services

package
v0.1.0-alpha.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 28, 2016 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package services implements API services exposed by Teleport: * presence service that takes care of heratbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source 
const (
	Leader   = Event(1)
	Follower = Event(2)
)
View Source 
const (
	// TokenRoleAuth specifies
	TokenRoleAuth = "Auth"
	TokenRoleNode = "Node"
)

Variables

This section is empty.

Functions

func JoinTokenRole 

func JoinTokenRole(token, role string) (ouputToken string, e error)

func SplitTokenRole 

func SplitTokenRole(outputToken string) (token, role string, e error)

Types

type AuthorizedKey 

type AuthorizedKey struct {
	// ID is a unique key id
	ID string `json:"id"`
	// Value is a value of the public key
	Value []byte `json:"value"`
}

AuthorizedKey is a public key that is authorized to access SSH servers

type BkKeysService 

type BkKeysService struct {
	// contains filtered or unexported fields
}

func NewBkKeysService 

func NewBkKeysService(backend backend.Backend) *BkKeysService

type CAService 

type CAService struct {
	// contains filtered or unexported fields
}

CAService is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

func NewCAService 

func NewCAService(backend backend.Backend) *CAService

NewCAService returns new instance of CAService

func (*CAService) DeleteCertAuthority 

func (s *CAService) DeleteCertAuthority(id CertAuthID) error

DeleteCertAuthority deletes particular certificate authority

func (*CAService) GetCertAuthorities 

func (s *CAService) GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]*CertAuthority, error)

GetCertAuthorities returns a list of authorities of a given type loadSigningKeys controls whether signing keys should be loaded or not

func (*CAService) GetCertAuthority 

func (s *CAService) GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*CAService) UpsertCertAuthority 

func (s *CAService) UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error

UpsertCertAuthority updates or inserts a new certificate authority

type CertAuthID added in v1.0.0 

type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}

CertAuthID - id of certificate authority (it's type and domain name)

func (*CertAuthID) Check added in v1.0.0 

func (c *CertAuthID) Check() error

Check returns error if any of the id parameters are bad, nil otherwise

func (*CertAuthID) String added in v1.0.0 

func (c *CertAuthID) String() string

type CertAuthType added in v1.0.0 

type CertAuthType string

CertAuthType specifies certificate authority type, user or host 

const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)

func (CertAuthType) Check added in v1.0.0 

func (c CertAuthType) Check() error

Check checks if certificate authority type value is correct

type CertAuthority added in v1.0.0 

type CertAuthority struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}

CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func NewTestCA 

func NewTestCA(caType CertAuthType, domainName string) *CertAuthority

NewTestCA returns new test authority with a test key as a public and signing key

func (*CertAuthority) Check added in v1.0.0 

func (ca *CertAuthority) Check() error

Check checks if all passed parameters are valid

func (*CertAuthority) Checkers added in v1.0.0 

func (ca *CertAuthority) Checkers() ([]ssh.PublicKey, error)

Checkers returns public keys that can be used to check cert authorities

func (*CertAuthority) FirstSigningKey added in v1.0.0 

func (ca *CertAuthority) FirstSigningKey() ([]byte, error)

FirstSigningKey returns first signing key or returns error if it's not here

func (*CertAuthority) ID added in v1.0.0 

func (ca *CertAuthority) ID() *CertAuthID

ID returns id (consisting of domain name and type) that identifies the authority this key belongs to

func (*CertAuthority) Signers added in v1.0.0 

func (ca *CertAuthority) Signers() ([]ssh.Signer, error)

Signers returns a list of signers that could be used to sign keys

type CommandLabel 

type CommandLabel struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabel is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabels 

type CommandLabels map[string]CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) SetEnv 

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type Event 

type Event int

type LeaderElectionService 

type LeaderElectionService struct {
	// contains filtered or unexported fields
}

func NewLeaderElectionService 

func NewLeaderElectionService(backend backend.Backend, path []string, serverID string) *LeaderElectionService

func (*LeaderElectionService) AcquireMaster 

func (les *LeaderElectionService) AcquireMaster() bool

func (*LeaderElectionService) Disable 

func (les *LeaderElectionService) Disable()

func (*LeaderElectionService) Start 

func (les *LeaderElectionService) Start()

func (*LeaderElectionService) Subscribe 

func (les *LeaderElectionService) Subscribe(c chan Event)

type LockService 

type LockService struct {
	// contains filtered or unexported fields
}

func NewLockService 

func NewLockService(backend backend.Backend) *LockService

func (*LockService) AcquireLock 

func (s *LockService) AcquireLock(token string, ttl time.Duration) error

Grab a lock that will be released automatically in ttl time

func (*LockService) ReleaseLock 

func (s *LockService) ReleaseLock(token string) error

type PresenceService 

type PresenceService struct {
	// contains filtered or unexported fields
}

PresenceService records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

func NewPresenceService 

func NewPresenceService(backend backend.Backend) *PresenceService

NewPresenceService returns new presence service instance

func (*PresenceService) DeleteReverseTunnel 

func (s *PresenceService) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by it's domain name

func (*PresenceService) GetAuthServers 

func (s *PresenceService) GetAuthServers() ([]Server, error)

GetAuthServers returns a list of registered servers

func (*PresenceService) GetNodes 

func (s *PresenceService) GetNodes() ([]Server, error)

GetNodes returns a list of registered servers

func (*PresenceService) GetProxies 

func (s *PresenceService) GetProxies() ([]Server, error)

GetProxies returns a list of registered proxies

func (*PresenceService) GetReverseTunnels 

func (s *PresenceService) GetReverseTunnels() ([]ReverseTunnel, error)

GetReverseTunnels returns a list of registered servers

func (*PresenceService) UpsertAuthServer 

func (s *PresenceService) UpsertAuthServer(server Server, ttl time.Duration) error

UpsertAuthServer registers auth server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertNode 

func (s *PresenceService) UpsertNode(server Server, ttl time.Duration) error

UpsertNode registers node presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertProxy 

func (s *PresenceService) UpsertProxy(server Server, ttl time.Duration) error

UpsertProxy registers proxy server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertReverseTunnel 

func (s *PresenceService) UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error

UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently

type ProvisionToken 

type ProvisionToken struct {
	Role string        `json:"role"`
	TTL  time.Duration `json:"-"`
}

ProvisionToken stores metadata about some provisioning token

type ProvisioningService 

type ProvisioningService struct {
	// contains filtered or unexported fields
}

ProvisioningService governs adding new nodes to the cluster

func NewProvisioningService 

func NewProvisioningService(backend backend.Backend) *ProvisioningService

NewProvisioningService returns a new instance of provisioning service

func (*ProvisioningService) DeleteToken 

func (s *ProvisioningService) DeleteToken(token string) error

func (*ProvisioningService) GetToken 

func (s *ProvisioningService) GetToken(token string) (*ProvisionToken, error)

GetToken finds and returns token by id

func (*ProvisioningService) UpsertToken 

func (s *ProvisioningService) UpsertToken(token, role string, ttl time.Duration) error

UpsertToken adds provisioning tokens for the auth server

type ReverseTunnel added in v1.0.0 

type ReverseTunnel struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}

ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved

func (*ReverseTunnel) Check added in v1.0.0 

func (r *ReverseTunnel) Check() error

Check returns nil if all parameters are good, error otherwise

type Server 

type Server struct {
	ID        string                  `json:"id"`
	Addr      string                  `json:"addr"`
	Hostname  string                  `json:"hostname"`
	Labels    map[string]string       `json:"labels"`
	CmdLabels map[string]CommandLabel `json:"cmd_labels"`
}

Server represents a node in a Teleport cluster

func (*Server) LabelsMap added in v1.0.0 

func (s *Server) LabelsMap() map[string]string

LabelsMap returns the full key:value map of both static labels and "command labels"

func (*Server) LabelsString added in v1.0.0 

func (s *Server) LabelsString() string

LabelsString returns a comma separated string with all node's labels

func (*Server) MatchAgainst added in v1.0.0 

func (s *Server) MatchAgainst(labels map[string]string) bool

MatchAgainst takes a map of labels and returns True if this server has ALL of them

Any server matches against an empty label set

type ServicesTestSuite 

type ServicesTestSuite struct {
	CAS           *CAService
	LockS         *LockService
	PresenceS     *PresenceService
	ProvisioningS *ProvisioningService
	WebS          *WebService
	ChangesC      chan interface{}
}

func NewServicesTestSuite 

func NewServicesTestSuite(backend backend.Backend) *ServicesTestSuite

func (*ServicesTestSuite) CertAuthCRUD 

func (s *ServicesTestSuite) CertAuthCRUD(c *C)

func (*ServicesTestSuite) Locking 

func (s *ServicesTestSuite) Locking(c *C)

func (*ServicesTestSuite) PasswordCRUD 

func (s *ServicesTestSuite) PasswordCRUD(c *C)

func (*ServicesTestSuite) PasswordGarbage 

func (s *ServicesTestSuite) PasswordGarbage(c *C)

func (*ServicesTestSuite) PasswordHashCRUD 

func (s *ServicesTestSuite) PasswordHashCRUD(c *C)

func (*ServicesTestSuite) ReverseTunnelsCRUD 

func (s *ServicesTestSuite) ReverseTunnelsCRUD(c *C)

func (*ServicesTestSuite) ServerCRUD 

func (s *ServicesTestSuite) ServerCRUD(c *C)

func (*ServicesTestSuite) TokenCRUD 

func (s *ServicesTestSuite) TokenCRUD(c *C)

func (*ServicesTestSuite) UsersCRUD 

func (s *ServicesTestSuite) UsersCRUD(c *C)

func (*ServicesTestSuite) WebSessionCRUD 

func (s *ServicesTestSuite) WebSessionCRUD(c *C)

type SignupToken 

type SignupToken struct {
	Token           string   `json:"token"`
	User            string   `json:"user"`
	Hotp            []byte   `json:"hotp"`
	HotpFirstValues []string `json:"hotp_first_values"`
	HotpQR          []byte   `json:"hotp_qr"`
	AllowedLogins   []string `json:"allowed_logins"`
}

SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed

type Site added in v1.0.0 

type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}

Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.

The CA is represented by an auth server (or multiple auth servers, if running in HA mode)

type User added in v1.0.0 

type User struct {
	// Name is a user name
	Name string `json:"name"`

	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`
}

User is an optional user entry in the database

type WebService 

type WebService struct {
	SignupMutex *sync.Mutex
	// contains filtered or unexported fields
}

WebService is responsible for managing web users and currently user accounts as well

func NewWebService 

func NewWebService(backend backend.Backend) *WebService

NewWebService returns new instance of WebService

func (*WebService) CheckPassword 

func (s *WebService) CheckPassword(user string, password []byte, hotpToken string) error

CheckPassword is called on web user or tsh user login

func (*WebService) CheckPasswordWOToken 

func (s *WebService) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking HOTP tokens used in case of SSH authentication, when token has been validated

func (*WebService) DeleteSignupToken 

func (s *WebService) DeleteSignupToken(token string) error

DeleteSignupToken deletes signup token from the storage

func (*WebService) DeleteUser 

func (s *WebService) DeleteUser(user string) error

DeleteUser deletes a user with all the keys from the backend

func (*WebService) DeleteWebSession 

func (s *WebService) DeleteWebSession(user, sid string) error

DeleteWebSession deletes web session from the storage

func (*WebService) GetHOTP 

func (s *WebService) GetHOTP(user string) (*hotp.HOTP, error)

GetHOTP gets HOTP token state for a user

func (*WebService) GetPasswordHash 

func (s *WebService) GetPasswordHash(user string) ([]byte, error)

GetPasswordHash returns the password hash for a given user

func (*WebService) GetSignupToken 

func (s *WebService) GetSignupToken(token string) (*SignupToken, error)

GetSignupToken returns signup token data

func (*WebService) GetUser 

func (s *WebService) GetUser(user string) (*User, error)

GetUser returns a user by name

func (*WebService) GetUsers 

func (s *WebService) GetUsers() ([]User, error)

GetUsers returns a list of users registered with the local auth server

func (*WebService) GetWebSession 

func (s *WebService) GetWebSession(user, sid string) (*WebSession, error)

GetWebSession returns a web session state for a given user and session id

func (*WebService) GetWebSessionsKeys 

func (s *WebService) GetWebSessionsKeys(user string) ([]AuthorizedKey, error)

GetWebSessionsKeys returns public keys associated with the session

func (*WebService) UpsertHOTP 

func (s *WebService) UpsertHOTP(user string, otp *hotp.HOTP) error

UpsertHOTP upserts HOTP state for user

func (*WebService) UpsertPassword 

func (s *WebService) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword upserts new password and HOTP token

func (*WebService) UpsertPasswordHash 

func (s *WebService) UpsertPasswordHash(user string, hash []byte) error

UpsertPasswordHash upserts user password hash

func (*WebService) UpsertSignupToken 

func (s *WebService) UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error

UpsertSignupToken upserts signup token - one time token that lets user to create a user account

func (*WebService) UpsertUser 

func (s *WebService) UpsertUser(user User) error

UpsertUser updates parameters about user

func (*WebService) UpsertWebSession 

func (s *WebService) UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error

UpsertWebSession updates or inserts a web session for a user and session id

type WebSession 

type WebSession struct {
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}

WebSession stores key and value used to authenticate with SSH notes on behalf of user

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.