/*
Copyright 2020-2021 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package constants defines Teleport-specific constants shared by the API
// client and the server-side packages.
package constants

import (
	"encoding/json"
	"time"

	"github.com/gravitational/trace"
)

// Cluster-wide identifiers and miscellaneous string constants.
const (
	// DefaultImplicitRole is the implicit role that gets added to every
	// service.RoleSet.
	DefaultImplicitRole = "default-implicit-role"

	// APIDomain is the default domain name of the Auth server API. It is
	// registered as a DNS name in cluster certificates, so it can be used as
	// the SNI to pass TLS handshakes regardless of the address actually dialed.
	APIDomain = "teleport.cluster.local"

	// HumanDateFormatSeconds is a human readable date layout with seconds.
	// "UTC" is a literal in this layout, not a zone placeholder (that would be
	// "MST"): convert the time with .UTC() before formatting, otherwise a
	// non-UTC time is printed with a misleading "UTC" label.
	HumanDateFormatSeconds = "Jan _2 2006 15:04:05 UTC"

	// MaxLeases is an identifying error string indicating that the semaphore
	// system rejected an acquisition attempt because the maximum number of
	// leases has already been reached.
	MaxLeases = "err-max-leases"

	// CertificateFormatStandard is used for normal Teleport operation without
	// any compatibility modes.
	CertificateFormatStandard = "standard"

	// DurationNever is a human friendly shortcut that is interpreted as a
	// Duration of 0.
	DurationNever = "never"
)

// Enhanced session recording options.
const (
	// EnhancedRecordingMinKernel is the minimum kernel version required by the
	// enhanced recording feature.
	EnhancedRecordingMinKernel = "5.8.0"

	// EnhancedRecordingCommand is the role option value meaning that command
	// events are captured.
	EnhancedRecordingCommand = "command"

	// EnhancedRecordingDisk is the role option value meaning that disk events
	// are captured.
	EnhancedRecordingDisk = "disk"

	// EnhancedRecordingNetwork is the role option value meaning that network
	// events are captured.
	EnhancedRecordingNetwork = "network"
)

// Authentication connector names and connector types.
const (
	// LocalConnector is the authentication connector for local logins.
	LocalConnector = "local"

	// PasswordlessConnector is the authentication connector for
	// local/passwordless logins.
	PasswordlessConnector = "passwordless"

	// HeadlessConnector is the authentication connector for headless logins.
	HeadlessConnector = "headless"

	// Local means authentication happens locally within the Teleport cluster.
	Local = "local"

	// OIDC means authentication happens remotely through an OIDC connector.
	OIDC = "oidc"

	// SAML means authentication happens remotely through a SAML connector.
	SAML = "saml"

	// Github means authentication happens remotely through a GitHub connector.
	Github = "github"

	// OIDCPromptSelectAccount instructs the Authorization Server to prompt the
	// End-User to select a user account.
	OIDCPromptSelectAccount = "select_account"

	// OIDCPromptNone instructs the Authorization Server to skip the prompt.
	// Per OIDC Core the provider must then show no UI at all and returns an
	// error if the End-User is not already authenticated there.
	OIDCPromptNone = "none"
)

// Keep alive types, one per kind of heartbeating service.
const (
	// KeepAliveNode is the keep alive type for SSH servers.
	KeepAliveNode = "node"

	// KeepAliveApp is the keep alive type for application servers.
	KeepAliveApp = "app"

	// KeepAliveDatabase is the keep alive type for database servers.
	KeepAliveDatabase = "db"

	// KeepAliveWindowsDesktopService is the keep alive type for a Windows
	// desktop service.
	KeepAliveWindowsDesktopService = "windows_desktop_service"

	// KeepAliveKube is the keep alive type for Kubernetes servers.
	KeepAliveKube = "kube"

	// KeepAliveDatabaseService is the keep alive type for database services.
	KeepAliveDatabaseService = "db_service"
)

// GOOS values.
const (
	// WindowsOS is the GOOS constant used for Microsoft Windows.
	WindowsOS = "windows"

