Documentation ¶
Overview ¶
Package auth implements certificate signing authority and access control server Authority server is composed of several parts:
* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
Package auth implements certificate signing authority and access control server Authority server is composed of several parts:
* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
Index ¶
- Constants
- Variables
- func HaveHostKeys(dataDir string, id IdentityID) (bool, error)
- func Init(cfg InitConfig) (*AuthServer, *Identity, error)
- func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error
- func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)
- func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)
- func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)
- func NewWebPasswordAuth(user string, password []byte, hotpToken string) ([]ssh.AuthMethod, error)
- func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)
- func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error
- func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error
- func RetryingClient(client limitedClient, retries int) *retryingClient
- func WriteIdentity(dataDir string, identity *Identity) error
- type APIConfig
- type APIServer
- type APIWithRoles
- type AccessPoint
- type AccessPointDialer
- type AgentCloser
- type AuthServer
- func (a *AuthServer) Close() error
- func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (s *AuthServer) CreateSignupToken(user services.User) (string, error)
- func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) (*Session, error)
- func (s *AuthServer) CreateWebSession(user string) (*Session, error)
- func (s *AuthServer) DeleteToken(outputToken string) error
- func (s *AuthServer) DeleteWebSession(user string, id string) error
- func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (*Session, error)
- func (s *AuthServer) GenerateHostCert(key []byte, hostID, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)
- func (s *AuthServer) GenerateServerKeys(hostID string, role teleport.Role) (*PackedKeys, error)
- func (s *AuthServer) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)
- func (s *AuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration) ([]byte, error)
- func (a *AuthServer) GetLocalDomain() (string, error)
- func (s *AuthServer) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
- func (s *AuthServer) GetWebSession(userName string, id string) (*Session, error)
- func (s *AuthServer) GetWebSessionInfo(userName string, id string) (*Session, error)
- func (s *AuthServer) NewWebSession(userName string) (*Session, error)
- func (s *AuthServer) RegisterNewAuthServer(outputToken string) error
- func (s *AuthServer) RegisterUsingToken(outputToken, hostID string, role teleport.Role) (*PackedKeys, error)
- func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)
- func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error
- func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error)
- func (s *AuthServer) ValidateToken(token string) (role string, e error)
- type AuthServerOption
- type AuthTunnel
- type AuthWithRoles
- func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error
- func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (a *AuthWithRoles) CreateSession(s session.Session) error
- func (a *AuthWithRoles) CreateSignupToken(user services.User) (token string, e error)
- func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error)
- func (a *AuthWithRoles) CreateWebSession(user string) (*Session, error)
- func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
- func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
- func (a *AuthWithRoles) DeleteUser(user string) error
- func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
- func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (*Session, error)
- func (a *AuthWithRoles) GenerateHostCert(key []byte, hostname, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)
- func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (a *AuthWithRoles) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)
- func (a *AuthWithRoles) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)
- func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
- func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)
- func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error)
- func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
- func (a *AuthWithRoles) GetEvents(filter events.Filter) ([]lunk.Entry, error)
- func (a *AuthWithRoles) GetLocalDomain() (string, error)
- func (a *AuthWithRoles) GetNodes() ([]services.Server, error)
- func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)
- func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
- func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (a *AuthWithRoles) GetSession(id session.ID) (*session.Session, error)
- func (a *AuthWithRoles) GetSessionEvents(filter events.Filter) ([]session.Session, error)
- func (a *AuthWithRoles) GetSessions() ([]session.Session, error)
- func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
- func (a *AuthWithRoles) GetUser(name string) (services.User, error)
- func (a *AuthWithRoles) GetUsers() ([]services.User, error)
- func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error)
- func (a *AuthWithRoles) Log(id lunk.EventID, e lunk.Event)
- func (a *AuthWithRoles) LogEntry(en lunk.Entry) error
- func (a *AuthWithRoles) LogSession(sess session.Session) error
- func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
- func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)
- func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)
- func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
- func (a *AuthWithRoles) UpsertAuthServer(s services.Server, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertNode(s services.Server, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertParty(id session.ID, p session.Party, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
- func (a *AuthWithRoles) UpsertProxy(s services.Server, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertUser(u services.User) error
- func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error)
- type Authority
- type Client
- func (c *Client) CheckPassword(user string, password []byte, hotpToken string) error
- func (c *Client) Close() error
- func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (c *Client) CreateSession(sess session.Session) error
- func (c *Client) CreateSignupToken(user services.User) (string, error)
- func (c *Client) CreateUserWithToken(token, password, hotpToken string) (*Session, error)
- func (c *Client) CreateWebSession(user string) (*Session, error)
- func (c *Client) Delete(u string) (*roundtrip.Response, error)
- func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
- func (c *Client) DeleteOIDCConnector(connectorID string) error
- func (c *Client) DeleteReverseTunnel(domainName string) error
- func (c *Client) DeleteSession(id string) error
- func (c *Client) DeleteUser(user string) error
- func (c *Client) DeleteWebSession(user string, sid string) error
- func (c *Client) ExtendWebSession(user string, prevSessionID string) (*Session, error)
- func (c *Client) GenerateHostCert(key []byte, hostname, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)
- func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (c *Client) GenerateToken(role teleport.Role, ttl time.Duration) (string, error)
- func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)
- func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)
- func (c *Client) GetAuthServers() ([]services.Server, error)
- func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)
- func (c *Client) GetChunkReader(id string) (recorder.ChunkReadCloser, error)
- func (c *Client) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
- func (c *Client) GetEvents(filter events.Filter) ([]lunk.Entry, error)
- func (c *Client) GetLocalDomain() (string, error)
- func (c *Client) GetNodes() ([]services.Server, error)
- func (c *Client) GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)
- func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (c *Client) GetProxies() ([]services.Server, error)
- func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (c *Client) GetSession(id session.ID) (*session.Session, error)
- func (c *Client) GetSessionEvents(filter events.Filter) ([]session.Session, error)
- func (c *Client) GetSessions() ([]session.Session, error)
- func (c *Client) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
- func (c *Client) GetUser(name string) (services.User, error)
- func (c *Client) GetUsers() ([]services.User, error)
- func (c *Client) GetWebSessionInfo(user string, sid string) (*Session, error)
- func (c *Client) Log(id lunk.EventID, e lunk.Event)
- func (c *Client) LogEntry(en lunk.Entry) error
- func (c *Client) LogSession(sess session.Session) error
- func (c *Client) PostForm(endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
- func (c *Client) PostJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) PutJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) RegisterNewAuthServer(token string) error
- func (c *Client) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)
- func (c *Client) SignIn(user string, password []byte) (*Session, error)
- func (c *Client) UpdateSession(req session.UpdateRequest) error
- func (c *Client) UpsertAuthServer(s services.Server, ttl time.Duration) error
- func (c *Client) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error
- func (c *Client) UpsertNode(s services.Server, ttl time.Duration) error
- func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error
- func (c *Client) UpsertParty(id session.ID, p session.Party, ttl time.Duration) error
- func (c *Client) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
- func (c *Client) UpsertProxy(s services.Server, ttl time.Duration) error
- func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel, ttl time.Duration) error
- func (c *Client) UpsertUser(user services.User) error
- func (c *Client) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error)
- type ClientI
- type Config
- type FakeSSHConnection
- func (conn *FakeSSHConnection) Close() error
- func (conn *FakeSSHConnection) LocalAddr() net.Addr
- func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)
- func (conn *FakeSSHConnection) RemoteAddr() net.Addr
- func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
- func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)
- type Identity
- type IdentityID
- type InitConfig
- type OIDCAuthResponse
- type PackedKeys
- type PermissionChecker
- type ServerOption
- type Session
- type TunClient
- type TunClientOption
Constants ¶
const ( // WebSessionTTL specifies standard web session time to live WebSessionTTL = 10 * time.Minute // TokenLenBytes is len in bytes of the invite token TokenLenBytes = 16 // WebSessionTokenLenBytes specifies len in bytes of the // web session random token WebSessionTokenLenBytes = 32 )
const ( ActionGetSessions = "GetSessions" ActionGetSession = "GetSession" ActionDeleteSession = "DeleteSession" ActionUpsertSession = "UpsertSession" ActionUpsertParty = "UpsertParty" ActionUpsertCertAuthority = "UpsertCertAuthority" ActionGetCertAuthorities = "GetCertAuthorities" ActionGetCertAuthoritiesWithSigningKeys = "GetCertAuthoritiesWithSigningKeys" ActionGetLocalDomain = "GetLocalDomain" ActionDeleteCertAuthority = "DeleteCertAuthority" ActionGenerateToken = "GenerateToken" ActionRegisterUsingToken = "RegisterUsingToken" ActionRegisterNewAuthServer = "RegisterNewAuthServer" ActionLog = "Log" ActionLogEntry = "LogEntry" ActionGetEvents = "GetEvents" ActionGetChunkWriter = "GetChunkWriter" ActionGetChunkReader = "GetChunkReader" ActionUpsertServer = "UpsertServer" ActionGetServers = "GetServers" ActionUpsertAuthServer = "UpsertAuthServer" ActionGetAuthServers = "GetAuthServers" ActionUpsertProxy = "UpsertProxy" ActionGetProxies = "GetProxies" ActionUpsertReverseTunnel = "UpsertReverseTunnel" ActionGetReverseTunnels = "GetReverseTunnels" ActionDeleteReverseTunnel = "DeleteReverseTunnel" ActionUpsertPassword = "UpsertPassword" ActionCheckPassword = "CheckPassword" ActionSignIn = "SignIn" ActionExtendWebSession = "ExtendWebSession" ActionCreateWebSession = "CreateWebSession" ActionGetWebSession = "GetWebSession" ActionDeleteWebSession = "DeleteWebSession" ActionGetUsers = "GetUsers" ActionGetUser = "GetUser" ActionDeleteUser = "DeleteUser" ActionUpsertUserKey = "UpsertUserKey" ActionGetUserKeys = "GetUserKeys" ActionDeleteUserKey = "DeleteUserKey" ActionGenerateKeyPair = "GenerateKeyPair" ActionGenerateHostCert = "GenerateHostCert" ActionGenerateUserCert = "GenerateUserCert" ActionResetHostCertificateAuthority = "ResetHostCertificateAuthority" ActionResetUserCertificateAuthority = "ResetUserCertificateAuthority" ActionGenerateSealKey = "GenerateSealKey" ActionGetSealKeys = "GetSeakKeys" ActionGetSealKey = "GetSealKey" ActionDeleteSealKey = "DeleteSealKey" ActionAddSealKey = "AddSealKey" ActionCreateSignupToken = "CreateSignupToken" ActionGetSignupTokenData = "GetSignupTokenData" ActionCreateUserWithToken = "CreateUserWithToken" ActionUpsertUser = "UpsertUser" ActionUpsertOIDCConnector = "UpsertOIDCConnector" ActionDeleteOIDCConnector = "DeleteOIDCConnector" ActionGetOIDCConnectorWithSecrets = "GetOIDCConnectorWithSecrets" ActionGetOIDCConnectorWithoutSecrets = "GetOIDCConnectorWithoutSecrets" ActionGetOIDCConnectorsWithSecrets = "GetOIDCConnectorsWithSecrets" ActionGetOIDCConnectorsWithoutSecrets = "GetOIDCConnectorsWithoutSecrets" ActionCreateOIDCAuthRequest = "CreateOIDCAuthRequest" ActionValidateOIDCAuthCallback = "ValidateOIDCAuthCallback" )
const ( // DialerRetryAttempts is the amount of attempts for dialer to try and // connect to the remote destination DialerRetryAttempts = 3 // DialerPeriodBetweenAttempts is the period between retry attempts DialerPeriodBetweenAttempts = time.Second )
const ( ReqWebSessionAgent = "web-session-agent@teleport" ReqProvision = "provision@teleport" ReqDirectTCPIP = "direct-tcpip" ReqNewAuth = "new-auth@teleport" ExtWebSession = "web-session@teleport" ExtWebPassword = "web-password@teleport" ExtToken = "provision@teleport" ExtHost = "host@teleport" ExtRole = "role@teleport" AuthWebPassword = "password" AuthWebSession = "session" AuthToken = "provision-token" AuthSignupToken = "signup-token" )
const CurrentVersion = "v1"
CurrentVersion is a current API version
Variables ¶
Functions ¶
func HaveHostKeys ¶ added in v1.0.0
func HaveHostKeys(dataDir string, id IdentityID) (bool, error)
HaveHostKeys checks either the host keys are in place
func Init ¶
func Init(cfg InitConfig) (*AuthServer, *Identity, error)
Init instantiates and configures an instance of AuthServer
func LocalRegister ¶ added in v1.0.0
func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error
LocalRegister is used in standalone mode to register roles without connecting to remote clients and provisioning tokens
func NewHostAuth ¶
func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)
func NewSignupTokenAuth ¶
func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)
func NewTokenAuth ¶
func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)
func NewWebPasswordAuth ¶
func NewWebSessionAuth ¶
func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)
func Register ¶
func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error
Register is used by auth service clients (other services, like proxy or SSH) when a new node joins the cluster
func RegisterNewAuth ¶
func RetryingClient ¶ added in v1.0.0
func RetryingClient(client limitedClient, retries int) *retryingClient
func WriteIdentity ¶ added in v1.0.0
WriteIdentity writes identity keypair to disk
Types ¶
type APIConfig ¶ added in v1.0.0
type APIConfig struct { AuthServer *AuthServer EventLog events.Log SessionService session.Service Recorder recorder.Recorder Roles []teleport.Role PermissionChecker PermissionChecker }
APIConfig is a configuration file
type APIServer ¶
type APIServer struct { httprouter.Router // contains filtered or unexported fields }
APIServer implements http API server for AuthServer interface
func NewAPIServer ¶
func NewAPIServer(a *AuthWithRoles) *APIServer
NewAPIServer returns a new instance of APIServer HTTP handler
type APIWithRoles ¶
type APIWithRoles struct {
// contains filtered or unexported fields
}
func NewAPIWithRoles ¶
func NewAPIWithRoles(config APIConfig) *APIWithRoles
func (*APIWithRoles) Close ¶
func (api *APIWithRoles) Close()
func (*APIWithRoles) HandleNewChannel ¶
func (api *APIWithRoles) HandleNewChannel(remoteAddr net.Addr, channel ssh.Channel, role teleport.Role) error
HandleNewChannel is called when a new SSH channel (SSH connection) wants to communicate via HTTP API to one of the API servers
func (*APIWithRoles) Serve ¶
func (api *APIWithRoles) Serve()
type AccessPoint ¶
type AccessPoint interface { // GetLocalDomain returns domain name of the local authority server GetLocalDomain() (string, error) // GetServers returns a list of registered servers GetNodes() ([]services.Server, error) // UpsertServer registers server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertNode(s services.Server, ttl time.Duration) error // UpsertProxy registers server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(s services.Server, ttl time.Duration) error // GetProxies returns a list of proxy servers registered in the cluster GetProxies() ([]services.Server, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error) // GetUsers returns a list of local users registered with this domain GetUsers() ([]services.User, error) // GetEvents returns a list of events that GetEvents(filter events.Filter) ([]lunk.Entry, error) }
AccessPoint is a interface needed by nodes to control the access to the node, and provide heartbeats
type AccessPointDialer ¶
AccessPointDialer dials to auth access point remote HTTP api
type AuthServer ¶
type AuthServer struct { Authority // DomainName stores the FQDN of the signing CA (its certificate will have this // name embedded). It is usually set to the GUID of the host the Auth service runs on DomainName string // AuthServiceName is a human-readable name of this CA. If several Auth services are running // (managing multiple teleport clusters) this field is used to tell them apart in UIs // It usually defaults to the hostname of the machine the Auth service runs on. AuthServiceName string services.Trust services.Lock services.Presence services.Provisioner services.Identity // contains filtered or unexported fields }
AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:
- generates the keypair for the node it's running on
- invites other SSH nodes to a cluster, by issuing invite tokens
- adds other SSH nodes to a cluster, by checking their token and signing their keys
- same for users and their sessions
- checks public keys to see if they're signed by it (can be trusted or not)
func NewAuthServer ¶
func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) *AuthServer
NewAuthServer creates and configures a new AuthServer instance
func (*AuthServer) Close ¶ added in v1.0.0
func (a *AuthServer) Close() error
func (*AuthServer) CreateOIDCAuthRequest ¶ added in v1.0.0
func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthServer) CreateSignupToken ¶
func (s *AuthServer) CreateSignupToken(user services.User) (string, error)
CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator
allowedLogins are linux user logins allowed for the new user to use
func (*AuthServer) CreateUserWithToken ¶
func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) (*Session, error)
CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.
func (*AuthServer) CreateWebSession ¶ added in v1.0.0
func (s *AuthServer) CreateWebSession(user string) (*Session, error)
CreateWebSession creates a new web session for user without any checks, is used by admins
func (*AuthServer) DeleteToken ¶
func (s *AuthServer) DeleteToken(outputToken string) error
func (*AuthServer) DeleteWebSession ¶
func (s *AuthServer) DeleteWebSession(user string, id string) error
func (*AuthServer) ExtendWebSession ¶ added in v1.0.0
func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (*Session, error)
ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user
func (*AuthServer) GenerateHostCert ¶
func (s *AuthServer) GenerateHostCert(key []byte, hostID, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)
GenerateHostCert generates host certificate, it takes pkey as a signing private key (host certificate authority)
func (*AuthServer) GenerateServerKeys ¶ added in v1.0.0
func (s *AuthServer) GenerateServerKeys(hostID string, role teleport.Role) (*PackedKeys, error)
GenerateServerKeys generates private key and certificate signed by the host certificate authority, listing the role of this server
func (*AuthServer) GenerateToken ¶
func (*AuthServer) GenerateUserCert ¶
func (s *AuthServer) GenerateUserCert( key []byte, username string, ttl time.Duration) ([]byte, error)
GenerateUserCert generates user certificate, it takes pkey as a signing private key (user certificate authority)
func (*AuthServer) GetLocalDomain ¶ added in v1.0.0
func (a *AuthServer) GetLocalDomain() (string, error)
GetLocalDomain returns domain name that identifies this authority server
func (*AuthServer) GetSignupTokenData ¶
func (s *AuthServer) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
GetSignupTokenData returns token data for a valid token
func (*AuthServer) GetWebSession ¶
func (s *AuthServer) GetWebSession(userName string, id string) (*Session, error)
func (*AuthServer) GetWebSessionInfo ¶ added in v1.0.0
func (s *AuthServer) GetWebSessionInfo(userName string, id string) (*Session, error)
func (*AuthServer) NewWebSession ¶
func (s *AuthServer) NewWebSession(userName string) (*Session, error)
func (*AuthServer) RegisterNewAuthServer ¶
func (s *AuthServer) RegisterNewAuthServer(outputToken string) error
func (*AuthServer) RegisterUsingToken ¶
func (s *AuthServer) RegisterUsingToken(outputToken, hostID string, role teleport.Role) (*PackedKeys, error)
func (*AuthServer) SignIn ¶
func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)
func (*AuthServer) UpsertWebSession ¶
func (*AuthServer) ValidateOIDCAuthCallback ¶ added in v1.0.0
func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error
func (*AuthServer) ValidateToken ¶
func (s *AuthServer) ValidateToken(token string) (role string, e error)
type AuthServerOption ¶ added in v1.0.0
type AuthServerOption func(*AuthServer)
AuthServerOption allows setting options as functional arguments to AuthServer
func AuthClock ¶
func AuthClock(clock clockwork.Clock) AuthServerOption
AuthClock allows setting clock for auth server (used in tests)
type AuthTunnel ¶ added in v1.0.0
type AuthTunnel struct {
// contains filtered or unexported fields
}
AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then stablishes an SSH tunnell which HTTP requests travel over. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.
func NewTunnel ¶ added in v1.0.0
func NewTunnel(addr utils.NetAddr, hostSigners []ssh.Signer, apiServer *APIWithRoles, authServer *AuthServer, opts ...ServerOption) (tunnel *AuthTunnel, err error)
NewTunnel creates a new SSH tunnel server which is not started yet
func (*AuthTunnel) Addr ¶ added in v1.0.0
func (s *AuthTunnel) Addr() string
func (*AuthTunnel) Close ¶ added in v1.0.0
func (s *AuthTunnel) Close() error
func (*AuthTunnel) HandleNewChan ¶ added in v1.0.0
func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)
HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established
func (*AuthTunnel) Start ¶ added in v1.0.0
func (s *AuthTunnel) Start() error
type AuthWithRoles ¶
type AuthWithRoles struct {
// contains filtered or unexported fields
}
func NewAuthWithRoles ¶
func NewAuthWithRoles(authServer *AuthServer, permChecker PermissionChecker, elog events.Log, sessions session.Service, role teleport.Role, recorder recorder.Recorder) *AuthWithRoles
func (*AuthWithRoles) CheckPassword ¶
func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error
func (*AuthWithRoles) CreateOIDCAuthRequest ¶ added in v1.0.0
func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthWithRoles) CreateSession ¶ added in v1.0.0
func (a *AuthWithRoles) CreateSession(s session.Session) error
func (*AuthWithRoles) CreateSignupToken ¶
func (a *AuthWithRoles) CreateSignupToken(user services.User) (token string, e error)
func (*AuthWithRoles) CreateUserWithToken ¶
func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error)
func (*AuthWithRoles) CreateWebSession ¶ added in v1.0.0
func (a *AuthWithRoles) CreateWebSession(user string) (*Session, error)
func (*AuthWithRoles) DeleteCertAuthority ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) DeleteOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
func (*AuthWithRoles) DeleteReverseTunnel ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
func (*AuthWithRoles) DeleteUser ¶
func (a *AuthWithRoles) DeleteUser(user string) error
func (*AuthWithRoles) DeleteWebSession ¶
func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
func (*AuthWithRoles) ExtendWebSession ¶ added in v1.0.0
func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (*Session, error)
func (*AuthWithRoles) GenerateHostCert ¶
func (*AuthWithRoles) GenerateKeyPair ¶
func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
func (*AuthWithRoles) GenerateToken ¶
func (*AuthWithRoles) GenerateUserCert ¶
func (*AuthWithRoles) GetAuthServers ¶ added in v1.0.0
func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
func (*AuthWithRoles) GetCertAuthorities ¶ added in v1.0.0
func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)
func (*AuthWithRoles) GetChunkReader ¶
func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error)
func (*AuthWithRoles) GetChunkWriter ¶
func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
func (*AuthWithRoles) GetLocalDomain ¶ added in v1.0.0
func (a *AuthWithRoles) GetLocalDomain() (string, error)
func (*AuthWithRoles) GetNodes ¶ added in v1.0.0
func (a *AuthWithRoles) GetNodes() ([]services.Server, error)
func (*AuthWithRoles) GetOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error)
func (*AuthWithRoles) GetOIDCConnectors ¶ added in v1.0.0
func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
func (*AuthWithRoles) GetProxies ¶ added in v1.0.0
func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
func (*AuthWithRoles) GetReverseTunnels ¶ added in v1.0.0
func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
func (*AuthWithRoles) GetSession ¶
func (*AuthWithRoles) GetSessionEvents ¶ added in v1.0.0
func (*AuthWithRoles) GetSessions ¶
func (a *AuthWithRoles) GetSessions() ([]session.Session, error)
func (*AuthWithRoles) GetSignupTokenData ¶
func (*AuthWithRoles) GetUser ¶ added in v1.0.0
func (a *AuthWithRoles) GetUser(name string) (services.User, error)
func (*AuthWithRoles) GetWebSessionInfo ¶ added in v1.0.0
func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error)
func (*AuthWithRoles) LogSession ¶
func (a *AuthWithRoles) LogSession(sess session.Session) error
func (*AuthWithRoles) RegisterNewAuthServer ¶
func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
func (*AuthWithRoles) RegisterUsingToken ¶
func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)
func (*AuthWithRoles) SignIn ¶
func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)
func (*AuthWithRoles) UpdateSession ¶ added in v1.0.0
func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
func (*AuthWithRoles) UpsertAuthServer ¶ added in v1.0.0
func (*AuthWithRoles) UpsertCertAuthority ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error
func (*AuthWithRoles) UpsertNode ¶ added in v1.0.0
func (*AuthWithRoles) UpsertOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error
func (*AuthWithRoles) UpsertParty ¶
func (*AuthWithRoles) UpsertPassword ¶
func (*AuthWithRoles) UpsertProxy ¶ added in v1.0.0
func (*AuthWithRoles) UpsertReverseTunnel ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error
func (*AuthWithRoles) UpsertUser ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertUser(u services.User) error
func (*AuthWithRoles) ValidateOIDCAuthCallback ¶ added in v1.0.0
func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error)
type Authority ¶
type Authority interface { // GenerateKeyPair generates new keypair GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error) // GetNewKeyPairFromPool returns new keypair from pre-generated in memory pool GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error) // GenerateHostCert generates host certificate, it takes pkey as a signing // private key (host certificate authority) GenerateHostCert(pkey, key []byte, hostID, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error) // GenerateHostCert generates user certificate, it takes pkey as a signing // private key (user certificate authority) GenerateUserCert(pkey, key []byte, teleportUsername string, allowedLogins []string, ttl time.Duration) ([]byte, error) }
Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates
type Client ¶
Client is HTTP API client that connects to the remote server
func NewClient ¶
func NewClient(addr string, params ...roundtrip.ClientParam) (*Client, error)
NewClient returns a new instance of the client
func (*Client) CheckPassword ¶
CheckPassword checks if the suplied web access password is valid.
func (*Client) CreateOIDCAuthRequest ¶ added in v1.0.0
func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*Client) CreateSession ¶ added in v1.0.0
CreateSession creates new session
func (*Client) CreateSignupToken ¶
CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator
func (*Client) CreateUserWithToken ¶
CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.
func (*Client) CreateWebSession ¶ added in v1.0.0
CreateWebSession creates a new web session for a user
func (*Client) DeleteCertAuthority ¶ added in v1.0.0
func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
func (*Client) DeleteOIDCConnector ¶ added in v1.0.0
func (*Client) DeleteReverseTunnel ¶ added in v1.0.0
DeleteReverseTunnel deletes reverse tunnel by domain name
func (*Client) DeleteSession ¶
DeleteSession deletes a session by ID
func (*Client) DeleteUser ¶
DeleteUser deletes a user by username
func (*Client) DeleteWebSession ¶
DeleteWebSession deletes a web session for this user by id
func (*Client) ExtendWebSession ¶ added in v1.0.0
ExtendWebSession creates a new web session for a user based on another valid web session
func (*Client) GenerateHostCert ¶
func (c *Client) GenerateHostCert( key []byte, hostname, authDomain string, role teleport.Role, ttl time.Duration) ([]byte, error)
GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.
func (*Client) GenerateKeyPair ¶
GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.
func (*Client) GenerateToken ¶
GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.
This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.
The token can be used only once.
func (*Client) GenerateUserCert ¶
GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*Client) GetAuthServers ¶ added in v1.0.0
GetAuthServers returns the list of auth servers registered in the cluster.
func (*Client) GetCertAuthorities ¶ added in v1.0.0
func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error)
func (*Client) GetChunkReader ¶
func (c *Client) GetChunkReader(id string) (recorder.ChunkReadCloser, error)
GetChunkReader returns a reader of recorded session
func (*Client) GetChunkWriter ¶
func (c *Client) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
GetChunkWriter returns a writer for chunks (parts of the recorded session)
func (*Client) GetLocalDomain ¶ added in v1.0.0
GetLocalDomain returns local auth domain of the current auth server
func (*Client) GetNodes ¶ added in v1.0.0
GetNodes returns the list of servers registered in the cluster.
func (*Client) GetOIDCConnector ¶ added in v1.0.0
func (*Client) GetOIDCConnectors ¶ added in v1.0.0
func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
func (*Client) GetProxies ¶ added in v1.0.0
GetProxies returns the list of auth servers registered in the cluster.
func (*Client) GetReverseTunnels ¶ added in v1.0.0
func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
GetReverseTunnels returns the list of created reverse tunnels
func (*Client) GetSession ¶
GetSession returns a session by ID
func (*Client) GetSessionEvents ¶ added in v1.0.0
GetSessionEvents returns a list of filtered session events
func (*Client) GetSessions ¶
GetSessions returns a list of active sessions in the cluster as reported by auth server
func (*Client) GetSignupTokenData ¶
func (c *Client) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
GetSignupTokenData returns token data for a valid token
func (*Client) GetUser ¶ added in v1.0.0
GetUser returns a list of usernames registered in the system
func (*Client) GetWebSessionInfo ¶ added in v1.0.0
GetWebSessionInfo check if a web sesion is valid, returns session id in case if it is valid, or error otherwise.
func (*Client) PostForm ¶
func (c *Client) PostForm( endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
PostForm is a generic method that issues http POST request to the server
func (*Client) PostJSON ¶ added in v1.0.0
PostJSON is a generic method that issues http POST request to the server
func (*Client) PutJSON ¶ added in v1.0.0
PutJSON is a generic method that issues http PUT request to the server
func (*Client) RegisterNewAuthServer ¶
func (*Client) RegisterUsingToken ¶
RegisterUserToken calls the auth service API to register a new node via registration token which has been previously issued via GenerateToken
func (*Client) SignIn ¶
SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.
func (*Client) UpdateSession ¶ added in v1.0.0
func (c *Client) UpdateSession(req session.UpdateRequest) error
UpdateSession updates existing session
func (*Client) UpsertAuthServer ¶ added in v1.0.0
UpsertAuthServer is used by auth servers to report their presense to other auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertCertAuthority ¶ added in v1.0.0
UpsertCertAuthority updates or inserts new cert authority
func (*Client) UpsertNode ¶ added in v1.0.0
UpsertNode is used by SSH servers to reprt their presense to the auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertOIDCConnector ¶ added in v1.0.0
func (*Client) UpsertParty ¶
UpsertParty updates existing session party or inserts new party
func (*Client) UpsertPassword ¶
func (c *Client) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
UpsertPassword updates web access password for the user
func (*Client) UpsertProxy ¶ added in v1.0.0
UpsertProxy is used by proxies to report their presense to other auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertReverseTunnel ¶ added in v1.0.0
UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions
func (*Client) UpsertUser ¶ added in v1.0.0
UpsertUser user updates or inserts user entry
func (*Client) ValidateOIDCAuthCallback ¶ added in v1.0.0
type ClientI ¶
type ClientI interface { GetUser(name string) (services.User, error) UpsertUser(user services.User) error GetSessions() ([]session.Session, error) GetSession(id session.ID) (*session.Session, error) CreateSession(s session.Session) error UpdateSession(req session.UpdateRequest) error UpsertParty(id session.ID, p session.Party, ttl time.Duration) error UpsertCertAuthority(cert services.CertAuthority, ttl time.Duration) error GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error) DeleteCertAuthority(caType services.CertAuthID) error GenerateToken(role teleport.Role, ttl time.Duration) (string, error) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error) RegisterNewAuthServer(token string) error Log(id lunk.EventID, e lunk.Event) LogEntry(en lunk.Entry) error LogSession(sess session.Session) error GetEvents(filter events.Filter) ([]lunk.Entry, error) GetSessionEvents(filter events.Filter) ([]session.Session, error) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error) GetChunkReader(id string) (recorder.ChunkReadCloser, error) UpsertNode(s services.Server, ttl time.Duration) error GetNodes() ([]services.Server, error) GetAuthServers() ([]services.Server, error) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error) CheckPassword(user string, password []byte, hotpToken string) error SignIn(user string, password []byte) (*Session, error) CreateWebSession(user string) (*Session, error) ExtendWebSession(user string, prevSessionID string) (*Session, error) GetWebSessionInfo(user string, sid string) (*Session, error) DeleteWebSession(user string, sid string) error GetUsers() ([]services.User, error) DeleteUser(user string) error GenerateKeyPair(pass string) ([]byte, []byte, error) GenerateHostCert(key []byte, hostname, authServer string, role teleport.Role, ttl time.Duration) ([]byte, error) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error) GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error) CreateUserWithToken(token, password, hotpToken string) (*Session, error) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error GetOIDCConnector(id string, withSecrets bool) (*services.OIDCConnector, error) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error) DeleteOIDCConnector(connectorID string) error CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error) ValidateOIDCAuthCallback(q url.Values, checkUser bool) (*OIDCAuthResponse, error) }
TOODO(klizhentas) this should be just including appropriate service implementations
type FakeSSHConnection ¶ added in v1.0.0
type FakeSSHConnection struct {
// contains filtered or unexported fields
}
func (*FakeSSHConnection) Close ¶ added in v1.0.0
func (conn *FakeSSHConnection) Close() error
func (*FakeSSHConnection) LocalAddr ¶ added in v1.0.0
func (conn *FakeSSHConnection) LocalAddr() net.Addr
func (*FakeSSHConnection) Read ¶ added in v1.0.0
func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)
func (*FakeSSHConnection) RemoteAddr ¶ added in v1.0.0
func (conn *FakeSSHConnection) RemoteAddr() net.Addr
func (*FakeSSHConnection) SetDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
SetDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetReadDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
SetReadDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetWriteDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
SetWriteDeadline is needed to implement net.Conn interface
type Identity ¶ added in v1.0.0
type Identity struct { ID IdentityID KeyBytes []byte CertBytes []byte KeySigner ssh.Signer Cert *ssh.Certificate AuthorityDomain string }
Identity is a collection of certificates and signers that represent identity
func ReadIdentity ¶ added in v1.0.0
func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)
ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).
func ReadIdentityFromKeyPair ¶ added in v1.0.0
ReadIdentityFromKeyPair reads identity from initialized keypair
type IdentityID ¶ added in v1.0.0
IdentityID is a combination of role and host UUID
func (*IdentityID) Equals ¶ added in v1.0.0
func (id *IdentityID) Equals(other IdentityID) bool
Equals returns true if two identities are equal
func (*IdentityID) String ¶ added in v1.0.0
func (id *IdentityID) String() string
String returns debug friendly representation of this identity
type InitConfig ¶
type InitConfig struct { // Backend is auth backend to use Backend backend.Backend // Authority is key generator that we use Authority Authority // HostUUID is a UUID of this host HostUUID string // DomainName stores the FQDN of the signing CA (its certificate will have this // name embedded). It is usually set to the GUID of the host the Auth service runs on DomainName string // Authorities is a list of pre-configured authorities to supply on first start Authorities []services.CertAuthority // AuthServiceName is a human-readable name of this CA. If several Auth services are running // (managing multiple teleport clusters) this field is used to tell them apart in UIs // It usually defaults to the hostname of the machine the Auth service runs on. AuthServiceName string // DataDir is the full path to the directory where keys, events and logs are kept DataDir string // AllowedTokens is a static set of allowed provisioning tokens // auth server will recognize on the first start AllowedTokens map[string]string // ReverseTunnels is a list of reverse tunnels statically supplied // in configuration, so auth server will init the tunnels on the first start ReverseTunnels []services.ReverseTunnel // OIDCConnectors is a list of trusted OpenID Connect identity providers // in configuration, so auth server will init the tunnels on the first start OIDCConnectors []services.OIDCConnector // Trust is a service that manages users and credentials Trust services.Trust // Lock is a distributed or local lock service Lock services.Lock // Presence service is a discovery and hearbeat tracker Presence services.Presence // Provisioner is a service that keeps track of provisioning tokens Provisioner services.Provisioner // Trust is a service that manages users and credentials Identity services.Identity }
InitConfig is auth server init config
type OIDCAuthResponse ¶ added in v1.0.0
type OIDCAuthResponse struct { // Username is authenticated teleport username Username string `json:"username"` // Identity contains validated OIDC identity Identity services.OIDCIdentity `json:"identity"` // Web session will be generated by auth server if requested in OIDCAuthRequest Session *Session `json:"session,omitempty"` // Cert will be generated by certificate authority Cert []byte `json:"cert,omitempty"` // Req is original oidc auth request Req services.OIDCAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider
type PackedKeys ¶
type PermissionChecker ¶
type PermissionChecker interface { // HasPermission checks if the given role has a permission to execute // the action HasPermission(role teleport.Role, action string) error }
PermissionChecker interface verifies that clients have permissions to execute any action of the auth server
func NewAllowAllPermissions ¶
func NewAllowAllPermissions() PermissionChecker
func NewStandardPermissions ¶
func NewStandardPermissions() PermissionChecker
NewStandardPermissions returns permission checker with hardcoded roles that are built in when auth server starts in standard mode
type ServerOption ¶
type ServerOption func(s *AuthTunnel) error
ServerOption is the functional argument passed to the server
func SetLimiter ¶ added in v1.0.0
func SetLimiter(limiter *limiter.Limiter) ServerOption
SetLimiter sets rate and connection limiter for auth tunnel server
type Session ¶
type Session struct { // ID is a session ID ID string `json:"id"` // Username is a user this session belongs to Username string `json:"username"` // ExpiresAt is an optional expiry time, if set // that means this web session and all derived web sessions // can not continue after this time, used in OIDC use case // when expiry is set by external identity provider, so user // has to relogin (or later on we'd need to refresh the token) ExpiresAt time.Time `json:"expires_at"` // WS is a private keypair used for signing requests WS services.WebSession `json:"web"` }
Session is a web session context, stores temporary key-value pair and session id
type TunClient ¶
TunClient is HTTP client that works over SSH tunnel This is done in order to authenticate various teleport roles using existing SSH certificate infrastructure
func NewTunClient ¶
func NewTunClient(authServers []utils.NetAddr, user string, authMethods []ssh.AuthMethod, opts ...TunClientOption) (*TunClient, error)
NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate
func (*TunClient) GetAgent ¶
func (c *TunClient) GetAgent() (AgentCloser, error)
GetAgent returns SSH agent that uses ReqWebSessionAgent Auth server extension
func (*TunClient) GetDialer ¶
func (c *TunClient) GetDialer() AccessPointDialer
GetDialer returns dialer that will connect to auth server API
type TunClientOption ¶ added in v1.0.0
type TunClientOption func(t *TunClient)
TunClientOption is functional option for tunnel client
func TunClientStorage ¶ added in v1.0.0
func TunClientStorage(storage utils.AddrStorage) TunClientOption
TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers