reversetunnelclient

package
v0.0.0-...-f25915c Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 26, 2025 License: AGPL-3.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// LocalNode is a special non-resolvable address that indicates the request
	// wants to connect to a dialed back node.
	LocalNode = "@local-node"
	// RemoteAuthServer is a special non-resolvable address that indicates client
	// requests a connection to the remote auth server.
	RemoteAuthServer = "@remote-auth-server"
	// LocalKubernetes is a special non-resolvable address that indicates that clients
	// requests a connection to the kubernetes endpoint of the local proxy.
	// This has to be a valid domain name, so it lacks @
	LocalKubernetes = "remote.kube.proxy." + constants.APIDomain
	// LocalWindowsDesktop is a special non-resolvable address that indicates
	// that clients requests a connection to the windows service endpoint of
	// the local proxy.
	// This has to be a valid domain name, so it lacks @
	LocalWindowsDesktop = "remote.windows_desktop.proxy." + constants.APIDomain
)
View Source
const (
	// NoApplicationTunnel is the error message returned when application
	// reverse tunnel cannot be found.
	//
	// It usually happens when an app agent has shut down (or crashed) but
	// hasn't expired from the backend yet.
	NoApplicationTunnel = "could not find reverse tunnel, check that Application Service agent proxying this application is up and running"
	// NoDatabaseTunnel is the error message returned when database reverse
	// tunnel cannot be found.
	//
	// It usually happens when a database agent has shut down (or crashed) but
	// hasn't expired from the backend yet.
	NoDatabaseTunnel = "could not find reverse tunnel, check that Database Service agent proxying this database is up and running"
	// NoOktaTunnel is the error message returned when an Okta
	// reverse tunnel cannot be found.
	//
	// It usually happens when an Okta service has shut down (or crashed) but
	// hasn't expired from the backend yet.
	NoOktaTunnel = "could not find reverse tunnel, check that Okta Service agent proxying this application is up and running"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ClusterGetter

type ClusterGetter interface {
	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
}

ClusterGetter is an interface that defines GetRemoteCluster method

type DialParams

type DialParams struct {
	// From is the source address.
	From net.Addr

	// To is the destination address.
	To net.Addr

	// GetUserAgent gets an SSH agent for use in connecting to the remote host. Used by the
	// forwarding proxy.
	GetUserAgent teleagent.Getter

	// IsAgentlessNode indicates whether the Node is an OpenSSH Node.
	// This includes Nodes whose sub kind is OpenSSH and OpenSSHEICE.
	IsAgentlessNode bool

	// AgentlessSigner is used for authenticating to the remote host when it is an
	// agentless node.
	AgentlessSigner ssh.Signer

	// Address is used by the forwarding proxy to generate a host certificate for
	// the target node. This is needed because while dialing occurs via IP
	// address, tsh thinks it's connecting via DNS name and that's how it
	// validates the host certificate.
	Address string

	// Principals are additional principals that need to be added to the host
	// certificate. Used by the recording proxy to correctly generate a host
	// certificate.
	Principals []string

	// ServerID the hostUUID.clusterName of a Teleport node. Used with nodes
	// that are connected over a reverse tunnel.
	ServerID string

	// ProxyIDs is a list of proxy ids the node is connected to.
	ProxyIDs []string

	// ConnType is the type of connection requested, either node or application.
	// Only used when connecting through a tunnel.
	ConnType types.TunnelType

	// TargetServer is the host that the connection is being established for.
	// It **MUST** only be populated when the target is a teleport ssh server
	// or an agentless server.
	TargetServer types.Server

	// FromPeerProxy indicates that the dial request is being tunneled from
	// a peer proxy.
	FromPeerProxy bool

	// OriginalClientDstAddr is used in PROXY headers to show where client originally contacted Teleport infrastructure
	OriginalClientDstAddr net.Addr
}

DialParams is a list of parameters used to Dial to a node within a cluster.

func (DialParams) String

func (params DialParams) String() string

type FakeRemoteSite

type FakeRemoteSite struct {
	RemoteSite
	// Name is the remote site name.
	Name string
	// AccessPoint is the auth server client.
	AccessPoint auth.RemoteProxyAccessPoint
	// OfflineTunnels is a list of server IDs that will return connection error.
	OfflineTunnels map[string]struct{}
	// contains filtered or unexported fields
}

FakeRemoteSite is a fake reversetunnelclient.RemoteSite implementation used in tests.

func NewFakeRemoteSite

func NewFakeRemoteSite(clusterName string, accessPoint auth.RemoteProxyAccessPoint) *FakeRemoteSite

NewFakeRemoteSite is a FakeRemoteSite constructor.

func (*FakeRemoteSite) CachingAccessPoint

func (s *FakeRemoteSite) CachingAccessPoint() (auth.RemoteProxyAccessPoint, error)

CachingAccessPoint returns caching auth server client.

func (*FakeRemoteSite) Close

func (s *FakeRemoteSite) Close() error

func (*FakeRemoteSite) Dial

func (s *FakeRemoteSite) Dial(params DialParams) (net.Conn, error)

Dial returns the connection to the remote site.

func (*FakeRemoteSite) DialCount

func (s *FakeRemoteSite) DialCount() int64

func (*FakeRemoteSite) GetName

func (s *FakeRemoteSite) GetName() string

GetName returns the remote site name.

func (*FakeRemoteSite) ProxyConn

func (s *FakeRemoteSite) ProxyConn() <-chan net.Conn

ProxyConn returns proxy connection channel with incoming connections.

type FakeServer

type FakeServer struct {
	Server
	// Sites is a list of sites registered via this fake reverse tunnel.
	Sites []RemoteSite
}

FakeServer is a fake Server implementation used in tests.

func (*FakeServer) GetSite

func (s *FakeServer) GetSite(name string) (RemoteSite, error)

GetSite returns the remote site by name.

func (*FakeServer) GetSites

func (s *FakeServer) GetSites() ([]RemoteSite, error)

GetSites returns all available remote sites.

type RemoteSite

type RemoteSite interface {
	// DialAuthServer returns a net.Conn to the Auth Server of a site.
	DialAuthServer(DialParams) (conn net.Conn, err error)
	// Dial dials any address within the site network, in terminating
	// mode it uses local instance of forwarding server to terminate
	// and record the connection.
	Dial(DialParams) (conn net.Conn, err error)
	// DialTCP dials any address within the site network and
	// ignores recording mode, used in components that need direct dialer.
	DialTCP(DialParams) (conn net.Conn, err error)
	// GetLastConnected returns last time the remote site was seen connected
	GetLastConnected() time.Time
	// GetName returns site name (identified by authority domain's name)
	GetName() string
	// GetStatus returns status of this site (either offline or connected)
	GetStatus() string
	// GetClient returns client connected to remote auth server
	GetClient() (auth.ClientI, error)
	// CachingAccessPoint returns access point that is lightweight
	// but is resilient to auth server crashes
	CachingAccessPoint() (auth.RemoteProxyAccessPoint, error)
	// NodeWatcher returns the node watcher that maintains the node set for the site
	NodeWatcher() (*services.NodeWatcher, error)
	// GetTunnelsCount returns the amount of active inbound tunnels
	// from the remote cluster
	GetTunnelsCount() int
	// IsClosed reports whether this RemoteSite has been closed and should no
	// longer be used.
	IsClosed() bool
	// Closer allows the site to be closed
	io.Closer
}

RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy

There are two implementations of this interface: local and remote sites.

type Resolver

type Resolver func(ctx context.Context) (*utils.NetAddr, types.ProxyListenerMode, error)

Resolver looks up reverse tunnel addresses

func CachingResolver

func CachingResolver(ctx context.Context, resolver Resolver, clock clockwork.Clock) (Resolver, error)

CachingResolver wraps the provided Resolver with one that will cache the previous result for 3 seconds to reduce the number of resolutions in an effort to mitigate potentially overwhelming the Resolver source.

func StaticResolver

func StaticResolver(address string, mode types.ProxyListenerMode) Resolver

StaticResolver returns a Resolver which will always resolve to the provided address

func WebClientResolver

func WebClientResolver(cfg *webclient.Config) Resolver

WebClientResolver returns a Resolver which uses the web proxy to discover where the SSH reverse tunnel server is running.

type Server

type Server interface {
	Tunnel
	// Start starts server
	Start() error
	// Close closes server's operations immediately
	Close() error
	// DrainConnections closes listeners and begins draining connections without
	// closing open connections.
	DrainConnections(context.Context) error
	// Shutdown performs graceful server shutdown closing open connections.
	Shutdown(context.Context) error
	// Wait waits for server to close all outstanding operations
	Wait(ctx context.Context)
	// GetProxyPeerClient returns the proxy peer client
	GetProxyPeerClient() *peer.Client
	// TrackUserConnection tracks a user connection that should prevent
	// the server from being terminated if active. The returned function
	// should be called when the connection is terminated.
	TrackUserConnection() (release func())
}

Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.

type Tunnel

type Tunnel interface {
	// GetSites returns a list of connected remote sites
	GetSites() ([]RemoteSite, error)
	// GetSite returns remote site this node belongs to
	GetSite(domainName string) (RemoteSite, error)
}

Tunnel provides access to connected local or remote clusters using unified interface.

type TunnelAuthDialer

type TunnelAuthDialer struct {
	// TunnelAuthDialerConfig is the TunnelAuthDialer configuration.
	TunnelAuthDialerConfig
}

TunnelAuthDialer connects to the Auth Server through the reverse tunnel.

func NewTunnelAuthDialer

func NewTunnelAuthDialer(config TunnelAuthDialerConfig) (*TunnelAuthDialer, error)

NewTunnelAuthDialer creates a new instance of TunnelAuthDialer

func (*TunnelAuthDialer) DialContext

func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Conn, error)

DialContext dials auth server via SSH tunnel

type TunnelAuthDialerConfig

type TunnelAuthDialerConfig struct {
	// Resolver retrieves the address of the proxy
	Resolver Resolver
	// ClientConfig is SSH tunnel client config
	ClientConfig *ssh.ClientConfig
	// Log is used for logging.
	Log logrus.FieldLogger
	// InsecureSkipTLSVerify is whether to skip certificate validation.
	InsecureSkipTLSVerify bool
	// ClusterCAs contains cluster CAs.
	ClusterCAs *x509.CertPool
}

TunnelAuthDialerConfig specifies TunnelAuthDialer configuration.

func (*TunnelAuthDialerConfig) CheckAndSetDefaults

func (c *TunnelAuthDialerConfig) CheckAndSetDefaults() error

type TunnelWithRoles

type TunnelWithRoles struct {
	// contains filtered or unexported fields
}

TunnelWithRoles authorizes requests

func NewTunnelWithRoles

func NewTunnelWithRoles(tunnel Tunnel, localCluster string, accessChecker services.AccessChecker, access ClusterGetter) *TunnelWithRoles

NewTunnelWithRoles returns new authorizing tunnel

func (*TunnelWithRoles) GetSite

func (t *TunnelWithRoles) GetSite(clusterName string) (RemoteSite, error)

GetSite returns remote site this node belongs to

func (*TunnelWithRoles) GetSites

func (t *TunnelWithRoles) GetSites() ([]RemoteSite, error)

GetSites returns a list of connected remote sites

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL