Overview ¶
Package webclient provides a client for the Teleport Proxy API endpoints.
Constants ¶
const (
	// Provider type identifiers reported in WebConfigAuthProvider.Type.

	// WebConfigAuthProviderOIDCType identifies an OIDC provider.
	WebConfigAuthProviderOIDCType = "oidc"
	// WebConfigAuthProviderSAMLType identifies a SAML provider.
	WebConfigAuthProviderSAMLType = "saml"
	// WebConfigAuthProviderGitHubType identifies a GitHub provider.
	WebConfigAuthProviderGitHubType = "github"

	// Webapi login endpoints for each provider type. The ":providerName"
	// and ":redirect" placeholders are substituted by the caller.
	// In all three, redirect_url MUST remain the last query parameter;
	// see the comment in parseSSORequestParams for the reason.

	// WebConfigAuthProviderOIDCURL is the OIDC webapi login endpoint.
	WebConfigAuthProviderOIDCURL = "/v1/webapi/oidc/login/web?connector_id=:providerName&redirect_url=:redirect"
	// WebConfigAuthProviderSAMLURL is the SAML webapi SSO endpoint.
	WebConfigAuthProviderSAMLURL = "/v1/webapi/saml/sso?connector_id=:providerName&redirect_url=:redirect"
	// WebConfigAuthProviderGitHubURL is the GitHub webapi login endpoint.
	WebConfigAuthProviderGitHubURL = "/v1/webapi/github/login/web?connector_id=:providerName&redirect_url=:redirect"
)
// AgentUpdateGroupParameter names the query parameter that carries the
// updater group on a Ping() or Find() request. The proxy shapes the
// auto_update section of the PingResponse according to this group, so
// that some groups can be told to update before others.
const AgentUpdateGroupParameter = "group"
Functions ¶
func ParseHostPort ¶
func ParseHostPort(addr string, opts ...ParseHostPortOpt) (host, port string, err error)
ParseHostPort parses host and port from the given address.
Types ¶
type AuthenticationSettings ¶
// AuthenticationSettings describes how the cluster authenticates users.
// It is served by the proxy as part of the PingResponse.
type AuthenticationSettings struct {
	// Type names the authentication type; either local or oidc.
	Type string `json:"type"`
	// SecondFactor selects the second-factor type used during authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// PreferredLocalMFA is a server-side hint that helps clients choose an
	// MFA method when several are available. Empty when there is no hint.
	PreferredLocalMFA constants.SecondFactorType `json:"preferred_local_mfa,omitempty"`
	// AllowPasswordless reports whether passwordless logins are permitted.
	AllowPasswordless bool `json:"allow_passwordless,omitempty"`
	// AllowHeadless reports whether headless logins are permitted.
	AllowHeadless bool `json:"allow_headless,omitempty"`

	// Local carries the local authentication settings.
	Local *LocalSettings `json:"local,omitempty"`
	// Webauthn carries the Web Authentication MFA settings.
	Webauthn *Webauthn `json:"webauthn,omitempty"`
	// U2F carries the Universal Second Factor settings.
	U2F *U2FSettings `json:"u2f,omitempty"`
	// OIDC carries the OIDC connector settings.
	OIDC *OIDCSettings `json:"oidc,omitempty"`
	// SAML carries the SAML connector settings.
	SAML *SAMLSettings `json:"saml,omitempty"`
	// Github carries the GitHub connector settings.
	Github *GithubSettings `json:"github,omitempty"`

	// PrivateKeyPolicy is the cluster-wide private key policy.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"private_key_policy"`
	// PIVSlot pins the PIV slot to use with hardware key support.
	PIVSlot keys.PIVSlot `json:"piv_slot"`
	// DeviceTrust is the cluster-wide device trust configuration.
	DeviceTrust DeviceTrustSettings `json:"device_trust,omitempty"`

	// HasMessageOfTheDay signals that the cluster has MOTD banner text which
	// must be fetched, shown to the user and acknowledged.
	HasMessageOfTheDay bool `json:"has_motd"`
	// LoadAllCAs instructs tsh to load the CAs of every cluster when
	// connecting to a node over SSH.
	LoadAllCAs bool `json:"load_all_cas,omitempty"`
	// DefaultSessionTTL is the TTL requested for user certificates when the
	// caller does not specify one.
	DefaultSessionTTL types.Duration `json:"default_session_ttl"`
	// SignatureAlgorithmSuite is the signature algorithm suite configured
	// for the cluster.
