auth

package
v3.1.0-alpha.2+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 17, 2018 License: Apache-2.0 Imports: 67 Imported by: 0

Documentation

Overview

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
)
View Source
const (
	// CurrentVersion is a current API version
	CurrentVersion = services.V2

	// MissingNamespaceError is a _very_ common error this file generatets
	MissingNamespaceError = "missing required parameter: namespace"
)
View Source
const (
	// GithubAuthURL is the Github authorization endpoint
	GithubAuthURL = "https://github.com/login/oauth/authorize"

	// GithubTokenURL is the Github token exchange endpoint
	GithubTokenURL = "https://github.com/login/oauth/access_token"

	// GithubAPIURL is the Github base API URL
	GithubAPIURL = "https://api.github.com"

	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
View Source
const (
	// IdentityNameCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity crdentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
View Source
const ContextUser = "teleport-user"

ContextUser is a user set in the context of the request

View Source
const IdentitySpecV2Schema = `` /* 329-byte string literal not displayed */

IdentitySpecV2Schema is a schema for identity spec.

View Source
const StateSpecV2Schema = `{
  "type": "object",
  "additionalProperties": false,
  "required": ["rotation"],
  "properties": {
    "rotation": %v
  }
}`

StateSpecV2Schema is a schema for local server state.

Variables

View Source
var (
	// GithubScopes is a list of scopes requested during OAuth2 flow
	GithubScopes = []string{

		"read:org",
	}
)

Functions

func ClientCertPool

func ClientCertPool(client AccessPoint) (*x509.CertPool, error)

ClientCertPool returns trusted x509 cerificate authority pool

func ClientTimeout

func ClientTimeout(timeout time.Duration) roundtrip.ClientParam

ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.

func CreateUploaderDir

func CreateUploaderDir(dir string) error

CreateUploaderDir creates directory for file uploader service

func CreateUserAndRole

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRole creates user and role and assignes role to a user, used in tests

func CreateUserAndRoleWithoutRoles

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests

func DecodeClusterName

func DecodeClusterName(serverName string) (string, error)

DecodeClusterName decodes cluster name, returns NotFound if no cluster name is encoded (empty subdomain), so servers can detect cases when no server name passed returns BadParameter if encoding does not match

func EncodeClusterName

func EncodeClusterName(clusterName string) string

EncodeClusterName encodes cluster name in the SNI hostname

func GenerateCertificate

func GenerateCertificate(authServer *AuthServer, identity TestIdentity) ([]byte, []byte, error)

GenerateCertificate generates certificate for identity, returns private public key pair

func GetCheckerForBuiltinRole

func GetCheckerForBuiltinRole(clusterName string, clusterConfig services.ClusterConfig, role teleport.Role) (services.RoleSet, error)

GetCheckerForBuiltinRole returns checkers for embedded builtin role

func GetIdentitySchema

func GetIdentitySchema() string

GetIdentitySchema returns JSON Schema for cert authorities.

func GetStateSchema

func GetStateSchema() string

GetStateSchema returns JSON Schema for cert authorities.

func HostFQDN

func HostFQDN(hostUUID, clusterName string) string

HostFQDN consits of host UUID and cluster name joined via .

func NewAPIServer

func NewAPIServer(config *APIConfig) http.Handler

NewAPIServer returns a new instance of APIServer HTTP handler

func SetPlugin

func SetPlugin(p Plugin)

SetPlugin sets plugin for the auth API server

Types

type APIConfig added in v1.0.0

type APIConfig struct {
	AuthServer     *AuthServer
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
}

type APIServer

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements http API server for AuthServer interface

type AccessPoint

type AccessPoint interface {
	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels() ([]services.ReverseTunnel, error)

	// GetDomainName returns domain name AKA ("cluster name") of the auth
	// server / certificate authority (CA)
	GetDomainName() (string, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig() (services.ClusterConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*services.Namespace, error)

	// GetServers returns a list of registered servers
	GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server) error

	// UpsertProxy registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server) error

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

	// GetUser returns a services.User for this cluster.
	GetUser(string) (services.User, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(conn services.TunnelConnection) error

	// DeleteTunnelConnection deletes tunnel connection
	DeleteTunnelConnection(clusterName, connName string) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)
}

AccessPoint is an API interface implemented by a certificate authority (CA)

type AuthContext

type AuthContext struct {
	// User is the user name
	User services.User
	// Checker is access checker
	Checker services.AccessChecker
}

AuthzContext is authorization context

func NewAdminContext

func NewAdminContext() (*AuthContext, error)

NewAdminContext returns new admin auth context

type AuthMiddleware

type AuthMiddleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessPoint
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage,
	// if set, will accept certificates with non-limited usage,
	// and usage exactly matching the specified values.
	AcceptedUsage []string
}

AuthMiddleware is authentication middleware checking every request

func (*AuthMiddleware) GetUser

func (a *AuthMiddleware) GetUser(r *http.Request) (interface{}, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*AuthMiddleware) ServeHTTP

func (a *AuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*AuthMiddleware) Wrap

func (a *AuthMiddleware) Wrap(h http.Handler)

Wrap sets next handler in chain

type AuthServer

type AuthServer struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	services.ClusterConfiguration
	events.IAuditLog
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func Init

func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error)

Init instantiates and configures an instance of AuthServer

func NewAuthServer

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, error)

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) AuthenticateSSHUser

func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates web user, creates and returns web session in case if authentication is successful

func (*AuthServer) AuthenticateUser

func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error

AuthenticateUser authenticates user based on the request type

func (*AuthServer) AuthenticateWebUser

func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull. In case if existing session id is used to authenticate, returns session associated with the existing session id instead of creating the new one

func (*AuthServer) ChangePassword

func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user passsword

func (*AuthServer) CheckOTP

func (s *AuthServer) CheckOTP(user string, otpToken string) error

CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.

func (*AuthServer) CheckPassword

func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.

func (*AuthServer) CheckPasswordWOToken

func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking OTP tokens used in case of SSH authentication, when token has been validated.

func (*AuthServer) CheckU2FSignResponse added in v1.3.0

func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error

func (*AuthServer) ClientCertPool

func (s *AuthServer) ClientCertPool(clusterName string) (*x509.CertPool, error)

