to.
  string DesktopName = 20 [(gogoproto.jsontag) = "desktop_name,omitempty"];
}

// SessionTrackerPolicySet is a set of RBAC policies held by the session tracker
// that contain additional metadata from the originating role.
message SessionTrackerPolicySet {
  // Name is name of the role this policy set originates from.
  string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];

  // Version is version of the role this policy set originates from.
  string Version = 2 [(gogoproto.jsontag) = "version,omitempty"];

  // RequireSessionJoin specifies policies for required users to start a session.
  repeated SessionRequirePolicy RequireSessionJoin = 3 [(gogoproto.jsontag) = "require_session_join,omitempty"];
}

// Participant stores information about a participant in the session.
message Participant {
  // ID is a unique UUID of this participant for a given session.
  string ID = 1 [(gogoproto.jsontag) = "id,omitempty"];

  // User is the canonical name of the Teleport user controlling this participant.
  string User = 2 [(gogoproto.jsontag) = "user,omitempty"];

  // Mode is the participant mode.
  string Mode = 3 [(gogoproto.jsontag) = "mode,omitempty"];

  // LastActive is the last time this party was active in the session.
  google.protobuf.Timestamp LastActive = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "last_active,omitempty"
  ];
}

// UIConfigV1 represents the configuration for the web UI served by the proxy service
message UIConfigV1 {
  // Header is the resource header for the UI configuration.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the resource spec.
  UIConfigSpecV1 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// UIConfigSpecV1 is the specification for a UIConfig
message UIConfigSpecV1 {
  int32 ScrollbackLines = 1 [(gogoproto.jsontag) = "scrollback_lines"];
}

// InstallerV1 represents an installer script resource. Used to
// provide a script to install teleport on discovered nodes.
message InstallerV1 {
  // Kind is the resource kind.
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind. Currently unused for this resource.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the resource metadata.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the resource spec.
  InstallerSpecV1 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// InstallerSpecV1 is the specification for an Installer
message InstallerSpecV1 {
  // Script represents the contents of a installer shell script
  string Script = 1 [(gogoproto.jsontag) = "script"];
}

// InstallerV1List represents a list of installer resources.
message InstallerV1List {
  // Installers is a list of installer resources.
  repeated InstallerV1 installers = 1;
}

// SessionState represents the state of a session.
enum SessionState {
  // Pending variant represents a session that is waiting on participants to fulfill the criteria
  // to start the session.
  SessionStatePending = 0;

  // Running variant represents a session that has had it's criteria for starting
  // fulfilled at least once and has transitioned to a RUNNING state.
  SessionStateRunning = 1;

  // Terminated variant represents a session that is no longer running and due for removal.
  SessionStateTerminated = 2;
}

// SortBy defines a sort criteria.
message SortBy {
  // IsDesc is a sort direction flag where if true the direction is descending, else ascending.
  bool IsDesc = 1 [(gogoproto.jsontag) = "is_desc"];
  // Field is the name of an objects field to sort by.
  string Field = 2 [(gogoproto.jsontag) = "field"];
}

// ConnectionDiagnosticV1 is the result of testing a connection.
// When setting up a new resource in Teleport, it's useful to know if we can connect to it.
// This can be done using the test connection feature.
// The user can then receive the result as feedback using the UI
message ConnectionDiagnosticV1 {
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the resource spec.
  ConnectionDiagnosticSpecV1 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ConnectionDiagnosticSpecV1 is the ConnectionDiagnostic Spec.
// It contains the result of testing a connection.
// It has the overall result of the connection and then a list of traces.
// Each trace contains checkpoints of the connection attempt and its result.
message ConnectionDiagnosticSpecV1 {
  // Success describes whether the connection was a success or a failure.
  bool Success = 1 [(gogoproto.jsontag) = "success"];
  // Message may contain some user friendly message to let the user know whether it was
  // successful or a failure.
  string Message = 2 [(gogoproto.jsontag) = "message"];
  // Traces contain a list of checkpoints defined by
  repeated ConnectionDiagnosticTrace Traces = 3 [(gogoproto.jsontag) = "traces"];
}

