From d20c267d7a43e282a6c2818613587c2c6ab16605 Mon Sep 17 00:00:00 2001 From: Bernard Kim Date: Tue, 3 Dec 2024 09:02:06 -0800 Subject: [PATCH] crdgen: Update testdata (#49375) (#49670) * Update crdgen testdata * Update CONTRIBUTING.md --- integrations/operator/CONTRIBUTING.md | 20 +- .../resources.teleport.dev_accesslists.yaml | 4 + ...resources.teleport.dev_oidcconnectors.yaml | 38 +- ...esources.teleport.dev_provisiontokens.yaml | 54 +- .../golden/resources.teleport.dev_roles.yaml | 234 ++++++- .../resources.teleport.dev_rolesv6.yaml | 117 +++- .../resources.teleport.dev_rolesv7.yaml | 117 +++- ...resources.teleport.dev_samlconnectors.yaml | 43 ++ .../teleport/accesslist/v1/accesslist.proto | 27 +- .../legacy/client/proto/authservice.proto | 64 +- .../teleport/legacy/client/proto/event.proto | 22 + .../legacy/client/proto/joinservice.proto | 6 +- .../legacy/client/proto/proxyservice.proto | 7 + .../teleport/legacy/types/events/events.proto | 522 +++++++++++++- .../teleport/legacy/types/types.proto | 660 ++++++++++++++++-- 15 files changed, 1806 insertions(+), 129 deletions(-) diff --git a/integrations/operator/CONTRIBUTING.md b/integrations/operator/CONTRIBUTING.md index 0f19ed607bc2d..e90050c6e719c 100644 --- a/integrations/operator/CONTRIBUTING.md +++ b/integrations/operator/CONTRIBUTING.md @@ -17,12 +17,12 @@ other .proto files used to generate the CRDs have changed). #### Generate the new CRD -1. Add the type name to the `resources` list in `crdgen/main.go`. +1. Add the type name to the `resources` list in `crdgen/handlerequest.go`. 2. Add the proto file to the `PROTOS` list in `Makefile` if it is not already present. Also add it to the `PROTOS` list in `crdgen/Makefile`. 3. Run `make manifests` to generate the CRD. 4. Run `make crdgen-test`. This will should fail if your new CRD is generated. - Update the test snapshots with `make -C crdgen update-snapshots` + Update the test snapshots with `make -C crdgen update-snapshot` #### Create a "scheme" defining Go types to match the CRD @@ -40,13 +40,16 @@ Follow the same patterns of existing reconcilers in those packages. Use the generic TeleportResourceReconciler if possible, that way you only have to implement CRUD methods for your resource. -Write unit tests for your reconciler. Use the generic `testResourceCreation`, -`testResourceDeletionDrift`, and `testResourceUpdate` helpers to get baseline +Write unit tests for your reconciler. Use the generic `ResourceCreationTest`, +`ResourceDeletionDriftTest`, and `ResourceUpdateTest` helpers to get baseline coverage. +Update the `defaultTeleportServiceConfig` teleport role in +`controllers/resources/testlib/env.go` with any new required permissions. + #### Register your reconciler and scheme -In `main.go` and `controllers/resources/testlib/env.go` instantiate your +In `controllers/resources/setup.go` instantiate your controller and register it with the controller-runtime manager. Follow the pattern of existing resources which instantiate the reconciler and call the `SetupWithManager(mgr)` method. @@ -59,11 +62,10 @@ your resource version is added to the root `scheme` with a call like Add Kubernetes RBAC permissions to allow the operator to work with the resources on the Kubernetes side. -The cluster role spec is found in `../../examples/chart/teleport-cluster/templates/auth/clusterrole.yaml`. +The cluster role spec is found in `../../examples/chart/teleport-cluster/templates/auth/config.yaml`. -Add Teleport RBAC permissions for to allow the operator to work with the -resources on the Teleport side. -These should be added to the sidecar role in `sidecar/sidecar.go`. +Update the RBAC permissions in `hack/fixture-operator-role.yaml` to update +operator the role used for debugging. ### Debugging tips diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml index 802e2a4f13a11..2c595617b69d3 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml @@ -153,6 +153,10 @@ spec: description: ineligible_status describes if this owner is eligible or not and if not, describes how they're lacking eligibility. x-kubernetes-int-or-string: true + membership_kind: + description: membership_kind describes the type of membership, + either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. + x-kubernetes-int-or-string: true name: description: name is the username of the owner. type: string diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml index f8a3bd100d52f..29a7b8e286599 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml @@ -65,7 +65,7 @@ spec: type: array client_id: description: ClientID is the id of the authentication client (Teleport - Auth server). + Auth Service). type: string client_redirect_settings: description: ClientRedirectSettings defines which client redirect @@ -116,6 +116,42 @@ spec: time period, they will be forced to re-authenticate. format: duration type: string + mfa: + description: MFASettings contains settings to enable SSO MFA checks + through this auth connector. + nullable: true + properties: + acr_values: + description: AcrValues are Authentication Context Class Reference + values. The meaning of the ACR value is context-specific and + varies for identity providers. Some identity providers support + MFA specific contexts, such Okta with its "phr" (phishing-resistant) + ACR. + type: string + client_id: + description: ClientID is the OIDC OAuth app client ID. + type: string + client_secret: + description: ClientSecret is the OIDC OAuth app client secret. + type: string + enabled: + description: Enabled specified whether this OIDC connector supports + MFA checks. Defaults to false. + type: boolean + max_age: + description: MaxAge is the amount of time in nanoseconds that + an IdP session is valid for. Defaults to 0 to always force re-authentication + for MFA checks. This should only be set to a non-zero value + if the IdP is setup to perform MFA checks on top of active user + sessions. + format: duration + type: string + prompt: + description: Prompt is an optional OIDC prompt. An empty string + omits prompt. If not specified, it defaults to select_account + for backwards compatibility. + type: string + type: object prompt: description: Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml index 4ec3953c6e232..e42dc48675faa 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml @@ -70,8 +70,8 @@ spec: type: array aws_role: description: AWSRole is used for the EC2 join method and is - the ARN of the AWS role that the auth server will assume in - order to call the ec2 API. + the ARN of the AWS role that the Auth Service will assume + in order to call the ec2 API. type: string type: object nullable: true @@ -102,6 +102,40 @@ spec: nullable: true type: array type: object + bitbucket: + description: Bitbucket allows the configuration of options specific + to the "bitbucket" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + branch_name: + type: string + deployment_environment_uuid: + type: string + repository_uuid: + type: string + workspace_uuid: + type: string + type: object + nullable: true + type: array + audience: + description: Audience is a Bitbucket-specified audience value + for this token. It is unique to each Bitbucket repository, and + must be set to the value as written in the Pipelines -> OpenID + Connect section of the repository settings. + type: string + identity_provider_url: + description: IdentityProviderURL is a Bitbucket-specified issuer + URL for incoming OIDC tokens. It is unique to each Bitbucket + repository, and must be set to the value as written in the Pipelines + -> OpenID Connect section of the repository settings. + type: string + type: object bot_name: description: BotName is the name of the bot this token grants access to, if any @@ -192,7 +226,7 @@ spec: against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate - must be trusted by the Auth Server. + must be trusted by the Auth Service. type: string enterprise_slug: description: EnterpriseSlug allows the slug of a GitHub Enterprise @@ -204,6 +238,12 @@ spec: if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. type: string + static_jwks: + description: StaticJWKS disables fetching of the GHES signing + keys via the JWKS/OIDC endpoints, and allows them to be directly + specified. This allows joining from GitHub Actions in GHES instances + that are not reachable by the Teleport Auth Service. + type: string type: object gitlab: description: GitLab allows the configuration of options specific to @@ -377,6 +417,14 @@ spec: is set to match the cluster name, it does not need to be set here. type: string + hostname: + description: Hostname is the hostname of the Terraform Enterprise + instance expected to issue JWTs allowed by this token. This + may be unset for regular Terraform Cloud use, in which case + it will be assumed to be `app.terraform.io`. Otherwise, it must + both match the `iss` (issuer) field included in JWTs, and provide + standard JWKS endpoints. + type: string type: object tpm: description: TPM allows the configuration of options specific to the diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml index 46f8d07612cdf..5d1c5ddfb9809 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml @@ -35,6 +35,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -249,7 +260,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -298,7 +308,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -326,12 +336,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -561,6 +600,17 @@ spec: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -775,7 +825,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -824,7 +873,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -852,12 +901,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -1133,9 +1211,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1228,9 +1309,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1268,6 +1347,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: @@ -1363,6 +1462,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -1577,7 +1687,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -1626,7 +1735,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -1654,12 +1763,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -1889,6 +2027,17 @@ spec: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -2103,7 +2252,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -2152,7 +2300,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -2180,12 +2328,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -2461,9 +2638,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -2556,9 +2736,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -2596,6 +2774,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml index 6fdf1b5acfb4b..f0af70fc7cf2f 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml @@ -38,6 +38,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -252,7 +263,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -301,7 +311,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -329,12 +339,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -564,6 +603,17 @@ spec: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -778,7 +828,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -827,7 +876,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -855,12 +904,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -1136,9 +1214,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1231,9 +1312,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1271,6 +1350,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml index 4cb600cf64307..88056b0b54a53 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml @@ -38,6 +38,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -252,7 +263,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -301,7 +311,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -329,12 +339,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -564,6 +603,17 @@ spec: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -778,7 +828,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -827,7 +876,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -855,12 +904,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. @@ -1136,9 +1214,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1231,9 +1312,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1271,6 +1350,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml index 1b53a4606956f..c6814333c7831 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml @@ -115,9 +115,52 @@ spec: description: EntityDescriptorURL is a URL that supplies a configuration XML. type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced on login. UNSPECIFIED is treated as NO. + x-kubernetes-int-or-string: true issuer: description: Issuer is the identity provider issuer. type: string + mfa: + description: MFASettings contains settings to enable SSO MFA checks + through this auth connector. + nullable: true + properties: + cert: + description: Cert is the identity provider certificate PEM. IDP + signs `` responses using this certificate. + type: string + enabled: + description: Enabled specified whether this SAML connector supports + MFA checks. Defaults to false. + type: boolean + entity_descriptor: + description: EntityDescriptor is XML with descriptor. It can be + used to supply configuration parameters in one XML file rather + than supplying them in the individual elements. Usually set + from EntityDescriptorUrl. + type: string + entity_descriptor_url: + description: EntityDescriptorUrl is a URL that supplies a configuration + XML. + type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced for MFA checks. UNSPECIFIED is treated as YES to always + re-authentication for MFA checks. This should only be set to + NO if the IdP is setup to perform MFA checks on top of active + user sessions. + x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. Usually set + from EntityDescriptor. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + Usually set from EntityDescriptor. + type: string + type: object provider: description: Provider is the external identity provider. type: string diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto index b83034160a9e7..373c325027d39 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto @@ -85,6 +85,10 @@ message AccessListOwner { // ineligible_status describes if this owner is eligible or not // and if not, describes how they're lacking eligibility. IneligibleStatus ineligible_status = 3; + + // membership_kind describes the type of membership, either + // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. + MembershipKind membership_kind = 4; } // AccessListAudit describes the audit configuration for an Access List. @@ -197,6 +201,21 @@ message MemberSpec { // ineligible_status describes if this member is eligible or not // and if not, describes how they're lacking eligibility. IneligibleStatus ineligible_status = 7; + + // membership_kind describes the type of membership, either + // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. + MembershipKind membership_kind = 9; +} + +// MembershipKind represents the different kinds of list membership +enum MembershipKind { + // MEMBERSHIP_KIND_UNSPECIFIED represents list members that are of + // unknown membership kind, defaulting to being treated as type USER + MEMBERSHIP_KIND_UNSPECIFIED = 0; + // MEMBERSHIP_KIND_USER represents list members that are normal users + MEMBERSHIP_KIND_USER = 1; + // MEMBERSHIP_KIND_LIST represents list members that are nested Access Lists + MEMBERSHIP_KIND_LIST = 2; } // IneligibleStatus describes how the user is ineligible. @@ -268,6 +287,12 @@ message ReviewChanges { // AccessListStatus contains dynamic fields calculated during retrieval. message AccessListStatus { - // member_count is the number of members in the in the Access List. + // member_count is the number of members in the Access List. optional uint32 member_count = 1; + // member_list_count is the number of nested list members in the Access List. + optional uint32 member_list_count = 2; + // owner_of describes Access Lists where this Access List is an explicit owner. + repeated string owner_of = 3; + // member_of describes Access Lists where this Access List is an explicit member. + repeated string member_of = 4; } diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto index 6cb986096e777..03b6f9ac35439 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto @@ -317,15 +317,11 @@ message RouteToWindowsDesktop { // RouteToApp contains parameters for application access certificate requests. message RouteToApp { + reserved 2; // SessionID, jsontag "session_id" + reserved "SessionID"; + // Name is the application name certificate is being requested for. string Name = 1 [(gogoproto.jsontag) = "name"]; - // SessionID is the ID of the application session. - // DEPRECATED: Automatically generated by server. - // TODO (Joerger): DELETE IN v17.0.0 - string SessionID = 2 [ - (gogoproto.jsontag) = "session_id", - deprecated = true - ]; // PublicAddr is the application public address. string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr"]; // ClusterName is the cluster where the application resides. @@ -457,9 +453,17 @@ message PingResponse { // LoadAllCAs signals whether or not tsh should load all CAs when trying // to ssh into a node. bool LoadAllCAs = 8 [(gogoproto.jsontag) = "load_all_cas"]; + // SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. + types.SignatureAlgorithmSuite signature_algorithm_suite = 9; reserved 6; // LicenseWarnings, jsontag "license_warnings" reserved "LicenseWarnings"; + + // LicenseExpiry is the expiry date of the enterprise license, if applicable. + google.protobuf.Timestamp LicenseExpiry = 10 [ + (gogoproto.stdtime) = true, + (gogoproto.jsontag) = "licenseExpiry" + ]; } // ProductType is the type of product. @@ -577,6 +581,8 @@ message Features { // NOTE: this flag is used to signal that Access Monitoring is *enabled* on a cluster. // *Access* to the feature is gated on the `AccessMonitoring` entitlement. bool AccessMonitoringConfigured = 36; + // CloudAnonymizationKey is a hash of the Salesforce ID used to anonymize usage events + bytes CloudAnonymizationKey = 37 [(gogoproto.jsontag) = "cloud_anonymization_key,omitempty"]; } // EntitlementInfo is the state and limits of a particular entitlement @@ -1211,6 +1217,10 @@ message MFAAuthenticateChallenge { // communications, in case of streaming RPCs. It may also return empty // challenges for all other fields. MFARequired MFARequired = 4; + // SSO Challenge is an SSO MFA challenge. If set, the client can go to the + // IdP redirect URL to perform an MFA check in the IdP and obtain an MFA token. + // This token paired with the request id can then be used as MFA verification. + SSOChallenge SSOChallenge = 5; } // MFAAuthenticateResponse is a response to MFAAuthenticateChallenge using one @@ -1220,6 +1230,7 @@ message MFAAuthenticateResponse { // Removed: U2FResponse U2F = 1; TOTPResponse TOTP = 2; webauthn.CredentialAssertionResponse Webauthn = 3; + SSOResponse SSO = 4; } } @@ -1236,6 +1247,24 @@ message TOTPResponse { string Code = 1; } +// SSOChallenge contains SSO auth request details to perform an SSO MFA check. +message SSOChallenge { + // RequestId is the ID of an SSO auth request. + string request_id = 1; + // RedirectUrl is an IdP redirect URL to initate the SSO MFA flow. + string redirect_url = 2; + // Device is the SSO device corresponding to the challenge. + types.SSOMFADevice device = 3; +} + +// SSOResponse is a response to SSOChallenge. +message SSOResponse { + // RequestId is the ID of an SSO auth request. + string request_id = 1; + // Token is a secret token used to verify the user's SSO MFA session. + string token = 2; +} + // MFARegisterChallenge is a challenge for registering a new MFA device. message MFARegisterChallenge { // Request depends on the type of the MFA device being registered. @@ -1860,9 +1889,11 @@ message CreateAuthenticateChallengeRequest { // call [AuthService.IsMFARequired] in the leaf instead of setting this field. IsMFARequiredRequest MFARequiredCheck = 5 [(gogoproto.jsontag) = "mfa_required_check,omitempty"]; // ChallengeExtensions are extensions that will be apply to the issued MFA challenge. - // ChallengeExtensions only apply to webauthn challenges currently. Required, except - // for v15 clients and older. + // Required, except for v15 clients and older. teleport.mfa.v1.ChallengeExtensions ChallengeExtensions = 6 [(gogoproto.jsontag) = "challenge_extensions,omitempty"]; + // SSOClientRedirectURL should be supplied If the client supports SSO MFA checks. + // If unset, the server will only return non-SSO challenges. + string SSOClientRedirectURL = 7 [(gogoproto.jsontag) = "sso_client_redirect_url,omitempty"]; } // CreatePrivilegeTokenRequest defines a request to obtain a privilege token. @@ -2138,6 +2169,9 @@ message UpdateSessionTrackerRequest { message PresenceMFAChallengeRequest { // SessionID is unique identifier of the session you want to request presence for. string SessionID = 1 [(gogoproto.jsontag) = "session_id,omitempty"]; + // SSOClientRedirectURL should be supplied If the client supports SSO MFA checks. + // If unset, the server will only return non-SSO challenges. + string SSOClientRedirectURL = 2 [(gogoproto.jsontag) = "sso_client_redirect_url,omitempty"]; } // PresenceMFAChallengeSend is a presence challenge request or response. @@ -2464,6 +2498,10 @@ message InventoryHeartbeat { types.ServerV2 SSHServer = 1; // AppServer is a complete app server spec to be heartbeated. types.AppServerV3 AppServer = 2; + // DatabaseServer is a complete db server spec to be heartbeated. + types.DatabaseServerV3 DatabaseServer = 3; + // KubeServer is a complete kube server spec to be heartbeated. + types.KubernetesServerV3 KubernetesServer = 4; } // UpstreamInventoryGoodbye informs the upstream service that instance @@ -2801,10 +2839,6 @@ service AuthService { // ListAccessRequests gets access requests with pagination and sorting. rpc ListAccessRequests(ListAccessRequestsRequest) returns (ListAccessRequestsResponse); - // CreateAccessRequest creates a new access request. - // Deprecated: use CreateAccessRequestV2 instead. - // DELETE IN v15.0.0. - rpc CreateAccessRequest(types.AccessRequestV3) returns (google.protobuf.Empty); // CreateAccessRequestV2 creates a new access request. rpc CreateAccessRequestV2(types.AccessRequestV3) returns (types.AccessRequestV3); // DeleteAccessRequest deletes an access request. @@ -3012,10 +3046,6 @@ service AuthService { // GetRole retrieves a role described by the given request. rpc GetRole(GetRoleRequest) returns (types.RoleV6); - // GetRole retrieves all roles. - // - // DELETE IN 17.0 - rpc GetRoles(google.protobuf.Empty) returns (GetRolesResponse); // ListRoles is a paginated role getter. rpc ListRoles(ListRolesRequest) returns (ListRolesResponse); // CreateRole creates a new role. diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto index 793ed8f43fd6d..7c0cd043eb13d 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto @@ -23,14 +23,17 @@ import "teleport/clusterconfig/v1/access_graph_settings.proto"; import "teleport/crownjewel/v1/crownjewel.proto"; import "teleport/dbobject/v1/dbobject.proto"; import "teleport/discoveryconfig/v1/discoveryconfig.proto"; +import "teleport/identitycenter/v1/identitycenter.proto"; import "teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto"; import "teleport/legacy/types/types.proto"; import "teleport/machineid/v1/bot_instance.proto"; import "teleport/machineid/v1/federation.proto"; import "teleport/notifications/v1/notifications.proto"; +import "teleport/provisioning/v1/provisioning.proto"; import "teleport/secreports/v1/secreports.proto"; import "teleport/userloginstate/v1/userloginstate.proto"; import "teleport/userprovisioning/v2/statichostuser.proto"; +import "teleport/usertasks/v1/user_tasks.proto"; option go_package = "github.com/gravitational/teleport/api/client/proto"; @@ -50,8 +53,10 @@ message Event { reserved 7; reserved 49; reserved 63; + reserved 68; reserved "ExternalCloudAudit"; reserved "StaticHostUser"; + reserved "AutoUpdateAgentPlan"; // Operation identifies operation Operation Type = 1; @@ -184,5 +189,22 @@ message Event { teleport.autoupdate.v1.AutoUpdateVersion AutoUpdateVersion = 65; // StaticHostUserV2 is a resource for static host users. teleport.userprovisioning.v2.StaticHostUser StaticHostUserV2 = 66; + // UserTask is a resource for user task. + teleport.usertasks.v1.UserTask UserTask = 67; + // DynamicWindowsDesktop is a resource for dynamic Windows desktop host. + types.DynamicWindowsDesktopV1 DynamicWindowsDesktop = 69; + // ProvisioningPrincipalState is a resource for tracking the provisioning of + // users and groups into downstream systems. + teleport.provisioning.v1.PrincipalState ProvisioningPrincipalState = 70; + // AutoUpdateVersion is a resource for controlling the autoupdate agent rollout. + teleport.autoupdate.v1.AutoUpdateAgentRollout AutoUpdateAgentRollout = 71; + // IdentityCenterAccount is a resource for tracking Identity Center accounts + teleport.identitycenter.v1.Account IdentityCenterAccount = 72; + // IdentityCenterPrincipalAssignment is a resource for tracking the AWS + // Permission Sets assigned to a Teleport user or AAccess List + teleport.identitycenter.v1.PrincipalAssignment IdentityCenterPrincipalAssignment = 73; + // IdentityCenterAccountlAssignment is a resource representing a potential + // Permission Set grant on a specific AWS account. + teleport.identitycenter.v1.AccountAssignment IdentityCenterAccountAssignment = 74; } } diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto index 68b35f06df334..4448558693d58 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto @@ -21,7 +21,8 @@ import "teleport/legacy/types/types.proto"; option go_package = "github.com/gravitational/teleport/api/client/proto"; -// TODO(nklaassen): Document me. +// RegisterUsingIAMMethodRequest is a request for registration via the IAM join +// method. message RegisterUsingIAMMethodRequest { // RegisterUsingTokenRequest holds registration parameters common to all // join methods. @@ -172,4 +173,7 @@ service JoinService { // RegisterUsingTPMMethod allows registration of a new agent or Bot to the // cluster using a known TPM. rpc RegisterUsingTPMMethod(stream RegisterUsingTPMMethodRequest) returns (stream RegisterUsingTPMMethodResponse); + // RegisterUsingToken is used to register a new node to the cluster using one + // of the legacy join methods which do not yet have their own gRPC method. + rpc RegisterUsingToken(types.RegisterUsingTokenRequest) returns (Certs); } diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/proxyservice.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/proxyservice.proto index 0cabcc6f2c8e8..30940ef7c932e 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/proxyservice.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/proxyservice.proto @@ -24,6 +24,9 @@ option go_package = "github.com/gravitational/teleport/api/client/proto"; service ProxyService { // DialNode opens a bidrectional stream to the requested node. rpc DialNode(stream Frame) returns (stream Frame); + + // Ping checks if the peer is reachable and responsive. + rpc Ping(ProxyServicePingRequest) returns (ProxyServicePingResponse); } // Frame wraps different message types to be sent over a stream. @@ -63,3 +66,7 @@ message Data { // ConnectionEstablished signals to the client a connection to the node has been established. message ConnectionEstablished {} + +message ProxyServicePingRequest {} + +message ProxyServicePingResponse {} diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto index 8e499bdae62d3..bd61c99381b62 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto @@ -20,6 +20,7 @@ import "gogoproto/gogo.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/wrappers.proto"; +import "teleport/accesslist/v1/accesslist.proto"; import "teleport/legacy/types/types.proto"; import "teleport/legacy/types/wrappers/wrappers.proto"; @@ -280,6 +281,10 @@ message AccessListMember { // MemberName is the name of the member. string MemberName = 4 [(gogoproto.jsontag) = "member_name,omitempty"]; + + // MembershipKind describes the kind of membership, either + // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. + teleport.accesslist.v1.MembershipKind membership_kind = 5 [(gogoproto.jsontag) = "membership_kind,omitempty"]; } // AccessListReviewMembershipRequirementsChanged contains information for when membership requirements change as part of a review. @@ -1892,6 +1897,54 @@ message SFTP { string Error = 12 [(gogoproto.jsontag) = "error,omitempty"]; } +// SFTPSummary is emitted at the end of an SFTP transfer +message SFTPSummary { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // SessionMetadata is a common event session metadata + SessionMetadata Session = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ServerMetadata is a common server metadata + ServerMetadata Server = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // FileTransferStats contains statistics about transferred files + repeated FileTransferStat FileTransferStats = 6 [(gogoproto.jsontag) = "file_transfer_stats"]; +} + +// FileTransferStat is statistics about a transferred file +message FileTransferStat { + string Path = 1 [(gogoproto.jsontag) = "path"]; + uint64 BytesRead = 2 [(gogoproto.jsontag) = "bytes_read"]; + uint64 BytesWritten = 3 [(gogoproto.jsontag) = "bytes_written"]; +} + // Subsystem is emitted when a user requests a new subsystem. message Subsystem { // Metadata is a common event metadata @@ -1920,6 +1973,13 @@ message Subsystem { // Error contains error in case of unsucessfull attempt string Error = 5 [(gogoproto.jsontag) = "exitError"]; + + // ServerMetadata is a common server metadata + ServerMetadata Server = 6 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // ClientDisconnect is emitted when client is disconnected @@ -3041,6 +3101,10 @@ message DatabaseSessionStart { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + // PostgresPID is the Postgres backend PID that was created for a Postgres + // connection. This can be useful for backend process cancellation or + // termination and it is not a sensitive or secret value. + uint32 PostgresPID = 8 [(gogoproto.jsontag) = "postgres_pid,omitempty"]; } // DatabaseSessionQuery is emitted when a user executes a database query. @@ -3460,6 +3524,9 @@ message WindowsDesktopSessionStart { // AllowUserCreation indicates whether automatic local user creation // is allowed for this session. bool AllowUserCreation = 12 [(gogoproto.jsontag) = "allow_user_creation"]; + // NLA indicates whether Teleport performed Network Level Authentication (NLA) + // when initiating this session. + bool NLA = 13 [(gogoproto.jsontag) = "nla"]; } // DatabaseSessionEnd is emitted when a user ends the database session. @@ -4397,23 +4464,30 @@ message PluginDelete { // PluginMetadata contains information about plugin resources. message PluginMetadata { + reserved 2; + reserved "plugin"; // plugin_type is the plugin type of the plugin resource. // The value matches the types.PluginV1.Spec.Type field. string plugin_type = 1 [(gogoproto.jsontag) = "plugin_type"]; - // plugin is the resource without secrets. - types.PluginV1 plugin = 2 [(gogoproto.jsontag) = "plugin,omitempty"]; - // has_credentials indicates whether the plugin has credentials. bool has_credentials = 3 [(gogoproto.jsontag) = "has_credentials"]; // reuses_credentials indicates whether the plugin reuses credentials. bool reuses_credentials = 4 [(gogoproto.jsontag) = "reuses_credentials"]; + + // plugin_data is the plugin data of the plugin resource. + google.protobuf.Struct plugin_data = 5 [ + (gogoproto.jsontag) = "plugin_data,omitempty", + (gogoproto.casttype) = "Struct" + ]; } // OneOf is a union of one of audit events submitted to the auth service message OneOf { // Event is one of the audit events + reserved 185, 186, 187; + reserved "AutoUpdateAgentPlanCreate", "AutoUpdateAgentPlanUpdate", "AutoUpdateAgentPlanDelete"; oneof Event { events.UserLogin UserLogin = 1; events.UserCreate UserCreate = 2; @@ -4592,6 +4666,16 @@ message OneOf { events.AutoUpdateVersionCreate AutoUpdateVersionCreate = 176; events.AutoUpdateVersionUpdate AutoUpdateVersionUpdate = 177; events.AutoUpdateVersionDelete AutoUpdateVersionDelete = 178; + events.StaticHostUserCreate StaticHostUserCreate = 179; + events.StaticHostUserUpdate StaticHostUserUpdate = 180; + events.StaticHostUserDelete StaticHostUserDelete = 181; + events.CrownJewelCreate CrownJewelCreate = 182; + events.CrownJewelUpdate CrownJewelUpdate = 183; + events.CrownJewelDelete CrownJewelDelete = 184; + events.UserTaskCreate UserTaskCreate = 188; + events.UserTaskUpdate UserTaskUpdate = 189; + events.UserTaskDelete UserTaskDelete = 190; + events.SFTPSummary SFTPSummary = 191; } } @@ -5582,6 +5666,10 @@ message SessionRecordingAccess { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + // SessionType is type of the session. + string SessionType = 4 [(gogoproto.jsontag) = "session_type,omitempty"]; + // Format is the format the session recording was accessed. + string Format = 5 [(gogoproto.jsontag) = "format,omitempty"]; } // KubeClusterMetadata contains common kubernetes cluster information. @@ -6603,6 +6691,12 @@ message SPIFFESVIDIssued { string SerialNumber = 8 [(gogoproto.jsontag) = "serial_number"]; // Hint is the hint of the issued SVID string Hint = 9 [(gogoproto.jsontag) = "hint"]; + // JTI is the JTI of the issued SVID. + // Only present if the SVID is a JWT. + string JTI = 10 [(gogoproto.jsontag) = "jti,omitempty"]; + // Audiences is the list of audiences in the issued SVID. + // Only present if the SVID is a JWT. + repeated string Audiences = 11 [(gogoproto.jsontag) = "audiences,omitempty"]; } // AuthPreferenceUpdate is emitted when the auth preference is updated. @@ -6894,6 +6988,13 @@ message AutoUpdateConfigCreate { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // Status indicates whether the creation was successful. + Status Status = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // AutoUpdateConfigUpdate is emitted when an auto update config is updated. @@ -6925,6 +7026,13 @@ message AutoUpdateConfigUpdate { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // AutoUpdateConfigDelete is emitted when an auto update config is deleted. @@ -6956,6 +7064,13 @@ message AutoUpdateConfigDelete { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // Status indicates whether the deletion was successful. + Status Status = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // AutoUpdateVersionCreate is emitted when an auto update version is created. @@ -6987,6 +7102,13 @@ message AutoUpdateVersionCreate { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // Status indicates whether the creation was successful. + Status Status = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // AutoUpdateVersionUpdate is emitted when an auto update version is updated. @@ -7018,6 +7140,13 @@ message AutoUpdateVersionUpdate { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } // AutoUpdateVersionDelete is emitted when an auto update version is deleted. @@ -7049,4 +7178,391 @@ message AutoUpdateVersionDelete { (gogoproto.embed) = true, (gogoproto.jsontag) = "" ]; + + // Status indicates whether the deletion was successful. + Status Status = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// StaticHostUserCreate is emitted when a static host user is created. +message StaticHostUserCreate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the creation was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// StaticHostUserUpdate is emitted when a static host user is updated. +message StaticHostUserUpdate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + // User is a common user event metadata + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// StaticHostUserDelete is emitted when a static host user is deleted. +message StaticHostUserDelete { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the deletion was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// CrownJewelCreate is emitted when a Access Graph CrownJewel is created. +message CrownJewelCreate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata. + ResourceMetadata resource = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // CrownJewelQuery is the query used to track the crown jewel. + string CrownJewelQuery = 6 [(gogoproto.jsontag) = "crown_jewel_query"]; +} + +// CrownJewelUpdate is emitted when a Access Graph CrownJewel is updated. +message CrownJewelUpdate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata. + ResourceMetadata resource = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // CurrentCrownJewelQuery is the current query used to track the crown jewel. + string CurrentCrownJewelQuery = 6 [(gogoproto.jsontag) = "current_crown_jewel_query"]; + + // UpdatedCrownJewelQuery is the new query used to track the crown jewel. + string UpdatedCrownJewelQuery = 7 [(gogoproto.jsontag) = "updated_crown_jewel_query"]; +} + +// CrownJewelDelete is emitted when a Access Graph CrownJewel is deleted. +message CrownJewelDelete { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata. + ResourceMetadata resource = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// UserTaskCreate is emitted when a user task is created. +message UserTaskCreate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // UserTaskMetadata holds information about the user task. + UserTaskMetadata UserTask = 6 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; +} + +// UserTaskUpdate is emitted when a user task is updated. +message UserTaskUpdate { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata. + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection. + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // UserTaskMetadata holds information about the user task. + UserTaskMetadata UserTask = 6 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // CurrentUserTaskState is the current UserTask State. + string CurrentUserTaskState = 7 [(gogoproto.jsontag) = "current_user_task_state"]; + + // UpdatedUserTaskState is the updated UserTask State. + string UpdatedUserTaskState = 8 [(gogoproto.jsontag) = "updated_user_task_state"]; +} + +// UserTaskMetadata contains key fields for the UserTask. +message UserTaskMetadata { + // TaskType is type of the task. + string TaskType = 1 [(gogoproto.jsontag) = "user_task_type"]; + // IssueType is type of the issue task. + string IssueType = 2 [(gogoproto.jsontag) = "user_task_issue_type"]; + // Integration is type of associated integration. + string Integration = 3 [(gogoproto.jsontag) = "user_task_integration"]; +} + +// UserTaskDelete is emitted when a user task is deleted. +message UserTaskDelete { + // Metadata is a common event metadata + Metadata Metadata = 1 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // Status indicates whether the update was successful. + Status Status = 2 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ResourceMetadata is a common resource event metadata + ResourceMetadata Resource = 3 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // User is a common user event metadata + UserMetadata User = 4 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; + + // ConnectionMetadata holds information about the connection + ConnectionMetadata Connection = 5 [ + (gogoproto.nullable) = false, + (gogoproto.embed) = true, + (gogoproto.jsontag) = "" + ]; } diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto index 771b714a8e86b..7739ecad6c7a0 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto @@ -504,6 +504,8 @@ message RDS { repeated string Subnets = 5 [(gogoproto.jsontag) = "subnets,omitempty"]; // VPCID is the VPC where the RDS is running. string VPCID = 6 [(gogoproto.jsontag) = "vpc_id,omitempty"]; + // SecurityGroups is a list of attached security groups for the RDS instance. + repeated string SecurityGroups = 7 [(gogoproto.jsontag) = "security_groups,omitempty"]; } // RDSProxy contains AWS RDS Proxy specific database metadata. @@ -686,10 +688,10 @@ message InstanceSpecV1 { // Hostname is the hostname this instance most recently advertised. string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"]; - // AuthID is the ID of the auth server that most recently observed this instance. + // AuthID is the ID of the Auth Service that most recently observed this instance. string AuthID = 4 [(gogoproto.jsontag) = "auth_id,omitempty"]; - // LastSeen is the last time an auth server reported observing this instance. + // LastSeen is the last time an Auth Service server reported observing this instance. google.protobuf.Timestamp LastSeen = 5 [ (gogoproto.stdtime) = true, (gogoproto.nullable) = false, @@ -713,10 +715,10 @@ message InstanceSpecV1 { // InstanceControlLogEntry represents an entry in a given instance's control log. The control log of // an instance is protected by CompareAndSwap semantics, allowing entries to function as a means of -// synchronization as well as recordkeeping. For example, an auth server intending to trigger an upgrade +// synchronization as well as recordkeeping. For example, an Auth Service instance intending to trigger an upgrade // for a given instance can check its control log for 'upgrade-attempt' entries. If no such entry exists, // it can attempt to write an 'upgrade-attempt' entry of its own. If that entry successfully writes without -// hitting a CompareFailed, the auth server knows that no other auth servers will make concurrent upgrade +// hitting a CompareFailed, the Auth Service instance knows that no other Auth Service instances will make concurrent upgrade // attempts while that entry persists. // // NOTE: Due to resource size and backend throughput limitations, care should be taken to minimize the @@ -783,7 +785,7 @@ message InstanceFilter { string NewerThanVersion = 7; } -// ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster. +// ServerV2 represents a Node, App, Database, Proxy or Auth Service instance in a Teleport cluster. message ServerV2 { option (gogoproto.goproto_stringer) = false; option (gogoproto.stringer) = false; @@ -945,6 +947,42 @@ message AppV3 { ]; } +// CORSPolicy defines the CORS policy for AppSpecV3 +message CORSPolicy { + // allowed_origins specifies which origins are allowed to access the app. + repeated string allowed_origins = 1 [(gogoproto.jsontag) = "allowed_origins,omitempty"]; + // allowed_methods specifies which methods are allowed when accessing the app. + repeated string allowed_methods = 2 [(gogoproto.jsontag) = "allowed_methods,omitempty"]; + // allowed_headers specifies which headers can be used when accessing the app. + repeated string allowed_headers = 3 [(gogoproto.jsontag) = "allowed_headers,omitempty"]; + // allow_credentials indicates whether credentials are allowed. + bool allow_credentials = 4 [(gogoproto.jsontag) = "allow_credentials,omitempty"]; + // max_age indicates how long (in seconds) the results of a preflight request can be cached. + uint32 max_age = 5 [(gogoproto.jsontag) = "max_age,omitempty"]; + // exposed_headers indicates which headers are made available to scripts via the browser. + repeated string exposed_headers = 6 [(gogoproto.jsontag) = "exposed_headers,omitempty"]; +} + +// IdentityCenterPermissionSet defines a permission set that is available on an +// IdentityCenter account app +message IdentityCenterPermissionSet { + // ARN is the fully-formed ARN of the Permission Set. + string ARN = 1 [(gogoproto.jsontag) = "arn,omitempty"]; + + // Name is the human-readable name of the Permission Set. + string Name = 2 [(gogoproto.jsontag) = "name,omitempty"]; +} + +// AppIdentityCenter encapsulates information about an AWS Identity Center +// account application. +message AppIdentityCenter { + // Account ID is the AWS-assigned ID of the account + string AccountID = 1 [(gogoproto.jsontag) = "account_id,omitempty"]; + + // PermissionSets lists the available permission sets on the given account + repeated IdentityCenterPermissionSet PermissionSets = 2 [(gogoproto.jsontag) = "permission_sets,omitempty"]; +} + // AppSpecV3 is the AppV3 resource spec. message AppSpecV3 { // URI is the web app endpoint. @@ -970,6 +1008,14 @@ message AppSpecV3 { // Only applicable to AWS App Access. // If present, the Application must use the Integration's credentials instead of ambient credentials to access Cloud APIs. string Integration = 9 [(gogoproto.jsontag) = "integration,omitempty"]; + // RequiredAppNames is a list of app names that are required for this app to function. Any app listed here will + // be part of the authentication redirect flow and authenticate along side this app. + repeated string RequiredAppNames = 10 [(gogoproto.jsontag) = "required_app_names,omitempty"]; + // CORSPolicy defines the Cross-Origin Resource Sharing settings for the app. + CORSPolicy CORS = 11 [(gogoproto.jsontag) = "cors,omitempty"]; + // IdentityCenter encasulates AWS identity-center specific information. Only + // valid for Identity Center account apps. + AppIdentityCenter IdentityCenter = 12 [(gogoproto.jsontag) = "identity_center,omitempty"]; } // AppServerOrSAMLIdPServiceProviderV1 holds either an AppServerV3 or a SAMLIdPServiceProviderV1 resource (never both). @@ -1230,7 +1276,7 @@ message TokenRule { // node is allowed to join from. repeated string AWSRegions = 2 [(gogoproto.jsontag) = "aws_regions,omitempty"]; // AWSRole is used for the EC2 join method and is the ARN of the AWS - // role that the auth server will assume in order to call the ec2 API. + // role that the Auth Service will assume in order to call the ec2 API. string AWSRole = 3 [(gogoproto.jsontag) = "aws_role,omitempty"]; // AWSARN is used for the IAM join method, the AWS identity of joining nodes // must match this ARN. Supports wildcards "*" and "?". @@ -1298,6 +1344,8 @@ message ProvisionTokenSpecV2 { ProvisionTokenSpecV2TPM TPM = 15 [(gogoproto.jsontag) = "tpm,omitempty"]; // TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method. ProvisionTokenSpecV2TerraformCloud TerraformCloud = 16 [(gogoproto.jsontag) = "terraform_cloud,omitempty"]; + // Bitbucket allows the configuration of options specific to the "bitbucket" join method. + ProvisionTokenSpecV2Bitbucket Bitbucket = 17 [(gogoproto.jsontag) = "bitbucket,omitempty"]; } // ProvisionTokenSpecV2TPM contains the TPM-specific part of the @@ -1375,7 +1423,7 @@ message ProvisionTokenSpecV2GitHub { // // This value should be the hostname of the GHES instance, and should not // include the scheme or a path. The instance must be accessible over HTTPS - // at this hostname and the certificate must be trusted by the Auth Server. + // at this hostname and the certificate must be trusted by the Auth Service. string EnterpriseServerHost = 2 [(gogoproto.jsontag) = "enterprise_server_host,omitempty"]; // EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be // included in the expected issuer of the OIDC tokens. This is for @@ -1388,6 +1436,11 @@ message ProvisionTokenSpecV2GitHub { // See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise // for more information about customized issuer values. string EnterpriseSlug = 3 [(gogoproto.jsontag) = "enterprise_slug,omitempty"]; + // StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC + // endpoints, and allows them to be directly specified. This allows joining + // from GitHub Actions in GHES instances that are not reachable by the + // Teleport Auth Service. + string StaticJWKS = 4 [(gogoproto.jsontag) = "static_jwks,omitempty"]; } // ProvisionTokenSpecV2GitLab contains the GitLab-specific part of the @@ -1398,14 +1451,14 @@ message ProvisionTokenSpecV2GitLab { // `project_path:mygroup/my-project:ref_type:branch:ref:main` // project_path:GROUP/PROJECT:ref_type:TYPE:ref:BRANCH_NAME // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. string Sub = 1 [(gogoproto.jsontag) = "sub,omitempty"]; // Ref allows access to be limited to jobs triggered by a specific git ref. // Ensure this is used in combination with ref_type. // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. string Ref = 2 [(gogoproto.jsontag) = "ref,omitempty"]; @@ -1418,7 +1471,7 @@ message ProvisionTokenSpecV2GitLab { // Example: // `mygroup` // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. string NamespacePath = 4 [(gogoproto.jsontag) = "namespace_path,omitempty"]; @@ -1426,7 +1479,7 @@ message ProvisionTokenSpecV2GitLab { // project. Example: // `mygroup/myproject` // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. string ProjectPath = 5 [(gogoproto.jsontag) = "project_path,omitempty"]; @@ -1629,6 +1682,56 @@ message ProvisionTokenSpecV2TerraformCloud { // Terraform Cloud, this value should be `foo`. If the variable is set to // match the cluster name, it does not need to be set here. string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"]; + + // Hostname is the hostname of the Terraform Enterprise instance expected to + // issue JWTs allowed by this token. This may be unset for regular Terraform + // Cloud use, in which case it will be assumed to be `app.terraform.io`. + // Otherwise, it must both match the `iss` (issuer) field included in JWTs, + // and provide standard JWKS endpoints. + string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"]; +} + +message ProvisionTokenSpecV2Bitbucket { + // Rule is a set of properties the Bitbucket-issued token might have to be + // allowed to use this ProvisionToken. + message Rule { + // WorkspaceUUID is the UUID of the workspace for which this token was + // issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`. + // This value may be found in the Pipelines -> OpenID Connect section of the + // repository settings. + string WorkspaceUUID = 1 [(gogoproto.jsontag) = "workspace_uuid,omitempty"]; + + // RepositoryUUID is the UUID of the repository for which this token was + // issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`. + // This value may be found in the Pipelines -> OpenID Connect section of the + // repository settings. + string RepositoryUUID = 2 [(gogoproto.jsontag) = "repository_uuid,omitempty"]; + + // DeploymentEnvironmentUUID is the UUID of the deployment environment + // targeted by this pipelines run, if any. These values may be found in the + // "Pipelines -> OpenID Connect -> Deployment environments" section of the + // repository settings. + string DeploymentEnvironmentUUID = 3 [(gogoproto.jsontag) = "deployment_environment_uuid,omitempty"]; + + // BranchName is the name of the branch on which this pipeline executed. + string BranchName = 4 [(gogoproto.jsontag) = "branch_name,omitempty"]; + } + + // Allow is a list of Rules, nodes using this token must match one + // allow rule to use this token. + repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"]; + + // Audience is a Bitbucket-specified audience value for this token. It is + // unique to each Bitbucket repository, and must be set to the value as + // written in the Pipelines -> OpenID Connect section of the repository + // settings. + string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"]; + + // IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC + // tokens. It is unique to each Bitbucket repository, and must be set to the + // value as written in the Pipelines -> OpenID Connect section of the + // repository settings. + string IdentityProviderURL = 3 [(gogoproto.jsontag) = "identity_provider_url,omitempty"]; } // StaticTokensV2 implements the StaticTokens interface. @@ -1694,7 +1797,7 @@ message ClusterNameSpecV2 { string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"]; // ClusterID is the unique cluster ID that is set once during the first - // auth server startup. + // Auth Service startup. string ClusterID = 2 [(gogoproto.jsontag) = "cluster_id"]; } @@ -1969,7 +2072,7 @@ message AuthPreferenceSpecV2 { // Type is the type of authentication. string Type = 1 [(gogoproto.jsontag) = "type"]; - // SecondFactor is the type of second factor. + // SecondFactor is the type of mult-factor. string SecondFactor = 2 [ (gogoproto.jsontag) = "second_factor,omitempty", (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.SecondFactorType" @@ -2058,29 +2161,40 @@ message AuthPreferenceSpecV2 { // Requires Teleport Enterprise. OktaOptions Okta = 17 [(gogoproto.jsontag) = "okta,omitempty"]; - // TODO(Joerger): DELETE IN 17.0.0 - // Deprecated, replaced by HardwareKey settings. - string PIVSlot = 18 [ - (gogoproto.jsontag) = "piv_slot,omitempty", - deprecated = true - ]; + reserved 18; // PIVSlot replaced by HardwareKey + reserved "PIVSlot"; // HardwareKey are the settings for hardware key support. HardwareKey HardwareKey = 19 [(gogoproto.jsontag) = "hardware_key,omitempty"]; // SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. - // The current default value is "legacy". This field is not yet fully supported. + // If unspecified, the current default value is "legacy". + // 1 is "legacy", 2 is "balanced-v1", 3 is "fips-v1", 4 is "hsm-v1". SignatureAlgorithmSuite signature_algorithm_suite = 20; + + // SecondFactors is a list of supported second factor types. + repeated SecondFactorType SecondFactors = 21 [(gogoproto.jsontag) = "second_factors,omitempty"]; +} + +// SecondFactorType is a type of second factor. +enum SecondFactorType { + SECOND_FACTOR_TYPE_UNSPECIFIED = 0; + // SECOND_FACTOR_TYPE_OTP is OTP second factor. + SECOND_FACTOR_TYPE_OTP = 1; + // SECOND_FACTOR_TYPE_WEBAUTHN is WebAuthn second factor. + SECOND_FACTOR_TYPE_WEBAUTHN = 2; + // SECOND_FACTOR_TYPE_SSO is SSO second factor. + SECOND_FACTOR_TYPE_SSO = 3; } // U2F defines settings for U2F device. // Deprecated: U2F is transparently converted to WebAuthn by Teleport. Prefer // using WebAuthn instead. message U2F { - // AppID returns the application ID for universal second factor. + // AppID returns the application ID for universal mult-factor. string AppID = 1 [(gogoproto.jsontag) = "app_id,omitempty"]; - // Facets returns the facets for universal second factor. + // Facets returns the facets for universal mult-factor. // Deprecated: Kept for backwards compatibility reasons, but Facets have no // effect since Teleport v10, when Webauthn replaced the U2F implementation. repeated string Facets = 2 [(gogoproto.jsontag) = "facets,omitempty"]; @@ -2099,7 +2213,7 @@ message Webauthn { // IMPORTANT: RPID must never change in the lifetime of the cluster, because // it's recorded in the registration data on the WebAuthn device. If the // RPID changes, all existing WebAuthn key registrations will become invalid - // and all users who use WebAuthn as the second factor will need to + // and all users who use WebAuthn as the multi-factor will need to // re-register. string RPID = 1 [(gogoproto.jsontag) = "rp_id,omitempty"]; // Allow list of device attestation CAs in PEM format. @@ -2292,7 +2406,7 @@ message UserTokenSecretsSpecV3 { ]; } -// AccessRequest represents an access request resource specification +// AccessRequest represents an Access Request resource specification message AccessRequestV3 { option (gogoproto.goproto_stringer) = false; option (gogoproto.stringer) = false; @@ -2332,7 +2446,7 @@ message AccessReviewThreshold { } // PromotedAccessList is a minimal access list representation used for -// promoting access requests to access lists. +// promoting Access Requests to access lists. message PromotedAccessList { // Name is the name of the access list. string Name = 1 [(gogoproto.jsontag) = "name"]; @@ -2340,7 +2454,7 @@ message PromotedAccessList { string Title = 2 [(gogoproto.jsontag) = "title"]; } -// AccessReview is a review to be applied to an access request. +// AccessReview is a review to be applied to an Access Request. message AccessReview { // Author is the teleport username of the review author. string Author = 1 [(gogoproto.jsontag) = "author"]; @@ -2437,7 +2551,7 @@ message AccessRequestSpecV3 { string User = 1 [(gogoproto.jsontag) = "user"]; // Roles is the name of the roles being requested. repeated string Roles = 2 [(gogoproto.jsontag) = "roles"]; - // State is the current state of this access request. + // State is the current state of this Access Request. RequestState State = 3 [(gogoproto.jsontag) = "state,omitempty"]; // Created encodes the time at which the request was registered with the auth // server. @@ -2472,10 +2586,10 @@ message AccessRequestSpecV3 { ]; // SystemAnnotations is a set of programmatically generated