ClientCertPool returns trusted x509 cerificate authority pool

func (*AuthServer) Close added in v1.0.0

func (a *AuthServer) Close() error

func (*AuthServer) CreateGithubAuthRequest

func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*AuthServer) CreateOIDCAuthRequest added in v1.0.0

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateSAMLAuthRequest

func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthServer) CreateSignupToken

func (s *AuthServer) CreateSignupToken(userv1 services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*AuthServer) CreateSignupU2FRegisterRequest added in v1.3.0

func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthServer) CreateUserWithOTP

func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) CreateUserWithU2FToken added in v1.3.0

func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)

func (*AuthServer) CreateUserWithoutOTP

func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP creates an account with the provided password and deletes the token afterwards.

func (*AuthServer) CreateWebSession added in v1.0.0

func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*AuthServer) DeleteNamespace

func (s *AuthServer) DeleteNamespace(namespace string) error

func (*AuthServer) DeleteOIDCConnector

func (s *AuthServer) DeleteOIDCConnector(connectorName string) error

func (*AuthServer) DeleteRemoteCluster

func (a *AuthServer) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it

func (*AuthServer) DeleteRole

func (a *AuthServer) DeleteRole(name string) error

func (*AuthServer) DeleteSAMLConnector

func (s *AuthServer) DeleteSAMLConnector(connectorName string) error

func (*AuthServer) DeleteToken

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteTrustedCluster

func (a *AuthServer) DeleteTrustedCluster(name string) error

DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*AuthServer) DeleteUser

func (a *AuthServer) DeleteUser(user string) error

func (*AuthServer) DeleteWebSession

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExtendWebSession added in v1.0.0

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) GenerateHostCert

func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*AuthServer) GenerateServerKeys added in v1.0.0

func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthServer) GenerateToken

func (s *AuthServer) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token

func (*AuthServer) GenerateUserCerts

func (a *AuthServer) GenerateUserCerts(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, []byte, error)

GenerateUserCerts is used to generate user certificate, used internally for tests

func (*AuthServer) GetClock

func (a *AuthServer) GetClock() clockwork.Clock

func (*AuthServer) GetClusterCACert

func (a *AuthServer) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthServer) GetClusterName

func (a *AuthServer) GetClusterName() (services.ClusterName, error)

GetClusterName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetDomainName added in v1.2.6

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetOTPData

func (s *AuthServer) GetOTPData(user string) (string, []byte, error)

GetOTPData returns the OTP Key, Key URL, and the QR code.

func (*AuthServer) GetRemoteCluster

func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*AuthServer) GetRemoteClusters

func (a *AuthServer) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns remote clusters with udpated statuses

func (*AuthServer) GetSignupTokenData

func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)

GetSignupTokenData returns token data (username and QR code bytes) for a valid signup token.

func (*AuthServer) GetTokens added in v1.0.0

func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*AuthServer) GetWebSession

func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)

func (*AuthServer) NewWebSession

func (s *AuthServer) NewWebSession(username string) (services.WebSession, error)

func (*AuthServer) PreAuthenticatedSignIn added in v1.3.0

func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)

PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge

func (*AuthServer) ProcessKubeCSR

func (s *AuthServer) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessfull.

func (*AuthServer) RegisterNewAuthServer

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken

func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.

func (*AuthServer) RotateCertAuthority

func (a *AuthServer) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

Rotation procedure is based on the state machine approach.

Here are the supported rotation states:

  • Standby - the cluster is in standby mode and ready to take action.
  • In-progress - cluster CA rotation is in progress.

In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.

Here are the supported phases:

* Standby - no action is taken.

* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.

This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.

* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".

* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.

* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will loose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.

Rotation modes

There are two rotation modes supported - manual or automatic.

* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.

* Automatic mode performs automatic transition between phases on a given schedule. Schedule is a time table that specifies exact date when the next phase should take place. If automatic transition between any phase fails, the rotation switches back to the manual mode and stops execution phases on the schedule. If schedule is not specified, it will be auto generated based on the "grace period" duration parameter, and time between all phases will be evenly split over the grace period duration.

It is possible to switch from automatic to manual by setting the phase to the rollback phase.

func (*AuthServer) RotateExternalCertAuthority

func (a *AuthServer) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthServer) SetAuditLog

func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*AuthServer) SetClock

func (a *AuthServer) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*AuthServer) U2FSignRequest added in v1.3.0

func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthServer) UpsertOIDCConnector

func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthServer) UpsertSAMLConnector

func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthServer) UpsertTrustedCluster

func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*AuthServer) UpsertWebSession

func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error

func (*AuthServer) ValidateGithubAuthCallback

func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback redirect

func (*AuthServer) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*AuthServer) ValidateSAMLResponse

func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from SAML identity provider

func (*AuthServer) ValidateToken

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found.

func (*AuthServer) WithUserLock

func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval

type AuthServerOption added in v1.0.0

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthWithRoles

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles

func NewAuthWithRoles(authServer *AuthServer,
	checker services.AccessChecker,
	user services.User,
	sessions session.Service,
	alog events.IAuditLog) *AuthWithRoles

NewAuthWithRoles creates new auth server with access control

func (*AuthWithRoles) ActivateCertAuthority

func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) AuthenticateSSHUser

func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*AuthWithRoles) AuthenticateWebUser

func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull

func (*AuthWithRoles) ChangePassword

func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error

func (*AuthWithRoles) CheckPassword

func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*AuthWithRoles) Close

func (a *AuthWithRoles) Close() error

func (*AuthWithRoles) CompareAndSwapCertAuthority

func (a *AuthWithRoles) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*AuthWithRoles) CreateCertAuthority

func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error

func (*AuthWithRoles) CreateGithubAuthRequest

func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

func (*AuthWithRoles) CreateGithubConnector

func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) CreateOIDCAuthRequest added in v1.0.0

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateRemoteCluster

func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error

func (*AuthWithRoles) CreateRole

func (a *AuthWithRoles) CreateRole(role services.Role, ttl time.Duration) error

CreateRole creates a role.

func (*AuthWithRoles) CreateSAMLAuthRequest

func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthWithRoles) CreateSAMLConnector

func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) CreateSession added in v1.0.0