	SignatureAlgorithmSuite types.SignatureAlgorithmSuite `json:"signature_algorithm_suite,omitempty"`
}
AuthenticationSettings contains information about server authentication settings.
type AutoUpdateSettings ¶
// AutoUpdateSettings tells tools and agents whether, and to which version,
// they should update.
type AutoUpdateSettings struct {
	// ToolsVersion is the {tsh, tctl} version that client auto-update should install.
	ToolsVersion string `json:"tools_version"`
	// ToolsAutoUpdate reports whether the requesting tools client should update.
	ToolsAutoUpdate bool `json:"tools_auto_update"`
	// AgentVersion is the Teleport version that agents enrolled in auto-update should run.
	AgentVersion string `json:"agent_version"`
	// AgentAutoUpdate reports whether the requesting agent should attempt an update now.
	AgentAutoUpdate bool `json:"agent_auto_update"`
	// AgentUpdateJitterSeconds is how long, at most, an agent should wait before updating.
	AgentUpdateJitterSeconds int `json:"agent_update_jitter_seconds"`
}
AutoUpdateSettings contains information about the auto update requirements.
type Config ¶
// Config carries everything needed to build requests with the webclient.
type Config struct {
	// Context is the context under which webclient requests are issued.
	Context context.Context
	// ProxyAddr is the address of the Teleport proxy to query.
	ProxyAddr string
	// Insecure disables TLS certificate verification. While it is set the
	// proxy's identity is not checked, so nothing it returns (including the
	// authentication settings in a PingResponse) is authenticated.
	// NOTE(review): confirm callers limit this to test setups.
	Insecure bool
	// Pool is the set of root CAs used to verify server certificates.
	Pool *x509.CertPool
	// ConnectorName names the OIDC or SAML connector.
	ConnectorName string
	// ExtraHeaders holds additional HTTP headers added to every request.
	ExtraHeaders map[string]string
	// Timeout bounds each request.
	Timeout time.Duration
	// TraceProvider supplies the Tracer used to create spans.
	TraceProvider oteltrace.TracerProvider
	// UpdateGroup is the client's auto-update group; the webapi response
	// varies with it.
	UpdateGroup string
}
Config specifies information when building requests with the webclient.
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks the configuration and sets defaults.
type DBProxySettings ¶
// DBProxySettings holds the listen and public addresses of the database
// access proxies.
type DBProxySettings struct {
	// PostgresListenAddr is where the Postgres proxy listens.
	PostgresListenAddr string `json:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is the address advertised to Postgres clients.
	PostgresPublicAddr string `json:"postgres_public_addr,omitempty"`
	// MySQLListenAddr is where the MySQL proxy listens.
	MySQLListenAddr string `json:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is the address advertised to MySQL clients.
	MySQLPublicAddr string `json:"mysql_public_addr,omitempty"`
	// MongoListenAddr is where the Mongo proxy listens.
	MongoListenAddr string `json:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is the address advertised to Mongo clients.
	MongoPublicAddr string `json:"mongo_public_addr,omitempty"`
}
DBProxySettings contains database access specific proxy settings.
type DeviceTrustSettings ¶
// DeviceTrustSettings holds the cluster-wide device trust settings that
// can change client behavior.
type DeviceTrustSettings struct {
	// Disabled is set when device trust is turned off cluster-wide.
	Disabled bool `json:"disabled,omitempty"`
	// AutoEnroll is the device auto-enroll setting; its exact effect on the
	// client is not documented here — confirm against the auth service.
	AutoEnroll bool `json:"auto_enroll,omitempty"`
}
DeviceTrustSettings holds cluster-wide device trust settings that are liable to change client behavior.
type EntitlementInfo ¶
// EntitlementInfo is the state of one entitlement together with its limit.
// For a feature X:
//
//	{Enabled: true,  Limit: 0}   => unlimited access to X
//	{Enabled: true,  Limit: >0}  => limited access to X
//	{Enabled: false, Limit: >=0} => no access to X
type EntitlementInfo struct {
	// Enabled is true when the feature is on and false when it is disabled.
	Enabled bool `json:"enabled"`
	// Limit is the allotted amount of use when limited; 0 means unlimited.
	Limit int32 `json:"limit"`
}
EntitlementInfo is the state and limits of a particular entitlement. Example for feature X: {Enabled: true, Limit: 0} => unlimited access to feature X; {Enabled: true, Limit: >0} => limited access to feature X; {Enabled: false, Limit: >=0} => no access to feature X.
type FeatureLimits ¶
// FeatureLimits defines per-feature limits. It is typically used with
// feature teasers when a feature is not enabled for the product type, e.g.
// the Team product contains teasers to upgrade to Enterprise.
type FeatureLimits struct {
	// AccessListCreateLimit caps the number of access lists that can be
	// created while the feature is not enabled.
	AccessListCreateLimit int `json:"accessListCreateLimit"`
	// AccessMonitoringMaxReportRangeLimit caps the number of days an access
	// report may cover while the feature is not enabled.
	AccessMonitoringMaxReportRangeLimit int `json:"accessMonitoringMaxReportRangeLimit"`
	// AccessRequestMonthlyRequestLimit is the usage-based cap on access
	// requests created in a calendar month.
	AccessRequestMonthlyRequestLimit int `json:"AccessRequestMonthlyRequestLimit"`
}
FeatureLimits defines limits for features. It is typically used with feature teasers when a feature is not enabled for the product type, e.g. the Team product contains teasers to upgrade to Enterprise.
type GithubSettings ¶
// GithubSettings carries the name, display name and endpoint of the GitHub
// connector.
type GithubSettings struct {
	// Name is the connector's internal name.
	Name string `json:"name"`
	// Display is the connector's display name.
	Display string `json:"display"`
	// EndpointURL is the connector's endpoint URL. It has no json tag, so it
	// is encoded under its field name.
	EndpointURL string
}
GithubSettings contains the Name and Display string for Github connector.
type KubeProxySettings ¶
// KubeProxySettings holds the Kubernetes proxy settings.
type KubeProxySettings struct {
	// Enabled reports whether the Kubernetes proxy is enabled.
	Enabled bool `json:"enabled,omitempty"`
	// PublicAddr is the Kubernetes proxy public address, when set.
	PublicAddr string `json:"public_addr,omitempty"`
	// ListenAddr is where the Kubernetes proxy accepts connections.
	ListenAddr string `json:"listen_addr,omitempty"`
}
KubeProxySettings holds the Kubernetes proxy settings.
type LocalSettings ¶
// LocalSettings holds the settings for local authentication.
type LocalSettings struct {
	// Name is the local connector's name.
	Name string `json:"name"`
}
LocalSettings holds settings for local authentication.
type OIDCSettings ¶
// OIDCSettings carries the name, display name and issuer of the OIDC
// connector.
type OIDCSettings struct {
	// Name is the connector's internal name.
	Name string `json:"name"`
	// Display is the connector's display name.
	Display string `json:"display"`
	// IssuerURL is the provider's endpoint. It has no json tag, so it is
	// encoded under its field name.
	IssuerURL string
}
OIDCSettings contains the Name and Display string for OIDC.
type ParseHostPortOpt ¶
func WithDefaultPort ¶
func WithDefaultPort(defaultPort int) ParseHostPortOpt
WithDefaultPort replaces the parse port with the default port if empty.
func WithOverridePort ¶
func WithOverridePort(overridePort int) ParseHostPortOpt
WithOverridePort replaces the parsed port with the override port.
type PingError ¶
// PingError is the string message returned by /webapi/ping on failure.
type PingError struct {
	// Message is the human-readable error text.
	Message string `json:"message"`
}
PingError contains the string message from /webapi/ping.
type PingErrorResponse ¶
// PingErrorResponse is the error envelope returned by /webapi/ping.
type PingErrorResponse struct {
	// Error holds the error reported by the proxy.
	Error PingError `json:"error"`
}
PingErrorResponse contains the error from /webapi/ping.
type PingResponse ¶
// PingResponse is what the Teleport proxy reports about itself: supported
// authentication, proxy addresses, version, and so on.
type PingResponse struct {
	// Auth lists the forms of authentication the auth server supports.
	Auth AuthenticationSettings `json:"auth"`
	// Proxy holds the proxy settings.
	Proxy ProxySettings `json:"proxy"`
	// ServerVersion is the running Teleport version.
	ServerVersion string `json:"server_version"`
	// MinClientVersion is the lowest client version the server accepts.
	MinClientVersion string `json:"min_client_version"`
	// AutoUpdate holds the auto-update settings.
	AutoUpdate AutoUpdateSettings `json:"auto_update"`
	// ClusterName is the name of the Teleport cluster.
	ClusterName string `json:"cluster_name"`
	// reserved: license_warnings ([]string)

	// AutomaticUpgrades reports whether agents should upgrade automatically.
	AutomaticUpgrades bool `json:"automatic_upgrades"`
	// Edition is the Teleport edition: "oss", "ent" or "community".
	Edition string `json:"edition"`
	// FIPS reports whether Teleport is using FIPS-compliant cryptography.
	FIPS bool `json:"fips"`
}
PingResponse contains data about the Teleport server like supported authentication types, server version, etc.
func Find ¶
func Find(cfg *Config) (*PingResponse, error)
Find fetches discovery data by connecting to the given web proxy address. It is designed to fetch proxy public addresses without any inefficiencies.
func Ping ¶
func Ping(cfg *Config) (*PingResponse, error)
Ping serves two purposes. The first is to validate the HTTP endpoint of a Teleport proxy. This leads to better user experience: users get connection errors before being asked for passwords. The second is to return the form of authentication that the server supports. This also leads to better user experience: users only get prompted for the type of authentication the server supports.
type ProxySettings ¶
// ProxySettings groups the per-protocol proxy settings.
type ProxySettings struct {
	// Kube is the Kubernetes-specific proxy section.
	Kube KubeProxySettings `json:"kube"`
	// SSH is the SSH-specific proxy section.
	SSH SSHProxySettings `json:"ssh"`
	// DB is the database-access-specific proxy section.
	DB DBProxySettings `json:"db"`
	// TLSRoutingEnabled reports that the proxy runs the ALPN SNI server, with
	// every proxy service exposed on one TLS listener (the Proxy Web Listener).
	TLSRoutingEnabled bool `json:"tls_routing_enabled"`
}
ProxySettings contains basic information about proxy settings.
func (*ProxySettings) SSHProxyHostPort ¶
func (ps *ProxySettings) SSHProxyHostPort() (host, port string, err error)
SSHProxyHostPort returns the ssh proxy host and port for the proxy settings.
func (*ProxySettings) TunnelAddr ¶
func (ps *ProxySettings) TunnelAddr() (string, error)
type ReusableClient ¶
type ReusableClient struct {
// contains filtered or unexported fields
}
ReusableClient is a webproxy client that allows the caller to make multiple calls without having to build a new HTTP client each time. Before retiring the client, you must make sure no calls are still in-flight, then call ReusableClient.CloseIdleConnections().
func NewReusableClient ¶
func NewReusableClient(cfg *Config) (*ReusableClient, error)
NewReusableClient creates a reusable webproxy client. If you need to do a single call, use the webclient.Ping or webclient.Find functions instead.
func (*ReusableClient) CloseIdleConnections ¶
func (c *ReusableClient) CloseIdleConnections()
CloseIdleConnections closes any connections on its [Transport] which were previously connected from previous requests but are now sitting idle in a "keep-alive" state. It does not interrupt any connections currently in use.
This must be run before retiring the ReusableClient.
func (*ReusableClient) Find ¶
func (c *ReusableClient) Find() (*PingResponse, error)
Find fetches discovery data by connecting to the given web proxy address. It is designed to fetch proxy public addresses without any inefficiencies.
func (*ReusableClient) GetMOTD ¶
func (c *ReusableClient) GetMOTD() (*MotD, error)
GetMOTD retrieves the Message Of The Day from the web proxy.
func (*ReusableClient) Ping ¶
func (c *ReusableClient) Ping() (*PingResponse, error)
Ping serves two purposes. The first is to validate the HTTP endpoint of a Teleport proxy. This leads to better user experience: users get connection errors before being asked for passwords. The second is to return the form of authentication that the server supports. This also leads to better user experience: users only get prompted for the type of authentication the server supports.
type SAMLSettings ¶
// SAMLSettings carries the name, display name and SSO endpoint of the SAML
// connector.
type SAMLSettings struct {
	// Name is the connector's internal name.
	Name string `json:"name"`
	// Display is the connector's display name.
	Display string `json:"display"`
	// SingleLogoutEnabled reports whether SAML SLO (single logout) is enabled
	// for this connector.
	SingleLogoutEnabled bool `json:"singleLogoutEnabled,omitempty"`
	// SSO is the identity provider's SSO service URL. It has no json tag, so
	// it is encoded under its field name.
	SSO string
}
SAMLSettings contains the Name and Display string for SAML.
type SSHProxySettings ¶
// SSHProxySettings holds the SSH-specific proxy addresses and the dial
// timeout clients should use.
type SSHProxySettings struct {
	// ListenAddr is where the SSH proxy accepts connections.
	ListenAddr string `json:"listen_addr,omitempty"`
	// TunnelListenAddr is where the SSH reverse tunnel accepts connections.
	TunnelListenAddr string `json:"tunnel_listen_addr,omitempty"`
	// WebListenAddr is where the proxy web handler listens.
	WebListenAddr string `json:"web_listen_addr,omitempty"`
	// PublicAddr is the HTTP proxy's public address.
	PublicAddr string `json:"public_addr,omitempty"`
	// SSHPublicAddr is the SSH proxy's public address.
	SSHPublicAddr string `json:"ssh_public_addr,omitempty"`
	// TunnelPublicAddr is the SSH reverse tunnel's public address.
	TunnelPublicAddr string `json:"ssh_tunnel_public_addr,omitempty"`
	// DialTimeout is the SSH timeout clients should apply.
	DialTimeout time.Duration `json:"dial_timeout,omitempty"`
}
SSHProxySettings holds the SSH-specific proxy settings.
type U2FSettings ¶
// U2FSettings carries the Universal Second Factor AppID.
type U2FSettings struct {
	// AppID is the U2F application identifier.
	AppID string `json:"app_id"`
}
U2FSettings contains the AppID for Universal Second Factor.
type UIConfig ¶
// UIConfig holds options for the web UI served by the proxy service.
type UIConfig struct {
	// ScrollbackLines is the maximum number of history lines the UI terminal keeps.
	ScrollbackLines int `json:"scrollbackLines,omitempty"`
	// ShowResources picks which resources the web UI lists. Unset behaves as
	// "requestable": resources the user can access plus those they can
	// request. With `accessible_only`, only resources the user already has
	// access to are listed.
	ShowResources constants.ShowResources `json:"showResources,omitempty"`
}
UIConfig provides config options for the web UI served by the proxy service.
type WebConfig ¶
// WebConfig is the web application configuration the backend serves to
// frontend apps.
type WebConfig struct {
	// Auth holds the Teleport auth preferences.
	Auth WebConfigAuthSettings `json:"auth,omitempty"`
	// CanJoinSessions controls whether joining sessions is offered.
	CanJoinSessions bool `json:"canJoinSessions"`
	// ProxyClusterName is the local cluster's name.
	ProxyClusterName string `json:"proxyCluster,omitempty"`
	// IsCloud reports whether cloud features are enabled.
	IsCloud bool `json:"isCloud,omitempty"`
	// TunnelPublicAddress is the public SSH tunnel address.
	TunnelPublicAddress string `json:"tunnelPublicAddress,omitempty"`
	// RecoveryCodesEnabled reports whether recovery codes are enabled in the cluster.
	RecoveryCodesEnabled bool `json:"recoveryCodesEnabled,omitempty"`
	// UI holds the web UI configuration.
	UI UIConfig `json:"ui,omitempty"`
	// IsDashboard reports whether the cluster runs as a "dashboard", whose
	// web UI offers downloads of self-hosted licenses and Teleport Enterprise
	// binaries.
	IsDashboard bool `json:"isDashboard,omitempty"`
	// IsUsageBasedBilling reports whether the cloud subscription is usage-based (pay-as-you-go).
	IsUsageBasedBilling bool `json:"isUsageBasedBilling,omitempty"`
	// AutomaticUpgrades reports whether agents should upgrade automatically.
	AutomaticUpgrades bool `json:"automaticUpgrades"`
	// AutomaticUpgradesTargetVersion is the agent version (e.g. of the kube
	// agent helm chart) to install, such as v13.4.3. Present only when
	// AutomaticUpgrades is enabled.
	AutomaticUpgradesTargetVersion string `json:"automaticUpgradesTargetVersion,omitempty"`
	// CustomTheme names the custom theme the web UI should apply.
	CustomTheme string `json:"customTheme"`
	// Questionnaire reports whether cluster users get an onboarding questionnaire.
	Questionnaire bool `json:"questionnaire"`
	// IsStripeManaged reports whether cluster billing and lifecycle are managed via Stripe.
	IsStripeManaged bool `json:"isStripeManaged"`
	// PremiumSupport reports whether the customer has premium support.
	PremiumSupport bool `json:"premiumSupport"`
	// Edition is the Teleport edition.
	Edition string `json:"edition"`
	// PlayableDatabaseProtocols lists the database protocols whose session
	// recordings can be played back.
	PlayableDatabaseProtocols []string `json:"playable_db_protocols"`
	// Entitlements maps feature names to the customer's access to them.