	// LinuxOS is the GOOS constant used for Linux.
	LinuxOS = "linux"

	// DarwinOS is the GOOS constant for Apple macOS/darwin.
	DarwinOS = "darwin"
)

// Error strings from the Go standard library that can only be recognized by
// text matching. Matching on error text is brittle and version dependent;
// prefer errors.Is where a sentinel exists.
const (
	// UseOfClosedNetworkConnection is a special string some parts of the Go
	// standard library use that is the only way to identify some errors.
	//
	// TODO(r0mant): See if we can use net.ErrClosed and errors.Is() instead.
	UseOfClosedNetworkConnection = "use of closed network connection"

	// FailedToSendCloseNotify is an error message from the Go net package
	// indicating that the connection was closed by the server.
	FailedToSendCloseNotify = "tls: failed to send closeNotify alert (but connection was closed anyway)"
)

// AWS console locations and labels.
const (
	// AWSConsoleURL is the URL of the AWS management console.
	AWSConsoleURL = "https://console.aws.amazon.com"
	// AWSUSGovConsoleURL is the URL of the AWS management console for the
	// AWS GovCloud (US) partition.
	AWSUSGovConsoleURL = "https://console.amazonaws-us-gov.com"
	// AWSCNConsoleURL is the URL of the AWS management console for the AWS
	// China partition.
	AWSCNConsoleURL = "https://console.amazonaws.cn"

	// AWSAccountIDLabel is the key of the label containing the AWS account ID.
	AWSAccountIDLabel = "aws_account_id"
)

// Key and certificate related constants.
const (
	// RSAKeySize is the size, in bits, of RSA keys. 2048 is the smallest size
	// generally considered acceptable today; do not lower it.
	RSAKeySize = 2048

	// NoLoginPrefix is the prefix used for nologin certificate principals.
	NoLoginPrefix = "-teleport-nologin-"

	// DatabaseCAMinVersion is the minimum Teleport version that supports the
	// Database Certificate Authority.
	DatabaseCAMinVersion = "10.0.0"

	// OpenSSHCAMinVersion is the minimum Teleport version that supports the
	// OpenSSH Certificate Authority.
	OpenSSHCAMinVersion = "12.0.0"

	// SSHRSAType is the string which specifies an "ssh-rsa" formatted keypair.
	SSHRSAType = "ssh-rsa"
)

// Okta assignment statuses and targets.
const (
	// OktaAssignmentStatusPending represents a pending Okta assignment.
	OktaAssignmentStatusPending = "pending"

	// OktaAssignmentStatusProcessing represents an Okta assignment which is
	// currently being acted on.
	OktaAssignmentStatusProcessing = "processing"

	// OktaAssignmentStatusSuccessful represents a successfully applied Okta
	// assignment.
	OktaAssignmentStatusSuccessful = "successful"

	// OktaAssignmentStatusFailed represents an Okta assignment which failed to
	// apply. It will be retried.
	OktaAssignmentStatusFailed = "failed"

	// OktaAssignmentStatusUnknown represents an unknown status for an Okta
	// assignment.
	OktaAssignmentStatusUnknown = "unknown"

	// OktaAssignmentTargetApplication is an application target of an Okta
	// assignment.
	OktaAssignmentTargetApplication = "application"

	// OktaAssignmentTargetGroup is a group target of an Okta assignment.
	OktaAssignmentTargetGroup = "group"

	// OktaAssignmentTargetUnknown is an unknown target of an Okta assignment.
	OktaAssignmentTargetUnknown = "unknown"
)

// LocalConnectors are the system connectors that use local auth.
var LocalConnectors = []string{LocalConnector, PasswordlessConnector}

// SystemConnectors lists the names of the system-reserved connectors: the
// local-auth connectors plus the headless connector.
var SystemConnectors = []string{LocalConnector, PasswordlessConnector, HeadlessConnector}

// SecondFactorType is the type of 2FA authentication.
type SecondFactorType string

const (
	// SecondFactorOff means no second factor is used.
	SecondFactorOff SecondFactorType = "off"
	// SecondFactorOTP means that only OTP is supported for 2FA and 2FA is
	// required for all users.
	SecondFactorOTP SecondFactorType = "otp"
	// SecondFactorU2F means that only Webauthn is supported for 2FA and 2FA
	// is required for all users.
	//
	// Deprecated: "u2f" is aliased to "webauthn". Prefer using
	// SecondFactorWebauthn instead.
	SecondFactorU2F SecondFactorType = "u2f"
	// SecondFactorWebauthn means that only Webauthn is supported for 2FA and
	// 2FA is required for all users.
	SecondFactorWebauthn SecondFactorType = "webauthn"
	// SecondFactorOn means that all 2FA protocols are supported and 2FA is
	// required for all users.
	SecondFactorOn SecondFactorType = "on"
	// SecondFactorOptional means that all 2FA protocols are supported but 2FA
	// is required only for users that have MFA devices registered; a user
	// without a registered device still logs in with a single factor.
	SecondFactorOptional SecondFactorType = "optional"
)

// UnmarshalYAML decodes a SecondFactorType from YAML. Besides the plain string
// form it accepts the YAML booleans true/false as shortcuts for "on"/"off".
//
// Only the value's shape (string or bool) is checked here: an arbitrary string
// is stored as-is and is not compared against the SecondFactor* constants, so
// that validation has to happen wherever the auth preference is validated.
// Any other YAML type is rejected with a BadParameter error.
func (sft *SecondFactorType) UnmarshalYAML(unmarshal func(interface{}) error) error {
	var raw interface{}
	if err := unmarshal(&raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case bool:
		if v {
			*sft = SecondFactorOn
		} else {
			*sft = SecondFactorOff
		}
		return nil
	case string:
		*sft = SecondFactorType(v)
		return nil
	}
	return trace.BadParameter("SecondFactorType invalid type %T", raw)
}

// UnmarshalJSON decodes a SecondFactorType from JSON. Like UnmarshalYAML it
// maps the JSON booleans true/false to "on"/"off" and stores any string
// value without validating it against the SecondFactor* constants.
func (sft *SecondFactorType) UnmarshalJSON(data []byte) error {
	var raw interface{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case bool:
		if v {
			*sft = SecondFactorOn
		} else {
			*sft = SecondFactorOff
		}
		return nil
	case string:
		// NOTE(review): the string is stored without being checked against the
		// SecondFactor* constants; that check must live with the caller that
		// validates the auth preference.
		*sft = SecondFactorType(v)
		return nil
	}
	// JSON numbers, arrays, objects and null all end up here.
	return trace.BadParameter("SecondFactorType invalid type %T", raw)
}

// LockingMode determines how a (possibly stale) set of locks should be applied
// to an interaction.
type LockingMode string

const (
	// LockingModeStrict terminates all interactions as soon as the available
	// lock view becomes unreliable (fail closed).
	LockingModeStrict LockingMode = "strict"

	// LockingModeBestEffort keeps applying the most recently known locks under
	// all circumstances. With respect to locks created after the last
	// successful refresh this fails open: they are not enforced until the
	// view is current again.
	LockingModeBestEffort LockingMode = "best_effort"
)

// DeviceTrustMode is the mode of verification for trusted devices.
// It is always "off" for OSS and defaults to "optional" for Enterprise.
//
// Note that this is a type alias, not a defined type, so any plain string is
// accepted wherever a DeviceTrustMode is expected.
type DeviceTrustMode = string

const (
	// DeviceTrustModeOff disables both device authentication and authorization.
	DeviceTrustModeOff DeviceTrustMode = "off"
	// DeviceTrustModeOptional allows both device authentication and
	// authorization, but does not require device extensions for sensitive
	// endpoints, so a client without a trusted device is still let through.
	DeviceTrustModeOptional DeviceTrustMode = "optional"
	// DeviceTrustModeRequired enforces the presence of device extensions for
	// sensitive endpoints.
	DeviceTrustModeRequired DeviceTrustMode = "required"
)

// Reverse tunnel and TLS routing (ALPN/SNI) identifiers.
const (
	// ChanTransport is a channel type that can be used to open a net.Conn
	// through the reverse tunnel server. Used for trusted clusters and dial
	// back nodes.
	ChanTransport = "teleport-transport"

	// ChanTransportDialReq is the first (and only) request sent on a
	// ChanTransport channel. Its payload is the address of the host a
	// connection should be established to.
	ChanTransportDialReq = "teleport-transport-dial"

	// RemoteAuthServer is a special non-resolvable address that indicates the
	// client requests a connection to the remote auth server.
	RemoteAuthServer = "@remote-auth-server"

	// ALPNSNIAuthProtocol allows dialing the local/remote auth service based
	// on the SNI cluster name value.
	ALPNSNIAuthProtocol = "teleport-auth@"
	// ALPNSNIProtocolReverseTunnel is the TLS ALPN protocol value used to
	// indicate the Proxy reverse tunnel protocol.
	ALPNSNIProtocolReverseTunnel = "teleport-reversetunnel"
	// ALPNSNIProtocolSSH is the TLS ALPN protocol value used to indicate the
	// Proxy SSH protocol.
	ALPNSNIProtocolSSH = "teleport-proxy-ssh"
	// ALPNSNIProtocolPingSuffix is the TLS ALPN suffix used to wrap
	// connections with Ping.
	ALPNSNIProtocolPingSuffix = "-ping"

	// KubeTeleportProxyALPNPrefix is an SNI prefix used for distinguishing
	// Kubernetes HTTP traffic.
	KubeTeleportProxyALPNPrefix = "kube-teleport-proxy-alpn."
)

// SessionRecordingService is used to differentiate session recording services.
type SessionRecordingService int

const (
	// SessionRecordingServiceSSH represents the SSH service session.
	SessionRecordingServiceSSH SessionRecordingService = iota
)

// SessionRecordingMode determines how session recording behaves in failure
// scenarios.
type SessionRecordingMode string

const (
	// SessionRecordingModeStrict causes any session recording failure to
	// terminate the session or prevent a new session from starting, so no
	// unrecorded session can exist (fail closed).
	SessionRecordingModeStrict SessionRecordingMode = "strict"

	// SessionRecordingModeBestEffort allows the session to keep going even
	// when session recording fails; the price is an audit gap for the part
	// of the session that could not be recorded.
	SessionRecordingModeBestEffort SessionRecordingMode = "best_effort"
)

// ShowResources determines which resources are shown in the web UI. The
// default if unset is "requestable", meaning both resources the user has
// access to and resources they can request are shown in the resources UI.
// If set to `accessible_only`, only resources the user already has access
// to are shown.
type ShowResources string

const (
	// ShowResourcesaccessibleOnly only shows resources the user currently has
	// access to.
	ShowResourcesaccessibleOnly ShowResources = "accessible_only"

	// ShowResourcesRequestable also shows resources that the user can request
	// on the resources page.
	ShowResourcesRequestable ShowResources = "requestable"
)

// Names of the role variables (user traits) that roles are templated with.
//
// NOTE(review): trait values come from the identity source (IdP claims or the
// user resource) rather than from the role itself, so treat them as input
// when writing role templates; confirm against the role templating code.
const (
	// TraitLogins is the name of the role variable used to store allowed
	// logins.
	TraitLogins = "logins"

	// TraitWindowsLogins is the name of the role variable used to store
	// allowed Windows logins.
	TraitWindowsLogins = "windows_logins"

	// TraitKubeGroups is the name of the role variable used to store allowed
	// Kubernetes groups.
	TraitKubeGroups = "kubernetes_groups"

	// TraitKubeUsers is the name of the role variable used to store allowed
	// Kubernetes users.
	TraitKubeUsers = "kubernetes_users"

	// TraitDBNames is the name of the role variable used to store allowed
	// database names.
	TraitDBNames = "db_names"

	// TraitDBUsers is the name of the role variable used to store allowed
	// database users.
	TraitDBUsers = "db_users"

	// TraitDBRoles is the name of the role variable used to store allowed
	// database roles.
	TraitDBRoles = "db_roles"

	// TraitAWSRoleARNs is the name of the role variable used to store allowed
	// AWS role ARNs.
	TraitAWSRoleARNs = "aws_role_arns"

	// TraitAzureIdentities is the name of the role variable used to store
	// allowed Azure identity names.
	TraitAzureIdentities = "azure_identities"

	// TraitGCPServiceAccounts is the name of the role variable used to store
	// allowed GCP service accounts.
	TraitGCPServiceAccounts = "gcp_service_accounts"

	// TraitHostUserUID is the name of the variable used to specify the UID to
	// create the host user account with.
	TraitHostUserUID = "host_user_uid"

	// TraitHostUserGID is the name of the variable used to specify the GID to
	// create the host user account with.
	TraitHostUserGID = "host_user_gid"
)

const (
	// TimeoutGetClusterAlerts bounds how long tctl and tsh wait when grabbing
	// cluster alerts.
	TimeoutGetClusterAlerts = 750 * time.Millisecond
)

const (
	// MaxAssumeStartDuration is the latest point in the future an access
	// request's assume start time may be set to.
	MaxAssumeStartDuration = 7 * 24 * time.Hour
)

// Constants for the TLS routing connection upgrade. See the RFD for details:
// https://github.com/gravitational/teleport/blob/master/rfd/0123-tls-routing-behind-layer7-lb.md
const (
	// WebAPIConnUpgrade is the HTTP web API path used to make the connection
	// upgrade call.
	WebAPIConnUpgrade = "/webapi/connectionupgrade"
	// WebAPIConnUpgradeHeader is the header used to indicate the requested
	// connection upgrade types in the connection upgrade API.
	WebAPIConnUpgradeHeader = "Upgrade"
	// WebAPIConnUpgradeTeleportHeader is a Teleport-specific header used to
	// indicate the requested connection upgrade types in the connection
	// upgrade API. It is sent in addition to the "Upgrade" header in case a
	// load balancer/reverse proxy strips "Upgrade".
	WebAPIConnUpgradeTeleportHeader = "X-Teleport-Upgrade"
	// WebAPIConnUpgradeTypeALPN is a connection upgrade type that specifies
	// the upgraded connection should be handled by the ALPN handler.
	WebAPIConnUpgradeTypeALPN = "alpn"
	// WebAPIConnUpgradeTypeALPNPing is a connection upgrade type that
	// specifies the upgraded connection should be handled by the ALPN handler
	// wrapped with the Ping protocol.
	//
	// Use it when the tunneled TLS Routing protocol cannot keep long-lived
	// connections alive on its own: an L7 LB usually ignores TCP keepalives
	// and has very short idle timeouts.
	WebAPIConnUpgradeTypeALPNPing = "alpn-ping"
	// WebAPIConnUpgradeTypeWebSocket is the standard upgrade type for
	// WebSocket.
	WebAPIConnUpgradeTypeWebSocket = "websocket"
	// WebAPIConnUpgradeConnectionHeader is the standard header that controls
	// whether the network connection stays open after the current
	// transaction finishes.
	WebAPIConnUpgradeConnectionHeader = "Connection"
	// WebAPIConnUpgradeConnectionType is the value of the "Connection" header
	// used for connection upgrades.
	WebAPIConnUpgradeConnectionType = "Upgrade"
)

// SSH request names used by the file transfer approval flow.
const (
	// InitiateFileTransfer is used when creating a new file transfer request.
	InitiateFileTransfer string = "file-transfer@goteleport.com"
	// FileTransferDecision is a request that approves or denies an active
	// file transfer. Multiple decisions can be sent for the same request if
	// the policy requires it.
	FileTransferDecision string = "file-transfer-decision@goteleport.com"
)