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken

func (a *AuthWithRoles) CreateSignupToken(user services.UserV1, ttl time.Duration) (token string, e error)

func (*AuthWithRoles) CreateUserWithOTP

func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithU2FToken added in v1.3.0

func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithoutOTP

func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

func (*AuthWithRoles) CreateWebSession added in v1.0.0

func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)

func (*AuthWithRoles) DeactivateCertAuthority

func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteAllCertAuthorities

func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*AuthWithRoles) DeleteAllNamespaces

func (a *AuthWithRoles) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*AuthWithRoles) DeleteAllNodes

func (a *AuthWithRoles) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*AuthWithRoles) DeleteAllProxies

func (a *AuthWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*AuthWithRoles) DeleteAllRemoteClusters

func (a *AuthWithRoles) DeleteAllRemoteClusters() error

func (*AuthWithRoles) DeleteAllReverseTunnels

func (a *AuthWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*AuthWithRoles) DeleteAllRoles

func (a *AuthWithRoles) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*AuthWithRoles) DeleteAllTunnelConnections

func (a *AuthWithRoles) DeleteAllTunnelConnections() error

func (*AuthWithRoles) DeleteAllUsers

func (a *AuthWithRoles) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteGithubConnector

func (a *AuthWithRoles) DeleteGithubConnector(id string) error

func (*AuthWithRoles) DeleteNamespace

func (a *AuthWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*AuthWithRoles) DeleteOIDCConnector added in v1.0.0

func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error

func (*AuthWithRoles) DeleteRemoteCluster

func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteRole

func (a *AuthWithRoles) DeleteRole(name string) error

DeleteRole deletes role by name

func (*AuthWithRoles) DeleteSAMLConnector

func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error

func (*AuthWithRoles) DeleteToken added in v1.0.0

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteTrustedCluster

func (a *AuthWithRoles) DeleteTrustedCluster(name string) error

func (*AuthWithRoles) DeleteTunnelConnection

func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*AuthWithRoles) DeleteTunnelConnections

func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error

func (*AuthWithRoles) DeleteUser

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent added in v1.0.0

func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error

func (*AuthWithRoles) ExtendWebSession added in v1.0.0

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)

func (*AuthWithRoles) GenerateHostCert

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateServerKeys

func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthWithRoles) GenerateToken

func (a *AuthWithRoles) GenerateToken(req GenerateTokenRequest) (string, error)

func (*AuthWithRoles) GenerateUserCert

func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

func (*AuthWithRoles) GetAllTunnelConnections

func (a *AuthWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetAuthPreference

func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

func (*AuthWithRoles) GetCertAuthority

func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

func (*AuthWithRoles) GetClusterCACert

func (a *AuthWithRoles) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthWithRoles) GetClusterConfig

func (a *AuthWithRoles) GetClusterConfig() (services.ClusterConfig, error)

GetClusterConfig gets cluster level configuration.

func (*AuthWithRoles) GetClusterName

func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*AuthWithRoles) GetDomainName added in v1.2.6

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetGithubConnector

func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

func (*AuthWithRoles) GetGithubConnectors

func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

func (*AuthWithRoles) GetLocalClusterName

func (a *AuthWithRoles) GetLocalClusterName() (string, error)

func (*AuthWithRoles) GetNamespace

func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*AuthWithRoles) GetNamespaces

func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*AuthWithRoles) GetNodes added in v1.0.0

func (a *AuthWithRoles) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetOTPData

func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)

func (*AuthWithRoles) GetProxies added in v1.0.0

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetRemoteCluster

func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

func (*AuthWithRoles) GetRemoteClusters

func (a *AuthWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

func (*AuthWithRoles) GetReverseTunnel

func (a *AuthWithRoles) GetReverseTunnel(name string) (services.ReverseTunnel, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0

func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetRole

func (a *AuthWithRoles) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*AuthWithRoles) GetRoles

func (a *AuthWithRoles) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*AuthWithRoles) GetSAMLConnector

func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

func (*AuthWithRoles) GetSAMLConnectors

func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

func (*AuthWithRoles) GetSession

func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk added in v1.0.0

func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0

func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions

func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)

func (*AuthWithRoles) GetSignupToken

func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)

func (*AuthWithRoles) GetSignupTokenData

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)

func (*AuthWithRoles) GetSignupU2FRegisterRequest added in v1.3.0

func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthWithRoles) GetStaticTokens

func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthWithRoles) GetToken

func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)

func (*AuthWithRoles) GetTokens added in v1.0.0

func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetTrustedCluster

func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*AuthWithRoles) GetTrustedClusters

func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*AuthWithRoles) GetTunnelConnections

func (a *AuthWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetU2FSignRequest added in v1.3.0

func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthWithRoles) GetUser added in v1.0.0

func (a *AuthWithRoles) GetUser(name string) (services.User, error)

func (*AuthWithRoles) GetUsers

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

func (*AuthWithRoles) PostSessionSlice

func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error

func (*AuthWithRoles) PreAuthenticatedSignIn added in v1.3.0

func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)

func (*AuthWithRoles) ProcessKubeCSR

func (a *AuthWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessfull.

func (*AuthWithRoles) RegisterNewAuthServer

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken

func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

func (*AuthWithRoles) RotateCertAuthority

func (a *AuthWithRoles) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*AuthWithRoles) RotateExternalCertAuthority

func (a *AuthWithRoles) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthWithRoles) SearchEvents added in v1.0.0

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SearchSessionEvents

func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SetAuthPreference

func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error

func (*AuthWithRoles) SetClusterConfig

func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error

SetClusterConfig sets cluster level configuration.

func (*AuthWithRoles) SetClusterName

func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*AuthWithRoles) SetStaticTokens

func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*AuthWithRoles) UpdateSession added in v1.0.0

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UploadSessionRecording

func (a *AuthWithRoles) UploadSessionRecording(r events.SessionRecording) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0

func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates existing cert authority or updates the existing one.

func (*AuthWithRoles) UpsertGithubConnector

func (a *AuthWithRoles) UpsertGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) UpsertLocalClusterName

func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error

func (*AuthWithRoles) UpsertNamespace

func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*AuthWithRoles) UpsertNode added in v1.0.0

func (a *AuthWithRoles) UpsertNode(s services.Server) error

func (*AuthWithRoles) UpsertNodes

func (a *AuthWithRoles) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk upserts nodes into the backend.

