auth

package
v2.5.0-beta.1+incompat... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 5, 2018 License: Apache-2.0 Imports: 59 Imported by: 0

Documentation

Overview

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
)
View Source
const (
	// CurrentVersion is a current API version
	CurrentVersion = services.V2

	// MissingNamespaceError is a _very_ common error this file generatets
	MissingNamespaceError = "missing required parameter: namespace"
)
View Source
const (
	// GithubAuthURL is the Github authorization endpoint
	GithubAuthURL = "https://github.com/login/oauth/authorize"
	// GithubTokenURL is the Github token exchange endpoint
	GithubTokenURL = "https://github.com/login/oauth/access_token"
	// GithubAPIURL is the Github base API URL
	GithubAPIURL = "https://api.github.com"
)
View Source
const (
	// DialerRetryAttempts is the amount of attempts for dialer to try and
	// connect to the remote destination
	DialerRetryAttempts = 3
	// DialerPeriodBetweenAttempts is the period between retry attempts
	DialerPeriodBetweenAttempts = time.Second
)
View Source
const (
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtWebU2F      = "web-u2f@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"
	ExtRole        = "role@teleport"
	ExtOrigin      = "origin@teleport"

	AuthWebPassword            = "password"
	AuthWebPasswordWithoutOTP  = "password-without-otp"
	AuthWebU2FSign             = "u2f-sign"
	AuthWebU2F                 = "u2f"
	AuthWebSession             = "session"
	AuthToken                  = "provision-token"
	AuthSignupToken            = "signup-token"
	AuthValidateTrustedCluster = "trusted-cluster"
)
View Source
const ContextUser = "teleport-user"

ContextUser is a user set in the context of the request

Variables

View Source
var (
	// GithubScopes is a list of scopes requested during OAuth2 flow
	GithubScopes = []string{

		"read:org",
	}
)

Functions

func CheckPublicKeysEqual

func CheckPublicKeysEqual(sshKeyBytes []byte, certBytes []byte) error

CheckPublicKeysEqual compares RSA based SSH certificate with the TLS certificate, returns nil if both certificates are using the same public key and refer to the same cluster name, error otherwise

func CreateUserAndRole

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRole creates user and role and assignes role to a user, used in tests

func CreateUserAndRoleWithoutRoles

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests

func GetCheckerForBuiltinRole

func GetCheckerForBuiltinRole(clusterConfig services.ClusterConfig, role teleport.Role) (services.AccessChecker, error)

GetCheckerForBuiltinRole returns checkers for embedded builtin role

func HaveHostKeys added in v1.0.0

func HaveHostKeys(dataDir string, id IdentityID) (bool, error)

HaveHostKeys checks that host keys are in place

func HostFQDN

func HostFQDN(hostUUID, clusterName string) string

HostFQDN consits of host UUID and cluster name joined via .

func Init

func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, *Identity, error)

Init instantiates and configures an instance of AuthServer

func LocalRegister added in v1.0.0

func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer, additionalPrincipals []string) error

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.

func NewAPIServer

func NewAPIServer(config *APIConfig) http.Handler

NewAPIServer returns a new instance of APIServer HTTP handler

func NewHostAuth

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewValidateTrustedClusterAuth

func NewValidateTrustedClusterAuth(token string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth

func NewWebPasswordAuth(user string, password []byte, otpToken string) ([]ssh.AuthMethod, error)

func NewWebPasswordU2FSignAuth added in v1.3.0

func NewWebPasswordU2FSignAuth(user string, password []byte) ([]ssh.AuthMethod, error)

NewWebPasswordU2FSignAuth is for getting a U2F sign challenge

func NewWebPasswordWithoutOTPAuth

func NewWebPasswordWithoutOTPAuth(user string, password []byte) ([]ssh.AuthMethod, error)

func NewWebSessionAuth

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func NewWebU2FSignResponseAuth added in v1.3.0

func NewWebU2FSignResponseAuth(user string, u2fSignResponse *u2f.SignResponse) ([]ssh.AuthMethod, error)

NewWebU2FSignResponseAuth is for signing in with a U2F sign response

func ReRegister

func ReRegister(dataDir string, clt ClientI, id IdentityID, additionalPrincipals []string) error

ReRegister renews the certificates and private keys based on the existing identity ID

func Register

func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr, additionalPrincipals []string) error

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request.

func RegisterNewAuth

func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error

func SetPlugin

func SetPlugin(p Plugin)

SetPlugin sets plugin for the auth API server

func WriteIdentity added in v1.0.0

func WriteIdentity(dataDir string, identity *Identity) error

WriteIdentity writes identity keypair to disk

Types

type APIConfig added in v1.0.0

type APIConfig struct {
	AuthServer     *AuthServer
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
}

type APIServer

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements http API server for AuthServer interface

type AccessPoint

type AccessPoint interface {
	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels() ([]services.ReverseTunnel, error)

	// GetDomainName returns domain name AKA ("cluster name") of the auth
	// server / certificate authority (CA)
	GetDomainName() (string, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig() (services.ClusterConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*services.Namespace, error)

	// GetServers returns a list of registered servers
	GetNodes(namespace string) ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server) error

	// UpsertProxy registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server) error

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(conn services.TunnelConnection) error

	// DeleteTunnelConnection deletes tunnel connection
	DeleteTunnelConnection(clusterName, connName string) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string) ([]services.TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections() ([]services.TunnelConnection, error)
}

AccessPoint is an API interface implemented by a certificate authority (CA)

type AccessPointDialer

type AccessPointDialer func(context.Context) (net.Conn, error)

DELETE IN: 2.6.0 AccessPointDialer is no longer used for communication with auth server GetDialer returns dialer that will connect to auth server API AccessPointDialer dials to auth access point remote HTTP API

type AgentCloser added in v1.0.0

type AgentCloser interface {
	io.Closer
	agent.Agent
}

type AuthContext

type AuthContext struct {
	// User is the user name
	User services.User
	// Checker is access checker
	Checker services.AccessChecker
}

AuthzContext is authorization context

func NewAdminContext

func NewAdminContext() (*AuthContext, error)

NewAdminContext returns new admin auth context

type AuthMiddleware

type AuthMiddleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessPoint
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
}

AuthMiddleware is authentication middleware checking every request

func (*AuthMiddleware) GetUser

func (a *AuthMiddleware) GetUser(r *http.Request) (interface{}, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*AuthMiddleware) ServeHTTP

func (a *AuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*AuthMiddleware) Wrap

func (a *AuthMiddleware) Wrap(h http.Handler)

Wrap sets next handler in chain

type AuthServer

type AuthServer struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	services.ClusterConfiguration
	events.IAuditLog
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func NewAuthServer

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, error)

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) AuthenticateSSHUser

func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates web user, creates and returns web session in case if authentication is successful

func (*AuthServer) AuthenticateUser

func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error

AuthenticateUser authenticates user based on the request type

func (*AuthServer) AuthenticateWebUser

func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull. In case if existing session id is used to authenticate, returns session associated with the existing session id instead of creating the new one

func (*AuthServer) ChangePassword

func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user passsword

func (*AuthServer) CheckOTP

func (s *AuthServer) CheckOTP(user string, otpToken string) error

CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.

func (*AuthServer) CheckPassword

func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.

func (*AuthServer) CheckPasswordWOToken

func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking OTP tokens used in case of SSH authentication, when token has been validated.

func (*AuthServer) CheckU2FSignResponse added in v1.3.0

func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error

func (*AuthServer) ClientCertPool

func (s *AuthServer) ClientCertPool() (*x509.CertPool, error)

ClientCertPool returns trusted x509 cerificate authority pool

func (*AuthServer) Close added in v1.0.0

func (a *AuthServer) Close() error

func (*AuthServer) CreateGithubAuthRequest

func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*AuthServer) CreateOIDCAuthRequest added in v1.0.0

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateSAMLAuthRequest

func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthServer) CreateSignupToken

func (s *AuthServer) CreateSignupToken(userv1 services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*AuthServer) CreateSignupU2FRegisterRequest added in v1.3.0

func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthServer) CreateUserWithOTP

func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) CreateUserWithU2FToken added in v1.3.0

func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)

func (*AuthServer) CreateUserWithoutOTP

func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP creates an account with the provided password and deletes the token afterwards.

func (*AuthServer) CreateWebSession added in v1.0.0

func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*AuthServer) DeleteNamespace

func (s *AuthServer) DeleteNamespace(namespace string) error

func (*AuthServer) DeleteOIDCConnector

func (s *AuthServer) DeleteOIDCConnector(connectorName string) error

func (*AuthServer) DeleteRemoteCluster

func (a *AuthServer) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it

func (*AuthServer) DeleteRole

func (a *AuthServer) DeleteRole(name string) error

func (*AuthServer) DeleteSAMLConnector

func (s *AuthServer) DeleteSAMLConnector(connectorName string) error

func (*AuthServer) DeleteToken

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteTrustedCluster

func (a *AuthServer) DeleteTrustedCluster(name string) error

DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*AuthServer) DeleteUser

func (a *AuthServer) DeleteUser(user string) error

func (*AuthServer) DeleteWebSession

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExchangeCerts

func (s *AuthServer) ExchangeCerts(req ExchangeCertsRequest) (*ExchangeCertsResponse, error)

DELETE IN: 2.6.0 This method is used to ugprade from 2.4.0 to 2.5.0 ExchangeCerts is a method to exchange TLS certificates between certificate authorities of the trusted clusters. A remote auth server that wishes to exchange TLS certs with a local auth server sends a request that consists of a public key already trusted by the local server and TLS certificate for the public key. The local server ensures that the TLS certificate was issued to the public key that is already trusted preventing random certificates to be injected by the remote server. This is a minor security enforcement.

func (*AuthServer) ExtendWebSession added in v1.0.0

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) GenerateHostCert

func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*AuthServer) GenerateServerKeys added in v1.0.0

func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthServer) GenerateToken

func (s *AuthServer) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token

func (*AuthServer) GenerateUserCerts

func (a *AuthServer) GenerateUserCerts(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, []byte, error)

GenerateUserCerts is used to generate user certificate, used internally for tests

func (*AuthServer) GetClusterName

func (a *AuthServer) GetClusterName() (services.ClusterName, error)

GetClusterName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetDomainName added in v1.2.6

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetOTPData

func (s *AuthServer) GetOTPData(user string) (string, []byte, error)

GetOTPData returns the OTP Key, Key URL, and the QR code.

func (*AuthServer) GetRemoteCluster

func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*AuthServer) GetRemoteClusters

func (a *AuthServer) GetRemoteClusters() ([]services.RemoteCluster, error)

GetRemoteClusters returns remote clusters with udpated statuses

func (*AuthServer) GetSignupTokenData

func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetTokens added in v1.0.0

func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*AuthServer) GetWebSession

func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)

func (*AuthServer) NewWebSession

func (s *AuthServer) NewWebSession(username string) (services.WebSession, error)

func (*AuthServer) PreAuthenticatedSignIn added in v1.3.0

func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)

PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge

func (*AuthServer) RegisterNewAuthServer

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken

func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.

func (*AuthServer) SetAuditLog

func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*AuthServer) SetClock

func (a *AuthServer) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*AuthServer) SignIn

func (s *AuthServer) SignIn(user string, password []byte) (services.WebSession, error)

DELETE IN: 2.6.0 This method is no longer used in 2.5.0 and is replaced by AuthenticateUser methods

func (*AuthServer) U2FSignRequest added in v1.3.0

func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthServer) UpsertOIDCConnector

func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthServer) UpsertSAMLConnector

func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthServer) UpsertTrustedCluster

func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*AuthServer) UpsertWebSession

func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error

func (*AuthServer) ValidateGithubAuthCallback

func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback redirect

func (*AuthServer) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*AuthServer) ValidateSAMLResponse

func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from SAML identity provider

func (*AuthServer) ValidateToken

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found

func (*AuthServer) WithUserLock

func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval

type AuthServerOption added in v1.0.0

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthTunnel added in v1.0.0

type AuthTunnel struct {
	// contains filtered or unexported fields
}

DELETE IN: 2.6.0 AuthTunnel is deprecated in 2.5.0 and is replaced by TLS auth server

AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then establishes an SSH tunnel which HTTP requests travel over. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.

Use auth.TunClient to connect to AuthTunnel

func NewTunnel added in v1.0.0

func NewTunnel(addr utils.NetAddr,
	hostSigner ssh.Signer,
	apiConf *APIConfig,
	opts ...ServerOption) (tunnel *AuthTunnel, err error)

NewTunnel creates a new SSH tunnel server which is not started yet. This is how "site API" (aka "auth API") is served: by creating an "tunnel server" which serves HTTP via SSH.

func (*AuthTunnel) Addr added in v1.0.0

func (s *AuthTunnel) Addr() string

func (*AuthTunnel) Close added in v1.0.0

func (s *AuthTunnel) Close() error

Close closes SSH server

func (*AuthTunnel) HandleNewChan added in v1.0.0

func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)

HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established

func (*AuthTunnel) Serve

func (s *AuthTunnel) Serve(l net.Listener) error

Serve starts serving requests on passed listener

func (*AuthTunnel) Start added in v1.0.0

func (s *AuthTunnel) Start() error

Start starts SSH server associated with auth server

type AuthWithRoles

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles

func NewAuthWithRoles(authServer *AuthServer,
	checker services.AccessChecker,
	user services.User,
	sessions session.Service,
	alog events.IAuditLog) *AuthWithRoles

NewAuthWithRoles creates new auth server with access control

func (*AuthWithRoles) ActivateCertAuthority

func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) AuthenticateSSHUser

func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*AuthWithRoles) AuthenticateWebUser

func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull

func (*AuthWithRoles) ChangePassword

func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error

func (*AuthWithRoles) CheckPassword

func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*AuthWithRoles) Close

func (a *AuthWithRoles) Close() error

func (*AuthWithRoles) CreateCertAuthority

func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error

func (*AuthWithRoles) CreateGithubAuthRequest

func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

func (*AuthWithRoles) CreateGithubConnector

func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) CreateOIDCAuthRequest added in v1.0.0

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateRemoteCluster

func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error

func (*AuthWithRoles) CreateRole

func (a *AuthWithRoles) CreateRole(role services.Role, ttl time.Duration) error

CreateRole creates a role.

func (*AuthWithRoles) CreateSAMLAuthRequest

func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthWithRoles) CreateSAMLConnector

func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) CreateSession added in v1.0.0

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken

func (a *AuthWithRoles) CreateSignupToken(user services.UserV1, ttl time.Duration) (token string, e error)

func (*AuthWithRoles) CreateUserWithOTP

func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithU2FToken added in v1.3.0

func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithoutOTP

func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

func (*AuthWithRoles) CreateWebSession added in v1.0.0

func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)

func (*AuthWithRoles) DeactivateCertAuthority

func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteAllCertAuthorities

func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*AuthWithRoles) DeleteAllNamespaces

func (a *AuthWithRoles) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*AuthWithRoles) DeleteAllNodes

func (a *AuthWithRoles) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*AuthWithRoles) DeleteAllProxies

func (a *AuthWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*AuthWithRoles) DeleteAllRemoteClusters

func (a *AuthWithRoles) DeleteAllRemoteClusters() error

func (*AuthWithRoles) DeleteAllReverseTunnels

func (a *AuthWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*AuthWithRoles) DeleteAllRoles

func (a *AuthWithRoles) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*AuthWithRoles) DeleteAllTunnelConnections

func (a *AuthWithRoles) DeleteAllTunnelConnections() error

func (*AuthWithRoles) DeleteAllUsers

func (a *AuthWithRoles) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteGithubConnector

func (a *AuthWithRoles) DeleteGithubConnector(id string) error

func (*AuthWithRoles) DeleteNamespace

func (a *AuthWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*AuthWithRoles) DeleteOIDCConnector added in v1.0.0

func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error

func (*AuthWithRoles) DeleteRemoteCluster

func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteRole

func (a *AuthWithRoles) DeleteRole(name string) error

DeleteRole deletes role by name

func (*AuthWithRoles) DeleteSAMLConnector

func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error

func (*AuthWithRoles) DeleteToken added in v1.0.0

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteTrustedCluster

func (a *AuthWithRoles) DeleteTrustedCluster(name string) error

func (*AuthWithRoles) DeleteTunnelConnection

func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*AuthWithRoles) DeleteTunnelConnections

func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error

func (*AuthWithRoles) DeleteUser

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent added in v1.0.0

func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error

func (*AuthWithRoles) ExchangeCerts

ExchangeCerts exchanges TLS certificates for established host certificate authorities

func (*AuthWithRoles) ExtendWebSession added in v1.0.0

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)

func (*AuthWithRoles) GenerateHostCert

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateServerKeys

func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthWithRoles) GenerateToken

func (a *AuthWithRoles) GenerateToken(req GenerateTokenRequest) (string, error)

func (*AuthWithRoles) GenerateUserCert

func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

func (*AuthWithRoles) GetAllTunnelConnections

func (a *AuthWithRoles) GetAllTunnelConnections() ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetAnyCertAuthority

func (a *AuthWithRoles) GetAnyCertAuthority(id services.CertAuthID) (services.CertAuthority, error)

func (*AuthWithRoles) GetAuthPreference

func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

func (*AuthWithRoles) GetCertAuthority

func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error)

func (*AuthWithRoles) GetClusterConfig

func (a *AuthWithRoles) GetClusterConfig() (services.ClusterConfig, error)

GetClusterConfig gets cluster level configuration.

func (*AuthWithRoles) GetClusterName

func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*AuthWithRoles) GetDialer

func (a *AuthWithRoles) GetDialer() AccessPointDialer

func (*AuthWithRoles) GetDomainName added in v1.2.6

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetGithubConnector

func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

func (*AuthWithRoles) GetGithubConnectors

func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

func (*AuthWithRoles) GetLocalClusterName

func (a *AuthWithRoles) GetLocalClusterName() (string, error)

func (*AuthWithRoles) GetNamespace

func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*AuthWithRoles) GetNamespaces

func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*AuthWithRoles) GetNodes added in v1.0.0

func (a *AuthWithRoles) GetNodes(namespace string) ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetOTPData

func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)

func (*AuthWithRoles) GetProxies added in v1.0.0

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetRemoteCluster

func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

func (*AuthWithRoles) GetRemoteClusters

func (a *AuthWithRoles) GetRemoteClusters() ([]services.RemoteCluster, error)

func (*AuthWithRoles) GetReverseTunnel

func (a *AuthWithRoles) GetReverseTunnel(name string) (services.ReverseTunnel, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0

func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetRole

func (a *AuthWithRoles) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*AuthWithRoles) GetRoles

func (a *AuthWithRoles) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*AuthWithRoles) GetSAMLConnector

func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

func (*AuthWithRoles) GetSAMLConnectors

func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

func (*AuthWithRoles) GetSession

func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk added in v1.0.0

func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0

func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions

func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)

func (*AuthWithRoles) GetSignupToken

func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)

func (*AuthWithRoles) GetSignupTokenData

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)

func (*AuthWithRoles) GetSignupU2FRegisterRequest added in v1.3.0

func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthWithRoles) GetStaticTokens

func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthWithRoles) GetToken

func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)

func (*AuthWithRoles) GetTokens added in v1.0.0

func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetTrustedCluster

func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*AuthWithRoles) GetTrustedClusters

func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*AuthWithRoles) GetTunnelConnections

func (a *AuthWithRoles) GetTunnelConnections(clusterName string) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetU2FSignRequest added in v1.3.0

func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthWithRoles) GetUser added in v1.0.0

func (a *AuthWithRoles) GetUser(name string) (services.User, error)

func (*AuthWithRoles) GetUsers

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

func (*AuthWithRoles) PostSessionChunk added in v1.0.0

func (a *AuthWithRoles) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error

func (*AuthWithRoles) PostSessionSlice

func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error

func (*AuthWithRoles) PreAuthenticatedSignIn added in v1.3.0

func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)

func (*AuthWithRoles) RegisterNewAuthServer

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken

func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

func (*AuthWithRoles) SearchEvents added in v1.0.0

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SearchSessionEvents

func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SetAuthPreference

func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error

func (*AuthWithRoles) SetClusterConfig

func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error

SetClusterConfig sets cluster level configuration.

func (*AuthWithRoles) SetClusterName

func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*AuthWithRoles) SetStaticTokens

func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*AuthWithRoles) SignIn

func (a *AuthWithRoles) SignIn(user string, password []byte) (services.WebSession, error)

DELETE IN: 2.6.0 This method is no longer used in 2.5.0 and is replaced by AuthenticateUser methods

func (*AuthWithRoles) UpdateSession added in v1.0.0

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0

func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error

func (*AuthWithRoles) UpsertGithubConnector

func (a *AuthWithRoles) UpsertGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) UpsertLocalClusterName

func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error

func (*AuthWithRoles) UpsertNamespace

func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*AuthWithRoles) UpsertNode added in v1.0.0

func (a *AuthWithRoles) UpsertNode(s services.Server) error

func (*AuthWithRoles) UpsertOIDCConnector added in v1.0.0

func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthWithRoles) UpsertPassword

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error

func (*AuthWithRoles) UpsertProxy added in v1.0.0

func (a *AuthWithRoles) UpsertProxy(s services.Server) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error

func (*AuthWithRoles) UpsertRole

func (a *AuthWithRoles) UpsertRole(role services.Role, ttl time.Duration) error

UpsertRole creates or updates role

func (*AuthWithRoles) UpsertSAMLConnector

func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) UpsertTOTP

func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error

func (*AuthWithRoles) UpsertToken

func (a *AuthWithRoles) UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error

func (*AuthWithRoles) UpsertTrustedCluster

func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) (services.TrustedCluster, error)

func (*AuthWithRoles) UpsertTunnelConnection

func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error

func (*AuthWithRoles) UpsertUser added in v1.0.0

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateGithubAuthCallback

func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

func (*AuthWithRoles) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

func (*AuthWithRoles) ValidateSAMLResponse

func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

func (*AuthWithRoles) ValidateTrustedCluster

func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*AuthWithRoles) WaitForDelivery

func (a *AuthWithRoles) WaitForDelivery(context.Context) error

type AuthenticateSSHRequest

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issues
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
}

AuthenticateSSHRequest is a request to authenticate SSH client user via CLI

func (*AuthenticateSSHRequest) CheckAndSetDefaults

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest

type AuthenticateUserRequest struct {
	// Username is a user name
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// U2F is a sign response crdedentials used to authenticate via U2F
	U2F *U2FSignResponseCreds `json:"u2f,omitempty"`
	// OTP is a password and second factor, used in two factor authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
}

AuthenticateUserRequest is a request to authenticate interactive user

func (*AuthenticateUserRequest) CheckAndSetDefaults

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*AuthContext, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer

func NewAuthorizer(access services.Access, identity services.Identity, trust services.Trust) (Authorizer, error)

NewAuthorizer returns new authorizer using backends

func NewRoleAuthorizer

func NewRoleAuthorizer(clusterConfig services.ClusterConfig, r teleport.Role) (Authorizer, error)

NewRoleAuthorizer authorizes everyone as predefined role, used in tests

func NewUserAuthorizer

func NewUserAuthorizer(username string, identity services.Identity, access services.Access) (Authorizer, error)

NewUserAuthorizer authorizes everyone as predefined local user

type BuiltinRole

type BuiltinRole struct {
	// GetClusterConfig fetches cluster configuration.
	GetClusterConfig GetClusterConfigFunc

	// Role is the builtin role this username is associated with
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string
}

BuiltinRole is the role of the Teleport service.

type Client

type Client struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewClient

func NewClient(addr string, dialer Dialer, params ...roundtrip.ClientParam) (*Client, error)

NewAuthClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH

func NewTLSClient

func NewTLSClient(addrs []utils.NetAddr, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClient returns new client using TLS mutual authentication

func NewTLSClientWithDialer

func NewTLSClientWithDialer(dialContext DialContext, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClientWithDialer returns new TLS client that uses mutual TLS authenticate and dials the remote server using dialer

func (*Client) ActivateCertAuthority

func (c *Client) ActivateCertAuthority(id services.CertAuthID) error

ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.

func (*Client) AddUserLoginAttempt

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser

func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*Client) AuthenticateWebUser

func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull

func (*Client) ChangePassword

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user password

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close added in v1.0.0

func (c *Client) Close() error

func (*Client) CreateCertAuthority

func (c *Client) CreateCertAuthority(ca services.CertAuthority) error

CreateCertAuthority inserts new cert authority

func (*Client) CreateGithubAuthRequest

func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Client) CreateGithubConnector

func (c *Client) CreateGithubConnector(connector services.GithubConnector) error

CreateGithubConnector creates a new Github connector

func (*Client) CreateOIDCAuthRequest added in v1.0.0

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*Client) CreateRemoteCluster

func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateRole

func (c *Client) CreateRole(role services.Role, ttl time.Duration) error

CreateRole creates a role.

func (*Client) CreateSAMLAuthRequest

func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAML AuthnRequest

func (*Client) CreateSAMLConnector

func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error

CreateOIDCConnector creates SAML connector

func (*Client) CreateSession added in v1.0.0

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken

func (c *Client) CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*Client) CreateUserWithOTP

func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.

func (*Client) CreateUserWithU2FToken added in v1.3.0

func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

CreateUserWithU2FToken creates user account with provided token and U2F sign response

func (*Client) CreateUserWithoutOTP

func (c *Client) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP validates a given token creates a user with the given password and deletes the token afterwards.

func (*Client) CreateWebSession added in v1.0.0

func (c *Client) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for a user

func (*Client) DeactivateCertAuthority

func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error

DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.

func (*Client) Delete

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAllCertAuthorities

func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*Client) DeleteAllNamespaces

func (c *Client) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*Client) DeleteAllNodes

func (c *Client) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*Client) DeleteAllProxies

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*Client) DeleteAllRoles

func (c *Client) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*Client) DeleteAllTunnelConnections

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers

func (c *Client) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*Client) DeleteCertAuthority added in v1.0.0

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteGithubConnector

func (c *Client) DeleteGithubConnector(id string) error

DeleteGithubConnector deletes the specified Github connector

func (*Client) DeleteNamespace

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteOIDCConnector added in v1.0.0

func (c *Client) DeleteOIDCConnector(connectorID string) error

DeleteOIDCConnector deletes OIDC connector by ID

func (*Client) DeleteRemoteCluster

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel added in v1.0.0

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteRole

func (c *Client) DeleteRole(name string) error

DeleteRole deletes role by name

func (*Client) DeleteSAMLConnector

func (c *Client) DeleteSAMLConnector(connectorID string) error

DeleteSAMLConnector deletes SAML connector by ID

func (*Client) DeleteSession

func (c *Client) DeleteSession(namespace, id string) error

DeleteSession deletes a session by ID

func (*Client) DeleteToken added in v1.0.0

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token

func (*Client) DeleteTrustedCluster

func (c *Client) DeleteTrustedCluster(name string) error

func (*Client) DeleteTunnelConnection

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteUser

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent added in v1.0.0

func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)

func (*Client) ExchangeCerts

func (c *Client) ExchangeCerts(req ExchangeCertsRequest) (*ExchangeCertsResponse, error)

DELETE IN: 2.6.0 ExchangeCerts exchanges TLS certificates for established host certificate authorities

func (*Client) ExtendWebSession added in v1.0.0

func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateServerKeys

func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

RenewCredentials returns a new set of credentials associated with the server with the same privileges

func (*Client) GenerateToken

func (c *Client) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

If token is not supplied, it will be auto generated and returned. If TTL is not supplied, token will be valid until removed.

func (*Client) GenerateUserCert

func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

DELETE IN: 2.6.0 This code is obsolete due to TLS refactoring GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) GenerateUserCertBundle

func (c *Client) GenerateUserCertBundle(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, []services.CertAuthorityV1, error)

DELETE IN: 2.6.0 This code is obsolete due to TLS refactoring GenerateUserCertBundle takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate. It also includes the host certificate that can be added to the known_hosts file.

func (*Client) Get

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAgent

func (c *Client) GetAgent() (AgentCloser, error)

GetAgent creates an SSH key agent (similar object to what CLI uses), this key agent fetches user keys directly from the auth server using a custom channel created via "ReqWebSessionAgent" reguest

func (*Client) GetAllTunnelConnections

func (c *Client) GetAllTunnelConnections() ([]services.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAnyCertAuthority

func (c *Client) GetAnyCertAuthority(id services.CertAuthID) (services.CertAuthority, error)

GetAnyCertAuthority returns certificate authority by given id whether it's activated or not

func (*Client) GetAuthPreference

func (c *Client) GetAuthPreference() (services.AuthPreference, error)

func (*Client) GetAuthServers added in v1.0.0

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetClusterConfig

func (c *Client) GetClusterConfig() (services.ClusterConfig, error)

GetClusterConfig returns cluster level configuration information.

func (*Client) GetClusterName

func (c *Client) GetClusterName() (services.ClusterName, error)

func (*Client) GetDialer

func (c *Client) GetDialer() AccessPointDialer

DELETE IN: 2.6.0 GetDialer and AccessPoint SSH subsystem are no longer used in Teleport as of 2.5.0 and should be removed. GetDialer returns dialer that will connect to auth server API

func (*Client) GetDomainName added in v1.2.6

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetGithubConnector

func (c *Client) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

GetGithubConnector returns the specified Github connector

func (*Client) GetGithubConnectors

func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

GetGithubConnectors returns all configured Github connectors

func (*Client) GetLocalClusterName

func (c *Client) GetLocalClusterName() (string, error)

GetLocalClusterName returns local cluster name

func (*Client) GetNamespace

func (c *Client) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces

func (c *Client) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetNodes added in v1.0.0

func (c *Client) GetNodes(namespace string) ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector added in v1.0.0

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

GetOIDCConnector returns OIDC connector information by id

func (*Client) GetOIDCConnectors added in v1.0.0

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

GetOIDCConnector gets OIDC connectors list

func (*Client) GetProxies added in v1.0.0

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetRemoteCluster

func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters

func (c *Client) GetRemoteClusters() ([]services.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetReverseTunnel

func (c *Client) GetReverseTunnel(name string) (services.ReverseTunnel, error)

GetReverseTunnel returns reverse tunnel by name

func (*Client) GetReverseTunnels added in v1.0.0

func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetRole

func (c *Client) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*Client) GetRoles

func (c *Client) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*Client) GetSAMLConnector

func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

GetOIDCConnector returns SAML connector information by id

func (*Client) GetSAMLConnectors

func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

GetSAMLConnectors gets SAML connectors list

func (*Client) GetSession

func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk added in v1.0.0

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents added in v1.0.0

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions

func (c *Client) GetSessions(namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData

func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetSignupU2FRegisterRequest added in v1.3.0

func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite tokenx

func (*Client) GetStaticTokens

func (c *Client) GetStaticTokens() (services.StaticTokens, error)

func (*Client) GetToken

func (c *Client) GetToken(token string) (*services.ProvisionToken, error)

GetToken returns provisioning token

func (*Client) GetTokens added in v1.0.0

func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport added in v1.0.0

func (c *Client) GetTransport() *http.Transport

func (*Client) GetTrustedCluster

func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*Client) GetTrustedClusters

func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*Client) GetTunnelConnections

func (c *Client) GetTunnelConnections(clusterName string) ([]services.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetU2FAppID added in v1.3.0

func (c *Client) GetU2FAppID() (string, error)

GetU2FAppID returns U2F settings, like App ID and Facets

func (*Client) GetU2FSignRequest added in v1.3.0

func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

GetU2FSignRequest generates request for user trying to authenticate with U2F token

func (*Client) GetUser added in v1.0.0

func (c *Client) GetUser(name string) (services.User, error)

GetUser returns a list of usernames registered in the system

func (*Client) GetUserLoginAttempts

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetUsers

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0

func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) PostForm

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionChunk added in v1.0.0

func (c *Client) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error

PostSessionChunk allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) PostSessionSlice

func (c *Client) PostSessionSlice(slice events.SessionSlice) error

PostSessionSlice allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) PreAuthenticatedSignIn added in v1.3.0

func (c *Client) PreAuthenticatedSignIn(user string) (services.WebSession, error)

PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge

func (*Client) PutJSON added in v1.0.0

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer

func (c *Client) RegisterNewAuthServer(token string) error

RegisterNewAuthServer is used to register new auth server with token

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) SearchEvents added in v1.0.0

func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SearchSessionEvents

func (c *Client) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetAuthPreference

func (c *Client) SetAuthPreference(cap services.AuthPreference) error

func (*Client) SetClusterConfig

func (c *Client) SetClusterConfig(cc services.ClusterConfig) error

SetClusterConfig sets cluster level configuration information.

func (*Client) SetClusterName

func (c *Client) SetClusterName(cn services.ClusterName) error

func (*Client) SetStaticTokens

func (c *Client) SetStaticTokens(st services.StaticTokens) error

func (*Client) SignIn

func (c *Client) SignIn(user string, password []byte) (services.WebSession, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) TLSConfig

func (c *Client) TLSConfig() *tls.Config

TLSConfig returns TLS config used by the client, could return nil if the client is not using TLS

func (*Client) UpdateSession added in v1.0.0

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UpsertAuthServer added in v1.0.0

func (c *Client) UpsertAuthServer(s services.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0

func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertGithubConnector

func (c *Client) UpsertGithubConnector(connector services.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector

func (*Client) UpsertLocalClusterName

func (c *Client) UpsertLocalClusterName(string) error

UpsertLocalClusterName upserts local cluster name

func (*Client) UpsertNamespace

func (c *Client) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertNode added in v1.0.0

func (c *Client) UpsertNode(s services.Server) error

UpsertNode is used by SSH servers to reprt their presence to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertOIDCConnector added in v1.0.0

func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error

UpsertOIDCConnector updates or creates OIDC connector

func (*Client) UpsertPassword

func (c *Client) UpsertPassword(user string, password []byte) error

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0

func (c *Client) UpsertProxy(s services.Server) error

UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertRole

func (c *Client) UpsertRole(role services.Role, ttl time.Duration) error

UpsertRole creates or updates role

func (*Client) UpsertSAMLConnector

func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error

UpsertSAMLConnector updates or creates OIDC connector

func (*Client) UpsertTrustedCluster

func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

func (*Client) UpsertTunnelConnection

func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser added in v1.0.0

func (c *Client) UpsertUser(user services.User) error

UpsertUser user updates or inserts user entry

func (*Client) ValidateGithubAuthCallback

func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback added in v1.0.0

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse

func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster

func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*Client) WaitForDelivery

func (c *Client) WaitForDelivery(context.Context) error

type ClientI

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	services.Presence
	services.Access
	WebService
	session.Service
	services.ClusterConfiguration

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successfull, main cluster
	// adds remote cluster
	ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	GetDomainName() (string, error)
	// GenerateServerKeys generates new host private keys and certificates (signed
	// by the host certificate authority) for a node
	GenerateServerKeys(GenerateServerKeysRequest) (*PackedKeys, error)
	// DELETE IN: 2.6.0
	// AccessPointDialer is no longer used for communication with auth server
	// GetDialer returns dialer that will connect to auth server API
	GetDialer() AccessPointDialer
	// AuthenticateWebUser authenticates web user, creates and  returns web session
	// in case if authentication is successfull
	AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
	// short lived certificates as a result
	AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// DELETE IN: 2.6.0
	// ExchangeCerts exchanges TLS certificates between host certificate authorities of trusted clusters
	ExchangeCerts(req ExchangeCertsRequest) (*ExchangeCertsResponse, error)
}

ClientI is a client to Auth service

func NewAdminAuthServer

func NewAdminAuthServer(authServer *AuthServer, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access

type DialContext

type DialContext func(in context.Context, network, addr string) (net.Conn, error)

DialContext is a function that dials to the specified address

func NewAddrDialer

func NewAddrDialer(addrs []utils.NetAddr) DialContext

NewAddrDialer returns new dialer from a list of addresses

type Dialer added in v1.0.0

type Dialer func(network, addr string) (net.Conn, error)

type ExchangeCertsRequest

type ExchangeCertsRequest struct {
	// PublicKey is public key of the trusted certificate authority
	PublicKey []byte `json:"public_key"`
	// TLSCert is TLS certificate associated with the public key
	TLSCert []byte `json:"tls_cert"`
}

DELETE IN: 2.6.0 This method is used only for upgrades from 2.4.0 to 2.5.0 ExchangeCertsRequest is a request to exchange TLS certificates for clusters that already trust each other

func (*ExchangeCertsRequest) CheckAndSetDefaults

func (req *ExchangeCertsRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type ExchangeCertsResponse

type ExchangeCertsResponse struct {
	// TLSCert is a PEM encoded certificate of a local certificate authority
	TLSCert []byte `json:"tls_cert"`
}

DELETE IN: 2.6.0 ExchangeCertsResponse is a resposne to exchange certificates request

type FakeSSHConnection added in v1.0.0

type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

FakeSSHConnection implements net.Conn interface on top of the ssh.Cnahhel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection

func (*FakeSSHConnection) Close added in v1.0.0

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr added in v1.0.0

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read added in v1.0.0

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr added in v1.0.0

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write added in v1.0.0

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type GenerateServerKeysRequest

type GenerateServerKeysRequest struct {
	// HostID is a unique ID of the host
	HostID string `json:"host_id"`
	// NodeName is a user friendly host name
	NodeName string `json:"node_name"`
	// Roles is a list of roles assigned to node
	Roles teleport.Roles `json:"roles"`
	// AdditionalPrincipals is a list of additional principals
	// to include in OpenSSH and X509 certificates
	AdditionalPrincipals []string `json:"additional_principals"`
}

GenerateServerKeysRequest is a request to generate server keys

func (*GenerateServerKeysRequest) CheckAndSetDefaults

func (req *GenerateServerKeysRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GenerateTokenRequest

type GenerateTokenRequest struct {
	// Token if provided sets the token value, otherwise will be auto generated
	Token string `json:"token"`
	// Roles is a list of roles this token authenticates as
	Roles teleport.Roles `json:"roles"`
	// TTL is a time to live for token
	TTL time.Duration `json:"ttl"`
}

GenerateTokenRequest is a request to generate auth token

func (*GenerateTokenRequest) CheckAndSetDefaults

func (req *GenerateTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of request

type GetClusterConfigFunc

type GetClusterConfigFunc func() (services.ClusterConfig, error)

GetClusterConfigFunc returns a cached services.ClusterConfig.

type GithubAuthResponse

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity services.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session services.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req services.GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents Github auth callback validation response

type HandlerWithAuthFunc

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type Identity added in v1.0.0

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertBytes is a PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertBytes []byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is collection of certificates and signers that represent server identity

func NewServerIdentity

func NewServerIdentity(clt *AuthServer, hostID string, role teleport.Role) (*Identity, error)

NewServerIdentity generates new server identity, used in tests

func ReadIdentity added in v1.0.0

func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadIdentityFromKeyPair added in v1.0.0

func ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes, tlsCACertBytes []byte) (*Identity, error)

ReadIdentityFromKeyPair reads TLS identity from key pair

func ReadSSHIdentityFromKeyPair

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads identity from initialized keypair

func ReadTLSIdentityFromKeyPair

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertBytes []byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads TLS identity from key pair

func (*Identity) HasPrincipals

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether identity has principals

func (*Identity) HasTLSConfig

func (i *Identity) HasTLSConfig() bool

HasTSLConfig returns true if this identity has TLS certificate and private key

func (*Identity) TLSConfig

func (i *Identity) TLSConfig() (*tls.Config, error)

TLSConfig returns TLS config for mutual TLS authentication can return NotFound error if there are no TLS credentials setup for identity

type IdentityID added in v1.0.0

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals added in v1.0.0

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) HostID

func (id *IdentityID) HostID() (string, error)

HostID is host ID part of the host UUID that consists cluster name

func (*IdentityID) String added in v1.0.0

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService

type IdentityService interface {
	// UpsertPassword updates web access password for the user
	UpsertPassword(user string, password []byte) error

	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(connector services.OIDCConnector) error

	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

	// GetOIDCConnector gets OIDC connectors list
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(connectorID string) error

	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

	// CreateSAMLConnector creates SAML connector
	CreateSAMLConnector(connector services.SAMLConnector) error

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(connector services.SAMLConnector) error

	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

	// GetSAMLConnector gets SAML connectors list
	GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(connectorID string) error

	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

	// CreateGithubConnector creates a new Github connector
	CreateGithubConnector(connector services.GithubConnector) error
	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(connector services.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(services.GithubAuthRequest) (*services.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

	// GetU2FSignRequest generates request for user trying to authenticate with U2F token
	GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

	// GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token
	GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error)

	// CreateUserWithU2FToken creates user account with provided token and U2F sign response
	CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

	// PreAuthenticatedSignIn is used get web session for a user that is already authenticated
	PreAuthenticatedSignIn(user string) (services.WebSession, error)

	// GetUser returns user by name
	GetUser(name string) (services.User, error)

	// UpsertUser user updates or inserts user entry
	UpsertUser(user services.User) error

	// DeleteUser deletes a user by username
	DeleteUser(user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers() ([]services.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the suplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// SignIn checks if the web access password is valid, and if it is valid
	// returns a secure web session id.
	SignIn(user string, password []byte) (services.WebSession, error)

	// CreateUserWithOTP creates account with provided token and password.
	// Account username and OTP key are taken from token data.
	// Deletes token after account creation.
	CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

	// CreateUserWithoutOTP validates a given token creates a user
	// with the given password and deletes the token afterwards.
	CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(GenerateTokenRequest) (string, error)

	// GenerateKeyPair generates SSH private/public key pair optionally protected
	// by password. If the pass parameter is an empty string, the key pair
	// is not password-protected.
	GenerateKeyPair(pass string) ([]byte, []byte, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCert takes the public key in the OpenSSH `authorized_keys`
	// plain text format, signs it using User Certificate Authority signing key and returns the
	// resulting certificate.
	GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

	// GetSignupTokenData returns token data for a valid token
	GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

	// CreateSignupToken creates one time token for creating account for the user
	// For each token it creates username and OTP key
	CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)
}

IdentityService manages identities and users

type InitConfig

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName services.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and hearbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Roles is a set of roles to create
	Roles []services.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//StaticTokens []services.ProvisionToken
	StaticTokens services.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor (off, otp, u2f) passed in from a configuration file.
	AuthPreference services.AuthPreference

	// AuditLog is used for emitting events to audit log
	AuditLog events.IAuditLog

	// ClusterConfig holds cluster level configuration.
	ClusterConfig services.ClusterConfig
}

InitConfig is auth server init config

type LocalUser

type LocalUser struct {
	// Username is local username
	Username string
}

LocalUsername is a local username

type OIDCAuthResponse added in v1.0.0

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a two factor authencication credentials

type PackedKeys

type PackedKeys struct {
	// Key is a private key
	Key []byte `json:"key"`
	// Cert is an SSH host cert
	Cert []byte `json:"cert"`
	// TLSCert is an X509 certificate
	TLSCert []byte `json:"tls_cert"`
	// TLSCACerts is a list of certificate authorities
	TLSCACerts [][]byte `json:"tls_ca_certs"`
}

PackedKeys is a collection of private key, SSH host certificate and TLS certificate and certificate authority issued the certificate

type PassCreds

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type Plugin

type Plugin interface {
	// AddHandlers adds handlers to the auth API server
	AddHandlers(srv *APIServer)
}

Plugin is auth API server extension setter

func GetPlugin

func GetPlugin() Plugin

GetPlugin returns auth API server plugin that allows injecting handlers

type ProvisioningService

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens() (tokens []services.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(token string) (*services.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a user token or a machine token
	DeleteToken(token string) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

	// RegisterNewAuthServer is used to register new auth server with token
	RegisterNewAuthServer(token string) error
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type RegisterUsingTokenRequest

type RegisterUsingTokenRequest struct {
	// HostID is a unique host ID, usually a UUID
	HostID string `json:"hostID"`
	// NodeName is a node name
	NodeName string `json:"node_name"`
	// Role is a system role, e.g. Proxy
	Role teleport.Role `json:"role"`
	// Token is an authentication token
	Token string `json:"token"`
	// AdditionalPrincipals is a list of additional principals
	AdditionalPrincipals []string `json:"additional_principals"`
}

RegisterUsingTokenRequest is a request to register with auth server using authentication token

func (*RegisterUsingTokenRequest) CheckAndSetDefaults

func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks for errors and sets defaults

type RemoteBuiltinRole

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster
	ClusterName string
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

type RemoteUser

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is a name of the remote cluster
	// of the user
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`
}

RemoteUser defines encoded remote user

type SAMLAuthResponse

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in SAMLAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req services.SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider

type SSHLoginResponse

type SSHLoginResponse struct {
	// User contains a logged in user informationn
	Username string `json:"username"`
	// Cert is a PEM encoded  signed certificate
	Cert []byte `json:"cert"`
	// TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

type ServerOption

type ServerOption func(s *AuthTunnel) error

ServerOption is the functional argument passed to the server

func SetLimiter added in v1.0.0

func SetLimiter(limiter *limiter.Limiter) ServerOption

SetLimiter sets rate and connection limiter for auth tunnel server

type SessionCreds

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds is a web session credentials

type TLSServer

type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
}

TLSServer is TLS auth server

func NewTLSServer

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) GetConfigForClient

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve

func (t *TLSServer) Serve(listener net.Listener) error

Serve takes TCP listener, upgrades to TLS using config and starts serving

type TLSServerConfig

type TLSServerConfig struct {
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is caching access point
	AccessPoint AccessPoint
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *AuthServer
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionLogger is a session logger
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
}

TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key

func NewTestAuthServer

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns new instances of Auth server

func (*TestAuthServer) Clock

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestAuthServer) NewCertificate

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by test auth server

func (*TestAuthServer) NewRemoteClient

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates new client to the remote server using identity generated for this certificate authority

func (*TestAuthServer) NewTestTLSServer

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server

func (*TestAuthServer) Trust

func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error

Trust adds other server host certificate authority as trusted

type TestAuthServerConfig

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
}

TestAuthServerConfig is auth server test config

func (*TestAuthServerConfig) CheckAndSetDefaults

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestIdentity

type TestIdentity struct {
	I   interface{}
	TTL time.Duration
}

TestIdentity is test identity spec used to generate identities in tests

func TestAdmin

func TestAdmin() TestIdentity

TestAdmin returns TestIdentity for admin user

func TestBuiltin

func TestBuiltin(role teleport.Role) TestIdentity

TestBuiltin returns TestIdentity for builtin user

func TestNop

func TestNop() TestIdentity

TestNop returns "Nop" - unauthenticated identity

func TestUser

func TestUser(username string) TestIdentity

TestUser returns TestIdentity for local user

type TestTLSServer

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port

func (*TestTLSServer) Addr

func (t *TestTLSServer) Addr() net.Addr

Addr returns address of TLS server

func (*TestTLSServer) Auth

func (t *TestTLSServer) Auth() *AuthServer

Auth returns auth server used by this TLS server

func (*TestTLSServer) CertPool

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns cert pool that auth server represents

func (*TestTLSServer) ClientTLSConfig

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns client TLS config based on the identity

func (*TestTLSServer) Clock

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestTLSServer) Close

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName

func (t *TestTLSServer) ClusterName() string

ClusterName returns name of test TLS server cluster

func (*TestTLSServer) NewClient

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns new client to test server authenticated with identity

func (*TestTLSServer) NewClientFromWebSession

func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)

NewClientFromWebSession returns new authenticated client from web session

func (*TestTLSServer) Start

func (t *TestTLSServer) Start() error

Start starts TLS server on loopback address on the first lisenting socket

func (*TestTLSServer) Stop

func (t *TestTLSServer) Stop() error

Stop stops listening server, but does not close the auth backend

type TestTLSServerConfig

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.LimiterConfig
	// Listener is a listener to serve requests on
	Listener net.Listener
}

TestTLSServerConfig is a configuration for test TLS server

func (*TestTLSServerConfig) CheckAndSetDefaults

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authoritiy
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

func AuthoritiesToTrustedCerts

func AuthoritiesToTrustedCerts(authorities []services.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure

func (*TrustedCerts) SSHCertPublicKeys

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys

type TunClient

type TunClient struct {
	sync.Mutex

	// embed auth API HTTP client
	Client

	*logrus.Entry
	// contains filtered or unexported fields
}

DELETE IN: 2.6.0 TunClient is deprecated in 2.5.0 and is replaced by TLS auth server

TunClient is HTTP client that works over SSH tunnel This is done in order to authenticate various teleport roles using existing SSH certificate infrastructure

func NewTunClient

func NewTunClient(purpose string,
	authServers []utils.NetAddr,
	user string,
	authMethods []ssh.AuthMethod,
	opts ...TunClientOption) (*TunClient, error)

NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate

  • purpose is mostly for debuggin, like "web client" or "reverse tunnel client"
  • authServers: list of auth servers in this cluster (they are supposed to be in sync)
  • authMethods: how to authenticate (via cert, web passwowrd, etc)
  • opts : functional arguments for further extending

func (*TunClient) Close

func (c *TunClient) Close() error

Close releases all the resources allocated for this client

func (*TunClient) Dial added in v1.0.0

func (c *TunClient) Dial(network, address string) (net.Conn, error)

Dial dials to Auth server's HTTP API over SSH tunnel.

func (*TunClient) GetAgent

func (c *TunClient) GetAgent() (AgentCloser, error)

GetAgent creates an SSH key agent (similar object to what CLI uses), this key agent fetches user keys directly from the auth server using a custom channel created via "ReqWebSessionAgent" reguest

func (*TunClient) GetDialer

func (c *TunClient) GetDialer() AccessPointDialer

GetDialer returns dialer that will connect to auth server API

func (*TunClient) String

func (c *TunClient) String() string

type TunClientOption added in v1.0.0

type TunClientOption func(t *TunClient)

TunClientOption is functional option for tunnel client

func TunClientStorage added in v1.0.0

func TunClientStorage(storage utils.AddrStorage) TunClientOption

TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers

func TunDisableRefresh

func TunDisableRefresh() TunClientOption

TunDisableRefresh will disable refreshing the list of auth servers. This is required when requesting user certificates because we only allow a single HTTP request to be made over the tunnel. This is because each request does keyAuth, and for situations like password+otp where the OTP token is invalid after the first use, that means all other requests would fail.

type U2FSignResponseCreds

type U2FSignResponseCreds struct {
	// SignResponse is a U2F sign resposne
	SignResponse u2f.SignResponse `json:"sign_response"`
}

U2FSignResponseCreds is a U2F signature sent by U2F device

type ValidateTrustedClusterRequest

type ValidateTrustedClusterRequest struct {
	Token string                   `json:"token"`
	CAs   []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequest) ToRaw

type ValidateTrustedClusterRequestRaw

type ValidateTrustedClusterRequestRaw struct {
	Token string   `json:"token"`
	CAs   [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative

type ValidateTrustedClusterResponse

type ValidateTrustedClusterResponse struct {
	CAs []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw

type ValidateTrustedClusterResponseRaw

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative

type WebService

type WebService interface {
	// GetWebSessionInfo checks if a web sesion is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(user string, sid string) (services.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(user string) (services.WebSession, error)
	// DeleteWebSession deletes a web session for this user by id
	DeleteWebSession(user string, sid string) error
}

WebService implements features used by Web UI clients

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL