Documentation
¶
Overview ¶
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
* Local services are implemented in local package * Package suite contains the set of acceptance tests for services
Package services implements API services exposed by Teleport: * presence service that takes care of heratbeats * web service that takes care of web logins * ca service - certificate authorities
Index ¶
- func SetUserUnmarshaler(u UserUnmarshaler)
- func VerifyPassword(password []byte) error
- type CertAuthID
- type CertAuthType
- type CertAuthority
- type CommandLabel
- type CommandLabels
- type Identity
- type Lock
- type OIDCAuthRequest
- type OIDCConnector
- type OIDCIdentity
- type Presence
- type ProvisionToken
- type Provisioner
- type ReverseTunnel
- type Server
- type SignupToken
- type Site
- type TeleportUser
- func (u *TeleportUser) Check() error
- func (u *TeleportUser) Equals(other User) bool
- func (u *TeleportUser) GetAllowedLogins() []string
- func (u *TeleportUser) GetIdentities() []OIDCIdentity
- func (u *TeleportUser) GetName() string
- func (u *TeleportUser) String() string
- func (u *TeleportUser) WebSessionInfo() User
- type Trust
- type U2F
- type User
- type UserUnmarshaler
- type Users
- type WebSession
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SetUserUnmarshaler ¶ added in v1.0.0
func SetUserUnmarshaler(u UserUnmarshaler)
func VerifyPassword ¶ added in v1.0.0
VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in
Types ¶
type CertAuthID ¶ added in v1.0.0
type CertAuthID struct {
Type CertAuthType `json:"type"`
DomainName string `json:"domain_name"`
}
CertAuthID - id of certificate authority (it's type and domain name)
func (*CertAuthID) Check ¶ added in v1.0.0
func (c *CertAuthID) Check() error
Check returns error if any of the id parameters are bad, nil otherwise
func (*CertAuthID) String ¶ added in v1.0.0
func (c *CertAuthID) String() string
type CertAuthType ¶ added in v1.0.0
type CertAuthType string
CertAuthType specifies certificate authority type, user or host
const ( // HostCA identifies the key as a host certificate authority HostCA CertAuthType = "host" // UserCA identifies the key as a user certificate authority UserCA CertAuthType = "user" )
func (CertAuthType) Check ¶ added in v1.0.0
func (c CertAuthType) Check() error
Check checks if certificate authority type value is correct
type CertAuthority ¶ added in v1.0.0
type CertAuthority struct {
// Type is either user or host certificate authority
Type CertAuthType `json:"type"`
// DomainName identifies domain name this authority serves,
// for host authorities that means base hostname of all servers,
// for user authorities that means organization name
DomainName string `json:"domain_name"`
// Checkers is a list of SSH public keys that can be used to check
// certificate signatures
CheckingKeys [][]byte `json:"checking_keys"`
// SigningKeys is a list of private keys used for signing
SigningKeys [][]byte `json:"signing_keys"`
// AllowedLogins is a list of allowed logins for users within
// this certificate authority
AllowedLogins []string `json:"allowed_logins"`
}
CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
func (*CertAuthority) Check ¶ added in v1.0.0
func (ca *CertAuthority) Check() error
Check checks if all passed parameters are valid
func (*CertAuthority) Checkers ¶ added in v1.0.0
func (ca *CertAuthority) Checkers() ([]ssh.PublicKey, error)
Checkers returns public keys that can be used to check cert authorities
func (*CertAuthority) FirstSigningKey ¶ added in v1.0.0
func (ca *CertAuthority) FirstSigningKey() ([]byte, error)
FirstSigningKey returns first signing key or returns error if it's not here
func (*CertAuthority) ID ¶ added in v1.0.0
func (ca *CertAuthority) ID() *CertAuthID
ID returns id (consisting of domain name and type) that identifies the authority this key belongs to
type CommandLabel ¶
type CommandLabel struct {
// Period is a time between command runs
Period time.Duration `json:"period"`
// Command is a command to run
Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
// Result captures standard output
Result string `json:"result"`
}
CommandLabel is a label that has a value as a result of the output generated by running command, e.g. hostname
type CommandLabels ¶
type CommandLabels map[string]CommandLabel
CommandLabels is a set of command labels
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from environment variable
type Identity ¶ added in v1.0.0
type Identity interface {
// GetUsers returns a list of users registered with the local auth server
GetUsers() ([]User, error)
// UpsertUser updates parameters about user
UpsertUser(user User) error
// GetUser returns a user by name
GetUser(user string) (User, error)
// GetUserByOIDCIdentity returns a user by it's specified OIDC Identity, returns first
// user specified with this identity
GetUserByOIDCIdentity(id OIDCIdentity) (User, error)
// DeleteUser deletes a user with all the keys from the backend
DeleteUser(user string) error
// UpsertPasswordHash upserts user password hash
UpsertPasswordHash(user string, hash []byte) error
// GetPasswordHash returns the password hash for a given user
GetPasswordHash(user string) ([]byte, error)
// UpsertHOTP upserts HOTP state for user
UpsertHOTP(user string, otp *hotp.HOTP) error
// GetHOTP gets HOTP token state for a user
GetHOTP(user string) (*hotp.HOTP, error)
// UpsertWebSession updates or inserts a web session for a user and session id
UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error
// GetWebSession returns a web session state for a given user and session id
GetWebSession(user, sid string) (*WebSession, error)
// DeleteWebSession deletes web session from the storage
DeleteWebSession(user, sid string) error
// UpsertPassword upserts new password and HOTP token
UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
// CheckPassword is called on web user or tsh user login
CheckPassword(user string, password []byte, hotpToken string) error
// CheckPasswordWOToken checks just password without checking HOTP tokens
// used in case of SSH authentication, when token has been validated
CheckPasswordWOToken(user string, password []byte) error
// UpsertSignupToken upserts signup token - one time token that lets user to create a user account
UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error
// GetSignupToken returns signup token data
GetSignupToken(token string) (*SignupToken, error)
// GetSignupTokens returns a list of signup tokens
GetSignupTokens() ([]SignupToken, error)
// DeleteSignupToken deletes signup token from the storage
DeleteSignupToken(token string) error
// UpsertU2FRegisterChallenge upserts a U2F challenge for a new user corresponding to the token
UpsertU2FRegisterChallenge(token string, u2fChallenge *u2f.Challenge) error
// GetU2FRegisterChallenge returns a U2F challenge for a new user corresponding to the token
GetU2FRegisterChallenge(token string) (*u2f.Challenge, error)
// UpsertU2FRegistration upserts a U2F registration from a valid register response
UpsertU2FRegistration(user string, u2fReg *u2f.Registration) error
// GetU2FRegistration returns a U2F registration from a valid register response
GetU2FRegistration(user string) (*u2f.Registration, error)
// UpsertU2FSignChallenge upserts a U2F sign (auth) challenge
UpsertU2FSignChallenge(user string, u2fChallenge *u2f.Challenge) error
// GetU2FSignChallenge returns a U2F sign (auth) challenge
GetU2FSignChallenge(user string) (*u2f.Challenge, error)
// UpsertU2FRegistrationCounter upserts a counter associated with a U2F registration
UpsertU2FRegistrationCounter(user string, counter uint32) error
// GetU2FRegistrationCounter returns a counter associated with a U2F registration
GetU2FRegistrationCounter(user string) (uint32, error)
// UpsertOIDCConnector upserts OIDC Connector
UpsertOIDCConnector(connector OIDCConnector, ttl time.Duration) error
// DeleteOIDCConnector deletes OIDC Connector
DeleteOIDCConnector(connectorID string) error
// GetOIDCConnector returns OIDC connector data, , withSecrets adds or removes client secret from return results
GetOIDCConnector(id string, withSecrets bool) (*OIDCConnector, error)
// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error)
// CreateOIDCAuthRequest creates new auth request
CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error
// GetOIDCAuthRequest returns OIDC auth request if found
GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error)
}
Identity is responsible for managing user entries
type Lock ¶ added in v1.0.0
type Lock interface {
// AcquireLock grabs a lock that will be released automatically in ttl time
AcquireLock(token string, ttl time.Duration) error
// ReleaseLock releases
ReleaseLock(token string) error
}
Lock implements distributed locking service
type OIDCAuthRequest ¶ added in v1.0.0
type OIDCAuthRequest struct {
// ConnectorID is ID of OIDC connector this request uses
ConnectorID string `json:"connector_id"`
// Type is opaque string that helps callbacks identify the request type
Type string `json:"type"`
// CheckUser tells validator if it should expect and check user
CheckUser bool `json:"check_user"`
// StateToken is generated by service and is used to validate
// reuqest coming from
StateToken string `json:"state_token"`
// RedirectURL will be used by browser
RedirectURL string `json:"redirect_url"`
// PublicKey is an optional public key, users want these
// keys to be signed by auth servers user CA in case
// of successfull auth
PublicKey []byte `json:"public_key"`
// CertTTL is the TTL of the certificate user wants to get
CertTTL time.Duration `json:"cert_ttl"`
// CreateWebSession indicates if user wants to generate a web
// session after successful authentication
CreateWebSession bool `json:"create_web_session"`
// ClientRedirectURL is a URL client wants to be redirected
// after successfull authentication
ClientRedirectURL string `json:"client_redirect_url"`
}
OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server
func (*OIDCAuthRequest) Check ¶ added in v1.0.0
func (i *OIDCAuthRequest) Check() error
Check returns nil if all parameters are great, err otherwise
type OIDCConnector ¶ added in v1.0.0
type OIDCConnector struct {
// ID is a provider id, 'e.g.' google, used internally
ID string `json:"id"`
// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
IssuerURL string `json:"issuer_url"`
// ClientID is id for authentication client (in our case it's our Auth server)
ClientID string `json:"client_id"`
// ClientSecret is used to authenticate our client and should not
// be visible to end user
ClientSecret string `json:"client_secret"`
// RedirectURL - Identity provider will use this URL to redirect
// client's browser back to it after successfull authentication
// Should match the URL on Provider's side
RedirectURL string `json:"redirect_url"`
// Display - Friendly name for this provider.
