proto/prehog/v1alpha/teleport.proto

// Copyright 2022 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package prehog.v1alpha;

import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

// a successful user login
//
// PostHog event: tp.user.login
message UserLoginEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
  // should always be a real user as bots and service accounts with long-term
  // credentials don't ever login
  //
  // PostHog property: tp.user_name
  string user_name = 1;

  // type of the auth connector used in the login, should be
  // "local"/"github"/"saml"/"oidc"
  //
  // PostHog property: tp.connector_type
  string connector_type = 2;

  // anonymized device ID, empty or 32 bytes (HMAC-SHA-256) encoded in base64;
  // for logins where device trust is enabled
  //
  // PostHog property: tp.device_id
  string device_id = 3;

  // the required private key policy for this login.
  string required_private_key_policy = 4;
}

message SSOCreateEvent {
  // github/saml/oidc
  string connector_type = 1;
}

// ResourceCreateEvent is emitted when a resource is created.
message ResourceCreateEvent {
  // resource_type is the type of resource ("node", "node.openssh", "db", "k8s", "app").
  string resource_type = 1;
  // resource_origin is the origin of the resource ("cloud", "kubernetes").
  string resource_origin = 2;
  // cloud_provider is the cloud provider the resource came from ("AWS", "Azure", "GCP")
  // if resource_origin == "cloud".
  string cloud_provider = 3;
  // database contains additional database information if resource_type == "db".
  DiscoveredDatabaseMetadata database = 4;
}

// DiscoveredDatabaseMetadata contains additional database information.
message DiscoveredDatabaseMetadata {
  // database type.
  string db_type = 1;
  // database protocol.
  string db_protocol = 2;
}

// the kind of a "resource" as intended by ResourceHeartbeatEvent
enum ResourceKind {
  RESOURCE_KIND_UNSPECIFIED = 0;

  // PostHog property value: "node"
  RESOURCE_KIND_NODE = 1;

  // PostHog property value: "app_server"
  RESOURCE_KIND_APP_SERVER = 2;

  // PostHog property value: "kube_server"
  RESOURCE_KIND_KUBE_SERVER = 3;

  // PostHog property value: "db_server"
  RESOURCE_KIND_DB_SERVER = 4;

  // PostHog property value: "windows_desktop"
  RESOURCE_KIND_WINDOWS_DESKTOP = 5;

  // ServerV3 ("node") heartbeat with a subkind of "openssh" (as opposed to
  // empty or "teleport"); not used in keepalives
  //
  // PostHog property value: "node.openssh"
  RESOURCE_KIND_NODE_OPENSSH = 6;

  // ServerV3 ("node") heartbeat with a subkind of "openssh-ec2-ice".
  // Nodes that map EC2 instances and are accessed using EC2 Instance Connect Endpoint.
  // Not used in keepalives.
  // This is the SubKind SubKindOpenSSHEICENode in teleport repo.
  //
  // PostHog property value: "node.openssh_ec2_ice"
  RESOURCE_KIND_NODE_OPENSSH_EICE = 7;
}

// a heartbeat for a resource served by a Teleport instance outside of the
// control plane (i.e. not auth, not proxy)
//
// PostHog event: tp.resource.hb
message ResourceHeartbeatEvent {
  // anonymized name of the resource, 32 bytes (HMAC-SHA-256); the name is the
  // host ID for nodes but the actual user-facing name for other resources, so
  // an app or a database served by multiple agents won't be counted multiple
  // times
  //
  // PreHog property: tp.resource_name (in base64)
  bytes resource_name = 1;

  // kind of the resource (node, app, db)
  //
  // PostHog property: tp.resource_type (as a string, see ResourceKind)
  ResourceKind resource_kind = 2;

  // true if the heartbeat has no expiration
  //
  // PostHog property: tp.is_static
  bool static = 3;
}

// an event representing one of several audit events: session.start, port,
// app.session.start, db.session.start, windows.desktop.session.start; i.e. a
// SSH shell or port-forward, kubectl exec or kubectl port-forward, DB, App or
// Desktop connection
//
// an earlier encoding (as "tp.session.start") mixed SSH sessions and kubectl
// execs under a session type of "ssh"
//
// PostHog event: tp.session.start
message SessionStartEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;

  // type of the session, should be "ssh"/"k8s"/"db"/"app"/"desktop" (matching
  // the values for api/types.SessionKind) or "app_tcp", "ssh_port_v2" or
  // "k8s_port" for TCP Application Access connections, SSH port forwards and
  // kubectl port-forward respectively; a type of "ssh_port" represents either a
  // SSH port forwarding connection or a kubectl port-forward (not used in new
  // events)
  //
  // PostHog property: tp.session_type
  string session_type = 2;

  // if session_type == "db" the database struct contains additional information
  // about database session.
  //
  // PostHog property: tp.database
  SessionStartDatabaseMetadata database = 3;

  // if session_type == "desktop" the desktop struct contains additional
  // information about the desktop session
  SessionStartDesktopMetadata desktop = 4;
}

// SessionStartDatabaseMetadata contains additional information about database session.
message SessionStartDatabaseMetadata {
  // database type.
  string db_type = 1;
  // database protocol.
  string db_protocol = 2;
  // database origin source.
  string db_origin = 3;
}

// SessionStartDesktop Metadata contains additional information about
// a desktop session.
message SessionStartDesktopMetadata {
  // desktop type ("ad" or "non-ad")
  string desktop_type = 1;

  // Indicates how the desktop was enrolled in Teleport
  // ("config-file" for statically defined hosts, or "dynamic" for
  // hosts discovered via LDAP).
  string origin = 2;

  // If desktop type is "ad" this field contains the anonymized Active
  // Directory domain that the desktop belongs to.
  string windows_domain = 3;

  // If true, and desktop type is "non-ad" automatic user creation is
  // enabled for the session. (This does not mean that the user will
  // be created, as Teleport does not know whether the user already exists.)
  bool allow_user_creation = 4;
}

// the issuance of a user certificate from the user CA
//
// PostHog event: tp.certificate.issued
message UserCertificateIssuedEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64; it
  // can be the username of a bot user rather than of a regular user
  //
  // PostHog property: tp.user_name
  string user_name = 1;

  // the TTL of the issued certificate, typically 8 or 12 hours
  //
  // PostHog property: tp.ttl_minutes (in minutes, rounded up)
  google.protobuf.Duration ttl = 2;

  // If true, the certificate was requested by a bot (i.e. Machine ID) user.
  // PostHog property: tp.is_bot
  bool is_bot = 3;
  // If true, the certificate usage is restricted to database access.
  // PostHog property: tp.usage_database
  bool usage_database = 4;
  // If true, the certificate usage is restricted to app access.
  // PostHog property: tp.usage_app
  bool usage_app = 5;
  // If true, the certificate usage is restricted to Kubernetes access.
  // PostHog property: tp.usage_kubernetes
  bool usage_kubernetes = 6;
  // If true, the certificate usage is restricted to desktop access.
  // PostHog property: tp.usage_desktop
  bool usage_desktop = 7;

  // the private key policy associated with these user certificates.
  string private_key_policy = 8;
}

// UIBannerClickEvent is a usage event sent by the UI when the upgrade
// banner is clicked.
message UIBannerClickEvent {
  // anonymized
  string user_name = 1;
  // cluster alert name
  string alert = 2;
}

// UIOnboardCompleteGoToDashboardClickEvent is a UI event sent when initial
// registration is complete.
message UIOnboardCompleteGoToDashboardClickEvent {
  // anonymized
  string user_name = 1;
}

// UIOnboardAddFirstResourceClickEvent is a UI event sent when a user clicks the
// "add first resource" button.
message UIOnboardAddFirstResourceClickEvent {
  // anonymized
  string user_name = 1;
}

// UIOnboardAddFirstResourceLaterClickEvent is a UI event sent when a user
// clicks the "add first resource later" button.
message UIOnboardAddFirstResourceLaterClickEvent {
  // anonymized
  string user_name = 1;
}

// UIOnboardSetCredentialSubmitEvent is a UI event sent during registration when
// users configure their credentials.
message UIOnboardSetCredentialSubmitEvent {
  // anonymized
  string user_name = 1;
}

// UIOnboardRegisterChallengeSubmitEvent is a UI event sent during registration
// when the MFA challenge is completed.
message UIOnboardRegisterChallengeSubmitEvent {
  // anonymized
  string user_name = 1;
  string mfa_type = 2;
  string login_flow = 3;
}

// UIOnboardQuestionnaireSubmitEvent is a UI event sent during registration when
// user submits their onboarding questionnaire.
message UIOnboardQuestionnaireSubmitEvent {
  // anonymized
  string user_name = 1;
}

// UIRecoveryCodesContinueClickEvent is a UI event sent during
// registration when the user configures cluster recovery codes.
message UIRecoveryCodesContinueClickEvent {
  // anonymized
  string user_name = 1;
}

// UIRecoveryCodesCopyClickEvent is a UI event sent during
// registration when the user copies recovery codes.
message UIRecoveryCodesCopyClickEvent {
  // anonymized
  string user_name = 1;
}

// UIRecoveryCodesPrintClickEvent is a UI event sent during
// registration when the user prints recovery codes.
message UIRecoveryCodesPrintClickEvent {
  // anonymized
  string user_name = 1;
}

// DiscoverMetadata contains common metadata for Discover related events.
message DiscoverMetadata {
  // Uniquely identifies Discover wizard "session". Will allow to correlate
  // events within the same Discover wizard run.
  string id = 1;

  // anonymized
  string user_name = 2;

  // SSO indicates whether the user is from an SSO provider.
  bool sso = 3;
}

// DiscoverResource represents a resource type.
enum DiscoverResource {
  DISCOVER_RESOURCE_UNSPECIFIED = 0;
  DISCOVER_RESOURCE_SERVER = 1;
  DISCOVER_RESOURCE_KUBERNETES = 2;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_SELF_HOSTED = 3;
  DISCOVER_RESOURCE_DATABASE_MYSQL_SELF_HOSTED = 4;
  DISCOVER_RESOURCE_DATABASE_MONGODB_SELF_HOSTED = 5;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_RDS = 6;
  DISCOVER_RESOURCE_DATABASE_MYSQL_RDS = 7;
  DISCOVER_RESOURCE_APPLICATION_HTTP = 8;
  DISCOVER_RESOURCE_APPLICATION_TCP = 9;
  DISCOVER_RESOURCE_WINDOWS_DESKTOP = 10;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_RDS = 11;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT = 12;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_SELF_HOSTED = 13;
  DISCOVER_RESOURCE_DATABASE_REDIS_SELF_HOSTED = 14;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_GCP = 15;
  DISCOVER_RESOURCE_DATABASE_MYSQL_GCP = 16;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_GCP = 17;

  DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT_SERVERLESS = 18;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_AZURE = 19;
  DISCOVER_RESOURCE_DATABASE_DYNAMODB = 20;
  DISCOVER_RESOURCE_DATABASE_CASSANDRA_KEYSPACES = 21;
  DISCOVER_RESOURCE_DATABASE_CASSANDRA_SELF_HOSTED = 22; // Cassandra & ScyllaDb
  DISCOVER_RESOURCE_DATABASE_ELASTICSEARCH_SELF_HOSTED = 23;
  DISCOVER_RESOURCE_DATABASE_REDIS_ELASTICACHE = 24; // Elasticache & MemoryDb
  DISCOVER_RESOURCE_DATABASE_REDIS_MEMORYDB = 25;
  DISCOVER_RESOURCE_DATABASE_REDIS_AZURE_CACHE = 26;
  DISCOVER_RESOURCE_DATABASE_REDIS_CLUSTER_SELF_HOSTED = 27;

  DISCOVER_RESOURCE_DATABASE_MYSQL_AZURE = 28;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_AZURE = 29;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_MICROSOFT = 30;
  DISCOVER_RESOURCE_DATABASE_COCKROACHDB_SELF_HOSTED = 31;
  DISCOVER_RESOURCE_DATABASE_MONGODB_ATLAS = 32;
  DISCOVER_RESOURCE_DATABASE_SNOWFLAKE = 33;

  DISCOVER_RESOURCE_DOC_DATABASE_RDS_PROXY = 34;
  DISCOVER_RESOURCE_DOC_DATABASE_HIGH_AVAILABILITY = 35;
  DISCOVER_RESOURCE_DOC_DATABASE_DYNAMIC_REGISTRATION = 36;

  DISCOVER_RESOURCE_SAML_APPLICATION = 37;

  DISCOVER_RESOURCE_EC2_INSTANCE = 38;
}

// DiscoverResourceMetadata contains common metadata identifying resource type being added.
message DiscoverResourceMetadata {
  // Resource type that is being added.
  DiscoverResource resource = 1;
}

// DiscoverStatus represents a Discover Step outcome.
enum DiscoverStatus {
  DISCOVER_STATUS_UNSPECIFIED = 0;
  // The user tried to complete the action and it succeeded.
  DISCOVER_STATUS_SUCCESS = 1;
  // The system skipped the step.
  // For example:
  // When setting up a Database and there's already a Database Service proxying the DB.
  // In this case the Database Agent installation is skipped.
  DISCOVER_STATUS_SKIPPED = 2;
  // The user tried to complete the action and it failed.
  DISCOVER_STATUS_ERROR = 3;
  // The user did not complete the action and left the wizard.
  DISCOVER_STATUS_ABORTED = 4;
}

// DiscoverStepStatus contains fields that track a particular step outcome,
// for example connection test failed or succeeded, or user aborted the step.
message DiscoverStepStatus {
  // Indicates the step outcome.
  DiscoverStatus status = 1;
  // Contains error details in case of Error Status.
  // We have to be careful to not include any identifyable infomation like server addresses here.
  string error = 2;
}

// UIDiscoverStartedEvent is emitted when the wizard opens.
message UIDiscoverStartedEvent {
  DiscoverMetadata metadata = 1;
  DiscoverStepStatus status = 2;
}

// UIDiscoverResourceSelectionEvent is emitted when user selected resource type to add
// and proceeded to the next step.
message UIDiscoverResourceSelectionEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverIntegrationAWSOIDCConnectEvent is emitted when a user is finished with the step
// that asks user to setup aws integration or select from a list of existing
// aws integrations.
message UIDiscoverIntegrationAWSOIDCConnectEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDatabaseRDSEnrollEvent is emitted when a user is finished with
// the step that asks user to select from a list of RDS databases.
message UIDiscoverDatabaseRDSEnrollEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
  int64 selected_resources_count = 4;
}

// UIDiscoverDeployServiceEvent is emitted after the user installs a Teleport Agent.
// For SSH this is the Teleport 'install-node' script.
//
// For Kubernetes this is the teleport-agent helm chart installation.
//
// For Database Access this step is the installation of the teleport 'install-db' script.
// It can be skipped if the cluster already has a Database Service capable of proxying the database.
message UIDiscoverDeployServiceEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;

