Documentation
Overview
Package auth implements a certificate signing authority and access control server. The authority server is composed of several parts:
* The authority server itself, which implements the signing and ACL logic
* An HTTP server wrapper for the authority server
* An HTTP client wrapper
Index
- Constants
- Variables
- func AuthorizeAccessReviewRequest(context authz.Context, params types.AccessReviewSubmission) error
- func CertAuthorityInfo(ca types.CertAuthority) string
- func CertInfo(cert *x509.Certificate) string
- func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)
- func ClientParamIdleConnTimeout(timeout time.Duration) roundtrip.ClientParam
- func ClientParamResponseHeaderTimeout(timeout time.Duration) roundtrip.ClientParam
- func ClientParamTimeout(timeout time.Duration) roundtrip.ClientParam
- func ContainsSessionKind(s []string, e types.SessionKind) bool
- func CreateAccessPluginUser(ctx context.Context, clt clt, username string) (types.User, error)
- func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV6) (types.Role, error)
- func CreateUser(ctx context.Context, clt clt, username string, roles ...types.Role) (types.User, error)
- func CreateUserAndRole(clt clt, username string, allowedLogins []string, allowRules []types.Rule) (types.User, types.Role, error)
- func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
- func CreateUserRoleAndRequestable(clt clt, username string, rolename string) (types.User, error)
- func DefaultClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, int64, error)
- func DefaultDNSNamesForRole(role types.SystemRole) []string
- func ExtractHostID(hostName string, clusterName string) (string, error)
- func GetPresetRoles() []types.Role
- func HasBuiltinRole(authContext authz.Context, name string) bool
- func HasRemoteBuiltinRole(authContext authz.Context, name string) bool
- func HostFQDN(hostUUID, clusterName string) string
- func IdentityForwardingHeaders(ctx context.Context, originalHeaders http.Header) (http.Header, error)
- func IsInvalidLocalCredentialError(err error) bool
- func MFARequiredToBool(m proto.MFARequired) (required bool)
- func NewAPIServer(config *APIConfig) (http.Handler, error)
- func PrivateKeyToPublicKeyTLS(privateKey []byte) (tlsPublicKey []byte, err error)
- func Register(params RegisterParams) (*proto.Certs, error)
- func RoleSupportsModeratedSessions(roles []types.Role) bool
- func TLSCertInfo(cert *tls.Certificate) string
- func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error
- func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error
- func WatchEvents(watch *authpb.Watch, stream WatchEvent, componentName string, auth Watcher) error
- func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, ...) func(*tls.ClientHelloInfo) (*tls.Config, error)
- type APIClient
- type APIConfig
- type APIServer
- type AccessCache
- type Announcer
- type AppTestCertRequest
- type AppsAccessPoint
- type AppsWrapper
- type AugmentUserCertificateOpts
- type AuthenticateSSHRequest
- type AuthenticateUserRequest
- type AzureParams
- type Cache
- type Client
- func (c *Client) AccessGraphClient() accessgraphv1.AccessGraphServiceClient
- func (c *Client) AccessListClient() services.AccessLists
- func (c *Client) ActivateCertAuthority(id types.CertAuthID) error
- func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
- func (c *Client) Close() error
- func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
- func (c *Client) CompareAndSwapUser(ctx context.Context, new, expected types.User) error
- func (c *Client) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
- func (c *Client) CreateCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error
- func (c *Client) DeleteAllAuthServers() error
- func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error
- func (c *Client) DeleteAllLocks(context.Context) error
- func (c *Client) DeleteAllNamespaces() error
- func (c *Client) DeleteAllReverseTunnels() error
- func (c *Client) DeleteAllRoles(context.Context) error
- func (c *Client) DeleteAllTokens() error
- func (c *Client) DeleteAllUsers(ctx context.Context) error
- func (c *Client) DeleteAuthPreference(context.Context) error
- func (c *Client) DeleteAuthServer(name string) error
- func (c *Client) DeleteCertAuthority(ctx context.Context, id types.CertAuthID) error
- func (c *Client) DeleteClusterAuditConfig(ctx context.Context) error
- func (c *Client) DeleteClusterName() error
- func (c *Client) DeleteClusterNetworkingConfig(ctx context.Context) error
- func (c *Client) DeleteSessionRecordingConfig(ctx context.Context) error
- func (c *Client) DiscoveryConfigClient() services.DiscoveryConfigs
- func (c *Client) ExternalAuditStorageClient() *externalauditstorage.Client
- func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (c *Client) GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, ...) ([]byte, error)
- func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
- func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool) (types.CertAuthority, error)
- func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
- func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
- func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
- func (c *Client) GetLicense(ctx context.Context) (string, error)
- func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
- func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
- func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
- func (c *Client) KeepAliveServer(ctx context.Context, keepAlive types.KeepAlive) error
- func (c *Client) ListReleases(ctx context.Context) ([]*types.Release, error)
- func (c *Client) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
- func (c *Client) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
- func (c *Client) OktaClient() services.Okta
- func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
- func (c *Client) SearchEvents(ctx context.Context, req events.SearchEventsRequest) ([]apievents.AuditEvent, string, error)
- func (c *Client) SearchSessionEvents(ctx context.Context, req events.SearchSessionEventsRequest) ([]apievents.AuditEvent, string, error)
- func (c *Client) SecReportsClient() *secreport.Client
- func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
- func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
- func (c *Client) UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, ...) (types.User, error)
- func (c *Client) UpdatePresence(ctx context.Context, sessionID, user string) error
- func (c *Client) UpdateUserCARoleMap(ctx context.Context, name string, roleMap types.RoleMap, activated bool) error
- func (c *Client) UpsertAppSession(ctx context.Context, session types.WebSession) error
- func (c *Client) UpsertCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (c *Client) UpsertClusterName(cn types.ClusterName) error
- func (c *Client) UpsertSAMLIdPSession(_ context.Context, _ types.WebSession) error
- func (c *Client) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error
- func (c *Client) UpsertUser(ctx context.Context, user types.User) (types.User, error)
- func (c *Client) UserLoginStateClient() services.UserLoginStates
- func (c *Client) ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, ...) (*types.MFADevice, string, error)
- type ClientI
- type ConnectionEnforcer
- type ConnectionIdentity
- type CreateUserParams
- type CreateUserTokenRequest
- type DatabaseAccessPoint
- type DatabaseTestCertRequest
- type DatabaseWrapper
- type DeviceExtensions
- type DiscoveryAccessPoint
- type DiscoveryWrapper
- func (w *DiscoveryWrapper) Close() error
- func (w *DiscoveryWrapper) CreateApp(ctx context.Context, app types.Application) error
- func (w *DiscoveryWrapper) CreateDatabase(ctx context.Context, database types.Database) error
- func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (w *DiscoveryWrapper) DeleteApp(ctx context.Context, name string) error
- func (w *DiscoveryWrapper) DeleteDatabase(ctx context.Context, name string) error
- func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (w *DiscoveryWrapper) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
- func (w *DiscoveryWrapper) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
- func (w *DiscoveryWrapper) UpdateApp(ctx context.Context, app types.Application) error
- func (w *DiscoveryWrapper) UpdateDatabase(ctx context.Context, database types.Database) error
- func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (w *DiscoveryWrapper) UpsertServerInfo(ctx context.Context, si types.ServerInfo) error
- type ForwardedClientMetadata
- type GRPCServer
- func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
- func (g *GRPCServer) AddMFADevice(stream authpb.AuthService_AddMFADeviceServer) error (deprecated)
- func (g *GRPCServer) AddMFADeviceSync(ctx context.Context, req *authpb.AddMFADeviceSyncRequest) (*authpb.AddMFADeviceSyncResponse, error)
- func (g *GRPCServer) AppendDiagnosticTrace(ctx context.Context, in *authpb.AppendDiagnosticTraceRequest) (*types.ConnectionDiagnosticV1, error)
- func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
- func (g *GRPCServer) ChangePassword(ctx context.Context, req *authpb.ChangePasswordRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) ChangeUserAuthentication(ctx context.Context, req *authpb.ChangeUserAuthenticationRequest) (*authpb.ChangeUserAuthenticationResponse, error)
- func (g *GRPCServer) ClearAlertAcks(ctx context.Context, req *authpb.ClearAlertAcksRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *authpb.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAccessRequestV2(ctx context.Context, req *types.AccessRequestV3) (*types.AccessRequestV3, error)
- func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *authpb.CreateAccountRecoveryCodesRequest) (*authpb.RecoveryCodes, error)
- func (g *GRPCServer) CreateAlertAck(ctx context.Context, ack *types.AlertAcknowledgement) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAppSession(ctx context.Context, req *authpb.CreateAppSessionRequest) (*authpb.CreateAppSessionResponse, error)
- func (g *GRPCServer) CreateAuditStream(stream authpb.AuthService_CreateAuditStreamServer) error
- func (g *GRPCServer) CreateAuthenticateChallenge(ctx context.Context, req *authpb.CreateAuthenticateChallengeRequest) (*authpb.MFAAuthenticateChallenge, error)
- func (g *GRPCServer) CreateBot(ctx context.Context, req *authpb.CreateBotRequest) (*authpb.CreateBotResponse, error)
- func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (g *GRPCServer) CreateGithubConnector(ctx context.Context, req *authpb.CreateGithubConnectorRequest) (*types.GithubConnectorV3, error)
- func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (g *GRPCServer) CreateOIDCConnector(ctx context.Context, req *authpb.CreateOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
- func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *authpb.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) CreateRegisterChallenge(ctx context.Context, req *authpb.CreateRegisterChallengeRequest) (*authpb.MFARegisterChallenge, error)
- func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *authpb.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) CreateRole(ctx context.Context, req *authpb.CreateRoleRequest) (*types.RoleV6, error)
- func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (g *GRPCServer) CreateSAMLConnector(ctx context.Context, req *authpb.CreateSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
- func (g *GRPCServer) CreateSAMLIdPServiceProvider(ctx context.Context, sp *types.SAMLIdPServiceProviderV1) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateSAMLIdPSession(ctx context.Context, req *authpb.CreateSAMLIdPSessionRequest) (*authpb.CreateSAMLIdPSessionResponse, error)
- func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *authpb.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)
- func (g *GRPCServer) CreateSnowflakeSession(ctx context.Context, req *authpb.CreateSnowflakeSessionRequest) (*authpb.CreateSnowflakeSessionResponse, error)
- func (g *GRPCServer) CreateTokenV2(ctx context.Context, req *authpb.CreateTokenV2Request) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateUserGroup(ctx context.Context, sp *types.UserGroupV1) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAccessRequest(ctx context.Context, id *authpb.RequestID) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *authpb.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllApps(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *authpb.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllDatabaseServices(ctx context.Context, _ *authpb.DeleteAllDatabaseServicesRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *authpb.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllSAMLIdPServiceProviders(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllSAMLIdPSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllServerInfos(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllSnowflakeSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllUserGroups(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *authpb.DeleteAppSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *authpb.DeleteApplicationServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteBot(ctx context.Context, req *authpb.DeleteBotRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteClusterMaintenanceConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *authpb.DeleteDatabaseServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteDatabaseService(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *authpb.DeleteKubernetesServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteLock(ctx context.Context, req *authpb.DeleteLockRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteMFADevice(stream authpb.AuthService_DeleteMFADeviceServer) error (deprecated)
- func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *authpb.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteRole(ctx context.Context, req *authpb.DeleteRoleRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSAMLIdPServiceProvider(ctx context.Context, req *authpb.DeleteSAMLIdPServiceProviderRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSAMLIdPSession(ctx context.Context, req *authpb.DeleteSAMLIdPSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteServerInfo(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *authpb.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUIConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUser(ctx context.Context, req *authpb.DeleteUserRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *authpb.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUserGroup(ctx context.Context, req *authpb.DeleteUserGroupRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUserSAMLIdPSessions(ctx context.Context, req *authpb.DeleteUserSAMLIdPSessionsRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *authpb.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *authpb.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)
- func (g *GRPCServer) Export(ctx context.Context, req *collectortracepb.ExportTraceServiceRequest) (*collectortracepb.ExportTraceServiceResponse, error)
- func (g *GRPCServer) ExportUpgradeWindows(ctx context.Context, req *authpb.ExportUpgradeWindowsRequest) (*authpb.ExportUpgradeWindowsResponse, error)
- func (g *GRPCServer) GenerateAppToken(ctx context.Context, req *authpb.GenerateAppTokenRequest) (*authpb.GenerateAppTokenResponse, error)
- func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *authpb.CertAuthorityRequest) (*authpb.CRL, error)
- func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *authpb.DatabaseCertRequest) (*authpb.DatabaseCertResponse, error)
- func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *authpb.HostCertsRequest) (*authpb.Certs, error)
- func (g *GRPCServer) GenerateOpenSSHCert(ctx context.Context, req *authpb.OpenSSHCertRequest) (*authpb.OpenSSHCert, error)
- func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *authpb.SnowflakeJWTRequest) (*authpb.SnowflakeJWTResponse, error)
- func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *authpb.UserCertsRequest) (*authpb.Certs, error)
- func (g *GRPCServer) GenerateUserSingleUseCerts(stream authpb.AuthService_GenerateUserSingleUseCertsServer) error
- func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *authpb.WindowsDesktopCertRequest) (*authpb.WindowsDesktopCertResponse, error)
- func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (g *GRPCServer) GetAccessRequestAllowedPromotions(ctx context.Context, request *authpb.AccessRequestAllowedPromotionRequest) (*authpb.AccessRequestAllowedPromotionResponse, error)
- func (g *GRPCServer) GetAccessRequestsV2(f *types.AccessRequestFilter, ...) error
- func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *authpb.GetAccountRecoveryCodesRequest) (*authpb.RecoveryCodes, error)
- func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *authpb.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream authpb.AuthService_GetActiveSessionTrackersServer) error
- func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, ...) error
- func (g *GRPCServer) GetAlertAcks(ctx context.Context, _ *authpb.GetAlertAcksRequest) (*authpb.GetAlertAcksResponse, error)
- func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)
- func (g *GRPCServer) GetAppSession(ctx context.Context, req *authpb.GetAppSessionRequest) (*authpb.GetAppSessionResponse, error)
- func (g *GRPCServer) GetApps(ctx context.Context, _ *emptypb.Empty) (*types.AppV3List, error)
- func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)
- func (g *GRPCServer) GetBackend() backend.Backend
- func (g *GRPCServer) GetBotUsers(_ *authpb.GetBotUsersRequest, stream authpb.AuthService_GetBotUsersServer) error
- func (g *GRPCServer) GetClusterAlerts(ctx context.Context, query *types.GetClusterAlertsRequest) (*authpb.GetClusterAlertsResponse, error)
- func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)
- func (g *GRPCServer) GetClusterCACert(ctx context.Context, req *emptypb.Empty) (*authpb.GetClusterCACertResponse, error)
- func (g *GRPCServer) GetClusterMaintenanceConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterMaintenanceConfigV1, error)
- func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)
- func (g *GRPCServer) GetConnectionDiagnostic(ctx context.Context, req *authpb.GetConnectionDiagnosticRequest) (*types.ConnectionDiagnosticV1, error)
- func (g *GRPCServer) GetCurrentUser(ctx context.Context, req *emptypb.Empty) (*types.UserV2, error)
- func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream authpb.AuthService_GetCurrentUserRolesServer) error
- func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)
- func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)
- func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*authpb.GetDomainNameResponse, error)
- func (g *GRPCServer) GetEvents(ctx context.Context, req *authpb.GetEventsRequest) (*authpb.Events, error)
- func (g *GRPCServer) GetGithubAuthRequest(ctx context.Context, req *authpb.GetGithubAuthRequestRequest) (*types.GithubAuthRequest, error)
- func (g *GRPCServer) GetGithubConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.GithubConnectorV3, error)
- func (g *GRPCServer) GetGithubConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.GithubConnectorV3List, error)
- func (g *GRPCServer) GetHeadlessAuthentication(ctx context.Context, req *authpb.GetHeadlessAuthenticationRequest) (*types.HeadlessAuthentication, error)
- func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)
- func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)
- func (g *GRPCServer) GetInstances(filter *types.InstanceFilter, stream authpb.AuthService_GetInstancesServer) error
- func (g *GRPCServer) GetInventoryConnectedServiceCounts(ctx context.Context, _ *authpb.InventoryConnectedServiceCountsRequest) (*authpb.InventoryConnectedServiceCounts, error)
- func (g *GRPCServer) GetInventoryStatus(ctx context.Context, req *authpb.InventoryStatusRequest) (*authpb.InventoryStatusSummary, error)
- func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)
- func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)
- func (g *GRPCServer) GetLicense(ctx context.Context, req *authpb.GetLicenseRequest) (*authpb.GetLicenseResponse, error)
- func (g *GRPCServer) GetLock(ctx context.Context, req *authpb.GetLockRequest) (*types.LockV2, error)
- func (g *GRPCServer) GetLocks(ctx context.Context, req *authpb.GetLocksRequest) (*authpb.GetLocksResponse, error)
- func (g *GRPCServer) GetMFADevices(ctx context.Context, req *authpb.GetMFADevicesRequest) (*authpb.GetMFADevicesResponse, error)
- func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)
- func (g *GRPCServer) GetNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*types.ServerV2, error)
- func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *authpb.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)
- func (g *GRPCServer) GetOIDCConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.OIDCConnectorV3, error)
- func (g *GRPCServer) GetOIDCConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.OIDCConnectorV3List, error)
- func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*authpb.PluginDataSeq, error)
- func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *authpb.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) GetRole(ctx context.Context, req *authpb.GetRoleRequest) (*types.RoleV6, error)
- func (g *GRPCServer) GetRoles(ctx context.Context, _ *emptypb.Empty) (*authpb.GetRolesResponse, error)
- func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *authpb.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)
- func (g *GRPCServer) GetSAMLConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.SAMLConnectorV2, error)
- func (g *GRPCServer) GetSAMLConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.SAMLConnectorV2List, error)
- func (g *GRPCServer) GetSAMLIdPServiceProvider(ctx context.Context, req *authpb.GetSAMLIdPServiceProviderRequest) (*types.SAMLIdPServiceProviderV1, error)
- func (g *GRPCServer) GetSAMLIdPSession(ctx context.Context, req *authpb.GetSAMLIdPSessionRequest) (*authpb.GetSAMLIdPSessionResponse, error)
- func (g *GRPCServer) GetSSHTargets(ctx context.Context, req *authpb.GetSSHTargetsRequest) (*authpb.GetSSHTargetsResponse, error)
- func (g *GRPCServer) GetSSODiagnosticInfo(ctx context.Context, req *authpb.GetSSODiagnosticInfoRequest) (*types.SSODiagnosticInfo, error)
- func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*authpb.Semaphores, error)
- func (g *GRPCServer) GetServer() (*grpc.Server, error)
- func (g *GRPCServer) GetServerInfo(ctx context.Context, req *types.ResourceRequest) (*types.ServerInfoV1, error)
- func (g *GRPCServer) GetServerInfos(_ *emptypb.Empty, stream authpb.AuthService_GetServerInfosServer) error
- func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *authpb.GetSessionEventsRequest) (*authpb.Events, error)
- func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)
- func (g *GRPCServer) GetSessionTracker(ctx context.Context, req *authpb.GetSessionTrackerRequest) (*types.SessionTrackerV1, error)
- func (g *GRPCServer) GetSnowflakeSession(ctx context.Context, req *authpb.GetSnowflakeSessionRequest) (*authpb.GetSnowflakeSessionResponse, error)
- func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*authpb.GetSnowflakeSessionsResponse, error)
- func (g *GRPCServer) GetToken(ctx context.Context, req *types.ResourceRequest) (*types.ProvisionTokenV2, error)
- func (g *GRPCServer) GetTokens(ctx context.Context, _ *emptypb.Empty) (*types.ProvisionTokenV2List, error)
- func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)
- func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)
- func (g *GRPCServer) GetUIConfig(ctx context.Context, _ *emptypb.Empty) (*types.UIConfigV1, error)
- func (g *GRPCServer) GetUnstructuredEvents(ctx context.Context, req *auditlogpb.GetUnstructuredEventsRequest) (*auditlogpb.EventsUnstructured, error)
- func (g *GRPCServer) GetUser(ctx context.Context, req *authpb.GetUserRequest) (*types.UserV2, error)
- func (g *GRPCServer) GetUserGroup(ctx context.Context, req *authpb.GetUserGroupRequest) (*types.UserGroupV1, error)
- func (g *GRPCServer) GetUsers(req *authpb.GetUsersRequest, stream authpb.AuthService_GetUsersServer) error
- func (g *GRPCServer) GetWebSession(ctx context.Context, req *types.GetWebSessionRequest) (*authpb.GetWebSessionResponse, error)
- func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*authpb.GetWebSessionsResponse, error)
- func (g *GRPCServer) GetWebToken(ctx context.Context, req *types.GetWebTokenRequest) (*authpb.GetWebTokenResponse, error)
- func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*authpb.GetWebTokensResponse, error)
- func (g *GRPCServer) GetWindowsDesktopService(ctx context.Context, req *authpb.GetWindowsDesktopServiceRequest) (*authpb.GetWindowsDesktopServiceResponse, error)
- func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*authpb.GetWindowsDesktopServicesResponse, error)
- func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, filter *types.WindowsDesktopFilter) (*authpb.GetWindowsDesktopsResponse, error)
- func (g *GRPCServer) InventoryControlStream(stream authpb.AuthService_InventoryControlStreamServer) error
- func (g *GRPCServer) IsMFARequired(ctx context.Context, req *authpb.IsMFARequiredRequest) (*authpb.IsMFARequiredResponse, error)
- func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
- func (g *GRPCServer) ListAppSessions(ctx context.Context, req *authpb.ListAppSessionsRequest) (*authpb.ListAppSessionsResponse, error)
- func (g *GRPCServer) ListReleases(ctx context.Context, req *authpb.ListReleasesRequest) (*authpb.ListReleasesResponse, error)
- func (g *GRPCServer) ListResources(ctx context.Context, req *authpb.ListResourcesRequest) (*authpb.ListResourcesResponse, error)
- func (g *GRPCServer) ListSAMLIdPServiceProviders(ctx context.Context, req *authpb.ListSAMLIdPServiceProvidersRequest) (*authpb.ListSAMLIdPServiceProvidersResponse, error)
- func (g *GRPCServer) ListSAMLIdPSessions(ctx context.Context, req *authpb.ListSAMLIdPSessionsRequest) (*authpb.ListSAMLIdPSessionsResponse, error)
- func (g *GRPCServer) ListUnifiedResources(ctx context.Context, req *authpb.ListUnifiedResourcesRequest) (*authpb.ListUnifiedResourcesResponse, error)
- func (g *GRPCServer) ListUserGroups(ctx context.Context, req *authpb.ListUserGroupsRequest) (*authpb.ListUserGroupsResponse, error)
- func (g *GRPCServer) MaintainSessionPresence(stream authpb.AuthService_MaintainSessionPresenceServer) error
- func (g *GRPCServer) Ping(ctx context.Context, req *authpb.PingRequest) (*authpb.PingResponse, error)
- func (g *GRPCServer) PingInventory(ctx context.Context, req *authpb.InventoryPingRequest) (*authpb.InventoryPingResponse, error)
- func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *authpb.RemoveSessionTrackerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *authpb.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) SendKeepAlives(stream authpb.AuthService_SendKeepAlivesServer) error
- func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *authpb.RequestStateSetter) (*emptypb.Empty, error)
- func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)
- func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)
- func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SetUIConfig(ctx context.Context, req *types.UIConfigV1) (*emptypb.Empty, error)
- func (g *GRPCServer) SignDatabaseCSR(ctx context.Context, req *authpb.DatabaseCSRRequest) (*authpb.DatabaseCSRResponse, error)
- func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *authpb.StartAccountRecoveryRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) StreamSessionEvents(req *authpb.StreamSessionEventsRequest, ...) error
- func (g *GRPCServer) StreamUnstructuredSessionEventsServer(req *auditlogpb.StreamUnstructuredSessionEventsRequest, ...) error
- func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)
- func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *authpb.SubmitUsageEventRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateClusterMaintenanceConfig(ctx context.Context, cmc *types.ClusterMaintenanceConfigV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateGithubConnector(ctx context.Context, req *authpb.UpdateGithubConnectorRequest) (*types.GithubConnectorV3, error)
- func (g *GRPCServer) UpdateHeadlessAuthenticationState(ctx context.Context, req *authpb.UpdateHeadlessAuthenticationStateRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateOIDCConnector(ctx context.Context, req *authpb.UpdateOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
- func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateRole(ctx context.Context, req *authpb.UpdateRoleRequest) (*types.RoleV6, error)
- func (g *GRPCServer) UpdateSAMLConnector(ctx context.Context, req *authpb.UpdateSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
- func (g *GRPCServer) UpdateSAMLIdPServiceProvider(ctx context.Context, sp *types.SAMLIdPServiceProviderV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *authpb.UpdateSessionTrackerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateUserGroup(ctx context.Context, sp *types.UserGroupV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *authpb.UpsertApplicationServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *authpb.UpsertClusterAlertRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *authpb.UpsertDatabaseServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertDatabaseService(ctx context.Context, req *authpb.UpsertDatabaseServiceRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertGithubConnectorV2(ctx context.Context, req *authpb.UpsertGithubConnectorRequest) (*types.GithubConnectorV3, error)
- func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *authpb.UpsertKubernetesServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertLock(ctx context.Context, lock *types.LockV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertOIDCConnectorV2(ctx context.Context, req *authpb.UpsertOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
- func (g *GRPCServer) UpsertRole(ctx context.Context, role *types.RoleV6) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertRoleV2(ctx context.Context, req *authpb.UpsertRoleRequest) (*types.RoleV6, error)
- func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertSAMLConnectorV2(ctx context.Context, req *authpb.UpsertSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
- func (g *GRPCServer) UpsertServerInfo(ctx context.Context, si *types.ServerInfoV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertTokenV2(ctx context.Context, req *authpb.UpsertTokenV2Request) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)
- func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)
- func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *authpb.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) WatchEvents(watch *authpb.Watch, stream authpb.AuthService_WatchEventsServer) (err error)
- func (g *GRPCServer) WatchPendingHeadlessAuthentications(_ *emptypb.Empty, ...) error
- type GRPCServerConfig
- type GenerateUserTestCertsRequest
- type GithubAuthRequest
- type GithubAuthResponse
- type GithubConverter
- func (g *GithubConverter) CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)
- func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
- func (g *GithubConverter) UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- type HTTPClient
- func (c *HTTPClient) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (c *HTTPClient) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (c *HTTPClient) CloneHTTPClient(params ...roundtrip.ClientParam) (*HTTPClient, error)
- func (c *HTTPClient) Close()
- func (c *HTTPClient) CreateRemoteCluster(rc types.RemoteCluster) error
- func (c *HTTPClient) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (c *HTTPClient) Delete(ctx context.Context, u string) (*roundtrip.Response, error)
- func (c *HTTPClient) DeleteAllProxies() error
- func (c *HTTPClient) DeleteAllRemoteClusters() error
- func (c *HTTPClient) DeleteAllTunnelConnections() error
- func (c *HTTPClient) DeleteNamespace(name string) error
- func (c *HTTPClient) DeleteProxy(ctx context.Context, name string) error
- func (c *HTTPClient) DeleteRemoteCluster(ctx context.Context, clusterName string) error
- func (c *HTTPClient) DeleteReverseTunnel(domainName string) error
- func (c *HTTPClient) DeleteStaticTokens() error
- func (c *HTTPClient) DeleteTunnelConnection(clusterName string, connName string) error
- func (c *HTTPClient) DeleteTunnelConnections(clusterName string) error
- func (c *HTTPClient) DeleteWebSession(ctx context.Context, user string, sid string) error
- func (c *HTTPClient) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
- func (c *HTTPClient) Get(ctx context.Context, u string, params url.Values) (*roundtrip.Response, error)
- func (c *HTTPClient) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (c *HTTPClient) GetAuthServers() ([]types.Server, error)
- func (c *HTTPClient) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
- func (c *HTTPClient) GetNamespace(name string) (*types.Namespace, error)
- func (c *HTTPClient) GetNamespaces() ([]types.Namespace, error)
- func (c *HTTPClient) GetProxies() ([]types.Server, error)
- func (c *HTTPClient) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (c *HTTPClient) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (c *HTTPClient) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
- func (c *HTTPClient) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (c *HTTPClient) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)
- func (c *HTTPClient) GetStaticTokens() (types.StaticTokens, error)
- func (c *HTTPClient) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (c *HTTPClient) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (c *HTTPClient) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
- func (c *HTTPClient) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *HTTPClient) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (c *HTTPClient) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *HTTPClient) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (c *HTTPClient) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (c *HTTPClient) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (c *HTTPClient) SetClusterName(cn types.ClusterName) error
- func (c *HTTPClient) SetStaticTokens(st types.StaticTokens) error
- func (c *HTTPClient) TLSConfig() *tls.Config
- func (c *HTTPClient) UpsertAuthServer(ctx context.Context, s types.Server) error
- func (c *HTTPClient) UpsertNamespace(ns types.Namespace) error
- func (c *HTTPClient) UpsertProxy(ctx context.Context, s types.Server) error
- func (c *HTTPClient) UpsertReverseTunnel(tunnel types.ReverseTunnel) error
- func (c *HTTPClient) UpsertTunnelConnection(conn types.TunnelConnection) error
- func (c *HTTPClient) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (c *HTTPClient) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (c *HTTPClient) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
- func (c *HTTPClient) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- type HTTPClientConfig
- type HandlerWithAuthFunc
- type HostCredentials
- type Identity
- func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
- func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, ...) (*Identity, error)
- func NewServerIdentity(clt *Server, hostID string, role types.SystemRole) (*Identity, error)
- func ReRegister(params ReRegisterParams) (*Identity, error)
- func ReadIdentityFromKeyPair(privateKey []byte, certs *proto.Certs) (*Identity, error)
- func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
- func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)
- func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
- func (i *Identity) HasDNSNames(dnsNames []string) bool
- func (i *Identity) HasPrincipals(additionalPrincipals []string) bool
- func (i *Identity) HasSystemRole(role types.SystemRole) bool
- func (i *Identity) HasTLSConfig() bool
- func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)
- func (i *Identity) String() string
- func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)
- type IdentityID
- type IdentityInfo
- type IdentityService
- type IdentitySpecV2
- type IdentityV2
- type ImpersonatorRoundTripper
- type InitConfig
- type KubeCSR
- type KubeCSRResponse
- type KubernetesAccessPoint
- type KubernetesWrapper
- type LoginHook
- type Metrics
- type Middleware
- func (a *Middleware) GetUser(connState tls.ConnectionState) (authz.IdentityGetter, error)
- func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (a *Middleware) StreamInterceptors() []grpc.StreamServerInterceptor
- func (a *Middleware) UnaryInterceptors() []grpc.UnaryServerInterceptor
- func (a *Middleware) Wrap(h http.Handler)
- func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)
- func (a *Middleware) WrapContextWithUserFromTLSConnState(ctx context.Context, tlsState tls.ConnectionState, remoteAddr net.Addr) (context.Context, error)
- type NewRemoteProxyCachingAccessPoint
- type NodeAccessPoint
- type NodeWrapper
- type OIDCAuthRawResponse
- type OIDCAuthRequest
- type OIDCAuthResponse
- type OIDCService
- type OTPCreds
- type OktaAccessPoint
- type OktaWrapper
- func (w *OktaWrapper) Close() error
- func (w *OktaWrapper) CreateOktaAssignment(ctx context.Context, assignment types.OktaAssignment) (types.OktaAssignment, error)
- func (w *OktaWrapper) CreateOktaImportRule(ctx context.Context, importRule types.OktaImportRule) (types.OktaImportRule, error)
- func (w *OktaWrapper) CreateUser(ctx context.Context, user types.User) (types.User, error)
- func (w *OktaWrapper) CreateUserGroup(ctx context.Context, userGroup types.UserGroup) error
- func (w *OktaWrapper) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
- func (w *OktaWrapper) DeleteOktaAssignment(ctx context.Context, name string) error
- func (w *OktaWrapper) DeleteOktaImportRule(ctx context.Context, name string) error
- func (w *OktaWrapper) DeleteUser(ctx context.Context, user string) error
- func (w *OktaWrapper) DeleteUserGroup(ctx context.Context, name string) error
- func (w *OktaWrapper) UpdateOktaAssignment(ctx context.Context, assignment types.OktaAssignment) (types.OktaAssignment, error)
- func (w *OktaWrapper) UpdateOktaAssignmentStatus(ctx context.Context, name, status string, timeHasPassed time.Duration) error
- func (w *OktaWrapper) UpdateOktaImportRule(ctx context.Context, importRule types.OktaImportRule) (types.OktaImportRule, error)
- func (w *OktaWrapper) UpdateUser(ctx context.Context, user types.User) (types.User, error)
- func (w *OktaWrapper) UpdateUserGroup(ctx context.Context, userGroup types.UserGroup) error
- type PassCreds
- type PolicyOptions
- type PresetRoleManager
- type PresetUsers
- type ProcessStorage
- func (p *ProcessStorage) Close() error
- func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error
- func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*StateV2, error)
- func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)
- func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
- func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error
- type ProvisioningService
- type ProxyAccessPoint
- type ProxyWrapper
- type ReRegisterParams
- type ReadAppsAccessPoint
- type ReadDatabaseAccessPoint
- type ReadDiscoveryAccessPoint
- type ReadKubernetesAccessPoint
- type ReadNodeAccessPoint
- type ReadOktaAccessPoint
- type ReadProxyAccessPoint
- type ReadRemoteProxyAccessPoint
- type ReadWindowsDesktopAccessPoint
- type RegisterParams
- type RemoteProxyAccessPoint
- type RemoteProxyWrapper
- type RotateRequest
- type SAMLAuthRawResponse
- type SAMLAuthRequest
- type SAMLAuthResponse
- type SAMLService
- type SSHLoginResponse
- type SSODiagContext
- type SSODiagService
- type SSODiagServiceFunc
- type Server
- func (a *Server) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
- func (a *Server) AugmentContextUserCertificates(ctx context.Context, authCtx *authz.Context, opts *AugmentUserCertificateOpts) (*proto.Certs, error)
- func (a *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (a *Server) AuthenticateUser(ctx context.Context, req AuthenticateUserRequest) (services.UserState, services.AccessChecker, error)
- func (a *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (a *Server) CallLoginHooks(ctx context.Context, user types.User) error
- func (a *Server) ChangePassword(ctx context.Context, req *proto.ChangePasswordRequest) error
- func (a *Server) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
- func (a *Server) Close() error
- func (a *Server) CloseContext() context.Context
- func (a *Server) CompareAndSwapHeadlessAuthentication(ctx context.Context, old, new *types.HeadlessAuthentication) (*types.HeadlessAuthentication, error)
- func (a *Server) CompareAndSwapUser(ctx context.Context, new, existing types.User) error
- func (a *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
- func (a *Server) CreateAccessRequestV2(ctx context.Context, req types.AccessRequest, identity tlsca.Identity) (types.AccessRequest, error)
- func (a *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *Server) CreateApp(ctx context.Context, app types.Application) error
- func (a *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, ...) (types.WebSession, error)
- func (a *Server) CreateAssistantConversation(ctx context.Context, req *assist.CreateAssistantConversationRequest) (*assist.CreateAssistantConversationResponse, error)
- func (a *Server) CreateAssistantMessage(ctx context.Context, msg *assist.CreateAssistantMessageRequest) error
- func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
- func (a *Server) CreateDatabase(ctx context.Context, database types.Database) error
- func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (a *Server) CreateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error
- func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (a *Server) CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
- func (a *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (a *Server) CreateRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (a *Server) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *Server) CreateSAMLIdPSession(ctx context.Context, req types.CreateSAMLIdPSessionRequest, ...) (types.WebSession, error)
- func (a *Server) CreateSessionCert(user services.UserState, sessionTTL time.Duration, publicKey []byte, ...) ([]byte, []byte, error)
- func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
- func (a *Server) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest, ...) (types.WebSession, error)
- func (a *Server) CreateUser(ctx context.Context, user types.User) (types.User, error)
- func (a *Server) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (a *Server) CreateWebSessionFromReq(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
- func (a *Server) CreateWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
- func (a *Server) DeleteAccessRequest(ctx context.Context, name string) error
- func (a *Server) DeleteApp(ctx context.Context, name string) error
- func (a *Server) DeleteAssistantConversation(ctx context.Context, request *assist.DeleteAssistantConversationRequest) error
- func (a *Server) DeleteDatabase(ctx context.Context, name string) error
- func (a *Server) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (a *Server) DeleteLock(ctx context.Context, lockName string) error
- func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
- func (a *Server) DeleteNamespace(namespace string) error
- func (a *Server) DeleteOIDCConnector(ctx context.Context, connectorName string) error
- func (a *Server) DeleteRemoteCluster(ctx context.Context, clusterName string) error
- func (a *Server) DeleteRole(ctx context.Context, name string) error
- func (a *Server) DeleteSAMLConnector(ctx context.Context, connectorID string) error
- func (a *Server) DeleteToken(ctx context.Context, token string) (err error)
- func (a *Server) DeleteTrustedCluster(ctx context.Context, name string) error
- func (a *Server) DeleteUser(ctx context.Context, user string) error
- func (a *Server) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
- func (a *Server) EmitAuditEvent(ctx context.Context, e apievents.AuditEvent) error
- func (a *Server) ExportUpgradeWindows(ctx context.Context, req proto.ExportUpgradeWindowsRequest) (proto.ExportUpgradeWindowsResponse, error)
- func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)
- func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (a *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
- func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)
- func (a *Server) GenerateExternalAuditStorageOIDCToken(ctx context.Context) (string, error)
- func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, ...) ([]byte, error)
- func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
- func (a *Server) GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)
- func (a *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
- func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)
- func (a *Server) GenerateUserTestCerts(req GenerateUserTestCertsRequest) ([]byte, []byte, error)
- func (a *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
- func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (a *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
- func (a *Server) GetAssistantConversations(ctx context.Context, request *assist.GetAssistantConversationsRequest) (*assist.GetAssistantConversationsResponse, error)
- func (a *Server) GetAssistantMessages(ctx context.Context, req *assist.GetAssistantMessagesRequest) (*assist.GetAssistantMessagesResponse, error)
- func (a *Server) GetClock() clockwork.Clock
- func (a *Server) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)
- func (a *Server) GetDomainName() (string, error)
- func (a *Server) GetEmitter() apievents.Emitter
- func (a *Server) GetHeadlessAuthenticationFromWatcher(ctx context.Context, username, name string) (*types.HeadlessAuthentication, error)
- func (a *Server) GetInventoryConnectedServiceCount(service types.SystemRole) uint64
- func (a *Server) GetInventoryConnectedServiceCounts() proto.InventoryConnectedServiceCounts
- func (a *Server) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
- func (a *Server) GetKeyStore() *keystore.Manager
- func (a *Server) GetLicense(ctx context.Context) (string, error)
- func (a *Server) GetLoginRuleEvaluator() loginrule.Evaluator
- func (a *Server) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
- func (a *Server) GetNodeStream(ctx context.Context, namespace string) stream.Stream[types.Server]
- func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)
- func (a *Server) GetUserOrLoginState(ctx context.Context, username string) (services.UserState, error)
- func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, ...) error
- func (a *Server) KeepAliveServer(ctx context.Context, h types.KeepAlive) error
- func (a *Server) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
- func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream
- func (a *Server) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
- func (a *Server) NewStream(ctx context.Context, watch types.Watch) (stream.Stream[types.Event], error)
- func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
- func (a *Server) Ping(ctx context.Context) (proto.PingResponse, error)
- func (a *Server) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
- func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)
- func (a *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (a *Server) ReconcileServerInfos(ctx context.Context) error
- func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error
- func (a *Server) RegisterLoginHook(hook LoginHook)
- func (a *Server) RegisterUsingAzureMethod(ctx context.Context, ...) (*proto.Certs, error)
- func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterIAMChallengeResponseFunc, ...) (*proto.Certs, error)
- func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (a *Server) ResetLoginHooks()
- func (a *Server) ResetPassword(ctx context.Context, username string) (string, error)
- func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (a *Server) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (a *Server) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
- func (a *Server) SetAuditLog(auditLog events.AuditLogSessionStreamer)
- func (a *Server) SetClock(clock clockwork.Clock)
- func (a *Server) SetEmitter(emitter apievents.Emitter)
- func (a *Server) SetHeadlessAuthenticationWatcher(headlessAuthenticationWatcher *local.HeadlessAuthenticationWatcher)
- func (a *Server) SetLicense(license *liblicense.License)
- func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)
- func (a *Server) SetLoginRuleEvaluator(l loginrule.Evaluator)
- func (a *Server) SetOIDCService(svc OIDCService)
- func (a *Server) SetReleaseService(svc release.Client)
- func (a *Server) SetSAMLService(svc SAMLService)
- func (a *Server) SetUnifiedResourcesCache(unifiedResourcesCache *services.UnifiedResourceCache)
- func (a *Server) SetUpgradeWindowStartHourGetter(fn func(context.Context) (int64, error))
- func (a *Server) SetUsageReporter(reporter usagereporter.UsageReporter)
- func (a *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
- func (a *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
- func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
- func (a *Server) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
- func (a *Server) UpdateApp(ctx context.Context, app types.Application) error
- func (a *Server) UpdateAssistantConversationInfo(ctx context.Context, msg *assist.UpdateAssistantConversationInfoRequest) error
- func (a *Server) UpdateDatabase(ctx context.Context, database types.Database) error
- func (a *Server) UpdateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error
- func (a *Server) UpdateLabels(ctx context.Context, req proto.InventoryUpdateLabelsRequest) error
- func (a *Server) UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *Server) UpdateRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *Server) UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *Server) UpdateUser(ctx context.Context, user types.User) (types.User, error)
- func (a *Server) UpdateWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
- func (a *Server) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
- func (a *Server) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
- func (a *Server) UpsertHeadlessAuthenticationStub(ctx context.Context, username string) error
- func (a *Server) UpsertKubernetesServer(ctx context.Context, server types.KubeServer) (*types.KeepAlive, error)
- func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error
- func (a *Server) UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error)
- func (a *Server) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *Server) UpsertRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *Server) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (newTrustedCluster types.TrustedCluster, returnErr error)
- func (a *Server) UpsertUser(ctx context.Context, user types.User) (types.User, error)
- func (a *Server) UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
- func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (a *Server) ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, ...) (*types.MFADevice, string, error)
- func (a *Server) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
- func (a *Server) ValidateToken(ctx context.Context, token string) (types.ProvisionToken, error)
- func (a *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
- func (a *Server) WithUserLock(ctx context.Context, username string, authenticateFn func() error) error
- type ServerOption
- type ServerWithRoles
- func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
- func (a *ServerWithRoles) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
- func (a *ServerWithRoles) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
- func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
- func (a *ServerWithRoles) ChangePassword(ctx context.Context, req *proto.ChangePasswordRequest) error
- func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
- func (a *ServerWithRoles) ClearAlertAcks(ctx context.Context, req proto.ClearAlertAcksRequest) error
- func (a *ServerWithRoles) Close() error
- func (a *ServerWithRoles) CloseContext() context.Context
- func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
- func (a *ServerWithRoles) CompareAndSwapUser(ctx context.Context, new, existing types.User) error
- func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
- func (a *ServerWithRoles) CreateAccessRequestV2(ctx context.Context, req types.AccessRequest) (types.AccessRequest, error)
- func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *ServerWithRoles) CreateAlertAck(ctx context.Context, ack types.AlertAcknowledgement) error
- func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error
- func (a *ServerWithRoles) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
- func (a *ServerWithRoles) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
- func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
- func (a *ServerWithRoles) CreateDatabase(ctx context.Context, database types.Database) error
- func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (a *ServerWithRoles) CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- func (a *ServerWithRoles) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)
- func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (a *ServerWithRoles) CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (a *ServerWithRoles) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
- func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error
- func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (a *ServerWithRoles) CreateRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (a *ServerWithRoles) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *ServerWithRoles) CreateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) (err error)
- func (a *ServerWithRoles) CreateSAMLIdPSession(ctx context.Context, req types.CreateSAMLIdPSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
- func (a *ServerWithRoles) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error
- func (a *ServerWithRoles) CreateUserGroup(ctx context.Context, userGroup types.UserGroup) error
- func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllAuthServers() error
- func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllDatabaseServices(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllIntegrations(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllProxies() error
- func (a *ServerWithRoles) DeleteAllRemoteClusters() error
- func (a *ServerWithRoles) DeleteAllSAMLIdPServiceProviders(ctx context.Context) (err error)
- func (a *ServerWithRoles) DeleteAllSAMLIdPSessions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllServerInfos(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllTunnelConnections() error
- func (a *ServerWithRoles) DeleteAllUserGroups(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error
- func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error
- func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
- func (a *ServerWithRoles) DeleteAuthServer(name string) error
- func (a *ServerWithRoles) DeleteClusterMaintenanceConfig(ctx context.Context) error
- func (a *ServerWithRoles) DeleteClusterName() error
- func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
- func (a *ServerWithRoles) DeleteDatabaseService(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteIntegration(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error
- func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
- func (a *ServerWithRoles) DeleteNamespace(name string) error
- func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error
- func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteProxy(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteRemoteCluster(ctx context.Context, clusterName string) error
- func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error
- func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteSAMLIdPServiceProvider(ctx context.Context, name string) (err error)
- func (a *ServerWithRoles) DeleteSAMLIdPSession(ctx context.Context, req types.DeleteSAMLIdPSessionRequest) error
- func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error
- func (a *ServerWithRoles) DeleteServerInfo(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error
- func (a *ServerWithRoles) DeleteStaticTokens() error
- func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error
- func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
- func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error
- func (a *ServerWithRoles) DeleteUIConfig(ctx context.Context) error
- func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
- func (a *ServerWithRoles) DeleteUserGroup(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteUserSAMLIdPSessions(ctx context.Context, username string) error
- func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
- func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error
- func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error
- func (a *ServerWithRoles) Export(ctx context.Context, req *collectortracev1.ExportTraceServiceRequest) (*collectortracev1.ExportTraceServiceResponse, error)
- func (a *ServerWithRoles) ExportUpgradeWindows(ctx context.Context, req proto.ExportUpgradeWindowsRequest) (proto.ExportUpgradeWindowsResponse, error)
- func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
- func (a *ServerWithRoles) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
- func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)
- func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
- func (a *ServerWithRoles) GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, ...) ([]byte, error)
- func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)
- func (a *ServerWithRoles) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
- func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
- func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (a *ServerWithRoles) GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
- func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
- func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
- func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)
- func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)
- func (a *ServerWithRoles) GetAlertAcks(ctx context.Context) ([]types.AlertAcknowledgement, error)
- func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)
- func (a *ServerWithRoles) GetAppServersAndSAMLIdPServiceProviders(ctx context.Context, namespace string) ([]types.AppServerOrSAMLIdPServiceProvider, error)
- func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
- func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)
- func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
- func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)
- func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
- func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
- func (a *ServerWithRoles) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)
- func (a *ServerWithRoles) GetClusterMaintenanceConfig(ctx context.Context) (types.ClusterMaintenanceConfig, error)
- func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
- func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
- func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)
- func (a *ServerWithRoles) GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)
- func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.Database, error)
- func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
- func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error)
- func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)
- func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)
- func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
- func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
- func (a *ServerWithRoles) GetHeadlessAuthentication(ctx context.Context, name string) (*types.HeadlessAuthentication, error)
- func (a *ServerWithRoles) GetHeadlessAuthenticationFromWatcher(ctx context.Context, name string) (*types.HeadlessAuthentication, error)
- func (a *ServerWithRoles) GetInstaller(ctx context.Context, name string) (types.Installer, error)
- func (a *ServerWithRoles) GetInstallers(ctx context.Context) ([]types.Installer, error)
- func (a *ServerWithRoles) GetInstances(ctx context.Context, filter types.InstanceFilter) stream.Stream[types.Instance]
- func (a *ServerWithRoles) GetIntegration(ctx context.Context, name string) (types.Integration, error)
- func (a *ServerWithRoles) GetInventoryConnectedServiceCounts() (proto.InventoryConnectedServiceCounts, error)
- func (a *ServerWithRoles) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
- func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
- func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)
- func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
- func (a *ServerWithRoles) GetLicense(ctx context.Context) (string, error)
- func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock, error)
- func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
- func (a *ServerWithRoles) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
- func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)
- func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)
- func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
- func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)
- func (a *ServerWithRoles) GetNodeStream(ctx context.Context, namespace string) stream.Stream[types.Server]
- func (a *ServerWithRoles) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
- func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
- func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
- func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
- func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
- func (a *ServerWithRoles) GetProxies() ([]types.Server, error)
- func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (a *ServerWithRoles) GetResetPasswordToken(ctx context.Context, tokenID string) (types.UserToken, error)
- func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
- func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
- func (a *ServerWithRoles) GetRole(ctx context.Context, name string) (types.Role, error)
- func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error)
- func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)
- func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
- func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
- func (a *ServerWithRoles) GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)
- func (a *ServerWithRoles) GetSAMLIdPSession(ctx context.Context, req types.GetSAMLIdPSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetSSHTargets(ctx context.Context, req *proto.GetSSHTargetsRequest) (*proto.GetSSHTargetsResponse, error)
- func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
- func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)
- func (a *ServerWithRoles) GetServerInfo(ctx context.Context, name string) (types.ServerInfo, error)
- func (a *ServerWithRoles) GetServerInfos(ctx context.Context) stream.Stream[types.ServerInfo]
- func (a *ServerWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)
- func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
- func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
- func (a *ServerWithRoles) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)
- func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)
- func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
- func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
- func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)
- func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)
- func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (a *ServerWithRoles) GetUIConfig(ctx context.Context) (types.UIConfig, error)
- func (a *ServerWithRoles) GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
- func (a *ServerWithRoles) GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
- func (a *ServerWithRoles) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (a *ServerWithRoles) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
- func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
- func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
- func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
- func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
- func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.KeepAlive) error
- func (a *ServerWithRoles) ListAppSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
- func (a *ServerWithRoles) ListIntegrations(ctx context.Context, pageSize int, nextKey string) ([]types.Integration, string, error)
- func (a *ServerWithRoles) ListReleases(ctx context.Context) ([]*types.Release, error)
- func (a *ServerWithRoles) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
- func (a *ServerWithRoles) ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextToken string) ([]types.SAMLIdPServiceProvider, string, error)
- func (a *ServerWithRoles) ListSAMLIdPSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
- func (a *ServerWithRoles) ListUnifiedResources(ctx context.Context, req *proto.ListUnifiedResourcesRequest) (*proto.ListUnifiedResourcesResponse, error)
- func (a *ServerWithRoles) ListUserGroups(ctx context.Context, pageSize int, nextToken string) ([]types.UserGroup, string, error)
- func (a *ServerWithRoles) MaintainHeadlessAuthenticationStub(ctx context.Context) error
- func (a *ServerWithRoles) NewStream(ctx context.Context, watch types.Watch) (stream.Stream[types.Event], error)
- func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
- func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)
- func (a *ServerWithRoles) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
- func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)
- func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) (proto.UpstreamInventoryHello, error)
- func (a *ServerWithRoles) RegisterUsingAzureMethod(ctx context.Context, ...) (*proto.Certs, error)
- func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterIAMChallengeResponseFunc) (*proto.Certs, error)
- func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error
- func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
- func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error
- func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error
- func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error
- func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
- func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (a *ServerWithRoles) SearchEvents(ctx context.Context, req events.SearchEventsRequest) (outEvents []apievents.AuditEvent, lastKey string, err error)
- func (a *ServerWithRoles) SearchSessionEvents(ctx context.Context, req events.SearchSessionEventsRequest) (outEvents []apievents.AuditEvent, lastKey string, err error)
- func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
- func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error
- func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error
- func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error
- func (a *ServerWithRoles) SetInstaller(ctx context.Context, inst types.Installer) error
- func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error
- func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error
- func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error
- func (a *ServerWithRoles) SetUIConfig(ctx context.Context, uic types.UIConfig) error
- func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
- func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
- func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
- func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, submission types.AccessReviewSubmission) (types.AccessRequest, error)
- func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
- func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error
- func (a *ServerWithRoles) UpdateClusterMaintenanceConfig(ctx context.Context, cmc types.ClusterMaintenanceConfig) error
- func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
- func (a *ServerWithRoles) UpdateDatabase(ctx context.Context, database types.Database) error
- func (a *ServerWithRoles) UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- func (a *ServerWithRoles) UpdateHeadlessAuthenticationState(ctx context.Context, name string, state types.HeadlessAuthenticationState, ...) error
- func (a *ServerWithRoles) UpdateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)
- func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (a *ServerWithRoles) UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
- func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error
- func (a *ServerWithRoles) UpdateRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *ServerWithRoles) UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *ServerWithRoles) UpdateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) (err error)
- func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error
- func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) (types.User, error)
- func (a *ServerWithRoles) UpdateUserGroup(ctx context.Context, userGroup types.UserGroup) error
- func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertAuthServer(ctx context.Context, s types.Server) error
- func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
- func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error
- func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertDatabaseService(ctx context.Context, service types.DatabaseService) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
- func (a *ServerWithRoles) UpsertHeadlessAuthenticationStub(ctx context.Context) error
- func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error
- func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error
- func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
- func (a *ServerWithRoles) UpsertProxy(ctx context.Context, s types.Server) error
- func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error
- func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) (types.Role, error)
- func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
- func (a *ServerWithRoles) UpsertServerInfo(ctx context.Context, si types.ServerInfo) error
- func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error
- func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)
- func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error
- func (a *ServerWithRoles) UpsertUser(ctx context.Context, u types.User) (types.User, error)
- func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)
- func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
- func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
- func (a *ServerWithRoles) WatchPendingHeadlessAuthentications(ctx context.Context) (types.Watcher, error)
- func (a *ServerWithRoles) WebSessions() types.WebSessionInterface
- func (a *ServerWithRoles) WebTokens() types.WebTokenInterface
- type Services
- func (r *Services) AccessListClient() services.AccessLists
- func (r *Services) DiscoveryConfigClient() services.DiscoveryConfigs
- func (r *Services) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
- func (r *Services) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (r *Services) OktaClient() services.Okta
- func (r *Services) SecReportsClient() *secreport.Client
- func (r *Services) UserLoginStateClient() services.UserLoginStates
- type SessionAccessContext
- type SessionAccessEvaluator
- func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.SessionParticipantMode
- func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)
- func (e *SessionAccessEvaluator) IsModerated() bool
- func (e *SessionAccessEvaluator) PrettyRequirementsList() string
- type SessionCreds
- type SnowflakeSessionWatcher
- type StateSpecV2
- type StateV2
- type TLSServer
- type TLSServerConfig
- type TestAuthServer
- func (a *TestAuthServer) Clock() clockwork.Clock
- func (a *TestAuthServer) Close() error
- func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
- func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
- func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
- func (a *TestAuthServer) NewTestTLSServer(opts ...TestTLSServerOption) (*TestTLSServer, error)
- func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error
- type TestAuthServerConfig
- type TestDevice
- type TestDeviceOpt
- type TestIdentity
- func TestAdmin() TestIdentity
- func TestBuiltin(role types.SystemRole) TestIdentity
- func TestNop() TestIdentity
- func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity
- func TestRenewableUser(username string, generation uint64) TestIdentity
- func TestServerID(role types.SystemRole, serverID string) TestIdentity
- func TestUser(username string) TestIdentity
- func TestUserWithDeviceExtensions(username string, exts tlsca.DeviceExtensions) TestIdentity
- type TestServer
- type TestServerConfig
- type TestTLSServer
- func (t *TestTLSServer) Addr() net.Addr
- func (t *TestTLSServer) Auth() *Server
- func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
- func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
- func (t *TestTLSServer) Clock() clockwork.Clock
- func (t *TestTLSServer) CloneClient(tt *testing.T, clt *Client) *Client
- func (t *TestTLSServer) Close() error
- func (t *TestTLSServer) ClusterName() string
- func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
- func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)
- func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client
- func (t *TestTLSServer) Shutdown(ctx context.Context) error
- func (t *TestTLSServer) Start() error
- func (t *TestTLSServer) Stop() error
- type TestTLSServerConfig
- type TestTLSServerOption
- type TransportCredentials
- type TransportCredentialsConfig
- type TrustedCerts
- type UserGetter
- type ValidateOIDCAuthCallbackReq
- type ValidateSAMLResponseReq
- type ValidateTrustedClusterRequest
- type ValidateTrustedClusterRequestRaw
- type ValidateTrustedClusterResponse
- type ValidateTrustedClusterResponseRaw
- type WatchEvent
- type Watcher
- type WebService
- type WebSessionReq
- type WindowsDesktopAccessPoint
- type WindowsDesktopWrapper
Constants ¶
const (
	// MaxFailedAttemptsFromStartRecoveryErrMsg is a user friendly error message to try again later.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromStartRecoveryErrMsg = "you have reached max attempts, please try again later"
	// MaxFailedAttemptsFromVerifyRecoveryErrMsg is a user friendly error message to start over.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromVerifyRecoveryErrMsg = "too many incorrect attempts, please start over with a new recovery code"
)
const (
	ErrFieldKeyUserMaxedAttempts = "maxed-attempts"
	// MaxFailedAttemptsErrMsg is a user friendly error message that tells a user that they are locked.
	MaxFailedAttemptsErrMsg = "too many incorrect attempts, please try again later"
)
const (
	OSSDesktopsCheckPeriod  = 5 * time.Minute
	OSSDesktopsAlertID      = "oss-desktops"
	OSSDesktopsAlertMessage = "Your cluster is beyond its allocation of 5 non-Active Directory Windows desktops. " +
		"Reach out for unlimited desktops with Teleport Enterprise."
	OSSDesktopAlertLink = "https://goteleport.com/r/upgrade-community?utm_campaign=CTA_windows_local"
	OSSDesktopsLimit    = 5
)
const (
	// BearerTokenTTL specifies how long a standard bearer token exists before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute
	// TokenLenBytes is the length in bytes of the invite token
	TokenLenBytes = 16
	// RecoveryTokenLenBytes is the length in bytes of a user token for recovery.
	RecoveryTokenLenBytes = 32
	// SessionTokenBytes is the number of bytes of a web or application session token.
	SessionTokenBytes = 32
)
const (
	// CurrentVersion is a current API version
	CurrentVersion = types.V2
	// MissingNamespaceError indicates that the client failed to
	// provide the namespace in the request.
	MissingNamespaceError = "missing required parameter: namespace"
)
const (
	// GithubAuthPath is the GitHub authorization endpoint
	GithubAuthPath = "login/oauth/authorize"
	// GithubTokenPath is the GitHub token exchange endpoint
	GithubTokenPath = "login/oauth/access_token"
	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
const (
	// TeleportImpersonateUserHeader is a header that specifies the teleport user identity
	// that the proxy is impersonating.
	TeleportImpersonateUserHeader = "Teleport-Impersonate-User"
	// TeleportImpersonateIPHeader is a header that specifies the real user IP address.
	TeleportImpersonateIPHeader = "Teleport-Impersonate-IP"
)
const (
	// IdentityCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity credentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
const (
	// UserTokenTypeResetPasswordInvite is a token type used for the UI invite flow that
	// allows users to change their password and set second factor (if enabled).
	UserTokenTypeResetPasswordInvite = "invite"
	// UserTokenTypeResetPassword is a token type used for the UI flow where user
	// re-sets their password and second factor (if enabled).
	UserTokenTypeResetPassword = "password"
	// UserTokenTypeRecoveryStart describes a recovery token issued to users who
	// successfully verified their recovery code.
	UserTokenTypeRecoveryStart = "recovery_start"
	// UserTokenTypeRecoveryApproved describes a recovery token issued to users who
	// successfully verified their second auth credential (either password or a second factor) and
	// can now start changing their password or add a new second factor device.
	// This token is also used to allow users to delete existing second factor devices
	// and retrieve their new set of recovery codes as part of the recovery flow.
	UserTokenTypeRecoveryApproved = "recovery_approved"
	// UserTokenTypePrivilege describes a token type that grants access to a privileged action
	// that requires users to re-authenticate with their second factor while logged in. This
	// token is issued to users who have successfully re-authenticated.
	UserTokenTypePrivilege = "privilege"
	// UserTokenTypePrivilegeException describes a token type that allows a user to bypass
	// second factor re-authentication which in other cases would be required, e.g.
	// allowing a user to add an MFA device if they don't have any registered.
	UserTokenTypePrivilegeException = "privilege_exception"
)
const LicenseExpiredNotification = "licenseExpired"
LicenseExpiredNotification defines a license expired notification
const TokenExpiredOrNotFound = "token expired or not found"
TokenExpiredOrNotFound is a special message returned by the auth server when provisioning tokens are either past their TTL, or could not be found.
Variables ¶
var ErrDone = errors.New("done iterating")
ErrDone indicates that resource iteration is complete
var ErrGithubNoTeams = trace.BadParameter("user does not belong to any teams configured in connector; the configuration may have typos.")
ErrGithubNoTeams results from a github user not belonging to any teams.
var ErrNoMFADevices = trace.AccessDenied("MFA is required to access this resource but user has no MFA devices; use 'tsh mfa add' to register MFA devices")
ErrNoMFADevices is returned when an MFA ceremony is performed without possible devices to complete the challenge with.
var ErrRequiresEnterprise = services.ErrRequiresEnterprise
var ErrSAMLRequiresEnterprise = trace.AccessDenied("SAML is only available in Teleport Enterprise")
ErrSAMLRequiresEnterprise is the error returned by the SAML methods when not using the Enterprise edition of Teleport.
TODO(zmb3): ideally we would wrap ErrRequiresEnterprise here, but we can't currently propagate wrapped errors across the gRPC boundary, and we want tctl to display a clean user-facing message in this case
var GithubScopes = []string{
"read:org",
}
GithubScopes is a list of scopes requested during OAuth2 flow
var MinSupportedModeratedSessionsVersion = semver.New(utils.VersionBeforeAlpha("9.0.0"))
var ResourceApplyPriority = map[string]int{
	types.KindRole:                    1,
	types.KindUser:                    2,
	types.KindToken:                   3,
	types.KindClusterNetworkingConfig: 3,
	types.KindClusterAuthPreference:   3,
	types.KindBot:                     3,
}
ResourceApplyPriority specifies the order in which resources must be applied to avoid consistency issues: a resource with a lower priority value is applied before one with a higher value, so roles exist before the users that reference them, and users exist before tokens, networking config, auth preference and bots.
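The following is an added example, not code from the Teleport lib/auth package, showing why the ordering matters: a stable sort by ResourceApplyPriority followed by a toy backend that refuses to create a user or bot whose roles do not exist yet. The kind string values, the Resource type and the store are assumptions made for this example; the priority table itself is copied from above.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource kinds used in this example. The string values are assumptions; the
// page refers to them as constants such as types.KindRole.
const (
	KindRole                    = "role"
	KindUser                    = "user"
	KindToken                   = "token"
	KindClusterNetworkingConfig = "cluster_networking_config"
	KindClusterAuthPreference   = "cluster_auth_preference"
	KindBot                     = "bot"
)

// ResourceApplyPriority copies the ordering table from this page.
var ResourceApplyPriority = map[string]int{
	KindRole:                    1,
	KindUser:                    2,
	KindToken:                   3,
	KindClusterNetworkingConfig: 3,
	KindClusterAuthPreference:   3,
	KindBot:                     3,
}

// Resource is a minimal stand-in for a Teleport resource; Roles is only
// meaningful for users and bots, which reference roles by name.
type Resource struct {
	Kind  string
	Name  string
	Roles []string
}

// applyOrder returns a copy of in sorted by priority, lowest first. The sort is
// stable, so resources of equal priority keep the order the operator listed them
// in. A kind absent from the table yields 0 from the map lookup and therefore
// sorts before roles; this example keeps plain Go map semantics for that case.
func applyOrder(in []Resource) []Resource {
	out := make([]Resource, len(in))
	copy(out, in)
	sort.SliceStable(out, func(i, j int) bool {
		return ResourceApplyPriority[out[i].Kind] < ResourceApplyPriority[out[j].Kind]
	})
	return out
}

// store is a toy backend (constructed for this example) that enforces one
// referential rule: a user or bot may only be created once every role it lists
// exists. Applying out of order therefore fails part-way and leaves a partially
// applied configuration behind.
type store struct{ roles map[string]bool }

func (s *store) apply(r Resource) error {
	switch r.Kind {
	case KindRole:
		s.roles[r.Name] = true
	case KindUser, KindBot:
		for _, role := range r.Roles {
			if !s.roles[role] {
				return fmt.Errorf("%s %q references missing role %q", r.Kind, r.Name, role)
			}
		}
	}
	return nil
}

// applyAll applies the resources, sorted by priority when sortFirst is true,
// and reports how many were applied before the first error.
func applyAll(rs []Resource, sortFirst bool) (int, error) {
	if sortFirst {
		rs = applyOrder(rs)
	}
	s := &store{roles: map[string]bool{}}
	for i, r := range rs {
		if err := s.apply(r); err != nil {
			return i, err
		}
	}
	return len(rs), nil
}

func main() {
	// Operator-supplied manifest in file order (constructed sample).
	manifest := []Resource{
		{Kind: KindToken, Name: "join-token"},
		{Kind: KindUser, Name: "alice", Roles: []string{"editor"}},
		{Kind: KindBot, Name: "ci", Roles: []string{"editor"}},
		{Kind: KindRole, Name: "editor"},
	}
	n, err := applyAll(manifest, false)
	fmt.Printf("unsorted: applied %d, err=%v\n", n, err)
	n, err = applyAll(manifest, true)
	fmt.Printf("sorted:   applied %d, err=%v\n", n, err)
}
```

Applied in file order the manifest stops at the user, with the token already written; applied in priority order all four resources succeed. The stable sort matters for kinds sharing priority 3: the operator's ordering between, say, two tokens is preserved rather than shuffled.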
var (
	// UserLoginCount counts user logins
	UserLoginCount = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: teleport.MetricUserLoginCount,
			Help: "Number of times there was a user login",
		},
	)
)
Functions ¶
func AuthorizeAccessReviewRequest ¶
func AuthorizeAccessReviewRequest(context authz.Context, params types.AccessReviewSubmission) error
AuthorizeAccessReviewRequest checks if the current user is allowed to submit the given access review request.
func CertAuthorityInfo ¶
func CertAuthorityInfo(ca types.CertAuthority) string
CertAuthorityInfo returns debugging information about certificate authority
func CertInfo ¶
func CertInfo(cert *x509.Certificate) string
CertInfo returns diagnostic information about certificate
func ClientCertPool ¶
func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)
ClientCertPool returns trusted x509 certificate authority pool with CAs provided as caTypes. In addition, it returns the total length of all subjects added to the cert pool, allowing the caller to validate that the pool doesn't exceed the maximum 2-byte length prefix before using it.
func ClientParamIdleConnTimeout ¶
func ClientParamIdleConnTimeout(timeout time.Duration) roundtrip.ClientParam
ClientParamIdleConnTimeout sets idle connection header timeout of the HTTP transport used by the client.
func ClientParamResponseHeaderTimeout ¶
func ClientParamResponseHeaderTimeout(timeout time.Duration) roundtrip.ClientParam
ClientParamResponseHeaderTimeout sets response header timeout of the HTTP transport used by the client.
func ClientParamTimeout ¶
func ClientParamTimeout(timeout time.Duration) roundtrip.ClientParam
ClientParamTimeout sets the request timeout of the HTTP transport used by the client.
func ContainsSessionKind ¶
func ContainsSessionKind(s []string, e types.SessionKind) bool
func CreateAccessPluginUser ¶
CreateAccessPluginUser creates a user with list/read abilities for access requests, and list/read/update abilities for access plugin data.
func CreateRole ¶
func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV6) (types.Role, error)
CreateRole creates a role without assigning any users. Used in tests.
func CreateUser ¶
func CreateUser(ctx context.Context, clt clt, username string, roles ...types.Role) (types.User, error)
CreateUser creates user and role and assigns role to a user, used in tests
func CreateUserAndRole ¶
func CreateUserAndRole(clt clt, username string, allowedLogins []string, allowRules []types.Rule) (types.User, types.Role, error)
CreateUserAndRole creates a user and a role and assigns the role to the user; used in tests. If allowRules is nil, the role has admin privileges. If allowRules is non-nil, the rules associated with the role are replaced with those specified.
func CreateUserAndRoleWithoutRoles ¶
func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests
func CreateUserRoleAndRequestable ¶
CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.
func DefaultClientCertPool ¶
DefaultClientCertPool returns default trusted x509 certificate authority pool.
func DefaultDNSNamesForRole ¶
func DefaultDNSNamesForRole(role types.SystemRole) []string
DefaultDNSNamesForRole returns default DNS names for the specified role.
func ExtractHostID ¶
ExtractHostID returns host id based on the hostname
func GetPresetRoles ¶
GetPresetRoles returns a list of all preset roles expected to be available on this cluster.
func HasBuiltinRole ¶
HasBuiltinRole checks if the identity is a builtin role with the matching name. Deprecated: use authz.HasBuiltinRole instead.
func HasRemoteBuiltinRole ¶
HasRemoteBuiltinRole checks if the identity is a remote builtin role with the matching name.
func IdentityForwardingHeaders ¶
func IdentityForwardingHeaders(ctx context.Context, originalHeaders http.Header) (http.Header, error)
IdentityForwardingHeaders returns a copy of the provided headers with the TeleportImpersonateUserHeader and TeleportImpersonateIPHeader headers set to the identity provided. The returned headers shouldn't be reused across requests, as they contain the client's IP address and the user's identity.
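An added example, not code from the Teleport lib/auth package, showing both sides of the impersonation headers described above: the forwarding side deep-copies the header map before setting the two headers, and the receiving side only honours them when the caller has been authenticated as the proxy. The header names are the constants listed on this page; the function names, the callerIsProxy flag and the sample values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
)

// Header names as listed on this page.
const (
	TeleportImpersonateUserHeader = "Teleport-Impersonate-User"
	TeleportImpersonateIPHeader   = "Teleport-Impersonate-IP"
)

var errUntrustedImpersonation = errors.New("impersonation headers from a caller that is not the proxy")

// identityForwardingHeaders returns a deep copy of orig with the impersonated
// user and the client's real IP set. Clone matters: http.Header values are
// slices, so assigning the map would let later edits leak into orig. The result
// is bound to one client and one request and must not be cached or reused.
func identityForwardingHeaders(orig http.Header, user, clientIP string) (http.Header, error) {
	if user == "" {
		return nil, errors.New("empty impersonated user")
	}
	if net.ParseIP(clientIP) == nil {
		return nil, fmt.Errorf("client IP %q is not a valid IP address", clientIP)
	}
	h := orig.Clone()
	if h == nil { // Clone of a nil header is nil
		h = http.Header{}
	}
	h.Set(TeleportImpersonateUserHeader, user)
	h.Set(TeleportImpersonateIPHeader, clientIP)
	return h, nil
}

// acceptForwardedIdentity is the receiving side's check. callerIsProxy must be
// derived from the mTLS identity of the connection, never from the request
// itself. Impersonation headers arriving from any other caller are treated as a
// spoofing attempt: the request is rejected outright rather than silently
// stripped, so the event is visible instead of lost.
func acceptForwardedIdentity(h http.Header, callerIsProxy bool) (user, clientIP string, err error) {
	user = h.Get(TeleportImpersonateUserHeader)
	clientIP = h.Get(TeleportImpersonateIPHeader)
	if user == "" && clientIP == "" {
		return "", "", nil // no impersonation requested; use the caller's own identity
	}
	if !callerIsProxy {
		return "", "", errUntrustedImpersonation
	}
	if user == "" || net.ParseIP(clientIP) == nil {
		return "", "", errors.New("incomplete or malformed impersonation headers")
	}
	return user, clientIP, nil
}

func main() {
	orig := http.Header{"Accept": {"application/json"}}
	// Constructed sample values.
	fwd, err := identityForwardingHeaders(orig, "alice", "203.0.113.7")
	if err != nil {
		panic(err)
	}
	user, ip, err := acceptForwardedIdentity(fwd, true)
	fmt.Println("from proxy:", user, ip, err)
	_, _, err = acceptForwardedIdentity(fwd, false)
	fmt.Println("from non-proxy:", err)
}
```

The check a practitioner wants is the second function: any service that reads these headers must tie trust to the connection's authenticated identity, because a caller that can set arbitrary headers would otherwise be able to choose which user it acts as and which IP the audit log records.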
func IsInvalidLocalCredentialError ¶
IsInvalidLocalCredentialError checks if an error resulted from an incorrect username, password, or second factor.
func MFARequiredToBool ¶
func MFARequiredToBool(m proto.MFARequired) (required bool)
MFARequiredToBool translates a [proto.MFARequired] value to a simple "required bool".
func NewAPIServer ¶
NewAPIServer returns a new instance of APIServer HTTP handler
func PrivateKeyToPublicKeyTLS ¶
PrivateKeyToPublicKeyTLS gets the TLS public key from a raw private key.
func Register ¶
func Register(params RegisterParams) (*proto.Certs, error)
Register is used to generate host keys when a node or proxy is running on a different host than the auth server. This method requires provisioning tokens to prove that a valid auth server was used to issue the joining request, as well as a method for the node to validate the auth server.
func RoleSupportsModeratedSessions ¶
RoleSupportsModeratedSessions checks if the role version is V5 or higher; V5 is the version in which moderated session support was introduced.
func TLSCertInfo ¶
func TLSCertInfo(cert *tls.Certificate) string
TLSCertInfo returns diagnostic information about certificate
func WaitForAppSession ¶
func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error
WaitForAppSession will block until the requested application session shows up in the cache or a timeout occurs.
func WaitForSnowflakeSession ¶
func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error
WaitForSnowflakeSession waits until the requested Snowflake session shows up in the cache or a timeout occurs.
func WatchEvents ¶
WatchEvents watches for events and streams them to the provided stream.
func WithClusterCAs ¶
func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, log logrus.FieldLogger) func(*tls.ClientHelloInfo) (*tls.Config, error)
WithClusterCAs returns a TLS hello callback that returns a copy of the provided TLS config with client CAs pool of the specified cluster.
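An added example, not code from the Teleport lib/auth package, that demonstrates the two contracts described for ClientCertPool and WithClusterCAs: building a client CA pool while summing the DER subject lengths so the caller can reject a pool that would overflow the 2-byte certificate_authorities length in a TLS CertificateRequest, and a GetConfigForClient callback that clones the base config and installs the pool for the cluster named in the SNI. The throwaway CAs, the "<cluster>.teleport" SNI convention and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
	"time"
)

// maxCASubjectBytes is the TLS limit on the certificate_authorities field of
// CertificateRequest: it carries a 2-byte length prefix, so the DER subjects of
// all client CAs together must fit in 65535 bytes.
const maxCASubjectBytes = math.MaxUint16

// newTestCA creates a throwaway self-signed CA certificate. Constructed for this
// example only; a deployment would load CAs from the cluster's trust store.
func newTestCA(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientCertPool follows the contract described for ClientCertPool: it builds a
// pool from CA certificates and also returns the summed length of their DER
// subjects, refusing a pool that could not be encoded in a CertificateRequest.
func clientCertPool(cas []*x509.Certificate) (*x509.CertPool, int64, error) {
	pool := x509.NewCertPool()
	var total int64
	for _, ca := range cas {
		if !ca.IsCA {
			return nil, 0, fmt.Errorf("%q is not a CA certificate", ca.Subject.CommonName)
		}
		pool.AddCert(ca)
		total += int64(len(ca.RawSubject))
	}
	if total > maxCASubjectBytes {
		return nil, total, errors.New("client CA subjects exceed the 2-byte TLS length limit")
	}
	return pool, total, nil
}

// withClusterCAs returns a tls.Config.GetConfigForClient callback that clones
// the base config and installs the ClientCAs pool of the cluster named in the
// SNI. The "<cluster>.teleport" SNI convention is an assumption of this example.
func withClusterCAs(base *tls.Config, pools map[string]*x509.CertPool, defaultCluster string) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cluster := defaultCluster
		if strings.HasSuffix(hello.ServerName, ".teleport") {
			if name := strings.TrimSuffix(hello.ServerName, ".teleport"); name != "" {
				cluster = name
			}
		}
		pool, ok := pools[cluster]
		if !ok {
			return nil, fmt.Errorf("no client CA pool for cluster %q", cluster)
		}
		cfg := base.Clone() // the shared base config must never be mutated mid-handshake
		cfg.ClientCAs = pool
		cfg.ClientAuth = tls.VerifyClientCertIfGiven
		return cfg, nil
	}
}

func main() {
	ca, err := newTestCA("root-cluster")
	if err != nil {
		panic(err)
	}
	pool, n, err := clientCertPool([]*x509.Certificate{ca})
	if err != nil {
		panic(err)
	}
	getConfig := withClusterCAs(&tls.Config{}, map[string]*x509.CertPool{"root-cluster": pool}, "root-cluster")
	cfg, err := getConfig(&tls.ClientHelloInfo{ServerName: "root-cluster.teleport"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("client CA subjects: %d bytes, pool installed: %v\n", n, cfg.ClientCAs == pool)
}
```

Two details are worth keeping when adapting this: the callback must hand back a clone, since tls.Config is shared across handshakes, and the subject-length check has to run when the pool is built, because an oversized pool only shows up later as handshake failures for every client of that listener.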
Types ¶
type APIConfig ¶
type APIConfig struct {
	PluginRegistry plugin.Registry
	AuthServer     *Server
	AuditLog       events.AuditLogSessionStreamer
	Authorizer     authz.Authorizer
	Emitter        apievents.Emitter
	// KeepAlivePeriod defines period between keep alives
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies amount of missed keep alives
	// to wait for until declaring connection as broken
	KeepAliveCount int
	// MetadataGetter retrieves additional metadata about session uploads.
	// Will be nil if audit logging is not enabled.
	MetadataGetter events.UploadMetadataGetter
}
func (*APIConfig) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default values
type APIServer ¶
type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}
APIServer implements the HTTP API server for the AuthServer interface
func (*APIServer) WithAuth ¶
func (s *APIServer) WithAuth(handler HandlerWithAuthFunc) httprouter.Handle
type AccessCache ¶
type AccessCache interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}
AccessCache is a subset of the interface working on the certificate authorities
type Announcer ¶
type Announcer interface {
	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)
	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(ctx context.Context, s types.Server) error
	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(ctx context.Context, s types.Server) error
	// UpsertKubernetesServer registers a kubernetes server
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)
	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)
	// UpsertDatabaseServer registers a database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)
	// UpsertWindowsDesktopService registers a Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)
	// UpsertWindowsDesktop registers a Windows desktop host.
	UpsertWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpsertDatabaseService registers a DatabaseService.
	UpsertDatabaseService(context.Context, types.DatabaseService) (*types.KeepAlive, error)
}
Announcer specifies interface responsible for announcing presence
type AppTestCertRequest ¶
type AppTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Username is the Teleport user name to sign certificate for.
	Username string
	// TTL is the test certificate validity period.
	TTL time.Duration
	// PublicAddr is the application public address. Used for routing.
	PublicAddr string
	// ClusterName is the name of the cluster application resides in. Used for routing.
	ClusterName string
	// SessionID is the optional session ID to encode. Used for routing.
	SessionID string
	// AWSRoleARN is optional AWS role ARN a user wants to assume to encode.
	AWSRoleARN string
	// AzureIdentity is the optional Azure identity a user wants to assume to encode.
	AzureIdentity string
	// GCPServiceAccount is optional GCP service account a user wants to assume to encode.
	GCPServiceAccount string
	// PinnedIP is optional IP to pin certificate to.
	PinnedIP string
	// LoginTrait is the login to include in the cert
	LoginTrait string
}
AppTestCertRequest combines parameters for generating a test app access cert.
type AppsAccessPoint ¶
type AppsAccessPoint interface {
	// ReadAppsAccessPoint provides methods to read data
	ReadAppsAccessPoint
	// contains filtered or unexported methods
}
AppsAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.
func NewAppsWrapper ¶
func NewAppsWrapper(base AppsAccessPoint, cache ReadAppsAccessPoint) AppsAccessPoint
type AppsWrapper ¶
type AppsWrapper struct {
	ReadAppsAccessPoint
	NoCache AppsAccessPoint
	// contains filtered or unexported fields
}
func (*AppsWrapper) Close ¶
func (w *AppsWrapper) Close() error
Close closes all associated resources
type AugmentUserCertificateOpts ¶
type AugmentUserCertificateOpts struct {
	// SSHAuthorizedKey is an SSH certificate, in the authorized key format, to
	// augment with opts.
	// The SSH certificate must be issued for the current authenticated user and
	// must match their TLS certificate.
	SSHAuthorizedKey []byte
	// DeviceExtensions are the device-aware extensions to add to the certificates
	// being augmented.
	DeviceExtensions *DeviceExtensions
}
AugmentUserCertificateOpts aggregates options for extending user certificates. See [AugmentContextUserCertificates].
type AuthenticateSSHRequest ¶
type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// TTL is a requested TTL for certificates to be issued
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
	RouteToCluster    string `json:"route_to_cluster"`
	// KubernetesCluster sets the target kubernetes cluster for the TLS
	// certificate. This can be empty on older clients.
	KubernetesCluster string `json:"kubernetes_cluster"`
	// AttestationStatement is an attestation statement associated with the given public key.
	AttestationStatement *keys.AttestationStatement `json:"attestation_statement,omitempty"`
}
AuthenticateSSHRequest is a request to authenticate SSH client user via CLI
func (*AuthenticateSSHRequest) CheckAndSetDefaults ¶
func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default certificate values
type AuthenticateUserRequest ¶
type AuthenticateUserRequest struct {
	// Username is a username
	Username string `json:"username"`
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// Webauthn is a signed credential assertion, used in MFA authentication
	Webauthn *wantypes.CredentialAssertionResponse `json:"webauthn,omitempty"`
	// OTP is a password and second factor, used for MFA authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
	// ClientMetadata includes forwarded information about a client
	ClientMetadata *ForwardedClientMetadata `json:"client_metadata,omitempty"`
	// HeadlessAuthenticationID is the ID for a headless authentication resource.
	HeadlessAuthenticationID string `json:"headless_authentication_id"`
}
AuthenticateUserRequest is a request to authenticate an interactive user.
func (*AuthenticateUserRequest) CheckAndSetDefaults ¶
func (a *AuthenticateUserRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type AzureParams ¶
type AzureParams struct {
	// ClientID is the client ID of the managed identity for Teleport to assume
	// when authenticating a node.
	ClientID string
}
AzureParams holds the parameters specific to the Azure join method.
type Cache ¶
type Cache interface {
	// Closer closes all the resources
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetReverseTunnels returns a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)
	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)
	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)
	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
	// GetUser returns a services.User for this cluster.
	GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
	// ListUsers returns a page of users.
	ListUsers(ctx context.Context, pageSize int, nextToken string, withSecrets bool) ([]types.User, string, error)
	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
	// GetSAMLIdPSession gets a SAML IdP session.
	GetSAMLIdPSession(context.Context, types.GetSAMLIdPSessionRequest) (types.WebSession, error)
	// GetWebSession gets a web session for the given request
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)
	// GetWebToken gets a web token for the given request
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)
	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)
	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	// GetWindowsDesktopServices returns windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a windows desktop service by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() (types.StaticTokens, error)
	// GetTokens returns all active (non-expired) provisioning tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
	// GetToken finds and returns token by ID
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
	// GetLock gets a lock by name.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLock(ctx context.Context, name string) (types.Lock, error)
	// GetLocks gets all/in-force locks that match at least one of the targets
	// when specified.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
	// ListResources returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
	// ListWindowsDesktops returns a paginated list of windows desktops.
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	// ListWindowsDesktopServices returns a paginated list of windows desktop services.
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
	// GetUIConfig gets the config for the UI served by the proxy service
	GetUIConfig(ctx context.Context) (types.UIConfig, error)
	// GetInstaller gets installer resource for this cluster
	GetInstaller(ctx context.Context, name string) (types.Installer, error)
	// GetInstallers gets all the installer resources.
	GetInstallers(ctx context.Context) ([]types.Installer, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
	// ListSAMLIdPServiceProviders returns a paginated list of SAML IdP service provider resources.
	ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextKey string) ([]types.SAMLIdPServiceProvider, string, error)
	// GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resource.
	GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)
	// ListOktaAssignments returns a paginated list of all Okta assignment resources.
	ListOktaAssignments(context.Context, int, string) ([]types.OktaAssignment, string, error)
	// GetOktaAssignment returns the specified Okta assignment resource.
	GetOktaAssignment(ctx context.Context, name string) (types.OktaAssignment, error)
	// ListUserGroups returns a paginated list of all user group resources.
	ListUserGroups(context.Context, int, string) ([]types.UserGroup, string, error)
	// GetUserGroup returns the specified user group resource.
	GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
	// IntegrationsGetter defines read/list methods for integrations.
	services.IntegrationsGetter
}
Cache is a subset of the auth interface handling access to the discovery API and static tokens
type Client ¶
type Client struct {
	// APIClient is used to make gRPC requests to the server
	*APIClient
	// HTTPClient is used to make http requests to the server
	*HTTPClient
}
Client is the Auth API client. It works by connecting to auth servers via gRPC and HTTP.
When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go
NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.
func NewClient ¶
NewClient creates a new API client with a connection to a Teleport server.
The client will use the first credentials and the given dialer. If no dialer is given, the first address will be used. This address must be an auth server address.
NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.
func (*Client) AccessGraphClient ¶
func (c *Client) AccessGraphClient() accessgraphv1.AccessGraphServiceClient
func (*Client) AccessListClient ¶
func (c *Client) AccessListClient() services.AccessLists
func (*Client) ActivateCertAuthority ¶
func (c *Client) ActivateCertAuthority(id types.CertAuthID) error
ActivateCertAuthority not implemented: can only be called locally.
func (*Client) AddUserLoginAttempt ¶
func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
AddUserLoginAttempt logs user login attempt
func (*Client) CompareAndSwapCertAuthority ¶
func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*Client) CompareAndSwapUser ¶
CompareAndSwapUser not implemented: can only be called locally
func (*Client) CreateAuditStream ¶
CreateAuditStream creates new audit stream.
func (*Client) CreateCertAuthority ¶
CreateCertAuthority not implemented: can only be called locally.
func (*Client) CreateResetPasswordToken ¶
func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
CreateResetPasswordToken creates reset password token
func (*Client) DeactivateCertAuthority ¶
func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error
DeactivateCertAuthority not implemented: can only be called locally.
func (*Client) DeleteAllAuthServers ¶
DeleteAllAuthServers not implemented: can only be called locally.
func (*Client) DeleteAllCertAuthorities ¶
func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error
DeleteAllCertAuthorities not implemented: can only be called locally.
func (*Client) DeleteAllLocks ¶
DeleteAllLocks not implemented: can only be called locally.
func (*Client) DeleteAllNamespaces ¶
DeleteAllNamespaces not implemented: can only be called locally.
func (*Client) DeleteAllReverseTunnels ¶
DeleteAllReverseTunnels not implemented: can only be called locally.
func (*Client) DeleteAllRoles ¶
DeleteAllRoles not implemented: can only be called locally.
func (*Client) DeleteAllTokens ¶
DeleteAllTokens not implemented: can only be called locally.
func (*Client) DeleteAllUsers ¶
DeleteAllUsers not implemented: can only be called locally.
func (*Client) DeleteAuthPreference ¶
DeleteAuthPreference not implemented: can only be called locally.
func (*Client) DeleteAuthServer ¶
DeleteAuthServer not implemented: can only be called locally.
func (*Client) DeleteCertAuthority ¶
DeleteCertAuthority deletes cert authority by ID
func (*Client) DeleteClusterAuditConfig ¶
DeleteClusterAuditConfig not implemented: can only be called locally.
func (*Client) DeleteClusterName ¶
DeleteClusterName not implemented: can only be called locally.
func (*Client) DeleteClusterNetworkingConfig ¶
DeleteClusterNetworkingConfig not implemented: can only be called locally.
func (*Client) DeleteSessionRecordingConfig ¶
DeleteSessionRecordingConfig not implemented: can only be called locally.
func (*Client) DiscoveryConfigClient ¶
func (c *Client) DiscoveryConfigClient() services.DiscoveryConfigs
DiscoveryConfigClient returns a client for managing the DiscoveryConfig resource.
func (*Client) ExternalAuditStorageClient ¶
func (c *Client) ExternalAuditStorageClient() *externalauditstorage.Client
func (*Client) GenerateCertAuthorityCRL ¶
func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for a CA.
func (*Client) GenerateHostCert ¶
func (c *Client) GenerateHostCert(
	ctx context.Context,
	key []byte,
	hostID, nodeName string,
	principals []string,
	clusterName string,
	role types.SystemRole,
	ttl time.Duration,
) ([]byte, error)
GenerateHostCert takes the public key in the OpenSSH "authorized_keys" plain-text format, signs it using the Host Certificate Authority private key and returns the resulting certificate. TODO(noah): DELETE IN 16.0.0
func (*Client) GetCertAuthorities ¶
func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
GetCertAuthorities returns a list of certificate authorities
func (*Client) GetCertAuthority ¶
func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool) (types.CertAuthority, error)
GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded
func (*Client) GetClusterAuditConfig ¶
func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*Client) GetClusterNetworkingConfig ¶
func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*Client) GetDatabaseServers ¶
func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
GetDatabaseServers returns all registered database proxy servers.
func (*Client) GetReverseTunnel ¶
func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
GetReverseTunnel not implemented: can only be called locally.
func (*Client) GetSessionRecordingConfig ¶
func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
GetSessionRecordingConfig gets session recording configuration.
func (*Client) GetUserLoginAttempts ¶
func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
GetUserLoginAttempts returns user login attempts
func (*Client) KeepAliveServer ¶
KeepAliveServer not implemented: can only be called locally.
func (*Client) ListReleases ¶
func (*Client) ListWindowsDesktopServices ¶
func (c *Client) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
ListWindowsDesktopServices not implemented: can only be called locally.
func (*Client) ListWindowsDesktops ¶
func (c *Client) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
ListWindowsDesktops not implemented: can only be called locally.
func (*Client) OktaClient ¶
func (*Client) ResumeAuditStream ¶
func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
ResumeAuditStream resumes existing audit stream.
func (*Client) SearchEvents ¶
func (c *Client) SearchEvents(ctx context.Context, req events.SearchEventsRequest) ([]apievents.AuditEvent, string, error)
SearchEvents allows searching for audit events with pagination support.
func (*Client) SearchSessionEvents ¶
func (c *Client) SearchSessionEvents(ctx context.Context, req events.SearchSessionEventsRequest) ([]apievents.AuditEvent, string, error)
SearchSessionEvents returns session-related events, used to find completed sessions.
func (*Client) SecReportsClient ¶
SecReportsClient returns a client for security reports.
func (*Client) SetClusterAuditConfig ¶
func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
SetClusterAuditConfig not implemented: can only be called locally.
func (*Client) StreamSessionEvents ¶
func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
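The channel contract above has a sharp edge: after an error the event channel stays open, so a consumer that simply ranges over it hangs forever on a failed stream. The consumer below, an added example that is not Teleport's code, selects over both channels and the caller's context. AuditEvent is a stand-in struct for apievents.AuditEvent, and fakeStream is an assumed producer that follows the documented contract (events in order, then either a close or an error with the event channel left open).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// AuditEvent is a stand-in (assumption) for apievents.AuditEvent, which in
// Teleport is an interface with many concrete event types.
type AuditEvent struct {
	Type  string
	Index int64
}

// drainSessionEvents consumes the (events, errors) channel pair returned by
// StreamSessionEvents. It stops when the event channel is closed (clean end
// of stream), when an error arrives, or when ctx ends. Selecting over all
// three is what keeps a failed stream from blocking the caller forever.
func drainSessionEvents(ctx context.Context, eventsC <-chan AuditEvent, errC <-chan error) ([]AuditEvent, error) {
	var out []AuditEvent
	for {
		select {
		case <-ctx.Done():
			return out, ctx.Err()
		case err := <-errC:
			return out, err
		case ev, ok := <-eventsC:
			if !ok {
				return out, nil // producer closed the channel: stream ended
			}
			out = append(out, ev)
		}
	}
}

// fakeStream mimics the documented producer behaviour (assumed, not Teleport's
// implementation): it emits events in order, then closes the event channel on
// success or sends failWith on the error channel and leaves eventsC open.
func fakeStream(events []AuditEvent, failWith error) (chan AuditEvent, chan error) {
	eventsC := make(chan AuditEvent) // unbuffered: every event is consumed before any error is sent
	errC := make(chan error, 1)
	go func() {
		for _, ev := range events {
			eventsC <- ev
		}
		if failWith != nil {
			errC <- failWith
			return // eventsC intentionally left open, as the contract says
		}
		close(eventsC)
	}()
	return eventsC, errC
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()

	// Constructed sample recording: three events, then a clean end of stream.
	sample := []AuditEvent{{Type: "session.start", Index: 0}, {Type: "print", Index: 1}, {Type: "session.end", Index: 2}}
	eventsC, errC := fakeStream(sample, nil)
	evs, err := drainSessionEvents(ctx, eventsC, errC)
	fmt.Printf("clean stream: %d events, err=%v\n", len(evs), err)

	// The same recording, but the backend fails after the second event.
	eventsC, errC = fakeStream(sample[:2], errors.New("upload part missing"))
	evs, err = drainSessionEvents(ctx, eventsC, errC)
	fmt.Printf("failed stream: %d events, err=%v\n", len(evs), err)
}
```

Passing a context with a deadline matters as much as the select: a backend that stalls without sending either an event or an error is otherwise indistinguishable from a slow one.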
func (*Client) UpdateAndSwapUser ¶
func (c *Client) UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (bool, error)) (types.User, error)
UpdateAndSwapUser not implemented: can only be called locally.
func (*Client) UpdatePresence ¶
func (*Client) UpdateUserCARoleMap ¶
func (c *Client) UpdateUserCARoleMap(ctx context.Context, name string, roleMap types.RoleMap, activated bool) error
UpdateUserCARoleMap not implemented: can only be called locally.
func (*Client) UpsertAppSession ¶
UpsertAppSession not implemented: can only be called locally.
func (*Client) UpsertCertAuthority ¶
UpsertCertAuthority updates or inserts a new cert authority.
func (*Client) UpsertClusterName ¶
func (c *Client) UpsertClusterName(cn types.ClusterName) error
UpsertClusterName not implemented: can only be called locally.
func (*Client) UpsertSAMLIdPSession ¶
UpsertSAMLIdPSession not implemented: can only be called locally.
func (*Client) UpsertSnowflakeSession ¶
UpsertSnowflakeSession not implemented: can only be called locally.
func (*Client) UpsertUser ¶
UpsertUser updates or inserts a user entry. TODO(tross): DELETE IN 16.0.0
func (*Client) UserLoginStateClient ¶
func (c *Client) UserLoginStateClient() services.UserLoginStates
func (*Client) ValidateMFAAuthResponse ¶
func (c *Client) ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, passwordless bool) (*types.MFADevice, string, error)
ValidateMFAAuthResponse validates an MFA or passwordless challenge. Returns the device used to solve the challenge (if applicable) and the username.
type ClientI ¶
type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.AuditLogSessionStreamer
	events.Streamer
	apievents.Emitter
	services.Presence
	services.Access
	services.DynamicAccess
	services.DynamicAccessOracle
	services.Restrictions
	services.Apps
	services.Databases
	services.DatabaseServices
	services.Kubernetes
	services.WindowsDesktops
	services.SAMLIdPServiceProviders
	services.UserGroups
	services.Assistant
	WebService
	services.Status
	services.ClusterConfiguration
	services.SessionTrackerService
	services.ConnectionsDiagnostic
	services.SAMLIdPSession
	services.Integrations
	types.Events
	types.WebSessionsGetter
	types.WebTokensGetter

	// DevicesClient returns a Device Trust client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	DevicesClient() devicepb.DeviceTrustServiceClient
	// LoginRuleClient returns a client to the Login Rule gRPC service.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	LoginRuleClient() loginrulepb.LoginRuleServiceClient
	// EmbeddingClient returns a client to the Embedding gRPC service.
	EmbeddingClient() assistpb.AssistEmbeddingServiceClient
	// AccessGraphClient returns a client to the Access Graph gRPC service.
	AccessGraphClient() accessgraphv1.AccessGraphServiceClient
	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(ctx context.Context, req RotateRequest) error
	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of the
	// certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successful, main cluster
	// adds remote cluster
	ValidateTrustedCluster(context.Context, *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
	// GetDomainName returns auth server cluster name
	GetDomainName(ctx context.Context) (string, error)
	// GetClusterCACert returns the PEM-encoded TLS certs for the local cluster.
	// If the cluster has multiple TLS certs, they will all be concatenated.
	GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)
	// GenerateHostCerts generates new host certificates (signed
	// by the host certificate authority) for a node
	GenerateHostCerts(context.Context, *proto.HostCertsRequest) (*proto.Certs, error)
	// GenerateOpenSSHCert signs a SSH certificate with OpenSSH CA that
	// can be used to connect to Agentless nodes.
	GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)
	// AuthenticateWebUser authenticates web user, creates and returns web session
	// in case if authentication is successful
	AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH
	// short-lived certificates as a result
	AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if successful.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
	// Ping gets basic info about the auth server.
	Ping(ctx context.Context) (proto.PingResponse, error)
	// CreateAppSession creates an application web session. Application web
	// sessions represent a browser session the client holds.
	CreateAppSession(context.Context, types.CreateAppSessionRequest) (types.WebSession, error)
	// CreateSnowflakeSession creates a Snowflake web session. Snowflake web
	// sessions represent Database Access Snowflake session the client holds.
	CreateSnowflakeSession(context.Context, types.CreateSnowflakeSessionRequest) (types.WebSession, error)
	// CreateSAMLIdPSession creates a SAML IdP session. SAML IdP sessions represent
	// sessions created by the SAML identity provider.
	CreateSAMLIdPSession(context.Context, types.CreateSAMLIdPSessionRequest) (types.WebSession, error)
	// GenerateDatabaseCert generates client certificate used by a database
	// service to authenticate with the database instance.
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
	// GetWebSession queries the existing web session described with req.
	// Implements ReadAccessPoint.
	GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
	// GetWebToken queries the existing web token described with req.
	// Implements ReadAccessPoint.
	GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
	GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
	// ResetAuthPreference resets cluster auth preference to defaults.
	ResetAuthPreference(ctx context.Context) error
	// ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
	ResetClusterNetworkingConfig(ctx context.Context) error
	// ResetSessionRecordingConfig resets session recording configuration to defaults.
	ResetSessionRecordingConfig(ctx context.Context) error
	// GenerateWindowsDesktopCert generates client smartcard certificate used
	// by an RDP client to authenticate with Windows.
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
	// GenerateCertAuthorityCRL generates an empty CRL for a CA.
	GenerateCertAuthorityCRL(context.Context, types.CertAuthType) ([]byte, error)
	// GetInventoryStatus gets basic status info about instance inventory.
	GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
	// PingInventory attempts to trigger a downstream ping against a connected instance.
	PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
	// SubmitUsageEvent submits an external usage event.
	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
	// GetLicense returns the license used to start Teleport Enterprise
	GetLicense(ctx context.Context) (string, error)
	// ListReleases returns a list of Teleport Enterprise releases
	ListReleases(ctx context.Context) ([]*types.Release, error)
	// PluginsClient returns a Plugins client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a plugins client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	PluginsClient() pluginspb.PluginServiceClient
	// SAMLIdPClient returns a SAML IdP client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a SAML IdP client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	SAMLIdPClient() samlidppb.SAMLIdPServiceClient
	// OktaClient returns an Okta client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get an Okta client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	OktaClient() services.Okta
	// AccessListClient returns an access list client.
	// Clients connecting to older Teleport versions still get an access list client
	// when calling this method, but all RPCs will return "not implemented" errors
	// (as per the default gRPC behavior).
	AccessListClient() services.AccessLists
	// SecReportsClient returns a client for security reports.
	// Clients connecting to older Teleport versions still get a security reports client
	// when calling this method, but all RPCs will return "not implemented" errors
	// (as per the default gRPC behavior).
	SecReportsClient() *secreport.Client
	// BotServiceClient returns a bot service client.
	// Clients connecting to older Teleport versions still get a bot service client
	// when calling this method, but all RPCs will return "not implemented" errors
	// (as per the default gRPC behavior).
	BotServiceClient() machineidv1pb.BotServiceClient
	// UserLoginStateClient returns a user login state client.
	// Clients connecting to older Teleport versions still get a user login state client
	// when calling this method, but all RPCs will return "not implemented" errors
	// (as per the default gRPC behavior).
	UserLoginStateClient() services.UserLoginStates
	// DiscoveryConfigClient returns a DiscoveryConfig client.
	// Clients connecting to older Teleport versions still get a DiscoveryConfig client
	// when calling this method, but all RPCs will return "not implemented" errors
	// (as per the default gRPC behavior).
	DiscoveryConfigClient() services.DiscoveryConfigs
	// ResourceUsageClient returns a resource usage service client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	ResourceUsageClient() resourceusagepb.ResourceUsageServiceClient
	// ExternalAuditStorageClient returns an External Audit Storage client.
	// Clients connecting to non-Enterprise clusters, or older Teleport versions,
	// still get a client when calling this method, but all RPCs will return
	// "not implemented" errors (as per the default gRPC behavior).
	ExternalAuditStorageClient() *externalauditstorage.Client
	// CloneHTTPClient creates a new HTTP client with the same configuration.
	CloneHTTPClient(params ...roundtrip.ClientParam) (*HTTPClient, error)
	// GetResources returns a paginated list of resources.
	GetResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error)
	// GetUserPreferences returns the user preferences for a given user.
	GetUserPreferences(ctx context.Context, req *userpreferencesv1.GetUserPreferencesRequest) (*userpreferencesv1.GetUserPreferencesResponse, error)
	// UpsertUserPreferences creates or updates user preferences for a given username.
	UpsertUserPreferences(ctx context.Context, req *userpreferencesv1.UpsertUserPreferencesRequest) error
	// ListUnifiedResources returns a paginated list of unified resources.
	ListUnifiedResources(ctx context.Context, req *proto.ListUnifiedResourcesRequest) (*proto.ListUnifiedResourcesResponse, error)
	// GetSSHTargets gets all servers that would match an equivalent ssh dial request. Note that this method
	// returns all resources directly accessible to the user *and* all resources available via 'SearchAsRoles',
	// which is what we want when handling things like ambiguous host errors and resource-based access requests,
	// but may result in confusing behavior if it is used outside of those contexts.
	GetSSHTargets(ctx context.Context, req *proto.GetSSHTargetsRequest) (*proto.GetSSHTargetsResponse, error)
	// ValidateMFAAuthResponse validates an MFA or passwordless challenge.
	// Returns the device used to solve the challenge (if applicable) and the username.
	ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, passwordless bool) (*types.MFADevice, string, error)
}
ClientI is a client to the Auth service.
func WithGithubConnectorConversions ¶
WithGithubConnectorConversions takes a ClientI and returns one that ensures returned or passed types.GithubConnector interfaces use the registered implementation for the following methods:
- ClientI.GetGithubConnector
- ClientI.GetGithubConnectors
- ClientI.UpsertGithubConnector
This function is necessary so that the github.com/gravitational/teleport/api module does not import github.com/gravitational/teleport/lib/services.
type ConnectionEnforcer ¶
type ConnectionEnforcer interface {
EnforceConnectionLimits(ctx context.Context, identity ConnectionIdentity, closers ...io.Closer) (context.Context, error)
}
ConnectionEnforcer limits incoming connections based on max connection settings.
type ConnectionIdentity ¶
type ConnectionIdentity struct {
	// Username is the name of the user
	Username string
	// MaxConnections is the upper limit on the number of open connections for a user
	MaxConnections int64
	// LocalAddr is the local address for the connection
	LocalAddr string
	// RemoteAddr is the remote address for the connection
	RemoteAddr string
	// UserMetadata contains metadata for a user
	UserMetadata apievents.UserMetadata
}
ConnectionIdentity contains the identifying properties of a client connection required to enforce connection limits.
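The two declarations above give the contract of a connection enforcer but not what an implementation does with the closers or the returned context. The following is an added example, not Teleport's own enforcer: a hypothetical in-memory implementation of the ConnectionEnforcer signature that rejects, and immediately closes, any connection beyond the identity's MaxConnections, and holds a slot until the returned context is done. The ConnectionIdentity type here is a local copy of the fields above (the example does not import Teleport); ConnectionLimiter, ErrConnectionLimit, closeRecorder, the constructed "alice" identity and the rule that MaxConnections <= 0 means unlimited are all assumptions of the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"sync"
	"sync/atomic"
)

// ConnectionIdentity mirrors the auth.ConnectionIdentity fields used here;
// the example does not import Teleport, so this is a local copy.
type ConnectionIdentity struct {
	Username       string
	MaxConnections int64
	RemoteAddr     string
}

// ErrConnectionLimit is returned when the user is already at MaxConnections.
var ErrConnectionLimit = errors.New("connection limit exceeded")

// ConnectionLimiter is a hypothetical ConnectionEnforcer that counts open
// connections per username in memory.
type ConnectionLimiter struct {
	mu   sync.Mutex
	open map[string]int64
}

func NewConnectionLimiter() *ConnectionLimiter {
	return &ConnectionLimiter{open: make(map[string]int64)}
}

// OpenConnections reports how many slots a user currently holds.
func (l *ConnectionLimiter) OpenConnections(username string) int64 {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.open[username]
}

// EnforceConnectionLimits has the auth.ConnectionEnforcer signature.
// MaxConnections <= 0 is treated as unlimited (an assumption of this example).
// A rejected connection has its closers closed at once so it cannot linger
// half-open. An admitted connection holds a slot until the returned context
// is done; the closers are then closed and the slot released, so cancelling
// the context is how the connection is torn down.
func (l *ConnectionLimiter) EnforceConnectionLimits(ctx context.Context, id ConnectionIdentity, closers ...io.Closer) (context.Context, error) {
	if id.MaxConnections <= 0 {
		return ctx, nil
	}
	l.mu.Lock()
	if l.open[id.Username] >= id.MaxConnections {
		l.mu.Unlock()
		closeAll(closers)
		return nil, fmt.Errorf("%w: user %q already has %d open connections (rejected %s)",
			ErrConnectionLimit, id.Username, id.MaxConnections, id.RemoteAddr)
	}
	l.open[id.Username]++
	l.mu.Unlock()

	connCtx, cancel := context.WithCancel(ctx)
	go func() {
		<-connCtx.Done()
		cancel()
		// Close before releasing the slot so a freed slot always means a closed socket.
		closeAll(closers)
		l.mu.Lock()
		l.open[id.Username]--
		if l.open[id.Username] <= 0 {
			delete(l.open, id.Username)
		}
		l.mu.Unlock()
	}()
	return connCtx, nil
}

func closeAll(closers []io.Closer) {
	for _, c := range closers {
		_ = c.Close()
	}
}

// closeRecorder is a constructed stand-in for a network connection.
type closeRecorder struct{ closed int32 }

func (c *closeRecorder) Close() error { atomic.StoreInt32(&c.closed, 1); return nil }
func (c *closeRecorder) Closed() bool { return atomic.LoadInt32(&c.closed) == 1 }

func main() {
	limiter := NewConnectionLimiter()
	// Constructed identity: alice's role allows at most two concurrent connections.
	alice := ConnectionIdentity{Username: "alice", MaxConnections: 2, RemoteAddr: "203.0.113.7:51000"}
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	for i := 1; i <= 3; i++ {
		conn := &closeRecorder{}
		if _, err := limiter.EnforceConnectionLimits(ctx, alice, conn); err != nil {
			fmt.Printf("connection %d rejected (closed=%v): %v\n", i, conn.Closed(), err)
			continue
		}
		fmt.Printf("connection %d admitted, open=%d\n", i, limiter.OpenConnections("alice"))
	}
}
```

The third attempt in main is rejected and its closer is already closed when the error is returned; that ordering matters, because an enforcer that returns an error but leaves the socket open hands the caller a connection it may keep serving by mistake.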
type CreateUserParams ¶
type CreateUserParams struct {
	// ConnectorName is the name of the connector for the identity provider.
	ConnectorName string
	// Username is the Teleport user name.
	Username string
	// KubeGroups is the list of Kubernetes groups this user belongs to.
	KubeGroups []string
	// KubeUsers is the list of Kubernetes users this user belongs to.
	KubeUsers []string
	// Roles is the list of Roles this user is assigned to.
	Roles []string
	// Traits is the list of Traits for this user.
	Traits map[string][]string
	// SessionTTL is how long this session will last.
	SessionTTL time.Duration
}
CreateUserParams is a set of parameters used to create a user for an external identity provider.
type CreateUserTokenRequest ¶
type CreateUserTokenRequest struct {
	// Name is the user name for token.
	Name string `json:"name"`
	// TTL specifies how long the generated token is valid for.
	TTL time.Duration `json:"ttl"`
	// Type is the token type.
	Type string `json:"type"`
}
CreateUserTokenRequest is a request to create a new user token.
func (*CreateUserTokenRequest) CheckAndSetDefaults ¶
func (r *CreateUserTokenRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets the defaults.
type DatabaseAccessPoint ¶
type DatabaseAccessPoint interface {
	// ReadDatabaseAccessPoint provides methods to read data
	ReadDatabaseAccessPoint
	// contains filtered or unexported methods
}
DatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.
func NewDatabaseWrapper ¶
func NewDatabaseWrapper(base DatabaseAccessPoint, cache ReadDatabaseAccessPoint) DatabaseAccessPoint
type DatabaseTestCertRequest ¶
type DatabaseTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Cluster is the Teleport cluster name.
	Cluster string
	// Username is the Teleport username.
	Username string
	// RouteToDatabase contains database routing information.
	RouteToDatabase tlsca.RouteToDatabase
	// PinnedIP is the IP the new certificate should be pinned to.
	PinnedIP string
}
DatabaseTestCertRequest combines the parameters for generating a test database access certificate.
type DatabaseWrapper ¶
type DatabaseWrapper struct {
	ReadDatabaseAccessPoint
	NoCache DatabaseAccessPoint
	// contains filtered or unexported fields
}
func (*DatabaseWrapper) Close ¶
func (w *DatabaseWrapper) Close() error
Close closes all associated resources
type DeviceExtensions ¶
type DeviceExtensions tlsca.DeviceExtensions
DeviceExtensions hold device-aware user certificate extensions. Device extensions are a part of Device Trust, a feature exclusive to Teleport Enterprise.
type DiscoveryAccessPoint ¶
type DiscoveryAccessPoint interface {
	// ReadDiscoveryAccessPoint provides methods to read data
	ReadDiscoveryAccessPoint

	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// UpdateKubernetesCluster updates existing kubernetes cluster resource.
	UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// DeleteKubernetesCluster deletes specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error

	// CreateDatabase creates a new database resource.
	CreateDatabase(ctx context.Context, database types.Database) error
	// UpdateDatabase updates an existing database resource.
	UpdateDatabase(ctx context.Context, database types.Database) error
	// DeleteDatabase deletes a database resource.
	DeleteDatabase(ctx context.Context, name string) error

	// UpsertServerInfo upserts a server info resource.
	UpsertServerInfo(ctx context.Context, si types.ServerInfo) error

	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error

	// SubmitUsageEvent submits an external usage event.
	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
	GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
	// contains filtered or unexported methods
}
DiscoveryAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDiscovery
func NewDiscoveryWrapper ¶
func NewDiscoveryWrapper(base DiscoveryAccessPoint, cache ReadDiscoveryAccessPoint) DiscoveryAccessPoint
type DiscoveryWrapper ¶
type DiscoveryWrapper struct {
	ReadDiscoveryAccessPoint
	NoCache DiscoveryAccessPoint
	// contains filtered or unexported fields
}
func (*DiscoveryWrapper) Close ¶
func (w *DiscoveryWrapper) Close() error
Close closes all associated resources
func (*DiscoveryWrapper) CreateApp ¶
func (w *DiscoveryWrapper) CreateApp(ctx context.Context, app types.Application) error
func (*DiscoveryWrapper) CreateDatabase ¶
CreateDatabase creates a new database resource.
func (*DiscoveryWrapper) CreateKubernetesCluster ¶
func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*DiscoveryWrapper) DeleteApp ¶
func (w *DiscoveryWrapper) DeleteApp(ctx context.Context, name string) error
func (*DiscoveryWrapper) DeleteDatabase ¶
func (w *DiscoveryWrapper) DeleteDatabase(ctx context.Context, name string) error
DeleteDatabase deletes a database resource.
func (*DiscoveryWrapper) DeleteKubernetesCluster ¶
func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error
DeleteKubernetesCluster deletes specified kubernetes cluster resource.
func (*DiscoveryWrapper) GenerateAWSOIDCToken ¶
func (w *DiscoveryWrapper) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
func (*DiscoveryWrapper) SubmitUsageEvent ¶
func (w *DiscoveryWrapper) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
SubmitUsageEvent submits an external usage event.
func (*DiscoveryWrapper) UpdateApp ¶
func (w *DiscoveryWrapper) UpdateApp(ctx context.Context, app types.Application) error
func (*DiscoveryWrapper) UpdateDatabase ¶
UpdateDatabase updates an existing database resource.
func (*DiscoveryWrapper) UpdateKubernetesCluster ¶
func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
UpdateKubernetesCluster updates existing kubernetes cluster resource.
func (*DiscoveryWrapper) UpsertServerInfo ¶
func (w *DiscoveryWrapper) UpsertServerInfo(ctx context.Context, si types.ServerInfo) error
UpsertServerInfo upserts a server info resource.
type ForwardedClientMetadata ¶
type ForwardedClientMetadata struct {
	UserAgent string `json:"user_agent,omitempty"`
	// RemoteAddr is the IP address of the end user. This IP address is derived
	// either from a direct client connection, or from a PROXY protocol header
	// if the connection is forwarded through a load balancer.
	RemoteAddr string `json:"remote_addr,omitempty"`
}
ForwardedClientMetadata can be used by the proxy web API to forward information about the client to the auth service.
type GRPCServer ¶
type GRPCServer struct {
	authpb.UnimplementedAuthServiceServer
	auditlogpb.UnimplementedAuditLogServiceServer
	*logrus.Entry
	APIConfig

	// TraceServiceServer exposes the exporter server so that the auth server may
	// collect and forward spans
	collectortracepb.TraceServiceServer
	// contains filtered or unexported fields
}
GRPCServer is the gRPC Auth Server API.
func NewGRPCServer ¶
func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error)
NewGRPCServer returns a new instance of the gRPC server.
func (*GRPCServer) AcquireSemaphore ¶
func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
AcquireSemaphore acquires lease with requested resources from semaphore.
func (*GRPCServer) AddMFADevice
deprecated
func (g *GRPCServer) AddMFADevice(stream authpb.AuthService_AddMFADeviceServer) error
Deprecated: Use AddMFADeviceSync instead.
DELETE IN v16, kept for compatibility with older tsh versions (codingllama). (Don't actually delete it, but instead make it always error.)
func (*GRPCServer) AddMFADeviceSync ¶
func (g *GRPCServer) AddMFADeviceSync(ctx context.Context, req *authpb.AddMFADeviceSyncRequest) (*authpb.AddMFADeviceSyncResponse, error)
AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.
func (*GRPCServer) AppendDiagnosticTrace ¶
func (g *GRPCServer) AppendDiagnosticTrace(ctx context.Context, in *authpb.AppendDiagnosticTraceRequest) (*types.ConnectionDiagnosticV1, error)
AppendDiagnosticTrace updates a connection diagnostic
func (*GRPCServer) CancelSemaphoreLease ¶
func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
CancelSemaphoreLease cancels semaphore lease early.
func (*GRPCServer) ChangePassword ¶
func (g *GRPCServer) ChangePassword(ctx context.Context, req *authpb.ChangePasswordRequest) (*emptypb.Empty, error)
func (*GRPCServer) ChangeUserAuthentication ¶
func (g *GRPCServer) ChangeUserAuthentication(ctx context.Context, req *authpb.ChangeUserAuthenticationRequest) (*authpb.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.
func (*GRPCServer) ClearAlertAcks ¶
func (g *GRPCServer) ClearAlertAcks(ctx context.Context, req *authpb.ClearAlertAcksRequest) (*emptypb.Empty, error)
func (*GRPCServer) CompleteAccountRecovery ¶
func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *authpb.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)
CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.
func (*GRPCServer) CreateAccessRequest ¶
func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)
func (*GRPCServer) CreateAccessRequestV2 ¶
func (g *GRPCServer) CreateAccessRequestV2(ctx context.Context, req *types.AccessRequestV3) (*types.AccessRequestV3, error)
func (*GRPCServer) CreateAccountRecoveryCodes ¶
func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *authpb.CreateAccountRecoveryCodesRequest) (*authpb.RecoveryCodes, error)
CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.
func (*GRPCServer) CreateAlertAck ¶
func (g *GRPCServer) CreateAlertAck(ctx context.Context, ack *types.AlertAcknowledgement) (*emptypb.Empty, error)
func (*GRPCServer) CreateAppSession ¶
func (g *GRPCServer) CreateAppSession(ctx context.Context, req *authpb.CreateAppSessionRequest) (*authpb.CreateAppSessionResponse, error)
CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.
func (*GRPCServer) CreateAuditStream ¶
func (g *GRPCServer) CreateAuditStream(stream authpb.AuthService_CreateAuditStreamServer) error
CreateAuditStream creates or resumes an audit event stream.
func (*GRPCServer) CreateAuthenticateChallenge ¶
func (g *GRPCServer) CreateAuthenticateChallenge(ctx context.Context, req *authpb.CreateAuthenticateChallengeRequest) (*authpb.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.
func (*GRPCServer) CreateBot ¶
func (g *GRPCServer) CreateBot(ctx context.Context, req *authpb.CreateBotRequest) (*authpb.CreateBotResponse, error)
CreateBot creates a new bot and an optional join token. TODO(noah): DELETE IN 16.0.0 Deprecated: use machineidv1.BotService.CreateBot instead.
func (*GRPCServer) CreateConnectionDiagnostic ¶
func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
CreateConnectionDiagnostic creates a connection diagnostic
func (*GRPCServer) CreateDatabase ¶
func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
CreateDatabase creates a new database resource.
func (*GRPCServer) CreateGithubAuthRequest ¶
func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)
CreateGithubAuthRequest creates GithubAuthRequest.
func (*GRPCServer) CreateGithubConnector ¶
func (g *GRPCServer) CreateGithubConnector(ctx context.Context, req *authpb.CreateGithubConnectorRequest) (*types.GithubConnectorV3, error)
CreateGithubConnector creates a new Github connector.
func (*GRPCServer) CreateKubernetesCluster ¶
func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*GRPCServer) CreateOIDCAuthRequest ¶
func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
CreateOIDCAuthRequest creates an OIDCAuthRequest.
func (*GRPCServer) CreateOIDCConnector ¶
func (g *GRPCServer) CreateOIDCConnector(ctx context.Context, req *authpb.CreateOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
CreateOIDCConnector creates a new OIDC connector.
func (*GRPCServer) CreatePrivilegeToken ¶
func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *authpb.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.
func (*GRPCServer) CreateRegisterChallenge ¶
func (g *GRPCServer) CreateRegisterChallenge(ctx context.Context, req *authpb.CreateRegisterChallengeRequest) (*authpb.MFARegisterChallenge, error)
CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.
func (*GRPCServer) CreateResetPasswordToken ¶
func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *authpb.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)
func (*GRPCServer) CreateRole ¶
func (g *GRPCServer) CreateRole(ctx context.Context, req *authpb.CreateRoleRequest) (*types.RoleV6, error)
CreateRole creates a new role.
func (*GRPCServer) CreateSAMLAuthRequest ¶
func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
CreateSAMLAuthRequest creates SAMLAuthRequest.
func (*GRPCServer) CreateSAMLConnector ¶
func (g *GRPCServer) CreateSAMLConnector(ctx context.Context, req *authpb.CreateSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
CreateSAMLConnector creates a new SAML connector.
func (*GRPCServer) CreateSAMLIdPServiceProvider ¶
func (g *GRPCServer) CreateSAMLIdPServiceProvider(ctx context.Context, sp *types.SAMLIdPServiceProviderV1) (*emptypb.Empty, error)
CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource.
func (*GRPCServer) CreateSAMLIdPSession ¶
func (g *GRPCServer) CreateSAMLIdPSession(ctx context.Context, req *authpb.CreateSAMLIdPSessionRequest) (*authpb.CreateSAMLIdPSessionResponse, error)
CreateSAMLIdPSession creates a SAML IdP session.
func (*GRPCServer) CreateSessionTracker ¶
func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *authpb.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*GRPCServer) CreateSnowflakeSession ¶
func (g *GRPCServer) CreateSnowflakeSession(ctx context.Context, req *authpb.CreateSnowflakeSessionRequest) (*authpb.CreateSnowflakeSessionResponse, error)
func (*GRPCServer) CreateTokenV2 ¶
func (g *GRPCServer) CreateTokenV2(ctx context.Context, req *authpb.CreateTokenV2Request) (*emptypb.Empty, error)
CreateTokenV2 creates a token.
func (*GRPCServer) CreateUser ¶
CreateUser inserts a new user entry in a backend. TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.CreateUser instead.
func (*GRPCServer) CreateUserGroup ¶
func (g *GRPCServer) CreateUserGroup(ctx context.Context, sp *types.UserGroupV1) (*emptypb.Empty, error)
CreateUserGroup creates a new user group resource.
func (*GRPCServer) CreateWindowsDesktop ¶
func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
CreateWindowsDesktop registers a new Windows desktop host.
func (*GRPCServer) DeleteAccessRequest ¶
func (*GRPCServer) DeleteAllAppSessions ¶
func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllAppSessions removes all application web sessions.
func (*GRPCServer) DeleteAllApplicationServers ¶
func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *authpb.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)
DeleteAllApplicationServers deletes all registered application servers.
func (*GRPCServer) DeleteAllApps ¶
DeleteAllApps removes all application resources.
func (*GRPCServer) DeleteAllDatabaseServers ¶
func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *authpb.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)
DeleteAllDatabaseServers removes all registered database proxy servers.
func (*GRPCServer) DeleteAllDatabaseServices ¶
func (g *GRPCServer) DeleteAllDatabaseServices(ctx context.Context, _ *authpb.DeleteAllDatabaseServicesRequest) (*emptypb.Empty, error)
DeleteAllDatabaseServices removes all registered DatabaseServices.
func (*GRPCServer) DeleteAllDatabases ¶
func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllDatabases removes all databases.
func (*GRPCServer) DeleteAllInstallers ¶
func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllInstallers deletes all installers.
func (*GRPCServer) DeleteAllKubernetesClusters ¶
func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllKubernetesClusters removes all kubernetes clusters.
func (*GRPCServer) DeleteAllKubernetesServers ¶
func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *authpb.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)
DeleteAllKubernetesServers deletes all registered kubernetes servers.
func (*GRPCServer) DeleteAllNodes ¶
func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)
DeleteAllNodes deletes all nodes in a given namespace.
func (*GRPCServer) DeleteAllSAMLIdPServiceProviders ¶
func (g *GRPCServer) DeleteAllSAMLIdPServiceProviders(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllSAMLIdPServiceProviders removes all SAML IdP service providers.
func (*GRPCServer) DeleteAllSAMLIdPSessions ¶
func (g *GRPCServer) DeleteAllSAMLIdPSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllSAMLIdPSessions removes all SAML IdP sessions.
func (*GRPCServer) DeleteAllServerInfos ¶
func (g *GRPCServer) DeleteAllServerInfos(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllServerInfos deletes all ServerInfos.
func (*GRPCServer) DeleteAllSnowflakeSessions ¶
func (*GRPCServer) DeleteAllUserGroups ¶
func (g *GRPCServer) DeleteAllUserGroups(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllUserGroups removes all user groups.
func (*GRPCServer) DeleteAllWebSessions ¶
func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWebSessions removes all web sessions.
func (*GRPCServer) DeleteAllWebTokens ¶
func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWebTokens removes all web tokens.
func (*GRPCServer) DeleteAllWindowsDesktopServices ¶
func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWindowsDesktopServices removes all registered Windows desktop services.
func (*GRPCServer) DeleteAllWindowsDesktops ¶
func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWindowsDesktops removes all registered Windows desktop hosts.
func (*GRPCServer) DeleteApp ¶
func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteApp removes the specified application resource.
func (*GRPCServer) DeleteAppSession ¶
func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *authpb.DeleteAppSessionRequest) (*emptypb.Empty, error)
DeleteAppSession removes an application web session.
func (*GRPCServer) DeleteApplicationServer ¶
func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *authpb.DeleteApplicationServerRequest) (*emptypb.Empty, error)
DeleteApplicationServer deletes an application server.
func (*GRPCServer) DeleteBot ¶
func (g *GRPCServer) DeleteBot(ctx context.Context, req *authpb.DeleteBotRequest) (*emptypb.Empty, error)
DeleteBot removes a bot and its associated resources. TODO(noah): DELETE IN 16.0.0 Deprecated: use machineidv1.BotService.DeleteBot instead.
func (*GRPCServer) DeleteClusterMaintenanceConfig ¶
func (g *GRPCServer) DeleteClusterMaintenanceConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteClusterMaintenanceConfig deletes the current maintenance config singleton.
func (*GRPCServer) DeleteDatabase ¶
func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteDatabase removes the specified database.
func (*GRPCServer) DeleteDatabaseServer ¶
func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *authpb.DeleteDatabaseServerRequest) (*emptypb.Empty, error)
DeleteDatabaseServer removes the specified database proxy server.
func (*GRPCServer) DeleteDatabaseService ¶
func (g *GRPCServer) DeleteDatabaseService(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteDatabaseService removes the specified DatabaseService.
func (*GRPCServer) DeleteGithubConnector ¶
func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteGithubConnector deletes a Github connector by name.
func (*GRPCServer) DeleteInstaller ¶
func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteInstaller sets the installer script resource to its default
func (*GRPCServer) DeleteKubernetesCluster ¶
func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteKubernetesCluster removes the specified kubernetes cluster.
func (*GRPCServer) DeleteKubernetesServer ¶
func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *authpb.DeleteKubernetesServerRequest) (*emptypb.Empty, error)
DeleteKubernetesServer deletes a kubernetes server.
func (*GRPCServer) DeleteLock ¶
func (g *GRPCServer) DeleteLock(ctx context.Context, req *authpb.DeleteLockRequest) (*emptypb.Empty, error)
DeleteLock deletes a lock.
func (*GRPCServer) DeleteMFADevice
deprecated
func (g *GRPCServer) DeleteMFADevice(stream authpb.AuthService_DeleteMFADeviceServer) error
Deprecated: Use DeleteMFADeviceSync instead.
DELETE IN v16, kept for compatibility with older tsh versions (codingllama). (Don't actually delete it, but instead make it always error.)
func (*GRPCServer) DeleteMFADeviceSync ¶
func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *authpb.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)
DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.
func (*GRPCServer) DeleteNetworkRestrictions ¶
func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteNetworkRestrictions deletes the network restrictions.
func (*GRPCServer) DeleteNode ¶
func (g *GRPCServer) DeleteNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*emptypb.Empty, error)
DeleteNode deletes a node by name.
func (*GRPCServer) DeleteOIDCConnector ¶
func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteOIDCConnector deletes an OIDC connector by name.
func (*GRPCServer) DeleteRole ¶
func (g *GRPCServer) DeleteRole(ctx context.Context, req *authpb.DeleteRoleRequest) (*emptypb.Empty, error)
DeleteRole deletes a role by name.
func (*GRPCServer) DeleteSAMLConnector ¶
func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteSAMLConnector deletes a SAML connector by name.
func (*GRPCServer) DeleteSAMLIdPServiceProvider ¶
func (g *GRPCServer) DeleteSAMLIdPServiceProvider(ctx context.Context, req *authpb.DeleteSAMLIdPServiceProviderRequest) (*emptypb.Empty, error)
DeleteSAMLIdPServiceProvider removes the specified SAML IdP service provider resource.
func (*GRPCServer) DeleteSAMLIdPSession ¶
func (g *GRPCServer) DeleteSAMLIdPSession(ctx context.Context, req *authpb.DeleteSAMLIdPSessionRequest) (*emptypb.Empty, error)
DeleteSAMLIdPSession removes a SAML IdP session.
func (*GRPCServer) DeleteSemaphore ¶
func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)
DeleteSemaphore deletes a semaphore matching the supplied filter.
func (*GRPCServer) DeleteServerInfo ¶
func (g *GRPCServer) DeleteServerInfo(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteServerInfo deletes a ServerInfo by name.
func (*GRPCServer) DeleteSnowflakeSession ¶
func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *authpb.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)
func (*GRPCServer) DeleteToken ¶
func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteToken deletes a token by name.
func (*GRPCServer) DeleteTrustedCluster ¶
func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteTrustedCluster deletes a Trusted Cluster by name.
func (*GRPCServer) DeleteUIConfig ¶
func (*GRPCServer) DeleteUser ¶
func (g *GRPCServer) DeleteUser(ctx context.Context, req *authpb.DeleteUserRequest) (*emptypb.Empty, error)
DeleteUser deletes an existing user in a backend by username.
func (*GRPCServer) DeleteUserAppSessions ¶
func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *authpb.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)
DeleteUserAppSessions removes all of a user's application web sessions.
func (*GRPCServer) DeleteUserGroup ¶
func (g *GRPCServer) DeleteUserGroup(ctx context.Context, req *authpb.DeleteUserGroupRequest) (*emptypb.Empty, error)
DeleteUserGroup removes the specified user group resource.
func (*GRPCServer) DeleteUserSAMLIdPSessions ¶
func (g *GRPCServer) DeleteUserSAMLIdPSessions(ctx context.Context, req *authpb.DeleteUserSAMLIdPSessionsRequest) (*emptypb.Empty, error)
DeleteUserSAMLIdPSessions removes all of a user's SAML IdP sessions.
func (*GRPCServer) DeleteWebSession ¶
func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)
DeleteWebSession removes the web session given with req.
func (*GRPCServer) DeleteWebToken ¶
func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)
DeleteWebToken removes the web token given with req.
func (*GRPCServer) DeleteWindowsDesktop ¶
func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *authpb.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)
DeleteWindowsDesktop removes the specified windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.
func (*GRPCServer) DeleteWindowsDesktopService ¶
func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *authpb.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)
DeleteWindowsDesktopService removes the specified Windows desktop service.
func (*GRPCServer) EmitAuditEvent ¶
func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)
EmitAuditEvent emits an audit event.
func (*GRPCServer) Export ¶
func (g *GRPCServer) Export(ctx context.Context, req *collectortracepb.ExportTraceServiceRequest) (*collectortracepb.ExportTraceServiceResponse, error)
Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.
func (*GRPCServer) ExportUpgradeWindows ¶
func (g *GRPCServer) ExportUpgradeWindows(ctx context.Context, req *authpb.ExportUpgradeWindowsRequest) (*authpb.ExportUpgradeWindowsResponse, error)
ExportUpgradeWindows is used to load derived upgrade window values for agents that need to export schedules to external upgraders.
func (*GRPCServer) GenerateAppToken ¶
func (g *GRPCServer) GenerateAppToken(ctx context.Context, req *authpb.GenerateAppTokenRequest) (*authpb.GenerateAppTokenResponse, error)
GenerateAppToken creates a JWT token with application access.
func (*GRPCServer) GenerateCertAuthorityCRL ¶
func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *authpb.CertAuthorityRequest) (*authpb.CRL, error)
GenerateCertAuthorityCRL returns a CRL for a CA.
func (*GRPCServer) GenerateDatabaseCert ¶
func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *authpb.DatabaseCertRequest) (*authpb.DatabaseCertResponse, error)
GenerateDatabaseCert generates the client certificate used by a database service to authenticate with the database instance.
func (*GRPCServer) GenerateHostCerts ¶
func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *authpb.HostCertsRequest) (*authpb.Certs, error)
func (*GRPCServer) GenerateOpenSSHCert ¶
func (g *GRPCServer) GenerateOpenSSHCert(ctx context.Context, req *authpb.OpenSSHCertRequest) (*authpb.OpenSSHCert, error)
func (*GRPCServer) GenerateSnowflakeJWT ¶
func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *authpb.SnowflakeJWTRequest) (*authpb.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates a JWT in the format required by Snowflake.
func (*GRPCServer) GenerateUserCerts ¶
func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *authpb.UserCertsRequest) (*authpb.Certs, error)
func (*GRPCServer) GenerateUserSingleUseCerts ¶
func (g *GRPCServer) GenerateUserSingleUseCerts(stream authpb.AuthService_GenerateUserSingleUseCertsServer) error
DELETE IN v16, kept for compatibility with older tsh versions (codingllama). (Don't actually delete it, but instead make it always error.)
func (*GRPCServer) GenerateWindowsDesktopCert ¶
func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *authpb.WindowsDesktopCertRequest) (*authpb.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates a client certificate for Windows RDP authentication.
func (*GRPCServer) GetAccessCapabilities ¶
func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*GRPCServer) GetAccessRequestAllowedPromotions ¶
func (g *GRPCServer) GetAccessRequestAllowedPromotions(ctx context.Context, request *authpb.AccessRequestAllowedPromotionRequest) (*authpb.AccessRequestAllowedPromotionResponse, error)
func (*GRPCServer) GetAccessRequestsV2 ¶
func (g *GRPCServer) GetAccessRequestsV2(f *types.AccessRequestFilter, stream authpb.AuthService_GetAccessRequestsV2Server) error
func (*GRPCServer) GetAccountRecoveryCodes ¶
func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *authpb.GetAccountRecoveryCodesRequest) (*authpb.RecoveryCodes, error)
GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.
func (*GRPCServer) GetAccountRecoveryToken ¶
func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *authpb.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)
GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.
func (*GRPCServer) GetActiveSessionTrackers ¶
func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream authpb.AuthService_GetActiveSessionTrackersServer) error
GetActiveSessionTrackers returns a list of active session trackers.
func (*GRPCServer) GetActiveSessionTrackersWithFilter ¶
func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, stream authpb.AuthService_GetActiveSessionTrackersWithFilterServer) error
GetActiveSessionTrackersWithFilter returns the active session trackers that match the supplied filter.
func (*GRPCServer) GetAlertAcks ¶
func (g *GRPCServer) GetAlertAcks(ctx context.Context, _ *authpb.GetAlertAcksRequest) (*authpb.GetAlertAcksResponse, error)
func (*GRPCServer) GetApp ¶
func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)
GetApp returns the specified application resource.
func (*GRPCServer) GetAppSession ¶
func (g *GRPCServer) GetAppSession(ctx context.Context, req *authpb.GetAppSessionRequest) (*authpb.GetAppSessionResponse, error)
GetAppSession gets an application web session.
func (*GRPCServer) GetAuthPreference ¶
func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)
GetAuthPreference gets cluster auth preference.
func (*GRPCServer) GetBackend ¶
func (g *GRPCServer) GetBackend() backend.Backend
GetBackend returns the backend from the underlying auth server.
func (*GRPCServer) GetBotUsers ¶
func (g *GRPCServer) GetBotUsers(_ *authpb.GetBotUsersRequest, stream authpb.AuthService_GetBotUsersServer) error
GetBotUsers lists all users with a bot label. TODO(noah): DELETE IN 16.0.0. Deprecated: use machineidv1.BotService.ListBots instead.
func (*GRPCServer) GetClusterAlerts ¶
func (g *GRPCServer) GetClusterAlerts(ctx context.Context, query *types.GetClusterAlertsRequest) (*authpb.GetClusterAlertsResponse, error)
func (*GRPCServer) GetClusterAuditConfig ¶
func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*GRPCServer) GetClusterCACert ¶
func (g *GRPCServer) GetClusterCACert(ctx context.Context, req *emptypb.Empty) (*authpb.GetClusterCACertResponse, error)
GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be appended.
func (*GRPCServer) GetClusterMaintenanceConfig ¶
func (g *GRPCServer) GetClusterMaintenanceConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterMaintenanceConfigV1, error)
GetClusterMaintenanceConfig gets the current maintenance config singleton.
func (*GRPCServer) GetClusterNetworkingConfig ¶
func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*GRPCServer) GetConnectionDiagnostic ¶
func (g *GRPCServer) GetConnectionDiagnostic(ctx context.Context, req *authpb.GetConnectionDiagnosticRequest) (*types.ConnectionDiagnosticV1, error)
GetConnectionDiagnostic reads a connection diagnostic.
func (*GRPCServer) GetCurrentUser ¶
GetCurrentUser returns the currently authenticated user. TODO(tross): DELETE IN 16.0.0. Deprecated: use usersv1.Service.GetUser instead.
func (*GRPCServer) GetCurrentUserRoles ¶
func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream authpb.AuthService_GetCurrentUserRolesServer) error
func (*GRPCServer) GetDatabase ¶
func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)
GetDatabase returns the specified database resource.
func (*GRPCServer) GetDatabases ¶
func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)
GetDatabases returns all database resources.
func (*GRPCServer) GetDomainName ¶
func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*authpb.GetDomainNameResponse, error)
GetDomainName returns the local auth domain of the current auth server.
func (*GRPCServer) GetEvents ¶
func (g *GRPCServer) GetEvents(ctx context.Context, req *authpb.GetEventsRequest) (*authpb.Events, error)
GetEvents searches for events on the backend and sends them back in a response.
func (*GRPCServer) GetGithubAuthRequest ¶
func (g *GRPCServer) GetGithubAuthRequest(ctx context.Context, req *authpb.GetGithubAuthRequestRequest) (*types.GithubAuthRequest, error)
GetGithubAuthRequest gets a GithubAuthRequest by id.
func (*GRPCServer) GetGithubConnector ¶
func (g *GRPCServer) GetGithubConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.GithubConnectorV3, error)
GetGithubConnector retrieves a Github connector by name.
func (*GRPCServer) GetGithubConnectors ¶
func (g *GRPCServer) GetGithubConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.GithubConnectorV3List, error)
GetGithubConnectors retrieves valid GitHub connectors; errors from individual connectors are not forwarded.
func (*GRPCServer) GetHeadlessAuthentication ¶
func (g *GRPCServer) GetHeadlessAuthentication(ctx context.Context, req *authpb.GetHeadlessAuthenticationRequest) (*types.HeadlessAuthentication, error)
GetHeadlessAuthentication retrieves a headless authentication.
func (*GRPCServer) GetInstaller ¶
func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)
GetInstaller retrieves the installer script resource.
func (*GRPCServer) GetInstallers ¶
func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)
GetInstallers returns all installer script resources registered in the cluster.
func (*GRPCServer) GetInstances ¶
func (g *GRPCServer) GetInstances(filter *types.InstanceFilter, stream authpb.AuthService_GetInstancesServer) error
func (*GRPCServer) GetInventoryConnectedServiceCounts ¶
func (g *GRPCServer) GetInventoryConnectedServiceCounts(ctx context.Context, _ *authpb.InventoryConnectedServiceCountsRequest) (*authpb.InventoryConnectedServiceCounts, error)
GetInventoryConnectedServiceCounts returns the counts of each connected service seen in the inventory.
func (*GRPCServer) GetInventoryStatus ¶
func (g *GRPCServer) GetInventoryStatus(ctx context.Context, req *authpb.InventoryStatusRequest) (*authpb.InventoryStatusSummary, error)
func (*GRPCServer) GetKubernetesCluster ¶
func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)
GetKubernetesCluster returns the specified Kubernetes cluster resource.
func (*GRPCServer) GetKubernetesClusters ¶
func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)
GetKubernetesClusters returns all Kubernetes cluster resources.
func (*GRPCServer) GetLicense ¶
func (g *GRPCServer) GetLicense(ctx context.Context, req *authpb.GetLicenseRequest) (*authpb.GetLicenseResponse, error)
GetLicense returns the license used to start the auth server.
func (*GRPCServer) GetLock ¶
func (g *GRPCServer) GetLock(ctx context.Context, req *authpb.GetLockRequest) (*types.LockV2, error)
GetLock retrieves a lock by name.
func (*GRPCServer) GetLocks ¶
func (g *GRPCServer) GetLocks(ctx context.Context, req *authpb.GetLocksRequest) (*authpb.GetLocksResponse, error)
GetLocks returns all locks, or only the in-force ones, optionally restricted to those matching at least one of the supplied targets.
func (*GRPCServer) GetMFADevices ¶
func (g *GRPCServer) GetMFADevices(ctx context.Context, req *authpb.GetMFADevicesRequest) (*authpb.GetMFADevicesResponse, error)
func (*GRPCServer) GetNetworkRestrictions ¶
func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)
GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).
func (*GRPCServer) GetNode ¶
func (g *GRPCServer) GetNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*types.ServerV2, error)
GetNode retrieves a node by name and namespace.
func (*GRPCServer) GetOIDCAuthRequest ¶
func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *authpb.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)
GetOIDCAuthRequest gets an OIDC AuthnRequest.
func (*GRPCServer) GetOIDCConnector ¶
func (g *GRPCServer) GetOIDCConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.OIDCConnectorV3, error)
GetOIDCConnector retrieves an OIDC connector by name.
func (*GRPCServer) GetOIDCConnectors ¶
func (g *GRPCServer) GetOIDCConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.OIDCConnectorV3List, error)
GetOIDCConnectors retrieves valid OIDC connectors; errors from individual connectors are not forwarded.
func (*GRPCServer) GetPluginData ¶
func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*authpb.PluginDataSeq, error)
GetPluginData loads all plugin data matching the supplied filter.
func (*GRPCServer) GetResetPasswordToken ¶
func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *authpb.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)
func (*GRPCServer) GetRole ¶
func (g *GRPCServer) GetRole(ctx context.Context, req *authpb.GetRoleRequest) (*types.RoleV6, error)
GetRole retrieves a role by name.
func (*GRPCServer) GetRoles ¶
func (g *GRPCServer) GetRoles(ctx context.Context, _ *emptypb.Empty) (*authpb.GetRolesResponse, error)
GetRoles retrieves all roles.
func (*GRPCServer) GetSAMLAuthRequest ¶
func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *authpb.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)
GetSAMLAuthRequest gets a SAMLAuthRequest by id.
func (*GRPCServer) GetSAMLConnector ¶
func (g *GRPCServer) GetSAMLConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.SAMLConnectorV2, error)
GetSAMLConnector retrieves a SAML connector by name.
func (*GRPCServer) GetSAMLConnectors ¶
func (g *GRPCServer) GetSAMLConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.SAMLConnectorV2List, error)
GetSAMLConnectors retrieves valid SAML connectors; errors from individual connectors are not forwarded.
func (*GRPCServer) GetSAMLIdPServiceProvider ¶
func (g *GRPCServer) GetSAMLIdPServiceProvider(ctx context.Context, req *authpb.GetSAMLIdPServiceProviderRequest) (*types.SAMLIdPServiceProviderV1, error)
GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resource.
func (*GRPCServer) GetSAMLIdPSession ¶
func (g *GRPCServer) GetSAMLIdPSession(ctx context.Context, req *authpb.GetSAMLIdPSessionRequest) (*authpb.GetSAMLIdPSessionResponse, error)
GetSAMLIdPSession gets a SAML IdP session.
func (*GRPCServer) GetSSHTargets ¶
func (g *GRPCServer) GetSSHTargets(ctx context.Context, req *authpb.GetSSHTargetsRequest) (*authpb.GetSSHTargetsResponse, error)
func (*GRPCServer) GetSSODiagnosticInfo ¶
func (g *GRPCServer) GetSSODiagnosticInfo(ctx context.Context, req *authpb.GetSSODiagnosticInfoRequest) (*types.SSODiagnosticInfo, error)
GetSSODiagnosticInfo gets the SSO diagnostic info for a specific SSO auth request.
func (*GRPCServer) GetSemaphores ¶
func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*authpb.Semaphores, error)
GetSemaphores returns a list of all semaphores matching the supplied filter.
func (*GRPCServer) GetServer ¶
func (g *GRPCServer) GetServer() (*grpc.Server, error)
GetServer returns an instance of the gRPC server.
func (*GRPCServer) GetServerInfo ¶
func (g *GRPCServer) GetServerInfo(ctx context.Context, req *types.ResourceRequest) (*types.ServerInfoV1, error)
GetServerInfo returns a ServerInfo by name.
func (*GRPCServer) GetServerInfos ¶
func (g *GRPCServer) GetServerInfos(_ *emptypb.Empty, stream authpb.AuthService_GetServerInfosServer) error
GetServerInfos returns a stream of ServerInfos.
func (*GRPCServer) GetSessionEvents ¶
func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *authpb.GetSessionEventsRequest) (*authpb.Events, error)
GetSessionEvents searches for session events on the backend and sends them back in a response.
func (*GRPCServer) GetSessionRecordingConfig ¶
func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)
GetSessionRecordingConfig gets session recording configuration.
func (*GRPCServer) GetSessionTracker ¶
func (g *GRPCServer) GetSessionTracker(ctx context.Context, req *authpb.GetSessionTrackerRequest) (*types.SessionTrackerV1, error)
GetSessionTracker returns the current state of a session tracker for an active session.
func (*GRPCServer) GetSnowflakeSession ¶
func (g *GRPCServer) GetSnowflakeSession(ctx context.Context, req *authpb.GetSnowflakeSessionRequest) (*authpb.GetSnowflakeSessionResponse, error)
func (*GRPCServer) GetSnowflakeSessions ¶
func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*authpb.GetSnowflakeSessionsResponse, error)
func (*GRPCServer) GetToken ¶
func (g *GRPCServer) GetToken(ctx context.Context, req *types.ResourceRequest) (*types.ProvisionTokenV2, error)
GetToken retrieves a token by name.
func (*GRPCServer) GetTokens ¶
func (g *GRPCServer) GetTokens(ctx context.Context, _ *emptypb.Empty) (*types.ProvisionTokenV2List, error)
GetTokens retrieves all tokens.
func (*GRPCServer) GetTrustedCluster ¶
func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)
GetTrustedCluster retrieves a Trusted Cluster by name.
func (*GRPCServer) GetTrustedClusters ¶
func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)
GetTrustedClusters retrieves all Trusted Clusters.
func (*GRPCServer) GetUIConfig ¶
func (g *GRPCServer) GetUIConfig(ctx context.Context, _ *emptypb.Empty) (*types.UIConfigV1, error)
func (*GRPCServer) GetUnstructuredEvents ¶
func (g *GRPCServer) GetUnstructuredEvents(ctx context.Context, req *auditlogpb.GetUnstructuredEventsRequest) (*auditlogpb.EventsUnstructured, error)
GetUnstructuredEvents searches for events on the backend and sends them back in an unstructured format.
func (*GRPCServer) GetUser ¶
func (g *GRPCServer) GetUser(ctx context.Context, req *authpb.GetUserRequest) (*types.UserV2, error)
GetUser returns a user matching the provided name if one exists. TODO(tross): DELETE IN 16.0.0. Deprecated: use usersv1.Service.GetUser instead.
func (*GRPCServer) GetUserGroup ¶
func (g *GRPCServer) GetUserGroup(ctx context.Context, req *authpb.GetUserGroupRequest) (*types.UserGroupV1, error)
GetUserGroup returns the specified user group resource.
func (*GRPCServer) GetUsers ¶
func (g *GRPCServer) GetUsers(req *authpb.GetUsersRequest, stream authpb.AuthService_GetUsersServer) error
GetUsers returns all users. TODO(tross): DELETE IN 16.0.0. Deprecated: use usersv1.Service.ListUsers instead.
func (*GRPCServer) GetWebSession ¶
func (g *GRPCServer) GetWebSession(ctx context.Context, req *types.GetWebSessionRequest) (*authpb.GetWebSessionResponse, error)
GetWebSession gets a web session.
func (*GRPCServer) GetWebSessions ¶
func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*authpb.GetWebSessionsResponse, error)
GetWebSessions gets all web sessions.
func (*GRPCServer) GetWebToken ¶
func (g *GRPCServer) GetWebToken(ctx context.Context, req *types.GetWebTokenRequest) (*authpb.GetWebTokenResponse, error)
GetWebToken gets a web token.
func (*GRPCServer) GetWebTokens ¶
func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*authpb.GetWebTokensResponse, error)
GetWebTokens gets all web tokens.
func (*GRPCServer) GetWindowsDesktopService ¶
func (g *GRPCServer) GetWindowsDesktopService(ctx context.Context, req *authpb.GetWindowsDesktopServiceRequest) (*authpb.GetWindowsDesktopServiceResponse, error)
GetWindowsDesktopService returns a registered Windows desktop service by name.
func (*GRPCServer) GetWindowsDesktopServices ¶
func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*authpb.GetWindowsDesktopServicesResponse, error)
GetWindowsDesktopServices returns all registered Windows desktop services.
func (*GRPCServer) GetWindowsDesktops ¶
func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, filter *types.WindowsDesktopFilter) (*authpb.GetWindowsDesktopsResponse, error)
GetWindowsDesktops returns all registered Windows desktop hosts.
func (*GRPCServer) InventoryControlStream ¶
func (g *GRPCServer) InventoryControlStream(stream authpb.AuthService_InventoryControlStreamServer) error
func (*GRPCServer) IsMFARequired ¶
func (g *GRPCServer) IsMFARequired(ctx context.Context, req *authpb.IsMFARequiredRequest) (*authpb.IsMFARequiredResponse, error)
func (*GRPCServer) KeepAliveSemaphoreLease ¶
func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
KeepAliveSemaphoreLease updates semaphore lease.
func (*GRPCServer) ListAppSessions ¶
func (g *GRPCServer) ListAppSessions(ctx context.Context, req *authpb.ListAppSessionsRequest) (*authpb.ListAppSessionsResponse, error)
ListAppSessions gets a paginated list of application web sessions.
func (*GRPCServer) ListReleases ¶
func (g *GRPCServer) ListReleases(ctx context.Context, req *authpb.ListReleasesRequest) (*authpb.ListReleasesResponse, error)
ListReleases returns a list of Teleport Enterprise releases.
func (*GRPCServer) ListResources ¶
func (g *GRPCServer) ListResources(ctx context.Context, req *authpb.ListResourcesRequest) (*authpb.ListResourcesResponse, error)
ListResources retrieves a paginated list of resources.
func (*GRPCServer) ListSAMLIdPServiceProviders ¶
func (g *GRPCServer) ListSAMLIdPServiceProviders(ctx context.Context, req *authpb.ListSAMLIdPServiceProvidersRequest) (*authpb.ListSAMLIdPServiceProvidersResponse, error)
ListSAMLIdPServiceProviders returns a paginated list of SAML IdP service provider resources.
func (*GRPCServer) ListSAMLIdPSessions ¶
func (g *GRPCServer) ListSAMLIdPSessions(ctx context.Context, req *authpb.ListSAMLIdPSessionsRequest) (*authpb.ListSAMLIdPSessionsResponse, error)
ListSAMLIdPSessions gets a paginated list of SAML IdP sessions.
func (*GRPCServer) ListUnifiedResources ¶
func (g *GRPCServer) ListUnifiedResources(ctx context.Context, req *authpb.ListUnifiedResourcesRequest) (*authpb.ListUnifiedResourcesResponse, error)
ListUnifiedResources retrieves a paginated list of unified resources.
func (*GRPCServer) ListUserGroups ¶
func (g *GRPCServer) ListUserGroups(ctx context.Context, req *authpb.ListUserGroupsRequest) (*authpb.ListUserGroupsResponse, error)
ListUserGroups returns a paginated list of user group resources.
func (*GRPCServer) MaintainSessionPresence ¶
func (g *GRPCServer) MaintainSessionPresence(stream authpb.AuthService_MaintainSessionPresenceServer) error
MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
func (*GRPCServer) Ping ¶
func (g *GRPCServer) Ping(ctx context.Context, req *authpb.PingRequest) (*authpb.PingResponse, error)
func (*GRPCServer) PingInventory ¶
func (g *GRPCServer) PingInventory(ctx context.Context, req *authpb.InventoryPingRequest) (*authpb.InventoryPingResponse, error)
func (*GRPCServer) RemoveSessionTracker ¶
func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *authpb.RemoveSessionTrackerRequest) (*emptypb.Empty, error)
RemoveSessionTracker removes a tracker resource for an active session.
func (*GRPCServer) ReplaceRemoteLocks ¶
func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *authpb.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)
ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
func (*GRPCServer) ResetAuthPreference ¶
func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetAuthPreference resets cluster auth preference to defaults.
func (*GRPCServer) ResetClusterNetworkingConfig ¶
func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
func (*GRPCServer) ResetSessionRecordingConfig ¶
func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetSessionRecordingConfig resets session recording configuration to defaults.
func (*GRPCServer) SendKeepAlives ¶
func (g *GRPCServer) SendKeepAlives(stream authpb.AuthService_SendKeepAlivesServer) error
SendKeepAlives allows a node to send a stream of keep-alive requests.
func (*GRPCServer) SetAccessRequestState ¶
func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *authpb.RequestStateSetter) (*emptypb.Empty, error)
func (*GRPCServer) SetAuthPreference ¶
func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)
SetAuthPreference sets cluster auth preference.
func (*GRPCServer) SetClusterNetworkingConfig ¶
func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)
SetClusterNetworkingConfig sets cluster networking configuration.
func (*GRPCServer) SetInstaller ¶
func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)
SetInstaller sets the installer script resource.
func (*GRPCServer) SetNetworkRestrictions ¶
func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)
SetNetworkRestrictions updates the network restrictions.
func (*GRPCServer) SetSessionRecordingConfig ¶
func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)
SetSessionRecordingConfig sets session recording configuration.
func (*GRPCServer) SetUIConfig ¶
func (g *GRPCServer) SetUIConfig(ctx context.Context, req *types.UIConfigV1) (*emptypb.Empty, error)
func (*GRPCServer) SignDatabaseCSR ¶
func (g *GRPCServer) SignDatabaseCSR(ctx context.Context, req *authpb.DatabaseCSRRequest) (*authpb.DatabaseCSRResponse, error)
SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.
func (*GRPCServer) StartAccountRecovery ¶
func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *authpb.StartAccountRecoveryRequest) (*types.UserTokenV3, error)
StartAccountRecovery is implemented by AuthService.StartAccountRecovery.
func (*GRPCServer) StreamSessionEvents ¶
func (g *GRPCServer) StreamSessionEvents(req *authpb.StreamSessionEventsRequest, stream authpb.AuthService_StreamSessionEventsServer) error
StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
func (*GRPCServer) StreamUnstructuredSessionEventsServer ¶
func (g *GRPCServer) StreamUnstructuredSessionEventsServer(req *auditlogpb.StreamUnstructuredSessionEventsRequest, stream auditlogpb.AuditLogService_StreamUnstructuredSessionEventsServer) error
StreamUnstructuredSessionEventsServer streams all events from a given session recording in an unstructured format.
func (*GRPCServer) SubmitAccessReview ¶
func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)
func (*GRPCServer) SubmitUsageEvent ¶
func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *authpb.SubmitUsageEventRequest) (*emptypb.Empty, error)
SubmitUsageEvent submits an external usage event.
func (*GRPCServer) UpdateClusterMaintenanceConfig ¶
func (g *GRPCServer) UpdateClusterMaintenanceConfig(ctx context.Context, cmc *types.ClusterMaintenanceConfigV1) (*emptypb.Empty, error)
UpdateClusterMaintenanceConfig updates the current maintenance config singleton.
func (*GRPCServer) UpdateConnectionDiagnostic ¶
func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
UpdateConnectionDiagnostic updates a connection diagnostic.
func (*GRPCServer) UpdateDatabase ¶
func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
UpdateDatabase updates an existing database resource.
func (*GRPCServer) UpdateGithubConnector ¶
func (g *GRPCServer) UpdateGithubConnector(ctx context.Context, req *authpb.UpdateGithubConnectorRequest) (*types.GithubConnectorV3, error)
UpdateGithubConnector updates an existing Github connector.
func (*GRPCServer) UpdateHeadlessAuthenticationState ¶
func (g *GRPCServer) UpdateHeadlessAuthenticationState(ctx context.Context, req *authpb.UpdateHeadlessAuthenticationStateRequest) (*emptypb.Empty, error)
UpdateHeadlessAuthenticationState updates a headless authentication state.
func (*GRPCServer) UpdateKubernetesCluster ¶
func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
UpdateKubernetesCluster updates an existing Kubernetes cluster resource.
func (*GRPCServer) UpdateOIDCConnector ¶
func (g *GRPCServer) UpdateOIDCConnector(ctx context.Context, req *authpb.UpdateOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
UpdateOIDCConnector updates an existing OIDC connector.
func (*GRPCServer) UpdatePluginData ¶
func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)
UpdatePluginData updates a per-resource PluginData entry.
func (*GRPCServer) UpdateRemoteCluster ¶
func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)
UpdateRemoteCluster updates a remote cluster.
func (*GRPCServer) UpdateRole ¶
func (g *GRPCServer) UpdateRole(ctx context.Context, req *authpb.UpdateRoleRequest) (*types.RoleV6, error)
UpdateRole updates an existing role.
func (*GRPCServer) UpdateSAMLConnector ¶
func (g *GRPCServer) UpdateSAMLConnector(ctx context.Context, req *authpb.UpdateSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
UpdateSAMLConnector updates an existing SAML connector.
func (*GRPCServer) UpdateSAMLIdPServiceProvider ¶
func (g *GRPCServer) UpdateSAMLIdPServiceProvider(ctx context.Context, sp *types.SAMLIdPServiceProviderV1) (*emptypb.Empty, error)
UpdateSAMLIdPServiceProvider updates an existing SAML IdP service provider resource.
func (*GRPCServer) UpdateSessionTracker ¶
func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *authpb.UpdateSessionTrackerRequest) (*emptypb.Empty, error)
UpdateSessionTracker updates a tracker resource for an active session.
func (*GRPCServer) UpdateUser ¶
UpdateUser updates an existing user in a backend. This does not use the users service like other user CRUD methods, in order to preserve update semantics. This results in all updates blindly overwriting the existing user, whereas updating users with usersv1.Service.UpdateUser is protected by optimistic locking. TODO(tross): DELETE IN 16.0.0. Deprecated: use usersv1.Service.UpdateUser instead.
func (*GRPCServer) UpdateUserGroup ¶
func (g *GRPCServer) UpdateUserGroup(ctx context.Context, sp *types.UserGroupV1) (*emptypb.Empty, error)
UpdateUserGroup updates an existing user group resource.
func (*GRPCServer) UpdateWindowsDesktop ¶
func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
UpdateWindowsDesktop updates an existing Windows desktop host.
func (*GRPCServer) UpsertApplicationServer ¶
func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *authpb.UpsertApplicationServerRequest) (*types.KeepAlive, error)
UpsertApplicationServer registers an application server.
func (*GRPCServer) UpsertClusterAlert ¶
func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *authpb.UpsertClusterAlertRequest) (*emptypb.Empty, error)
func (*GRPCServer) UpsertDatabaseServer ¶
func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *authpb.UpsertDatabaseServerRequest) (*types.KeepAlive, error)
UpsertDatabaseServer registers a new database proxy server.
func (*GRPCServer) UpsertDatabaseService ¶
func (g *GRPCServer) UpsertDatabaseService(ctx context.Context, req *authpb.UpsertDatabaseServiceRequest) (*types.KeepAlive, error)
UpsertDatabaseService registers a new database service.
func (*GRPCServer) UpsertGithubConnector ¶
func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)
UpsertGithubConnector creates a new or replaces an existing Github connector. Deprecated: Use GRPCServer.UpsertGithubConnectorV2 instead.
func (*GRPCServer) UpsertGithubConnectorV2 ¶
func (g *GRPCServer) UpsertGithubConnectorV2(ctx context.Context, req *authpb.UpsertGithubConnectorRequest) (*types.GithubConnectorV3, error)
UpsertGithubConnectorV2 creates a new or replaces an existing Github connector.
func (*GRPCServer) UpsertKubernetesServer ¶
func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *authpb.UpsertKubernetesServerRequest) (*types.KeepAlive, error)
UpsertKubernetesServer registers a Kubernetes server.
func (*GRPCServer) UpsertLock ¶
UpsertLock upserts a lock.
func (*GRPCServer) UpsertNode ¶
func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)
UpsertNode upserts a node.
func (*GRPCServer) UpsertOIDCConnector ¶
func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)
UpsertOIDCConnector creates a new or replaces an existing OIDC connector. Deprecated: Use GRPCServer.UpsertOIDCConnectorV2 instead.
func (*GRPCServer) UpsertOIDCConnectorV2 ¶
func (g *GRPCServer) UpsertOIDCConnectorV2(ctx context.Context, req *authpb.UpsertOIDCConnectorRequest) (*types.OIDCConnectorV3, error)
UpsertOIDCConnectorV2 creates a new or replaces an existing OIDC connector.
func (*GRPCServer) UpsertRole ¶
UpsertRole upserts a role.
func (*GRPCServer) UpsertRoleV2 ¶
func (g *GRPCServer) UpsertRoleV2(ctx context.Context, req *authpb.UpsertRoleRequest) (*types.RoleV6, error)
UpsertRoleV2 upserts a role.
func (*GRPCServer) UpsertSAMLConnector ¶
func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)
UpsertSAMLConnector upserts a SAML connector. Deprecated: Use GRPCServer.UpsertSAMLConnectorV2 instead.
func (*GRPCServer) UpsertSAMLConnectorV2 ¶
func (g *GRPCServer) UpsertSAMLConnectorV2(ctx context.Context, req *authpb.UpsertSAMLConnectorRequest) (*types.SAMLConnectorV2, error)
UpsertSAMLConnectorV2 creates a new or replaces an existing SAML connector.
func (*GRPCServer) UpsertServerInfo ¶
func (g *GRPCServer) UpsertServerInfo(ctx context.Context, si *types.ServerInfoV1) (*emptypb.Empty, error)
UpsertServerInfo upserts a ServerInfo.
func (*GRPCServer) UpsertTokenV2 ¶
func (g *GRPCServer) UpsertTokenV2(ctx context.Context, req *authpb.UpsertTokenV2Request) (*emptypb.Empty, error)
UpsertTokenV2 upserts a token.
func (*GRPCServer) UpsertTrustedCluster ¶
func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)
UpsertTrustedCluster upserts a Trusted Cluster.
func (*GRPCServer) UpsertWindowsDesktop ¶
func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
UpsertWindowsDesktop updates a Windows desktop host, creating it if it doesn't exist.
func (*GRPCServer) UpsertWindowsDesktopService ¶
func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)
UpsertWindowsDesktopService registers a new Windows desktop service.
func (*GRPCServer) VerifyAccountRecovery ¶
func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *authpb.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)
VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.
func (*GRPCServer) WatchEvents ¶
func (g *GRPCServer) WatchEvents(watch *authpb.Watch, stream authpb.AuthService_WatchEventsServer) (err error)
WatchEvents returns a new stream of cluster events
func (*GRPCServer) WatchPendingHeadlessAuthentications ¶
func (g *GRPCServer) WatchPendingHeadlessAuthentications(_ *emptypb.Empty, stream authpb.AuthService_WatchPendingHeadlessAuthenticationsServer) error
WatchPendingHeadlessAuthentications watches the backend for pending headless authentication requests for the user.
type GRPCServerConfig ¶
type GRPCServerConfig struct {
    // APIConfig is gRPC server API configuration
    APIConfig
    // TLS is gRPC server config
    TLS *tls.Config
    // Middleware is the request TLS client authenticator
    Middleware *Middleware
    // UnaryInterceptors is the gRPC unary interceptor chain.
    UnaryInterceptors []grpc.UnaryServerInterceptor
    // StreamInterceptors is the gRPC stream interceptor chain.
    StreamInterceptors []grpc.StreamServerInterceptor
}
GRPCServerConfig specifies gRPC server configuration
func (*GRPCServerConfig) CheckAndSetDefaults ¶
func (cfg *GRPCServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type GenerateUserTestCertsRequest ¶
type GenerateUserTestCertsRequest struct {
    Key            []byte
    Username       string
    TTL            time.Duration
    Compatibility  string
    RouteToCluster string
    PinnedIP       string
    MFAVerified    string
}
GenerateUserTestCertsRequest is a request to generate test certificates.
type GithubAuthRequest ¶
type GithubAuthRequest struct {
    // ConnectorID is the name of the connector to use.
    ConnectorID string `json:"connector_id"`
    // CSRFToken is used to protect against CSRF attacks.
    CSRFToken string `json:"csrf_token"`
    // PublicKey is an optional public key to sign in case of successful auth.
    PublicKey []byte `json:"public_key"`
    // CreateWebSession indicates that a user wants to generate a web session
    // after successful authentication.
    CreateWebSession bool `json:"create_web_session"`
    // ClientRedirectURL is the URL where client will be redirected after
    // successful auth.
    ClientRedirectURL string `json:"client_redirect_url"`
}
GithubAuthRequest is a Github auth request that supports standard JSON marshaling.
func GithubAuthRequestFromProto ¶
func GithubAuthRequestFromProto(req *types.GithubAuthRequest) GithubAuthRequest
GithubAuthRequestFromProto converts the types.GithubAuthRequest to GithubAuthRequest.
type GithubAuthResponse ¶
type GithubAuthResponse struct {
    // Username is the name of authenticated user
    Username string `json:"username"`
    // Identity is the external identity
    Identity types.ExternalIdentity `json:"identity"`
    // Session is the created web session
    Session types.WebSession `json:"session,omitempty"`
    // Cert is the generated SSH client certificate
    Cert []byte `json:"cert,omitempty"`
    // TLSCert is PEM encoded TLS client certificate
    TLSCert []byte `json:"tls_cert,omitempty"`
    // Req is the original auth request
    Req GithubAuthRequest `json:"req"`
    // HostSigners is a list of signing host public keys
    // trusted by proxy, used in console login
    HostSigners []types.CertAuthority `json:"host_signers"`
}
GithubAuthResponse represents Github auth callback validation response
type GithubConverter ¶
type GithubConverter struct {
ClientI
}
GithubConverter is a thin wrapper around the ClientI interface that ensures GitHub auth connectors use the registered implementation.
func (*GithubConverter) CreateGithubConnector ¶
func (g *GithubConverter) CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
func (*GithubConverter) GetGithubConnector ¶
func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)
func (*GithubConverter) GetGithubConnectors ¶
func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
func (*GithubConverter) UpdateGithubConnector ¶
func (g *GithubConverter) UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
func (*GithubConverter) UpsertGithubConnector ¶
func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
type HTTPClient ¶
HTTPClient is a teleport HTTP API client.
func NewHTTPClient ¶
func NewHTTPClient(cfg *HTTPClientConfig, params ...roundtrip.ClientParam) (*HTTPClient, error)
NewHTTPClient creates a new HTTP client with TLS authentication and the given dialer.
func (*HTTPClient) AuthenticateSSHUser ¶
func (c *HTTPClient) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed short-lived TLS and SSH certificates.
func (*HTTPClient) AuthenticateWebUser ¶
func (c *HTTPClient) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session.
func (*HTTPClient) CloneHTTPClient ¶
func (c *HTTPClient) CloneHTTPClient(params ...roundtrip.ClientParam) (*HTTPClient, error)
CloneHTTPClient creates a new HTTP client with the same configuration.
func (*HTTPClient) Close ¶
func (c *HTTPClient) Close()
Close closes the HTTP client connection to the auth server.
func (*HTTPClient) CreateRemoteCluster ¶
func (c *HTTPClient) CreateRemoteCluster(rc types.RemoteCluster) error
CreateRemoteCluster creates remote cluster resource
func (*HTTPClient) CreateWebSession ¶
func (c *HTTPClient) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
CreateWebSession creates a new web session for a user
func (*HTTPClient) DeleteAllProxies ¶
func (c *HTTPClient) DeleteAllProxies() error
DeleteAllProxies deletes all proxies
func (*HTTPClient) DeleteAllRemoteClusters ¶
func (c *HTTPClient) DeleteAllRemoteClusters() error
DeleteAllRemoteClusters deletes all remote clusters
func (*HTTPClient) DeleteAllTunnelConnections ¶
func (c *HTTPClient) DeleteAllTunnelConnections() error
DeleteAllTunnelConnections deletes all tunnel connections
func (*HTTPClient) DeleteNamespace ¶
func (c *HTTPClient) DeleteNamespace(name string) error
DeleteNamespace deletes namespace by name
func (*HTTPClient) DeleteProxy ¶
func (c *HTTPClient) DeleteProxy(ctx context.Context, name string) error
DeleteProxy deletes proxy by name
func (*HTTPClient) DeleteRemoteCluster ¶
func (c *HTTPClient) DeleteRemoteCluster(ctx context.Context, clusterName string) error
DeleteRemoteCluster deletes remote cluster by name
func (*HTTPClient) DeleteReverseTunnel ¶
func (c *HTTPClient) DeleteReverseTunnel(domainName string) error
DeleteReverseTunnel deletes reverse tunnel by domain name
func (*HTTPClient) DeleteStaticTokens ¶
func (c *HTTPClient) DeleteStaticTokens() error
DeleteStaticTokens deletes static tokens
func (*HTTPClient) DeleteTunnelConnection ¶
func (c *HTTPClient) DeleteTunnelConnection(clusterName string, connName string) error
DeleteTunnelConnection deletes tunnel connection by name
func (*HTTPClient) DeleteTunnelConnections ¶
func (c *HTTPClient) DeleteTunnelConnections(clusterName string) error
DeleteTunnelConnections deletes all tunnel connections for cluster
func (*HTTPClient) DeleteWebSession ¶
DeleteWebSession deletes the web session specified with sid for the given user
func (*HTTPClient) ExtendWebSession ¶
func (c *HTTPClient) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on another valid web session
func (*HTTPClient) Get ¶
func (c *HTTPClient) Get(ctx context.Context, u string, params url.Values) (*roundtrip.Response, error)
Get issues an HTTP GET request to the server.
func (*HTTPClient) GetAllTunnelConnections ¶
func (c *HTTPClient) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
GetAllTunnelConnections returns all tunnel connections
func (*HTTPClient) GetAuthServers ¶
func (c *HTTPClient) GetAuthServers() ([]types.Server, error)
GetAuthServers returns the list of auth servers registered in the cluster.
func (*HTTPClient) GetClusterName ¶
func (c *HTTPClient) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
GetClusterName returns the cluster name.
func (*HTTPClient) GetNamespace ¶
func (c *HTTPClient) GetNamespace(name string) (*types.Namespace, error)
GetNamespace returns namespace by name
func (*HTTPClient) GetNamespaces ¶
func (c *HTTPClient) GetNamespaces() ([]types.Namespace, error)
GetNamespaces returns a list of namespaces
func (*HTTPClient) GetProxies ¶
func (c *HTTPClient) GetProxies() ([]types.Server, error)
GetProxies returns the list of auth servers registered in the cluster.
func (*HTTPClient) GetRemoteCluster ¶
func (c *HTTPClient) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
GetRemoteCluster returns a remote cluster by name
func (*HTTPClient) GetRemoteClusters ¶
func (c *HTTPClient) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
GetRemoteClusters returns a list of remote clusters
func (*HTTPClient) GetReverseTunnels ¶
func (c *HTTPClient) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
GetReverseTunnels returns the list of created reverse tunnels
func (*HTTPClient) GetSessionChunk ¶
func (c *HTTPClient) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting at offsetBytes and at most maxBytes long. The upper bound of maxBytes is events.MaxChunkBytes.
func (*HTTPClient) GetSessionEvents ¶
func (c *HTTPClient) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)
GetSessionEvents returns the events that happened during a session, sorted by time (oldest first).
afterN filters to events newer than N, where N is the cursor ID of the previously returned batch (useful for polling for the latest events).
func (*HTTPClient) GetStaticTokens ¶
func (c *HTTPClient) GetStaticTokens() (types.StaticTokens, error)
GetStaticTokens returns a list of static register tokens
func (*HTTPClient) GetTunnelConnections ¶
func (c *HTTPClient) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
GetTunnelConnections returns tunnel connections for a given cluster
func (*HTTPClient) GetWebSessionInfo ¶
func (c *HTTPClient) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo checks whether a web session is valid and returns the session if it is, or an error otherwise.
func (*HTTPClient) PostForm ¶
func (c *HTTPClient) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
PostForm is a generic method that issues an HTTP POST request to the server.
func (*HTTPClient) PostJSON ¶
func (c *HTTPClient) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
PostJSON is a generic method that issues an HTTP POST request to the server.
func (*HTTPClient) ProcessKubeCSR ¶
func (c *HTTPClient) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes a CSR against the Kubernetes CA and returns the signed certificate on success.
func (*HTTPClient) PutJSON ¶
func (c *HTTPClient) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
PutJSON is a generic method that issues an HTTP PUT request to the server.
func (*HTTPClient) RegisterUsingToken ¶
func (c *HTTPClient) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via CreateToken/UpsertToken.
func (*HTTPClient) RotateCertAuthority ¶
func (c *HTTPClient) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*HTTPClient) RotateExternalCertAuthority ¶
func (c *HTTPClient) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
RotateExternalCertAuthority rotates an external certificate authority. This method is used to update only the public keys and certificates of the certificate authorities of trusted clusters.
func (*HTTPClient) SetClusterName ¶
func (c *HTTPClient) SetClusterName(cn types.ClusterName) error
SetClusterName sets the cluster name once; it returns an Already Exists error if the name is already set.
func (*HTTPClient) SetStaticTokens ¶
func (c *HTTPClient) SetStaticTokens(st types.StaticTokens) error
SetStaticTokens sets a list of static register tokens
func (*HTTPClient) TLSConfig ¶
func (c *HTTPClient) TLSConfig() *tls.Config
TLSConfig returns the HTTP client's TLS config.
func (*HTTPClient) UpsertAuthServer ¶
UpsertAuthServer is used by auth servers to report their presence to other auth servers in the form of a heartbeat that expires after the TTL period.
func (*HTTPClient) UpsertNamespace ¶
func (c *HTTPClient) UpsertNamespace(ns types.Namespace) error
UpsertNamespace upserts namespace
func (*HTTPClient) UpsertProxy ¶
UpsertProxy is used by proxies to report their presence to other auth servers in the form of a heartbeat that expires after the TTL period.
func (*HTTPClient) UpsertReverseTunnel ¶
func (c *HTTPClient) UpsertReverseTunnel(tunnel types.ReverseTunnel) error
UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions
func (*HTTPClient) UpsertTunnelConnection ¶
func (c *HTTPClient) UpsertTunnelConnection(conn types.TunnelConnection) error
UpsertTunnelConnection upserts tunnel connection
func (*HTTPClient) ValidateGithubAuthCallback ¶
func (c *HTTPClient) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback returned from redirect
func (*HTTPClient) ValidateOIDCAuthCallback ¶
func (c *HTTPClient) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
func (*HTTPClient) ValidateSAMLResponse ¶
func (c *HTTPClient) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates response returned by SAML identity provider
func (*HTTPClient) ValidateTrustedCluster ¶
func (c *HTTPClient) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
type HTTPClientConfig ¶
type HTTPClientConfig struct {
    // TLS holds the TLS config for the http client.
    TLS *tls.Config
    // MaxIdleConns controls the maximum number of idle (keep-alive) connections across all hosts.
    MaxIdleConns int
    // MaxIdleConnsPerHost, if non-zero, controls the maximum idle (keep-alive) connections to keep per-host.
    MaxIdleConnsPerHost int
    // MaxConnsPerHost limits the total number of connections per host, including connections in the dialing,
    // active, and idle states. On limit violation, dials will block.
    MaxConnsPerHost int
    // RequestTimeout specifies a time limit for requests made by this Client.
    RequestTimeout time.Duration
    // IdleConnTimeout defines the maximum amount of time before idle connections are closed.
    IdleConnTimeout time.Duration
    // ResponseHeaderTimeout specifies the amount of time to wait for a server's
    // response headers after fully writing the request (including its body, if any).
    // This time does not include the time to read the response body.
    ResponseHeaderTimeout time.Duration
    // Dialer is a custom dialer used to dial a server. The Dialer should
    // have custom logic to provide an address to the dialer. If set, Dialer
    // takes precedence over all other connection options.
    Dialer client.ContextDialer
    // ALPNSNIAuthDialClusterName if present the client will include ALPN SNI routing information in TLS Hello message
    // allowing to dial auth service through Teleport Proxy directly without using SSH Tunnels.
    ALPNSNIAuthDialClusterName string
    // CircuitBreakerConfig defines how the circuit breaker should behave.
    CircuitBreakerConfig breaker.Config
}
HTTPClientConfig contains configuration for an HTTP client.
func (*HTTPClientConfig) CheckAndSetDefaults ¶
func (c *HTTPClientConfig) CheckAndSetDefaults() error
CheckAndSetDefaults validates and sets defaults for HTTP configuration.
func (*HTTPClientConfig) Clone ¶
func (c *HTTPClientConfig) Clone() *HTTPClientConfig
Clone creates a new client with the same configuration.
type HandlerWithAuthFunc ¶
type HandlerWithAuthFunc func(auth *ServerWithRoles, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)
HandlerWithAuthFunc is http handler with passed auth context
type HostCredentials ¶
type HostCredentials func(context.Context, string, bool, types.RegisterUsingTokenRequest) (*proto.Certs, error)
CredGetter is an interface for a client that can be used to get host credentials. This interface is needed because lib/client cannot be imported in lib/auth due to circular imports.
type Identity ¶
type Identity struct {
    // ID specifies server unique ID, name and role
    ID IdentityID
    // KeyBytes is a PEM encoded private key
    KeyBytes []byte
    // CertBytes is a PEM encoded SSH host cert
    CertBytes []byte
    // TLSCertBytes is a PEM encoded TLS x509 client certificate
    TLSCertBytes []byte
    // TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority
    // associated with auth server services
    TLSCACertsBytes [][]byte
    // SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
    SSHCACertBytes [][]byte
    // KeySigner is an SSH host certificate signer
    KeySigner ssh.Signer
    // Cert is a parsed SSH certificate
    Cert *ssh.Certificate
    // XCert is X509 client certificate
    XCert *x509.Certificate
    // ClusterName is a name of host's cluster
    ClusterName string
    // SystemRoles is a list of additional system roles.
    SystemRoles []string
}
Identity is a collection of certificates and signers that represent a server identity.
func GenerateIdentity ¶
func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
GenerateIdentity generates identity for the auth server
func LocalRegister ¶
func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, remoteAddr string, systemRoles []types.SystemRole) (*Identity, error)
LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.
func NewServerIdentity ¶
NewServerIdentity generates new server identity, used in tests
func ReRegister ¶
func ReRegister(params ReRegisterParams) (*Identity, error)
ReRegister renews the certificates and private keys based on the client's existing identity.
func ReadIdentityFromKeyPair ¶
ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.
func ReadLocalIdentity ¶
func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
ReadLocalIdentity reads, parses and returns the given public/private key pair and certificate from the key storage (dataDir).
func ReadSSHIdentityFromKeyPair ¶
ReadSSHIdentityFromKeyPair reads identity from initialized keypair
func ReadTLSIdentityFromKeyPair ¶
func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
ReadTLSIdentityFromKeyPair reads TLS identity from key pair
func (*Identity) HasDNSNames ¶
HasDNSNames returns true if the TLS certificate has the required DNS names.
func (*Identity) HasPrincipals ¶
HasPrincipals returns whether the identity has principals.
func (*Identity) HasSystemRole ¶
func (i *Identity) HasSystemRole(role types.SystemRole) bool
HasSystemRole checks if this identity encompasses the supplied system role.
func (*Identity) HasTLSConfig ¶
HasTLSConfig returns true if this identity has a TLS certificate and private key.
func (*Identity) SSHClientConfig ¶
func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)
SSHClientConfig returns a ssh.ClientConfig used by nodes to connect to the reverse tunnel server.
type IdentityID ¶
type IdentityID struct {
    Role     types.SystemRole
    HostUUID string
    NodeName string
}
IdentityID is a combination of role, host UUID, and node name.
func (*IdentityID) Equals ¶
func (id *IdentityID) Equals(other IdentityID) bool
Equals returns true if two identities are equal
func (*IdentityID) HostID ¶
func (id *IdentityID) HostID() string
HostID returns the host-ID part of the host UUID, which consists of the host ID and the cluster name.
func (*IdentityID) String ¶
func (id *IdentityID) String() string
String returns a debug-friendly representation of this identity.
type IdentityInfo ¶
type IdentityInfo struct {
    // TLSInfo contains TLS connection information.
    *credentials.TLSInfo
    // IdentityGetter provides a mechanism to retrieve the
    // identity of the client.
    IdentityGetter authz.IdentityGetter
    // AuthContext contains information about the traits and roles
    // that an identity may have. This will be unset if the
    // [TransportCredentialsConfig.Authorizer] provided to [NewTransportCredentials]
    // was nil.
    AuthContext *authz.Context
}
IdentityInfo contains the auth information and identity for an authenticated TLS connection. It implements the credentials.AuthInfo interface and is returned from TransportCredentials.ServerHandshake.
type IdentityService ¶
type IdentityService interface {
    // CreateOIDCConnector creates a new OIDC connector.
    CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
    // UpdateOIDCConnector updates an existing OIDC connector.
    UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
    // UpsertOIDCConnector updates or creates an OIDC connector.
    UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
    // GetOIDCConnector returns OIDC connector information by id
    GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
    // GetOIDCConnectors gets valid OIDC connectors list
    GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
    // DeleteOIDCConnector deletes OIDC connector by ID
    DeleteOIDCConnector(ctx context.Context, connectorID string) error
    // CreateOIDCAuthRequest creates OIDCAuthRequest
    CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
    // GetOIDCAuthRequest returns OIDC auth request if found
    GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
    // ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
    ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
    // CreateSAMLConnector creates a new SAML connector.
    CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
    // UpdateSAMLConnector updates an existing SAML connector
    UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
    // UpsertSAMLConnector updates or creates a SAML connector
    UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
    // GetSAMLConnector returns SAML connector information by id
    GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
    // GetSAMLConnectors gets valid SAML connectors list
    GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
    // DeleteSAMLConnector deletes SAML connector by ID
    DeleteSAMLConnector(ctx context.Context, connectorID string) error
    // CreateSAMLAuthRequest creates SAML AuthnRequest
    CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
    // ValidateSAMLResponse validates SAML auth response
    ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
    // GetSAMLAuthRequest returns SAML auth request if found
    GetSAMLAuthRequest(ctx context.Context, authRequestID string) (*types.SAMLAuthRequest, error)
    // CreateGithubConnector creates a new Github connector.
    CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
    // UpdateGithubConnector updates an existing Github connector.
    UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
    // UpsertGithubConnector creates or updates a Github connector.
    UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
    // GetGithubConnectors returns valid Github connectors
    GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
    // GetGithubConnector returns the specified Github connector
    GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
    // DeleteGithubConnector deletes the specified Github connector
    DeleteGithubConnector(ctx context.Context, id string) error
    // CreateGithubAuthRequest creates a new request for Github OAuth2 flow
    CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
    // GetGithubAuthRequest returns Github auth request if found
    GetGithubAuthRequest(ctx context.Context, id string) (*types.GithubAuthRequest, error)
    // ValidateGithubAuthCallback validates Github auth callback
    ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
    // GetSSODiagnosticInfo returns SSO diagnostic info records.
    GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
    // GetUser returns user by name
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetCurrentUser returns current user as seen by the server.
    // Useful especially in the context of remote clusters which perform role and trait mapping.
    GetCurrentUser(ctx context.Context) (types.User, error)
    // GetCurrentUserRoles returns current user's roles.
    GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)
    // CreateUser inserts a new entry in a backend.
    CreateUser(ctx context.Context, user types.User) (types.User, error)
    // UpdateUser updates an existing user in a backend.
    UpdateUser(ctx context.Context, user types.User) (types.User, error)
    // UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
    // the result to storage.
    // Return `false` from `fn` to avoid storage changes.
    // Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
    // Returns the storage user.
    UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
    // UpsertUser user updates or inserts user entry
    UpsertUser(ctx context.Context, user types.User) (types.User, error)
    // CompareAndSwapUser updates an existing user in a backend, but fails if
    // the user in the backend does not match the expected value.
    CompareAndSwapUser(ctx context.Context, new, expected types.User) error
    // DeleteUser deletes an existing user in a backend by username.
    DeleteUser(ctx context.Context, user string) error
    // GetUsers returns a list of usernames registered in the system
    GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
    // ListUsers returns a page of users.
    ListUsers(ctx context.Context, pageSize int, pageToken string, withSecrets bool) ([]types.User, string, error)
    // ChangePassword changes user password
    ChangePassword(ctx context.Context, req *proto.ChangePasswordRequest) error
    // GenerateHostCert takes the public key in the OpenSSH `authorized_keys`
    // plain text format, signs it using Host Certificate Authority private key and returns the
    // resulting certificate.
    GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)
    // GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain
    // text format, signs it using User Certificate Authority signing key and
    // returns the resulting certificates.
    GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
    // GenerateUserSingleUseCerts is like GenerateUserCerts but issues a
    // certificate for a single session
    // (https://github.com/gravitational/teleport/blob/3a1cf9111c2698aede2056513337f32bfc16f1f1/rfd/0014-session-2FA.md#sessions).
    //
    // Deprecated: Use GenerateUserCerts instead.
    GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)
    // IsMFARequired is a request to check whether MFA is required to
    // access the Target.
    IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
    // DeleteAllUsers deletes all users
    DeleteAllUsers(ctx context.Context) error
    // CreateResetPasswordToken creates a new user reset token
    CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
    // CreateBot creates a new certificate renewal bot and associated resources.
    CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
    // DeleteBot removes a certificate renewal bot and associated resources.
    DeleteBot(ctx context.Context, botName string) error
    // GetBotUsers gets all bot users.
    GetBotUsers(ctx context.Context) ([]types.User, error)
    // ChangeUserAuthentication allows a user with a reset or invite token to change their password and if enabled also adds a new mfa device.
    // Upon success, creates new web session and creates new set of recovery codes (if user meets requirements).
    ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
    // GetResetPasswordToken returns a reset password token.
    GetResetPasswordToken(ctx context.Context, username string) (types.UserToken, error)
    // GetMFADevices fetches all MFA devices registered for the calling user.
    GetMFADevices(ctx context.Context, in *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
    // Deprecated: Use AddMFADeviceSync instead.
    AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
    // Deprecated: Use DeleteMFADeviceSync instead.
    DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
    // AddMFADeviceSync adds a new MFA device (nonstream).
    AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
    // DeleteMFADeviceSync deletes a users MFA device (nonstream).
    DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
    // CreateAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.
    CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
    // CreateRegisterChallenge creates and returns MFA register challenge for a new MFA device.
    CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
    // MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
    MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)
    // StartAccountRecovery creates a recovery start token for a user who successfully verified their username and their recovery code.
    // This token is used as part of a URL that will be emailed to the user (not done in this request).
    // Represents step 1 of the account recovery process.
    StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
    // VerifyAccountRecovery creates a recovery approved token after successful verification of users password or second factor
    // (authn depending on what user needed to recover). This token will allow users to perform protected actions while not logged in.
    // Represents step 2 of the account recovery process after RPC StartAccountRecovery.
    VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
    // CompleteAccountRecovery sets a new password or adds a new mfa device,
    // allowing user to regain access to their account using the new credentials.
    // Represents the last step in the account recovery process after RPC's StartAccountRecovery and VerifyAccountRecovery.
    CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
    // CreateAccountRecoveryCodes creates new set of recovery codes for a user, replacing and invalidating any previously owned codes.
    CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
    // GetAccountRecoveryToken returns a user token resource after verifying the token in
    // request is not expired and is of the correct recovery type.
    GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
    // GetAccountRecoveryCodes returns the user in context their recovery codes resource without any secrets.
    GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
    // CreatePrivilegeToken creates a privilege token for the logged in user who has successfully re-authenticated with their second factor.
    // A privilege token allows users to perform privileged action eg: add/delete their MFA device.
    CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
    // UpdateHeadlessAuthenticationState updates a headless authentication state.
    UpdateHeadlessAuthenticationState(ctx context.Context, id string, state types.HeadlessAuthenticationState, mfaResponse *proto.MFAAuthenticateResponse) error
    // GetHeadlessAuthentication retrieves a headless authentication by id.
GetHeadlessAuthentication(ctx context.Context, id string) (*types.HeadlessAuthentication, error) // WatchPendingHeadlessAuthentications creates a watcher for pending headless authentication for the current user. WatchPendingHeadlessAuthentications(ctx context.Context) (types.Watcher, error) }
IdentityService manages identities and users
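The read, modify, compare-and-swap loop that the UpdateAndSwapUser doc comment describes ("roughly equivalent to GetUser followed by CompareAndSwapUser", with fn returning false to skip the write), as an added example in plain Go. This is not Teleport's implementation: the User type with its revision counter, the in-memory UserStore, the bounded retry count and the role names are constructed stand-ins; only the Get / CompareAndSwap / skip-on-unchanged shape comes from the interface above. The point it adds is why the retry matters: on a compare failure fn is re-applied to the freshly read value, so a concurrent writer's change is preserved instead of being overwritten.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	// ErrCompareFailed: the stored user no longer matches what the caller
	// read, i.e. another writer won the race.
	ErrCompareFailed = errors.New("compare failed: user was modified concurrently")
	ErrNotFound      = errors.New("user not found")
)

// User is a constructed stand-in for types.User: a name, a role list and a
// revision that the store bumps on every successful write.
type User struct {
	Name     string
	Roles    []string
	Revision uint64
}

// clone copies the role slice so callers never share a backing array with
// the stored value (append on an alias would silently corrupt the store).
func (u User) clone() User {
	c := u
	c.Roles = append([]string(nil), u.Roles...)
	return c
}

// UserStore is a constructed in-memory backend exposing the GetUser and
// CompareAndSwapUser primitives that UpdateAndSwapUser composes.
type UserStore struct {
	mu    sync.Mutex
	users map[string]User
}

func NewUserStore() *UserStore { return &UserStore{users: map[string]User{}} }

// Upsert writes unconditionally (the UpsertUser shape) and bumps the revision.
func (s *UserStore) Upsert(u User) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u.Revision = s.users[u.Name].Revision + 1
	s.users[u.Name] = u.clone()
}

func (s *UserStore) GetUser(name string) (User, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[name]
	if !ok {
		return User{}, ErrNotFound
	}
	return u.clone(), nil
}

// CompareAndSwapUser replaces the stored user only if its current revision
// still equals expected.Revision; otherwise it fails without writing.
func (s *UserStore) CompareAndSwapUser(updated, expected User) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur, ok := s.users[expected.Name]
	if !ok {
		return ErrNotFound
	}
	if cur.Revision != expected.Revision {
		return ErrCompareFailed
	}
	updated.Revision = cur.Revision + 1
	s.users[expected.Name] = updated.clone()
	return nil
}

// UpdateAndSwapUser reads the user, applies fn to a copy and writes the result
// back with a compare-and-swap. fn returning changed=false skips the write.
// A compare failure is retried (bounded), re-reading and re-applying fn so
// the update lands on top of a concurrent writer's change.
func (s *UserStore) UpdateAndSwapUser(name string, fn func(*User) (bool, error)) (User, error) {
	const maxAttempts = 5
	for attempt := 0; attempt < maxAttempts; attempt++ {
		expected, err := s.GetUser(name)
		if err != nil {
			return User{}, err
		}
		updated := expected.clone()
		changed, err := fn(&updated)
		if err != nil {
			return User{}, err
		}
		if !changed {
			return expected, nil
		}
		switch err := s.CompareAndSwapUser(updated, expected); {
		case err == nil:
			return s.GetUser(name)
		case errors.Is(err, ErrCompareFailed):
			continue // somebody else wrote first: re-read and re-apply fn
		default:
			return User{}, err
		}
	}
	return User{}, fmt.Errorf("updating %q: gave up after %d compare failures", name, maxAttempts)
}
```

Usage: `store.UpdateAndSwapUser("alice", func(u *User) (bool, error) { u.Roles = append(u.Roles, "auditor"); return true, nil })`. The bound on retries is deliberate: an unbounded loop against a hot key is a livelock, and surfacing the failure lets the caller decide whether to back off.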
type IdentitySpecV2 ¶
type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is an SSH host certificate in the OpenSSH authorized_keys format.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACerts is a list of PEM encoded x509 certificates of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}
IdentitySpecV2 specifies credentials used by local process.
type IdentityV2 ¶
type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}
IdentityV2 specifies local host identity.
func (*IdentityV2) CheckAndSetDefaults ¶
func (s *IdentityV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values.
type ImpersonatorRoundTripper ¶
type ImpersonatorRoundTripper struct {
http.RoundTripper
}
ImpersonatorRoundTripper is a round tripper that impersonates a user with the identity provided.
func NewImpersonatorRoundTripper ¶
func NewImpersonatorRoundTripper(rt http.RoundTripper) *ImpersonatorRoundTripper
NewImpersonatorRoundTripper returns a new impersonator round tripper.
func (*ImpersonatorRoundTripper) CloseIdleConnections ¶
func (r *ImpersonatorRoundTripper) CloseIdleConnections()
CloseIdleConnections ensures that the returned http.RoundTripper has a CloseIdleConnections method.
type InitConfig ¶
type InitConfig struct {
	// Backend is the auth backend to use.
	Backend backend.Backend
	// Authority is the key generator that we use.
	Authority sshca.Authority
	// KeyStoreConfig is the config for the KeyStore which handles private CA
	// keys that may be held in an HSM.
	KeyStoreConfig keystore.Config
	// HostUUID is a UUID of this host.
	HostUUID string
	// NodeName is the DNS name of the node.
	NodeName string
	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on.
	ClusterName types.ClusterName
	// Authorities is a list of pre-configured authorities to supply on first start.
	Authorities []types.CertAuthority
	// ApplyOnStartupResources is a set of resources that should be applied
	// on each Teleport start.
	ApplyOnStartupResources []types.Resource
	// BootstrapResources is a list of previously backed-up resources used to
	// bootstrap the backend on first start.
	BootstrapResources []types.Resource
	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs.
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string
	// DataDir is the full path to the directory where keys, events and logs are kept.
	DataDir string
	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so the auth server will init the tunnels on the first start.
	ReverseTunnels []types.ReverseTunnel
	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// statically supplied in configuration, so the auth server will init the connectors on the first start.
	OIDCConnectors []types.OIDCConnector
	// Trust is a service that manages certificate authorities.
	Trust services.Trust
	// Presence service is a discovery and heartbeat tracker.
	Presence services.PresenceInternal
	// Provisioner is a service that keeps track of provisioning tokens.
	Provisioner services.Provisioner
	// Identity is a service that manages users and credentials.
	Identity services.Identity
	// Access is a service controlling access to resources.
	Access services.Access
	// DynamicAccessExt is a service that manages dynamic RBAC.
	DynamicAccessExt services.DynamicAccessExt
	// Events is an event service.
	Events types.Events
	// ClusterConfiguration is a service that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration
	// Restrictions is a service to access network restrictions, etc.
	Restrictions services.Restrictions
	// Apps is a service that manages application resources.
	Apps services.Apps
	// Databases is a service that manages database resources.
	Databases services.Databases
	// DatabaseServices is a service that manages DatabaseService resources.
	DatabaseServices services.DatabaseServices
	// Status is a service that manages cluster status info.
	Status services.StatusInternal
	// Assist is a service that implements the Teleport Assist functionality.
	Assist services.Assistant
	// UserPreferences is a service that manages user preferences.
	UserPreferences services.UserPreferences
	// Roles is a set of roles to create.
	Roles []types.Role
	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed.
	StaticTokens types.StaticTokens
	// AuthPreference defines the authentication type (local, oidc) and second
	// factor passed in from a configuration file.
	AuthPreference types.AuthPreference
	// AuditLog is used for emitting events to the audit log.
	AuditLog events.AuditLogSessionStreamer
	// ClusterAuditConfig holds cluster audit configuration.
	ClusterAuditConfig types.ClusterAuditConfig
	// ClusterNetworkingConfig holds cluster networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// SessionRecordingConfig holds session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig
	// SkipPeriodicOperations turns off periodic operations;
	// used in tests that don't need periodic operations.
	SkipPeriodicOperations bool
	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16
	// Emitter is an events emitter, used to submit discrete events.
	Emitter apievents.Emitter
	// Streamer is an events session streamer, used to create continuous
	// session related streams.
	Streamer events.Streamer
	// WindowsDesktops is a service that manages Windows desktop resources.
	WindowsDesktops services.WindowsDesktops
	// SAMLIdPServiceProviders is a service that manages SAML IdP service providers.
	SAMLIdPServiceProviders services.SAMLIdPServiceProviders
	// UserGroups is a service that manages user groups.
	UserGroups services.UserGroups
	// Integrations is a service that manages Integrations.
	Integrations services.Integrations
	// DiscoveryConfigs is a service that manages DiscoveryConfigs.
	DiscoveryConfigs services.DiscoveryConfigs
	// Embeddings is a service that manages Embeddings.
	Embeddings services.Embeddings
	// SessionTrackerService is a service that manages trackers for all active sessions.
	SessionTrackerService services.SessionTrackerService
	// ConnectionsDiagnostic is a service that manages Connection Diagnostics resources.
	ConnectionsDiagnostic services.ConnectionsDiagnostic
	// LoadAllCAs tells tsh to load the host CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool
	// TraceClient is used to forward spans to the upstream telemetry collector.
	TraceClient otlptrace.Client
	// Kubernetes is a service that manages kubernetes cluster resources.
	Kubernetes services.Kubernetes
	// AssertionReplayService is a service that mitigates SSO assertion replay.
	*local.AssertionReplayService
	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool
	// UsageReporter is a service that forwards cluster usage events.
	UsageReporter usagereporter.UsageReporter
	// Okta is a service that manages Okta resources.
	Okta services.Okta
	// AccessLists is a service that manages access list resources.
	AccessLists services.AccessLists
	// UserLoginState is a service that manages user login states.
	UserLoginState services.UserLoginStates
	// SecReports is a service that manages security reports.
	SecReports services.SecReports
	// PluginData is a service that manages plugin data.
	PluginData services.PluginData
	// Clock is the clock instance auth uses. Typically you'd only want to set
	// this during testing.
	Clock clockwork.Clock
	// HTTPClientForAWSSTS overwrites the default HTTP client used for making
	// STS requests. Used in tests.
	HTTPClientForAWSSTS utils.HTTPDoClient
	// EmbeddingRetriever is a retriever for embeddings.
	EmbeddingRetriever *ai.SimpleRetriever
	// EmbeddingClient is a client that allows generating embeddings.
	EmbeddingClient embedding.Embedder
	// Tracer is used to create spans.
	Tracer oteltrace.Tracer
	// AccessMonitoringEnabled is true if access monitoring is enabled.
	AccessMonitoringEnabled bool
}
InitConfig is auth server init config
type KubeCSR ¶
type KubeCSR struct {
	// Username of the user's certificate.
	Username string `json:"username"`
	// ClusterName is the name of the target cluster to generate the certificate for.
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR.
	CSR []byte `json:"csr"`
}
KubeCSR is a kubernetes CSR request
func (*KubeCSR) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults
type KubeCSRResponse ¶
type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block.
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM blocks with trusted cert authorities.
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig.
	TargetAddr string `json:"target_addr"`
}
KubeCSRResponse is a response to kubernetes CSR request
type KubernetesAccessPoint ¶
type KubernetesAccessPoint interface {
	// ReadKubernetesAccessPoint provides methods to read data.
	ReadKubernetesAccessPoint
	// contains filtered or unexported methods
}
KubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.
func NewKubernetesWrapper ¶
func NewKubernetesWrapper(base KubernetesAccessPoint, cache ReadKubernetesAccessPoint) KubernetesAccessPoint
type KubernetesWrapper ¶
type KubernetesWrapper struct {
	ReadKubernetesAccessPoint
	NoCache KubernetesAccessPoint
	// contains filtered or unexported fields
}
func (*KubernetesWrapper) Close ¶
func (w *KubernetesWrapper) Close() error
Close closes all associated resources
type LoginHook ¶
LoginHook is a function that will be called on a successful login. This will likely be used for enterprise services that need to add in feature specific operations after a user has been successfully authenticated. An example would be creating objects based on the user.
type Metrics ¶
type Metrics struct {
GRPCServerLatency bool
}
Metrics handles optional metrics for TLSServerConfig
type Middleware ¶
type Middleware struct {
	ClusterName string
	// Handler is the HTTP handler called after the middleware checks requests.
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example the middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage;
	// if set, will accept certificates with non-limited usage
	// and usage exactly matching the specified values.
	AcceptedUsage []string
	// Limiter is a rate and connection limiter.
	Limiter *limiter.Limiter
	// GRPCMetrics is the configured gRPC metrics for the interceptors.
	GRPCMetrics *om.ServerMetrics
	// EnableCredentialsForwarding allows the middleware to receive an impersonation
	// identity from the client if it presents a valid proxy certificate.
	// This is used by the proxy to forward the identity of the user who
	// connected to the proxy to the next hop.
	EnableCredentialsForwarding bool
}
Middleware is authentication middleware checking every request
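As an added example (not Teleport's code) serving both the IdentitySpecV2 type above and the Middleware certificate check here: it mints a throwaway CA and a client certificate with crypto/x509, verifies that the client certificate chains only to the identity's TLSCACerts with the client-auth extended key usage (the step Middleware.GetUser must complete before any identity is read from the connection), and then applies the AcceptedUsage rule exactly as the field's doc comment states it. Assumptions: Mint is a constructed stand-in for the cluster's user CA; IdentitySpec carries only the TLS fields of IdentitySpecV2; usage strings such as "usage:kube" are made up; "usage exactly matching" is implemented as order-insensitive set equality, and how Teleport encodes usage inside the certificate is not shown on this page and is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// IdentitySpec mirrors the TLS certificate fields of IdentitySpecV2 (PEM blocks).
// Key and the SSH fields are omitted: the standard library has no SSH cert parser.
type IdentitySpec struct {
	TLSCert    []byte
	TLSCACerts [][]byte
}

// Mint is a constructed stand-in for the cluster's user CA: with parent == nil
// it returns a self-signed CA, otherwise a client-auth leaf signed by parent.
func Mint(subject string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyIdentity is the check a server must run on a presented client cert
// before trusting anything read from it (the Middleware.GetUser step): parse
// the leaf, chain it to TLSCACerts only, and require the client-auth EKU.
func VerifyIdentity(spec IdentitySpec) (string, error) {
	block, _ := pem.Decode(spec.TLSCert)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("tls_cert: no CERTIFICATE PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	// A CA cert that is itself in the pool verifies as a one-element chain; an identity must be an end-entity cert.
	if leaf.IsCA {
		return "", errors.New("tls_cert: CA certificate presented as identity")
	}
	roots := x509.NewCertPool() // non-nil, so system roots are never consulted
	for _, ca := range spec.TLSCACerts {
		if !roots.AppendCertsFromPEM(ca) {
			return "", errors.New("tls_ca_certs: entry is not a certificate PEM")
		}
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("tls_cert does not chain to tls_ca_certs: %w", err)
	}
	return leaf.Subject.CommonName, nil
}

// CheckUsage applies the Middleware.AcceptedUsage rule: an unrestricted
// certificate (no usage) always passes; a restricted one passes only when the
// server lists accepted usages and the two sets match exactly.
func CheckUsage(accepted, certUsage []string) error {
	if len(certUsage) == 0 {
		return nil
	}
	if len(accepted) == 0 {
		return errors.New("access denied: only unrestricted certificates are accepted here")
	}
	a, c := append([]string(nil), accepted...), append([]string(nil), certUsage...)
	sort.Strings(a)
	sort.Strings(c)
	if strings.Join(a, "\x00") != strings.Join(c, "\x00") { // order-insensitive exact match
		return fmt.Errorf("access denied: certificate usage %v does not match accepted %v", certUsage, accepted)
	}
	return nil
}
```

Two choices are worth noting. The pool is created with x509.NewCertPool rather than left nil, because a nil Roots makes the Go verifier fall back to the system trust store, which would let any publicly trusted client certificate through. And the explicit IsCA rejection exists because the verifier accepts a certificate that is itself in the root pool as a valid one-element chain, so without it the cluster CA certificate would "authenticate" as a user named after the cluster.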
func (*Middleware) GetUser ¶
func (a *Middleware) GetUser(connState tls.ConnectionState) (authz.IdentityGetter, error)
GetUser returns authenticated user based on request TLS metadata
func (*Middleware) ServeHTTP ¶
func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP serves HTTP requests
func (*Middleware) StreamInterceptors ¶
func (a *Middleware) StreamInterceptors() []grpc.StreamServerInterceptor
StreamInterceptors returns the gRPC stream interceptor chain.
func (*Middleware) UnaryInterceptors ¶
func (a *Middleware) UnaryInterceptors() []grpc.UnaryServerInterceptor
UnaryInterceptors returns the gRPC unary interceptor chain.
func (*Middleware) WrapContextWithUser ¶
func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)
WrapContextWithUser enriches the provided context with the identity information extracted from the provided TLS connection.
func (*Middleware) WrapContextWithUserFromTLSConnState ¶
func (a *Middleware) WrapContextWithUserFromTLSConnState(ctx context.Context, tlsState tls.ConnectionState, remoteAddr net.Addr) (context.Context, error)
WrapContextWithUserFromTLSConnState enriches the provided context with the identity information extracted from the provided TLS connection state.
type NewRemoteProxyCachingAccessPoint ¶
type NewRemoteProxyCachingAccessPoint func(clt ClientI, cacheName []string) (RemoteProxyAccessPoint, error)
NewRemoteProxyCachingAccessPoint returns a new caching access point using the access point policy.
type NodeAccessPoint ¶
type NodeAccessPoint interface {
	// ReadNodeAccessPoint provides methods to read data.
	ReadNodeAccessPoint
	// contains filtered or unexported methods
}
NodeAccessPoint is an API interface implemented by a certificate authority (CA) to be used by teleport.ComponentNode.
func NewNodeWrapper ¶
func NewNodeWrapper(base NodeAccessPoint, cache ReadNodeAccessPoint) NodeAccessPoint
type NodeWrapper ¶
type NodeWrapper struct {
	ReadNodeAccessPoint
	NoCache NodeAccessPoint
	// contains filtered or unexported fields
}
func (*NodeWrapper) Close ¶
func (w *NodeWrapper) Close() error
Close closes all associated resources
type OIDCAuthRawResponse ¶
type OIDCAuthRawResponse struct {
	// Username is the authenticated teleport username.
	Username string `json:"username"`
	// Identity contains the validated OIDC identity.
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the web session, generated by the auth server if requested in OIDCAuthRequest.
	Session json.RawMessage `json:"session,omitempty"`
	// Cert will be generated by the certificate authority.
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original oidc auth request.
	Req OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by the proxy, used in console login.
	HostSigners []json.RawMessage `json:"host_signers"`
}
OIDCAuthRawResponse is returned when auth server validated callback parameters returned from OIDC provider
type OIDCAuthRequest ¶
type OIDCAuthRequest struct {
	// ConnectorID is the ID of the OIDC connector this request uses.
	ConnectorID string `json:"connector_id"`
	// CSRFToken is associated with the user web session token.
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key; on successful auth it is
	// signed by the auth server's user CA.
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates if the user wants to generate a web
	// session after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is the URL the client wants to be redirected to
	// after successful authentication.
	ClientRedirectURL string `json:"client_redirect_url"`
}
OIDCAuthRequest is an OIDC auth request that supports standard json marshaling.
type OIDCAuthResponse ¶
type OIDCAuthResponse struct {
	// Username is the authenticated teleport username.
	Username string `json:"username"`
	// Identity contains the validated OIDC identity.
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the web session, generated by the auth server if requested in OIDCAuthRequest.
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by the certificate authority.
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original oidc auth request.
	Req OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by the proxy, used in console login.
	HostSigners []types.CertAuthority `json:"host_signers"`
}
OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider
type OIDCService ¶
type OIDCService interface {
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
	ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
}
type OTPCreds ¶
type OTPCreds struct {
	// Password is a user password.
	Password []byte `json:"password"`
	// Token is a user second factor token.
	Token string `json:"token"`
}
OTPCreds is a two-factor authentication credentials
type OktaAccessPoint ¶
type OktaAccessPoint interface {
	// ReadOktaAccessPoint provides methods to read data.
	ReadOktaAccessPoint
	// CreateUser creates a new user in the cluster.
	CreateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateUser updates the given user record.
	UpdateUser(ctx context.Context, user types.User) (types.User, error)
	// DeleteUser deletes the given user from the cluster.
	DeleteUser(ctx context.Context, user string) error
	// CreateUserGroup creates a new user group resource.
	CreateUserGroup(context.Context, types.UserGroup) error
	// UpdateUserGroup updates an existing user group resource.
	UpdateUserGroup(context.Context, types.UserGroup) error
	// DeleteUserGroup removes the specified user group resource.
	DeleteUserGroup(ctx context.Context, name string) error
	// CreateOktaImportRule creates a new Okta import rule resource.
	CreateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error)
	// UpdateOktaImportRule updates an existing Okta import rule resource.
	UpdateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error)
	// DeleteOktaImportRule removes the specified Okta import rule resource.
	DeleteOktaImportRule(ctx context.Context, name string) error
	// CreateOktaAssignment creates a new Okta assignment resource.
	CreateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error)
	// UpdateOktaAssignment updates an existing Okta assignment resource.
	UpdateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error)
	// UpdateOktaAssignmentStatus will update the status for an Okta assignment if the given time has passed
	// since the last transition.
	UpdateOktaAssignmentStatus(ctx context.Context, name, status string, timeHasPassed time.Duration) error
	// DeleteOktaAssignment removes the specified Okta assignment resource.
	DeleteOktaAssignment(ctx context.Context, name string) error
	// DeleteApplicationServer removes the specified application server.
	DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
	// contains filtered or unexported methods
}
OktaAccessPoint is a read caching interface used by an Okta component.
func NewOktaWrapper ¶
func NewOktaWrapper(base OktaAccessPoint, cache ReadOktaAccessPoint) OktaAccessPoint
type OktaWrapper ¶
type OktaWrapper struct {
	ReadOktaAccessPoint
	NoCache OktaAccessPoint
	// contains filtered or unexported fields
}
func (*OktaWrapper) Close ¶
func (w *OktaWrapper) Close() error
Close closes all associated resources
func (*OktaWrapper) CreateOktaAssignment ¶
func (w *OktaWrapper) CreateOktaAssignment(ctx context.Context, assignment types.OktaAssignment) (types.OktaAssignment, error)
CreateOktaAssignment creates a new Okta assignment resource.
func (*OktaWrapper) CreateOktaImportRule ¶
func (w *OktaWrapper) CreateOktaImportRule(ctx context.Context, importRule types.OktaImportRule) (types.OktaImportRule, error)
CreateOktaImportRule creates a new Okta import rule resource.
func (*OktaWrapper) CreateUser ¶
func (w *OktaWrapper) CreateUser(ctx context.Context, user types.User) (types.User, error)
CreateUser creates a new user in the cluster
func (*OktaWrapper) CreateUserGroup ¶
CreateUserGroup creates a new user group resource.
func (*OktaWrapper) DeleteApplicationServer ¶
func (w *OktaWrapper) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
DeleteApplicationServer removes specified application server.
func (*OktaWrapper) DeleteOktaAssignment ¶
func (w *OktaWrapper) DeleteOktaAssignment(ctx context.Context, name string) error
DeleteOktaAssignment removes the specified Okta assignment resource.
func (*OktaWrapper) DeleteOktaImportRule ¶
func (w *OktaWrapper) DeleteOktaImportRule(ctx context.Context, name string) error
DeleteOktaImportRule removes the specified Okta import rule resource.
func (*OktaWrapper) DeleteUser ¶
func (w *OktaWrapper) DeleteUser(ctx context.Context, user string) error
DeleteUser removes a user from the cluster
func (*OktaWrapper) DeleteUserGroup ¶
func (w *OktaWrapper) DeleteUserGroup(ctx context.Context, name string) error
DeleteUserGroup removes the specified user group resource.
func (*OktaWrapper) UpdateOktaAssignment ¶
func (w *OktaWrapper) UpdateOktaAssignment(ctx context.Context, assignment types.OktaAssignment) (types.OktaAssignment, error)
UpdateOktaAssignment updates an existing Okta assignment resource.
func (*OktaWrapper) UpdateOktaAssignmentStatus ¶
func (w *OktaWrapper) UpdateOktaAssignmentStatus(ctx context.Context, name, status string, timeHasPassed time.Duration) error
UpdateOktaAssignmentStatus will update the status for an Okta assignment if the given time has passed since the last transition.
func (*OktaWrapper) UpdateOktaImportRule ¶
func (w *OktaWrapper) UpdateOktaImportRule(ctx context.Context, importRule types.OktaImportRule) (types.OktaImportRule, error)
UpdateOktaImportRule updates an existing Okta import rule resource.
func (*OktaWrapper) UpdateUser ¶
func (w *OktaWrapper) UpdateUser(ctx context.Context, user types.User) (types.User, error)
UpdateUser updates a user in the cluster
func (*OktaWrapper) UpdateUserGroup ¶
UpdateUserGroup updates an existing user group resource.
type PassCreds ¶
type PassCreds struct {
	// Password is a user password.
	Password []byte `json:"password"`
}
PassCreds is a password credential
type PolicyOptions ¶
type PolicyOptions struct {
OnLeaveAction types.OnSessionLeaveAction
}
PolicyOptions is a set of settings for the session determined by the matched required policy.
type PresetRoleManager ¶
type PresetRoleManager interface {
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) (types.Role, error)
	// UpsertRole creates or updates a role and emits a related audit event.
	UpsertRole(ctx context.Context, role types.Role) (types.Role, error)
}
PresetRoleManager contains the required Role Management methods to create a Preset Role.
type PresetUsers ¶
type PresetUsers interface {
	// CreateUser creates a new user record based on the supplied `user` instance.
	CreateUser(ctx context.Context, user types.User) (types.User, error)
	// GetUser fetches a user from the repository by name, optionally fetching
	// any associated secrets.
	GetUser(ctx context.Context, username string, withSecrets bool) (types.User, error)
	// UpsertUser creates or updates a user record as needed.
	UpsertUser(ctx context.Context, user types.User) (types.User, error)
}
PresetUsers contains the required User Management methods to create a preset User. The method names match the corresponding methods of the full user-management interface; this is the subset needed here.
type ProcessStorage ¶
type ProcessStorage struct {
	// BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
	BackendStorage backend.Backend
	// contains filtered or unexported fields
}
ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.
func NewProcessStorage ¶
func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)
NewProcessStorage returns a new instance of the process storage.
func (*ProcessStorage) Close ¶
func (p *ProcessStorage) Close() error
Close closes all resources used by process storage backend.
func (*ProcessStorage) CreateState ¶
func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error
CreateState creates process state if it does not exist yet.
func (*ProcessStorage) GetState ¶
func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*StateV2, error)
GetState reads rotation state from disk.
func (*ProcessStorage) ReadIdentity ¶
func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)
ReadIdentity reads identity using identity name and role.
func (*ProcessStorage) WriteIdentity ¶
func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
WriteIdentity writes identity to the backend.
func (*ProcessStorage) WriteState ¶
func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error
WriteState writes local cluster state to the backend.
type ProvisioningService ¶
type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users.
	GetTokens(ctx context.Context) (tokens []types.ProvisionToken, err error)
	// GetToken returns a provisioning token.
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a reset password token or a machine token.
	DeleteToken(ctx context.Context, token string) error
	// DeleteAllTokens deletes all provisioning tokens.
	DeleteAllTokens() error
	// UpsertToken adds provisioning tokens for the auth server.
	UpsertToken(ctx context.Context, token types.ProvisionToken) error
	// CreateToken creates a new provision token for the auth server.
	CreateToken(ctx context.Context, token types.ProvisionToken) error
	// RegisterUsingToken calls the auth service API to register a new node via a registration token
	// which has been previously issued via GenerateToken.
	RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
}
ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster
type ProxyAccessPoint ¶
type ProxyAccessPoint interface {
	// ReadProxyAccessPoint provides methods to read data.
	ReadProxyAccessPoint
	// contains filtered or unexported methods
}
ProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
func NewProxyWrapper ¶
func NewProxyWrapper(base ProxyAccessPoint, cache ReadProxyAccessPoint) ProxyAccessPoint
type ProxyWrapper ¶
type ProxyWrapper struct {
	ReadProxyAccessPoint
	NoCache ProxyAccessPoint
	// contains filtered or unexported fields
}
func (*ProxyWrapper) Close ¶
func (w *ProxyWrapper) Close() error
Close closes all associated resources
type ReRegisterParams ¶
type ReRegisterParams struct {
	// Client is an authenticated client using old credentials.
	Client ClientI
	// ID is the identity ID.
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial.
	AdditionalPrincipals []string
	// DNSNames is a list of DNS Names to add to the x509 client certificate.
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers).
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign.
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign.
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority.
	Rotation types.Rotation
	// SystemRoles is a set of additional system roles held by the instance.
	SystemRoles []types.SystemRole
}
ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)
type ReadAppsAccessPoint ¶
type ReadAppsAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns cert authority by id.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetUser returns a services.User for this cluster.
	GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetProxies returns a list of proxy servers registered in the cluster.
	GetProxies() ([]types.Server, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}
ReadAppsAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.
NOTE: This interface must match the resources replicated in cache.ForApps.
type ReadDatabaseAccessPoint ¶
type ReadDatabaseAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetUser returns a services.User for this cluster.
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetProxies returns a list of proxy servers registered in the cluster
    GetProxies() ([]types.Server, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetDatabases returns all database resources.
    GetDatabases(ctx context.Context) ([]types.Database, error)
    // GetDatabase returns the specified database resource.
    GetDatabase(ctx context.Context, name string) (types.Database, error)
}
ReadDatabaseAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.
NOTE: This interface must match the resources replicated in cache.ForDatabases.
type ReadDiscoveryAccessPoint ¶
type ReadDiscoveryAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetNodes returns a list of registered servers for this cluster.
    GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
    // GetKubernetesCluster returns a kubernetes cluster resource identified by name.
    GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
    // GetKubernetesClusters returns all kubernetes cluster resources.
    GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
    // GetDatabases returns all database resources.
    GetDatabases(ctx context.Context) ([]types.Database, error)
    // GetApps returns all application resources.
    GetApps(context.Context) ([]types.Application, error)
    // GetApp returns the specified application resource.
    GetApp(ctx context.Context, name string) (types.Application, error)
    // ListDiscoveryConfigs returns a paginated list of Discovery Config resources.
    ListDiscoveryConfigs(ctx context.Context, pageSize int, nextKey string) ([]*discoveryconfig.DiscoveryConfig, string, error)
    // GetIntegration returns the specified integration resource.
    GetIntegration(ctx context.Context, name string) (types.Integration, error)
    // GetProxies returns a list of registered proxies.
    GetProxies() ([]types.Server, error)
}
ReadDiscoveryAccessPoint is a read only API interface to be used by a teleport.ComponentDiscovery.
NOTE: This interface must match the resources replicated in cache.ForDiscovery.
type ReadKubernetesAccessPoint ¶
type ReadKubernetesAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetUser returns a services.User for this cluster.
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetKubernetesServers returns a list of kubernetes servers registered in the cluster
    GetKubernetesServers(context.Context) ([]types.KubeServer, error)
    // GetKubernetesClusters returns all kubernetes cluster resources.
    GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
    // GetKubernetesCluster returns the specified kubernetes cluster resource.
    GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}
ReadKubernetesAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.
NOTE: This interface must match the resources replicated in cache.ForKubernetes.
type ReadNodeAccessPoint ¶
type ReadNodeAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
    GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
}
ReadNodeAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentNode.
NOTE: This interface must match the resources replicated in cache.ForNode.
type ReadOktaAccessPoint ¶
type ReadOktaAccessPoint interface {
    // Closer closes all the resources
    io.Closer

    AccessCache

    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetProxies returns a list of proxy servers registered in the cluster
    GetProxies() ([]types.Server, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetUser returns a services.User for this cluster.
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetUsers returns a list of users with the cluster
    GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
    // ListUserGroups returns a paginated list of all user group resources.
    ListUserGroups(context.Context, int, string) ([]types.UserGroup, string, error)
    // GetUserGroup returns the specified user group resource.
    GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
    // ListOktaImportRules returns a paginated list of all Okta import rule resources.
    ListOktaImportRules(context.Context, int, string) ([]types.OktaImportRule, string, error)
    // GetOktaImportRule returns the specified Okta import rule resource.
    GetOktaImportRule(ctx context.Context, name string) (types.OktaImportRule, error)
    // ListOktaAssignments returns a paginated list of all Okta assignment resources.
    ListOktaAssignments(context.Context, int, string) ([]types.OktaAssignment, string, error)
    // GetOktaAssignment returns the specified Okta assignment resource.
    GetOktaAssignment(ctx context.Context, name string) (types.OktaAssignment, error)
    // GetApplicationServers returns all registered application servers.
    GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
    // ListResources returns a paginated list of resources.
    ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}
ReadOktaAccessPoint is a read only API interface to be used by an Okta component.
NOTE: This interface must provide read interfaces for the types.WatchKind registered in cache.ForOkta.
type ReadProxyAccessPoint ¶
type ReadProxyAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetUIConfig returns configuration for the UI served by the proxy service
    GetUIConfig(ctx context.Context) (types.UIConfig, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetUser returns a services.User for this cluster.
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetNode returns a node by name and namespace.
    GetNode(ctx context.Context, namespace, name string) (types.Server, error)
    // GetNodes returns a list of registered servers for this cluster.
    GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
    // GetProxies returns a list of proxy servers registered in the cluster
    GetProxies() ([]types.Server, error)
    // GetAuthServers returns a list of auth servers registered in the cluster
    GetAuthServers() ([]types.Server, error)
    // GetReverseTunnels returns a list of reverse tunnels
    GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
    // GetAllTunnelConnections returns all tunnel connections
    GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
    // GetTunnelConnections returns tunnel connections for a given cluster
    GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
    // GetApplicationServers returns all registered application servers.
    GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
    // GetApps returns all application resources.
    GetApps(ctx context.Context) ([]types.Application, error)
    // GetApp returns the specified application resource.
    GetApp(ctx context.Context, name string) (types.Application, error)
    // GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
    GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
    // GetAppSession gets an application web session.
    GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
    // GetWebSession gets a web session for the given request
    GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)
    // GetWebToken gets a web token for the given request
    GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)
    // GetRemoteClusters returns a list of remote clusters
    GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
    // GetRemoteCluster returns a remote cluster by name
    GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
    // GetKubernetesServers returns a list of kubernetes servers registered in the cluster
    GetKubernetesServers(context.Context) ([]types.KubeServer, error)
    // GetDatabaseServers returns all registered database proxy servers.
    GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
    // GetDatabases returns all database resources.
    GetDatabases(ctx context.Context) ([]types.Database, error)
    // GetDatabase returns the specified database resource.
    GetDatabase(ctx context.Context, name string) (types.Database, error)
    // GetWindowsDesktops returns windows desktop hosts.
    GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
    // GetWindowsDesktopServices returns all registered windows desktop services.
    GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
    // GetWindowsDesktopService returns a windows desktop service by name.
    GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
    // GetKubernetesClusters returns all kubernetes cluster resources.
    GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
    // GetKubernetesCluster returns the specified kubernetes cluster resource.
    GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
    // GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resource.
    GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)
    // ListSAMLIdPServiceProviders returns a paginated list of all SAML IdP service provider resources.
    ListSAMLIdPServiceProviders(context.Context, int, string) ([]types.SAMLIdPServiceProvider, string, error)
    // GetSAMLIdPSession gets a SAML IdP session.
    GetSAMLIdPSession(context.Context, types.GetSAMLIdPSessionRequest) (types.WebSession, error)
    // ListUserGroups returns a paginated list of user group resources.
    ListUserGroups(ctx context.Context, pageSize int, nextKey string) ([]types.UserGroup, string, error)
    // GetUserGroup returns the specified user group resource.
    GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
}
ReadProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
NOTE: This interface must match the resources replicated in cache.ForProxy.
type ReadRemoteProxyAccessPoint ¶
type ReadRemoteProxyAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetNode returns a node by name and namespace.
    GetNode(ctx context.Context, namespace, name string) (types.Server, error)
    // GetNodes returns a list of registered servers for this cluster.
    GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
    // GetProxies returns a list of proxy servers registered in the cluster
    GetProxies() ([]types.Server, error)
    // GetAuthServers returns a list of auth servers registered in the cluster
    GetAuthServers() ([]types.Server, error)
    // GetReverseTunnels returns a list of reverse tunnels
    GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
    // GetAllTunnelConnections returns all tunnel connections
    GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
    // GetTunnelConnections returns tunnel connections for a given cluster
    GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
    // GetApplicationServers returns all registered application servers.
    GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
    // GetRemoteClusters returns a list of remote clusters
    GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
    // GetRemoteCluster returns a remote cluster by name
    GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
    // GetKubernetesServers returns a list of kubernetes servers registered in the cluster
    GetKubernetesServers(context.Context) ([]types.KubeServer, error)
    // GetDatabaseServers returns all registered database proxy servers.
    GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
}
ReadRemoteProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
NOTE: This interface must match the resources replicated in cache.ForRemoteProxy.
type ReadWindowsDesktopAccessPoint ¶
type ReadWindowsDesktopAccessPoint interface {
    // Closer closes all the resources
    io.Closer
    // NewWatcher returns a new event watcher.
    NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
    // GetCertAuthority returns cert authority by id
    GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
    // GetCertAuthorities returns a list of cert authorities
    GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
    // GetClusterName gets the name of the cluster from the backend.
    GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
    // GetClusterAuditConfig returns cluster audit configuration.
    GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
    // GetClusterNetworkingConfig returns cluster networking configuration.
    GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
    // GetAuthPreference returns the cluster authentication configuration.
    GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
    // GetSessionRecordingConfig returns session recording configuration.
    GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
    // GetUser returns a services.User for this cluster.
    GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)
    // GetRole returns role by name
    GetRole(ctx context.Context, name string) (types.Role, error)
    // GetRoles returns a list of roles
    GetRoles(ctx context.Context) ([]types.Role, error)
    // GetNamespaces returns a list of namespaces
    GetNamespaces() ([]types.Namespace, error)
    // GetNamespace returns namespace by name
    GetNamespace(name string) (*types.Namespace, error)
    // GetWindowsDesktops returns windows desktop hosts.
    GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
    // GetWindowsDesktopServices returns all registered windows desktop services.
    GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
    // GetWindowsDesktopService returns a windows desktop service by name.
    GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
}
ReadWindowsDesktopAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.
NOTE: This interface must match the resources replicated in cache.ForWindowsDesktop.
type RegisterParams ¶
type RegisterParams struct {
    // Token is a secure token to join the cluster
    Token string
    // ID is identity ID
    ID IdentityID
    // AuthServers is a list of auth servers to dial
    AuthServers []utils.NetAddr
    // ProxyServer is a proxy server to dial
    ProxyServer utils.NetAddr
    // AdditionalPrincipals is a list of additional principals to dial
    AdditionalPrincipals []string
    // DNSNames is a list of DNS names to add to x509 certificate
    DNSNames []string
    // PublicTLSKey is a server's public key to sign
    PublicTLSKey []byte
    // PublicSSHKey is a server's public SSH key to sign
    PublicSSHKey []byte
    // CipherSuites is a list of cipher suites to use for TLS client connection
    CipherSuites []uint16
    // CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
    CAPins []string
    // CAPath is the path to the CA file.
    CAPath string
    // GetHostCredentials is a client that can fetch host credentials.
    GetHostCredentials HostCredentials
    // Clock specifies the time provider. Will be used to override the time anchor
    // for TLS certificate verification.
    // Defaults to real clock if unspecified
    Clock clockwork.Clock
    // JoinMethod is the joining method used for this register request.
    JoinMethod types.JoinMethod
    // AzureParams is the parameters specific to the azure join method.
    AzureParams AzureParams
    // CircuitBreakerConfig defines how the circuit breaker should behave.
    CircuitBreakerConfig breaker.Config
    // FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
    FIPS bool
    // IDToken is a token retrieved from a workload identity provider for
    // certain join types e.g GitHub, Google.
    IDToken string
    // Expires is an optional field for bots that specifies a time that the
    // certificates that are returned by registering should expire at.
    // It should not be specified for non-bot registrations.
    Expires *time.Time
    // Insecure trusts the certificates from the Auth Server or Proxy during registration without verification.
    Insecure bool
    // contains filtered or unexported fields
}
RegisterParams specifies parameters for the first-time register operation with the auth server. The joining host authenticates the Auth Server either through CAPins (SPKI hashes of the CA certificates) or through CAPath; Insecure skips that verification entirely and trusts whatever certificate the Auth Server or Proxy presents.
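The CAPins field is the part of RegisterParams that lets a host joining over an untrusted network verify the Auth Server before handing over its join token. The following is an added example, not code from the page or from the Teleport project, of how an SPKI pin is computed and checked. It assumes the pin format "sha256:" followed by the lower-case hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo; the CA certificates are generated in-process for the demonstration, and CAPin/VerifyCAPins are this example's own helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CAPin returns the pin for a CA certificate: "sha256:" plus the hex SHA-256
// of the DER SubjectPublicKeyInfo (format assumed for this example). Pinning
// the SPKI rather than the whole certificate keeps the pin valid across a CA
// certificate re-issuance that reuses the same key.
func CAPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyCAPins returns nil if at least one certificate in the chain presented
// by the Auth Server matches a configured pin. Malformed pins are rejected up
// front so that a typo cannot silently turn pinning into a no-op.
func VerifyCAPins(chain []*x509.Certificate, pins []string) error {
	if len(pins) == 0 {
		return errors.New("no CA pins configured")
	}
	want := make(map[string]struct{}, len(pins))
	for _, p := range pins {
		p = strings.ToLower(strings.TrimSpace(p))
		if !strings.HasPrefix(p, "sha256:") {
			return fmt.Errorf("malformed CA pin %q: want sha256:<64 hex chars>", p)
		}
		digest := strings.TrimPrefix(p, "sha256:")
		if raw, err := hex.DecodeString(digest); err != nil || len(raw) != sha256.Size {
			return fmt.Errorf("malformed CA pin %q: want sha256:<64 hex chars>", p)
		}
		want[p] = struct{}{}
	}
	for _, c := range chain {
		if _, ok := want[CAPin(c)]; ok {
			return nil
		}
	}
	return errors.New("no certificate in the presented chain matches a configured CA pin")
}

// newSelfSignedCA creates a throwaway CA certificate (constructed test data).
func newSelfSignedCA(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	trusted, err := newSelfSignedCA("cluster-ca")
	if err != nil {
		panic(err)
	}
	rogue, err := newSelfSignedCA("rogue-ca")
	if err != nil {
		panic(err)
	}
	pins := []string{CAPin(trusted)}
	fmt.Println("pin:    ", pins[0])
	fmt.Println("trusted:", VerifyCAPins([]*x509.Certificate{trusted}, pins))
	fmt.Println("rogue:  ", VerifyCAPins([]*x509.Certificate{rogue}, pins))
}
```

A pin only protects the join if it reaches the host out of band (for example baked into the provisioning config), since a value fetched over the same unverified connection proves nothing.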
type RemoteProxyAccessPoint ¶
type RemoteProxyAccessPoint interface {
    // ReadRemoteProxyAccessPoint provides methods to read data
    ReadRemoteProxyAccessPoint
    // contains filtered or unexported methods
}
RemoteProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
func NewRemoteProxyWrapper ¶
func NewRemoteProxyWrapper(base RemoteProxyAccessPoint, cache ReadRemoteProxyAccessPoint) RemoteProxyAccessPoint
type RemoteProxyWrapper ¶
type RemoteProxyWrapper struct {
    ReadRemoteProxyAccessPoint
    NoCache RemoteProxyAccessPoint
    // contains filtered or unexported fields
}
func (*RemoteProxyWrapper) Close ¶
func (w *RemoteProxyWrapper) Close() error
Close closes all associated resources
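RemoteProxyWrapper (and NewRemoteProxyWrapper above) show the composition pattern behind every *AccessPoint on this page: the embedded read interface is satisfied by the replicated cache, while NoCache keeps the direct auth client for everything the cache cannot serve. The following added example, written for this page and not taken from the Teleport code base, reduces that pattern to one read method and one write method so the two consequences a practitioner should expect are visible: reads can lag a write until the cache replicates it, and a cache that is closed or not yet healthy fails reads instead of silently falling back. ReadAccessPoint, AccessPoint, authClient, replicaCache and Wrapper are this example's own names, and closing only the cache in Wrapper.Close is an assumption.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ReadAccessPoint is a trimmed stand-in for the Read*AccessPoint interfaces:
// the read side that a replicated cache can serve.
type ReadAccessPoint interface {
	GetClusterName(ctx context.Context) (string, error)
	Close() error
}

// AccessPoint adds the write side, which only the auth server can serve.
type AccessPoint interface {
	ReadAccessPoint
	UpsertClusterName(ctx context.Context, name string) error
}

// authClient stands in for a direct client to the auth server.
type authClient struct {
	mu     sync.Mutex
	name   string
	closed bool
}

func (a *authClient) GetClusterName(context.Context) (string, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.name, nil
}

func (a *authClient) UpsertClusterName(_ context.Context, name string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.name = name
	return nil
}

func (a *authClient) Close() error {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.closed = true
	return nil
}

// replicaCache stands in for the event-driven cache. It never contacts the
// auth server itself and refuses reads once closed or before initial replication.
type replicaCache struct {
	mu      sync.Mutex
	name    string
	healthy bool
	closed  bool
}

func (c *replicaCache) GetClusterName(context.Context) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.closed {
		return "", errors.New("cache is closed")
	}
	if !c.healthy {
		return "", errors.New("cache has not completed initial replication")
	}
	return c.name, nil
}

func (c *replicaCache) Close() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.closed = true
	return nil
}

// Wrapper mirrors the RemoteProxyWrapper shape: the embedded ReadAccessPoint
// (the cache) satisfies every read method, NoCache holds the direct client
// for writes, and Close releases the cache (assumption for this example).
type Wrapper struct {
	ReadAccessPoint
	NoCache AccessPoint
}

func NewWrapper(base AccessPoint, cache ReadAccessPoint) AccessPoint {
	return &Wrapper{ReadAccessPoint: cache, NoCache: base}
}

func (w *Wrapper) UpsertClusterName(ctx context.Context, name string) error {
	return w.NoCache.UpsertClusterName(ctx, name)
}

func (w *Wrapper) Close() error { return w.ReadAccessPoint.Close() }

func main() {
	ctx := context.Background()
	ap := NewWrapper(&authClient{name: "root"}, &replicaCache{name: "root", healthy: true})
	_ = ap.UpsertClusterName(ctx, "renamed")
	name, err := ap.GetClusterName(ctx) // still "root": the cache has not replicated the write
	fmt.Println(name, err)
}
```

The embedded-interface trick is also why the NOTE under each Read*AccessPoint matters: if a method is added to the interface without the corresponding resource being replicated by the cache, the method compiles but the cache either serves stale data or errors at runtime.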
type RotateRequest ¶
type RotateRequest struct {
    // Type is a certificate authority type, if omitted, both user and host CA
    // will be rotated.
    Type types.CertAuthType `json:"type"`
    // GracePeriod is used to generate cert rotation schedule that defines
    // times at which different rotation phases will be applied by the auth server
    // in auto mode. It is not used in manual rotation mode.
    // If omitted, default value is set, if 0 is supplied, it is interpreted as
    // forcing rotation of all certificate authorities with no grace period:
    // all existing users and hosts will have to re-login and be re-added
    // into the cluster.
    GracePeriod *time.Duration `json:"grace_period,omitempty"`
    // TargetPhase sets desired rotation phase to move to, if not set
    // will be set automatically, it is a required argument
    // for manual rotation.
    TargetPhase string `json:"target_phase,omitempty"`
    // Mode sets manual or auto rotation mode.
    Mode string `json:"mode"`
    // Schedule is an optional rotation schedule,
    // autogenerated based on GracePeriod parameter if not set.
    Schedule *types.RotationSchedule `json:"schedule"`
}
RotateRequest is a request to start rotation of the certificate authority. Note the asymmetry between a nil and a zero GracePeriod: nil means "use the default", while an explicit 0 is a forced rotation that invalidates every existing user and host credential at once.
func (*RotateRequest) CheckAndSetDefaults ¶
func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error
CheckAndSetDefaults checks and sets default values.
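The field comments on RotateRequest spell out several rules that CheckAndSetDefaults has to enforce: Mode and GracePeriod get defaults, an explicit zero grace period is a forced rotation, manual mode requires TargetPhase, and in auto mode a Schedule is derived from GracePeriod when none is given. The following is an added example that models those rules in self-contained Go; it is not the project's implementation. The mode and phase strings, the 48h default grace period, and splitting the grace period into thirds for the schedule are assumptions made for the example, and a fixed time is passed in place of the clockwork.Clock the real method takes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Mode and phase names are assumptions for this example.
const (
	ModeAuto           = "auto"
	ModeManual         = "manual"
	DefaultGracePeriod = 48 * time.Hour // assumed default
)

// validPhases lists the phases a manual rotation may target (assumed names).
var validPhases = map[string]bool{
	"init": true, "update_clients": true, "update_servers": true, "standby": true, "rollback": true,
}

// RotationSchedule holds the times at which auto mode advances phases.
type RotationSchedule struct {
	UpdateClients time.Time
	UpdateServers time.Time
	Standby       time.Time
}

// RotateRequest models the fields documented above.
type RotateRequest struct {
	Type        string
	GracePeriod *time.Duration
	TargetPhase string
	Mode        string
	Schedule    *RotationSchedule
}

// Types returns the CA types to rotate: both user and host when Type is omitted.
func (r *RotateRequest) Types() []string {
	if r.Type == "" {
		return []string{"user", "host"}
	}
	return []string{r.Type}
}

// Forced reports whether the caller supplied an explicit zero grace period,
// which rotates immediately and invalidates all existing credentials at once.
func (r *RotateRequest) Forced() bool {
	return r.GracePeriod != nil && *r.GracePeriod == 0
}

// generateSchedule derives the auto-mode schedule from the grace period by
// splitting it into thirds (assumed split). A zero grace period yields a
// schedule whose every phase is due immediately.
func generateSchedule(now time.Time, grace time.Duration) (*RotationSchedule, error) {
	if grace < 0 {
		return nil, fmt.Errorf("grace period must not be negative, got %s", grace)
	}
	now = now.UTC()
	return &RotationSchedule{
		UpdateClients: now.Add(grace / 3),
		UpdateServers: now.Add(2 * grace / 3),
		Standby:       now.Add(grace),
	}, nil
}

// CheckAndSetDefaults applies the rules from the field comments.
func (r *RotateRequest) CheckAndSetDefaults(now time.Time) error {
	if r.Mode == "" {
		r.Mode = ModeAuto
	}
	if r.GracePeriod == nil {
		d := DefaultGracePeriod
		r.GracePeriod = &d
	}
	if *r.GracePeriod < 0 {
		return fmt.Errorf("grace period must not be negative, got %s", *r.GracePeriod)
	}
	switch r.Mode {
	case ModeManual:
		if r.TargetPhase == "" {
			return errors.New("target_phase is required for manual rotation")
		}
		if !validPhases[r.TargetPhase] {
			return fmt.Errorf("unknown target phase %q", r.TargetPhase)
		}
	case ModeAuto:
		if r.Schedule == nil {
			s, err := generateSchedule(now, *r.GracePeriod)
			if err != nil {
				return err
			}
			r.Schedule = s
		}
		s := r.Schedule
		if s.UpdateServers.Before(s.UpdateClients) || s.Standby.Before(s.UpdateServers) {
			return errors.New("schedule must satisfy update_clients <= update_servers <= standby")
		}
	default:
		return fmt.Errorf("unsupported rotation mode %q", r.Mode)
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	grace := 3 * time.Hour
	req := RotateRequest{GracePeriod: &grace}
	if err := req.CheckAndSetDefaults(now); err != nil {
		panic(err)
	}
	fmt.Printf("rotate %v in %s mode, forced=%v, standby at %s\n",
		req.Types(), req.Mode, req.Forced(), req.Schedule.Standby)
}
```

The ordering check on a caller-supplied Schedule is the part worth keeping in mind when an operator submits a manual schedule: clients must receive the new CA before servers stop trusting the old one, or every session breaks during the rotation.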
type SAMLAuthRawResponse ¶
type SAMLAuthRawResponse struct {
    // Username is authenticated teleport username
    Username string `json:"username"`
    // Identity contains validated SAML identity
    Identity types.ExternalIdentity `json:"identity"`
    // Web session will be generated by auth server if requested in SAMLAuthRequest
    Session json.RawMessage `json:"session,omitempty"`
    // Cert will be generated by certificate authority
    Cert []byte `json:"cert,omitempty"`
    // Req is original SAML auth request
    Req SAMLAuthRequest `json:"req"`
    // HostSigners is a list of signing host public keys
    // trusted by proxy, used in console login
    HostSigners []json.RawMessage `json:"host_signers"`
    // TLSCert is a PEM encoded TLS certificate
    TLSCert []byte `json:"tls_cert,omitempty"`
}
SAMLAuthRawResponse is returned by the auth server once it has validated the callback parameters returned from the SAML provider. It differs from SAMLAuthResponse only in keeping Session and HostSigners as raw JSON.
type SAMLAuthRequest ¶
type SAMLAuthRequest struct {
    // ID is a unique request ID.
    ID string `json:"id"`
    // PublicKey is an optional public key; if supplied, the auth server's
    // user CA signs it on successful auth.
    PublicKey []byte `json:"public_key"`
    // CSRFToken is associated with user web session token.
    CSRFToken string `json:"csrf_token"`
    // CreateWebSession indicates if user wants to generate a web
    // session after successful authentication.
    CreateWebSession bool `json:"create_web_session"`
    // ClientRedirectURL is a URL the client wants to be redirected to
    // after successful authentication.
    ClientRedirectURL string `json:"client_redirect_url"`
}
SAMLAuthRequest is a SAML auth request that supports standard json marshaling.
type SAMLAuthResponse ¶
type SAMLAuthResponse struct {
    // Username is an authenticated teleport username
    Username string `json:"username"`
    // Identity contains validated SAML identity
    Identity types.ExternalIdentity `json:"identity"`
    // Web session will be generated by auth server if requested in SAMLAuthRequest
    Session types.WebSession `json:"session,omitempty"`
    // Cert will be generated by certificate authority
    Cert []byte `json:"cert,omitempty"`
    // TLSCert is a PEM encoded TLS certificate
    TLSCert []byte `json:"tls_cert,omitempty"`
    // Req is an original SAML auth request
    Req SAMLAuthRequest `json:"req"`
    // HostSigners is a list of signing host public keys
    // trusted by proxy, used in console login
    HostSigners []types.CertAuthority `json:"host_signers"`
}
SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider
type SAMLService ¶
type SAMLService interface {
	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
}
SAMLService is the set of methods that the auth server delegates to a plugin implementing the SAML connector. These are the core functions of SAML authentication; the connector CRUD operations and Get methods are implemented in auth.Server and contain no connector-specific logic.
type SSHLoginResponse ¶
type SSHLoginResponse struct {
	// Username contains the logged-in user information
	Username string `json:"username"`
	// Cert is a PEM encoded signed certificate
	Cert []byte `json:"cert"`
	// TLSCert is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}
SSHLoginResponse is the response returned by the web proxy. It preserves backwards compatibility on the wire, which is the primary reason the field names and JSON tags do not match.
type SSODiagContext ¶
type SSODiagContext struct {
	// AuthKind is auth kind such as types.KindSAML
	AuthKind string
	// DiagService is the SSODiagService that will record our diagnostic info in the backend.
	DiagService SSODiagService
	// RequestID is the ID of the auth request being processed.
	RequestID string
	// Info accumulates SSO diagnostic Info
	Info types.SSODiagnosticInfo
}
SSODiagContext is a helper type for accumulating the SSO diagnostic info prior to writing it to the backend.
func NewSSODiagContext ¶
func NewSSODiagContext(authKind string, diagSvc SSODiagService) *SSODiagContext
NewSSODiagContext returns a new SSODiagContext that records its diagnostic info through diagSvc. authKind must be one of the supported auth kinds (e.g. types.KindSAML).
func (*SSODiagContext) WriteToBackend ¶
func (c *SSODiagContext) WriteToBackend(ctx context.Context)
WriteToBackend saves the accumulated SSO diagnostic information to the backend.
type SSODiagService ¶
type SSODiagService interface {
	// CreateSSODiagnosticInfo creates new SSO diagnostic info record.
	CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error
}
SSODiagService is a thin slice of services.Identity required by SSODiagContext to record the SSO diagnostic info in a store.
type SSODiagServiceFunc ¶
type SSODiagServiceFunc func(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error
SSODiagServiceFunc is an adaptor allowing a function to be used in place of the SSODiagService interface.
func (SSODiagServiceFunc) CreateSSODiagnosticInfo ¶
func (f SSODiagServiceFunc) CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error
type Server ¶
type Server struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// ServerID is the server ID of this auth server.
	ServerID string

	// Unstable implements Unstable backend methods not suitable
	// for inclusion in Services.
	Unstable local.UnstableService

	// Services encapsulate services - provisioner, trust, etc. used by the auth
	// server in a separate structure. Reads through Services hit the backend.
	*Services

	// Cache should either be the same as Services, or a caching layer over it.
	// As it's an interface (and thus directly implementing all of its methods)
	// its embedding takes priority over Services (which only indirectly
	// implements its methods), thus any implemented GetFoo method on both Cache
	// and Services will call the one from Cache. To bypass the cache, call the
	// method on Services instead.
	Cache

	// Streamer is an events session streamer, used to create continuous
	// session related streams
	events.Streamer

	// UnifiedResourceCache is a cache of multiple resource kinds to be presented
	// in a unified manner in the web UI.
	UnifiedResourceCache *services.UnifiedResourceCache
	// contains filtered or unexported fields
}
Server keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:
- generates the keypair for the node it's running on
- invites other SSH nodes to a cluster, by issuing invite tokens
- adds other SSH nodes to a cluster, by checking their token and signing their keys
- same for users and their sessions
- checks public keys to see if they're signed by it (can be trusted or not)
func Init ¶
func Init(ctx context.Context, cfg InitConfig, opts ...ServerOption) (*Server, error)
Init instantiates and configures an instance of AuthServer
func NewServer ¶
func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error)
NewServer creates and configures a new Server instance
func (*Server) AddMFADeviceSync ¶
func (a *Server) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
AddMFADeviceSync implements AuthService.AddMFADeviceSync.
func (*Server) AugmentContextUserCertificates ¶
func (a *Server) AugmentContextUserCertificates(
	ctx context.Context,
	authCtx *authz.Context,
	opts *AugmentUserCertificateOpts,
) (*proto.Certs, error)
AugmentContextUserCertificates augments the context user certificates with the given extensions. It requires the user's TLS certificate to be present in the [ctx], in addition to the [authCtx] itself.
Any additional certificates to augment, such as the SSH certificate, must be valid and fully match the certificate used to authenticate (likely the user's mTLS cert).
Used by Device Trust to add device extensions to the user certificate.
func (*Server) AuthenticateSSHUser ¶
func (a *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH user and returns SSH and TLS certificates for the public key in req.
func (*Server) AuthenticateUser ¶
func (a *Server) AuthenticateUser(ctx context.Context, req AuthenticateUserRequest) (services.UserState, services.AccessChecker, error)
AuthenticateUser authenticates a user based on the request type. On success it returns the authenticated user's state and access checker.
func (*Server) AuthenticateWebUser ¶
func (a *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session. If an existing session ID is used to authenticate, the existing session is returned instead of creating a new one.
func (*Server) CallLoginHooks ¶
CallLoginHooks will call the registered login hooks.
func (*Server) ChangePassword ¶
ChangePassword updates a user's password after verifying the old password.
func (*Server) ChangeUserAuthentication ¶
func (a *Server) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.
func (*Server) CloseContext ¶
CloseContext returns the close context
func (*Server) CompareAndSwapHeadlessAuthentication ¶
func (a *Server) CompareAndSwapHeadlessAuthentication(ctx context.Context, old, new *types.HeadlessAuthentication) (*types.HeadlessAuthentication, error)
CompareAndSwapHeadlessAuthentication performs a compare and swap replacement on a headless authentication resource.
func (*Server) CompareAndSwapUser ¶
CompareAndSwapUser updates a user but fails if the value on the backend does not match the expected value.
func (*Server) CompleteAccountRecovery ¶
func (a *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
CompleteAccountRecovery implements AuthService.CompleteAccountRecovery.
func (*Server) CreateAccessRequestV2 ¶
func (a *Server) CreateAccessRequestV2(ctx context.Context, req types.AccessRequest, identity tlsca.Identity) (types.AccessRequest, error)
func (*Server) CreateAccountRecoveryCodes ¶
func (a *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
CreateAccountRecoveryCodes implements AuthService.CreateAccountRecoveryCodes.
func (*Server) CreateAppSession ¶
func (a *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, user services.UserState, identity tlsca.Identity, checker services.AccessChecker) (types.WebSession, error)
CreateAppSession creates and inserts a services.WebSession into the backend with the identity of the caller used to generate the certificate. The certificate is used for all access requests, which is where access control is enforced.
func (*Server) CreateAssistantConversation ¶
func (a *Server) CreateAssistantConversation(ctx context.Context, req *assist.CreateAssistantConversationRequest) (*assist.CreateAssistantConversationResponse, error)
CreateAssistantConversation creates a new conversation entry in the backend.
func (*Server) CreateAssistantMessage ¶
func (a *Server) CreateAssistantMessage(ctx context.Context, msg *assist.CreateAssistantMessageRequest) error
CreateAssistantMessage adds the message to the backend.
func (*Server) CreateAuthenticateChallenge ¶
func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge implements AuthService.CreateAuthenticateChallenge.
func (*Server) CreateDatabase ¶
CreateDatabase creates a new database resource.
func (*Server) CreateGithubAuthRequest ¶
func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
CreateGithubAuthRequest creates a new request for Github OAuth2 flow
func (*Server) CreateKubernetesCluster ¶
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*Server) CreateOIDCAuthRequest ¶
func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
func (*Server) CreateOIDCConnector ¶
func (a *Server) CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
CreateOIDCConnector creates a new OIDC connector.
func (*Server) CreatePrivilegeToken ¶
func (a *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken implements AuthService.CreatePrivilegeToken.
func (*Server) CreateRegisterChallenge ¶
func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
CreateRegisterChallenge implements AuthService.CreateRegisterChallenge.
func (*Server) CreateResetPasswordToken ¶
func (a *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
CreateResetPasswordToken creates a reset password token
func (*Server) CreateRole ¶
CreateRole creates a role and emits a related audit event.
func (*Server) CreateSAMLAuthRequest ¶
func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
CreateSAMLAuthRequest delegates the method call to the samlAuthService if present, or returns a NotImplemented error if not present.
func (*Server) CreateSAMLConnector ¶
func (a *Server) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
CreateSAMLConnector creates a new SAML connector.
func (*Server) CreateSAMLIdPSession ¶
func (a *Server) CreateSAMLIdPSession(
	ctx context.Context,
	req types.CreateSAMLIdPSessionRequest,
	identity tlsca.Identity,
	checker services.AccessChecker,
) (types.WebSession, error)
func (*Server) CreateSessionCert ¶
func (*Server) CreateSessionTracker ¶
func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*Server) CreateSnowflakeSession ¶
func (a *Server) CreateSnowflakeSession(
	ctx context.Context,
	req types.CreateSnowflakeSessionRequest,
	identity tlsca.Identity,
	checker services.AccessChecker,
) (types.WebSession, error)
func (*Server) CreateUser ¶
CreateUser inserts a new user entry in a backend.
TODO(tross): DELETE IN 16.0.0
Deprecated: use usersv1.Service.CreateUser instead.
func (*Server) CreateWebSession ¶
CreateWebSession creates a new web session for a user without performing any checks; it is used by admins.
func (*Server) CreateWebSessionFromReq ¶
func (a *Server) CreateWebSessionFromReq(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
func (*Server) CreateWindowsDesktop ¶
CreateWindowsDesktop implements services.WindowsDesktops by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) DeleteAccessRequest ¶
func (*Server) DeleteAssistantConversation ¶
func (a *Server) DeleteAssistantConversation(ctx context.Context, request *assist.DeleteAssistantConversationRequest) error
DeleteAssistantConversation deletes a conversation from the backend.
func (*Server) DeleteDatabase ¶
DeleteDatabase deletes a database resource.
func (*Server) DeleteKubernetesCluster ¶
DeleteKubernetesCluster deletes a kubernetes cluster resource.
func (*Server) DeleteLock ¶
DeleteLock deletes a lock and emits a related audit event.
func (*Server) DeleteMFADeviceSync ¶
func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
DeleteMFADeviceSync implements AuthService.DeleteMFADeviceSync.
func (*Server) DeleteNamespace ¶
func (*Server) DeleteOIDCConnector ¶
DeleteOIDCConnector deletes an OIDC connector by name.
func (*Server) DeleteRemoteCluster ¶
DeleteRemoteCluster deletes the remote cluster resource and all certificate authorities associated with it.
func (*Server) DeleteRole ¶
DeleteRole deletes a role and emits a related audit event.
func (*Server) DeleteSAMLConnector ¶
DeleteSAMLConnector deletes a SAML connector.
func (*Server) DeleteToken ¶
func (*Server) DeleteTrustedCluster ¶
DeleteTrustedCluster removes types.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.
func (*Server) DeleteUser ¶
DeleteUser deletes an existing user in a backend by username.
TODO(tross): DELETE IN 16.0.0
Deprecated: use usersv1.Service.DeleteUser instead.
func (*Server) DeleteWindowsDesktop ¶
func (*Server) EmitAuditEvent ¶
EmitAuditEvent implements apievents.Emitter by delegating to its dedicated emitter rather than falling back to the implementation from Services (using the audit log directly, which is almost never what you want).
func (*Server) ExportUpgradeWindows ¶
func (a *Server) ExportUpgradeWindows(ctx context.Context, req proto.ExportUpgradeWindowsRequest) (proto.ExportUpgradeWindowsResponse, error)
func (*Server) ExtendWebSession ¶
func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous (current) session.
If there is an approved access request, additional roles are appended to the roles that were extracted from identity. The new session expiration time will not exceed the expiration time of the previous session.
If there is a switchback request, the roles switch back to the user's default roles and the expiration time is derived from the user's most recent login time.
func (*Server) GenerateCertAuthorityCRL ¶
func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for the local CA of a given type.
func (*Server) GenerateDatabaseCert ¶
func (a *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.
func (*Server) GenerateDatabaseTestCert ¶
func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)
GenerateDatabaseTestCert generates a database access certificate for the provided parameters. Used only internally in tests.
func (*Server) GenerateExternalAuditStorageOIDCToken ¶
GenerateExternalAuditStorageOIDCToken generates a signed OIDC token for use by the External Audit Storage feature when authenticating to customer AWS accounts.
func (*Server) GenerateHostCert ¶
func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)
GenerateHostCert uses the private key of the CA to sign the public key of the host (along with metadata like host ID, node name, roles, and TTL) to generate a host certificate.
func (*Server) GenerateHostCerts ¶
func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.
func (*Server) GenerateOpenSSHCert ¶
func (a *Server) GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)
func (*Server) GenerateSnowflakeJWT ¶
func (a *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates JWT in the format required by Snowflake.
func (*Server) GenerateUserAppTestCert ¶
func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)
GenerateUserAppTestCert generates an application specific certificate, used internally for tests.
func (*Server) GenerateUserTestCerts ¶
func (a *Server) GenerateUserTestCerts(req GenerateUserTestCertsRequest) ([]byte, []byte, error)
GenerateUserTestCerts is used to generate user certificate, used internally for tests
func (*Server) GenerateWindowsDesktopCert ¶
func (a *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.
func (*Server) GetAccessCapabilities ¶
func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*Server) GetAccountRecoveryCodes ¶
func (a *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
GetAccountRecoveryCodes implements AuthService.GetAccountRecoveryCodes.
func (*Server) GetAccountRecoveryToken ¶
func (a *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
GetAccountRecoveryToken implements AuthService.GetAccountRecoveryToken.
func (*Server) GetAssistantConversations ¶
func (a *Server) GetAssistantConversations(ctx context.Context, request *assist.GetAssistantConversationsRequest) (*assist.GetAssistantConversationsResponse, error)
GetAssistantConversations returns all conversations started by a user.
func (*Server) GetAssistantMessages ¶
func (a *Server) GetAssistantMessages(ctx context.Context, req *assist.GetAssistantMessagesRequest) (*assist.GetAssistantMessagesResponse, error)
GetAssistantMessages returns all messages with given conversation ID.
func (*Server) GetClusterCACert ¶
GetClusterCACert returns the PEM-encoded TLS certs for the local cluster. If the cluster has multiple TLS certs, they will all be concatenated.
func (*Server) GetDomainName ¶
GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"
func (*Server) GetEmitter ¶
GetEmitter fetches the current audit log emitter implementation.
func (*Server) GetHeadlessAuthenticationFromWatcher ¶
func (a *Server) GetHeadlessAuthenticationFromWatcher(ctx context.Context, username, name string) (*types.HeadlessAuthentication, error)
GetHeadlessAuthenticationFromWatcher gets a headless authentication from the headless authentication watcher.
func (*Server) GetInventoryConnectedServiceCount ¶
func (a *Server) GetInventoryConnectedServiceCount(service types.SystemRole) uint64
GetInventoryConnectedServiceCount returns the counts of a particular connected service seen in the inventory.
func (*Server) GetInventoryConnectedServiceCounts ¶
func (a *Server) GetInventoryConnectedServiceCounts() proto.InventoryConnectedServiceCounts
GetInventoryConnectedServiceCounts returns the counts of each connected service seen in the inventory.
func (*Server) GetInventoryStatus ¶
func (a *Server) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
func (*Server) GetKeyStore ¶
GetKeyStore returns the KeyStore used by the auth server
func (*Server) GetLicense ¶
GetLicense returns the license used to start the Teleport enterprise auth server.
func (*Server) GetLoginRuleEvaluator ¶
GetLoginRuleEvaluator returns the login rule evaluator. It is guaranteed not to return nil, if no evaluator has been installed it will return [loginrule.NullEvaluator].
func (*Server) GetMFADevices ¶
func (a *Server) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
GetMFADevices returns all mfa devices for the user defined in the token or the user defined in context.
func (*Server) GetNodeStream ¶
GetNodeStream streams a list of registered servers.
func (*Server) GetRemoteCluster ¶
func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
GetRemoteCluster returns remote cluster by name
func (*Server) GetRemoteClusters ¶
func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
GetRemoteClusters returns remote clusters with updated statuses
func (*Server) GetTokens ¶
func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)
GetTokens returns all tokens (machine provisioning tokens and user tokens). Machine tokens usually carry "node roles" such as auth, proxy and node, while user invitation tokens carry the 'signup' role.
func (*Server) GetUserOrLoginState ¶
func (a *Server) GetUserOrLoginState(ctx context.Context, username string) (services.UserState, error)
GetUserOrLoginState will return the given user or the login state associated with the user.
func (*Server) GetWebSession ¶
func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns existing web session described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.
func (*Server) GetWebSessionInfo ¶
func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo returns the web session specified with sessionID for the given user. The session is stripped of any authentication details. Implements auth.WebUIService
func (*Server) GetWebToken ¶
func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns existing web token described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.
func (*Server) IterateResources ¶
func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, f func(resource types.ResourceWithLabels) error) error
IterateResources loads all resources matching the provided request and passes them one by one to the provided callback function. To stop iteration callers may return ErrDone from the callback function, which will result in a nil return from IterateResources. Any other errors returned from the callback function cause iteration to stop and the error to be returned.
func (*Server) KeepAliveServer ¶
KeepAliveServer implements services.Presence by delegating to [Server.Services] and potentially emitting a usagereporter event.
func (*Server) ListResources ¶
func (a *Server) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
ListResources returns paginated resources depending on the resource type.
func (*Server) MakeLocalInventoryControlStream ¶
func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream
MakeLocalInventoryControlStream sets up an in-memory control stream which automatically registers with this auth server upon hello exchange.
func (*Server) NewKeepAliver ¶
NewKeepAliver returns a new instance of keep aliver
func (*Server) NewWebSession ¶
func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
NewWebSession creates and returns a new web session for the specified request
func (*Server) Ping ¶
Ping gets basic info about the auth server. Please note that Ping is publicly accessible (not protected by any RBAC) by design, and thus PingResponse must never contain any sensitive information.
func (*Server) PingInventory ¶
func (a *Server) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
func (*Server) PreAuthenticatedSignIn ¶
func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)
PreAuthenticatedSignIn is for MFA authentication methods where the password has already been checked before the second factor challenge is issued.
func (*Server) ProcessKubeCSR ¶
func (a *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.
func (*Server) ReconcileServerInfos ¶
ReconcileServerInfos periodically reconciles the labels of ServerInfo resources with their corresponding Teleport SSH servers.
func (*Server) RegisterInventoryControlStream ¶
func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error
func (*Server) RegisterLoginHook ¶
RegisterLoginHook will register a login hook with the auth server.
func (*Server) RegisterUsingAzureMethod ¶
func (a *Server) RegisterUsingAzureMethod(ctx context.Context, challengeResponse client.RegisterAzureChallengeResponseFunc, opts ...azureRegisterOption) (*proto.Certs, error)
RegisterUsingAzureMethod registers the caller using the Azure join method and returns signed certs to join the cluster.
The caller must provide a ChallengeResponseFunc which returns a *proto.RegisterUsingAzureMethodRequest with a signed attested data document including the challenge as a nonce.
func (*Server) RegisterUsingIAMMethod ¶
func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterIAMChallengeResponseFunc, opts ...iamRegisterOption) (*proto.Certs, error)
RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.
The caller must provide a ChallengeResponseFunc which returns a *types.RegisterUsingTokenRequest with a signed sts:GetCallerIdentity request including the challenge as a signed header.
func (*Server) RegisterUsingToken ¶
func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
RegisterUsingToken returns credentials for a new node to join the Teleport cluster using a previously issued token.
A node must also request a specific role (and the role must match one of the roles the token was generated for.)
If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires.)
If the token includes a specific join method, the rules for that join method will be checked.
func (*Server) ResetLoginHooks ¶
func (a *Server) ResetLoginHooks()
ResetLoginHooks will clear out the login hooks.
func (*Server) ResetPassword ¶
ResetPassword securely generates a new random password and assigns it to user. This method is used to invalidate existing user password during password reset process.
func (*Server) RotateCertAuthority ¶
func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
The rotation procedure is modelled as a state machine.
Here are the supported rotation states:
- Standby - the cluster is in standby mode and ready to take action.
- In-progress - cluster CA rotation is in progress.
In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.
Here are the supported phases:
* Standby - no action is taken.
* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.
This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.
* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers (TLS, SSH and proxies) will still use old credentials. Certs from the old CA and the new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients would not have received the new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".
* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.
* Rollback phase is used to revert any changes. When going to the rollback phase the newly issued CA is no longer used, but is kept trusted, so components can reload and receive credentials issued by the "old" CA back. This phase is useful when an administrator makes a mistake, or there are offline components that would lose their connection if the rotation completed. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" from "Rollback", all components reload again, but the "new" CA is discarded and is no longer trusted; the cluster goes back to its original state.
Rotation modes ¶
There are two rotation modes supported - manual or automatic.
* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.
* Automatic mode performs automatic transition between phases on a given schedule. The schedule is a time table that specifies the exact time when each next phase should take place. If an automatic transition between any phases fails, the rotation switches back to manual mode and stops executing phases on the schedule. If a schedule is not specified, it is auto-generated from the "grace period" duration parameter, with the time between all phases split evenly over the grace period.
It is possible to switch from automatic to manual by setting the phase to the rollback phase.
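The phase state machine and the default automatic schedule described above, as an added example (it is not the package's own code). The phase string values mirror the rotation phase constants in Teleport's api/types package and are assumed here; the Init phase that starts a rotation from Standby, and its transitions to Update Clients or Rollback, are likewise assumed because their description is not in this section. CA names are opaque labels constructed by the caller.

```go
package main

import (
	"fmt"
	"time"
)

// Rotation phase names (assumed to match the api/types constants).
const (
	PhaseStandby       = "standby"
	PhaseInit          = "init"
	PhaseUpdateClients = "update_clients"
	PhaseUpdateServers = "update_servers"
	PhaseRollback      = "rollback"
)

// allowedTransitions encodes the transitions the phase descriptions permit.
// The Init row is assumed; the other rows come from the documentation.
var allowedTransitions = map[string][]string{
	PhaseInit:          {PhaseUpdateClients, PhaseRollback},
	PhaseUpdateClients: {PhaseUpdateServers, PhaseRollback},
	PhaseUpdateServers: {PhaseRollback, PhaseStandby},
	PhaseRollback:      {PhaseStandby},
}

// Rotation tracks the current phase and the two CA identities involved.
type Rotation struct {
	Phase    string
	ActiveCA string // CA in use before the rotation began (and after rollback)
	NextCA   string // CA being introduced; empty while in standby
}

// Begin starts a rotation from standby by introducing nextCA and entering Init.
func (r *Rotation) Begin(nextCA string) error {
	if r.Phase != PhaseStandby {
		return fmt.Errorf("rotation already in progress (phase %q)", r.Phase)
	}
	r.NextCA, r.Phase = nextCA, PhaseInit
	return nil
}

// Transition validates the requested phase change and applies the CA
// bookkeeping the documentation describes for entering standby.
func (r *Rotation) Transition(to string) error {
	ok := false
	for _, t := range allowedTransitions[r.Phase] {
		if t == to {
			ok = true
		}
	}
	if !ok {
		return fmt.Errorf("invalid rotation transition %q -> %q", r.Phase, to)
	}
	if to == PhaseStandby {
		if r.Phase == PhaseRollback {
			r.NextCA = "" // rollback completed: the new CA is discarded
		} else {
			r.ActiveCA, r.NextCA = r.NextCA, "" // rotation completed: old CA removed
		}
	}
	r.Phase = to
	return nil
}

// TrustedCAs lists the CAs components trust in the current phase: only the
// active CA in standby, both CAs while a rotation is in progress.
func (r Rotation) TrustedCAs() []string {
	if r.Phase == PhaseStandby {
		return []string{r.ActiveCA}
	}
	return []string{r.ActiveCA, r.NextCA}
}

// IssuingCA reports which CA signs credentials handed to reloading components.
// During rollback the new CA stays trusted but is no longer used for issuance.
func (r Rotation) IssuingCA() string {
	switch r.Phase {
	case PhaseUpdateClients, PhaseUpdateServers:
		return r.NextCA
	default:
		return r.ActiveCA
	}
}

// Schedule is the time table automatic mode follows.
type Schedule struct {
	UpdateClients, UpdateServers, Standby time.Time
}

// AutoSchedule splits the grace period evenly across the three transitions
// that follow Init, as the documentation describes when no schedule is given.
func AutoSchedule(start time.Time, gracePeriod time.Duration) Schedule {
	step := gracePeriod / 3
	return Schedule{
		UpdateClients: start.Add(step),
		UpdateServers: start.Add(2 * step),
		Standby:       start.Add(gracePeriod),
	}
}

func main() {
	r := Rotation{Phase: PhaseStandby, ActiveCA: "host-ca-v1"}
	_ = r.Begin("host-ca-v2")
	for _, p := range []string{PhaseUpdateClients, PhaseUpdateServers, PhaseStandby} {
		if err := r.Transition(p); err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("phase=%s issuing=%s trusted=%v\n", r.Phase, r.IssuingCA(), r.TrustedCAs())
	}
}
```

Running the block walks a rotation to completion; the test path below also exercises the rollback branch, where the original CA stays active and the new one is dropped.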
func (*Server) RotateExternalCertAuthority ¶
RotateExternalCertAuthority rotates an external certificate authority. This method is called by a remote trusted cluster and is used to update only the public keys and certificates of the certificate authority.
func (*Server) SetAccessRequestState ¶
func (*Server) SetAuditLog ¶
func (a *Server) SetAuditLog(auditLog events.AuditLogSessionStreamer)
SetAuditLog sets the server's audit log
func (*Server) SetEmitter ¶
SetEmitter sets the current audit log emitter. Note that this is only safe to use before main server start.
func (*Server) SetHeadlessAuthenticationWatcher ¶
func (a *Server) SetHeadlessAuthenticationWatcher(headlessAuthenticationWatcher *local.HeadlessAuthenticationWatcher)
func (*Server) SetLicense ¶
func (a *Server) SetLicense(license *liblicense.License)
SetLicense sets the license
func (*Server) SetLockWatcher ¶
func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)
func (*Server) SetLoginRuleEvaluator ¶
SetLoginRuleEvaluator sets the login rule evaluator.
func (*Server) SetOIDCService ¶
func (a *Server) SetOIDCService(svc OIDCService)
SetOIDCService registers svc as the OIDCService that provides the OIDC connector implementation. If an OIDCService has already been registered, this will override the previous registration.
func (*Server) SetReleaseService ¶
SetReleaseService sets the release service
func (*Server) SetSAMLService ¶
func (a *Server) SetSAMLService(svc SAMLService)
SetSAMLService registers svc as the SAMLService that provides the SAML connector implementation. If a SAMLService has already been registered, this will override the previous registration.
func (*Server) SetUnifiedResourcesCache ¶
func (a *Server) SetUnifiedResourcesCache(unifiedResourcesCache *services.UnifiedResourceCache)
SetUnifiedResourcesCache sets the unified resource cache.
func (*Server) SetUpgradeWindowStartHourGetter ¶
SetUpgradeWindowStartHourGetter sets the getter used to sync the ClusterMaintenanceConfig resource with the cloud UpgradeWindowStartHour value.
func (*Server) SetUsageReporter ¶
func (a *Server) SetUsageReporter(reporter usagereporter.UsageReporter)
SetUsageReporter sets the server's usage reporter. Note that this is only safe to use before server start.
func (*Server) SignDatabaseCSR ¶
func (a *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.
func (*Server) StartAccountRecovery ¶
func (a *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
StartAccountRecovery implements AuthService.StartAccountRecovery.
func (*Server) SubmitAccessReview ¶
func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
SubmitAccessReview is used to process a review of an Access Request. This is implemented by Server.submitAccessRequest but this method exists to provide a matching signature with the auth client. This allows the hosted plugins to use the Server struct directly as a client.
func (*Server) SubmitUsageEvent ¶
SubmitUsageEvent submits an external usage event.
func (*Server) UpdateAssistantConversationInfo ¶
func (a *Server) UpdateAssistantConversationInfo(ctx context.Context, msg *assist.UpdateAssistantConversationInfoRequest) error
UpdateAssistantConversationInfo stores the given conversation title in the backend.
func (*Server) UpdateDatabase ¶
UpdateDatabase updates an existing database resource.
func (*Server) UpdateKubernetesCluster ¶
UpdateKubernetesCluster updates an existing kubernetes cluster resource.
func (*Server) UpdateLabels ¶
UpdateLabels updates the labels on an instance over the inventory control stream.
func (*Server) UpdateOIDCConnector ¶
func (a *Server) UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
UpdateOIDCConnector updates an existing OIDC connector.
func (*Server) UpdateRole ¶
UpdateRole updates a role and emits a related audit event.
func (*Server) UpdateSAMLConnector ¶
func (a *Server) UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
UpdateSAMLConnector updates an existing SAML connector.
func (*Server) UpdateUser ¶
UpdateUser updates an existing user in a backend. TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.UpdateUser instead.
func (*Server) UpdateWindowsDesktop ¶
UpdateWindowsDesktop implements services.WindowsDesktops by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) UpsertApplicationServer ¶
func (a *Server) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
UpsertApplicationServer implements services.Presence by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) UpsertDatabaseServer ¶
func (a *Server) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
UpsertDatabaseServer implements services.Presence by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) UpsertHeadlessAuthenticationStub ¶
UpsertHeadlessAuthenticationStub creates a headless authentication stub for the user that will expire after the standard callback timeout.
func (*Server) UpsertKubernetesServer ¶
func (a *Server) UpsertKubernetesServer(ctx context.Context, server types.KubeServer) (*types.KeepAlive, error)
UpsertKubernetesServer implements services.Presence by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) UpsertLock ¶
UpsertLock upserts a lock and emits a related audit event.
func (*Server) UpsertNode ¶
UpsertNode implements services.Presence by delegating to [Server.Services] and potentially emitting a usagereporter event.
func (*Server) UpsertOIDCConnector ¶
func (a *Server) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
UpsertOIDCConnector creates or updates an OIDC connector.
func (*Server) UpsertRole ¶
UpsertRole creates or updates a role and emits a related audit event.
func (*Server) UpsertSAMLConnector ¶
func (a *Server) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
UpsertSAMLConnector creates or updates a SAML connector.
func (*Server) UpsertTrustedCluster ¶
func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (newTrustedCluster types.TrustedCluster, returnErr error)
UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.
func (*Server) UpsertUser ¶
UpsertUser updates a user. TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.UpsertUser instead.
func (*Server) UpsertWindowsDesktop ¶
UpsertWindowsDesktop implements services.WindowsDesktops by delegating to [Server.Services] and then potentially emitting a usagereporter event.
func (*Server) ValidateGithubAuthCallback ¶
func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback redirect
func (*Server) ValidateMFAAuthResponse ¶
func (a *Server) ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, passwordless bool) (*types.MFADevice, string, error)
ValidateMFAAuthResponse validates an MFA or passwordless challenge. Returns the device used to solve the challenge (if applicable) and the username.
func (*Server) ValidateOIDCAuthCallback ¶
func (*Server) ValidateSAMLResponse ¶
func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
ValidateSAMLResponse delegates the method call to the samlAuthService if present, or returns a NotImplemented error if not present.
func (*Server) ValidateToken ¶
ValidateToken takes a provisioning token value and checks whether it is valid. It returns the list of roles this token allows its owner to assume and the token's labels, or an error if the token cannot be found.
func (*Server) VerifyAccountRecovery ¶
func (a *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
VerifyAccountRecovery implements AuthService.VerifyAccountRecovery.
func (*Server) WithUserLock ¶
func (a *Server) WithUserLock(ctx context.Context, username string, authenticateFn func() error) error
WithUserLock executes authenticateFn, which performs user authentication. If authenticateFn returns a non-nil error, the login attempt is recorded as failed. The only exception is ConnectionProblemError: in that case access is denied, but the login attempt is not recorded, to avoid locking users out because of backend failures. If a user exceeds defaults.MaxLoginAttempts, the user account is locked for defaults.AccountLockInterval.
type ServerOption ¶
ServerOption allows setting options as functional arguments to Server
func WithClock ¶
func WithClock(clock clockwork.Clock) ServerOption
WithClock is a functional server option that sets the server's clock
func WithEmbedder ¶
func WithEmbedder(embedder embedding.Embedder) ServerOption
WithEmbedder is a functional server option that sets the server's embedder.
type ServerWithRoles ¶
type ServerWithRoles struct {
// contains filtered or unexported fields
}
ServerWithRoles is a wrapper around auth service methods that focuses on authorizing every request
func (*ServerWithRoles) AcquireSemaphore ¶
func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
AcquireSemaphore acquires lease with requested resources from semaphore.
func (*ServerWithRoles) AddMFADeviceSync ¶
func (a *ServerWithRoles) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.
func (*ServerWithRoles) AppendDiagnosticTrace ¶
func (a *ServerWithRoles) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
AppendDiagnosticTrace adds a new trace for the given ConnectionDiagnostic.
func (*ServerWithRoles) AuthenticateSSHUser ¶
func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed short-lived TLS and SSH certificates.
func (*ServerWithRoles) AuthenticateWebUser ¶
func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session.
func (*ServerWithRoles) CancelSemaphoreLease ¶
func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
CancelSemaphoreLease cancels semaphore lease early.
func (*ServerWithRoles) ChangePassword ¶
func (a *ServerWithRoles) ChangePassword(ctx context.Context, req *proto.ChangePasswordRequest) error
ChangePassword updates the user's password after checking the old password.
func (*ServerWithRoles) ChangeUserAuthentication ¶
func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication is implemented by AuthService.ChangeUserAuthentication.
func (*ServerWithRoles) ClearAlertAcks ¶
func (a *ServerWithRoles) ClearAlertAcks(ctx context.Context, req proto.ClearAlertAcksRequest) error
func (*ServerWithRoles) Close ¶
func (a *ServerWithRoles) Close() error
func (*ServerWithRoles) CloseContext ¶
func (a *ServerWithRoles) CloseContext() context.Context
CloseContext is closed when the auth server shuts down
func (*ServerWithRoles) CompareAndSwapCertAuthority ¶
func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*ServerWithRoles) CompareAndSwapUser ¶
CompareAndSwapUser updates an existing user in a backend, but fails if the backend's value does not match the expected value. Captures the auth user who modified the user record.
func (*ServerWithRoles) CompleteAccountRecovery ¶
func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.
func (*ServerWithRoles) CreateAccessRequestV2 ¶
func (a *ServerWithRoles) CreateAccessRequestV2(ctx context.Context, req types.AccessRequest) (types.AccessRequest, error)
func (*ServerWithRoles) CreateAccountRecoveryCodes ¶
func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.
func (*ServerWithRoles) CreateAlertAck ¶
func (a *ServerWithRoles) CreateAlertAck(ctx context.Context, ack types.AlertAcknowledgement) error
func (*ServerWithRoles) CreateApp ¶
func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error
CreateApp creates a new application resource.
func (*ServerWithRoles) CreateAppSession ¶
func (a *ServerWithRoles) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest) (types.WebSession, error)
CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.
func (*ServerWithRoles) CreateAuditStream ¶
func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
CreateAuditStream creates audit event stream
func (*ServerWithRoles) CreateAuthenticateChallenge ¶
func (a *ServerWithRoles) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.
func (*ServerWithRoles) CreateConnectionDiagnostic ¶
func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
CreateConnectionDiagnostic creates a new connection diagnostic.
func (*ServerWithRoles) CreateDatabase ¶
CreateDatabase creates a new database resource.
func (*ServerWithRoles) CreateGithubAuthRequest ¶
func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
func (*ServerWithRoles) CreateGithubConnector ¶
func (a *ServerWithRoles) CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
CreateGithubConnector creates a new Github connector.
func (*ServerWithRoles) CreateIntegration ¶
func (a *ServerWithRoles) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)
CreateIntegration creates an Integration.
func (*ServerWithRoles) CreateKubernetesCluster ¶
func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*ServerWithRoles) CreateOIDCAuthRequest ¶
func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
func (*ServerWithRoles) CreateOIDCConnector ¶
func (a *ServerWithRoles) CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
CreateOIDCConnector creates a new OIDC connector.
func (*ServerWithRoles) CreatePrivilegeToken ¶
func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.
func (*ServerWithRoles) CreateRegisterChallenge ¶
func (a *ServerWithRoles) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.
func (*ServerWithRoles) CreateRemoteCluster ¶
func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error
func (*ServerWithRoles) CreateResetPasswordToken ¶
func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
func (*ServerWithRoles) CreateRole ¶
CreateRole creates a new role.
func (*ServerWithRoles) CreateSAMLAuthRequest ¶
func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
func (*ServerWithRoles) CreateSAMLConnector ¶
func (a *ServerWithRoles) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
CreateSAMLConnector creates a new SAML connector.
func (*ServerWithRoles) CreateSAMLIdPServiceProvider ¶
func (a *ServerWithRoles) CreateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) (err error)
CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource.
func (*ServerWithRoles) CreateSAMLIdPSession ¶
func (a *ServerWithRoles) CreateSAMLIdPSession(ctx context.Context, req types.CreateSAMLIdPSessionRequest) (types.WebSession, error)
CreateSAMLIdPSession creates a SAML IdP session.
func (*ServerWithRoles) CreateSessionTracker ¶
func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*ServerWithRoles) CreateSnowflakeSession ¶
func (a *ServerWithRoles) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)
CreateSnowflakeSession creates a Snowflake web session.
func (*ServerWithRoles) CreateToken ¶
func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error
func (*ServerWithRoles) CreateUserGroup ¶
CreateUserGroup creates a new user group resource.
func (*ServerWithRoles) CreateWebSession ¶
func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
CreateWebSession creates a new web session for the specified user
func (*ServerWithRoles) CreateWindowsDesktop ¶
func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
CreateWindowsDesktop creates a new windows desktop host.
func (*ServerWithRoles) DeleteAccessRequest ¶
func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error
func (*ServerWithRoles) DeleteAllAppSessions ¶
func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error
DeleteAllAppSessions removes all application web sessions.
func (*ServerWithRoles) DeleteAllApplicationServers ¶
func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error
DeleteAllApplicationServers deletes all registered application servers.
func (*ServerWithRoles) DeleteAllApps ¶
func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error
DeleteAllApps removes all application resources.
func (*ServerWithRoles) DeleteAllAuthServers ¶
func (a *ServerWithRoles) DeleteAllAuthServers() error
DeleteAllAuthServers deletes all auth servers
func (*ServerWithRoles) DeleteAllDatabaseServers ¶
func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error
DeleteAllDatabaseServers removes all registered database proxy servers.
func (*ServerWithRoles) DeleteAllDatabaseServices ¶
func (a *ServerWithRoles) DeleteAllDatabaseServices(ctx context.Context) error
DeleteAllDatabaseServices removes all DatabaseService resources.
func (*ServerWithRoles) DeleteAllDatabases ¶
func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error
DeleteAllDatabases removes all database resources.
func (*ServerWithRoles) DeleteAllInstallers ¶
func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error
DeleteAllInstallers removes all installer script resources
func (*ServerWithRoles) DeleteAllIntegrations ¶
func (a *ServerWithRoles) DeleteAllIntegrations(ctx context.Context) error
DeleteAllIntegrations deletes all integrations.
func (*ServerWithRoles) DeleteAllKubernetesClusters ¶
func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error
DeleteAllKubernetesClusters removes all kubernetes cluster resources.
func (*ServerWithRoles) DeleteAllKubernetesServers ¶
func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error
DeleteAllKubernetesServers deletes all registered kubernetes servers.
func (*ServerWithRoles) DeleteAllNodes ¶
func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error
DeleteAllNodes deletes all nodes in a given namespace
func (*ServerWithRoles) DeleteAllProxies ¶
func (a *ServerWithRoles) DeleteAllProxies() error
DeleteAllProxies deletes all proxies
func (*ServerWithRoles) DeleteAllRemoteClusters ¶
func (a *ServerWithRoles) DeleteAllRemoteClusters() error
func (*ServerWithRoles) DeleteAllSAMLIdPServiceProviders ¶
func (a *ServerWithRoles) DeleteAllSAMLIdPServiceProviders(ctx context.Context) (err error)
DeleteAllSAMLIdPServiceProviders removes all SAML IdP service providers.
func (*ServerWithRoles) DeleteAllSAMLIdPSessions ¶
func (a *ServerWithRoles) DeleteAllSAMLIdPSessions(ctx context.Context) error
DeleteAllSAMLIdPSessions removes all SAML IdP sessions.
func (*ServerWithRoles) DeleteAllServerInfos ¶
func (a *ServerWithRoles) DeleteAllServerInfos(ctx context.Context) error
DeleteAllServerInfos deletes all ServerInfos.
func (*ServerWithRoles) DeleteAllSnowflakeSessions ¶
func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error
DeleteAllSnowflakeSessions removes all Snowflake web sessions.
func (*ServerWithRoles) DeleteAllTunnelConnections ¶
func (a *ServerWithRoles) DeleteAllTunnelConnections() error
func (*ServerWithRoles) DeleteAllUserGroups ¶
func (a *ServerWithRoles) DeleteAllUserGroups(ctx context.Context) error
DeleteAllUserGroups removes all user groups.
func (*ServerWithRoles) DeleteAllWindowsDesktopServices ¶
func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error
DeleteAllWindowsDesktopServices removes all registered windows desktop services.
func (*ServerWithRoles) DeleteAllWindowsDesktops ¶
func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error
DeleteAllWindowsDesktops removes all registered windows desktop hosts.
func (*ServerWithRoles) DeleteApp ¶
func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error
DeleteApp removes the specified application resource.
func (*ServerWithRoles) DeleteAppSession ¶
func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error
DeleteAppSession removes an application web session.
func (*ServerWithRoles) DeleteApplicationServer ¶
func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
DeleteApplicationServer deletes specified application server.
func (*ServerWithRoles) DeleteAuthServer ¶
func (a *ServerWithRoles) DeleteAuthServer(name string) error
DeleteAuthServer deletes auth server by name
func (*ServerWithRoles) DeleteClusterMaintenanceConfig ¶
func (a *ServerWithRoles) DeleteClusterMaintenanceConfig(ctx context.Context) error
func (*ServerWithRoles) DeleteClusterName ¶
func (a *ServerWithRoles) DeleteClusterName() error
DeleteClusterName deletes cluster name
func (*ServerWithRoles) DeleteDatabase ¶
func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
DeleteDatabase removes the specified database resource.
func (*ServerWithRoles) DeleteDatabaseServer ¶
func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
DeleteDatabaseServer removes the specified database proxy server.
func (*ServerWithRoles) DeleteDatabaseService ¶
func (a *ServerWithRoles) DeleteDatabaseService(ctx context.Context, name string) error
DeleteDatabaseService removes a specific DatabaseService resource.
func (*ServerWithRoles) DeleteGithubConnector ¶
func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error
DeleteGithubConnector deletes a Github connector by name.
func (*ServerWithRoles) DeleteInstaller ¶
func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error
DeleteInstaller removes an installer script resource
func (*ServerWithRoles) DeleteIntegration ¶
func (a *ServerWithRoles) DeleteIntegration(ctx context.Context, name string) error
DeleteIntegration deletes an integration.
func (*ServerWithRoles) DeleteKubernetesCluster ¶
func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error
DeleteKubernetesCluster removes the specified kubernetes cluster resource.
func (*ServerWithRoles) DeleteKubernetesServer ¶
func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error
DeleteKubernetesServer deletes specified kubernetes server.
func (*ServerWithRoles) DeleteLock ¶
func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error
DeleteLock deletes a lock.
func (*ServerWithRoles) DeleteMFADeviceSync ¶
func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.
func (*ServerWithRoles) DeleteNamespace ¶
func (a *ServerWithRoles) DeleteNamespace(name string) error
DeleteNamespace deletes namespace by name
func (*ServerWithRoles) DeleteNetworkRestrictions ¶
func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error
DeleteNetworkRestrictions deletes the network restrictions.
func (*ServerWithRoles) DeleteNode ¶
func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error
DeleteNode deletes node in the namespace
func (*ServerWithRoles) DeleteOIDCConnector ¶
func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error
func (*ServerWithRoles) DeleteProxy ¶
func (a *ServerWithRoles) DeleteProxy(ctx context.Context, name string) error
DeleteProxy deletes proxy by name
func (*ServerWithRoles) DeleteRemoteCluster ¶
func (a *ServerWithRoles) DeleteRemoteCluster(ctx context.Context, clusterName string) error
func (*ServerWithRoles) DeleteReverseTunnel ¶
func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error
func (*ServerWithRoles) DeleteRole ¶
func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error
DeleteRole deletes role by name
func (*ServerWithRoles) DeleteSAMLConnector ¶
func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error
DeleteSAMLConnector deletes a SAML connector by name.
func (*ServerWithRoles) DeleteSAMLIdPServiceProvider ¶
func (a *ServerWithRoles) DeleteSAMLIdPServiceProvider(ctx context.Context, name string) (err error)
DeleteSAMLIdPServiceProvider removes the specified SAML IdP service provider resource.
func (*ServerWithRoles) DeleteSAMLIdPSession ¶
func (a *ServerWithRoles) DeleteSAMLIdPSession(ctx context.Context, req types.DeleteSAMLIdPSessionRequest) error
DeleteSAMLIdPSession removes a SAML IdP session.
func (*ServerWithRoles) DeleteSemaphore ¶
func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error
DeleteSemaphore deletes a semaphore matching the supplied filter.
func (*ServerWithRoles) DeleteServerInfo ¶
func (a *ServerWithRoles) DeleteServerInfo(ctx context.Context, name string) error
DeleteServerInfo deletes a ServerInfo by name.
func (*ServerWithRoles) DeleteSnowflakeSession ¶
func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error
DeleteSnowflakeSession removes a Snowflake web session.
func (*ServerWithRoles) DeleteStaticTokens ¶
func (a *ServerWithRoles) DeleteStaticTokens() error
DeleteStaticTokens deletes static tokens
func (*ServerWithRoles) DeleteToken ¶
func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error
func (*ServerWithRoles) DeleteTrustedCluster ¶
func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error
DeleteTrustedCluster deletes a trusted cluster by name.
func (*ServerWithRoles) DeleteTunnelConnection ¶
func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
func (*ServerWithRoles) DeleteTunnelConnections ¶
func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error
func (*ServerWithRoles) DeleteUIConfig ¶
func (a *ServerWithRoles) DeleteUIConfig(ctx context.Context) error
func (*ServerWithRoles) DeleteUserAppSessions ¶
func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
DeleteUserAppSessions deletes all of a user's application sessions.
func (*ServerWithRoles) DeleteUserGroup ¶
func (a *ServerWithRoles) DeleteUserGroup(ctx context.Context, name string) error
DeleteUserGroup removes the specified user group resource.
func (*ServerWithRoles) DeleteUserSAMLIdPSessions ¶
func (a *ServerWithRoles) DeleteUserSAMLIdPSessions(ctx context.Context, username string) error
DeleteUserSAMLIdPSessions deletes all of a user's SAML IdP sessions.
func (*ServerWithRoles) DeleteWindowsDesktop ¶
func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
DeleteWindowsDesktop removes the specified Windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.
func (*ServerWithRoles) DeleteWindowsDesktopService ¶
func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error
DeleteWindowsDesktopService removes the specified windows desktop service.
func (*ServerWithRoles) EmitAuditEvent ¶
func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error
EmitAuditEvent emits a single audit event
func (*ServerWithRoles) Export ¶
func (a *ServerWithRoles) Export(ctx context.Context, req *collectortracev1.ExportTraceServiceRequest) (*collectortracev1.ExportTraceServiceResponse, error)
Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows tsh, tctl, etc. to export traces without having to know how to connect to the cluster's upstream collector.
All spans received will have a `teleport.forwarded.for` attribute added to them with the value being one of two things depending on the role of the forwarder:
- User forwarded: `teleport.forwarded.for: alice`
- Instance forwarded: `teleport.forwarded.for: Proxy.clustername:Proxy,Node,Instance`
This allows upstream consumers of the spans to be able to identify forwarded spans and act on them accordingly.
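A consumer-side decoder for the `teleport.forwarded.for` attribute, as an added example (not the package's own code). The user form is taken directly from the first documented value; the split of the instance form into `<hostID>.<cluster>:<role>,<role>,...` is inferred from the second documented value and is an assumption, as is the choice to split at the first dot (host IDs are treated as dot-free, cluster names may contain dots).

```go
package main

import (
	"fmt"
	"strings"
)

// ForwardedFor is the decoded form of a teleport.forwarded.for span attribute.
type ForwardedFor struct {
	Kind    string   // "user" or "instance"
	Name    string   // user name, or the forwarding instance's host ID
	Cluster string   // cluster name (instance-forwarded spans only)
	Roles   []string // system roles of the forwarding instance (instance only)
}

// ParseForwardedFor classifies a forwarded.for value. The instance layout
// "<hostID>.<cluster>:<role>,<role>,..." is inferred from the documented
// example (assumption); any value without ':' is treated as a user name.
func ParseForwardedFor(v string) (ForwardedFor, error) {
	v = strings.TrimSpace(v)
	if v == "" {
		return ForwardedFor{}, fmt.Errorf("empty teleport.forwarded.for value")
	}
	identity, roles, isInstance := strings.Cut(v, ":")
	if !isInstance {
		return ForwardedFor{Kind: "user", Name: v}, nil
	}
	host, cluster, ok := strings.Cut(identity, ".")
	if !ok || host == "" || cluster == "" || roles == "" {
		return ForwardedFor{}, fmt.Errorf("malformed instance forwarded.for value %q", v)
	}
	return ForwardedFor{
		Kind:    "instance",
		Name:    host,
		Cluster: cluster,
		Roles:   strings.Split(roles, ","),
	}, nil
}

// HasRole reports whether the forwarding instance carried the given system role.
func (f ForwardedFor) HasRole(role string) bool {
	for _, r := range f.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	// Constructed attribute values: the two forms from the documentation
	// plus one malformed value a consumer should reject.
	for _, v := range []string{"alice", "Proxy.clustername:Proxy,Node,Instance", "nocluster:Proxy"} {
		f, err := ParseForwardedFor(v)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%-40s kind=%s name=%s cluster=%q roles=%v\n", v, f.Kind, f.Name, f.Cluster, f.Roles)
	}
}
```

An upstream collector can use the decoded Kind to route or rate-limit user-forwarded spans separately from spans forwarded by cluster instances, which is the "act on them accordingly" the description alludes to.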
func (*ServerWithRoles) ExportUpgradeWindows ¶
func (a *ServerWithRoles) ExportUpgradeWindows(ctx context.Context, req proto.ExportUpgradeWindowsRequest) (proto.ExportUpgradeWindowsResponse, error)
ExportUpgradeWindows is used to load derived upgrade window values for agents that need to export schedules to external upgraders.
func (*ServerWithRoles) ExtendWebSession ¶
func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous session. Additional roles are appended to initial roles if there is an approved access request. The new session expiration time will not exceed the expiration time of the old session.
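An added example, not code from the lib/auth package, of the two rules above: roles from an approved access request are appended to the session's roles, and the renewed expiry is capped at the old session's expiry. WebSession and AccessRequest are trimmed stand-ins for the types package resources, and rejecting a request that is not approved (rather than silently ignoring it) is an assumption about behavior the page does not spell out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// WebSession is a trimmed stand-in for types.WebSession (assumption).
type WebSession struct {
	User    string
	Roles   []string
	Expires time.Time
}

// AccessRequest is a trimmed stand-in for types.AccessRequest (assumption).
type AccessRequest struct {
	State string // "APPROVED", "PENDING" or "DENIED"
	Roles []string
}

var ErrSessionExpired = errors.New("cannot extend an expired web session")

// ExtendWebSession derives a new session from a still-valid old one. Roles from
// an approved access request are appended to the old roles (deduplicated); a
// request in any other state is rejected rather than silently ignored. The new
// expiry is min(now+ttl, old.Expires), so repeated renewals can never carry a
// session past the lifetime the original login established.
func ExtendWebSession(old WebSession, req *AccessRequest, now time.Time, ttl time.Duration) (WebSession, error) {
	if !now.Before(old.Expires) {
		return WebSession{}, ErrSessionExpired
	}
	if req != nil && req.State != "APPROVED" {
		return WebSession{}, fmt.Errorf("access request is %s, only approved requests add roles", req.State)
	}
	roles := append([]string(nil), old.Roles...)
	seen := make(map[string]bool, len(roles))
	for _, r := range roles {
		seen[r] = true
	}
	if req != nil {
		for _, r := range req.Roles {
			if !seen[r] {
				roles = append(roles, r)
				seen[r] = true
			}
		}
	}
	expires := now.Add(ttl)
	if expires.After(old.Expires) {
		expires = old.Expires // cap: never outlive the session being extended
	}
	return WebSession{User: old.User, Roles: roles, Expires: expires}, nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	old := WebSession{User: "alice", Roles: []string{"access"}, Expires: now.Add(30 * time.Minute)}
	s, err := ExtendWebSession(old, &AccessRequest{State: "APPROVED", Roles: []string{"dba"}}, now, time.Hour)
	fmt.Printf("roles=%v expires=%s err=%v\n", s.Roles, s.Expires.Format(time.RFC3339), err)
}
```

The cap is the security-relevant line: without it a client could keep calling the extend endpoint to turn a short-lived session into an unbounded one.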
func (*ServerWithRoles) GenerateAWSOIDCToken ¶
func (a *ServerWithRoles) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
func (*ServerWithRoles) GenerateAppToken ¶
func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)
GenerateAppToken creates a JWT token with application access.
func (*ServerWithRoles) GenerateCertAuthorityCRL ¶
func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for a CA.
This CRL can be requested by:
- Windows desktop service when updating the certificate authority contents on LDAP.
- Cluster administrator using the "tctl auth crl --type=db" command locally on the auth server to produce a revocation list to be configured on external services such as the Windows certificate store.
- Remote user using "tctl auth crl --type=db" command with a remote proxy (e.g. Teleport Cloud), as long as they have permission to read certificate authorities.
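An added example, not code from lib/auth, showing with Go's crypto/x509 what "an empty CRL for a CA" means and the check a consumer such as a Windows certificate store importer should run before trusting one. The self-signed CA is generated inside the snippet for the example and is not a Teleport CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newTestCA builds a throwaway self-signed CA for the example (constructed
// here; it is not a Teleport CA). KeyUsageCRLSign is required, otherwise
// CreateRevocationList and CheckSignatureFrom both refuse to proceed.
func newTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// GenerateEmptyCRL signs a CRL with zero revoked entries, valid for ttl, and
// returns it PEM-encoded, the form an LDAP attribute or a Windows certificate
// store consumer expects to be handed.
func GenerateEmptyCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, ttl time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(ttl),
		// RevokedCertificateEntries is left nil on purpose: nothing is revoked.
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der}), nil
}

// VerifyCRL is the check a consumer should run before installing a CRL: parse
// it, confirm it was signed by the CA it claims to cover, and refuse a stale
// one. It returns the number of revoked serials (0 for an empty CRL).
func VerifyCRL(pemCRL []byte, ca *x509.Certificate, now time.Time) (int, error) {
	block, _ := pem.Decode(pemCRL)
	if block == nil || block.Type != "X509 CRL" {
		return 0, fmt.Errorf("input is not a PEM-encoded CRL")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return 0, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return 0, fmt.Errorf("CRL is not signed by %q: %w", ca.Subject.CommonName, err)
	}
	if now.After(crl.NextUpdate) {
		return 0, fmt.Errorf("CRL expired at %s", crl.NextUpdate.Format(time.RFC3339))
	}
	return len(crl.RevokedCertificateEntries), nil
}

func main() {
	ca, key, err := newTestCA("example-cluster")
	if err != nil {
		panic(err)
	}
	crl, err := GenerateEmptyCRL(ca, key, time.Hour)
	if err != nil {
		panic(err)
	}
	n, err := VerifyCRL(crl, ca, time.Now())
	fmt.Printf("revoked entries: %d, verify error: %v\n%s", n, err, crl)
}
```

An empty CRL still matters: Windows will refuse smart-card style certificate logon when it cannot obtain any CRL for the issuing CA, so "no revocations" has to be published as a signed, unexpired list rather than as nothing at all. The NextUpdate check is what turns a forgotten CRL refresh into a visible failure instead of silently stale revocation data.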
func (*ServerWithRoles) GenerateDatabaseCert ¶
func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
GenerateDatabaseCert generates a certificate used by a database service to authenticate with the database instance.
This certificate can be requested by:
- Cluster administrator using "tctl auth sign --format=db" command locally on the auth server to produce a certificate for configuring a self-hosted database.
- Remote user using "tctl auth sign --format=db" command with a remote proxy (e.g. Teleport Cloud), as long as they can impersonate system role Db.
- Database service, to produce a client certificate when initiating a connection to a database instance.
- Proxy service when generating mTLS files for a database.
func (*ServerWithRoles) GenerateHostCert ¶
func (a *ServerWithRoles) GenerateHostCert( ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration, ) ([]byte, error)
GenerateHostCert TODO(noah): DELETE IN 16.0 Deprecated: use trustv1.Service.GenerateHostCert instead.
func (*ServerWithRoles) GenerateHostCerts ¶
func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.
func (*ServerWithRoles) GenerateOpenSSHCert ¶
func (a *ServerWithRoles) GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)
GenerateOpenSSHCert signs an SSH certificate that can be used to connect to agentless nodes.
func (*ServerWithRoles) GenerateSnowflakeJWT ¶
func (a *ServerWithRoles) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates a JWT in the format Snowflake requires.
func (*ServerWithRoles) GenerateUserCerts ¶
func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
GenerateUserCerts generates user certificates.
func (*ServerWithRoles) GenerateWindowsDesktopCert ¶
func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates a certificate for Windows RDP or SQL Server authentication.
func (*ServerWithRoles) GetAccessCapabilities ¶
func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*ServerWithRoles) GetAccessRequestAllowedPromotions ¶
func (a *ServerWithRoles) GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
GetAccessRequestAllowedPromotions returns a list of roles that the user can promote to, based on the given access request.
func (*ServerWithRoles) GetAccessRequests ¶
func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
func (*ServerWithRoles) GetAccountRecoveryCodes ¶
func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.
func (*ServerWithRoles) GetAccountRecoveryToken ¶
func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.
func (*ServerWithRoles) GetActiveSessionTrackers ¶
func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)
GetActiveSessionTrackers returns a list of active session trackers.
func (*ServerWithRoles) GetActiveSessionTrackersWithFilter ¶
func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)
GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
func (*ServerWithRoles) GetAlertAcks ¶
func (a *ServerWithRoles) GetAlertAcks(ctx context.Context) ([]types.AlertAcknowledgement, error)
func (*ServerWithRoles) GetAllTunnelConnections ¶
func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
func (*ServerWithRoles) GetApp ¶
func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)
GetApp returns specified application resource.
func (*ServerWithRoles) GetAppServersAndSAMLIdPServiceProviders ¶
func (a *ServerWithRoles) GetAppServersAndSAMLIdPServiceProviders(ctx context.Context, namespace string) ([]types.AppServerOrSAMLIdPServiceProvider, error)
GetAppServersAndSAMLIdPServiceProviders returns a list containing all registered AppServers and SAMLIdPServiceProviders.
func (*ServerWithRoles) GetAppSession ¶
func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
GetAppSession gets an application web session.
func (*ServerWithRoles) GetApplicationServers ¶
func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
GetApplicationServers returns all registered application servers.
func (*ServerWithRoles) GetApps ¶
func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)
GetApps returns all application resources.
func (*ServerWithRoles) GetAuthPreference ¶
func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
GetAuthPreference gets cluster auth preference.
func (*ServerWithRoles) GetAuthServers ¶
func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)
func (*ServerWithRoles) GetClusterAlerts ¶
func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
func (*ServerWithRoles) GetClusterAuditConfig ¶
func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*ServerWithRoles) GetClusterCACert ¶
func (a *ServerWithRoles) GetClusterCACert( ctx context.Context, ) (*proto.GetClusterCACertResponse, error)
GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be concatenated.
func (*ServerWithRoles) GetClusterMaintenanceConfig ¶
func (a *ServerWithRoles) GetClusterMaintenanceConfig(ctx context.Context) (types.ClusterMaintenanceConfig, error)
GetClusterMaintenanceConfig gets the current maintenance config singleton.
func (*ServerWithRoles) GetClusterName ¶
func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
GetClusterName gets the name of the cluster.
func (*ServerWithRoles) GetClusterNetworkingConfig ¶
func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*ServerWithRoles) GetConnectionDiagnostic ¶
func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)
GetConnectionDiagnostic returns the connection diagnostic with the matching name
func (*ServerWithRoles) GetCurrentUserRoles ¶
GetCurrentUserRoles returns current user's roles.
func (*ServerWithRoles) GetDatabase ¶
GetDatabase returns specified database resource.
func (*ServerWithRoles) GetDatabaseServers ¶
func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
GetDatabaseServers returns all registered database servers.
func (*ServerWithRoles) GetDatabases ¶
GetDatabases returns all database resources.
func (*ServerWithRoles) GetDomainName ¶
func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)
func (*ServerWithRoles) GetGithubAuthRequest ¶
func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)
GetGithubAuthRequest returns Github auth request if found.
func (*ServerWithRoles) GetGithubConnector ¶
func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
func (*ServerWithRoles) GetGithubConnectors ¶
func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
func (*ServerWithRoles) GetHeadlessAuthentication ¶
func (a *ServerWithRoles) GetHeadlessAuthentication(ctx context.Context, name string) (*types.HeadlessAuthentication, error)
GetHeadlessAuthentication gets a headless authentication from the backend.
func (*ServerWithRoles) GetHeadlessAuthenticationFromWatcher ¶
func (a *ServerWithRoles) GetHeadlessAuthenticationFromWatcher(ctx context.Context, name string) (*types.HeadlessAuthentication, error)
GetHeadlessAuthenticationFromWatcher gets a headless authentication from the headless authentication watcher.
func (*ServerWithRoles) GetInstaller ¶
GetInstaller retrieves an installer script resource
func (*ServerWithRoles) GetInstallers ¶
GetInstallers gets all the installer resources.
func (*ServerWithRoles) GetInstances ¶
func (a *ServerWithRoles) GetInstances(ctx context.Context, filter types.InstanceFilter) stream.Stream[types.Instance]
func (*ServerWithRoles) GetIntegration ¶
func (a *ServerWithRoles) GetIntegration(ctx context.Context, name string) (types.Integration, error)
GetIntegration returns an Integration by its name.
func (*ServerWithRoles) GetInventoryConnectedServiceCounts ¶
func (a *ServerWithRoles) GetInventoryConnectedServiceCounts() (proto.InventoryConnectedServiceCounts, error)
GetInventoryConnectedServiceCounts returns the counts of each connected service seen in the inventory.
func (*ServerWithRoles) GetInventoryStatus ¶
func (a *ServerWithRoles) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
func (*ServerWithRoles) GetKubernetesCluster ¶
func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
GetKubernetesCluster returns specified kubernetes cluster resource.
func (*ServerWithRoles) GetKubernetesClusters ¶
func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)
GetKubernetesClusters returns all kubernetes cluster resources.
func (*ServerWithRoles) GetKubernetesServers ¶
func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
GetKubernetesServers returns all registered kubernetes servers.
func (*ServerWithRoles) GetLicense ¶
func (a *ServerWithRoles) GetLicense(ctx context.Context) (string, error)
GetLicense returns the license used to start the auth server
func (*ServerWithRoles) GetLocks ¶
func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
GetLocks returns all locks, or only in-force locks when inForceOnly is set, restricted to locks matching at least one of the given targets when any are specified.
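An added illustration, not Teleport's own implementation, of the GetLocks selection rule: no targets means every lock is a candidate, any number of targets means a lock survives if at least one target matches it, and inForceOnly drops expired locks. LockTarget and Lock are trimmed stand-ins for types.LockTarget and types.Lock, and the field-by-field matching rule in matches is an assumption about semantics the page does not state.

```go
package main

import (
	"fmt"
	"time"
)

// LockTarget is a trimmed stand-in for types.LockTarget (assumption: the real
// type has more fields, such as MFADevice and AccessRequest).
type LockTarget struct {
	User  string
	Role  string
	Login string
	Node  string
}

// Lock is a trimmed stand-in for types.Lock.
type Lock struct {
	Name    string
	Target  LockTarget
	Message string
	Expires *time.Time // nil: the lock never expires
}

// InForce reports whether the lock still applies at the given instant.
func (l Lock) InForce(now time.Time) bool {
	return l.Expires == nil || now.Before(*l.Expires)
}

// matches applies the assumed matching rule: every field set on the query
// target must equal the lock target's field; fields the query leaves empty
// are unconstrained. An entirely empty query matches nothing, so a careless
// caller cannot select every lock by accident.
func matches(query, lock LockTarget) bool {
	if query == (LockTarget{}) {
		return false
	}
	return (query.User == "" || query.User == lock.User) &&
		(query.Role == "" || query.Role == lock.Role) &&
		(query.Login == "" || query.Login == lock.Login) &&
		(query.Node == "" || query.Node == lock.Node)
}

// FilterLocks mirrors the GetLocks selection rule: with no targets every lock
// is a candidate; with targets, a lock is kept when at least one target
// matches it; inForceOnly additionally drops expired locks.
func FilterLocks(locks []Lock, now time.Time, inForceOnly bool, targets ...LockTarget) []Lock {
	var out []Lock
	for _, l := range locks {
		if inForceOnly && !l.InForce(now) {
			continue
		}
		if len(targets) > 0 {
			hit := false
			for _, t := range targets {
				if matches(t, l.Target) {
					hit = true
					break
				}
			}
			if !hit {
				continue
			}
		}
		out = append(out, l)
	}
	return out
}

// SampleLocks is a constructed lock set: one permanent user lock, one
// temporary role lock, one already-expired user lock, one login+node lock.
func SampleLocks(now time.Time) []Lock {
	past := now.Add(-time.Hour)
	future := now.Add(time.Hour)
	return []Lock{
		{Name: "alice-offboarded", Target: LockTarget{User: "alice"}, Message: "offboarded"},
		{Name: "contractors-paused", Target: LockTarget{Role: "contractor"}, Expires: &future, Message: "audit in progress"},
		{Name: "bob-incident", Target: LockTarget{User: "bob"}, Expires: &past, Message: "resolved"},
		{Name: "root-on-db1", Target: LockTarget{Login: "root", Node: "db1"}, Message: "break-glass only"},
	}
}

func main() {
	now := time.Now()
	for _, l := range FilterLocks(SampleLocks(now), now, true, LockTarget{User: "bob"}, LockTarget{Role: "contractor"}) {
		fmt.Printf("%s in force (%s)\n", l.Name, l.Message)
	}
}
```

Two edge cases worth noticing when reading lock listings: an expired lock is still returned when inForceOnly is false (it is not deleted on expiry), and an empty target is not a wildcard.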
func (*ServerWithRoles) GetMFADevices ¶
func (a *ServerWithRoles) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
GetMFADevices returns a list of MFA devices.
func (*ServerWithRoles) GetNamespace ¶
func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)
GetNamespace returns namespace by name
func (*ServerWithRoles) GetNamespaces ¶
func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)
GetNamespaces returns a list of namespaces
func (*ServerWithRoles) GetNetworkRestrictions ¶
func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).
func (*ServerWithRoles) GetNode ¶
func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)
GetNode gets a node by name and namespace.
func (*ServerWithRoles) GetNodeStream ¶
func (a *ServerWithRoles) GetNodeStream(ctx context.Context, namespace string) stream.Stream[types.Server]
GetNodeStream returns a stream of nodes.
func (*ServerWithRoles) GetOIDCAuthRequest ¶
func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
GetOIDCAuthRequest returns OIDC auth request if found.
func (*ServerWithRoles) GetOIDCConnector ¶
func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
func (*ServerWithRoles) GetOIDCConnectors ¶
func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
func (*ServerWithRoles) GetPluginData ¶
func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
GetPluginData loads all plugin data matching the supplied filter.
func (*ServerWithRoles) GetProxies ¶
func (a *ServerWithRoles) GetProxies() ([]types.Server, error)
func (*ServerWithRoles) GetRemoteCluster ¶
func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
func (*ServerWithRoles) GetRemoteClusters ¶
func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
func (*ServerWithRoles) GetResetPasswordToken ¶
func (*ServerWithRoles) GetReverseTunnel ¶
func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
func (*ServerWithRoles) GetReverseTunnels ¶
func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
func (*ServerWithRoles) GetSAMLAuthRequest ¶
func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)
GetSAMLAuthRequest returns SAML auth request if found.
func (*ServerWithRoles) GetSAMLConnector ¶
func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
func (*ServerWithRoles) GetSAMLConnectors ¶
func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
func (*ServerWithRoles) GetSAMLIdPServiceProvider ¶
func (a *ServerWithRoles) GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)
GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resource.
func (*ServerWithRoles) GetSAMLIdPSession ¶
func (a *ServerWithRoles) GetSAMLIdPSession(ctx context.Context, req types.GetSAMLIdPSessionRequest) (types.WebSession, error)
GetSAMLIdPSession gets a SAML IdP session.
func (*ServerWithRoles) GetSSHTargets ¶
func (a *ServerWithRoles) GetSSHTargets(ctx context.Context, req *proto.GetSSHTargetsRequest) (*proto.GetSSHTargetsResponse, error)
GetSSHTargets gets all servers that would match an equivalent ssh dial request. Note that this method returns all resources directly accessible to the user *and* all resources available via 'SearchAsRoles', which is what we want when handling things like ambiguous host errors and resource-based access requests, but may result in confusing behavior if it is used outside of those contexts.
func (*ServerWithRoles) GetSSODiagnosticInfo ¶
func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
GetSSODiagnosticInfo returns SSO diagnostic info records.
func (*ServerWithRoles) GetSemaphores ¶
func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)
GetSemaphores returns a list of all semaphores matching the supplied filter.
func (*ServerWithRoles) GetServerInfo ¶
func (a *ServerWithRoles) GetServerInfo(ctx context.Context, name string) (types.ServerInfo, error)
GetServerInfo returns a ServerInfo by name.
func (*ServerWithRoles) GetServerInfos ¶
func (a *ServerWithRoles) GetServerInfos(ctx context.Context) stream.Stream[types.ServerInfo]
GetServerInfos returns a stream of ServerInfos.
func (*ServerWithRoles) GetSessionChunk ¶
func (*ServerWithRoles) GetSessionEvents ¶
func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)
func (*ServerWithRoles) GetSessionRecordingConfig ¶
func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
GetSessionRecordingConfig gets session recording configuration.
func (*ServerWithRoles) GetSessionTracker ¶
func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
GetSessionTracker returns the current state of a session tracker for an active session.
func (*ServerWithRoles) GetSnowflakeSession ¶
func (a *ServerWithRoles) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
GetSnowflakeSession gets a Snowflake web session.
func (*ServerWithRoles) GetSnowflakeSessions ¶
func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)
GetSnowflakeSessions gets all Snowflake web sessions.
func (*ServerWithRoles) GetStaticTokens ¶
func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*ServerWithRoles) GetToken ¶
func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
func (*ServerWithRoles) GetTokens ¶
func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
func (*ServerWithRoles) GetTrustedCluster ¶
func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)
func (*ServerWithRoles) GetTrustedClusters ¶
func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)
func (*ServerWithRoles) GetTunnelConnections ¶
func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
func (*ServerWithRoles) GetUIConfig ¶
func (*ServerWithRoles) GetUserGroup ¶
GetUserGroup returns the specified user group resource.
func (*ServerWithRoles) GetUsers ¶
GetUsers returns all existing users TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.ListUsers instead.
func (*ServerWithRoles) GetWebSession ¶
func (a *ServerWithRoles) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns the web session specified with req. Implements auth.ReadAccessPoint.
func (*ServerWithRoles) GetWebSessionInfo ¶
func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo returns the web session for the given user specified by sessionID. The session is stripped of any authentication details. Implements auth.WebUIService.
func (*ServerWithRoles) GetWebToken ¶
func (a *ServerWithRoles) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns the web token specified with req. Implements auth.ReadAccessPoint.
func (*ServerWithRoles) GetWindowsDesktopService ¶
func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
GetWindowsDesktopService returns a registered windows desktop service by name.
func (*ServerWithRoles) GetWindowsDesktopServices ¶
func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
GetWindowsDesktopServices returns all registered windows desktop services.
func (*ServerWithRoles) GetWindowsDesktops ¶
func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
GetWindowsDesktops returns all registered windows desktop hosts.
func (*ServerWithRoles) IsMFARequired ¶
func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
func (*ServerWithRoles) KeepAliveSemaphoreLease ¶
func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
KeepAliveSemaphoreLease updates semaphore lease.
func (*ServerWithRoles) KeepAliveServer ¶
KeepAliveServer updates expiry time of a server resource.
func (*ServerWithRoles) ListAppSessions ¶
func (a *ServerWithRoles) ListAppSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
ListAppSessions gets a paginated list of application web sessions.
func (*ServerWithRoles) ListIntegrations ¶
func (a *ServerWithRoles) ListIntegrations(ctx context.Context, pageSize int, nextKey string) ([]types.Integration, string, error)
ListIntegrations returns a list of Integrations. The next page can be retrieved by calling ListIntegrations again and passing the nextKey from the previous response.
func (*ServerWithRoles) ListReleases ¶
ListReleases returns Teleport Enterprise releases.
func (*ServerWithRoles) ListResources ¶
func (a *ServerWithRoles) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
ListResources returns a paginated list of resources filtered by user access.
func (*ServerWithRoles) ListSAMLIdPServiceProviders ¶
func (a *ServerWithRoles) ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextToken string) ([]types.SAMLIdPServiceProvider, string, error)
ListSAMLIdPServiceProviders returns a paginated list of SAML IdP service provider resources.
func (*ServerWithRoles) ListSAMLIdPSessions ¶
func (a *ServerWithRoles) ListSAMLIdPSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
ListSAMLIdPSessions gets a paginated list of SAML IdP sessions.
func (*ServerWithRoles) ListUnifiedResources ¶
func (a *ServerWithRoles) ListUnifiedResources(ctx context.Context, req *proto.ListUnifiedResourcesRequest) (*proto.ListUnifiedResourcesResponse, error)
ListUnifiedResources returns a paginated list of unified resources filtered by user access.
func (*ServerWithRoles) ListUserGroups ¶
func (a *ServerWithRoles) ListUserGroups(ctx context.Context, pageSize int, nextToken string) ([]types.UserGroup, string, error)
ListUserGroups returns a paginated list of user group resources.
func (*ServerWithRoles) MaintainHeadlessAuthenticationStub ¶
func (a *ServerWithRoles) MaintainHeadlessAuthenticationStub(ctx context.Context) error
MaintainHeadlessAuthenticationStub maintains a headless authentication stub for the user. Headless login processes will look for this stub before inserting the headless authentication resource into the backend as a form of indirect authorization.
func (*ServerWithRoles) NewStream ¶
func (a *ServerWithRoles) NewStream(ctx context.Context, watch types.Watch) (stream.Stream[types.Event], error)
NewStream returns a new event stream (equivalent to NewWatcher, but with slightly different performance characteristics).
func (*ServerWithRoles) NewWatcher ¶
NewWatcher returns a new event watcher
func (*ServerWithRoles) Ping ¶
func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)
Ping gets basic info about the auth server.
func (*ServerWithRoles) PingInventory ¶
func (a *ServerWithRoles) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
func (*ServerWithRoles) PreAuthenticatedSignIn ¶
func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)
func (*ServerWithRoles) ProcessKubeCSR ¶
func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.
func (*ServerWithRoles) RegisterInventoryControlStream ¶
func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) (proto.UpstreamInventoryHello, error)
RegisterInventoryControlStream handles the upstream half of the control stream handshake, then passes the control stream to the auth server's main control logic. We also return the post-auth hello message back up to the grpcserver layer in order to use it for metrics purposes.
func (*ServerWithRoles) RegisterUsingAzureMethod ¶
func (a *ServerWithRoles) RegisterUsingAzureMethod(ctx context.Context, challengeResponse client.RegisterAzureChallengeResponseFunc) (*proto.Certs, error)
RegisterUsingAzureMethod registers the caller using the Azure join method and returns signed certs to join the cluster.
See (*Server).RegisterUsingAzureMethod for further documentation.
This wrapper does not do any extra authz checks, as the register method has its own authz mechanism.
func (*ServerWithRoles) RegisterUsingIAMMethod ¶
func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterIAMChallengeResponseFunc) (*proto.Certs, error)
RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.
See (*Server).RegisterUsingIAMMethod for further documentation.
This wrapper does not do any extra authz checks, as the register method has its own authz mechanism.
func (*ServerWithRoles) RegisterUsingToken ¶
func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
func (*ServerWithRoles) RemoveSessionTracker ¶
func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error
RemoveSessionTracker removes a tracker resource for an active session.
func (*ServerWithRoles) ReplaceRemoteLocks ¶
func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
func (*ServerWithRoles) ResetAuthPreference ¶
func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error
ResetAuthPreference resets cluster auth preference to defaults.
func (*ServerWithRoles) ResetClusterNetworkingConfig ¶
func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error
ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
func (*ServerWithRoles) ResetSessionRecordingConfig ¶
func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error
ResetSessionRecordingConfig resets session recording configuration to defaults.
func (*ServerWithRoles) ResumeAuditStream ¶
func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
ResumeAuditStream resumes the stream that has been created
func (*ServerWithRoles) RotateCertAuthority ¶
func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*ServerWithRoles) RotateExternalCertAuthority ¶
func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
RotateExternalCertAuthority rotates an external certificate authority. This method is called by a remote trusted cluster and updates only the public keys and certificates of the certificate authority.
func (*ServerWithRoles) SearchEvents ¶
func (a *ServerWithRoles) SearchEvents(ctx context.Context, req events.SearchEventsRequest) (outEvents []apievents.AuditEvent, lastKey string, err error)
SearchEvents allows searching audit events with pagination support.
func (*ServerWithRoles) SearchSessionEvents ¶
func (a *ServerWithRoles) SearchSessionEvents(ctx context.Context, req events.SearchSessionEventsRequest) (outEvents []apievents.AuditEvent, lastKey string, err error)
SearchSessionEvents allows searching session audit events with pagination support.
func (*ServerWithRoles) SetAccessRequestState ¶
func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
func (*ServerWithRoles) SetAuthPreference ¶
func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error
SetAuthPreference sets cluster auth preference.
func (*ServerWithRoles) SetClusterName ¶
func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error
SetClusterName sets the name of the cluster. SetClusterName can only be called once.
func (*ServerWithRoles) SetClusterNetworkingConfig ¶
func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error
SetClusterNetworkingConfig sets cluster networking configuration.
func (*ServerWithRoles) SetInstaller ¶
SetInstaller sets an Installer script resource
func (*ServerWithRoles) SetNetworkRestrictions ¶
func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error
SetNetworkRestrictions updates the network restrictions.
func (*ServerWithRoles) SetSessionRecordingConfig ¶
func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error
SetSessionRecordingConfig sets session recording configuration.
func (*ServerWithRoles) SetStaticTokens ¶
func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error
SetStaticTokens sets the list of static tokens used to provision nodes.
func (*ServerWithRoles) SetUIConfig ¶
func (*ServerWithRoles) SignDatabaseCSR ¶
func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
SignDatabaseCSR generates a client certificate used by the proxy when talking to a remote database service.
func (*ServerWithRoles) StartAccountRecovery ¶
func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
StartAccountRecovery is implemented by AuthService.StartAccountRecovery.
func (*ServerWithRoles) StreamSessionEvents ¶
func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
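The channel contract above is easy to get wrong on the consuming side, and the reason the event channel stays open on error is worth spelling out: a Go select over several ready cases picks one at random, so if the producer both sent an error and closed the event channel, a consumer could observe the closed channel first and report a clean end of stream. The block below is an added example written for this page, not code from this package: streamSessionEvents imitates the documented behaviour over an in-memory recording, collectSessionEvents drains it correctly, AuditEvent is an assumed stand-in for apievents.AuditEvent, and the recording in main is constructed input.

```go
package main

import (
	"context"
	"fmt"
)

// AuditEvent is a minimal stand-in for apievents.AuditEvent (assumed shape).
type AuditEvent struct {
	Index int64
	Type  string
}

// streamSessionEvents reproduces the channel contract documented for
// StreamSessionEvents over an in-memory recording: events go out on the first
// channel; on failure a single error goes out on the second channel and the
// event channel is deliberately left open; on a clean end the event channel is
// closed. failAt < 0 means no failure (constructed test input).
func streamSessionEvents(ctx context.Context, recording []AuditEvent, startIndex, failAt int64) (chan AuditEvent, chan error) {
	evC := make(chan AuditEvent)
	errC := make(chan error, 1) // buffered so the producer never blocks on it
	go func() {
		for _, ev := range recording {
			if ev.Index < startIndex {
				continue
			}
			if failAt >= 0 && ev.Index >= failAt {
				errC <- fmt.Errorf("stream broke at index %d", ev.Index)
				return // evC stays open: see collectSessionEvents
			}
			select {
			case evC <- ev:
			case <-ctx.Done():
				errC <- ctx.Err()
				return
			}
		}
		close(evC)
	}()
	return evC, errC
}

// collectSessionEvents is the consumer side. Because the producer never closes
// the event channel on error, a closed channel unambiguously means "stream
// ended cleanly"; if it were closed alongside sending the error, select could
// pick the closed-channel case first and the error would be lost.
func collectSessionEvents(ctx context.Context, evC <-chan AuditEvent, errC <-chan error) ([]AuditEvent, error) {
	var got []AuditEvent
	for {
		select {
		case ev, ok := <-evC:
			if !ok {
				return got, nil
			}
			got = append(got, ev)
		case err := <-errC:
			return got, err
		case <-ctx.Done():
			return got, ctx.Err()
		}
	}
}

func main() {
	recording := []AuditEvent{{0, "session.start"}, {1, "print"}, {2, "print"}, {3, "session.end"}}
	evC, errC := streamSessionEvents(context.Background(), recording, 1, -1)
	got, err := collectSessionEvents(context.Background(), evC, errC)
	fmt.Println(len(got), err) // 3 <nil>
	evC, errC = streamSessionEvents(context.Background(), recording, 0, 2)
	got, err = collectSessionEvents(context.Background(), evC, errC)
	fmt.Println(len(got), err) // 2 stream broke at index 2
}
```

The consumer also selects on the caller's context, which is the only way out if the producer goes silent without closing either channel.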
func (*ServerWithRoles) SubmitAccessReview ¶
func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, submission types.AccessReviewSubmission) (types.AccessRequest, error)
func (*ServerWithRoles) SubmitUsageEvent ¶
func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
SubmitUsageEvent submits an external usage event.
func (*ServerWithRoles) UpdateApp ¶
func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error
UpdateApp updates existing application resource.
func (*ServerWithRoles) UpdateClusterMaintenanceConfig ¶
func (a *ServerWithRoles) UpdateClusterMaintenanceConfig(ctx context.Context, cmc types.ClusterMaintenanceConfig) error
UpdateClusterMaintenanceConfig updates the current maintenance config singleton.
func (*ServerWithRoles) UpdateConnectionDiagnostic ¶
func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
UpdateConnectionDiagnostic updates a connection diagnostic.
func (*ServerWithRoles) UpdateDatabase ¶
UpdateDatabase updates existing database resource.
func (*ServerWithRoles) UpdateGithubConnector ¶
func (a *ServerWithRoles) UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
UpdateGithubConnector updates an existing Github connector.
func (*ServerWithRoles) UpdateHeadlessAuthenticationState ¶
func (a *ServerWithRoles) UpdateHeadlessAuthenticationState(ctx context.Context, name string, state types.HeadlessAuthenticationState, mfaResp *proto.MFAAuthenticateResponse) error
UpdateHeadlessAuthenticationState updates a headless authentication state.
func (*ServerWithRoles) UpdateIntegration ¶
func (a *ServerWithRoles) UpdateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)
UpdateIntegration updates an Integration.
func (*ServerWithRoles) UpdateKubernetesCluster ¶
func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
UpdateKubernetesCluster updates existing kubernetes cluster resource.
func (*ServerWithRoles) UpdateOIDCConnector ¶
func (a *ServerWithRoles) UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
UpdateOIDCConnector updates an existing OIDC connector.
func (*ServerWithRoles) UpdatePluginData ¶
func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
UpdatePluginData updates a per-resource PluginData entry.
func (*ServerWithRoles) UpdateRemoteCluster ¶
func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error
func (*ServerWithRoles) UpdateRole ¶
UpdateRole updates an existing role.
func (*ServerWithRoles) UpdateSAMLConnector ¶
func (a *ServerWithRoles) UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
UpdateSAMLConnector updates an existing SAML connector
func (*ServerWithRoles) UpdateSAMLIdPServiceProvider ¶
func (a *ServerWithRoles) UpdateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) (err error)
UpdateSAMLIdPServiceProvider updates an existing SAML IdP service provider resource.
func (*ServerWithRoles) UpdateSessionTracker ¶
func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error
UpdateSessionTracker updates a tracker resource for an active session.
func (*ServerWithRoles) UpdateUser ¶
UpdateUser updates an existing user in a backend. Captures the auth user who modified the user record. TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.UpdateUser instead.
func (*ServerWithRoles) UpdateUserGroup ¶
UpdateUserGroup updates an existing user group resource.
func (*ServerWithRoles) UpdateWindowsDesktop ¶
func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
UpdateWindowsDesktop updates an existing windows desktop host.
func (*ServerWithRoles) UpsertApplicationServer ¶
func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
UpsertApplicationServer registers an application server.
func (*ServerWithRoles) UpsertAuthServer ¶
func (*ServerWithRoles) UpsertClusterAlert ¶
func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
func (*ServerWithRoles) UpsertClusterName ¶
func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error
UpsertClusterName sets the name of the cluster.
func (*ServerWithRoles) UpsertDatabaseServer ¶
func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
UpsertDatabaseServer creates or updates a database proxy server.
func (*ServerWithRoles) UpsertDatabaseService ¶
func (a *ServerWithRoles) UpsertDatabaseService(ctx context.Context, service types.DatabaseService) (*types.KeepAlive, error)
UpsertDatabaseService creates or updates a DatabaseService resource.
func (*ServerWithRoles) UpsertGithubConnector ¶
func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
UpsertGithubConnector creates or updates a Github connector.
func (*ServerWithRoles) UpsertHeadlessAuthenticationStub ¶
func (a *ServerWithRoles) UpsertHeadlessAuthenticationStub(ctx context.Context) error
UpsertHeadlessAuthenticationStub creates a headless authentication stub for the user that will expire after the standard callback timeout. Headless login processes will look for this stub before inserting the headless authentication resource into the backend as a form of indirect authorization.
func (*ServerWithRoles) UpsertKubernetesServer ¶
func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)
UpsertKubernetesServer creates or updates a Server representing a teleport kubernetes server.
func (*ServerWithRoles) UpsertLock ¶
UpsertLock upserts a lock.
func (*ServerWithRoles) UpsertNamespace ¶
func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error
UpsertNamespace upserts namespace
func (*ServerWithRoles) UpsertNode ¶
func (*ServerWithRoles) UpsertOIDCConnector ¶
func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
UpsertOIDCConnector creates or updates an OIDC connector.
func (*ServerWithRoles) UpsertProxy ¶
func (*ServerWithRoles) UpsertReverseTunnel ¶
func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error
func (*ServerWithRoles) UpsertRole ¶
UpsertRole creates or updates role.
func (*ServerWithRoles) UpsertSAMLConnector ¶
func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
UpsertSAMLConnector creates or updates a SAML connector.
func (*ServerWithRoles) UpsertServerInfo ¶
func (a *ServerWithRoles) UpsertServerInfo(ctx context.Context, si types.ServerInfo) error
UpsertServerInfo upserts a ServerInfo.
func (*ServerWithRoles) UpsertToken ¶
func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error
func (*ServerWithRoles) UpsertTrustedCluster ¶
func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)
UpsertTrustedCluster creates or updates a trusted cluster.
func (*ServerWithRoles) UpsertTunnelConnection ¶
func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error
func (*ServerWithRoles) UpsertUser ¶
UpsertUser creates a user or updates an existing one. TODO(tross): DELETE IN 16.0.0 Deprecated: use usersv1.Service.UpdateUser instead.
func (*ServerWithRoles) UpsertWindowsDesktop ¶
func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
UpsertWindowsDesktop updates a windows desktop resource, creating it if it doesn't exist.
func (*ServerWithRoles) UpsertWindowsDesktopService ¶
func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)
UpsertWindowsDesktopService creates or updates a windows desktop service.
func (*ServerWithRoles) ValidateGithubAuthCallback ¶
func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
func (*ServerWithRoles) ValidateOIDCAuthCallback ¶
func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
func (*ServerWithRoles) ValidateSAMLResponse ¶
func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, samlResponse, connectorID, clientIP string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates SAML auth response.
func (*ServerWithRoles) ValidateTrustedCluster ¶
func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
func (*ServerWithRoles) VerifyAccountRecovery ¶
func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.
func (*ServerWithRoles) WatchPendingHeadlessAuthentications ¶
func (a *ServerWithRoles) WatchPendingHeadlessAuthentications(ctx context.Context) (types.Watcher, error)
WatchPendingHeadlessAuthentications creates a watcher for pending headless authentication for the current user.
func (*ServerWithRoles) WebSessions ¶
func (a *ServerWithRoles) WebSessions() types.WebSessionInterface
WebSessions returns the web session manager. Implements services.WebSessionsGetter.
func (*ServerWithRoles) WebTokens ¶
func (a *ServerWithRoles) WebTokens() types.WebTokenInterface
WebTokens returns the web token manager. Implements services.WebTokensGetter.
type Services ¶
type Services struct {
	services.Trust
	services.PresenceInternal
	services.Provisioner
	services.Identity
	services.Access
	services.DynamicAccessExt
	services.ClusterConfiguration
	services.Restrictions
	services.Apps
	services.Kubernetes
	services.Databases
	services.DatabaseServices
	services.WindowsDesktops
	services.SAMLIdPServiceProviders
	services.UserGroups
	services.SessionTrackerService
	services.ConnectionsDiagnostic
	services.StatusInternal
	services.Integrations
	services.IntegrationsTokenGenerator
	services.DiscoveryConfigs
	services.Okta
	services.AccessLists
	services.UserLoginStates
	services.Assistant
	services.Embeddings
	services.UserPreferences
	services.PluginData
	usagereporter.UsageReporter
	types.Events
	events.AuditLogSessionStreamer
	services.SecReports
}
func (*Services) AccessListClient ¶
func (r *Services) AccessListClient() services.AccessLists
AccessListClient returns the access list client.
func (*Services) DiscoveryConfigClient ¶
func (r *Services) DiscoveryConfigClient() services.DiscoveryConfigs
DiscoveryConfigClient returns the DiscoveryConfig client.
func (*Services) GenerateAWSOIDCToken ¶
func (r *Services) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
func (*Services) GetWebSession ¶
func (r *Services) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns existing web session described by req. Implements ReadAccessPoint
func (*Services) GetWebToken ¶
func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns existing web token described by req. Implements ReadAccessPoint
func (*Services) OktaClient ¶
OktaClient returns the okta client.
func (*Services) SecReportsClient ¶
SecReportsClient returns the security reports client.
func (*Services) UserLoginStateClient ¶
func (r *Services) UserLoginStateClient() services.UserLoginStates
UserLoginStateClient returns the user login state client.
type SessionAccessContext ¶
type SessionAccessContext struct {
	Username string
	Roles    []types.Role
	Mode     types.SessionParticipantMode
}
SessionAccessContext is the context that must be provided per participant in the session.
func (*SessionAccessContext) GetIdentifier ¶
func (ctx *SessionAccessContext) GetIdentifier(fields []string) (interface{}, error)
GetIdentifier is used by the `predicate` library to evaluate variable expressions when evaluating policy filters. It deals with evaluating strings like `participant.name` to the appropriate value.
func (*SessionAccessContext) GetResource ¶
func (ctx *SessionAccessContext) GetResource() (types.Resource, error)
type SessionAccessEvaluator ¶
type SessionAccessEvaluator struct {
// contains filtered or unexported fields
}
SessionAccessEvaluator takes a set of policies and uses rules to evaluate them to determine when a session may start and if a user can join a session.
The current implementation is deliberately simple and uses a brute-force algorithm. More efficient implementations that run in better than roughly O(n^2) time are possible, but they require complex code that is harder to debug when policies are misconfigured or other errors occur, and harder to follow intuitively. In practice the numbers of roles and sessions are small enough that this has no meaningful impact.
func NewSessionAccessEvaluator ¶
func NewSessionAccessEvaluator(policySets []*types.SessionTrackerPolicySet, kind types.SessionKind, owner string) SessionAccessEvaluator
NewSessionAccessEvaluator creates a new session access evaluator for a given session kind and a set of roles attached to the host user.
func (*SessionAccessEvaluator) CanJoin ¶
func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.SessionParticipantMode
CanJoin returns the modes a user has access to join a session with. If the list is empty, the user doesn't have access to join the session at all.
func (*SessionAccessEvaluator) FulfilledFor ¶
func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)
FulfilledFor checks if a given session may run with a list of participants.
func (*SessionAccessEvaluator) IsModerated ¶
func (e *SessionAccessEvaluator) IsModerated() bool
IsModerated returns true if the session needs moderation.
func (*SessionAccessEvaluator) PrettyRequirementsList ¶
func (e *SessionAccessEvaluator) PrettyRequirementsList() string
PrettyRequirementsList generates a pretty-printed string of precise requirements for session start suitable for user display.
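To make the brute-force evaluation concrete, here is an added, simplified evaluator written for this page; it is not the package's implementation. Policy filters are plain Go predicates instead of predicate-language expressions, policy sets are keyed by host role name, and the RequirePolicy, JoinPolicy, Participant and Evaluator types are assumptions modelled on the require-session-join and join-sessions role options. It covers CanJoin and FulfilledFor, including the check that is easy to forget: a participant counts toward a requirement only if they joined in one of the policy's modes, are actually permitted to join in that mode, and satisfy the filter.

```go
package main

// Simplified stand-ins for the package's types: the real evaluator works on
// types.SessionTrackerPolicySet and predicate expressions, not Go funcs.
type SessionKind string
type ParticipantMode string

// RequirePolicy blocks session start until Count participants whose roles
// satisfy Filter are present in one of Modes.
type RequirePolicy struct {
	Filter  func(roles []string) bool
	Count   int
	Modes   []ParticipantMode
	OnLeave string // action when a required participant leaves, e.g. "terminate"
}

// JoinPolicy lets its holder join sessions of Kinds hosted by a user holding
// any of HostRoles, in any of Modes.
type JoinPolicy struct {
	HostRoles []string
	Kinds     []SessionKind
	Modes     []ParticipantMode
}

// Participant mirrors SessionAccessContext plus the join policies of its roles.
type Participant struct {
	Roles []string
	Joins []JoinPolicy
	Mode  ParticipantMode
}

// Evaluator holds one policy set (require policies) per host role name and the
// kind of session being evaluated; IsModerated is simply "any set is non-empty".
type Evaluator struct {
	PolicySets map[string][]RequirePolicy
	Kind       SessionKind
}

func contains[T comparable](xs []T, x T) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// CanJoin returns the modes granted by join policies that cover this session
// kind and at least one of the host's roles; an empty result means no access.
func (e *Evaluator) CanJoin(p Participant) []ParticipantMode {
	var modes []ParticipantMode
	for _, jp := range p.Joins {
		if !contains(jp.Kinds, e.Kind) {
			continue
		}
		for role := range e.PolicySets {
			if !contains(jp.HostRoles, role) && !contains(jp.HostRoles, "*") {
				continue
			}
			for _, m := range jp.Modes {
				if !contains(modes, m) {
					modes = append(modes, m)
				}
			}
		}
	}
	return modes
}

// FulfilledFor is the brute-force check: each policy set needs at least one of
// its require policies satisfied (a set with none passes). A participant counts
// only if joined in one of the policy's modes, actually allowed to join in that
// mode, and matching the filter. The string is the on-leave action relied on.
func (e *Evaluator) FulfilledFor(participants []Participant) (bool, string) {
	onLeave := ""
	for _, reqs := range e.PolicySets {
		satisfied := len(reqs) == 0
		for _, rp := range reqs {
			left := rp.Count
			for _, p := range participants {
				if contains(rp.Modes, p.Mode) && contains(e.CanJoin(p), p.Mode) && rp.Filter(p.Roles) {
					left--
				}
			}
			if left <= 0 {
				satisfied, onLeave = true, rp.OnLeave
				break
			}
		}
		if !satisfied {
			return false, ""
		}
	}
	return true, onLeave
}
```

Calling CanJoin from inside FulfilledFor is what makes the loop O(n^2)-ish, and it is also the security-relevant part: without it, anyone who could get a session tracker to list them as a moderator would satisfy the requirement regardless of their own join rights.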
type SessionCreds ¶
type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}
SessionCreds is a web session credentials
type SnowflakeSessionWatcher ¶
type SnowflakeSessionWatcher interface {
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetSnowflakeSession gets a Snowflake web session for a given request.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
}
SnowflakeSessionWatcher is watcher interface used by Snowflake web session watcher.
type StateSpecV2 ¶
type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation types.Rotation `json:"rotation"`
}
StateSpecV2 is a state spec.
type StateV2 ¶
type StateV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}
StateV2 is a local process state.
func (*StateV2) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults values.
type TLSServer ¶
type TLSServer struct {
// contains filtered or unexported fields
}
TLSServer is TLS auth server
func NewTLSServer ¶
func NewTLSServer(ctx context.Context, cfg TLSServerConfig) (*TLSServer, error)
NewTLSServer returns new unstarted TLS server
func (*TLSServer) GetConfigForClient ¶
GetConfigForClient is called on every new connection; the server's GetConfigForClient reloads the list of trusted local and remote certificate authorities, so CAs added or rotated since the previous connection are picked up without a server restart.
type TLSServerConfig ¶
type TLSServerConfig struct {
	// Listener is a listener to bind to
	Listener net.Listener
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.Config
	// AccessPoint is a caching access point
	AccessPoint AccessCache
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
	// ID is an optional debugging ID
	ID string
	// Metrics are optional TLSServer metrics
	Metrics *Metrics
}
TLSServerConfig is a configuration for TLS server
func (*TLSServerConfig) CheckAndSetDefaults ¶
func (c *TLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type TestAuthServer ¶
type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *Server
	// AuditLog is an event audit log
	AuditLog events.AuditLogSessionStreamer
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer authz.Authorizer
	// LockWatcher is a lock watcher used in tests.
	LockWatcher *services.LockWatcher
}
TestAuthServer is an auth server that uses a local filesystem backend and a test certificate authority whose key generation is sped up by reusing the same private key. It is for tests only: with a shared private key there is no cryptographic isolation between the authorities it creates.
func NewTestAuthServer ¶
func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)
NewTestAuthServer returns a new test auth server instance.
func (*TestAuthServer) Clock ¶
func (a *TestAuthServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestAuthServer) Close ¶
func (a *TestAuthServer) Close() error
func (*TestAuthServer) GenerateUserCert ¶
func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*TestAuthServer) NewCertificate ¶
func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
NewCertificate returns new TLS credentials generated by test auth server
func (*TestAuthServer) NewRemoteClient ¶
func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
NewRemoteClient creates new client to the remote server using identity generated for this certificate authority
func (*TestAuthServer) NewTestTLSServer ¶
func (a *TestAuthServer) NewTestTLSServer(opts ...TestTLSServerOption) (*TestTLSServer, error)
NewTestTLSServer returns new test TLS server
func (*TestAuthServer) Trust ¶
func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error
Trust adds other server host certificate authority as trusted
type TestAuthServerConfig ¶
type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
	// ClusterNetworkingConfig allows a test to change the default
	// networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// Streamer allows a test to set its own session recording streamer.
	Streamer events.Streamer
	// AuditLog allows a test to configure its own audit log.
	AuditLog events.AuditLogSessionStreamer
	// TraceClient allows a test to configure the trace client
	TraceClient otlptrace.Client
	// AuthPreferenceSpec is custom initial AuthPreference spec for the test.
	AuthPreferenceSpec *types.AuthPreferenceSpecV2
	// Embedder is required to enable the assist in the auth server.
	Embedder embedding.Embedder
	// CacheEnabled enables the primary auth server cache.
	CacheEnabled bool
}
TestAuthServerConfig is auth server test config
func (*TestAuthServerConfig) CheckAndSetDefaults ¶
func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type TestDevice ¶
type TestDevice struct {
	MFA        *types.MFADevice
	TOTPSecret string
	Key        *mocku2f.Key
	// contains filtered or unexported fields
}
TestDevice is a test MFA device.
func NewTestDeviceFromChallenge ¶
func NewTestDeviceFromChallenge(c *proto.MFARegisterChallenge, opts ...TestDeviceOpt) (*TestDevice, *proto.MFARegisterResponse, error)
func RegisterTestDevice ¶
func RegisterTestDevice(ctx context.Context, clt authClientI, devName string, devType proto.DeviceType, authenticator *TestDevice, opts ...TestDeviceOpt) (*TestDevice, error)
RegisterTestDevice creates and registers a TestDevice. TOTP devices require a clock option.
func (*TestDevice) Origin ¶
func (d *TestDevice) Origin() string
func (*TestDevice) SolveAuthn ¶
func (d *TestDevice) SolveAuthn(c *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
type TestDeviceOpt ¶
type TestDeviceOpt func(d *TestDevice)
TestDeviceOpt is a creation option for TestDevice.
func WithPasswordless ¶
func WithPasswordless() TestDeviceOpt
func WithTestDeviceClock ¶
func WithTestDeviceClock(clock clockwork.Clock) TestDeviceOpt
type TestIdentity ¶
type TestIdentity struct {
	I              authz.IdentityGetter
	TTL            time.Duration
	AcceptedUsage  []string
	RouteToCluster string
	Renewable      bool
	Generation     uint64
}
TestIdentity is test identity spec used to generate identities in tests
func TestBuiltin ¶
func TestBuiltin(role types.SystemRole) TestIdentity
TestBuiltin returns TestIdentity for builtin user
func TestRemoteBuiltin ¶
func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity
TestRemoteBuiltin returns TestIdentity for a remote builtin role.
func TestRenewableUser ¶
func TestRenewableUser(username string, generation uint64) TestIdentity
TestRenewableUser returns a TestIdentity for a local user with renewable credentials.
func TestServerID ¶
func TestServerID(role types.SystemRole, serverID string) TestIdentity
TestServerID returns a TestIdentity for a node with the passed in serverID.
func TestUser ¶
func TestUser(username string) TestIdentity
TestUser returns TestIdentity for local user
func TestUserWithDeviceExtensions ¶
func TestUserWithDeviceExtensions(username string, exts tlsca.DeviceExtensions) TestIdentity
TestUserWithDeviceExtensions returns a TestIdentity for a local user, including the supplied device extensions in the tlsca.Identity.
type TestServer ¶
type TestServer struct {
	TLS        *TestTLSServer
	AuthServer *TestAuthServer
}
TestServer defines the set of server components for a test
func NewTestServer ¶
func NewTestServer(cfg TestServerConfig) (*TestServer, error)
NewTestServer creates a new test server configuration
func (*TestServer) Auth ¶
func (a *TestServer) Auth() *Server
Auth returns the underlying auth server instance
func (*TestServer) ClusterName ¶
func (a *TestServer) ClusterName() string
func (*TestServer) NewClient ¶
func (a *TestServer) NewClient(identity TestIdentity) (*Client, error)
type TestServerConfig ¶
type TestServerConfig struct {
	// Auth specifies the auth server configuration
	Auth TestAuthServerConfig
	// TLS optionally specifies the configuration for the TLS server.
	// If unspecified, will be generated automatically
	TLS *TestTLSServerConfig
}
TestServerConfig defines the configuration for all server components
type TestTLSServer ¶
type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}
TestTLSServer is a test TLS server
func NewTestTLSServer ¶
func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)
NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port
func (*TestTLSServer) Addr ¶
func (t *TestTLSServer) Addr() net.Addr
Addr returns address of TLS server
func (*TestTLSServer) Auth ¶
func (t *TestTLSServer) Auth() *Server
Auth returns auth server used by this TLS server
func (*TestTLSServer) CertPool ¶
func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
CertPool returns cert pool that auth server represents
func (*TestTLSServer) ClientTLSConfig ¶
func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
ClientTLSConfig returns client TLS config based on the identity
func (*TestTLSServer) Clock ¶
func (t *TestTLSServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestTLSServer) CloneClient ¶
func (t *TestTLSServer) CloneClient(tt *testing.T, clt *Client) *Client
CloneClient uses the same credentials as the passed client but forces the client to be recreated
func (*TestTLSServer) Close ¶
func (t *TestTLSServer) Close() error
Close closes the listener and HTTP server
func (*TestTLSServer) ClusterName ¶
func (t *TestTLSServer) ClusterName() string
ClusterName returns name of test TLS server cluster
func (*TestTLSServer) NewClient ¶
func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
NewClient returns new client to test server authenticated with identity
func (*TestTLSServer) NewClientFromWebSession ¶
func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)
NewClientFromWebSession returns new authenticated client from web session
func (*TestTLSServer) NewClientWithCert ¶
func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client
NewClientWithCert creates a new client using given cert and private key
func (*TestTLSServer) Shutdown ¶
func (t *TestTLSServer) Shutdown(ctx context.Context) error
Shutdown closes the listener and HTTP server gracefully
func (*TestTLSServer) Start ¶
func (t *TestTLSServer) Start() error
Start starts TLS server on loopback address on the first listening socket
func (*TestTLSServer) Stop ¶
func (t *TestTLSServer) Stop() error
Stop stops listening server, but does not close the auth backend
type TestTLSServerConfig ¶
type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.Config
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}
TestTLSServerConfig is a configuration for test TLS server
func (*TestTLSServerConfig) CheckAndSetDefaults ¶
func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets limiter defaults
type TestTLSServerOption ¶
type TestTLSServerOption func(*TestTLSServerConfig)
TestTLSServerOption is a functional option passed to NewTestTLSServer
func WithLimiterConfig ¶
func WithLimiterConfig(config *limiter.Config) TestTLSServerOption
WithLimiterConfig sets connection and request limiter configuration.
type TransportCredentials ¶
type TransportCredentials struct {
	credentials.TransportCredentials
	// contains filtered or unexported fields
}
TransportCredentials is a credentials.TransportCredentials that enforces mTLS and retrieves the [IdentityGetter] for use by middleware to perform authorization.
func NewTransportCredentials ¶
func NewTransportCredentials(cfg TransportCredentialsConfig) (*TransportCredentials, error)
NewTransportCredentials returns a new TransportCredentials
func (*TransportCredentials) Clone ¶
func (c *TransportCredentials) Clone() credentials.TransportCredentials
Clone makes a copy of this TransportCredentials.
func (*TransportCredentials) ServerHandshake ¶
func (c *TransportCredentials) ServerHandshake(rawConn net.Conn) (_ net.Conn, _ credentials.AuthInfo, err error)
ServerHandshake does the authentication handshake for servers. It returns the authenticated connection and the corresponding auth information about the connection. At minimum the TLS handshake is performed and the identity is built from the tls.ConnectionState. If the TransportCredentials is configured with an Authorizer and a ConnectionEnforcer, additional session controls (locks, device trust, connection limits) are applied before the handshake completes, so a rejected peer never receives an authenticated connection.
type TransportCredentialsConfig ¶
type TransportCredentialsConfig struct {
	// TransportCredentials provide the credentials that are used to perform the TLS
	// server and client handshakes as well as the [credentials.ProtocolInfo]. This
	// **MUST** not be nil, and it must have its [credentials.ProtocolInfo.SecurityProtocol]
	// equal to "tls".
	TransportCredentials credentials.TransportCredentials
	// UserGetter constructs the clients' [tlsca.Identity] from the [tls.ConnectionState]
	// that is received from the TLS handshake. This
	UserGetter UserGetter
	// Authorizer prevents any connections from being established if the user is not
	// authorized due to locks, private key policy, device trust, etc. If not set
	// then no authorization is performed.
	Authorizer authz.Authorizer
	// Enforcer prevents any connections from being established if the user would
	// exceed their configured max connection limit. Any connections that are
	// permitted may be terminated if there is an issue determining if the number
	// of active connections is within the limit. If not set then no connection
	// limits are enforced.
	Enforcer ConnectionEnforcer
}
TransportCredentialsConfig configures the behavior that occurs during the server handshake by the TransportCredentials
func (*TransportCredentialsConfig) Check ¶
func (c *TransportCredentialsConfig) Check() error
Check validates that the configuration is valid for use and that all supplied parameters are set accordingly.
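The ordering described for ServerHandshake (identity from the tls.ConnectionState, then Authorizer, then Enforcer) is worth seeing as code. The block below is an added example written for this page, not the package's implementation: Identity, Authorizer, Enforcer, Admit, NewConnectionLimiter and connState are assumed stand-ins, the TLS handshake itself is left to crypto/tls, and the certificates are constructed, unsigned test objects. The check it highlights is that the identity must be read from VerifiedChains, which crypto/tls populates only when the server config requires and verifies the client certificate; PeerCertificates is whatever the peer chose to send.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"sync"
)

// Identity is an assumed stand-in for the identity the real server builds from
// the tls.ConnectionState; the page does not spell out its fields.
type Identity struct {
	Username string
	Groups   []string
}

// Authorizer rejects identities that must not connect (locks, device trust, ...).
type Authorizer func(Identity) error

// Enforcer admits a connection only while the user is under their connection
// limit; the returned release func must be called when the connection ends.
type Enforcer func(Identity) (release func(), err error)

// identityFromConnState builds the identity from the verified client chain.
// PeerCertificates is whatever the peer sent; VerifiedChains is only populated
// when the server config used tls.RequireAndVerifyClientCert, so an empty
// VerifiedChains means mTLS was not actually enforced and nobody is trusted.
func identityFromConnState(cs tls.ConnectionState) (Identity, error) {
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return Identity{}, errors.New("no verified client certificate")
	}
	leaf := cs.VerifiedChains[0][0]
	return Identity{Username: leaf.Subject.CommonName, Groups: leaf.Subject.Organization}, nil
}

// Admit is the post-handshake part of ServerHandshake: build the identity,
// then run the Authorizer, then the Enforcer. On error the caller must drop
// the connection; on success it must call release when the connection ends.
func Admit(cs tls.ConnectionState, authorize Authorizer, enforce Enforcer) (Identity, func(), error) {
	id, err := identityFromConnState(cs)
	if err != nil {
		return Identity{}, nil, err
	}
	if authorize != nil {
		if err := authorize(id); err != nil {
			return Identity{}, nil, fmt.Errorf("authorize %q: %w", id.Username, err)
		}
	}
	release := func() {}
	if enforce != nil {
		if release, err = enforce(id); err != nil {
			return Identity{}, nil, fmt.Errorf("enforce %q: %w", id.Username, err)
		}
	}
	return id, release, nil
}

// NewConnectionLimiter returns an in-memory Enforcer allowing at most limit
// concurrent connections per username (a real one would consult the backend).
func NewConnectionLimiter(limit int) Enforcer {
	var mu sync.Mutex
	active := map[string]int{}
	return func(id Identity) (func(), error) {
		mu.Lock()
		defer mu.Unlock()
		if active[id.Username] >= limit {
			return nil, fmt.Errorf("%d active connections, limit %d", active[id.Username], limit)
		}
		active[id.Username]++
		release := func() {
			mu.Lock()
			active[id.Username]--
			mu.Unlock()
		}
		return release, nil
	}
}

// connState fakes what crypto/tls hands over after a handshake with a client
// presenting a certificate for the given subject. The certificate is a
// constructed, unsigned test object: PeerCertificates is always what the peer
// sent, VerifiedChains only what the server validated against its ClientCAs.
func connState(cn string, org []string, verified bool) tls.ConnectionState {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: org}}
	cs := tls.ConnectionState{HandshakeComplete: true, PeerCertificates: []*x509.Certificate{cert}}
	if verified {
		cs.VerifiedChains = [][]*x509.Certificate{{cert}}
	}
	return cs
}

func main() {
	id, release, err := Admit(connState("alice", []string{"access"}, true), nil, NewConnectionLimiter(1))
	fmt.Println(id, err) // {alice [access]} <nil>
	release()
}
```

The Enforcer runs last on purpose: a locked or untrusted user should be refused before they consume a slot in the per-user connection count.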
type TrustedCerts ¶
type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// AuthorizedKeys is a list of SSH public keys in authorized_keys format
	// that can be used to check host key signatures.
	AuthorizedKeys [][]byte `json:"checking_keys"`
	// TLSCertificates is a list of TLS certificates of the certificate authority
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}
TrustedCerts contains host certificates. It preserves backwards compatibility on the wire, which is the primary reason the JSON tags do not match the field names.
func AuthoritiesToTrustedCerts ¶
func AuthoritiesToTrustedCerts(authorities []types.CertAuthority) []TrustedCerts
AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure
func (*TrustedCerts) SSHCertPublicKeys ¶
func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)
SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys
type UserGetter ¶
type UserGetter interface {
GetUser(connState tls.ConnectionState) (authz.IdentityGetter, error)
}
UserGetter is responsible for building an authenticated user based on TLS metadata
type ValidateOIDCAuthCallbackReq ¶
ValidateOIDCAuthCallbackReq is the request made by the proxy to validate and activate a login via OIDC.
type ValidateSAMLResponseReq ¶
type ValidateSAMLResponseReq struct {
	// Response is SAML statements coming from the identity provider.
	Response string `json:"response"`
	// ConnectorID is ID of a SAML connector that should be used for this request.
	ConnectorID string `json:"connector_id,omitempty"`
	// ClientIP is IP of the logging in client, used in identity provider initiated login case,
	// when we don't have original client's request with their IP stored.
	ClientIP string `json:"client_ip,omitempty"`
}
ValidateSAMLResponseReq is the request made by the proxy to validate and activate a login via SAML.
type ValidateTrustedClusterRequest ¶
type ValidateTrustedClusterRequest struct {
	Token           string                `json:"token"`
	CAs             []types.CertAuthority `json:"certificate_authorities"`
	TeleportVersion string                `json:"teleport_version"`
}
func (*ValidateTrustedClusterRequest) ToRaw ¶
func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)
type ValidateTrustedClusterRequestRaw ¶
type ValidateTrustedClusterRequestRaw struct {
	Token           string   `json:"token"`
	CAs             [][]byte `json:"certificate_authorities"`
	TeleportVersion string   `json:"teleport_version"`
}
func (*ValidateTrustedClusterRequestRaw) ToNative ¶
func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)
type ValidateTrustedClusterResponse ¶
type ValidateTrustedClusterResponse struct {
CAs []types.CertAuthority `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponse) ToRaw ¶
func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)
type ValidateTrustedClusterResponseRaw ¶
type ValidateTrustedClusterResponseRaw struct {
CAs [][]byte `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponseRaw) ToNative ¶
func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)
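The ToRaw/ToNative pairs above separate the wire form, in which certificate_authorities is a list of opaque byte slices, from the parsed native form. The following added example (not the project's code) shows that pattern with self-signed X.509 CA certificates standing in for types.CertAuthority; that substitution, the lower-case type names and the subject names are this example's assumptions, made only so the code runs without Teleport, and say nothing about how the real raw entries are encoded. What the example adds is the check a practitioner wants in such a conversion: ToNative fails closed on any malformed or non-CA entry rather than handing back a partial trust list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// trustedClusterResponseRaw stands in for ValidateTrustedClusterResponseRaw:
// the wire form carries opaque byte slices under the same JSON key.
type trustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

// trustedClusterResponse stands in for the native form. The real type holds
// types.CertAuthority values; this example substitutes parsed X.509 CA
// certificates (an assumption for the example) so it runs without Teleport.
type trustedClusterResponse struct {
	CAs []*x509.Certificate
}

// ToNative parses every raw entry and fails closed: one malformed or non-CA
// entry rejects the whole response, so a partially parsed trust list never
// reaches the caller.
func (r *trustedClusterResponseRaw) ToNative() (*trustedClusterResponse, error) {
	out := &trustedClusterResponse{}
	for i, b := range r.CAs {
		block, rest := pem.Decode(b)
		if block == nil || block.Type != "CERTIFICATE" || len(rest) != 0 {
			return nil, fmt.Errorf("certificate_authorities[%d]: want exactly one PEM CERTIFICATE", i)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate_authorities[%d]: %w", i, err)
		}
		if !cert.IsCA {
			return nil, fmt.Errorf("certificate_authorities[%d]: %q is not a CA", i, cert.Subject.CommonName)
		}
		out.CAs = append(out.CAs, cert)
	}
	return out, nil
}

// ToRaw re-encodes the parsed certificates as PEM for the wire.
func (r *trustedClusterResponse) ToRaw() *trustedClusterResponseRaw {
	raw := &trustedClusterResponseRaw{}
	for _, c := range r.CAs {
		raw.CAs = append(raw.CAs, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
	}
	return raw
}

// newSelfSignedCert makes a throwaway ECDSA certificate (PEM) for the example;
// isCA selects between a CA and a leaf certificate.
func newSelfSignedCert(cn string, isCA bool) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// exampleResults exercises the conversion: a real CA round-trips byte for byte,
// a leaf certificate in the list is rejected, and trailing bytes after the PEM
// are rejected (constructed inputs, not data from a real cluster).
func exampleResults() (roundTripOK, leafRejected, garbageRejected bool) {
	ca := newSelfSignedCert("root.example.test", true)
	native, err := (&trustedClusterResponseRaw{CAs: [][]byte{ca}}).ToNative()
	roundTripOK = err == nil && len(native.CAs) == 1 && string(native.ToRaw().CAs[0]) == string(ca)

	_, err = (&trustedClusterResponseRaw{CAs: [][]byte{ca, newSelfSignedCert("leaf.example.test", false)}}).ToNative()
	leafRejected = err != nil

	garbage := append(append([]byte{}, ca...), "junk"...)
	_, err = (&trustedClusterResponseRaw{CAs: [][]byte{garbage}}).ToNative()
	garbageRejected = err != nil
	return
}

func main() {
	a, b, c := exampleResults()
	fmt.Println("CA round trip:", a, "leaf rejected:", b, "garbage rejected:", c)
}
```

Rejecting the whole response on the first bad entry is the conservative choice for a trust exchange: the alternative, skipping entries that fail to parse, would let a corrupted or tampered bundle silently shrink the set of CAs a cluster trusts or, worse, drop only the entries an attacker wanted gone.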
type WatchEvent ¶
WatchEvent is a stream interface for sending events.
type WebService ¶
type WebService interface {
	// GetWebSessionInfo checks if a web session is valid and returns the session
	// if it is, or an error otherwise.
	GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session.
	ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
	// CreateWebSession creates a new web session for a user.
	CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
	// AppSession defines application session features.
	services.AppSession
	// SnowflakeSession defines Snowflake session features.
	services.SnowflakeSession
}
WebService implements features used by Web UI clients
type WebSessionReq ¶
type WebSessionReq struct {
	// User is the user name associated with the session id.
	User string `json:"user"`
	// PrevSessionID is the id of the current session.
	PrevSessionID string `json:"prev_session_id"`
	// AccessRequestID is an optional field that holds the id of an approved access request.
	AccessRequestID string `json:"access_request_id"`
	// Switchback indicates that the user wants to switch back from an assumed role
	// to their default role.
	Switchback bool `json:"switchback"`
	// ReloadUser indicates that the user must be refetched from the backend
	// to apply new user changes, e.g. updated user traits.
	ReloadUser bool `json:"reload_user"`
}
type WindowsDesktopAccessPoint ¶
type WindowsDesktopAccessPoint interface {
	// ReadWindowsDesktopAccessPoint provides methods to read data
	ReadWindowsDesktopAccessPoint
	// contains filtered or unexported methods
}
WindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.
func NewWindowsDesktopWrapper ¶
func NewWindowsDesktopWrapper(base WindowsDesktopAccessPoint, cache ReadWindowsDesktopAccessPoint) WindowsDesktopAccessPoint
type WindowsDesktopWrapper ¶
type WindowsDesktopWrapper struct {
	ReadWindowsDesktopAccessPoint
	NoCache WindowsDesktopAccessPoint
	// contains filtered or unexported fields
}
func (*WindowsDesktopWrapper) Close ¶
func (w *WindowsDesktopWrapper) Close() error
Close closes all associated resources
Source Files ¶
- access.go
- accountrecovery.go
- api.go
- apiserver.go
- auth.go
- auth_with_roles.go
- aws_certs.go
- azure_certs.go
- bot.go
- clt.go
- db.go
- desktop.go
- externalauditstorage.go
- github.go
- grpcserver.go
- helpers.go
- helpers_mfa.go
- http_client.go
- httpfallback.go
- init.go
- join.go
- join_azure.go
- join_circleci.go
- join_ec2.go
- join_gcp.go
- join_github.go
- join_gitlab.go
- join_iam.go
- join_kubernetes.go
- join_spacelift.go
- kube.go
- methods.go
- middleware.go
- oidc.go
- password.go
- periodic.go
- register.go
- rotate.go
- saml.go
- server_info.go
- session_access.go
- sessions.go
- sso_diag_context.go
- state.go
- state_unix.go
- sts_endpoints.go
- transport_credentials.go
- trustedcluster.go
- user.go
- usertoken.go
Directories ¶
Path | Synopsis
---|---
accesspoint | package accesspoint provides helpers for configuring caches in the context of setting up service-level auth access points.
assist |
authclient | Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
discoveryconfig |
integration |
keystore | Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
machineid |
test | package test contains the CA authority acceptance test suite.
testauthority | Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
trust |
userpreferences |
users |
webauthn | Package webauthn implements server-side support for the Web Authentication specification.
webauthncli | Package webauthncli provides the client-side implementation for WebAuthn.
webauthntypes | Package webauthntypes provides WebAuthn types and conversions for both client-side and server-side implementations.
webauthnwin | Package webauthnwin is a wrapper around the Windows webauthn API.