Display string `json:"display"`
}
OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Check ¶ added in v1.0.0
func (o *OIDCConnector) Check() error
Check returns nil if all parameters are great, err otherwise
type OIDCIdentity ¶ added in v1.0.0
type OIDCIdentity struct {
// ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
ConnectorID string `json:"connector_id"`
// Email is OIDC verified email claim
// e.g. bob@example.com
Email string `json:"username"`
}
OIDCIdentity is OpenID Connect identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google
func (*OIDCIdentity) Check ¶ added in v1.0.0
func (i *OIDCIdentity) Check() error
Check returns nil if all parameters are great, err otherwise
func (*OIDCIdentity) Equals ¶ added in v1.0.0
func (i *OIDCIdentity) Equals(other *OIDCIdentity) bool
Equals returns true if this identity equals to passed one
func (*OIDCIdentity) String ¶ added in v1.0.0
func (i *OIDCIdentity) String() string
String returns debug friendly representation of this identity
type Presence ¶ added in v1.0.0
type Presence interface {
// GetNodes returns a list of registered servers
GetNodes() ([]Server, error)
// UpsertNode registers node presence, permanently if ttl is 0 or
// for the specified duration with second resolution if it's >= 1 second
UpsertNode(server Server, ttl time.Duration) error
// GetAuthServers returns a list of registered servers
GetAuthServers() ([]Server, error)
// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
// for the specified duration with second resolution if it's >= 1 second
UpsertAuthServer(server Server, ttl time.Duration) error
// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
// for the specified duration with second resolution if it's >= 1 second
UpsertProxy(server Server, ttl time.Duration) error
// GetProxies returns a list of registered proxies
GetProxies() ([]Server, error)
// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error
// GetReverseTunnels returns a list of registered servers
GetReverseTunnels() ([]ReverseTunnel, error)
// DeleteReverseTunnel deletes reverse tunnel by it's domain name
DeleteReverseTunnel(domainName string) error
}
Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes
type ProvisionToken ¶
type ProvisionToken struct {
Roles teleport.Roles `json:"roles"`
Expires time.Time `json:"expires"`
Token string `json:"token"`
}
ProvisionToken stores metadata about some provisioning token
type Provisioner ¶ added in v1.0.0
type Provisioner interface {
// UpsertToken adds provisioning tokens for the auth server
UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error
// GetToken finds and returns token by id
GetToken(token string) (*ProvisionToken, error)
// DeleteToken deletes provisioning token
DeleteToken(token string) error
// GetTokens returns all non-expired tokens
GetTokens() ([]ProvisionToken, error)
}
Provisioner governs adding new nodes to the cluster
type ReverseTunnel ¶ added in v1.0.0
type ReverseTunnel struct {
// DomainName is a domain name of remote cluster we are connecting to
DomainName string `json:"domain_name"`
// DialAddrs is a list of remote address to establish a connection to
// it's always SSH over TCP
DialAddrs []string `json:"dial_addrs"`
}
ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved
func (*ReverseTunnel) Check ¶ added in v1.0.0
func (r *ReverseTunnel) Check() error
Check returns nil if all parameters are good, error otherwise
type Server ¶
type Server struct {
ID string `json:"id"`
Addr string `json:"addr"`
Hostname string `json:"hostname"`
Labels map[string]string `json:"labels"`
CmdLabels map[string]CommandLabel `json:"cmd_labels"`
}
Server represents a node in a Teleport cluster
func (*Server) LabelsMap ¶ added in v1.0.0
LabelsMap returns the full key:value map of both static labels and "command labels"
func (*Server) LabelsString ¶ added in v1.0.0
LabelsString returns a comma separated string with all node's labels
type SignupToken ¶
type SignupToken struct {
Token string `json:"token"`
User TeleportUser `json:"user"`
Hotp []byte `json:"hotp"`
HotpFirstValues []string `json:"hotp_first_values"`
HotpQR []byte `json:"hotp_qr"`
Expires time.Time `json:"expires"`
}
SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed
type Site ¶ added in v1.0.0
type Site struct {
Name string `json:"name"`
LastConnected time.Time `json:"lastconnected"`
Status string `json:"status"`
}
Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.
The CA is represented by an auth server (or multiple auth servers, if running in HA mode)
type TeleportUser ¶ added in v1.0.0
type TeleportUser struct {
// Name is a user name
Name string `json:"name"`
// AllowedLogins represents a list of OS users this teleport
// user is allowed to login as
AllowedLogins []string `json:"allowed_logins"`
// OIDCIdentities lists associated OpenID Connect identities
// that let user log in using externally verified identity
OIDCIdentities []OIDCIdentity `json:"oidc_identities"`
}
TeleportUser is an optional user entry in the database
func (*TeleportUser) Check ¶ added in v1.0.0
func (u *TeleportUser) Check() error
Check checks validity of all parameters
func (*TeleportUser) Equals ¶ added in v1.0.0
func (u *TeleportUser) Equals(other User) bool
Equals checks if user equals to another
func (*TeleportUser) GetAllowedLogins ¶ added in v1.0.0
func (u *TeleportUser) GetAllowedLogins() []string
GetAllowedLogins returns user's allowed linux logins
func (*TeleportUser) GetIdentities ¶ added in v1.0.0
func (u *TeleportUser) GetIdentities() []OIDCIdentity
GetIdentities returns a list of connected OIDCIdentities
func (*TeleportUser) GetName ¶ added in v1.0.0
func (u *TeleportUser) GetName() string
GetName returns user name
func (*TeleportUser) String ¶ added in v1.0.0
func (u *TeleportUser) String() string
func (*TeleportUser) WebSessionInfo ¶ added in v1.2.6
func (u *TeleportUser) WebSessionInfo() User
WebSessionInfo returns web session information
type Trust ¶ added in v1.0.0
type Trust interface {
// UpsertCertAuthority updates or inserts a new certificate authority
UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error
// DeleteCertAuthority deletes particular certificate authority
DeleteCertAuthority(id CertAuthID) error
// GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
// controls if signing keys are loaded
GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)
// GetCertAuthorities returns a list of authorities of a given type
// loadSigningKeys controls whether signing keys should be loaded or not
GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]*CertAuthority, error)
}
Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com
There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts
Remote authorities have only public keys available, so they can be only used to validate
type U2F ¶ added in v1.3.0
type U2F struct {
Enabled bool
// AppID identifies the website to the U2F keys. It should not be changed once a U2F
// key is registered or all existing registrations will become invalid.
AppID string
// Facets should include the domain name of all proxies.
Facets []string
}
U2F is a configuration of the U2F two factor authentication
type User ¶ added in v1.0.0
type User interface {
// GetName returns user name
GetName() string
// GetAllowedLogins returns user's allowed linux logins
GetAllowedLogins() []string
// GetIdentities returns a list of connected OIDCIdentities
GetIdentities() []OIDCIdentity
// String returns user
String() string
// Check checks if all parameters are correct
Check() error
// Equals checks if user equals to another
Equals(other User) bool
// WebSessionInfo returns web session information
WebSessionInfo() User
}
User represents teleport or external user
func TeleportUserUnmarshaler ¶ added in v1.0.0
type UserUnmarshaler ¶ added in v1.0.0
func GetUserUnmarshaler ¶ added in v1.0.0
func GetUserUnmarshaler() UserUnmarshaler
type Users ¶ added in v1.0.0
type Users []User
Users represents a slice of users, makes it sort compatible (sorts by username)
type WebSession ¶
type WebSession struct {
// Pub is a public certificate signed by auth server
Pub []byte `json:"pub"`
// Priv is a private OpenSSH key used to auth with SSH nodes
Priv []byte `json:"priv"`
// BearerToken is a special bearer token used for additional
// bearer authentication
BearerToken string `json:"bearer_token"`
// Expires - absolute time when token expires
Expires time.Time `json:"expires"`
}
WebSession stores key and value used to authenticate with SSH notes on behalf of user
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd |
Click to show internal directories.
Click to hide internal directories.