  // DeployMethod describes the method used to deploy a service.
  enum DeployMethod {
    // DEPLOY_METHOD_UNSPECIFIED means there was an existing service
    // so deploying step got skipped.
    DEPLOY_METHOD_UNSPECIFIED = 0;
    // DEPLOY_METHOD_AUTO means Teleport deployed a service for the user.
    DEPLOY_METHOD_AUTO = 1;
    // DEPLOY_METHOD_MANUAL means a user deployed a service by themselves.
    DEPLOY_METHOD_MANUAL = 2;
  }

  DeployMethod deploy_method = 4;

  // DeployType describes the type of deployment.
  enum DeployType {
    // DEPLOY_METHOD_UNSPECIFIED means there was an existing service
    // so deploying step got skipped.
    DEPLOY_TYPE_UNSPECIFIED = 0;
    // DEPLOY_TYPE_INSTALL_SCRIPT means service was deployed using an
    // install script.
    DEPLOY_TYPE_INSTALL_SCRIPT = 1;
    // DEPLOY_TYPE_AMAZON_ECS means service was deployed using amazon's
    // elastic container service.
    DEPLOY_TYPE_AMAZON_ECS = 2;
  }

  DeployType deploy_type = 5;
}

// UIDiscoverDatabaseRegisterEvent is emitted when a user is finished with the step that registers a database resource.
message UIDiscoverDatabaseRegisterEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDatabaseConfigureMTLSEvent is emitted when a user is finished with the step that configures mutual TLS for a self-hosted database.
message UIDiscoverDatabaseConfigureMTLSEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDesktopActiveDirectoryToolsInstallEvent is emitted when the user is finished with the step that asks user to run the install Active Directory tools script for the Desktop flow.
message UIDiscoverDesktopActiveDirectoryToolsInstallEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDesktopActiveDirectoryConfigureEvent is emitted when the user is finished with the step that asks user to run the Configure Active Directory script for the Desktop flow.
message UIDiscoverDesktopActiveDirectoryConfigureEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverAutoDiscoveredResourcesEvent is emitted when the user is finished with the step that auto discovers resources (waiting until resources show up).
// resources_count field must reflect the latest amount of discovered resources (get the number after user is finished with this step).
message UIDiscoverAutoDiscoveredResourcesEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
  int64 resources_count = 4;
}

// UIDiscoverEC2InstanceSelectionEvent is emitted when the user is finished with the step that asks the user to select an EC2 Instance to enroll.
message UIDiscoverEC2InstanceSelectionEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDeployEICEEvent is emitted when the user deploys an EC2 Instance Connect Endpoint.
message UIDiscoverDeployEICEEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverCreateNodeEvent is emitted when the node is created in Teleport.
message UIDiscoverCreateNodeEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverDatabaseConfigureIAMPolicyEvent is emitted when a user is finished with the step that configures IAM policy for an RDS database.
message UIDiscoverDatabaseConfigureIAMPolicyEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverPrincipalsConfigureEvent is emitted when a user is finished with the step that allows user to update their principals (setting up access).
message UIDiscoverPrincipalsConfigureEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverTestConnectionEvent emitted on the "Test Connection" screen
// when the user clicked tested connection to their resource.
message UIDiscoverTestConnectionEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// UIDiscoverCompletedEvent is emitted when user completes the Discover wizard.
message UIDiscoverCompletedEvent {
  DiscoverMetadata metadata = 1;
  DiscoverResourceMetadata resource = 2;
  DiscoverStepStatus status = 3;
}

// RoleCreateEvent is emitted when user creates a custom role.
message RoleCreateEvent {
  // anonymized
  string user_name = 1;
  // anonymized
  string role_name = 2;
}

// BotCreateEvent is emitted when user creates a bot.
message BotCreateEvent {
  // user_name is the anonymized name of the user who created the bot
  string user_name = 1;
  // anonymized
  string bot_user_name = 2;
  // role_name is the anonymized name of the bot role that was created.
  string role_name = 3;
  // role_count is the number of roles that the bot role can impersonate on
  // creation.
  int64 role_count = 4;
  // join_method is the join method of the token associated with the bot on
  // creation.
  string join_method = 5;
  // bot_name is the anonymised name of the bot.
  string bot_name = 6;
}

// BotJoinEvent is emitted when a bot joins a Teleport cluster.
message BotJoinEvent {
  // bot_name is the anonymised name of the bot.
  string bot_name = 1;
  // join_method is the join method of the token associated with the bot on
  // creation. This will be the string value of `api/types.JoinMethod`.
  string join_method = 2;
  // join_token_name is the anonymised name of the token used to join
  // the cluster.
  string join_token_name = 3;
}

// UICreateNewRoleClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleClickEvent {
  //anonymized
  string user_name = 1;
}

// UICreateNewRoleSaveClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleSaveClickEvent {
  //anonymized
  string user_name = 1;
}

// UICreateNewRoleCancelClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleCancelClickEvent {
  //anonymized
  string user_name = 1;
}

// UICreateNewRoleViewDocumentationClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleViewDocumentationClickEvent {
  //anonymized
  string user_name = 1;
}

// UICallToActionClickEvent is a click in a Teleport Web UI's CTA
message UICallToActionClickEvent {
  //anonymized
  string user_name = 1;
  CTA cta = 2;
}

// CTA represents teleport web UI's call to action buttons
enum CTA {
  CTA_UNSPECIFIED = 0;
  CTA_AUTH_CONNECTOR = 1;
  CTA_ACTIVE_SESSIONS = 2;
  CTA_ACCESS_REQUESTS = 3;
  CTA_PREMIUM_SUPPORT = 4;
  CTA_TRUSTED_DEVICES = 5;
  CTA_UPGRADE_BANNER = 6;
  CTA_BILLING_SUMMARY = 7;
  CTA_ACCESS_LIST = 8;
  CTA_ACCESS_MONITORING = 9;
  CTA_EXTERNAL_AUDIT_STORAGE = 10;
}

// a request forwarded to a kube cluster's API server (other than exec and
// port-forward)
//
// PostHog event: tp.kube.request
message KubeRequestEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;
}

// an sftp event, represents a single operation on a file
//
// PostHog event: tp.sftp
message SFTPEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // matching SFTPAction in teleport/api/types/events/events.proto
  int32 action = 2;
}

message AgentMetadataEvent {
  string version = 1;
  string host_id = 2;
  repeated string services = 3;
  string os = 4;
  string os_version = 5;
  string host_architecture = 6;
  string glibc_version = 7;
  repeated string install_methods = 8;
  string container_runtime = 9;
  string container_orchestrator = 10;
  string cloud_environment = 11;

  // external_upgrader is the name of the registered external upgrader. if non-empty, this field indicates
  // that the associated agent is enrolled in automatic upgrades.
  string external_upgrader = 12;
}

// AssistCompletionEvent is an event that is emitted
// when a single completion occurs in the Teleport Assist,
// i.e. a user submits a prompt, and receives an answer from the Assist
message AssistCompletionEvent {
  // anonymized
  string user_name = 1;

  // ConversationId is the UUID that identifies a single Assist conversation
  string conversation_id = 2;

  // TotalTokens is the total amount of token used to satisfy this request
  int64 total_tokens = 3;
  // PromptTokens is the amount of estimated tokens used by the prompt
  int64 prompt_tokens = 4;
  // CompletionTokens is the amount of tokens that the completion response consists of
  int64 completion_tokens = 5;
}

// AssistExecutionEvent is an event that is emitted when an Assist command
// execution is triggered by the user.
message AssistExecutionEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // ConversationId is the UUID that identifies a single Assist conversation
  string conversation_id = 2;
  // NodeCount is the number of nodes the command was executed on
  int64 node_count = 3;
  // TotalTokens is the total amount of token used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}

// AssistNewConversationEvent is an event that is emitted for each new Assist
// conversation and contains the conversation category.
message AssistNewConversationEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // Category is the conversation category. This represents what kind of request
  // the user is asking Assist.
  string category = 2;
}

// AssistAccessRequest is an event that is emitted when a user requests access
// to a resource via Assist.
message AssistAccessRequestEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // ResourceType describes the type of resource the user is requesting access to, e.g. "node", "db", "k8s" or "role".
  string resource_type = 2;
  // TotalTokens is the total amount of token used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}

// AssistAction is an event that is emitted when a user triggers an action (SSH command generation, output explain, etc.)
// via Assist.
message AssistActionEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // Action is the action that was triggered, e.g. "ssh-explain", "ssh-command-generate", etc.
  string action = 2;
  // TotalTokens is the total amount of token used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}

// AccessListMetadata contains common metadata for Access List related events.
message AccessListMetadata {
  // id uniquely identifies an Access List. Will allow correlation of events within an access list.
  string id = 1;
}

// AccessListCreate is an event that is emitted when an access list is created.
message AccessListCreateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListUpdate is an event that is emitted when an access list is updated.
message AccessListUpdateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListDelete is an event that is emitted when an access list is deleted.
message AccessListDeleteEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListMemberCreate is an event that is emitted when a member is added to an access list.
message AccessListMemberCreateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListMemberUpdate is an event that is emitted when a member is updated in an access list.
message AccessListMemberUpdateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListMemberDelete is an event that is emitted when a member is removed from an access list.
message AccessListMemberDeleteEvent {
  // user_name is anonymized user name
  string user_name = 1;
  AccessListMetadata metadata = 2;
}

// AccessListGrantsToUser is an event that is emitted when access list permissions are granted to a user
// on login.
message AccessListGrantsToUserEvent {
  // user_name is the anonymized user name
  string user_name = 1;

  // count_roles_granted is the number of roles granted to a user.
  int32 count_roles_granted = 2;

  // count_traits_granted is the number of traits granted to a user.
  int32 count_traits_granted = 3;
}

// IntegrationEnrollKind represents the types of integration that
// can be enrolled.
enum IntegrationEnrollKind {
  INTEGRATION_ENROLL_KIND_UNSPECIFIED = 0;
  INTEGRATION_ENROLL_KIND_SLACK = 1;
  INTEGRATION_ENROLL_KIND_AWS_OIDC = 2;
  INTEGRATION_ENROLL_KIND_PAGERDUTY = 3;
  INTEGRATION_ENROLL_KIND_EMAIL = 4;
  INTEGRATION_ENROLL_KIND_JIRA = 5;
  INTEGRATION_ENROLL_KIND_DISCORD = 6;
  INTEGRATION_ENROLL_KIND_MATTERMOST = 7;
  INTEGRATION_ENROLL_KIND_MS_TEAMS = 8;
  INTEGRATION_ENROLL_KIND_OPSGENIE = 9;
  INTEGRATION_ENROLL_KIND_OKTA = 10;
  INTEGRATION_ENROLL_KIND_JAMF = 11;
  INTEGRATION_ENROLL_KIND_MACHINE_ID = 12;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_GITHUB_ACTIONS = 13;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_CIRCLECI = 14;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_GITLAB = 15;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_JENKINS = 16;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_ANSIBLE = 17;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_AWS = 18;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_GCP = 19;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_AZURE = 20;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_SPACELIFT = 21;
  INTEGRATION_ENROLL_KIND_MACHINE_ID_KUBERNETES = 22;
}

// IntegrationEnrollMetadata contains common metadata
// for Integration Enroll related events.
message IntegrationEnrollMetadata {
  // id is used as a unique identifier to correlate events within the
  // same enroll wizard run.
  string id = 1;
  // kind identifies what type of integration the user clicked on to enroll.
  IntegrationEnrollKind kind = 2;
  // user_name is anonymized.
  string user_name = 3;
}

// UIIntegrationEnrollEvent is an event that is emitted when a user
// clicks on a integration to enroll.
message UIIntegrationEnrollStartEvent {
  IntegrationEnrollMetadata metadata = 1;
}

// UIIntegrationEnrollEvent is an event that is emitted when a user
// completed enrolling an integration.
message UIIntegrationEnrollCompleteEvent {
  IntegrationEnrollMetadata metadata = 1;
}

// EditorChangeEvent is an event that is emitted when a user role set changes resulting in
// a editor role being added on removed
message EditorChangeEvent {
  // anonymized user name
  string user_name = 1;
  EditorChangeStatus status = 2;
}

// EditorChangeStatus is the possible value of an EditorChangeEvent event status
enum EditorChangeStatus {
  EDITOR_CHANGE_STATUS_UNSPECIFIED = 0;
  // Status when the editor role is granted
  EDITOR_CHANGE_STATUS_ROLE_GRANTED = 1;
  // Status when the editor role is removed
  EDITOR_CHANGE_STATUS_ROLE_REMOVED = 2;
}

// Device authentication event
message DeviceAuthenticateEvent {
  // anonymized device ID, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.device_id
  string device_id = 1;

  // anonymized username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 2;

  // device OS type
  //
  // PostHog property: tp.device_os_type
  string device_os_type = 3;
}

// Device Enrollment event
//
// PostHost event: tp.device.enroll
message DeviceEnrollEvent {
  // anonymized device ID, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.device_id
  string device_id = 1;

  // anonymized username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 2;

  // device OS type
  //
  // PostHog property: tp.device_os_type
  string device_os_type = 3;

  // device origin
  //
  // PostHog property: tp.device_origin
  string device_origin = 4;
}

// FeatureRecommendationEvent captures event emitted when a feature is recommended to user or
// when user completes the desired CTA for the feature.
//
// PostHost event: tp.ui.feature.recommendation
message FeatureRecommendationEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // feature is name of the Teleport feature.
  //
  // PostHog property: tp.feature
  Feature feature = 2;
  // feature_recommendation_status records recommendation state, which can be 'NOTIFIED' (feature is recommended)
  // OR 'DONE' (user completes desired CTA)
  //
  // PostHost property: tp.feature_recommendation_status
  FeatureRecommendationStatus feature_recommendation_status = 3;
}

// Feature is name of Teleport feature
enum Feature {
  FEATURE_UNSPECIFIED = 0;
  FEATURE_TRUSTED_DEVICES = 1;
}

// FeatureRecommendationStatus is feature recommendation status.
enum FeatureRecommendationStatus {
  FEATURE_RECOMMENDATION_STATUS_UNSPECIFIED = 0;
  // FEATURE_RECOMMENDATION_STATUS_NOTIFIED is emitted when a feature is recommended (notified in UI) to user.
  FEATURE_RECOMMENDATION_STATUS_NOTIFIED = 1;
  // FEATURE_RECOMMENDATION_STATUS_DONE is emitted when user completes the desired CTA.
  FEATURE_RECOMMENDATION_STATUS_DONE = 2;
}

// LicenseLimitEvent is emitted when access to Teleport feature
// is denied based on license limits
//
// PostHost event: tp.license.limit
message LicenseLimitEvent {
  // PostHost property: tp.license_limit
  LicenseLimit license_limit = 1;
}

// LicenseLimit indicates event type that triggered LicenseLimitEvent.
enum LicenseLimit {
  LICENSE_LIMIT_UNSPECIFIED = 0;
  // LICENSE_LIMIT_DEVICE_TRUST_TEAM_JAMF is emitted if license does not
  // allow Jamf integration (e.g. Team Plan)
  LICENSE_LIMIT_DEVICE_TRUST_TEAM_JAMF = 1;
  // LICENSE_LIMIT_DEVICE_TRUST_TEAM_USAGE is emitted when allowed enrolled device
  // limit is reached
  LICENSE_LIMIT_DEVICE_TRUST_TEAM_USAGE = 2;
}

// DesktopDirectoryShareEvent is emitted when directory sharing is used
// in a Teleport desktop session.
message DesktopDirectoryShareEvent {
  // anonymized desktop addr, used to uniquely idenfity the desktop
  //
  // PostHog property: tp.desktop
  string desktop = 1;

  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
  //
  // PostHog property: tp.user_name
  string user_name = 2;

  // anonymized directory name
  //
  // PostHog property: tp.directory_name
  string directory_name = 3;
}

// DesktopClipboardEvent is emitted when data is transferred between a user's
// local clipboard and a remote Windows clipboard.
message DesktopClipboardEvent {
  // anonymized desktop addr, used to uniquely idenfity the desktop
  //
  // PostHog property: tp.desktop
  string desktop = 1;

  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
  //
  // PostHog property: tp.user_name
  string user_name = 2;
}

// TAGExecuteQueryEvent is an event that is emitted
// when a single query is executed in the Teleport Access Graph.
// This event is emitted for both successful and failed queries. For
// successful queries, the total number of nodes and edges is reported.
message TAGExecuteQueryEvent {
  // anonymized
  string user_name = 1;

  // total_nodes is the total amount of nodes returned by the query.
  int64 total_nodes = 2;
  // total_edges is the total amount of edges returned by the query.
  int64 total_edges = 3;
  // is_success is true if the query was successful and false it if failed.
  bool is_success = 4;
}

// ExternalAuditStorageAuthenticateEvent is emitted when the External Audit
// Storage feature authenticates to the customer AWS account via OIDC connector.
// The purpose is to have a regularly emitted event indicating that the External
// Audit Storage feature is still in use.
message ExternalAuditStorageAuthenticateEvent {}

// SecurityReportGetResultEvent is emitted when the user requests a security report.
message SecurityReportGetResultEvent {
  // anonymized
  string user_name = 1;
  // name is the name of the security report.
  string name = 2;
  // days is the time range of the security reports in days.
  int32 days = 3;
}

// AuditQueryRunEvent is emitted when the user runs an audit query.
message AuditQueryRunEvent {
  // anonymized
  string user_name = 1;
  // days is the time range of the query in days.
  int32 days = 2;
  // is_success is true if the query was successful false if execution failed.
  bool is_success = 3;
}

message SubmitEventRequest {
  // anonymized, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.cluster_name (still in base64)
  string cluster_name = 1;

  // optional, will default to the ingest time if unset
  //
  // PostHog timestamp
  google.protobuf.Timestamp timestamp = 2;

  // the event being submitted
  oneof event {
    UserLoginEvent user_login = 3;
    SSOCreateEvent sso_create = 4;
    ResourceCreateEvent resource_create = 5;

    // REMOVE IN V14: Use session_start_v2 instead
    SessionStartEvent session_start = 6;

    UIBannerClickEvent ui_banner_click = 7;
    UIOnboardCompleteGoToDashboardClickEvent ui_onboard_complete_go_to_dashboard_click = 9;
    UIOnboardAddFirstResourceClickEvent ui_onboard_add_first_resource_click = 10;
    UIOnboardAddFirstResourceLaterClickEvent ui_onboard_add_first_resource_later_click = 11;
    UIOnboardSetCredentialSubmitEvent ui_onboard_set_credential_submit = 12;
    UIOnboardRegisterChallengeSubmitEvent ui_onboard_register_challenge_submit = 13;
    UIRecoveryCodesContinueClickEvent ui_recovery_codes_continue_click = 14;
    UIRecoveryCodesCopyClickEvent ui_recovery_codes_copy_click = 15;
    UIRecoveryCodesPrintClickEvent ui_recovery_codes_print_click = 16;

    UIDiscoverStartedEvent ui_discover_started_event = 17;
    UIDiscoverResourceSelectionEvent ui_discover_resource_selection_event = 18;

    UserCertificateIssuedEvent user_certificate_issued_event = 19;

    // Note: semantics of SessionStartEvent type values have changed to
    // differentiate SSH from Kubernetes exec sessions (as well as adding
    // db/app/desktop events). The structures are the same, however, so we don't
    // need a new message type.
    SessionStartEvent session_start_v2 = 20;

    UIDiscoverDeployServiceEvent ui_discover_deploy_service_event = 21;
    UIDiscoverDatabaseRegisterEvent ui_discover_database_register_event = 22;
    UIDiscoverDatabaseConfigureMTLSEvent ui_discover_database_configure_mtls_event = 23;
    UIDiscoverDesktopActiveDirectoryToolsInstallEvent ui_discover_desktop_active_directory_tools_install_event = 24;
    UIDiscoverDesktopActiveDirectoryConfigureEvent ui_discover_desktop_active_directory_configure_event = 25;
    UIDiscoverAutoDiscoveredResourcesEvent ui_discover_auto_discovered_resources_event = 26;
    UIDiscoverDatabaseConfigureIAMPolicyEvent ui_discover_database_configure_iam_policy_event = 27;
    UIDiscoverPrincipalsConfigureEvent ui_discover_principals_configure_event = 28;
    UIDiscoverTestConnectionEvent ui_discover_test_connection_event = 29;
    UIDiscoverCompletedEvent ui_discover_completed_event = 30;

    RoleCreateEvent role_create = 31;

    UICreateNewRoleClickEvent ui_create_new_role_click = 32;
    UICreateNewRoleSaveClickEvent ui_create_new_role_save_click = 33;
    UICreateNewRoleCancelClickEvent ui_create_new_role_cancel_click = 34;
    UICreateNewRoleViewDocumentationClickEvent ui_create_new_role_view_documentation_click = 35;

    KubeRequestEvent kube_request = 36;
    SFTPEvent sftp = 37;
    AgentMetadataEvent agent_metadata_event = 38;
    ResourceHeartbeatEvent resource_heartbeat = 39;

    UIDiscoverIntegrationAWSOIDCConnectEvent ui_discover_integration_aws_oidc_connect_event = 40;
    UIDiscoverDatabaseRDSEnrollEvent ui_discover_database_rds_enroll_event = 41;

    UICallToActionClickEvent ui_call_to_action_click_event = 42;

    AssistCompletionEvent assist_completion = 43;

    UIIntegrationEnrollStartEvent ui_integration_enroll_start_event = 44;
    UIIntegrationEnrollCompleteEvent ui_integration_enroll_complete_event = 45;

    EditorChangeEvent editor_change_event = 46;

    BotCreateEvent bot_create = 47;

    UIOnboardQuestionnaireSubmitEvent ui_onboard_questionnaire_submit = 48;

    BotJoinEvent bot_join = 49;

    AssistExecutionEvent assist_execution = 50;
    AssistNewConversationEvent assist_new_conversation = 51;

    DeviceAuthenticateEvent device_authenticate_event = 52;

    FeatureRecommendationEvent feature_recommendation_event = 53;

    AssistAccessRequestEvent assist_access_request = 54;
    AssistActionEvent assist_action = 55;

    DeviceEnrollEvent device_enroll_event = 56;

    LicenseLimitEvent license_limit_event = 57;

    AccessListCreateEvent access_list_create = 58;
    AccessListUpdateEvent access_list_update = 59;
    AccessListDeleteEvent access_list_delete = 60;
    AccessListMemberCreateEvent access_list_member_create = 61;
    AccessListMemberUpdateEvent access_list_member_update = 62;
    AccessListMemberDeleteEvent access_list_member_delete = 63;
    AccessListGrantsToUserEvent access_list_grants_to_user = 64;
    UIDiscoverEC2InstanceSelectionEvent ui_discover_ec2_instance_selection = 65;
    UIDiscoverDeployEICEEvent ui_discover_deploy_eice = 66;
    UIDiscoverCreateNodeEvent ui_discover_create_node = 67;

    DesktopDirectoryShareEvent desktop_directory_share = 68;
    DesktopClipboardEvent desktop_clipboard_transfer = 69;

    TAGExecuteQueryEvent tag_execute_query = 70;

    ExternalAuditStorageAuthenticateEvent external_audit_storage_authenticate = 71;

    SecurityReportGetResultEvent security_report_get_result = 72;
    AuditQueryRunEvent audit_query_run = 73;
  }

  reserved 8; // UIOnboardGetStartedClickEvent
  reserved "ui_onboard_get_started_click";
}
message SubmitEventResponse {}

message SubmitEventsRequest {
  // individual events to be submitted in a batch, up to 500 at once
  repeated SubmitEventRequest events = 1;
}
message SubmitEventsResponse {}

message HelloTeleportRequest {}
message HelloTeleportResponse {}

service TeleportReportingService {
  // equivalent to SubmitEvents with a single event, should be unused by now
  rpc SubmitEvent(SubmitEventRequest) returns (SubmitEventResponse) {
    option deprecated = true;
  }

  // encodes and forwards usage events to the PostHog event database; each
  // event is annotated with some properties that depend on the identity of the
  // caller:
  // - tp.account_id (UUID in string form, can be empty if missing from the
  //   license)
  // - tp.license_name (should always be a UUID)
  // - tp.license_authority (name of the authority that signed the license file
  //   used for authentication)
  // - tp.is_cloud (boolean)
  rpc SubmitEvents(SubmitEventsRequest) returns (SubmitEventsResponse) {}

  rpc HelloTeleport(HelloTeleportRequest) returns (HelloTeleportResponse) {}
}