auth

package
v0.1.0-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 21, 2016 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Overview

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source 
const (
	// WebSessionTTL specifies standard web session time to live
	WebSessionTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
	// WebSessionTokenLenBytes specifies len in bytes of the
	// web session random token
	WebSessionTokenLenBytes = 32
)
View Source 
const (
	ActionGetSessions                   = "GetSessions"
	ActionGetSession                    = "GetSession"
	ActionDeleteSession                 = "DeleteSession"
	ActionUpsertSession                 = "UpsertSession"
	ActionUpsertParty                   = "UpsertParty"
	ActionUpsertCertAuthority           = "UpsertCertAuthority"
	ActionGetCertAuthorities            = "GetCertAuthorities"
	ActionGetLocalDomain                = "GetLocalDomain"
	ActionDeleteCertAuthority           = "DeleteCertAuthority"
	ActionGenerateToken                 = "GenerateToken"
	ActionRegisterUsingToken            = "RegisterUsingToken"
	ActionRegisterNewAuthServer         = "RegisterNewAuthServer"
	ActionLog                           = "Log"
	ActionLogEntry                      = "LogEntry"
	ActionGetEvents                     = "GetEvents"
	ActionGetChunkWriter                = "GetChunkWriter"
	ActionGetChunkReader                = "GetChunkReader"
	ActionUpsertServer                  = "UpsertServer"
	ActionGetServers                    = "GetServers"
	ActionUpsertAuthServer              = "UpsertAuthServer"
	ActionGetAuthServers                = "GetAuthServers"
	ActionUpsertProxy                   = "UpsertProxy"
	ActionGetProxies                    = "GetProxies"
	ActionUpsertReverseTunnel           = "UpsertReverseTunnel"
	ActionGetReverseTunnels             = "GetReverseTunnels"
	ActionDeleteReverseTunnel           = "DeleteReverseTunnel"
	ActionUpsertPassword                = "UpsertPassword"
	ActionCheckPassword                 = "CheckPassword"
	ActionSignIn                        = "SignIn"
	ActionCreateWebSession              = "CreateWebSession"
	ActionGetWebSession                 = "GetWebSession"
	ActionGetWebSessionsKeys            = "GetWebSessionsKeys"
	ActionDeleteWebSession              = "DeleteWebSession"
	ActionGetUsers                      = "GetUsers"
	ActionDeleteUser                    = "DeleteUser"
	ActionUpsertUserKey                 = "UpsertUserKey"
	ActionGetUserKeys                   = "GetUserKeys"
	ActionDeleteUserKey                 = "DeleteUserKey"
	ActionGenerateKeyPair               = "GenerateKeyPair"
	ActionGenerateHostCert              = "GenerateHostCert"
	ActionGenerateUserCert              = "GenerateUserCert"
	ActionResetHostCertificateAuthority = "ResetHostCertificateAuthority"
	ActionResetUserCertificateAuthority = "ResetUserCertificateAuthority"
	ActionGenerateSealKey               = "GenerateSealKey"
	ActionGetSealKeys                   = "GetSeakKeys"
	ActionGetSealKey                    = "GetSealKey"
	ActionDeleteSealKey                 = "DeleteSealKey"
	ActionAddSealKey                    = "AddSealKey"
	ActionCreateSignupToken             = "CreateSignupToken"
	ActionGetSignupTokenData            = "GetSignupTokenData"
	ActionCreateUserWithToken           = "CreateUserWithToken"
	ActionUpsertUser                    = "UpsertUser"
)
View Source 
const (
	// DialerRetryAttempts is the amount of attempts for dialer to try and
	// connect to the remote destination
	DialerRetryAttempts = 3
	// DialerPeriodBetweenAttempts is the period between retry attempts
	DialerPeriodBetweenAttempts = time.Second
)
View Source 
const (
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"
	ExtRole        = "role@teleport"

	AuthWebPassword = "password"
	AuthWebSession  = "session"
	AuthToken       = "provision-token"
	AuthSignupToken = "signup-token"
)
View Source 
const CurrentVersion = "v1"

CurrentVersion is a current API version

Variables

View Source 
var StandardRoles = []teleport.Role{
	teleport.RoleAuth,
	teleport.RoleUser,
	teleport.RoleWeb,
	teleport.RoleNode,
	teleport.RoleProxy,
	teleport.RoleAdmin,
	teleport.RoleProvisionToken,
	teleport.RoleSignup,
}