func (*AuthWithRoles) UpsertOIDCConnector added in v1.0.0

func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthWithRoles) UpsertPassword

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error

func (*AuthWithRoles) UpsertProxy added in v1.0.0

func (a *AuthWithRoles) UpsertProxy(s services.Server) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error

func (*AuthWithRoles) UpsertRole

func (a *AuthWithRoles) UpsertRole(role services.Role, ttl time.Duration) error

UpsertRole creates or updates role

func (*AuthWithRoles) UpsertSAMLConnector

func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) UpsertTOTP

func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error

func (*AuthWithRoles) UpsertToken

func (a *AuthWithRoles) UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error

func (*AuthWithRoles) UpsertTrustedCluster

func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) (services.TrustedCluster, error)

func (*AuthWithRoles) UpsertTunnelConnection

func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error

func (*AuthWithRoles) UpsertUser added in v1.0.0

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateGithubAuthCallback

func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

func (*AuthWithRoles) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

func (*AuthWithRoles) ValidateSAMLResponse

func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

func (*AuthWithRoles) ValidateTrustedCluster

func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*AuthWithRoles) WaitForDelivery

func (a *AuthWithRoles) WaitForDelivery(context.Context) error

type AuthenticateSSHRequest

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issues
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
}

AuthenticateSSHRequest is a request to authenticate SSH client user via CLI

func (*AuthenticateSSHRequest) CheckAndSetDefaults

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest

type AuthenticateUserRequest struct {
	// Username is a user name
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// U2F is a sign response crdedentials used to authenticate via U2F
	U2F *U2FSignResponseCreds `json:"u2f,omitempty"`
	// OTP is a password and second factor, used in two factor authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
}

AuthenticateUserRequest is a request to authenticate interactive user

func (*AuthenticateUserRequest) CheckAndSetDefaults

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*AuthContext, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer

func NewAuthorizer(access services.Access, identity services.UserGetter, trust services.Trust) (Authorizer, error)

NewAuthorizer returns new authorizer using backends

func NewRoleAuthorizer

func NewRoleAuthorizer(clusterName string, clusterConfig services.ClusterConfig, r teleport.Role) (Authorizer, error)

NewRoleAuthorizer authorizes everyone as predefined role, used in tests

func NewUserAuthorizer

func NewUserAuthorizer(username string, identity services.UserGetter, access services.Access) (Authorizer, error)

NewUserAuthorizer authorizes everyone as predefined local user

type BuiltinRole

type BuiltinRole struct {
	// GetClusterConfig fetches cluster configuration.
	GetClusterConfig GetClusterConfigFunc

	// Role is the builtin role this username is associated with
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string
}

BuiltinRole is the role of the Teleport service.

type BuiltinRoleSet

type BuiltinRoleSet struct {
	services.RoleSet
}

BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is builtin or not.

type Client

type Client struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewClient

func NewClient(addr string, dialer Dialer, params ...roundtrip.ClientParam) (*Client, error)

NewAuthClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH

func NewTLSClient

func NewTLSClient(addrs []utils.NetAddr, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClient returns new client using TLS mutual authentication

func NewTLSClientWithDialer

func NewTLSClientWithDialer(dialContext DialContext, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClientWithDialer returns new TLS client that uses mutual TLS authenticate and dials the remote server using dialer

func (*Client) ActivateCertAuthority

func (c *Client) ActivateCertAuthority(id services.CertAuthID) error

ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.

func (*Client) AddUserLoginAttempt

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser

func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*Client) AuthenticateWebUser

func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successfull

func (*Client) ChangePassword

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user password

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close added in v1.0.0

func (c *Client) Close() error

func (*Client) CompareAndSwapCertAuthority

func (c *Client) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*Client) CreateCertAuthority

func (c *Client) CreateCertAuthority(ca services.CertAuthority) error

CreateCertAuthority inserts new cert authority

func (*Client) CreateGithubAuthRequest

func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Client) CreateGithubConnector

func (c *Client) CreateGithubConnector(connector services.GithubConnector) error

CreateGithubConnector creates a new Github connector

func (*Client) CreateOIDCAuthRequest added in v1.0.0

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*Client) CreateRemoteCluster

func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateRole

func (c *Client) CreateRole(role services.Role, ttl time.Duration) error

CreateRole creates a role.

func (*Client) CreateSAMLAuthRequest

func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAML AuthnRequest

func (*Client) CreateSAMLConnector

func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error

CreateOIDCConnector creates SAML connector

func (*Client) CreateSession added in v1.0.0

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken

func (c *Client) CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*Client) CreateUserWithOTP

func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.

func (*Client) CreateUserWithU2FToken added in v1.3.0

func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

CreateUserWithU2FToken creates user account with provided token and U2F sign response

func (*Client) CreateUserWithoutOTP

func (c *Client) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP validates a given token creates a user with the given password and deletes the token afterwards.

func (*Client) CreateWebSession added in v1.0.0

func (c *Client) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for a user

func (*Client) DeactivateCertAuthority

func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error

DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.

func (*Client) Delete

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAllCertAuthorities

func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*Client) DeleteAllNamespaces

func (c *Client) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*Client) DeleteAllNodes

func (c *Client) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*Client) DeleteAllProxies

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*Client) DeleteAllRoles

func (c *Client) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*Client) DeleteAllTunnelConnections

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers

func (c *Client) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*Client) DeleteCertAuthority added in v1.0.0

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteGithubConnector

func (c *Client) DeleteGithubConnector(id string) error

DeleteGithubConnector deletes the specified Github connector

func (*Client) DeleteNamespace

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteOIDCConnector added in v1.0.0

func (c *Client) DeleteOIDCConnector(connectorID string) error

DeleteOIDCConnector deletes OIDC connector by ID

func (*Client) DeleteRemoteCluster

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel added in v1.0.0

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteRole

func (c *Client) DeleteRole(name string) error

DeleteRole deletes role by name

func (*Client) DeleteSAMLConnector

func (c *Client) DeleteSAMLConnector(connectorID string) error

DeleteSAMLConnector deletes SAML connector by ID

func (*Client) DeleteSession

func (c *Client) DeleteSession(namespace, id string) error

DeleteSession deletes a session by ID

func (*Client) DeleteToken added in v1.0.0

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token

func (*Client) DeleteTrustedCluster

func (c *Client) DeleteTrustedCluster(name string) error

func (*Client) DeleteTunnelConnection

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteUser

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent added in v1.0.0

func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)

func (*Client) ExtendWebSession added in v1.0.0

func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateServerKeys

func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

RenewCredentials returns a new set of credentials associated with the server with the same privileges

func (*Client) GenerateToken

func (c *Client) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

If token is not supplied, it will be auto generated and returned. If TTL is not supplied, token will be valid until removed.

func (*Client) GenerateUserCert

func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAllTunnelConnections

func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAuthPreference

func (c *Client) GetAuthPreference() (services.AuthPreference, error)

func (*Client) GetAuthServers added in v1.0.0

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetClusterCACert

func (c *Client) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*Client) GetClusterConfig

func (c *Client) GetClusterConfig() (services.ClusterConfig, error)

GetClusterConfig returns cluster level configuration information.

func (*Client) GetClusterName

func (c *Client) GetClusterName() (services.ClusterName, error)

func (*Client) GetDomainName added in v1.2.6

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetGithubConnector

func (c *Client) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

GetGithubConnector returns the specified Github connector

func (*Client) GetGithubConnectors

func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

GetGithubConnectors returns all configured Github connectors

func (*Client) GetLocalClusterName

func (c *Client) GetLocalClusterName() (string, error)

GetLocalClusterName returns local cluster name

func (*Client) GetNamespace

func (c *Client) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces

func (c *Client) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetNodes added in v1.0.0

func (c *Client) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector added in v1.0.0

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

GetOIDCConnector returns OIDC connector information by id

func (*Client) GetOIDCConnectors added in v1.0.0

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

GetOIDCConnector gets OIDC connectors list

func (*Client) GetProxies added in v1.0.0

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetRemoteCluster

func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters

func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetReverseTunnel

func (c *Client) GetReverseTunnel(name string) (services.ReverseTunnel, error)

GetReverseTunnel returns reverse tunnel by name

func (*Client) GetReverseTunnels added in v1.0.0

func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetRole

func (c *Client) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*Client) GetRoles

func (c *Client) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*Client) GetSAMLConnector

func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

GetOIDCConnector returns SAML connector information by id

func (*Client) GetSAMLConnectors

func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

GetSAMLConnectors gets SAML connectors list

func (*Client) GetSession

func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk added in v1.0.0

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents added in v1.0.0

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions

func (c *Client) GetSessions(namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData

func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetSignupU2FRegisterRequest added in v1.3.0

func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite tokenx

func (*Client) GetStaticTokens

func (c *Client) GetStaticTokens() (services.StaticTokens, error)

func (*Client) GetToken

func (c *Client) GetToken(token string) (*services.ProvisionToken, error)

GetToken returns provisioning token

func (*Client) GetTokens added in v1.0.0

func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport added in v1.0.0

func (c *Client) GetTransport() *http.Transport

func (*Client) GetTrustedCluster

func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*Client) GetTrustedClusters

func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*Client) GetTunnelConnections

func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetU2FAppID added in v1.3.0

func (c *Client) GetU2FAppID() (string, error)

GetU2FAppID returns U2F settings, like App ID and Facets

func (*Client) GetU2FSignRequest added in v1.3.0

func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

GetU2FSignRequest generates request for user trying to authenticate with U2F token

func (*Client) GetUser added in v1.0.0

func (c *Client) GetUser(name string) (services.User, error)

GetUser returns a list of usernames registered in the system

func (*Client) GetUserLoginAttempts

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetUsers

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0

func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) PostForm

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionSlice

func (c *Client) PostSessionSlice(slice events.SessionSlice) error

PostSessionSlice allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) ProcessKubeCSR

func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessfull.

func (*Client) PutJSON added in v1.0.0

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer

func (c *Client) RegisterNewAuthServer(token string) error

RegisterNewAuthServer is used to register new auth server with token

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) RotateCertAuthority

func (c *Client) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*Client) RotateExternalCertAuthority

func (c *Client) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is used to update only public keys and certificates of the the certificate authorities of trusted clusters.

func (*Client) SearchEvents added in v1.0.0

func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SearchSessionEvents

func (c *Client) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetAuthPreference

func (c *Client) SetAuthPreference(cap services.AuthPreference) error

func (*Client) SetClusterConfig

func (c *Client) SetClusterConfig(cc services.ClusterConfig) error

SetClusterConfig sets cluster level configuration information.

func (*Client) SetClusterName

func (c *Client) SetClusterName(cn services.ClusterName) error

func (*Client) SetStaticTokens

func (c *Client) SetStaticTokens(st services.StaticTokens) error

func (*Client) TLSConfig

func (c *Client) TLSConfig() *tls.Config

TLSConfig returns TLS config used by the client, could return nil if the client is not using TLS

func (*Client) UpdateSession added in v1.0.0

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UploadSessionRecording

func (c *Client) UploadSessionRecording(r events.SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*Client) UpsertAuthServer added in v1.0.0

func (c *Client) UpsertAuthServer(s services.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0

func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertGithubConnector

func (c *Client) UpsertGithubConnector(connector services.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector

func (*Client) UpsertLocalClusterName

func (c *Client) UpsertLocalClusterName(string) error

UpsertLocalClusterName upserts local cluster name

func (*Client) UpsertNamespace

func (c *Client) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertNode added in v1.0.0

func (c *Client) UpsertNode(s services.Server) error

UpsertNode is used by SSH servers to reprt their presence to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertNodes

func (c *Client) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk inserts nodes.

func (*Client) UpsertOIDCConnector added in v1.0.0

func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error

UpsertOIDCConnector updates or creates OIDC connector

func (*Client) UpsertPassword

func (c *Client) UpsertPassword(user string, password []byte) error

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0

func (c *Client) UpsertProxy(s services.Server) error

UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertRole

func (c *Client) UpsertRole(role services.Role, ttl time.Duration) error

UpsertRole creates or updates role

func (*Client) UpsertSAMLConnector

func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error

UpsertSAMLConnector updates or creates OIDC connector

func (*Client) UpsertTrustedCluster

func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

func (*Client) UpsertTunnelConnection

func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser added in v1.0.0

func (c *Client) UpsertUser(user services.User) error

UpsertUser user updates or inserts user entry

func (*Client) ValidateGithubAuthCallback

func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback added in v1.0.0

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse

func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster

func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*Client) WaitForDelivery

func (c *Client) WaitForDelivery(context.Context) error

type ClientI

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	services.Presence
	services.Access
	WebService
	session.Service
	services.ClusterConfiguration

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(req RotateRequest) error

	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of the
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ca services.CertAuthority) error

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successfull, main cluster
	// adds remote cluster
	ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName() (string, error)

	// GetClusterCACert returns the CAs for the local cluster without signing keys.
	GetClusterCACert() (*LocalCAResponse, error)

	// GenerateServerKeys generates new host private keys and certificates (signed
	// by the host certificate authority) for a node
	GenerateServerKeys(GenerateServerKeysRequest) (*PackedKeys, error)
	// AuthenticateWebUser authenticates web user, creates and  returns web session
	// in case if authentication is successfull
	AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
	// short lived certificates as a result
	AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if sucessfull.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
}

ClientI is a client to Auth service

func NewAdminAuthServer

func NewAdminAuthServer(authServer *AuthServer, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access

type DialContext

type DialContext func(in context.Context, network, addr string) (net.Conn, error)

DialContext is a function that dials to the specified address

func NewAddrDialer

func NewAddrDialer(addrs []utils.NetAddr) DialContext

NewAddrDialer returns new dialer from a list of addresses

type Dialer added in v1.0.0

type Dialer func(network, addr string) (net.Conn, error)

type FakeSSHConnection added in v1.0.0

type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

FakeSSHConnection implements net.Conn interface on top of the ssh.Cnahhel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection

func (*FakeSSHConnection) Close added in v1.0.0

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr added in v1.0.0

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read added in v1.0.0

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr added in v1.0.0

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write added in v1.0.0

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type GenerateServerKeysRequest

type GenerateServerKeysRequest struct {
	// HostID is a unique ID of the host
	HostID string `json:"host_id"`
	// NodeName is a user friendly host name
	NodeName string `json:"node_name"`
	// Roles is a list of roles assigned to node
	Roles teleport.Roles `json:"roles"`
	// AdditionalPrincipals is a list of additional principals
	// to include in OpenSSH and X509 certificates
	AdditionalPrincipals []string `json:"additional_principals"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
}

GenerateServerKeysRequest is a request to generate server keys

func (*GenerateServerKeysRequest) CheckAndSetDefaults

func (req *GenerateServerKeysRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GenerateTokenRequest

type GenerateTokenRequest struct {
	// Token if provided sets the token value, otherwise will be auto generated
	Token string `json:"token"`
	// Roles is a list of roles this token authenticates as
	Roles teleport.Roles `json:"roles"`
	// TTL is a time to live for token
	TTL time.Duration `json:"ttl"`
}

GenerateTokenRequest is a request to generate auth token

func (*GenerateTokenRequest) CheckAndSetDefaults

func (req *GenerateTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of request

type GetClusterConfigFunc

type GetClusterConfigFunc func() (services.ClusterConfig, error)

GetClusterConfigFunc returns a cached services.ClusterConfig.

type GithubAuthResponse

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity services.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session services.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req services.GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents Github auth callback validation response

type HandlerWithAuthFunc

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type Identity added in v1.0.0

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is collection of certificates and signers that represent server identity

func GenerateIdentity

func GenerateIdentity(a *AuthServer, id IdentityID, additionalPrincipals []string) (*Identity, error)

GenerateIdentity generates identity for the auth server

func LocalRegister added in v1.0.0

func LocalRegister(id IdentityID, authServer *AuthServer, additionalPrincipals []string) (*Identity, error)

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.

func NewServerIdentity

func NewServerIdentity(clt *AuthServer, hostID string, role teleport.Role) (*Identity, error)

NewServerIdentity generates new server identity, used in tests

func ReRegister

func ReRegister(params ReRegisterParams) (*Identity, error)

ReRegister renews the certificates and private keys based on the client's existing identity.

func ReadIdentityFromKeyPair added in v1.0.0

func ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes []byte, tlsCACertsBytes [][]byte) (*Identity, error)

ReadIdentityFromKeyPair reads TLS identity from key pair

func ReadLocalIdentity

func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)

ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadSSHIdentityFromKeyPair

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads identity from initialized keypair

func ReadTLSIdentityFromKeyPair

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads TLS identity from key pair

func Register

func Register(params RegisterParams) (*Identity, error)

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.

func (*Identity) HasPrincipals

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether identity has principals

func (*Identity) HasTLSConfig

func (i *Identity) HasTLSConfig() bool

HasTSLConfig returns true if this identity has TLS certificate and private key

func (*Identity) String

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns TLS config for mutual TLS authentication can return NotFound error if there are no TLS credentials setup for identity

type IdentityID added in v1.0.0

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals added in v1.0.0

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) HostID

func (id *IdentityID) HostID() (string, error)

HostID is host ID part of the host UUID that consists cluster name

func (*IdentityID) String added in v1.0.0

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService

type IdentityService interface {
	// UpsertPassword updates web access password for the user
	UpsertPassword(user string, password []byte) error

	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(connector services.OIDCConnector) error

	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

	// GetOIDCConnector gets OIDC connectors list
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(connectorID string) error

	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

	// CreateSAMLConnector creates SAML connector
	CreateSAMLConnector(connector services.SAMLConnector) error

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(connector services.SAMLConnector) error

	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

	// GetSAMLConnector gets SAML connectors list
	GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(connectorID string) error

	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

	// CreateGithubConnector creates a new Github connector
	CreateGithubConnector(connector services.GithubConnector) error
	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(connector services.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(services.GithubAuthRequest) (*services.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

	// GetU2FSignRequest generates request for user trying to authenticate with U2F token
	GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

	// GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token
	GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error)

	// CreateUserWithU2FToken creates user account with provided token and U2F sign response
	CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

	// GetUser returns user by name
	GetUser(name string) (services.User, error)

	// UpsertUser user updates or inserts user entry
	UpsertUser(user services.User) error

	// DeleteUser deletes a user by username
	DeleteUser(user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers() ([]services.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the suplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// CreateUserWithOTP creates account with provided token and password.
	// Account username and OTP key are taken from token data.
	// Deletes token after account creation.
	CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

	// CreateUserWithoutOTP validates a given token creates a user
	// with the given password and deletes the token afterwards.
	CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(GenerateTokenRequest) (string, error)

	// GenerateKeyPair generates SSH private/public key pair optionally protected
	// by password. If the pass parameter is an empty string, the key pair
	// is not password-protected.
	GenerateKeyPair(pass string) ([]byte, []byte, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCert takes the public key in the OpenSSH `authorized_keys`
	// plain text format, signs it using User Certificate Authority signing key and returns the
	// resulting certificate.
	GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

	// GetSignupTokenData returns token data for a valid token
	GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

	// CreateSignupToken creates one time token for creating account for the user
	// For each token it creates username and OTP key
	CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)
}

IdentityService manages identities and users

type IdentitySpecV2

type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACert is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
}

IdentitySpecV2 specifies credentials used by local process.

type IdentityV2

type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}

IdentityV2 specifies local host identity.

func (*IdentityV2) CheckAndSetDefaults

func (s *IdentityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type InitConfig

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName services.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and hearbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Roles is a set of roles to create
	Roles []services.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//StaticTokens []services.ProvisionToken
	StaticTokens services.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor (off, otp, u2f) passed in from a configuration file.
	AuthPreference services.AuthPreference

	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog

	// ClusterConfig holds cluster level configuration.
	ClusterConfig services.ClusterConfig

	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodc operations.
	SkipPeriodicOperations bool

	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16

	// KubeconfigPath is an optional path to kubernetes config file
	KubeconfigPath string
}

InitConfig is auth server init config

type KubeCSR

type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}

KubeCSR is a kubernetes CSR request

func (*KubeCSR) CheckAndSetDefaults

func (a *KubeCSR) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type KubeCSRResponse

type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}

KubeCSRREsponse is a response to kubernetes CSR request

type LocalCAResponse

type LocalCAResponse struct {
	// TLSCA is the PEM-encoded TLS certificate authority.
	TLSCA []byte `json:"tls_ca"`
}

LocalCAResponse contains PEM-encoded local CAs.

type LocalUser

type LocalUser struct {
	// Username is local username
	Username string
}

LocalUsername is a local username

type OIDCAuthResponse added in v1.0.0

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a two factor authencication credentials

type PackedKeys

type PackedKeys struct {
	// Key is a private key
	Key []byte `json:"key"`
	// Cert is an SSH host cert
	Cert []byte `json:"cert"`
	// TLSCert is an X509 certificate
	TLSCert []byte `json:"tls_cert"`
	// TLSCACerts is a list of certificate authorities
	TLSCACerts [][]byte `json:"tls_ca_certs"`
}

PackedKeys is a collection of private key, SSH host certificate and TLS certificate and certificate authority issued the certificate

type PassCreds

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type Plugin

type Plugin interface {
	// AddHandlers adds handlers to the auth API server
	AddHandlers(srv *APIServer)
}

Plugin is auth API server extension setter

func GetPlugin

func GetPlugin() Plugin

GetPlugin returns auth API server plugin that allows injecting handlers

type ProcessStorage

type ProcessStorage struct {
	// contains filtered or unexported fields
}

ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.

func NewProcessStorage

func NewProcessStorage(path string) (*ProcessStorage, error)

NewProcessStorage returns a new instance of the process storage.

func (*ProcessStorage) Close

func (p *ProcessStorage) Close() error

Close closes all resources used by process storage backend.

func (*ProcessStorage) CreateState

func (p *ProcessStorage) CreateState(role teleport.Role, state StateV2) error

CreateState creates process state if it does not exist yet.

func (*ProcessStorage) GetState

func (p *ProcessStorage) GetState(role teleport.Role) (*StateV2, error)

GetState reads rotation state from disk.

func (*ProcessStorage) ReadIdentity

func (p *ProcessStorage) ReadIdentity(name string, role teleport.Role) (*Identity, error)

ReadIdentity reads identity using identity name and role.

func (*ProcessStorage) WriteIdentity

func (p *ProcessStorage) WriteIdentity(name string, id Identity) error

WriteIdentity writes identity to the backend.

func (*ProcessStorage) WriteState

func (p *ProcessStorage) WriteState(role teleport.Role, state StateV2) error

WriteState writes local cluster state to the backend.

type ProvisioningService

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens() (tokens []services.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(token string) (*services.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a user token or a machine token
	DeleteToken(token string) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

	// RegisterNewAuthServer is used to register new auth server with token
	RegisterNewAuthServer(token string) error
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type ReRegisterParams

type ReRegisterParams struct {
	// Client is an authenticated client using old credentials
	Client ClientI
	// ID is identity ID
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
}

ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)

type RegisterParams

type RegisterParams struct {
	// DataDir is the data directory
	// storing CA certificate
	DataDir string
	// Token is a secure token to join the cluster
	Token string
	// ID is identity ID
	ID IdentityID
	// Servers is a list of auth servers to dial
	Servers []utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for TLS client connection
	CipherSuites []uint16
	// CAPin is the SKPI hash of the CA used to verify the Auth Server.
	CAPin string
	// CAPath is the path to the CA file.
	CAPath string
}

RegisterParams specifies parameters for first time register operation with auth server

type RegisterUsingTokenRequest

type RegisterUsingTokenRequest struct {
	// HostID is a unique host ID, usually a UUID
	HostID string `json:"hostID"`
	// NodeName is a node name
	NodeName string `json:"node_name"`
	// Role is a system role, e.g. Proxy
	Role teleport.Role `json:"role"`
	// Token is an authentication token
	Token string `json:"token"`
	// AdditionalPrincipals is a list of additional principals
	AdditionalPrincipals []string `json:"additional_principals"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
}

RegisterUsingTokenRequest is a request to register with auth server using authentication token

func (*RegisterUsingTokenRequest) CheckAndSetDefaults

func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks for errors and sets defaults

type RemoteBuiltinRole

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster.
	ClusterName string
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

type RemoteBuiltinRoleSet

type RemoteBuiltinRoleSet struct {
	services.RoleSet
}

BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is a remote builtin or not.

type RemoteUser

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`
}

RemoteUser defines encoded remote user.

type RotateRequest

type RotateRequest struct {
	// Type is a certificate authority type, if omitted, both user and host CA
	// will be rotated.
	Type services.CertAuthType `json:"type"`
	// GracePeriod is used to generate cert rotation schedule that defines
	// times at which different rotation phases will be applied by the auth server
	// in auto mode. It is not used in manual rotation mode.
	// If omitted, default value is set, if 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period,
	// all existing users and hosts will have to re-login and re-added
	// into the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets desired rotation phase to move to, if not set
	// will be set automatically, it is a required argument
	// for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule,
	// autogenerated based on GracePeriod parameter if not set.
	Schedule *services.RotationSchedule `json:"schedule"`
}

RotateRequest is a request to start rotation of the certificate authority.

func (*RotateRequest) CheckAndSetDefaults

func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values.

func (*RotateRequest) Types

func (r *RotateRequest) Types() []services.CertAuthType

Types returns cert authority types requested to be rotated.

type SAMLAuthResponse

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in SAMLAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req services.SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider

type SSHLoginResponse

type SSHLoginResponse struct {
	// User contains a logged in user informationn
	Username string `json:"username"`
	// Cert is a PEM encoded  signed certificate
	Cert []byte `json:"cert"`
	// TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

type SessionCreds

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds is a web session credentials

type StateSpecV2

type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation services.Rotation `json:"rotation"`
}

StateSpecV2 is a state spec.

type StateV2

type StateV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}

StateV2 is a local process state.

func (*StateV2) CheckAndSetDefaults

func (s *StateV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type TLSServer

type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
}

TLSServer is TLS auth server

func NewTLSServer

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) GetConfigForClient

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve

func (t *TLSServer) Serve(listener net.Listener) error

Serve takes TCP listener, upgrades to TLS using config and starts serving

type TLSServerConfig

type TLSServerConfig struct {
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is caching access point
	AccessPoint AccessPoint
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *AuthServer
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionLogger is a session logger
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
}

TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key

func NewTestAuthServer

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns new instances of Auth server

func (*TestAuthServer) Clock

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestAuthServer) GenerateUserCert

func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*TestAuthServer) NewCertificate

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by test auth server

func (*TestAuthServer) NewRemoteClient

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates new client to the remote server using identity generated for this certificate authority

func (*TestAuthServer) NewTestTLSServer

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server

func (*TestAuthServer) Trust

func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error

Trust adds other server host certificate authority as trusted

type TestAuthServerConfig

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
}

TestAuthServerConfig is auth server test config

func (*TestAuthServerConfig) CheckAndSetDefaults

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestIdentity

type TestIdentity struct {
	I             interface{}
	TTL           time.Duration
	AcceptedUsage []string
}

TestIdentity is test identity spec used to generate identities in tests

func TestAdmin

func TestAdmin() TestIdentity

TestAdmin returns TestIdentity for admin user

func TestBuiltin

func TestBuiltin(role teleport.Role) TestIdentity

TestBuiltin returns TestIdentity for builtin user

func TestNop

func TestNop() TestIdentity

TestNop returns "Nop" - unauthenticated identity

func TestUser

func TestUser(username string) TestIdentity

TestUser returns TestIdentity for local user

type TestTLSServer

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port

func (*TestTLSServer) Addr

func (t *TestTLSServer) Addr() net.Addr

Addr returns address of TLS server

func (*TestTLSServer) Auth

func (t *TestTLSServer) Auth() *AuthServer

Auth returns auth server used by this TLS server

func (*TestTLSServer) CertPool

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns cert pool that auth server represents

func (*TestTLSServer) ClientTLSConfig

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns client TLS config based on the identity

func (*TestTLSServer) Clock

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestTLSServer) CloneClient

func (t *TestTLSServer) CloneClient(clt *Client) *Client

CloneClient uses the same credentials as the passed client but forces the client to be recreated

func (*TestTLSServer) Close

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName

func (t *TestTLSServer) ClusterName() string

ClusterName returns name of test TLS server cluster

func (*TestTLSServer) NewClient

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns new client to test server authenticated with identity

func (*TestTLSServer) NewClientFromWebSession

func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)

NewClientFromWebSession returns new authenticated client from web session

func (*TestTLSServer) Start

func (t *TestTLSServer) Start() error

Start starts TLS server on loopback address on the first lisenting socket

func (*TestTLSServer) Stop

func (t *TestTLSServer) Stop() error

Stop stops listening server, but does not close the auth backend

type TestTLSServerConfig

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.LimiterConfig
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}

TestTLSServerConfig is a configuration for test TLS server

func (*TestTLSServerConfig) CheckAndSetDefaults

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authoritiy
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

func AuthoritiesToTrustedCerts

func AuthoritiesToTrustedCerts(authorities []services.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure

func (*TrustedCerts) SSHCertPublicKeys

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys

type U2FSignResponseCreds

type U2FSignResponseCreds struct {
	// SignResponse is a U2F sign resposne
	SignResponse u2f.SignResponse `json:"sign_response"`
}

U2FSignResponseCreds is a U2F signature sent by U2F device

type ValidateTrustedClusterRequest

type ValidateTrustedClusterRequest struct {
	Token string                   `json:"token"`
	CAs   []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequest) ToRaw

type ValidateTrustedClusterRequestRaw

type ValidateTrustedClusterRequestRaw struct {
	Token string   `json:"token"`
	CAs   [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative

type ValidateTrustedClusterResponse

type ValidateTrustedClusterResponse struct {
	CAs []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw

type ValidateTrustedClusterResponseRaw

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative

type WebService

type WebService interface {
	// GetWebSessionInfo checks if a web sesion is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(user string, sid string) (services.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(user string) (services.WebSession, error)
	// DeleteWebSession deletes a web session for this user by id
	DeleteWebSession(user string, sid string) error
}

WebService implements features used by Web UI clients

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL