auth

package
v0.0.0-...-8d1852a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 14, 2022 License: Apache-2.0 Imports: 37 Imported by: 0

Documentation

Overview

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source 
const (
	// WebSessionTTL specifies standard web session time to live
	WebSessionTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
)
View Source 
const (
	PocketApiVersion  string = "v0"
	PocketUserSignup  string = "signup"
	PocketSignupToken string = "token"

	PocketOperation           string = "operation"
	PocketRequestSignedCert   string = "reqsignedcert"
	PocketReuqestUserIdentity string = "requserinfo"
)
View Source 
const (
	ActionIssueSignedCertificateWithToken string = "IssueSignedCertificateWithToken"
	ActionDeliverUserIdentityWithToken    string = "DeliverUserIdentityWithToken"
)
View Source 
const (
	ActionGetSessions                       = "GetSessions"
	ActionGetSession                        = "GetSession"
	ActionViewSession                       = "ViewSession"
	ActionDeleteSession                     = "DeleteSession"
	ActionUpsertSession                     = "UpsertSession"
	ActionUpsertCertAuthority               = "UpsertCertAuthority"
	ActionGetCertAuthorities                = "GetCertAuthorities"
	ActionGetCertAuthoritiesWithSigningKeys = "GetCertAuthoritiesWithSigningKeys"
	ActionGetLocalDomain                    = "GetLocalDomain"
	ActionDeleteCertAuthority               = "DeleteCertAuthority"
	ActionGenerateToken                     = "GenerateToken"
	ActionRegisterUsingToken                = "RegisterUsingToken"
	ActionRegisterNewAuthServer             = "RegisterNewAuthServer"
	ActionUpsertServer                      = "UpsertServer"
	ActionGetServers                        = "GetServers"
	ActionUpsertAuthServer                  = "UpsertAuthServer"
	ActionGetAuthServers                    = "GetAuthServers"
	ActionUpsertProxy                       = "UpsertProxy"
	ActionGetProxies                        = "GetProxies"
	ActionUpsertReverseTunnel               = "UpsertReverseTunnel"
	ActionGetReverseTunnels                 = "GetReverseTunnels"
	ActionDeleteReverseTunnel               = "DeleteReverseTunnel"
	ActionUpsertPassword                    = "UpsertPassword"
	ActionCheckPassword                     = "CheckPassword"
	ActionSignIn                            = "SignIn"
	ActionExtendWebSession                  = "ExtendWebSession"
	ActionCreateWebSession                  = "CreateWebSession"
	ActionGetWebSession                     = "GetWebSession"
	ActionDeleteWebSession                  = "DeleteWebSession"
	ActionGetUsers                          = "GetUsers"
	ActionGetUser                           = "GetUser"
	ActionDeleteUser                        = "DeleteUser"
	ActionUpsertUserKey                     = "UpsertUserKey"
	ActionGetUserKeys                       = "GetUserKeys"
	ActionDeleteUserKey                     = "DeleteUserKey"
	ActionGenerateKeyPair                   = "GenerateKeyPair"
	ActionGenerateHostCert                  = "GenerateHostCert"
	ActionGenerateUserCert                  = "GenerateUserCert"
	ActionResetHostCertificateAuthority     = "ResetHostCertificateAuthority"
	ActionResetUserCertificateAuthority     = "ResetUserCertificateAuthority"
	ActionGenerateSealKey                   = "GenerateSealKey"
	ActionGetSealKeys                       = "GetSeakKeys"
	ActionGetSealKey                        = "GetSealKey"
	ActionDeleteSealKey                     = "DeleteSealKey"
	ActionAddSealKey                        = "AddSealKey"
	ActionCreateSignupToken                 = "CreateSignupToken"
	ActionGetSignupTokenData                = "GetSignupTokenData"
	ActionCreateUserWithToken               = "CreateUserWithToken"
	ActionUpsertUser                        = "UpsertUser"
	ActionUpsertOIDCConnector               = "UpsertOIDCConnector"
	ActionDeleteOIDCConnector               = "DeleteOIDCConnector"
	ActionGetOIDCConnectorWithSecrets       = "GetOIDCConnectorWithSecrets"
	ActionGetOIDCConnectorWithoutSecrets    = "GetOIDCConnectorWithoutSecrets"
	ActionGetOIDCConnectorsWithSecrets      = "GetOIDCConnectorsWithSecrets"
	ActionGetOIDCConnectorsWithoutSecrets   = "GetOIDCConnectorsWithoutSecrets"
	ActionCreateOIDCAuthRequest             = "CreateOIDCAuthRequest"
	ActionValidateOIDCAuthCallback          = "ValidateOIDCAuthCallback"
	ActionEmitEvents                        = "EmitEvents"
)
View Source 
const (
	// DialerRetryAttempts is the amount of attempts for dialer to try and
	// connect to the remote destination
	DialerRetryAttempts = 3
	// DialerPeriodBetweenAttempts is the period between retry attempts
	DialerPeriodBetweenAttempts = time.Second
)
View Source 
const (
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"
	ExtRole        = "role@teleport"

	AuthWebPassword = "password"
	AuthWebSession  = "session"
	AuthToken       = "provision-token"
	AuthSignupToken = "signup-token"
)
View Source 
const (
	AuthAESEncryption = "aesencrypt"
)
View Source 
const CurrentVersion = "v1"

CurrentVersion is a current API version

Variables

View Source 
var StandardRoles = teleport.Roles{
	teleport.RoleAuth,
	teleport.RoleUser,
	teleport.RoleWeb,
	teleport.RoleNode,
	teleport.RoleProxy,
	teleport.RoleAdmin,
	teleport.RoleProvisionToken,
	teleport.RoleSignup,
}

Functions

func HaveHostKeys 

func HaveHostKeys(dataDir string, id IdentityID) (bool, error)

HaveHostKeys checks either the host keys are in place

func Init 

func Init(cfg InitConfig, seedConfig bool) (*AuthServer, *Identity, error)

Init instantiates and configures an instance of AuthServer

func LocalRegister 

func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.

func LocalRegisterWithCertStorage 

func LocalRegisterWithCertStorage(authServer *AuthServer, certStorage certdb.Accessor, id IdentityID) error

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.

func NewHostAuth 

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth 

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth 

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewWebAESEncryptionAuth 

func NewWebAESEncryptionAuth(user string, password []byte, encrypted string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth 

func NewWebPasswordAuth(user string, password []byte, hotpToken string) ([]ssh.AuthMethod, error)

func NewWebSessionAuth 

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func NodeRegister 

func NodeRegister(keyFilePath, certFilePath, token string, id IdentityID, servers []utils.NetAddr) error

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request.

func PocketAuthInit 

func PocketAuthInit(cfg InitConfig, certStorage certdb.Accessor, seedConfig bool) (*AuthServer, *Identity, error)

Init instantiates and configures an instance of AuthServer

func Register 

func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request.

func RegisterNewAuth 

func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error

func RequestHOTPforSignupToken 

func RequestHOTPforSignupToken(client *TunClient, signupToken string) ([]string, error)

TODO : apply encryption

func RetryingClient 

func RetryingClient(client limitedClient, retries int) *retryingClient

func WriteIdentity 

func WriteIdentity(dataDir string, identity *Identity) error

WriteIdentity writes identity keypair to disk

Types

type APIConfig 

type APIConfig struct {
	AuthServer        *AuthServer
	SessionService    session.Service
	PermissionChecker PermissionChecker
	AuditLog          events.IAuditLog

	// (03/16/17) added for pocket cert issues
	CertSigner *pcrypto.CaSigner
	// (03/19/17) added for storing certificates
	CertStorage certdb.Accessor
	// (10/06/17) added for deliver user identity across cluster
	UserKiosk UserIdentityKiosk
}

type APIServer 

type APIServer struct {
	httprouter.Router
	// contains filtered or unexported fields
}

APIServer implements http API server for AuthServer interface

func NewAPIServer 

func NewAPIServer(config *APIConfig, role teleport.Role) APIServer

NewAPIServer returns a new instance of APIServer HTTP handler

type AccessPoint 

type AccessPoint interface {
	// GetDomainName returns domain name AKA ("cluster name") of the auth
	// server / certificate authority (CA)
	GetDomainName() (string, error)

	// GetServers returns a list of registered servers
	GetNodes() ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server, ttl time.Duration) error

	// UpsertProxy registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server, ttl time.Duration) error

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)
}

AccessPoint is an API interface implemented by a certificate authority (CA)

type AccessPointDialer 

type AccessPointDialer func() (net.Conn, error)

AccessPointDialer dials to auth access point remote HTTP api

type AgentCloser 

type AgentCloser interface {
	io.Closer
	agent.Agent
}

type AuthServer 

type AuthServer struct {
	Authority

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens []services.ProvisionToken

	services.Trust
	services.Lock
	services.Presence
	services.Provisioner
	services.Identity
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func NewAuthServer 

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) *AuthServer

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) Close 

func (a *AuthServer) Close() error

func (*AuthServer) CreateOIDCAuthRequest 

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateSignupToken 

func (s *AuthServer) CreateSignupToken(user services.User) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

allowedLogins are linux user logins allowed for the new user to use

func (*AuthServer) CreateUserWithToken 

func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) CreateWebSession 

func (s *AuthServer) CreateWebSession(user string) (*Session, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*AuthServer) DeleteToken 

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteWebSession 

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExtendWebSession 

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (*Session, error)

ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) GenerateHostCert 

func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*AuthServer) GenerateServerKeys 

func (s *AuthServer) GenerateServerKeys(hostID string, nodeName string, roles teleport.Roles) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthServer) GenerateToken 

func (s *AuthServer) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

func (*AuthServer) GenerateUserCert 

func (s *AuthServer) GenerateUserCert(
	key []byte, username string, ttl time.Duration) ([]byte, error)

GenerateUserCert generates user certificate, it takes pkey as a signing private key (user certificate authority)

func (*AuthServer) GetDomainName 

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetSignupTokenData 

func (s *AuthServer) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetTokens 

func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*AuthServer) GetWebSession 

func (s *AuthServer) GetWebSession(userName string, id string) (*Session, error)

func (*AuthServer) GetWebSessionInfo 

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (*Session, error)

func (*AuthServer) NewWebSession 

func (s *AuthServer) NewWebSession(userName string) (*Session, error)

func (*AuthServer) RegisterNewAuthServer 

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken 

func (s *AuthServer) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.

func (*AuthServer) SignIn 

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)

func (*AuthServer) UpsertWebSession 

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error

func (*AuthServer) ValidateOIDCAuthCallback 

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*AuthServer) ValidateToken 

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidteToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found

type AuthServerOption 

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthTunnel 

type AuthTunnel struct {
	// contains filtered or unexported fields
}

AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then establishes an SSH tunnell which HTTP requests travel over. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.

Use auth.TunClient to connect to AuthTunnel

func NewTunnel 

func NewTunnel(addr utils.NetAddr,
	hostSigner ssh.Signer,
	apiConf *APIConfig,
	opts ...ServerOption) (tunnel *AuthTunnel, err error)

NewTunnel creates a new SSH tunnel server which is not started yet. This is how "site API" (aka "auth API") is served: by creating an "tunnel server" which serves HTTP via SSH.

func (*AuthTunnel) Addr 

func (s *AuthTunnel) Addr() string

func (*AuthTunnel) Close 

func (s *AuthTunnel) Close() error

func (*AuthTunnel) HandleNewChan 

func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)

HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established

func (*AuthTunnel) Start 

func (s *AuthTunnel) Start() error

type AuthWithRoles 

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles 

func NewAuthWithRoles(authServer *AuthServer,
	permChecker PermissionChecker,
	sessions session.Service,
	role teleport.Role,
	alog events.IAuditLog) *AuthWithRoles

test helper

func (*AuthWithRoles) CheckPassword 

func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error

func (*AuthWithRoles) CreateOIDCAuthRequest 

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateSession 

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken 

func (a *AuthWithRoles) CreateSignupToken(user services.User) (token string, e error)

func (*AuthWithRoles) CreateUserWithToken 

func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

func (*AuthWithRoles) CreateWebSession 

func (a *AuthWithRoles) CreateWebSession(user string) (*Session, error)

func (*AuthWithRoles) DeleteCertAuthority 

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteOIDCConnector 

func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error

func (*AuthWithRoles) DeleteReverseTunnel 

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteToken 

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteUser 

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession 

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent 

func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error

func (*AuthWithRoles) ExtendWebSession 

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (*Session, error)

func (*AuthWithRoles) GenerateHostCert 

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostID, nodeName, clusterName string, roles teleport.Roles,
	ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair 

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateToken 

func (a *AuthWithRoles) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

func (*AuthWithRoles) GenerateUserCert 

func (a *AuthWithRoles) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GetAuthServers 

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities 

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)

func (*AuthWithRoles) GetDomainName 

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetNodes 

func (a *AuthWithRoles) GetNodes() ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector 

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors 

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetProxies 

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetReverseTunnels 

func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetSession 

func (a *AuthWithRoles) GetSession(id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk 

func (a *AuthWithRoles) GetSessionChunk(sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents 

func (a *AuthWithRoles) GetSessionEvents(sid session.ID, afterN int) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions 

func (a *AuthWithRoles) GetSessions() ([]session.Session, error)

func (*AuthWithRoles) GetSignupTokenData 

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

func (*AuthWithRoles) GetTokens 

func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetUser 

func (a *AuthWithRoles) GetUser(name string) (services.User, error)

func (*AuthWithRoles) GetUsers 

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo 

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error)

func (*AuthWithRoles) PostSessionChunk 

func (a *AuthWithRoles) PostSessionChunk(sid session.ID, reader io.Reader) error

func (*AuthWithRoles) RegisterNewAuthServer 

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken 

func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)

func (*AuthWithRoles) SearchEvents 

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)

func (*AuthWithRoles) SignIn 

func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)

func (*AuthWithRoles) UpdateSession 

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UpsertAuthServer 

func (a *AuthWithRoles) UpsertAuthServer(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertCertAuthority 

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

func (*AuthWithRoles) UpsertNode 

func (a *AuthWithRoles) UpsertNode(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertOIDCConnector 

func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

func (*AuthWithRoles) UpsertPassword 

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)

func (*AuthWithRoles) UpsertProxy 

func (a *AuthWithRoles) UpsertProxy(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertReverseTunnel 

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error

func (*AuthWithRoles) UpsertUser 

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateOIDCAuthCallback 

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

type Authority 

type Authority interface {
	// GenerateKeyPair generates new keypair
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)

	// GetNewKeyPairFromPool returns new keypair from pre-generated in memory pool
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert takes the private key of the CA, public key of the new host,
	// along with metadata (host ID, node name, cluster name, roles, and ttl) and generates
	// a host certificate.
	GenerateHostCert(certParams services.CertParams) ([]byte, error)

	// GenerateUserCert generates user certificate, it takes pkey as a signing
	// private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, teleportUsername string, allowedLogins []string, ttl time.Duration) ([]byte, error)
}

Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates

type Client 

type Client struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewClient 

func NewClient(addr string, dialer Dialer) (*Client, error)

NewAuthClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH

func (*Client) CheckPassword 

func (c *Client) CheckPassword(user string,
	password []byte, hotpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close 

func (c *Client) Close() error

func (*Client) CreateOIDCAuthRequest 

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*Client) CreateSession 

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken 

func (c *Client) CreateSignupToken(user services.User) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*Client) CreateUserWithToken 

func (c *Client) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*Client) CreateWebSession 

func (c *Client) CreateWebSession(user string) (*Session, error)

CreateWebSession creates a new web session for a user

func (*Client) Delete 

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteCertAuthority 

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

func (*Client) DeleteOIDCConnector 

func (c *Client) DeleteOIDCConnector(connectorID string) error

func (*Client) DeleteReverseTunnel 

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteSession 

func (c *Client) DeleteSession(id string) error

DeleteSession deletes a session by ID

func (*Client) DeleteToken 

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token

func (*Client) DeleteUser 

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession 

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent 

func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)

func (*Client) ExtendWebSession 

func (c *Client) ExtendWebSession(user string, prevSessionID string) (*Session, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert 

func (c *Client) GenerateHostCert(
	key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair 

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateToken 

func (c *Client) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

The token can be used only once.

func (*Client) GenerateUserCert 

func (c *Client) GenerateUserCert(
	key []byte, user string, ttl time.Duration) ([]byte, error)

GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get 

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAuthServers 

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities 

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)

func (*Client) GetDomainName 

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetNodes 

func (c *Client) GetNodes() ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector 

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)

func (*Client) GetOIDCConnectors 

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*Client) GetProxies 

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetReverseTunnels 

func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetSession 

func (c *Client) GetSession(id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk 

func (c *Client) GetSessionChunk(sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents 

func (c *Client) GetSessionEvents(sid session.ID, afterN int) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions 

func (c *Client) GetSessions() ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData 

func (c *Client) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetTokens 

func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport 

func (c *Client) GetTransport() *http.Transport

func (*Client) GetUser 

func (c *Client) GetUser(name string) (services.User, error)

GetUser returns a list of usernames registered in the system

func (*Client) GetUsers 

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo 

func (c *Client) GetWebSessionInfo(user string, sid string) (*Session, error)

GetWebSessionInfo check if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) PostForm 

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON 

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionChunk 

func (c *Client) PostSessionChunk(sid session.ID, reader io.Reader) error

PostSessionChunk allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) PutJSON 

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer 

func (c *Client) RegisterNewAuthServer(token string) error

func (*Client) RegisterUsingToken 

func (c *Client) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) SearchEvents 

func (c *Client) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SignIn 

func (c *Client) SignIn(user string, password []byte) (*Session, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) UpdateSession 

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UpsertAuthServer 

func (c *Client) UpsertAuthServer(s services.Server, ttl time.Duration) error

UpsertAuthServer is used by auth servers to report their presense to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority 

func (c *Client) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertNode 

func (c *Client) UpsertNode(s services.Server, ttl time.Duration) error

UpsertNode is used by SSH servers to reprt their presense to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertOIDCConnector 

func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

func (*Client) UpsertPassword 

func (c *Client) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy 

func (c *Client) UpsertProxy(s services.Server, ttl time.Duration) error

UpsertProxy is used by proxies to report their presense to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel 

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel, ttl time.Duration) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertUser 

func (c *Client) UpsertUser(user services.User) error

UpsertUser user updates or inserts user entry

func (*Client) ValidateOIDCAuthCallback 

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

type ClientI 

type ClientI interface {
	GetUser(name string) (services.User, error)
	UpsertUser(user services.User) error
	GetSessions() ([]session.Session, error)
	GetSession(id session.ID) (*session.Session, error)
	CreateSession(s session.Session) error
	UpdateSession(req session.UpdateRequest) error
	UpsertCertAuthority(cert services.CertAuthority, ttl time.Duration) error
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)
	DeleteCertAuthority(caType services.CertAuthID) error
	GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)
	RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
	RegisterNewAuthServer(token string) error
	UpsertNode(s services.Server, ttl time.Duration) error
	GetNodes() ([]services.Server, error)
	GetAuthServers() ([]services.Server, error)
	UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
	CheckPassword(user string, password []byte, hotpToken string) error
	SignIn(user string, password []byte) (*Session, error)
	CreateWebSession(user string) (*Session, error)
	ExtendWebSession(user string, prevSessionID string) (*Session, error)
	GetWebSessionInfo(user string, sid string) (*Session, error)
	DeleteWebSession(user string, sid string) error
	GetUsers() ([]services.User, error)
	DeleteUser(user string) error
	GenerateKeyPair(pass string) ([]byte, []byte, error)
	GenerateHostCert(key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)
	GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)
	GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
	CreateUserWithToken(token, password, hotpToken string) (*Session, error)
	UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error
	GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
	DeleteOIDCConnector(connectorID string) error
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
	// UpsertReverseTunnel is used by admins to create a new reverse tunnel
	// to the remote proxy to bypass firewall restrictions
	UpsertReverseTunnel(tunnel services.ReverseTunnel, ttl time.Duration) error
	// GetReverseTunnels returns the list of created reverse tunnels
	GetReverseTunnels() ([]services.ReverseTunnel, error)
	// DeleteReverseTunnel deletes reverse tunnel by domain name
	DeleteReverseTunnel(domainName string) error

	events.IAuditLog
}

TOODO(klizhentas) this should be just including appropriate service implementations

type Dialer 

type Dialer func(network, addr string) (net.Conn, error)

type FakeSSHConnection 

type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

FakeSSHConnection implements net.Conn interface on top of the ssh.Cnahhel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection

func (*FakeSSHConnection) Close 

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr 

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read 

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr 

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline 

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline 

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline 

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write 

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type Identity 

type Identity struct {
	ID              IdentityID
	KeyBytes        []byte
	CertBytes       []byte
	KeySigner       ssh.Signer
	Cert            *ssh.Certificate
	AuthorityDomain string
}

Identity is a collection of certificates and signers that represent identity

func NodeReadIdentityFromFile 

func NodeReadIdentityFromFile(keyFilePath, certFilePath string, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir) for slave node.

func ReadIdentity 

func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadIdentityFromCertStorage 

func ReadIdentityFromCertStorage(certStorage certdb.Accessor, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadIdentityFromKeyPair 

func ReadIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadIdentityFromKeyPair reads identity from initialized keypair

type IdentityID 

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals 

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) String 

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type InitConfig 

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Lock is a distributed or local lock service
	Lock services.Lock

	// Presence service is a discovery and hearbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Trust is a service that manages users and credentials
	Identity services.Identity

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens []services.ProvisionToken
}

InitConfig is auth server init config

type OIDCAuthResponse 

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.OIDCIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session *Session `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type PackedKeys 

type PackedKeys struct {
	Key  []byte `json:"key"`
	Cert []byte `json:"cert"`
}

type PermissionChecker 

type PermissionChecker interface {
	// HasPermission checks if the given role has a permission to execute
	// the action
	HasPermission(role teleport.Role, action string) error
}

PermissionChecker interface verifies that clients have permissions to execute any action of the auth server

func NewAllowAllPermissions 

func NewAllowAllPermissions() PermissionChecker

func NewStandardPermissions 

func NewStandardPermissions() PermissionChecker

NewStandardPermissions returns permission checker with hardcoded roles that are built in when auth server starts in standard mode

type PocketRequestBase 

type PocketRequestBase struct {
	// AuthServers is a list of auth servers nodes, proxies and peer auth servers connect to
	AuthServers []utils.NetAddr
	// Host role
	Role teleport.Role
	// Hostname is a node host name
	Hostname string
	// HostUUID is a unique host id
	HostUUID string
	// AuthToken
	AuthToken string
}

type PocketResponseAuthKeyCert 

type PocketResponseAuthKeyCert struct {
	Auth []byte `json:"auth"`
	Key  []byte `json:"key"`
	Cert []byte `json:"cert"`
}

func RequestSignedCertificate 

func RequestSignedCertificate(param *PocketRequestBase) (*PocketResponseAuthKeyCert, error)

RequestSignedCertificate is used by auth service clients (other services, like proxy or SSH) when a new node joins the cluster

type PocketResponseUserIdentity 

type PocketResponseUserIdentity struct {
	LoginName string `json:"login"`
	UID       string `json:"uid"`
	GID       string `json:"gid"`
}

func RequestUserIdentity 

func RequestUserIdentity(param *PocketRequestBase) (*PocketResponseUserIdentity, error)

RequestUserIdentity is used by auth service clients (other services, like proxy or SSH) when a new node joins the cluster

type ServerOption 

type ServerOption func(s *AuthTunnel) error

ServerOption is the functional argument passed to the server

func SetLimiter 

func SetLimiter(limiter *limiter.Limiter) ServerOption

SetLimiter sets rate and connection limiter for auth tunnel server

type Session 

type Session struct {
	// ID is a session ID
	ID string `json:"id"`
	// Username is a user this session belongs to
	Username string `json:"username"`
	// ExpiresAt is an optional expiry time, if set
	// that means this web session and all derived web sessions
	// can not continue after this time, used in OIDC use case
	// when expiry is set by external identity provider, so user
	// has to relogin (or later on we'd need to refresh the token)
	ExpiresAt time.Time `json:"expires_at"`
	// WS is a private keypair used for signing requests
	WS services.WebSession `json:"web"`
}

Session is a web session context, stores temporary key-value pair and session id

type TunClient 

type TunClient struct {
	sync.Mutex

	// embed auth API HTTP client
	Client
	// contains filtered or unexported fields
}

TunClient is HTTP client that works over SSH tunnel This is done in order to authenticate various teleport roles using existing SSH certificate infrastructure

func NewTunClient 

func NewTunClient(purpose string,
	authServers []utils.NetAddr,
	user string,
	authMethods []ssh.AuthMethod,
	opts ...TunClientOption) (*TunClient, error)

NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate

  • purpose is mostly for debuggin, like "web client" or "reverse tunnel client"
  • authServers: list of auth servers in this cluster (they are supposed to be in sync)
  • authMethods: how to authenticate (via cert, web passwowrd, etc)
  • opts : functional arguments for further extending

func (*TunClient) Close 

func (c *TunClient) Close() error

Close releases all the resources allocated for this client

func (*TunClient) Dial 

func (c *TunClient) Dial(network, address string) (net.Conn, error)

Dial dials to Auth server's HTTP API over SSH tunnel.

func (*TunClient) GetAgent 

func (c *TunClient) GetAgent() (AgentCloser, error)

GetAgent creates an SSH key agent (similar object to what CLI uses), this key agent fetches user keys directly from the auth server using a custom channel created via "ReqWebSessionAgent" reguest

func (*TunClient) GetDialer 

func (c *TunClient) GetDialer() AccessPointDialer

GetDialer returns dialer that will connect to auth server API

type TunClientOption 

type TunClientOption func(t *TunClient)

TunClientOption is functional option for tunnel client

func TunClientStorage 

func TunClientStorage(storage utils.AddrStorage) TunClientOption

TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers

type UserIdentity 

type UserIdentity struct {
	LoginName string
	UID       string
	GID       string
}

type UserIdentityKiosk 

type UserIdentityKiosk interface {
	// in order of user login, uid, gid, error
	GetUserIdentity(hostName, hostUUID string) (*UserIdentity, error)
}

notifies user information incl. user login, uid, gid

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.