Functions

func HaveHostKeys added in v1.0.0 

func HaveHostKeys(dataDir string, id IdentityID) (bool, error)

HaveHostKeys checks either the host keys are in place

func Init 

func Init(cfg InitConfig) (*AuthServer, *Identity, error)

Init instantiates and configures an instance of AuthServer

func LocalRegister added in v1.0.0 

func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error

LocalRegister is used in standalone mode to register roles without connecting to remote clients and provisioning tokens

func NewHostAuth 

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth 

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth 

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth 

func NewWebPasswordAuth(user string, password []byte, hotpToken string) ([]ssh.AuthMethod, error)

func NewWebSessionAuth 

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func Register 

func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error

Register is used by auth service clients (other services, like proxy or SSH) when a new node joins the cluster

func RegisterNewAuth 

func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error

func RetryingClient added in v1.0.0 

func RetryingClient(client limitedClient, retries int) *retryingClient

Types

type APIConfig added in v1.0.0 

type APIConfig struct {
	AuthServer        *AuthServer
	EventLog          events.Log
	SessionService    session.Service
	Recorder          recorder.Recorder
	Roles             []teleport.Role
	PermissionChecker PermissionChecker
}

APIConfig is a configuration file

type APIServer 

type APIServer struct {
	httprouter.Router
	// contains filtered or unexported fields
}

APIServer implements http API server for AuthServer interface

func NewAPIServer 

func NewAPIServer(a *AuthWithRoles) *APIServer

NewAPIServer returns a new instance of APIServer HTTP handler

type APIWithRoles 

type APIWithRoles struct {
	// contains filtered or unexported fields
}

func NewAPIWithRoles 

func NewAPIWithRoles(config APIConfig) *APIWithRoles

func (*APIWithRoles) Close 

func (api *APIWithRoles) Close()

func (*APIWithRoles) HandleNewChannel 

func (api *APIWithRoles) HandleNewChannel(remoteAddr net.Addr, channel ssh.Channel, role teleport.Role) error

HandleNewChannel is called when a new SSH channel (SSH connection) wants to communicate via HTTP API to one of the API servers

func (*APIWithRoles) Serve 

func (api *APIWithRoles) Serve()

type AccessPoint 

type AccessPoint interface {

	// GetLocalDomain returns domain name of the local authority server
	GetLocalDomain() (string, error)

	// GetServers returns a list of registered servers
	GetNodes() ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server, ttl time.Duration) error

	// UpsertProxy registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server, ttl time.Duration) error

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType) ([]*services.CertAuthority, error)

	// GetWebSessionsKeys returns a list of generated public keys
	// associated with user web session
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetEvents returns a list of events that
	GetEvents(filter events.Filter) ([]lunk.Entry, error)
}

AccessPoint is a interface needed by nodes to control the access to the node, and provide heartbeats

type AccessPointDialer 

type AccessPointDialer func() (net.Conn, error)

AccessPointDialer dials to auth access point remote HTTP api

type AgentCloser added in v1.0.0 

type AgentCloser interface {
	io.Closer
	agent.Agent
}

type AuthServer 

type AuthServer struct {
	Authority

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	*services.CAService
	*services.LockService
	*services.PresenceService
	*services.ProvisioningService
	*services.WebService
	*services.BkKeysService
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func NewAuthServer 

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) *AuthServer

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) CreateSignupToken 

func (s *AuthServer) CreateSignupToken(user string, allowedLogins []string) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

allowedLogins are linux user logins allowed for the new user to use

func (*AuthServer) CreateUserWithToken 

func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) CreateWebSession added in v1.0.0 

func (s *AuthServer) CreateWebSession(user string, prevSessionID string) (*Session, error)

CreateWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) DeleteToken 

func (s *AuthServer) DeleteToken(outputToken string) error

func (*AuthServer) DeleteWebSession 

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) GenerateHostCert 

func (s *AuthServer) GenerateHostCert(key []byte, hostID, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)

GenerateHostCert generates host certificate, it takes pkey as a signing private key (host certificate authority)

func (*AuthServer) GenerateServerKeys added in v1.0.0 

func (s *AuthServer) GenerateServerKeys(hostID string, role teleport.Role) (*PackedKeys, error)

GenerateServerKeys generates private key and certificate signed by the host certificate authority, listing the role of this server

func (*AuthServer) GenerateToken 

func (s *AuthServer) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)

func (*AuthServer) GenerateUserCert 

func (s *AuthServer) GenerateUserCert(
	key []byte, username string, ttl time.Duration) ([]byte, error)

GenerateUserCert generates user certificate, it takes pkey as a signing private key (user certificate authority)

func (*AuthServer) GetLocalDomain added in v1.0.0 

func (a *AuthServer) GetLocalDomain() (string, error)

GetLocalDomain returns domain name that identifies this authority server

func (*AuthServer) GetSignupTokenData 

func (s *AuthServer) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetWebSession 

func (s *AuthServer) GetWebSession(userName string, id string) (*Session, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0 

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (*Session, error)

func (*AuthServer) NewWebSession 

func (s *AuthServer) NewWebSession(userName string) (*Session, error)

func (*AuthServer) RegisterNewAuthServer 

func (s *AuthServer) RegisterNewAuthServer(outputToken string) error

func (*AuthServer) RegisterUsingToken 

func (s *AuthServer) RegisterUsingToken(outputToken, hostID string, role teleport.Role) (*PackedKeys, error)

func (*AuthServer) SignIn 

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)

func (*AuthServer) UpsertWebSession 

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error

func (*AuthServer) ValidateToken 

func (s *AuthServer) ValidateToken(token string) (role string, e error)

type AuthServerOption added in v1.0.0 

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

func AuthClock 

func AuthClock(clock clockwork.Clock) AuthServerOption

AuthClock allows setting clock for auth server (used in tests)

type AuthTunnel added in v1.0.0 

type AuthTunnel struct {
	// contains filtered or unexported fields
}

AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then stablishes an SSH tunnell which HTTP requests travel over. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.

func NewTunnel added in v1.0.0 

func NewTunnel(addr utils.NetAddr,
	hostSigners []ssh.Signer,
	apiServer *APIWithRoles,
	authServer *AuthServer,
	opts ...ServerOption) (tunnel *AuthTunnel, err error)

NewTunnel creates a new SSH tunnel server which is not started yet

func (*AuthTunnel) Addr added in v1.0.0 

func (s *AuthTunnel) Addr() string

func (*AuthTunnel) Close added in v1.0.0 

func (s *AuthTunnel) Close() error

func (*AuthTunnel) HandleNewChan added in v1.0.0 

func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)

HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established

func (*AuthTunnel) Start added in v1.0.0 

func (s *AuthTunnel) Start() error

type AuthWithRoles 

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles 

func NewAuthWithRoles(authServer *AuthServer, permChecker PermissionChecker,
	elog events.Log, sessions session.Service,
	role teleport.Role, recorder recorder.Recorder) *AuthWithRoles

func (*AuthWithRoles) CheckPassword 

func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error

func (*AuthWithRoles) CreateSession added in v1.0.0 

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken 

func (a *AuthWithRoles) CreateSignupToken(user string, mappings []string) (token string, e error)

func (*AuthWithRoles) CreateUserWithToken 

func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

func (*AuthWithRoles) CreateWebSession added in v1.0.0 

func (a *AuthWithRoles) CreateWebSession(user string, prevSessionID string) (*Session, error)

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0 

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0 

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteUser 

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession 

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) GenerateHostCert 

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostname, authDomain string, role teleport.Role,
	ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair 

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateToken 

func (a *AuthWithRoles) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)

func (*AuthWithRoles) GenerateUserCert 

func (a *AuthWithRoles) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0 

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0 

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType) ([]*services.CertAuthority, error)

func (*AuthWithRoles) GetChunkReader 

func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

func (*AuthWithRoles) GetChunkWriter 

func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

func (*AuthWithRoles) GetEvents 

func (a *AuthWithRoles) GetEvents(filter events.Filter) ([]lunk.Entry, error)

func (*AuthWithRoles) GetLocalDomain added in v1.0.0 

func (a *AuthWithRoles) GetLocalDomain() (string, error)

func (*AuthWithRoles) GetNodes added in v1.0.0 

func (a *AuthWithRoles) GetNodes() ([]services.Server, error)

func (*AuthWithRoles) GetProxies added in v1.0.0 

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0 

func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetSession 

func (a *AuthWithRoles) GetSession(id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0 

func (a *AuthWithRoles) GetSessionEvents(filter events.Filter) ([]session.Session, error)

func (*AuthWithRoles) GetSessions 

func (a *AuthWithRoles) GetSessions() ([]session.Session, error)

func (*AuthWithRoles) GetSignupTokenData 

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

func (*AuthWithRoles) GetUsers 

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0 

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error)

func (*AuthWithRoles) GetWebSessionsKeys 

func (a *AuthWithRoles) GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

func (*AuthWithRoles) Log 

func (a *AuthWithRoles) Log(id lunk.EventID, e lunk.Event)

func (*AuthWithRoles) LogEntry 

func (a *AuthWithRoles) LogEntry(en lunk.Entry) error

func (*AuthWithRoles) LogSession 

func (a *AuthWithRoles) LogSession(sess session.Session) error

func (*AuthWithRoles) RegisterNewAuthServer 

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken 

func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

func (*AuthWithRoles) SignIn 

func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)

func (*AuthWithRoles) UpdateSession added in v1.0.0 

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0 

func (a *AuthWithRoles) UpsertAuthServer(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0 

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

func (*AuthWithRoles) UpsertNode added in v1.0.0 

func (a *AuthWithRoles) UpsertNode(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertParty 

func (a *AuthWithRoles) UpsertParty(id session.ID, p session.Party, ttl time.Duration) error

func (*AuthWithRoles) UpsertPassword 

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)

func (*AuthWithRoles) UpsertProxy added in v1.0.0 

func (a *AuthWithRoles) UpsertProxy(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0 

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error

func (*AuthWithRoles) UpsertUser added in v1.0.0 

func (a *AuthWithRoles) UpsertUser(u services.User) error

type Authority 

type Authority interface {
	// GenerateKeyPair generates new keypair
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)

	// GetNewKeyPairFromPool returns new keypair from pre-generated in memory pool
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert generates host certificate, it takes pkey as a signing
	// private key (host certificate authority)
	GenerateHostCert(pkey, key []byte, hostID, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)

	// GenerateHostCert generates user certificate, it takes pkey as a signing
	// private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, teleportUsername string, allowedLogins []string, ttl time.Duration) ([]byte, error)
}

Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates

type Client 

type Client struct {
	roundtrip.Client
}

Client is HTTP API client that connects to the remote server

func NewClient 

func NewClient(addr string, params ...roundtrip.ClientParam) (*Client, error)

NewClient returns a new instance of the client

func (*Client) CheckPassword 

func (c *Client) CheckPassword(user string,
	password []byte, hotpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) CreateSession added in v1.0.0 

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken 

func (c *Client) CreateSignupToken(user string, allowedLogins []string) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*Client) CreateUserWithToken 

func (c *Client) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*Client) CreateWebSession added in v1.0.0 

func (c *Client) CreateWebSession(user string, prevSessionID string) (*Session, error)

CreateWebSession creates a new web session for a user based on another valid web session

func (*Client) Delete 

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteCertAuthority added in v1.0.0 

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

func (*Client) DeleteReverseTunnel added in v1.0.0 

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteSession 

func (c *Client) DeleteSession(id string) error

DeleteSession deletes a session by ID

func (*Client) DeleteUser 

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession 

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) GenerateHostCert 

func (c *Client) GenerateHostCert(
	key []byte, hostname, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair 

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateToken 

func (c *Client) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

The token can be used only once.

func (*Client) GenerateUserCert 

func (c *Client) GenerateUserCert(
	key []byte, user string, ttl time.Duration) ([]byte, error)

GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get 

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAuthServers added in v1.0.0 

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0 

func (c *Client) GetCertAuthorities(caType services.CertAuthType) ([]*services.CertAuthority, error)

func (*Client) GetChunkReader 

func (c *Client) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

GetChunkReader returns a reader of recorded session

func (*Client) GetChunkWriter 

func (c *Client) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

GetChunkWriter returns a writer for chunks (parts of the recorded session)

func (*Client) GetEvents 

func (c *Client) GetEvents(filter events.Filter) ([]lunk.Entry, error)

GetEvents returns a list of filtered events

func (*Client) GetLocalDomain added in v1.0.0 

func (c *Client) GetLocalDomain() (string, error)

GetLocalDomain returns local auth domain of the current auth server

func (*Client) GetNodes added in v1.0.0 

func (c *Client) GetNodes() ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetProxies added in v1.0.0 

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetReverseTunnels added in v1.0.0 

func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetSession 

func (c *Client) GetSession(id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionEvents added in v1.0.0 

func (c *Client) GetSessionEvents(filter events.Filter) ([]session.Session, error)

GetSessionEvents returns a list of filtered session events

func (*Client) GetSessions 

func (c *Client) GetSessions() ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData 

func (c *Client) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetUsers 

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0 

func (c *Client) GetWebSessionInfo(user string, sid string) (*Session, error)

GetWebSessionInfo check if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) GetWebSessionsKeys 

func (c *Client) GetWebSessionsKeys(
	user string) ([]services.AuthorizedKey, error)

GetWebSessionKeys returns the list of temporary keys generated for this user web session. Each web session has a temporary user ssh key and certificate generated, that is stored for the duration of this web session. These keys are used to access SSH servers via web portal.

func (*Client) Log 

func (c *Client) Log(id lunk.EventID, e lunk.Event)

func (*Client) LogEntry 

func (c *Client) LogEntry(en lunk.Entry) error

func (*Client) LogSession 

func (c *Client) LogSession(sess session.Session) error

func (*Client) PostForm 

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0 

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PutJSON added in v1.0.0 

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer 

func (c *Client) RegisterNewAuthServer(token string) error

func (*Client) RegisterUsingToken 

func (c *Client) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

RegisterUserToken calls the auth service API to register a new node via registration token which has been previously issued via GenerateToken

func (*Client) SignIn 

func (c *Client) SignIn(user string, password []byte) (*Session, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) UpdateSession added in v1.0.0 

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UpsertAuthServer added in v1.0.0 

func (c *Client) UpsertAuthServer(s services.Server, ttl time.Duration) error

UpsertAuthServer is used by auth servers to report their presense to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0 

func (c *Client) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertNode added in v1.0.0 

func (c *Client) UpsertNode(s services.Server, ttl time.Duration) error

UpsertNode is used by SSH servers to reprt their presense to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertParty 

func (c *Client) UpsertParty(id session.ID, p session.Party, ttl time.Duration) error

UpsertParty updates existing session party or inserts new party

func (*Client) UpsertPassword 

func (c *Client) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0 

func (c *Client) UpsertProxy(s services.Server, ttl time.Duration) error

UpsertProxy is used by proxies to report their presense to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0 

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel, ttl time.Duration) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

type ClientI 

type ClientI interface {
	GetSessions() ([]session.Session, error)
	GetSession(id session.ID) (*session.Session, error)
	CreateSession(s session.Session) error
	UpdateSession(req session.UpdateRequest) error
	UpsertParty(id session.ID, p session.Party, ttl time.Duration) error
	UpsertCertAuthority(cert services.CertAuthority, ttl time.Duration) error
	GetCertAuthorities(caType services.CertAuthType) ([]*services.CertAuthority, error)
	DeleteCertAuthority(caType services.CertAuthID) error
	GenerateToken(role teleport.Role, ttl time.Duration) (string, error)
	RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)
	RegisterNewAuthServer(token string) error
	Log(id lunk.EventID, e lunk.Event)
	LogEntry(en lunk.Entry) error
	LogSession(sess session.Session) error
	GetEvents(filter events.Filter) ([]lunk.Entry, error)
	GetSessionEvents(filter events.Filter) ([]session.Session, error)
	GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
	GetChunkReader(id string) (recorder.ChunkReadCloser, error)
	UpsertNode(s services.Server, ttl time.Duration) error
	GetNodes() ([]services.Server, error)
	GetAuthServers() ([]services.Server, error)
	UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
	CheckPassword(user string, password []byte, hotpToken string) error
	SignIn(user string, password []byte) (*Session, error)
	CreateWebSession(user string, prevSessionID string) (*Session, error)
	GetWebSessionInfo(user string, sid string) (*Session, error)
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)
	DeleteWebSession(user string, sid string) error
	GetUsers() ([]services.User, error)
	DeleteUser(user string) error
	GenerateKeyPair(pass string) ([]byte, []byte, error)
	GenerateHostCert(key []byte, hostname, authServer string, role teleport.Role, ttl time.Duration) ([]byte, error)
	GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)
	GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
	CreateUserWithToken(token, password, hotpToken string) (*Session, error)
}

TOODO(klizhentas) this should be just including appropriate service implementations

type Config 

type Config struct {
	Backend backend.Backend
	Addr    string
}

Config is APIServer config

type FakeSSHConnection added in v1.0.0 

type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

func (*FakeSSHConnection) Close added in v1.0.0 

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr added in v1.0.0 

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read added in v1.0.0 

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr added in v1.0.0 

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline added in v1.0.0 

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline added in v1.0.0 

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline added in v1.0.0 

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write added in v1.0.0 

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type Identity added in v1.0.0 

type Identity struct {
	KeyBytes  []byte
	CertBytes []byte
	KeySigner ssh.Signer
	PubKey    ssh.PublicKey
	Cert      *ssh.Certificate
}

Identity is a collection of certificates and signers that represent identity

func ReadIdentity added in v1.0.0 

func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

type IdentityID added in v1.0.0 

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
}

IdentityID is a combination of role and host UUID

type InitConfig 

type InitConfig struct {
	Backend   backend.Backend
	Authority Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	SecretKey     string
	AllowedTokens map[string]string

	// HostCA is an optional host certificate authority keypair
	HostCA *services.CertAuthority
	// UserCA is an optional user certificate authority keypair
	UserCA *services.CertAuthority
}

InitConfig is auth server init config

type PackedKeys 

type PackedKeys struct {
	Key  []byte `json:"key"`
	Cert []byte `json:"cert"`
}

type PermissionChecker 

type PermissionChecker interface {
	// HasPermission checks if the given role has a permission to execute
	// the action
	HasPermission(role teleport.Role, action string) error
}

PermissionChecker interface verifies that clients have permissions to execute any action of the auth server

func NewAllowAllPermissions 

func NewAllowAllPermissions() PermissionChecker

func NewStandardPermissions 

func NewStandardPermissions() PermissionChecker

NewStandardPermissions returns permission checker with hardcoded roles that are built in when auth server starts in standard mode

type ServerOption 

type ServerOption func(s *AuthTunnel) error

ServerOption is the functional argument passed to the server

func SetLimiter added in v1.0.0 

func SetLimiter(limiter *limiter.Limiter) ServerOption

SetLimiter sets rate and connection limiter for auth tunnel server

type Session 

type Session struct {
	// ID is a session ID
	ID string `json:"id"`
	// User is a user this session belongs to
	User services.User `json:"user"`
	// WS is a private keypair used for signing requests
	WS services.WebSession `json:"web"`
}

Session is a web session context, stores temporary key-value pair and session id

type TunClient 

type TunClient struct {
	sync.Mutex
	Client
	// contains filtered or unexported fields
}

TunClient is HTTP client that works over SSH tunnel This is done in order to authenticate various teleport roles using existing SSH certificate infrastructure

func NewTunClient 

func NewTunClient(authServers []utils.NetAddr, user string, authMethods []ssh.AuthMethod, opts ...TunClientOption) (*TunClient, error)

NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate

func (*TunClient) Close 

func (c *TunClient) Close() error

Close releases all the resources allocated for this client

func (*TunClient) Dial added in v1.0.0 

func (c *TunClient) Dial(network, address string) (net.Conn, error)

Dial dials to Auth server's HTTP API over SSH tunnel

func (*TunClient) GetAgent 

func (c *TunClient) GetAgent() (AgentCloser, error)

GetAgent returns SSH agent that uses ReqWebSessionAgent Auth server extension

func (*TunClient) GetDialer 

func (c *TunClient) GetDialer() AccessPointDialer

GetDialer returns dialer that will connect to auth server API

type TunClientOption added in v1.0.0 

type TunClientOption func(t *TunClient)

TunClientOption is functional option for tunnel client

func TunClientStorage added in v1.0.0 

func TunClientStorage(storage utils.AddrStorage) TunClientOption

TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.