annotations attached - // to pending access requests by teleport. These annotations are generated by + // to pending Access Requests by teleport. These annotations are generated by // applying variable interpolation to the RoleConditions.Request.Annotations block // of a user's role(s). These annotations serve as a mechanism for administrators - // to pass extra information to plugins when they process pending access requests. + // to pass extra information to plugins when they process pending Access Requests. wrappers.LabelValues SystemAnnotations = 9 [ (gogoproto.nullable) = false, (gogoproto.jsontag) = "system_annotations,omitempty", @@ -2518,12 +2632,12 @@ message AccessRequestSpecV3 { (gogoproto.nullable) = false ]; - // LoginHint is used as a hint for search-based access requests to select + // LoginHint is used as a hint for search-based Access Requests to select // roles based on the login the user is attempting. string LoginHint = 15 [(gogoproto.jsontag) = "login_hint,omitempty"]; // DryRun indicates that the request should not actually be created, the - // auth server should only validate the access request. + // Auth Service should only validate the Access Request. bool DryRun = 16 [(gogoproto.jsontag) = "dry_run,omitempty"]; // MaxDuration indicates how long the access should be granted for. @@ -2570,7 +2684,7 @@ enum AccessRequestScope { REVIEWED = 3; } -// AccessRequestFilter encodes filter params for access requests. +// AccessRequestFilter encodes filter params for Access Requests. message AccessRequestFilter { // ID specifies a request ID if set. string ID = 1 [(gogoproto.jsontag) = "id,omitempty"]; @@ -2586,7 +2700,7 @@ message AccessRequestFilter { repeated string SearchKeywords = 4 [(gogoproto.jsontag) = "search,omitempty"]; // Scope is an aditional filter to view requests based on needs review, reviewed, my requests AccessRequestScope Scope = 5 [(gogoproto.jsontag) = "scope,omitempty"]; - // Requester is the requester of the api call. This is set by the auth server + // Requester is the requester of the api call. This is set by the Auth Service // Use User for the requester of the request. string Requester = 6 [(gogoproto.jsontag) = "requester,omitempty"]; } @@ -2636,6 +2750,14 @@ message AccessCapabilitiesRequest { bool FilterRequestableRolesByResource = 6 [(gogoproto.jsontag) = "filter_requestable_roles_by_resource,omitempty"]; } +// RequestKubernetesResource is the Kubernetes resource identifier used +// in access request settings. +// Modeled after existing message KubernetesResource. +message RequestKubernetesResource { + // kind specifies the Kubernetes Resource type. + string kind = 1 [(gogoproto.jsontag) = "kind,omitempty"]; +} + // ResourceID is a unique identifier for a teleport resource. message ResourceID { // ClusterName is the name of the cluster the resource is in. @@ -2801,6 +2923,38 @@ enum CreateDatabaseUserMode { DB_USER_MODE_BEST_EFFORT_DROP = 3; } +// SSHLocalPortForwarding configures access controls for local SSH port forwarding. +message SSHLocalPortForwarding { + BoolValue Enabled = 1 [ + (gogoproto.nullable) = true, + (gogoproto.jsontag) = "enabled,omitempty", + (gogoproto.customtype) = "BoolOption" + ]; +} + +// SSHRemotePortForwarding configures access controls for remote SSH port forwarding. +message SSHRemotePortForwarding { + BoolValue Enabled = 1 [ + (gogoproto.nullable) = true, + (gogoproto.jsontag) = "enabled,omitempty", + (gogoproto.customtype) = "BoolOption" + ]; +} + +// SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. +message SSHPortForwarding { + // Allow local port forwarding. + SSHLocalPortForwarding Local = 1 [ + (gogoproto.nullable) = true, + (gogoproto.jsontag) = "local,omitempty" + ]; + // Allow remote port forwarding. + SSHRemotePortForwarding Remote = 2 [ + (gogoproto.nullable) = true, + (gogoproto.jsontag) = "remote,omitempty" + ]; +} + // RoleOptions is a set of role options message RoleOptions { // ForwardAgent is SSH agent forwarding. @@ -2815,11 +2969,9 @@ message RoleOptions { (gogoproto.casttype) = "Duration" ]; - // PortForwarding defines if the certificate will have - // "permit-port-forwarding" - // in the certificate. PortForwarding is "yes" if not set, - // that's why this is a pointer + // Deprecated: Use SSHPortForwarding instead BoolValue PortForwarding = 3 [ + deprecated = true, (gogoproto.nullable) = true, (gogoproto.jsontag) = "port_forwarding,omitempty", (gogoproto.customtype) = "BoolOption" @@ -2911,7 +3063,7 @@ message RoleOptions { (gogoproto.customtype) = "BoolOption" ]; - // CreateHostUser allows users to be automatically created on a host + // Deprecated: use CreateHostUserMode instead. BoolValue CreateHostUser = 20 [ (gogoproto.nullable) = true, (gogoproto.jsontag) = "create_host_user,omitempty", @@ -2983,6 +3135,15 @@ message RoleOptions { (gogoproto.nullable) = false, (gogoproto.stdduration) = true ]; + + // CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users. + string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"]; + + // SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. + SSHPortForwarding SSHPortForwarding = 32 [ + (gogoproto.nullable) = true, + (gogoproto.jsontag) = "ssh_port_forwarding,omitempty" + ]; } message RecordSession { @@ -3204,6 +3365,20 @@ message RoleConditions { reserved "SAMLIdPServiceProviderLabels"; reserved 41; // removed saml_idp_service_provider_labels_expression in favor of using app_labels_expression. reserved "SAMLIdPServiceProviderLabelsExpression"; + + // AccountAssignments holds the list of account assignments affected by this + // condition. + repeated IdentityCenterAccountAssignment AccountAssignments = 42 [ + (gogoproto.nullable) = false, + (gogoproto.jsontag) = "account_assignments,omitempty" + ]; +} + +// IdentityCenterAccountAssignment captures an AWS Identity Center account +// assignment (acccount + permission set) pair. +message IdentityCenterAccountAssignment { + string PermissionSet = 1 [(gogoproto.jsontag) = "permission_set,omitempty"]; + string Account = 2 [(gogoproto.jsontag) = "account,omitempty"]; } // SPIFFERoleCondition sets out which SPIFFE identities this role is allowed or @@ -3262,7 +3437,6 @@ message DatabasePermission { // KubernetesResource is the Kubernetes resource identifier. message KubernetesResource { // Kind specifies the Kubernetes Resource type. - // At the moment only "pod" is supported. string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"]; // Namespace is the resource namespace. // It supports wildcards. @@ -3325,7 +3499,7 @@ message AccessRequestConditions { ]; // Annotations is a collection of annotations to be programmatically - // appended to pending access requests at the time of their creation. + // appended to pending Access Requests at the time of their creation. // These annotations serve as a mechanism to propagate extra information // to plugins. Since these annotations support variable interpolation // syntax, they also offer a mechanism for forwarding claims from an @@ -3361,6 +3535,31 @@ message AccessRequestConditions { (gogoproto.jsontag) = "max_duration,omitempty", (gogoproto.casttype) = "Duration" ]; + + // kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. + // Eg: Users can make request to either a resource kind "kube_cluster" or any of its + // subresources like "namespaces". This field can be defined such that it prevents a user + // from requesting "kube_cluster" and enforce requesting any of its subresources. + repeated RequestKubernetesResource kubernetes_resources = 8 [ + (gogoproto.nullable) = false, + (gogoproto.jsontag) = "kubernetes_resources,omitempty" + ]; + + // Reason defines settings for the reason for the access provided by the user. + AccessRequestConditionsReason Reason = 9 [(gogoproto.jsontag) = "reason,omitempty"]; +} + +// AccessRequestConditionsReason defines settings for the reason for the access provided by the +// user. +message AccessRequestConditionsReason { + // Mode can be either "required" or "optional". Empty string is treated as "optional". If a role + // has the request reason mode set to "required", then reason is required for all Access Requests + // requesting roles or resources allowed by this role. It applies only to users who have this + // role assigned. + string Mode = 1 [ + (gogoproto.jsontag) = "mode,omitempty", + (gogoproto.casttype) = "RequestReasonMode" + ]; } // AccessReviewConditions is a matcher for allow/deny restrictions on @@ -3386,7 +3585,7 @@ message AccessReviewConditions { repeated string PreviewAsRoles = 4 [(gogoproto.jsontag) = "preview_as_roles,omitempty"]; } -// AccessRequestAllowedPromotion describes an allowed promotion to an access list. +// AccessRequestAllowedPromotion describes an allowed promotion to an Access List. message AccessRequestAllowedPromotion { // associated access list string accessListName = 1; @@ -3492,6 +3691,9 @@ message UserStatusV2 { // perform any password-related activity since then. See RFD 0159 for // details. Do NOT use this value for authentication purposes! PasswordState password_state = 1 [(gogoproto.jsontag) = "password_state,omitempty"]; + // mfa_weakest_device reflects what the system knows about the user's weakest MFA device. + // Note that this is a "best effort" property, in that it can be UNSPECIFIED. + MFADeviceKind mfa_weakest_device = 2 [(gogoproto.jsontag) = "mfa_weakest_device,omitempty"]; } // PasswordState indicates what is known about existence of user's password. @@ -3504,6 +3706,18 @@ enum PasswordState { PASSWORD_STATE_SET = 2; } +// MFADeviceKind indicates what is known about existence of user's MFA device. +enum MFADeviceKind { + // Unable to tell whether the MFA device has been configured. + MFA_DEVICE_KIND_UNSPECIFIED = 0; + // MFA device is known to be not configured. + MFA_DEVICE_KIND_UNSET = 1; + // MFA device is known to be configured using TOTP as the weakest form of MFA. + MFA_DEVICE_KIND_TOTP = 2; + // MFA device is known to be configured using WebAuthn as the weakest form of MFA. + MFA_DEVICE_KIND_WEBAUTHN = 3; +} + // UserSpecV2 is a specification for V2 user message UserSpecV2 { // OIDCIdentities lists associated OpenID Connect identities @@ -3649,7 +3863,7 @@ message LocalAuthSecrets { repeated MFADevice MFA = 5 [(gogoproto.jsontag) = "mfa,omitempty"]; // Webauthn holds settings necessary for webauthn local auth. // May be null for legacy users or users that haven't yet used webauthn as - // their second factor. + // their multi-factor. WebauthnLocalAuth Webauthn = 6 [(gogoproto.jsontag) = "webauthn,omitempty"]; } @@ -3678,6 +3892,7 @@ message MFADevice { TOTPDevice totp = 8; U2FDevice u2f = 9; WebauthnDevice webauthn = 10; + SSOMFADevice sso = 11; } } @@ -3742,6 +3957,16 @@ message WebauthnDevice { google.protobuf.BoolValue credential_backed_up = 10; } +// SSOMFADevice contains details of an SSO MFA method. +message SSOMFADevice { + // connector_id is the ID of the SSO connector. + string connector_id = 1; + // connector_type is the type of the SSO connector. + string connector_type = 2; + // display_name is the display name of the SSO connector + string display_name = 3; +} + // WebauthnLocalAuth holds settings necessary for local webauthn use. message WebauthnLocalAuth { // UserID is the random user handle generated for the user. @@ -4454,7 +4679,7 @@ message OIDCConnectorSpecV3 { // IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com. string IssuerURL = 1 [(gogoproto.jsontag) = "issuer_url"]; - // ClientID is the id of the authentication client (Teleport Auth server). + // ClientID is the id of the authentication client (Teleport Auth Service). string ClientID = 2 [(gogoproto.jsontag) = "client_id"]; // ClientSecret is used to authenticate the client. string ClientSecret = 3 [(gogoproto.jsontag) = "client_secret"]; @@ -4505,6 +4730,8 @@ message OIDCConnectorSpecV3 { // ClientRedirectSettings defines which client redirect URLs are allowed for // non-browser SSO logins other than the standard localhost ones. SSOClientRedirectSettings ClientRedirectSettings = 18 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"]; + // MFASettings contains settings to enable SSO MFA checks through this auth connector. + OIDCConnectorMFASettings MFASettings = 19 [(gogoproto.jsontag) = "mfa,omitempty"]; } // MaxAge allows the max_age parameter to be nullable to preserve backwards @@ -4525,8 +4752,29 @@ message SSOClientRedirectSettings { repeated string insecure_allowed_cidr_ranges = 2; } +// OIDCConnectorMFASettings contains OIDC MFA settings. +message OIDCConnectorMFASettings { + // Enabled specified whether this OIDC connector supports MFA checks. Defaults to false. + bool enabled = 1; + // ClientID is the OIDC OAuth app client ID. + string client_id = 2; + // ClientSecret is the OIDC OAuth app client secret. + string client_secret = 3; + // AcrValues are Authentication Context Class Reference values. The meaning of the ACR + // value is context-specific and varies for identity providers. Some identity providers + // support MFA specific contexts, such Okta with its "phr" (phishing-resistant) ACR. + string acr_values = 4; + // Prompt is an optional OIDC prompt. An empty string omits prompt. + // If not specified, it defaults to select_account for backwards compatibility. + string prompt = 5; + // MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to + // 0 to always force re-authentication for MFA checks. This should only be set to a non-zero + // value if the IdP is setup to perform MFA checks on top of active user sessions. + int64 max_age = 6 [(gogoproto.casttype) = "Duration"]; +} + // OIDCAuthRequest is a request to authenticate with OIDC -// provider, the state about request is managed by auth server +// provider, the state about request is managed by Auth Service message OIDCAuthRequest { // ConnectorID is ID of OIDC connector this request uses string ConnectorID = 1 [(gogoproto.jsontag) = "connector_id"]; @@ -4549,10 +4797,13 @@ message OIDCAuthRequest { string RedirectURL = 6 [(gogoproto.jsontag) = "redirect_url"]; // PublicKey is an optional public key, users want these keys to be signed by - // auth servers user CA in case of successful auth. + // the Auth Service's user CA in case of successful auth. // - // Soon to be deprecated after references are removed from teleport.e. - bytes PublicKey = 7 [(gogoproto.jsontag) = "public_key"]; + // Deprecated: prefer SshPublicKey and/or TlsPublicKey. + bytes PublicKey = 7 [ + (gogoproto.jsontag) = "public_key", + deprecated = true + ]; // CertTTL is the TTL of the certificate user wants to get int64 CertTTL = 8 [ @@ -4591,8 +4842,11 @@ message OIDCAuthRequest { // attestation_statement is an attestation statement for the given public key. // - // Soon to be deprecated after references are removed from teleport.e. - teleport.attestation.v1.AttestationStatement attestation_statement = 17 [(gogoproto.jsontag) = "attestation_statement,omitempty"]; + // Deprecated: prefer SshAttestationStatement and/or TlsAttestationStatement. + teleport.attestation.v1.AttestationStatement attestation_statement = 17 [ + (gogoproto.jsontag) = "attestation_statement,omitempty", + deprecated = true + ]; // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates. string ClientLoginIP = 18 [(gogoproto.jsontag) = "client_login_ip,omitempty"]; @@ -4691,10 +4945,49 @@ message SAMLConnectorSpecV2 { SSOClientRedirectSettings ClientRedirectSettings = 15 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"]; // SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled. string SingleLogoutURL = 16 [(gogoproto.jsontag) = "single_logout_url,omitempty"]; + // MFASettings contains settings to enable SSO MFA checks through this auth connector. + SAMLConnectorMFASettings MFASettings = 17 [(gogoproto.jsontag) = "mfa,omitempty"]; + // ForceAuthn specified whether re-authentication should be forced on login. UNSPECIFIED + // is treated as NO. + SAMLForceAuthn ForceAuthn = 18 [(gogoproto.jsontag) = "force_authn,omitempty"]; +} + +// SAMLConnectorMFASettings contains SAML MFA settings. +message SAMLConnectorMFASettings { + // Enabled specified whether this SAML connector supports MFA checks. Defaults to false. + bool enabled = 1; + // EntityDescriptor is XML with descriptor. It can be used to supply configuration + // parameters in one XML file rather than supplying them in the individual elements. + // Usually set from EntityDescriptorUrl. + string entity_descriptor = 2; + // EntityDescriptorUrl is a URL that supplies a configuration XML. + string entity_descriptor_url = 3; + // ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is + // treated as YES to always re-authentication for MFA checks. This should only be set to NO if the + // IdP is setup to perform MFA checks on top of active user sessions. + SAMLForceAuthn force_authn = 4; + // Issuer is the identity provider issuer. Usually set from EntityDescriptor. + string issuer = 5; + // SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor. + string sso = 6; + // Cert is the identity provider certificate PEM. + // IDP signs `` responses using this certificate. + string cert = 7; +} + +// SAMLForceAuthn specified whether existing SAML sessions should be accepted or re-authentication +// should be forced. +enum SAMLForceAuthn { + // UNSPECIFIED is treated as the default value for the context; NO for login, YES for MFA checks. + FORCE_AUTHN_UNSPECIFIED = 0; + // YES re-authentication should be forced for existing SAML sessions.. + FORCE_AUTHN_YES = 1; + // NO re-authentication should not be forced for existing SAML sessions. + FORCE_AUTHN_NO = 2; } // SAMLAuthRequest is a request to authenticate with SAML -// provider, the state about request is managed by auth server. +// provider, the state about request is managed by the Auth Service message SAMLAuthRequest { // ID is a unique request ID. string ID = 1 [(gogoproto.jsontag) = "id"]; @@ -4712,11 +5005,14 @@ message SAMLAuthRequest { string RedirectURL = 5 [(gogoproto.jsontag) = "redirect_url"]; // PublicKey is an optional public key, users want these - // keys to be signed by auth servers user CA in case + // keys to be signed by Auth Service's user CA in case // of successful auth. // - // Soon to be deprecated after references are removed from teleport.e. - bytes PublicKey = 6 [(gogoproto.jsontag) = "public_key"]; + // Deprecated: prefer SshPublicKey and/or TlsPublicKey. + bytes PublicKey = 6 [ + (gogoproto.jsontag) = "public_key", + deprecated = true + ]; // CertTTL is the TTL of the certificate user wants to get. int64 CertTTL = 7 [ @@ -4752,7 +5048,7 @@ message SAMLAuthRequest { // attestation_statement is an attestation statement for the given public key. // - // Soon to be deprecated after references are removed from teleport.e. + // Deprecated: prefer SshAttestationStatement and/or TlsAttestationStatement. teleport.attestation.v1.AttestationStatement attestation_statement = 16 [(gogoproto.jsontag) = "attestation_statement,omitempty"]; // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates. @@ -5235,7 +5531,7 @@ message LockTarget { string Login = 3 [(gogoproto.jsontag) = "login,omitempty"]; // Node specifies the UUID of a Teleport node. - // A matching node is also prevented from heartbeating to the auth server. + // A matching node is also prevented from heartbeating to the Auth Service. // DEPRECATED: use ServerID instead. string Node = 4 [ deprecated = true, @@ -5370,12 +5666,42 @@ message WindowsDesktopSpecV3 { Resolution ScreenSize = 5 [(gogoproto.jsontag) = "screen_size,omitempty"]; } +// DynamicWindowsDesktopV1 represents a dynamic windows host for desktop access. +message DynamicWindowsDesktopV1 { + // Header is the common resource header. + ResourceHeader Header = 1 [ + (gogoproto.nullable) = false, + (gogoproto.jsontag) = "", + (gogoproto.embed) = true + ]; + // Spec is the DynamicWindows host spec. + DynamicWindowsDesktopSpecV1 Spec = 2 [ + (gogoproto.nullable) = false, + (gogoproto.jsontag) = "spec" + ]; +} + +// DynamicWindowsDesktopSpecV1 is the dynamic windows host spec. +message DynamicWindowsDesktopSpecV1 { + // Addr is the address that this host can be reached at. + string Addr = 1 [(gogoproto.jsontag) = "addr"]; + // Domain is the ActiveDirectory domain that this host belongs to. + string Domain = 2 [(gogoproto.jsontag) = "domain"]; + // NonAD marks this desktop as a standalone host that is + // not joined to an Active Directory domain. + bool NonAD = 4 [(gogoproto.jsontag) = "non_ad"]; + // ScreenSize specifies the size of the screen to use for sessions + // on this host. In most cases this should be unspecified, in which + // case Teleport will fill the browser window. + Resolution ScreenSize = 5 [(gogoproto.jsontag) = "screen_size,omitempty"]; +} + message Resolution { uint32 Width = 1 [(gogoproto.jsontag) = "width,omitempty"]; uint32 Height = 2 [(gogoproto.jsontag) = "height,omitempty"]; } -// RegisterUsingTokenRequest is a request to register with the auth server using +// RegisterUsingTokenRequest is a request to register with the Auth Service using // an authentication token message RegisterUsingTokenRequest { // HostID is a unique host ID, usually a UUID @@ -5429,7 +5755,7 @@ message RegisterUsingTokenRequest { } // RecoveryCodes holds a user's recovery code information. Recovery codes allows users to regain -// access to their account by restoring their lost password or second factor. Once a recovery code +// access to their account by restoring their lost password or multi-factor. Once a recovery code // is successfully verified, the code is mark used (which invalidates it), and lets the user begin // the recovery flow. When a user successfully finishes the recovery flow, users will get a new set // of codes that will replace all the previous ones. @@ -6050,6 +6376,14 @@ message PluginSpecV1 { PluginEntraIDSettings entra_id = 13; // Settings for the SCIM plugin PluginSCIMSettings scim = 14; + // Settings for the Datadog Incident Management plugin + PluginDatadogAccessSettings datadog = 15; + // PluginAWSICSettings holds settings for AWSICSettings + PluginAWSICSettings aws_ic = 16; + // Settings for the Email Access Request plugin + PluginEmailSettings email = 17; + // Settings for the Microsoft Teams plugin + PluginMSTeamsSettings msteams = 18; } // generation contains a unique ID that should: @@ -6175,6 +6509,21 @@ message PluginOktaSettings { // Sync settings controls the user and access list sync settings for Okta. PluginOktaSyncSettings sync_settings = 4; + + // CredentialsInfo contains information about the Okta credentials. + PluginOktaCredentialsInfo credentials_info = 5; +} + +// PluginOktaCredentialsInfo contains information about the Okta credentials. +// This is used to determine if the plugin has configured the necessary credentials. +message PluginOktaCredentialsInfo { + option (gogoproto.equal) = true; + // HasSSMSToken is true if the plugin has configured SSMSToken. + bool has_ssm_token = 1; + // HasOauthCredentials is true if the plugin has configured OauthCredentials. + bool has_oauth_credentials = 2; + // HasSCIMToken is true if the plugin has configured SCIMToken. + bool has_scim_token = 3; } // Defines settings for syncing users and access lists from Okta. @@ -6217,6 +6566,16 @@ message PluginOktaSyncSettings { // ^app.*$ // ^.*service.*$ repeated string app_filters = 7; + + // AppName is the Okta-assigned unique name of the Okta App that Teleport uses + // as a gateway to interact with Okta for SAML login, SCIM provisioning and user + // sync. May be missing for old Okta integration installs. + string app_name = 8; + + // DisableSyncAppGroups disables syncing of app groups from Okta. + // This is useful when the app groups are not needed in Teleport. + // and integration with Okta is only used for user sync. + bool disable_sync_app_groups = 9; } // Defines a set of discord channel IDs @@ -6254,8 +6613,33 @@ message PluginEntraIDSyncSettings { // DefaultOwners are the default owners for all imported access lists. repeated string default_owners = 1; - // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin + // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin. string sso_connector_id = 2; + + // credentials_source specifies the source of the credentials used for authentication with Azure. + EntraIDCredentialsSource credentials_source = 3; + + // tenant_id refers to the Azure Directory that this plugin synchronizes with. + // This field is populated on a best-effort basis for legacy plugins but mandatory for plugins created after its introduction. + // For existing plugins, it is filled in using the Entra integration when utilized. + string tenant_id = 4; + + // entra_app_id refers to the Entra Application ID that supports the SSO for "sso_connector_id". + // This field is populated on a best-effort basis for legacy plugins but mandatory for plugins created after its introduction. + // For existing plugins, it is filled in using the entity descriptor url when utilized. + string entra_app_id = 5; +} + +// EntraIDCredentialsSource defines the credentials source for Entra ID. +enum EntraIDCredentialsSource { + // ENTRAID_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not specified. + // Due to legacy reasons, UNKNOWN is handled as OIDC. + ENTRAID_CREDENTIALS_SOURCE_UNKNOWN = 0; + // ENTRAID_CREDENTIALS_SOURCE_OIDC indicates that the plugin will authenticate with Azure/Entra ID using OIDC. + ENTRAID_CREDENTIALS_SOURCE_OIDC = 1; + // ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS means the plugin will rely on system-provided credentials + // for authentication with Azure Entra ID, especially for clusters with no internet access. + ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS = 2; } // AccessGraphSettings controls settings for syncing access graph specific data. @@ -6295,6 +6679,137 @@ message PluginSCIMSettings { string default_role = 2; } +// PluginDatadogAccessSettings defines the settings for a Datadog Incident Management plugin +message PluginDatadogAccessSettings { + option (gogoproto.equal) = true; + + // ApiEndpoint is the Datadog API endpoint. + string api_endpoint = 1; + // FallbackRecipient specifies the default recipient. + string fallback_recipient = 2; +} + +// PluginAWSICSettings holds the settings for an AWS Identity Center integration. +message PluginAWSICSettings { + option (gogoproto.equal) = true; + + // IntegrationName is the Teleport OIDC integration used to gain access to the + // AWS account + string integration_name = 1; + + // Region is the AWS region the target Identity Center instance is configured in + string region = 2; + + // InstanceARN is the arn of the Identity Center instance to manage + string arn = 3; + + // Provisioning holds settings for provisioing users and groups into AWS + AWSICProvisioningSpec provisioning_spec = 4; + + // AccessListDefaultOwners is a list of default owners for Access List created for + // user groups imported from AWS Idenity Center. + repeated string access_list_default_owners = 5; + + // SAMLIdPServiceProviderName is the name of a SAML service provider created + // for the Identity Center. + string saml_idp_service_provider_name = 6; +} + +// AWSICProvisioningSpec holds provisioning-specific Identity Center settings +message AWSICProvisioningSpec { + option (gogoproto.equal) = true; + + // BaseURL is the SCIM base URL + string base_url = 1; + + // BearerToken is used to authenticate with AWS when provisioning users and + // groups via SCIM. This is expected to be empty in serialized records, as the + // actual credential is stored separetely ain a PluginStaticCredentials + // service, and populated at runtime as necessary. + string bearer_token = 2; +} + +// PluginAWSICStatusV1 defines AWS Identity Center plugin sub-process status. +message PluginAWSICStatusV1 { + // GroupImportStatus is a status of Identity Center group and group members import. + AWSICGroupImportStatus group_import_status = 1; +} + +// AWSICGroupImportStatus defines Identity Center group and group members import status. +message AWSICGroupImportStatus { + // StatusCode is a status code of group and group members import operation. + AWSICGroupImportStatusCode status_code = 1; + // ErrorMessage contains error message for a group and group members import attempt + // that met with an error. + string error_message = 2; +} + +// AWSICGroupImportStatus defines Identity Center group and group members +// import status codes. +enum AWSICGroupImportStatusCode { + // UNSPECIFIED denotes that a status is unknown. + UNSPECIFIED = 0; + // DONE denotes that the group and group members import operation was + // completed. + DONE = 1; + // FAILED denotes that the group and group members import met with an error. + FAILED = 2; +} + +// PluginEmailSettings holds the settings for an Email Access Request plugin. +message PluginEmailSettings { + option (gogoproto.equal) = true; + + // Sender specifies the email sender. + string sender = 1; + // FallbackRecipient specifies the default recipient. + string fallback_recipient = 2; + + // Spec configures the mail service settings. + oneof spec { + // MailgunSpec configures Mailgun service settings. + MailgunSpec mailgun_spec = 3; + // SmtpSpec configures generic SMTP service settings. + SMTPSpec smtp_spec = 4; + } +} + +// MailgunSpec holds Mailgun-specific settings. +message MailgunSpec { + option (gogoproto.equal) = true; + + // Domain specifies the Mailgun sending domain. + string domain = 1; +} + +// SMTPSpec holds a generic SMTP service specific settings. +message SMTPSpec { + option (gogoproto.equal) = true; + + // Host specifies the SMTP service host name. + string host = 1; + // Port specifies the SMTP service port number. + int32 port = 2; + // StartTLSPolicy specifies the SMTP start TLS policy used to send emails over + // SMTP. + string start_tls_policy = 3; +} + +// PluginMSTeamsSettings defines the settings for a Microsoft Teams integration plugin +message PluginMSTeamsSettings { + option (gogoproto.equal) = true; + // AppId is the Microsoft application ID (uuid, for Azure bots must be underlying app id, not bot's id). + string app_id = 1; + // TenantId is the Microsoft tenant ID. + string tenant_id = 2; + // TeamsAppId is the Microsoft teams application ID. + string teams_app_id = 3; + // Region to be used by the Microsoft Graph API client. + string region = 4; + // DefaultRecipient is the default recipient to use if no access monitoring rules are specified. + string default_recipient = 5; +} + message PluginBootstrapCredentialsV1 { oneof credentials { PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1; @@ -6331,6 +6846,8 @@ message PluginStatusV1 { PluginEntraIDStatusV1 entra_id = 5; // Okta holds status details for the Okta plugin PluginOktaStatusV1 okta = 7; + // AWSIC holds status details for the AWS Identity Center plugin. + PluginAWSICStatusV1 aws_ic = 8; } // last_raw_error variable stores the most recent raw error message received from an API or service. @@ -6569,6 +7086,8 @@ message PluginBearerTokenCredentials { // PluginStaticCredentialsRef is a reference to plugin static credentials by labels. message PluginStaticCredentialsRef { + option (gogoproto.equal) = true; + // Labels is the set of labels to use to match against a set of static credentials. map Labels = 1 [(gogoproto.jsontag) = "labels,omitempty"]; } @@ -6660,6 +7179,17 @@ message SAMLIdPServiceProviderSpecV1 { // The value can contain service provider specific redirect URL, static state token etc. // The value is only applied in the IdP initiated SSO flow. string RelayState = 6 [(gogoproto.jsontag) = "relay_state"]; + // LaunchURLs is used to configure custom landing URLs for service provider. It is useful in + // the following scenarios: + // 1. If a service provider does not support IdP initiated authentication, launch url can be + // configured to launch users directly into the service provider authentication endpoint. + // 2. If a service provider does support IdP initiated authentication, it can be useful if + // that service provider acts as a master authentication service provider for internal services. + // In such case, Teleport administrator can configure launch URL, that lets user pick a specific + // internal service URL from the Log In tile in the UI, which would take them to that particular + // service for authentication instead of directly launching to the master service provider. + // Each launch URL value must be an HTTPs endpoint. + repeated string LaunchURLs = 7 [(gogoproto.jsontag) = "launch_urls"]; } // SAMLAttributeMapping represents SAML service provider requested attribute @@ -6981,6 +7511,14 @@ message AWSOIDCIntegrationSpecV1 { (gogoproto.jsontag) = "issuer_s3_uri,omitempty", deprecated = true ]; + + // Audience is used to record a name of a plugin or a discover service in Teleport + // that depends on this integration. + // Audience value can be empty or configured with supported preset audience type. + // Preset audience may impose specific behavior on the integration CRUD API, + // such as preventing integration from update or deletion. Empty audience value + // should be treated as a default and backward-compatible behavior of the integration. + string audience = 3 [(gogoproto.jsontag) = "audience,omitempty"]; } // AzureOIDCIntegrationSpecV1 contains the spec properties for the Azure OIDC SubKind Integration. @@ -7382,6 +7920,12 @@ message OktaOptions { message AccessGraphSync { // AWS is a configuration for AWS Access Graph service poll service. repeated AccessGraphAWSSync AWS = 1 [(gogoproto.jsontag) = "aws,omitempty"]; + // PollInterval is the frequency at which to poll for AWS resources + google.protobuf.Duration PollInterval = 2 [ + (gogoproto.jsontag) = "poll_interval,omitempty", + (gogoproto.nullable) = false, + (gogoproto.stdduration) = true + ]; } // AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.