/*
Copyright 2020-2021 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package constants defines Teleport-specific constants
package constants
import (
"encoding/json"
"time"
"github.com/gravitational/trace"
)
const (
	// DefaultImplicitRole is the implicit role that gets added to all
	// service.RoleSet objects.
	DefaultImplicitRole = "default-implicit-role"

	// APIDomain is the default domain name for the Auth server API. It is often
	// used as an SNI to pass TLS handshakes regardless of the server address,
	// since "teleport.cluster.local" is registered as a DNS name in certificates.
	APIDomain = "teleport.cluster.local"

	// EnhancedRecordingMinKernel is the minimum kernel version for the enhanced
	// recording feature.
	EnhancedRecordingMinKernel = "5.8.0"

	// EnhancedRecordingCommand is a role option that implies command events are
	// captured.
	EnhancedRecordingCommand = "command"

	// EnhancedRecordingDisk is a role option that implies disk events are captured.
	EnhancedRecordingDisk = "disk"

	// EnhancedRecordingNetwork is a role option that implies network events
	// are captured.
	EnhancedRecordingNetwork = "network"

	// LocalConnector is the authenticator connector for local logins.
	LocalConnector = "local"

	// PasswordlessConnector is the authenticator connector for
	// local/passwordless logins.
	PasswordlessConnector = "passwordless"

	// HeadlessConnector is the authentication connector for headless logins.
	HeadlessConnector = "headless"

	// Local means authentication will happen locally within the Teleport cluster.
	// Note that it shares its string value with LocalConnector.
	Local = "local"

	// OIDC means authentication will happen remotely using an OIDC connector.
	OIDC = "oidc"

	// SAML means authentication will happen remotely using a SAML connector.
	SAML = "saml"

	// Github means authentication will happen remotely using a Github connector.
	Github = "github"

	// HumanDateFormatSeconds is a human readable date layout (Go reference-time
	// format) that includes seconds.
	HumanDateFormatSeconds = "Jan _2 2006 15:04:05 UTC"

	// MaxLeases serves as an identifying error string indicating that the
	// semaphore system is rejecting an acquisition attempt due to max
	// leases having already been reached.
	MaxLeases = "err-max-leases"

	// CertificateFormatStandard is used for normal Teleport operation without any
	// compatibility modes.
	CertificateFormatStandard = "standard"

	// DurationNever is a human friendly shortcut that is interpreted as a Duration of 0.
	DurationNever = "never"

	// OIDCPromptSelectAccount instructs the Authorization Server to
	// prompt the End-User to select a user account.
	OIDCPromptSelectAccount = "select_account"

	// OIDCPromptNone instructs the Authorization Server to skip the prompt.
	OIDCPromptNone = "none"

	// KeepAliveNode is the keep alive type for SSH servers.
	KeepAliveNode = "node"

	// KeepAliveApp is the keep alive type for application server.
	KeepAliveApp = "app"

	// KeepAliveDatabase is the keep alive type for database server.
	KeepAliveDatabase = "db"

	// KeepAliveWindowsDesktopService is the keep alive type for a Windows
	// desktop service.
	KeepAliveWindowsDesktopService = "windows_desktop_service"

	// KeepAliveKube is the keep alive type for Kubernetes server.
	KeepAliveKube = "kube"

	// KeepAliveDatabaseService is the keep alive type for database service.
	KeepAliveDatabaseService = "db_service"

	// WindowsOS is the GOOS constant used for Microsoft Windows.
	WindowsOS = "windows"

	// LinuxOS is the GOOS constant used for Linux.
	LinuxOS = "linux"

	// DarwinOS is the GOOS constant for Apple macOS/darwin.
	DarwinOS = "darwin"

	// UseOfClosedNetworkConnection is a special string some parts of the
	// Go standard lib are using that is the only way to identify some errors.
	// Matching on error text is brittle across Go releases; see the TODO.
	//
	// TODO(r0mant): See if we can use net.ErrClosed and errors.Is() instead.
	UseOfClosedNetworkConnection = "use of closed network connection"

	// FailedToSendCloseNotify is an error message from the Go net package
	// indicating that the connection was closed by the server.
	FailedToSendCloseNotify = "tls: failed to send closeNotify alert (but connection was closed anyway)"

	// AWSConsoleURL is the URL of the AWS management console.
	AWSConsoleURL = "https://console.aws.amazon.com"

	// AWSUSGovConsoleURL is the URL of the AWS management console for the AWS
	// GovCloud (US) Partition.
	AWSUSGovConsoleURL = "https://console.amazonaws-us-gov.com"

	// AWSCNConsoleURL is the URL of the AWS management console for the AWS
	// China Partition.
	AWSCNConsoleURL = "https://console.amazonaws.cn"

	// AWSAccountIDLabel is the key of the label containing the AWS account ID.
	AWSAccountIDLabel = "aws_account_id"

	// RSAKeySize is the size, in bits, of generated RSA keys.
	RSAKeySize = 2048

	// NoLoginPrefix is the prefix used for nologin certificate principals.
	NoLoginPrefix = "-teleport-nologin-"

	// DatabaseCAMinVersion is the minimum Teleport version that supports the Database Certificate Authority.
	DatabaseCAMinVersion = "10.0.0"

	// OpenSSHCAMinVersion is the minimum Teleport version that supports the OpenSSH Certificate Authority.
	OpenSSHCAMinVersion = "12.0.0"

	// SSHRSAType is the string which specifies an "ssh-rsa" formatted keypair.
	SSHRSAType = "ssh-rsa"

	// OktaAssignmentStatusPending represents a pending status for an Okta assignment.
	OktaAssignmentStatusPending = "pending"

	// OktaAssignmentStatusProcessing represents an Okta assignment which is currently being acted on.
	OktaAssignmentStatusProcessing = "processing"

	// OktaAssignmentStatusSuccessful represents a successfully applied Okta assignment.
	OktaAssignmentStatusSuccessful = "successful"

	// OktaAssignmentStatusFailed represents an Okta assignment which failed to apply. It will be retried.
	OktaAssignmentStatusFailed = "failed"

	// OktaAssignmentStatusUnknown represents an unknown status for an Okta assignment.
	OktaAssignmentStatusUnknown = "unknown"

	// OktaAssignmentTargetApplication is an application target of an Okta assignment.
	OktaAssignmentTargetApplication = "application"

	// OktaAssignmentTargetGroup is a group target of an Okta assignment.
	OktaAssignmentTargetGroup = "group"

	// OktaAssignmentTargetUnknown is an unknown target of an Okta assignment.
	OktaAssignmentTargetUnknown = "unknown"
)
// LocalConnectors are the system connectors that use local auth.
//
// This is a package-level slice and therefore mutable; treat it as read-only
// and copy it before modifying.
var LocalConnectors = []string{LocalConnector, PasswordlessConnector}
// SystemConnectors lists the names of the system-reserved connectors.
//
// This is a package-level slice and therefore mutable; treat it as read-only
// and copy it before modifying.
var SystemConnectors = []string{LocalConnector, PasswordlessConnector, HeadlessConnector}
// SecondFactorType is the type of 2FA authentication.
//
// It is a distinct string type; the recognised values are the SecondFactor*
// constants below. Note that the Unmarshal* methods on this type store any
// decoded string verbatim, so a value is not guaranteed to be one of these
// constants until it has been validated.
type SecondFactorType string

const (
	// SecondFactorOff means no second factor.
	SecondFactorOff = SecondFactorType("off")
	// SecondFactorOTP means that only OTP is supported for 2FA and 2FA is
	// required for all users.
	SecondFactorOTP = SecondFactorType("otp")
	// SecondFactorU2F means that only Webauthn is supported for 2FA and 2FA
	// is required for all users.
	//
	// Deprecated: "u2f" is aliased to "webauthn". Prefer using
	// SecondFactorWebauthn instead.
	SecondFactorU2F = SecondFactorType("u2f")
	// SecondFactorWebauthn means that only Webauthn is supported for 2FA and 2FA
	// is required for all users.
	SecondFactorWebauthn = SecondFactorType("webauthn")
	// SecondFactorOn means that all 2FA protocols are supported and 2FA is
	// required for all users.
	SecondFactorOn = SecondFactorType("on")
	// SecondFactorOptional means that all 2FA protocols are supported and 2FA
	// is required only for users that have MFA devices registered.
	SecondFactorOptional = SecondFactorType("optional")
)
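// UnmarshalYAML supports parsing off|on into string on SecondFactorType.
//
// The decoded YAML scalar may be a string, which is stored verbatim, or a
// bool, where true maps to SecondFactorOn and false to SecondFactorOff.
// Any other decoded type is rejected with trace.BadParameter. Errors from
// the unmarshal callback are returned unchanged.
func (sft *SecondFactorType) UnmarshalYAML(unmarshal func(interface{}) error) error {
	var tmp interface{}
	if err := unmarshal(&tmp); err != nil {
		return err
	}
	return sft.setFromDecoded(tmp)
}

// UnmarshalJSON supports parsing off|on into string on SecondFactorType.
//
// It accepts the same value shapes as UnmarshalYAML: a JSON string (stored
// verbatim) or a JSON bool (true -> SecondFactorOn, false -> SecondFactorOff).
// Any other JSON type is rejected with trace.BadParameter; JSON syntax errors
// from json.Unmarshal are returned unchanged.
func (sft *SecondFactorType) UnmarshalJSON(data []byte) error {
	var tmp interface{}
	if err := json.Unmarshal(data, &tmp); err != nil {
		return err
	}
	return sft.setFromDecoded(tmp)
}

// setFromDecoded assigns a generically decoded YAML/JSON value to sft. It is
// the single place holding the string/bool coercion rules, so the YAML and
// JSON paths cannot drift apart.
//
// No validation against the SecondFactor* constants is performed here: an
// arbitrary string (e.g. a misspelled mode) is stored as-is, so callers that
// rely on a well-formed mode must check the value after decoding.
func (sft *SecondFactorType) setFromDecoded(v interface{}) error {
	switch v := v.(type) {
	case string:
		*sft = SecondFactorType(v)
	case bool:
		// A bare boolean is shorthand for "on" / "off".
		if v {
			*sft = SecondFactorOn
		} else {
			*sft = SecondFactorOff
		}
	default:
		// In the default branch v keeps the interface type, so %T reports the
		// dynamic type of the unsupported value.
		return trace.BadParameter("SecondFactorType invalid type %T", v)
	}
	return nil
}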
// LockingMode determines how a (possibly stale) set of locks should be applied
// to an interaction.
type LockingMode string

const (
	// LockingModeStrict causes all interactions to be terminated when the
	// available lock view becomes unreliable (fail closed).
	LockingModeStrict = LockingMode("strict")
	// LockingModeBestEffort applies the most recently known locks under all
	// circumstances, even when the lock view may be stale (fail open).
	LockingModeBestEffort = LockingMode("best_effort")
)
// DeviceTrustMode is the mode of verification for trusted devices.
// DeviceTrustMode is always "off" for OSS.
// Defaults to "optional" for Enterprise.
//
// It is declared as a type alias of string (note the "="), not a distinct
// type, so any string is assignable to it without conversion and the
// compiler does not restrict it to the DeviceTrustMode* constants below.
type DeviceTrustMode = string

const (
	// DeviceTrustModeOff disables both device authentication and authorization.
	DeviceTrustModeOff DeviceTrustMode = "off"
	// DeviceTrustModeOptional allows both device authentication and
	// authorization, but doesn't enforce the presence of device extensions for
	// sensitive endpoints.
	DeviceTrustModeOptional DeviceTrustMode = "optional"
	// DeviceTrustModeRequired enforces the presence of device extensions for
	// sensitive endpoints.
	DeviceTrustModeRequired DeviceTrustMode = "required"
)
const (
	// ChanTransport is a channel type that can be used to open a net.Conn
	// through the reverse tunnel server. Used for trusted clusters and dial back
	// nodes.
	ChanTransport = "teleport-transport"

	// ChanTransportDialReq is the first (and only) request sent on a
	// chanTransport channel. Its payload is the address of the host a
	// connection should be established to.
	ChanTransportDialReq = "teleport-transport-dial"

	// RemoteAuthServer is a special non-resolvable address that indicates the
	// client requests a connection to the remote auth server.
	RemoteAuthServer = "@remote-auth-server"

	// ALPNSNIAuthProtocol allows dialing the local/remote auth service based on
	// the SNI cluster name value. It is a prefix; the cluster name follows the "@".
	ALPNSNIAuthProtocol = "teleport-auth@"

	// ALPNSNIProtocolReverseTunnel is the TLS ALPN protocol value used to indicate the Proxy reversetunnel protocol.
	ALPNSNIProtocolReverseTunnel = "teleport-reversetunnel"

	// ALPNSNIProtocolSSH is the TLS ALPN protocol value used to indicate the Proxy SSH protocol.
	ALPNSNIProtocolSSH = "teleport-proxy-ssh"

	// ALPNSNIProtocolPingSuffix is the TLS ALPN suffix used to wrap connections with Ping.
	ALPNSNIProtocolPingSuffix = "-ping"
)
const (
	// KubeTeleportProxyALPNPrefix is an SNI prefix used for distinguishing
	// Kubernetes HTTP traffic routed through the Teleport proxy.
	KubeTeleportProxyALPNPrefix = "kube-teleport-proxy-alpn."
)
// SessionRecordingService is used to differentiate session recording services.
type SessionRecordingService int

const (
	// SessionRecordingServiceSSH represents the SSH service session.
	// It is the first (and currently only) value of the iota sequence, i.e. 0.
	SessionRecordingServiceSSH SessionRecordingService = iota
)
// SessionRecordingMode determines how session recording will behave in failure
// scenarios.
type SessionRecordingMode string

const (
	// SessionRecordingModeStrict causes any session recording failure to
	// terminate the session or prevent a new session from starting (fail closed).
	SessionRecordingModeStrict = SessionRecordingMode("strict")
	// SessionRecordingModeBestEffort allows the session to keep going even when
	// session recording fails (fail open; audit coverage may be incomplete).
	SessionRecordingModeBestEffort = SessionRecordingMode("best_effort")
)
// Constants for Traits. Each value is the key of a role/user trait variable.
const (
	// TraitLogins is the name of the role variable used to store
	// allowed logins.
	TraitLogins = "logins"

	// TraitWindowsLogins is the name of the role variable used
	// to store allowed Windows logins.
	TraitWindowsLogins = "windows_logins"

	// TraitKubeGroups is the name of the role variable used to store
	// allowed kubernetes groups.
	TraitKubeGroups = "kubernetes_groups"

	// TraitKubeUsers is the name of the role variable used to store
	// allowed kubernetes users.
	TraitKubeUsers = "kubernetes_users"

	// TraitDBNames is the name of the role variable used to store
	// allowed database names.
	TraitDBNames = "db_names"

	// TraitDBUsers is the name of the role variable used to store
	// allowed database users.
	TraitDBUsers = "db_users"

	// TraitDBRoles is the name of the role variable used to store
	// allowed database roles.
	TraitDBRoles = "db_roles"

	// TraitAWSRoleARNs is the name of the role variable used to store
	// allowed AWS role ARNs.
	TraitAWSRoleARNs = "aws_role_arns"

	// TraitAzureIdentities is the name of the role variable used to store
	// allowed Azure identity names.
	TraitAzureIdentities = "azure_identities"

	// TraitGCPServiceAccounts is the name of the role variable used to store
	// allowed GCP service accounts.
	TraitGCPServiceAccounts = "gcp_service_accounts"

	// TraitHostUserUID is the name of the variable used to specify
	// the UID to create the host user account with.
	TraitHostUserUID = "host_user_uid"

	// TraitHostUserGID is the name of the variable used to specify
	// the GID to create the host user account with.
	TraitHostUserGID = "host_user_gid"
)
const (
	// TimeoutGetClusterAlerts is the timeout for grabbing cluster alerts from
	// tctl and tsh (750ms).
	TimeoutGetClusterAlerts = time.Millisecond * 750
)
const (
	// MaxAssumeStartDuration is the latest duration into the future an access
	// request's assume start time can be (7 days).
	MaxAssumeStartDuration = time.Hour * 24 * 7
)
const (
	// WebAPIConnUpgrade is the HTTP web API path used to make the connection
	// upgrade call.
	WebAPIConnUpgrade = "/webapi/connectionupgrade"

	// WebAPIConnUpgradeHeader is the header used to indicate the requested
	// connection upgrade types in the connection upgrade API.
	WebAPIConnUpgradeHeader = "Upgrade"

	// WebAPIConnUpgradeTeleportHeader is a Teleport-specific header used to
	// indicate the requested connection upgrade types in the connection
	// upgrade API. This header is sent in addition to the "Upgrade" header in
	// case a load balancer/reverse proxy strips "Upgrade".
	WebAPIConnUpgradeTeleportHeader = "X-Teleport-Upgrade"

	// WebAPIConnUpgradeTypeALPN is a connection upgrade type that specifies
	// the upgraded connection should be handled by the ALPN handler.
	WebAPIConnUpgradeTypeALPN = "alpn"

	// WebAPIConnUpgradeTypeALPNPing is a connection upgrade type that
	// specifies the upgraded connection should be handled by the ALPN handler
	// wrapped with the Ping protocol.
	//
	// This should be used when the tunneled TLS Routing protocol cannot keep
	// long-lived connections alive, as an L7 LB usually ignores TCP keepalives
	// and has very short idle timeouts.
	WebAPIConnUpgradeTypeALPNPing = "alpn-ping"

	// WebAPIConnUpgradeConnectionHeader is the standard header that controls
	// whether the network connection stays open after the current transaction
	// finishes.
	WebAPIConnUpgradeConnectionHeader = "Connection"

	// WebAPIConnUpgradeConnectionType is the value of the "Connection" header
	// used for connection upgrades.
	WebAPIConnUpgradeConnectionType = "Upgrade"
)
const (
	// InitiateFileTransfer is the SSH request type used when creating a new
	// file transfer request.
	InitiateFileTransfer string = "file-transfer@goteleport.com"

	// FileTransferDecision is a request that will approve or deny an active file transfer.
	// Multiple decisions can be sent for the same request if the policy requires it.
	FileTransferDecision string = "file-transfer-decision@goteleport.com"
)