/*
* Teleport
* Copyright (C) 2023 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package servicecfg
import (
"github.com/coreos/go-oidc/oauth2"
"github.com/dustin/go-humanize"
"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
"github.com/gravitational/teleport/api/types"
apiutils "github.com/gravitational/teleport/api/utils"
"github.com/gravitational/teleport/lib/auth/keystore"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/multiplexer"
"github.com/gravitational/teleport/lib/utils"
)
// AuthConfig is a configuration of the auth server
type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool
	// PROXYProtocolMode controls behavior related to unsigned PROXY protocol headers.
	PROXYProtocolMode multiplexer.PROXYProtocolMode
	// ListenAddr is the listening address of the auth service
	ListenAddr utils.NetAddr
	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []types.CertAuthority
	// BootstrapResources is a set of previously backed up resources
	// used to bootstrap backend state on the first start.
	BootstrapResources []types.Resource
	// ApplyOnStartupResources is a set of resources that should be applied
	// on each Teleport start.
	ApplyOnStartupResources []types.Resource
	// Roles is a set of roles to pre-provision for this cluster
	Roles []types.Role
	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName types.ClusterName
	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	// NOTE(review): these tokens are join credentials read from the config file;
	// keep them out of logs and diagnostic dumps of this struct.
	StaticTokens types.StaticTokens
	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config
	// Limiter is the limiter.Config applied to the auth service
	// (presumably the connection and rate limits defined in lib/limiter).
	Limiter limiter.Config
	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool
	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference types.AuthPreference
	// AuditConfig stores cluster audit configuration.
	AuditConfig types.ClusterAuditConfig
	// NetworkingConfig stores cluster networking configuration.
	NetworkingConfig types.ClusterNetworkingConfig
	// SessionRecordingConfig stores session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig
	// LicenseFile is a full path to the license file
	LicenseFile string
	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr
	// KeyStore configuration. Handles CA private keys which may be held in a HSM.
	KeyStore keystore.Config
	// LoadAllCAs sends the host CAs of all clusters to SSH clients logging in when enabled,
	// instead of just the host CA for the current cluster.
	LoadAllCAs bool
	// HostedPlugins configures the Enterprise hosted plugin runtime
	HostedPlugins HostedPluginsConfig
	// Clock is the clock instance auth uses. Typically you'd only want to set
	// this during testing.
	Clock clockwork.Clock
	// HTTPClientForAWSSTS overwrites the default HTTP client used for making
	// STS requests. Used in test.
	HTTPClientForAWSSTS utils.HTTPDoClient
	// AssistAPIKey is the OpenAI API key.
	// TODO: This key will be moved to a plugin once support for plugins is implemented.
	// NOTE(review): secret credential; keep it out of logs, error messages and
	// diagnostic dumps of this struct.
	AssistAPIKey string
	// AccessMonitoring configures access monitoring.
	// A nil value means access monitoring is not configured; see
	// IsAccessMonitoringEnabled, which treats nil as disabled.
	AccessMonitoring *AccessMonitoringOptions
}
// AccessMonitoringOptions configures access monitoring.
//
// The *String fields are the YAML-facing representations; the typed fields
// Enabled and DataLimit carry `yaml:"-"` and are derived from them by
// CheckAndSetDefaults.
type AccessMonitoringOptions struct {
	// EnabledString is the string representation of the Enabled field.
	EnabledString string `yaml:"enabled"`
	// Enabled is true if access monitoring is enabled.
	// Populated from EnabledString by CheckAndSetDefaults.
	Enabled bool `yaml:"-"`
	// RoleARN is the ARN of the IAM role to assume when accessing Athena.
	RoleARN string `yaml:"role_arn,omitempty"`
	// RoleTags are the tags to use when assuming the IAM role.
	RoleTags map[string]string `yaml:"role_tags,omitempty"`
	// DataLimitString is the string representation of the DataLimit field.
	// Parsed with humanize.ParseBytes, so human-readable sizes are accepted.
	DataLimitString string `yaml:"data_limit,omitempty"`
	// DataLimit is the maximum amount of data that can be returned by a query.
	// Populated (in bytes) from DataLimitString by CheckAndSetDefaults.
	DataLimit uint64 `yaml:"-"`
	// Database is the name of the database to use.
	Database string `yaml:"database,omitempty"`
	// Table is the name of the table to use.
	Table string `yaml:"table,omitempty"`
	// Workgroup is the name of the Athena workgroup to use.
	Workgroup string `yaml:"workgroup,omitempty"`
	// QueryResults is the S3 bucket to use for query results.
	QueryResults string `yaml:"query_results,omitempty"`
	// ReportResults is the S3 bucket to use for report results.
	ReportResults string `yaml:"report_results,omitempty"`
}
// IsAccessMonitoringEnabled returns true if access monitoring is enabled.
//
// An unset (nil) AccessMonitoring block is treated as disabled, so callers
// can consult this without checking the pointer themselves.
func (a *AuthConfig) IsAccessMonitoringEnabled() bool {
	opts := a.AccessMonitoring
	if opts == nil {
		return false
	}
	return opts.Enabled
}
// CheckAndSetDefaults checks and sets default values for any missing fields.
//
// It derives DataLimit from DataLimitString (a human-readable byte size as
// understood by humanize.ParseBytes) and Enabled from EnabledString, leaving
// each typed field untouched when its string form is empty. A parse failure
// is returned wrapped with trace.Wrap.
func (a *AccessMonitoringOptions) CheckAndSetDefaults() error {
	if raw := a.DataLimitString; raw != "" {
		limit, err := humanize.ParseBytes(raw)
		// The parsed value is stored before the error check (it is zero on
		// failure), matching the previous assignment order.
		a.DataLimit = limit
		if err != nil {
			return trace.Wrap(err)
		}
	}
	if raw := a.EnabledString; raw != "" {
		enabled, err := apiutils.ParseBool(raw)
		// Same ordering as above: the (possibly zero) result is stored first.
		a.Enabled = enabled
		if err != nil {
			return trace.Wrap(err)
		}
	}
	return nil
}
// HostedPluginsConfig configures the hosted plugin runtime.
type HostedPluginsConfig struct {
	// Enabled turns the hosted plugin runtime on or off.
	Enabled bool
	// OAuthProviders holds the per-provider OAuth application credentials
	// (see PluginOAuthProviders).
	OAuthProviders PluginOAuthProviders
}
// PluginOAuthProviders holds application credentials for each
// 3rd party API provider
type PluginOAuthProviders struct {
	// Slack is the OAuth2 client credentials (client ID and secret) for the
	// Slack provider; presumably nil when no Slack credentials are configured.
	// NOTE(review): the secret half is credential material — keep it out of
	// logs and diagnostic dumps.
	Slack *oauth2.ClientCredentials
}