Documentation ¶
Index ¶
- Constants
- type ClientDatabaseConnectionTester
- type ConnectionTester
- type ConnectionTesterConfig
- type DatabaseConnectionTester
- type DatabaseConnectionTesterConfig
- type ExternalAuditStorageConnectionTester
- type ExternalAuditStorageConnectionTesterConfig
- type KubeConnectionTester
- type KubeConnectionTesterConfig
- type KubernetesImpersonation
- type SSHConnectionTester
- type SSHConnectionTesterConfig
- type TestConnectionRequest
Constants ¶
const (
	SSHNodeSetupMethodScript            = "script"
	SSHNodeSetupMethodConnectMyComputer = "connect_my_computer"
)
const (
	SSHPrincipalSelectionModeManual = "manual"
	SSHPrincipalSelectionModeAuto   = "auto"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClientDatabaseConnectionTester ¶
type ClientDatabaseConnectionTester interface {
	client.ALPNAuthClient
	services.ConnectionsDiagnostic
	apiclient.GetResourcesClient
}
ClientDatabaseConnectionTester contains the required auth.ClientI methods to test a Database Connection
type ConnectionTester ¶
type ConnectionTester interface {
	// TestConnection implementations should be as close to a real-world scenario as possible.
	//
	// They should create a ConnectionDiagnostic and pass its id in their certificate when trying to connect to the resource.
	// The agent/server/node should check for the id in the certificate and add traces to the ConnectionDiagnostic
	// according to whether it passed certain checkpoints.
	TestConnection(context.Context, TestConnectionRequest) (types.ConnectionDiagnostic, error)
}
ConnectionTester is a mechanism to test resource access. The result is a list of traces generated at multiple checkpoints. If the connection fails, those traces tell the end user which checkpoint failed and why.
func ConnectionTesterForKind ¶
func ConnectionTesterForKind(cfg ConnectionTesterConfig) (ConnectionTester, error)
ConnectionTesterForKind returns the proper Tester for the resource kind in cfg.ResourceKind. It returns trace.NotImplemented if the resource kind does not have a tester.
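The mechanism described above, as an added self-contained Go illustration (this is example code, not code from this package or from Teleport): the tester creates a diagnostic, carries its ID in the certificate it presents, and the node side looks the diagnostic up by that ID and appends a trace for each checkpoint it evaluates, so the end result shows exactly where a failing test stopped. The registry, certificate, fakeNode, Request and sshTester names, the three checkpoint names and the sample node data are inventions of the example; the real implementation goes through the auth server and a real SSH handshake rather than an in-memory map and a method call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// TraceStatus is the outcome recorded at one checkpoint.
type TraceStatus string

const TraceSuccess, TraceFailed TraceStatus = "success", "failed"

// Trace is one checkpoint result; Diagnostic stands in for types.ConnectionDiagnostic.
type Trace struct {
	Type    string // "connectivity", "rbac-node" or "rbac-principal"
	Status  TraceStatus
	Details string
}

type Diagnostic struct {
	ID      string
	Success bool // cleared by the first failed checkpoint
	Traces  []Trace
}

func (d *Diagnostic) add(typ string, st TraceStatus, details string) {
	d.Traces = append(d.Traces, Trace{typ, st, details})
	if st == TraceFailed {
		d.Success = false
	}
}

// registry stands in for the backend both sides can reach (services.ConnectionsDiagnostic).
type registry map[string]*Diagnostic

type certificate struct{ Principal, DiagnosticID string } // stand-in for the user cert

// fakeNode models the agent side: it looks the diagnostic up by the ID carried in
// the cert and appends a trace for each checkpoint it evaluates.
type fakeNode struct {
	name          string
	reachable     bool
	allowedLogins map[string]bool // logins the user's roles permit on this node (RBAC)
	localUsers    map[string]bool // accounts that actually exist on the host
	reg           registry
}

func (n *fakeNode) handshake(cert certificate) error {
	d, ok := n.reg[cert.DiagnosticID]
	if !ok {
		return errors.New("unknown diagnostic id")
	}
	if !n.allowedLogins[cert.Principal] {
		d.add("rbac-node", TraceFailed, "roles do not allow login "+cert.Principal)
		return errors.New("access denied")
	}
	d.add("rbac-node", TraceSuccess, "roles allow login "+cert.Principal)
	if !n.localUsers[cert.Principal] {
		d.add("rbac-principal", TraceFailed, "principal "+cert.Principal+" does not exist on the node")
		return errors.New("invalid principal")
	}
	d.add("rbac-principal", TraceSuccess, "principal "+cert.Principal+" exists on the node")
	return nil
}

// Request and Tester mirror TestConnectionRequest and ConnectionTester.
type Request struct{ ResourceKind, ResourceName, SSHPrincipal string }

type Tester interface {
	TestConnection(context.Context, Request) (*Diagnostic, error)
}

type sshTester struct {
	reg  registry
	node *fakeNode
}

// TestConnection runs the checkpoints in order; the node's traces arrive via the registry.
func (t *sshTester) TestConnection(_ context.Context, req Request) (*Diagnostic, error) {
	d := &Diagnostic{ID: fmt.Sprintf("diag-%d", len(t.reg)+1), Success: true}
	t.reg[d.ID] = d
	if req.ResourceName != t.node.name || !t.node.reachable {
		d.add("connectivity", TraceFailed, "node "+req.ResourceName+" is unreachable")
		return d, nil // stop at the first failed checkpoint
	}
	d.add("connectivity", TraceSuccess, "node "+req.ResourceName+" is reachable")
	_ = t.node.handshake(certificate{req.SSHPrincipal, d.ID}) // outcome is already in d.Traces
	return d, nil
}

func main() {
	reg := registry{}
	node := &fakeNode{name: "web-1", reachable: true, reg: reg,
		allowedLogins: map[string]bool{"ubuntu": true, "root": true}, localUsers: map[string]bool{"ubuntu": true}}
	d, _ := (&sshTester{reg, node}).TestConnection(context.Background(), Request{"node", "web-1", "root"})
	fmt.Println(d.Success, d.Traces)
}
```

Run as is, the program reports a failed diagnostic with three traces for the root login: connectivity and rbac-node succeed, rbac-principal fails because root is permitted by the roles but does not exist on the host. That is the distinction between the RBAC and principal checkpoints that SSHConnectionTester lists further down this page, and it is only visible because the node, not the tester, writes those two traces.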
type ConnectionTesterConfig ¶
type ConnectionTesterConfig struct {
	// ResourceKind contains the resource type to test.
	// You should use the types.Kind<Resource> strings.
	ResourceKind string
	// UserClient is an auth client that has a User's identity.
	// This is the user that is running the connection test.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// PublicProxyAddr is the public address of the proxy.
	PublicProxyAddr string
	// KubernetesPublicProxyAddr is the kubernetes proxy address.
	KubernetesPublicProxyAddr string
	// TLSRoutingEnabled indicates that the proxy supports the ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
ConnectionTesterConfig contains all the required variables to build a connection test.
type DatabaseConnectionTester ¶
type DatabaseConnectionTester struct {
// contains filtered or unexported fields
}
DatabaseConnectionTester implements the ConnectionTester interface for Testing Database access.
func NewDatabaseConnectionTester ¶
func NewDatabaseConnectionTester(cfg DatabaseConnectionTesterConfig) (*DatabaseConnectionTester, error)
NewDatabaseConnectionTester returns a new DatabaseConnectionTester
func (*DatabaseConnectionTester) TestConnection ¶
func (s *DatabaseConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests the access to a database using:
- the auth client carrying the user's identity
- the resource name
- the database user and database name to connect to
A new ConnectionDiagnostic is created and used to store the traces as the test goes through the checkpoints. To connect to the database, a cert-key pair is created and a database client is set up back to the Teleport Proxy. The following checkpoints are reported:
- the database server for the requested database exists / the user's roles can access it
- the user can use the requested database user and database name (per their roles)
- the database is accessible and accepting connections from the database server
- the database has the database user and database name that were requested
type DatabaseConnectionTesterConfig ¶
type DatabaseConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	UserClient ClientDatabaseConnectionTester
	// PublicProxyAddr is the public address of the proxy.
	PublicProxyAddr string
	// TLSRoutingEnabled indicates that the proxy supports the ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
DatabaseConnectionTesterConfig defines the config fields for DatabaseConnectionTester.
type ExternalAuditStorageConnectionTester ¶
type ExternalAuditStorageConnectionTester struct {
// contains filtered or unexported fields
}
ExternalAuditStorageConnectionTester implements the ConnectionTester interface for testing External Audit Storage access.
func NewExternalAuditStorageConnectionTester ¶
func NewExternalAuditStorageConnectionTester(cfg ExternalAuditStorageConnectionTesterConfig) (*ExternalAuditStorageConnectionTester, error)
NewExternalAuditStorageConnectionTester returns a new ExternalAuditStorageConnectionTester.
func (*ExternalAuditStorageConnectionTester) TestConnection ¶
func (s *ExternalAuditStorageConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests the currently configured ExternalAuditStorage draft by:
- uploading a dummy file to both the audit events and session recordings S3 buckets
- testing GetObject on the session recordings bucket
- testing the retrieval of the Glue table
- running a test query against the audit events bucket through Athena
type ExternalAuditStorageConnectionTesterConfig ¶
type ExternalAuditStorageConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	UserClient auth.ClientI
}
ExternalAuditStorageConnectionTesterConfig defines the config fields for ExternalAuditStorageConnectionTester.
type KubeConnectionTester ¶
type KubeConnectionTester struct {
// contains filtered or unexported fields
}
KubeConnectionTester implements the ConnectionTester interface for Testing Kubernetes access.
func NewKubeConnectionTester ¶
func NewKubeConnectionTester(cfg KubeConnectionTesterConfig) (*KubeConnectionTester, error)
NewKubeConnectionTester returns a new KubeConnectionTester
func (*KubeConnectionTester) TestConnection ¶
func (s *KubeConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests Kubernetes access to the target Kubernetes cluster using
- the provided client
- resource name
A new ConnectionDiagnostic is created and used to store the traces as the test goes through the checkpoints. To connect to the Kubernetes cluster, a cert-key pair is created and a Kubernetes client is set up back to the Teleport Proxy. The following cases are reported:
- trace of whether the Kubernetes cluster is reachable
- trace of whether the User Role defines Kubernetes principals for the cluster: `kubernetes_groups` & `kubernetes_users`
- trace of whether the User role has access to the desired kubernetes cluster: `kubernetes_labels` allow access.
- trace of whether the cluster is accessible and pods can be listed in the desired namespace.
type KubeConnectionTesterConfig ¶
type KubeConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// KubernetesPublicProxyAddr is the kubernetes proxy address.
	KubernetesPublicProxyAddr string
	// TLSRoutingEnabled indicates that the proxy supports the ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
KubeConnectionTesterConfig defines the config fields for KubeConnectionTester.
type KubernetesImpersonation ¶
type KubernetesImpersonation struct {
	// KubernetesUser is the Kubernetes user to impersonate for this request.
	// Optional - if multiple values are configured the user must select one,
	// otherwise the request will return an error.
	KubernetesUser string `json:"kubernetes_user,omitempty"`
	// KubernetesGroups are the Kubernetes groups to impersonate for this request.
	// Optional - if not specified, all configured groups are used.
	// When KubernetesGroups is specified, KubernetesUser must be provided
	// as well.
	KubernetesGroups []string `json:"kubernetes_groups,omitempty"`
}
KubernetesImpersonation allows to configure a subset of `kubernetes_users` and `kubernetes_groups` to impersonate.
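An added example (not Teleport's code) of the selection rules the field comments above describe, assuming the kubernetes_users and kubernetes_groups the user's roles grant for the target cluster have already been collected into an AllowedKubePrincipals value. The AllowedKubePrincipals and EffectiveIdentity names, the sample principals, and two stricter choices (the selected user and groups must be among the allowed ones, and no configured user is an error rather than a fallback) are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// KubernetesImpersonation mirrors the request field: the subset of kubernetes_users
// and kubernetes_groups the caller asks to impersonate.
type KubernetesImpersonation struct {
	KubernetesUser   string
	KubernetesGroups []string
}

// AllowedKubePrincipals is what the user's roles grant for the target cluster
// (assumed to be the kubernetes_users / kubernetes_groups left after label matching).
type AllowedKubePrincipals struct {
	Users  []string
	Groups []string
}

// EffectiveIdentity is the user and groups that would go into the impersonation headers.
type EffectiveIdentity struct {
	User   string
	Groups []string
}

// ResolveKubeImpersonation applies the rules stated on KubernetesImpersonation: groups
// require a user; with no user selected, a single configured user is picked and several
// is an error; no selected groups means every configured group. Requiring the selection
// to be a subset of what the roles allow is an assumption of this example.
func ResolveKubeImpersonation(allowed AllowedKubePrincipals, req KubernetesImpersonation) (EffectiveIdentity, error) {
	if len(req.KubernetesGroups) > 0 && req.KubernetesUser == "" {
		return EffectiveIdentity{}, errors.New("kubernetes_user must be set when kubernetes_groups is set")
	}
	user := req.KubernetesUser
	switch {
	case user != "" && !contains(allowed.Users, user):
		return EffectiveIdentity{}, fmt.Errorf("kubernetes_user %q is not allowed by the user's roles", user)
	case user == "" && len(allowed.Users) == 1:
		user = allowed.Users[0]
	case user == "" && len(allowed.Users) > 1:
		return EffectiveIdentity{}, fmt.Errorf("several kubernetes_users are configured %v; select one", allowed.Users)
	case user == "":
		return EffectiveIdentity{}, errors.New("no kubernetes_users configured for this cluster") // assumed, see lead-in
	}
	groups := req.KubernetesGroups
	if len(groups) == 0 {
		groups = allowed.Groups
	}
	out := make([]string, 0, len(groups)) // fresh slice so the role's own slice is never aliased
	for _, g := range groups {
		if !contains(allowed.Groups, g) {
			return EffectiveIdentity{}, fmt.Errorf("kubernetes_group %q is not allowed by the user's roles", g)
		}
		out = append(out, g)
	}
	sort.Strings(out)
	return EffectiveIdentity{User: user, Groups: out}, nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed role grants for the example.
	allowed := AllowedKubePrincipals{Users: []string{"alice", "deployer"}, Groups: []string{"system:masters", "developers"}}
	for _, req := range []KubernetesImpersonation{
		{},                                         // ambiguous: two users configured, none selected
		{KubernetesUser: "deployer"},               // user selected, all configured groups
		{KubernetesGroups: []string{"developers"}}, // groups without a user
		{KubernetesUser: "deployer", KubernetesGroups: []string{"developers"}},
	} {
		id, err := ResolveKubeImpersonation(allowed, req)
		fmt.Printf("%+v -> %+v %v\n", req, id, err)
	}
}
```

The point of the subset check is that impersonation headers are an escalation path: a request must never be able to name a user or group the roles did not grant, which is why the function validates against the role-derived allow list rather than trusting the request.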
type SSHConnectionTester ¶
type SSHConnectionTester struct {
// contains filtered or unexported fields
}
SSHConnectionTester implements the ConnectionTester interface for Testing SSH access
func NewSSHConnectionTester ¶
func NewSSHConnectionTester(cfg SSHConnectionTesterConfig) (*SSHConnectionTester, error)
NewSSHConnectionTester creates a new SSHConnectionTester
func (*SSHConnectionTester) TestConnection ¶
func (s *SSHConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests an SSH Connection to the target Node using
- the provided client
- resource name
- principal / linux user
A new ConnectionDiagnostic is created and used to store the traces as the test goes through the checkpoints. To set up the SSH client, the tester generates a new cert and injects the ConnectionDiagnosticID into it:
- the tester adds a trace of whether the SSH Node was reachable
- the SSH Node receives the cert and extracts the ConnectionDiagnosticID
- the SSH Node appends a trace indicating whether the user has access (RBAC)
- the SSH Node appends a trace indicating whether the requested principal is valid for the target Node
type SSHConnectionTesterConfig ¶
type SSHConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	// This is the user that is running the SSH Connection Test.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// TLSRoutingEnabled indicates that the proxy supports the ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
SSHConnectionTesterConfig has the necessary fields to create a new SSHConnectionTester.
type TestConnectionRequest ¶
type TestConnectionRequest struct {
	// MFAResponse is an optional field that holds a response to an MFA device challenge.
	MFAResponse client.MFAChallengeResponse `json:"mfa_response,omitempty"`
	// ResourceKind describes the type of resource to test.
	ResourceKind string `json:"resource_kind"`
	// ResourceName is the identification of the resource's instance to test.
	ResourceName string `json:"resource_name"`
	// DialTimeout is the timeout when trying to connect to the destination host.
	DialTimeout time.Duration `json:"dial_timeout,omitempty"`
	// InsecureSkipVerify turns off verification of the upstream ALPN proxy service's
	// x509 certificate. Only meant for tests: with it set, the tester cannot tell a
	// genuine proxy from an interposed one.
	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
	// SSHPrincipal is the Linux username to use in a connection test.
	// Specific to SSHTester.
	SSHPrincipal string `json:"ssh_principal,omitempty"`
	// SSHPrincipalSelectionMode is an optional field which describes whether the user has chosen the
	// principal manually or if it was automatically chosen.
	//
	// Used in Connect My Computer where the principal is picked automatically if the Connect My
	// Computer role contains only a single login.
	//
	// Valid values: manual, auto.
	SSHPrincipalSelectionMode string `json:"ssh_principal_selection_mode,omitempty"`
	// SSHNodeOS is an optional field which describes the OS the agent runs on.
	// Valid values: windows, darwin, linux.
	SSHNodeOS string `json:"ssh_node_os,omitempty"`
	// SSHNodeSetupMethod is an optional field which describes how an SSH agent was installed.
	// Valid values: script, connect_my_computer.
	SSHNodeSetupMethod string `json:"ssh_node_setup_method,omitempty"`
	// KubernetesNamespace is the Kubernetes Namespace to list the Pods in.
	// Specific to KubernetesTester.
	KubernetesNamespace string `json:"kubernetes_namespace,omitempty"`
	// KubernetesImpersonation allows to configure a subset of `kubernetes_users` and
	// `kubernetes_groups` to impersonate.
	// Specific to KubernetesTester.
	KubernetesImpersonation KubernetesImpersonation `json:"kubernetes_impersonation,omitempty"`
	// DatabaseUser is the database user to be tested.
	// Specific to DatabaseTester.
	DatabaseUser string `json:"database_user,omitempty"`
	// DatabaseName is the name of the database to be tested.
	// Specific to DatabaseTester.
	DatabaseName string `json:"database_name,omitempty"`
}
TestConnectionRequest contains
- the identification of the resource kind and resource name to test
- additional parameters which depend on the actual kind of resource to test
As an example, for an SSH Node it also includes the user/principal that will be used to log in.
func (*TestConnectionRequest) CheckAndSetDefaults ¶
func (r *TestConnectionRequest) CheckAndSetDefaults() error
CheckAndSetDefaults validates the Request has the required fields.
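An added example (not the package's own CheckAndSetDefaults) that enforces the constraints stated in the field comments above on a JSON body as a web handler would receive it: resource_kind and resource_name are required, the enumerated SSH fields are checked against the constants listed at the top of this page, kubernetes_groups is rejected without kubernetes_user, and a default dial timeout is applied. The 30 second default, the per-kind requirements (node needs ssh_principal, db needs database_user), the JSON bodies, and the omission of MFAResponse and a few informational fields are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Valid values as listed in the field comments of TestConnectionRequest.
const (
	SSHPrincipalSelectionModeManual     = "manual"
	SSHPrincipalSelectionModeAuto       = "auto"
	SSHNodeSetupMethodScript            = "script"
	SSHNodeSetupMethodConnectMyComputer = "connect_my_computer"
)

const defaultDialTimeout = 30 * time.Second // assumed default; the page does not state one

type KubernetesImpersonation struct {
	KubernetesUser   string   `json:"kubernetes_user,omitempty"`
	KubernetesGroups []string `json:"kubernetes_groups,omitempty"`
}

// TestConnectionRequest mirrors the documented request (MFAResponse and a few informational fields left out).
type TestConnectionRequest struct {
	ResourceKind              string                  `json:"resource_kind"`
	ResourceName              string                  `json:"resource_name"`
	DialTimeout               time.Duration           `json:"dial_timeout,omitempty"`
	SSHPrincipal              string                  `json:"ssh_principal,omitempty"`
	SSHPrincipalSelectionMode string                  `json:"ssh_principal_selection_mode,omitempty"`
	SSHNodeSetupMethod        string                  `json:"ssh_node_setup_method,omitempty"`
	KubernetesNamespace       string                  `json:"kubernetes_namespace,omitempty"`
	KubernetesImpersonation   KubernetesImpersonation `json:"kubernetes_impersonation,omitempty"`
	DatabaseUser              string                  `json:"database_user,omitempty"`
	DatabaseName              string                  `json:"database_name,omitempty"`
}

func oneOf(value string, allowed ...string) bool {
	for _, a := range allowed {
		if value == a {
			return true
		}
	}
	return false
}

// CheckAndSetDefaults rejects requests that violate the documented constraints and fills
// in defaults. Unknown kinds are left for ConnectionTesterForKind to refuse.
func (r *TestConnectionRequest) CheckAndSetDefaults() error {
	if r.ResourceKind == "" {
		return errors.New("missing required field resource_kind")
	}
	if r.ResourceName == "" {
		return errors.New("missing required field resource_name")
	}
	if r.DialTimeout <= 0 {
		r.DialTimeout = defaultDialTimeout
	}
	if !oneOf(r.SSHPrincipalSelectionMode, "", SSHPrincipalSelectionModeManual, SSHPrincipalSelectionModeAuto) {
		return fmt.Errorf("invalid ssh_principal_selection_mode %q", r.SSHPrincipalSelectionMode)
	}
	if !oneOf(r.SSHNodeSetupMethod, "", SSHNodeSetupMethodScript, SSHNodeSetupMethodConnectMyComputer) {
		return fmt.Errorf("invalid ssh_node_setup_method %q", r.SSHNodeSetupMethod)
	}
	imp := r.KubernetesImpersonation
	if len(imp.KubernetesGroups) > 0 && imp.KubernetesUser == "" {
		return errors.New("kubernetes_user is required when kubernetes_groups is set")
	}
	switch r.ResourceKind { // per-kind requirements below are assumptions of this example
	case "node":
		if r.SSHPrincipal == "" {
			return errors.New("ssh_principal is required for node connection tests")
		}
	case "db":
		if r.DatabaseUser == "" {
			return errors.New("database_user is required for db connection tests")
		}
	}
	return nil
}

// ParseTestConnectionRequest decodes a JSON body the way a web handler would, then validates it.
func ParseTestConnectionRequest(body []byte) (*TestConnectionRequest, error) {
	var req TestConnectionRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := req.CheckAndSetDefaults(); err != nil {
		return nil, err
	}
	return &req, nil
}

func main() {
	// Constructed body in the shape the web UI would send for an SSH test.
	req, err := ParseTestConnectionRequest([]byte(`{"resource_kind":"node","resource_name":"web-1","ssh_principal":"ubuntu"}`))
	fmt.Printf("%+v %v\n", req, err)
}
```

Validating before dispatch matters because the request is user-controlled input from the web UI: an empty resource name or an unexpected enum value should be rejected here with a clear error rather than surfacing later as a confusing failed checkpoint in the diagnostic.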