// ConnectionDiagnosticTrace describes a trace of a connection diagnostic
message ConnectionDiagnosticTrace {
  // TraceType is an identification of the checkpoint.
  enum TraceType {
    TRACE_TYPE_UNSPECIFIED = 0;
    // UNKNOWN_ERROR is used when we don't know the error.
    // It's not always possible to offer guidance based on the received error.
    // This trace type should be used when the error is too generic given the context we
    // have.
    UNKNOWN_ERROR = 1;
    // RBAC_NODE is for RBAC checks for the node.
    RBAC_NODE = 2;
    // CONNECTIVITY is for network connectivity checks.
    CONNECTIVITY = 3;
    // RBAC_PRINCIPAL is used when checking if the principal is allowed per RBAC rules.
    RBAC_PRINCIPAL = 4;
    // NODE_PRINCIPAL is used when checking if the Node has the requested principal.
    NODE_PRINCIPAL = 5;
    // RBAC_KUBE is for RBAC checks to kubernetes the cluster.
    RBAC_KUBE = 6;
    // KUBE_PRINCIPAL is used when checking if the Kube Cluster has at least one user principals.
    KUBE_PRINCIPAL = 7;
    // RBAC_DATABASE is for RBAC checks to database access (db_labels).
    RBAC_DATABASE = 8;
    // RBAC_DATABASE_LOGIN is for RBAC checks to database login (db_name and db_user).
    RBAC_DATABASE_LOGIN = 9;
    // DATABASE_DB_USER is used when checking whether the Database has the requested Database User.
    DATABASE_DB_USER = 10;
    // DATABASE_DB_NAME is used when checking whether the Database has the requested Database Name.
    DATABASE_DB_NAME = 11;
  }
  TraceType Type = 1 [(gogoproto.jsontag) = "type"];
  // StatusType describes whether this was a success or a failure.
  enum StatusType {
    STATUS_UNSPECIFIED = 0;
    SUCCESS = 1;
    FAILED = 2;
  }
  StatusType Status = 2 [(gogoproto.jsontag) = "status"];
  // Details contains a User friendly message of the check's result.
  string Details = 3 [(gogoproto.jsontag) = "details"];
  // Error contains the low level error message in case of a failure.
  string Error = 4 [(gogoproto.jsontag) = "error"];
}

// DatabaseServiceV1 is the representation of a DatabaseService (agent) process.
message DatabaseServiceV1 {
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the resource spec.
  DatabaseServiceSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// DatabaseServiceSpecV1 is the DatabaseService Spec.
message DatabaseServiceSpecV1 {
  // ResourceMatchers is the configured match for Database resources.
  repeated DatabaseResourceMatcher ResourceMatchers = 1 [(gogoproto.jsontag) = "resources"];
}

// DatabaseResourceMatcher is a set of properties that is used to match on resources.
message DatabaseResourceMatcher {
  wrappers.LabelValues Labels = 1 [
    (gogoproto.jsontag) = "labels",
    (gogoproto.customtype) = "Labels"
  ];
}

// AlertSeverity represents how problematic/urgent an alert is, and is used to assist
// in sorting alerts for display.
enum AlertSeverity {
  LOW = 0;
  MEDIUM = 5;
  HIGH = 10;
}

// ClusterAlert is a cluster-level alert message.
message ClusterAlert {
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  ClusterAlertSpec Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// ClusterAlertSpec is a cluster alert specification.
message ClusterAlertSpec {
  // Severity represents how problematic/urgent the alert is.
  AlertSeverity Severity = 1 [(gogoproto.jsontag) = "severity"];
  // Message is the user-facing message associated with the alert.
  string Message = 2 [(gogoproto.jsontag) = "message"];
  // Created is the time at which the alert was generated.
  google.protobuf.Timestamp Created = 3 [
    (gogoproto.jsontag) = "created,omitempty",
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];
}

// GetClusterAlertsRequest matches cluster alerts.
message GetClusterAlertsRequest {
  // Severity is an optional minimum severity.
  AlertSeverity Severity = 1;
  // AlertID optionally specifies the ID of the alert being requested.
  string AlertID = 2;
  // Labels is an optional label selector.
  map<string, string> Labels = 3;
  // WithSuperseded includes superseded alerts in the output of the request.
  bool WithSuperseded = 4;
  // WithAcknowledged includes acknowledged alerts in the output of the request.
  bool WithAcknowledged = 5;
  // WithUntargeted requests that alerts be included even if they are not specifically
  // targeted toward the caller. This has no effect unless the caller has `cluster_alert:list`.
  bool WithUntargeted = 6;
}

// AlertAcknowledgement marks a cluster alert as having been "acknowledged".
// This causes the alert to no longer be displayed in 'tsh login', UI banners,
// etc. Acknowledgements must have an expiry and a message describing why the
// alert can be considered acknowledged.
message AlertAcknowledgement {
  // AlertID is the ID of the alert being acknowledged.
  string AlertID = 1 [(gogoproto.jsontag) = "alert_id,omitempty"];
  // Reason describes the reason why the alert can be considered
  // acknowledged (e.g. 'alice will fix next week').
  string Reason = 2 [(gogoproto.jsontag) = "reason,omitempty"];

  // 3 is reserved for the previously used alert acknowledgement "severity"
  reserved 3;
  reserved "Severity";

  // Expires is the time after which the acknowledgement expires.
  google.protobuf.Timestamp Expires = 4 [
    (gogoproto.jsontag) = "expires,omitempty",
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];
}

// Release correspond to a Teleport Enterprise releases
message Release {
  // NotesMD is the notes of the release in markdown
  string NotesMD = 1 [(gogoproto.jsontag) = "notes_md"];
  // Product is the release product, teleport or teleport-ent
  string Product = 2 [(gogoproto.jsontag) = "product"];
  // ReleaseID is the ID of the product
  string ReleaseID = 3 [(gogoproto.jsontag) = "release_id"];
  // Status is the status of the release
  string Status = 4 [(gogoproto.jsontag) = "status"];
  // Version is the version of the release
  string Version = 5 [(gogoproto.jsontag) = "version"];
  // Assets is a list of assets related to the release
  repeated Asset Assets = 6 [(gogoproto.jsontag) = "assets"];
}

// Asset represents a release asset
message Asset {
  // Arch is the architecture of the asset
  string Arch = 1 [(gogoproto.jsontag) = "arch"];
  // Description is the description of the asset
  string Description = 2 [(gogoproto.jsontag) = "description"];
  // Name is the name of the asset
  string Name = 3 [(gogoproto.jsontag) = "name"];
  // OS is which OS the asset is built for
  string OS = 4 [(gogoproto.jsontag) = "os"];
  // SHA256 is the sha256 of the asset
  string SHA256 = 5 [(gogoproto.jsontag) = "sha256"];
  // Size is the size of the release in bytes
  int64 AssetSize = 6 [(gogoproto.jsontag) = "asset_size"];
  // DisplaySize is the human-readable size of the asset
  string DisplaySize = 7 [(gogoproto.jsontag) = "display_size"];
  // ReleaseIDs is a list of releases that have the asset included
  repeated string ReleaseIDs = 8 [(gogoproto.jsontag) = "release_ids"];
  // PublicURL is the public URL used to download the asset
  string PublicURL = 9 [(gogoproto.jsontag) = "public_url"];
}

// RequireMFAType is a type of MFA requirement enforced outside of login,
// such as per-session MFA or per-request PIV touch.
enum RequireMFAType {
  // OFF means additional MFA enforcement is not enabled.
  OFF = 0;
  // SESSION means MFA is required to begin server sessions.
  SESSION = 1;
  // SESSION_AND_HARDWARE_KEY means MFA is required to begin server sessions,
  // and login sessions must use a private key backed by a hardware key.
  SESSION_AND_HARDWARE_KEY = 2;
  // HARDWARE_KEY_TOUCH means login sessions must use a hardware private key that
  // requires touch to be used. This touch requirement applies to all API requests
  // rather than only session requests. This touch is different from MFA, so to prevent
  // requiring double touch on session requests, normal Session MFA is disabled.
  HARDWARE_KEY_TOUCH = 3;
}

// Plugin describes a single instance of a Teleport Plugin
message PluginV1 {
  // kind is the plugin resource kind.
  string kind = 1;
  // sub_kind is an optional resource subkind.
  string sub_kind = 2;
  // version is the resource version.
  string version = 3;

  // metadata is the resource metadata.
  Metadata metadata = 4 [(gogoproto.nullable) = false];

  PluginSpecV1 spec = 5 [(gogoproto.nullable) = false];

  PluginStatusV1 status = 6 [(gogoproto.nullable) = false];

  // credentials are "live" credentials to the 3rd party API.
  // These are considered secrets.
  PluginCredentialsV1 credentials = 7;
}

message PluginSpecV1 {
  option (gogoproto.equal) = true;

  // settings contain provider-specific plugin options.
  oneof settings {
    // Settings for the Slack access plugin
    PluginSlackAccessSettings slack_access_plugin = 1;
    // Settings for OpenAI plugin
    PluginOpenAISettings openai = 3;
  }
}

message PluginSlackAccessSettings {
  option (gogoproto.equal) = true;

  string fallback_channel = 1;
}

// Defines settings for the OpenAI plugin. Currently there are no settings.
message PluginOpenAISettings {
  option (gogoproto.equal) = true;
}

message PluginBootstrapCredentialsV1 {
  oneof credentials {
    PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1;
    PluginBearerTokenCredentials bearer_token = 2;
  }
}

message PluginOAuth2AuthorizationCodeCredentials {
  string authorization_code = 1;
  string redirect_uri = 2;
}

// PluginStatus is the user-facing status for the plugin instance.
message PluginStatusV1 {
  PluginStatusCode code = 1;
}

enum PluginStatusCode {
  // UNKNOWN is the default value when the plugin has not reported its status yet.
  UNKNOWN = 0;
  // RUNNING means the plugin reports running successfully.
  RUNNING = 1;
  // OTHER_ERROR indicates that an otherwise-unspecified error has been encountered.
  OTHER_ERROR = 2;
  // UNAUTHORIZED indicates that plugin is not able to authenticate to the 3rd party API.
  // This could be a result of e.g. the user revoking the authorization on the API provider's side.
  UNAUTHORIZED = 3;

  // SLACK_NOT_IN_CHANNEL is a Slack-specific status code that indicates
  // that the bot has not been invited to a channel that it is configured to post in.
  SLACK_NOT_IN_CHANNEL = 10;
}

// PluginCredentialsV1 represents "live" credentials
// that are used by the plugin to authenticate to the 3rd party API.
message PluginCredentialsV1 {
  oneof credentials {
    PluginOAuth2AccessTokenCredentials oauth2_access_token = 1;
    PluginBearerTokenCredentials bearer_token = 2;
  }
}

message PluginOAuth2AccessTokenCredentials {
  string access_token = 1;
  string refresh_token = 2;
  google.protobuf.Timestamp expires = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];
}

message PluginBearerTokenCredentials {
  // Token is the literal bearer token to be submitted to the 3rd-party API provider.
  string token = 1;

  reserved 2; // token_file
  reserved "token_file";
}

// PluginList represents a list of plugin resources
message PluginListV1 {
  // Plugins is a list of plugin resources.
  repeated PluginV1 plugins = 1;
}

// SAMLIdPServiceProviderV1 is the representation of a SAML IdP service provider.
message SAMLIdPServiceProviderV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Header is the resource header for the SAML IdP service provider.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
  // Spec is the SAML IdP service provider spec.
  SAMLIdPServiceProviderSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// SAMLIdPServiceProviderSpecV1 is the SAMLIdPServiceProviderV1 resource spec.
message SAMLIdPServiceProviderSpecV1 {
  // EntityDescriptor is the entity descriptor for the service provider
  string EntityDescriptor = 1 [(gogoproto.jsontag) = "entity_descriptor"];
  // EntityID is the entity ID for the entity descriptor. This ID is checked that it matches
  // the entity ID in the entity descriptor at upsert time to avoid having to parse the
  // XML blob in the entity descriptor every time we need to use this resource.
  string EntityID = 2 [(gogoproto.jsontag) = "entity_id"];
}

// IdPOptions specify options related to access Teleport IdPs.
message IdPOptions {
  // SAML are options related to the Teleport SAML IdP.
  IdPSAMLOptions SAML = 1 [(gogoproto.jsontag) = "saml"];
}

// IdPSAMLOptions specifies options related to accessing the Teleport SAML IdP.
message IdPSAMLOptions {
  // Enabled is set to true if this option allows access to the Teleport SAML IdP.
  BoolValue Enabled = 1 [
    (gogoproto.jsontag) = "enabled",
    (gogoproto.customtype) = "BoolOption"
  ];
}

// KubernetesResourceV1 represents a Kubernetes resource.
message KubernetesResourceV1 {
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is KubernetesResourceV1 metadata
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec contains the Kubernetes resource data.
  KubernetesResourceSpecV1 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// KubernetesResourceSpecV1 is the Kubernetes resource spec.
message KubernetesResourceSpecV1 {
  // Namespace is the resource namespace.
  string Namespace = 1 [(gogoproto.jsontag) = "namespace"];
}

// UserGroupV1 is a representation of an externally sourced user group.
message UserGroupV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Header is the resource header for the user group.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];
}

// OktaImportRuleSpecV1 is a Okta import rule specification.
message OktaImportRuleSpecV1 {
  // Priority represents the priority of the rule application. Lower numbered rules will be applied first.
  int32 Priority = 1 [(gogoproto.jsontag) = "priority"];
  // Mappings is a list of matches that will map match conditions to labels.
  repeated OktaImportRuleMappingV1 Mappings = 2 [(gogoproto.jsontag) = "mappings"];
}

// OktaImportRuleMappingV1 is a list of matches that map match rules to labels.
message OktaImportRuleMappingV1 {
  // Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.
  repeated OktaImportRuleMatchV1 Match = 1 [(gogoproto.jsontag) = "match"];
  // AddLabels specifies which labels to add if any of the previous matches match.
  map<string, string> AddLabels = 2 [(gogoproto.jsontag) = "add_labels"];
}

// OktaImportRuleV1 is a representation of labeling rules for importing of Okta objects.
message OktaImportRuleV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Header is the resource header for the SAML IdP service provider.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];

  // Spec is the specification for the Okta import rule.
  OktaImportRuleSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// OktaImportRuleMatchV1 is a match rule for a mapping.
message OktaImportRuleMatchV1 {
  // AppIDs is a list of app IDs to match against.
  repeated string AppIDs = 1 [(gogoproto.jsontag) = "app_ids,omitempty"];
  // GroupIDs is a list of group IDs to match against.
  repeated string GroupIDs = 2 [(gogoproto.jsontag) = "group_ids,omitempty"];
}

// OktaAssignmentV1 is a representation of an action or set of actions taken by Teleport to assign Okta users to applications or groups.
message OktaAssignmentV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Header is the resource header for the Okta assignment.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];

  // Spec is the specification for the Okta assignment.
  OktaAssignmentSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// OktaAssignmentSpecV1 is a Okta assignment specification.
message OktaAssignmentSpecV1 {
  // User is the user that these actions will be applied to.
  string User = 1 [(gogoproto.jsontag) = "user"];
  // Targets is a list of Okta targets to take on a user.
  repeated OktaAssignmentTargetV1 Targets = 2 [(gogoproto.jsontag) = "targets"];
  // CleanupTime is an optional field that notes when the assignment should be cleaned up.
  // If absent, the assignment will never be cleaned up.
  google.protobuf.Timestamp CleanupTime = 3 [
    (gogoproto.jsontag) = "cleanup_time",
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];

  // Status is the status of the assignment.
  OktaAssignmentStatus status = 4 [(gogoproto.jsontag) = "status"];

  // OktaAssignmentStatus represents the status of an Okta assignment.
  enum OktaAssignmentStatus {
    // UNKNOWN indicates the status is not set.
    UNKNOWN = 0;
    // PENDING indicates the action has not yet been applied.
    PENDING = 1;
    // PROCESSSING indicates that the assignment is being applied.
    PROCESSING = 2;
    // SUCCESSFUL indicates the action was applied successfully.
    SUCCESSFUL = 3;
    // FAILED indicates the action was not applied successfully. It will be retried.
    FAILED = 4;
  }

  // LastTransition is an optional field that notes when the last state transition
  // occurred for this action. If absent, this object has never transitioned.
  google.protobuf.Timestamp LastTransition = 5 [
    (gogoproto.jsontag) = "last_transition",
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false
  ];

  // Finalized is set when the assignment has been properly cleaned up.
  bool Finalized = 6 [(gogoproto.jsontag) = "finalized"];
}

// OktaAssignmentTargetV1 is a target of an Okta assignment.
message OktaAssignmentTargetV1 {
  // OktaAssignmentTargetType is the type of Okta object that an assignment is targeting.
  enum OktaAssignmentTargetType {
    // UNKNOWN indicates the target is unknown.
    UNKNOWN = 0;
    // APPLICATION indicates the target is an application.
    APPLICATION = 1;
    // GROUP indicates the target is a group.
    GROUP = 2;
  }

  // Type is the type of Okta resource this assignment is targeting.
  OktaAssignmentTargetType type = 1 [(gogoproto.jsontag) = "type"];
  // ID is the ID of the Okta resource that's being targeted.
  string id = 2 [(gogoproto.jsontag) = "id"];
}

// IntegrationV1 represents a connection between Teleport and some other 3rd party system.
// This connection allows API access to that service from Teleport.
// Each Integration instance must have a SubKind defined which identifies the external system.
message IntegrationV1 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;

  // Header is the resource header.
  ResourceHeader Header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "",
    (gogoproto.embed) = true
  ];

  // Spec is an Integration specification.
  IntegrationSpecV1 Spec = 2 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}

// IntegrationSpecV1 contains properties of all the supported integrations.
message IntegrationSpecV1 {
  oneof SubKindSpec {
    // AWSOIDC contains the specific fields to handle the AWS OIDC Integration subkind
    AWSOIDCIntegrationSpecV1 AWSOIDC = 1 [(gogoproto.jsontag) = "aws_oidc,omitempty"];
  }
}

// AWSOIDCIntegrationSpecV1 contains the spec properties for the AWS OIDC SubKind Integration.
message AWSOIDCIntegrationSpecV1 {
  // RoleARN contains the Role ARN used to set up the Integration.
  // This is the AWS Role that Teleport will use to issue tokens for API Calls.
  string RoleARN = 1 [(gogoproto.jsontag) = "role_arn,omitempty"];
}

// HeadlessAuthentication holds data for an ongoing headless authentication attempt.
message HeadlessAuthentication {
  // Header is the resource header.
  ResourceHeader header = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.embed) = true
  ];

  // User is a teleport user name.
  string user = 2;

  // PublicKey is an ssh public key to sign in case of successful auth.
  bytes public_key = 3;

  // State is the headless authentication request state.
  HeadlessAuthenticationState state = 4;

  // MFADevice is the mfa device used to approve the request in case of successful auth.
  types.MFADevice mfa_device = 5;

  // ClientIPAddress is the IP address of the client being authenticated.
  string client_ip_address = 6;
}

// HeadlessAuthenticationState is a headless authentication state.
enum HeadlessAuthenticationState {
  HEADLESS_AUTHENTICATION_STATE_UNSPECIFIED = 0;

  // authentication pending.
  HEADLESS_AUTHENTICATION_STATE_PENDING = 1;

  // authentication denied.
  HEADLESS_AUTHENTICATION_STATE_DENIED = 2;

  // authentication approved.
  HEADLESS_AUTHENTICATION_STATE_APPROVED = 3;
}

// WatchKind specifies resource kind to watch
message WatchKind {
  // Kind is a resource kind to watch
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // LoadSecrets specifies whether to load secrets
  bool LoadSecrets = 2 [(gogoproto.jsontag) = "load_secrets"];
  // Name is an optional specific resource type to watch,
  // if specified only the events with a specific resource
  // name will be sent
  string Name = 3 [(gogoproto.jsontag) = "name"];
  // Filter is an optional mapping of custom filter parameters.
  // Valid values vary by resource kind.
  map<string, string> Filter = 4 [(gogoproto.jsontag) = "filter,omitempty"];
  // SubKind is a resource subkind to watch
  string SubKind = 5 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version optionally specifies the resource version to watch.
  string Version = 6 [(gogoproto.jsontag) = "version,omitempty"];
}