	Entitlements map[string]EntitlementInfo `json:"entitlements,omitempty"`

	// Deprecated fields follow. Prefer Entitlements (or the cluster
	// features) over these flags; they will be removed.

	// IsTeam is true if [Features.ProductType] = Team.
	//
	// Deprecated: check the cluster features instead.
	IsTeam bool `json:"isTeam"`
	// HideInaccessibleFeatures is true when features should stay hidden from
	// users lacking the required permissions. By default, UI elements are
	// shown even without permission to encourage discoverability; this flag
	// turns that off.
	//
	// Deprecated: use Entitlements.
	HideInaccessibleFeatures bool `json:"hideInaccessibleFeatures"`
	// IsIGSEnabled is true if [Features.IdentityGovernance] = true.
	//
	// Deprecated: use Entitlements.
	IsIGSEnabled bool `json:"isIgsEnabled"`
	// IsPolicyEnabled is true if [Features.Policy] = true.
	//
	// Deprecated: use Entitlements.
	IsPolicyEnabled bool `json:"isPolicyEnabled"`
	// FeatureLimits holds per-feature limits, typically used with feature
	// teasers when a feature is not enabled for the product type (e.g. the
	// Team product contains teasers to upgrade to Enterprise).
	//
	// Deprecated: use Entitlements.
	FeatureLimits FeatureLimits `json:"featureLimits"`
	// ExternalAuditStorage reports whether the EAS feature is enabled.
	//
	// Deprecated: use Entitlements.
	ExternalAuditStorage bool `json:"externalAuditStorage"`
	// JoinActiveSessions reports whether joining active sessions via the web UI is enabled.
	//
	// Deprecated: use Entitlements.
	JoinActiveSessions bool `json:"joinActiveSessions"`
	// AccessRequests reports whether access requests are enabled.
	//
	// Deprecated: use Entitlements.
	AccessRequests bool `json:"accessRequests"`
	// TrustedDevices reports whether the trusted devices page is enabled.
	//
	// Deprecated: use Entitlements.
	TrustedDevices bool `json:"trustedDevices"`
	// OIDC reports whether the OIDC integration flow is enabled.
	//
	// Deprecated: use Entitlements.
	OIDC bool `json:"oidc"`
	// SAML reports whether the SAML integration flow is enabled.
	//
	// Deprecated: use Entitlements.
	SAML bool `json:"saml"`
	// MobileDeviceManagement reports whether adding the Jamf plugin is enabled.
	//
	// Deprecated: use Entitlements.
	MobileDeviceManagement bool `json:"mobileDeviceManagement"`
}
WebConfig is web application configuration served by the backend to be used in frontend apps.
type WebConfigAuthProvider ¶
// WebConfigAuthProvider describes one auth provider offered to the web UI.
type WebConfigAuthProvider struct {
	// Name is the provider's ID.
	Name string `json:"name,omitempty"`
	// DisplayName is the provider's display name.
	DisplayName string `json:"displayName,omitempty"`
	// Type is the provider type (see the WebConfigAuthProvider*Type constants).
	Type string `json:"type,omitempty"`
	// WebAPIURL is the provider's webapi URL.
	WebAPIURL string `json:"url,omitempty"`
}
WebConfigAuthProvider describes an auth provider.
type WebConfigAuthSettings ¶
// WebConfigAuthSettings describes the auth configuration exposed to the web UI.
type WebConfigAuthSettings struct {
	// SecondFactor selects the second-factor type used during authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// Providers lists the configured auth providers.
	Providers []WebConfigAuthProvider `json:"providers,omitempty"`
	// LocalAuthEnabled reports whether local authentication is enabled.
	LocalAuthEnabled bool `json:"localAuthEnabled"`
	// AllowPasswordless reports whether passwordless logins are permitted.
	AllowPasswordless bool `json:"allowPasswordless,omitempty"`
	// AuthType is the authentication type.
	AuthType string `json:"authType"`
	// PreferredLocalMFA is a server-side hint that helps clients choose an
	// MFA method when several are available. Empty when there is no hint.
	PreferredLocalMFA constants.SecondFactorType `json:"preferredLocalMfa,omitempty"`
	// LocalConnectorName is the local connector's name.
	LocalConnectorName string `json:"localConnectorName,omitempty"`
	// PrivateKeyPolicy is the private key policy configured for the cluster.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"privateKeyPolicy,omitempty"`
	// MOTD is the message of the day shown to users before login.
	MOTD string `json:"motd"`
}
WebConfigAuthSettings describes the auth configuration.