webclient

package
v0.0.0-...-5733a65 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 21, 2024 License: Apache-2.0 Imports: 25 Imported by: 12

Documentation

Overview

Package webclient provides a client for the Teleport Proxy API endpoints.

Index

Constants

View Source
const (
	// WebConfigAuthProviderOIDCType is OIDC provider type
	WebConfigAuthProviderOIDCType = "oidc"
	// WebConfigAuthProviderOIDCURL is OIDC webapi endpoint.
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	WebConfigAuthProviderOIDCURL = "/v1/webapi/oidc/login/web?connector_id=:providerName&redirect_url=:redirect"

	// WebConfigAuthProviderSAMLType is SAML provider type
	WebConfigAuthProviderSAMLType = "saml"
	// WebConfigAuthProviderSAMLURL is SAML webapi endpoint.
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	WebConfigAuthProviderSAMLURL = "/v1/webapi/saml/sso?connector_id=:providerName&redirect_url=:redirect"

	// WebConfigAuthProviderGitHubType is GitHub provider type
	WebConfigAuthProviderGitHubType = "github"
	// WebConfigAuthProviderGitHubURL is GitHub webapi endpoint
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	WebConfigAuthProviderGitHubURL = "/v1/webapi/github/login/web?connector_id=:providerName&redirect_url=:redirect"
)
View Source
const (
	// AgentUpdateGroupParameter is the parameter used to specify the updater
	// group when doing a Ping() or Find() query.
	// The proxy server will modulate the auto_update part of the PingResponse
	// based on the specified group. e.g. some groups might need to update
	// before others.
	AgentUpdateGroupParameter = "group"
)

Variables

This section is empty.

Functions

func ParseHostPort

func ParseHostPort(addr string, opts ...ParseHostPortOpt) (host, port string, err error)

ParseHostPort parses host and port from the given address.

Types

type AuthenticationSettings

type AuthenticationSettings struct {
	// Type is the type of authentication, can be either local or oidc.
	Type string `json:"type"`
	// SecondFactor is the type of second factor to use in authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
	// when various options are available.
	// It is empty if there is nothing to suggest.
	PreferredLocalMFA constants.SecondFactorType `json:"preferred_local_mfa,omitempty"`
	// AllowPasswordless is true if passwordless logins are allowed.
	AllowPasswordless bool `json:"allow_passwordless,omitempty"`
	// AllowHeadless is true if headless logins are allowed.
	AllowHeadless bool `json:"allow_headless,omitempty"`
	// Local contains settings for local authentication.
	Local *LocalSettings `json:"local,omitempty"`
	// Webauthn contains MFA settings for Web Authentication.
	Webauthn *Webauthn `json:"webauthn,omitempty"`
	// U2F contains the Universal Second Factor settings needed for authentication.
	U2F *U2FSettings `json:"u2f,omitempty"`
	// OIDC contains OIDC connector settings needed for authentication.
	OIDC *OIDCSettings `json:"oidc,omitempty"`
	// SAML contains SAML connector settings needed for authentication.
	SAML *SAMLSettings `json:"saml,omitempty"`
	// Github contains Github connector settings needed for authentication.
	Github *GithubSettings `json:"github,omitempty"`
	// PrivateKeyPolicy contains the cluster-wide private key policy.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"private_key_policy"`
	// PIVSlot specifies a specific PIV slot to use with hardware key support.
	PIVSlot keys.PIVSlot `json:"piv_slot"`
	// DeviceTrust holds cluster-wide device trust settings.
	DeviceTrust DeviceTrustSettings `json:"device_trust,omitempty"`
	// HasMessageOfTheDay is a flag indicating that the cluster has MOTD
	// banner text that must be retrieved, displayed and acknowledged by
	// the user.
	HasMessageOfTheDay bool `json:"has_motd"`
	// LoadAllCAs tells tsh to load CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool `json:"load_all_cas,omitempty"`
	// DefaultSessionTTL is the TTL requested for user certs if
	// a TTL is not otherwise specified.
	DefaultSessionTTL types.Duration `json:"default_session_ttl"`
	// SignatureAlgorithmSuite is the configured signature algorithm suite for
	// the cluster.
	SignatureAlgorithmSuite types.SignatureAlgorithmSuite `json:"signature_algorithm_suite,omitempty"`
}

AuthenticationSettings contains information about server authentication settings.

type AutoUpdateSettings

type AutoUpdateSettings struct {
	// ToolsVersion defines the version of {tsh, tctl} for client auto update.
	ToolsVersion string `json:"tools_version"`
	// ToolsAutoUpdate indicates if the requesting tools client should be updated.
	ToolsAutoUpdate bool `json:"tools_auto_update"`
	// AgentVersion defines the version of teleport that agents enrolled into autoupdates should run.
	AgentVersion string `json:"agent_version"`
	// AgentAutoUpdate indicates if the requesting agent should attempt to update now.
	AgentAutoUpdate bool `json:"agent_auto_update"`
	// AgentUpdateJitterSeconds defines the jitter time an agent should wait before updating.
	AgentUpdateJitterSeconds int `json:"agent_update_jitter_seconds"`
}

AutoUpdateSettings contains information about the auto update requirements.

type Config

type Config struct {
	// Context is a context for creating webclient requests.
	Context context.Context
	// ProxyAddr specifies the teleport proxy address for requests.
	ProxyAddr string
	// Insecure turns off TLS certificate verification when enabled.
	Insecure bool
	// Pool defines the set of root CAs to use when verifying server
	// certificates.
	Pool *x509.CertPool
	// ConnectorName is the name of the ODIC or SAML connector.
	ConnectorName string
	// ExtraHeaders is a map of extra HTTP headers to be included in
	// requests.
	ExtraHeaders map[string]string
	// Timeout is a timeout for requests.
	Timeout time.Duration
	// TraceProvider is used to retrieve a Tracer for creating spans
	TraceProvider oteltrace.TracerProvider
	// UpdateGroup is used to vary the webapi response based on the
	// client's auto-update group.
	UpdateGroup string
}

Config specifies information when building requests with the webclient.

func (*Config) CheckAndSetDefaults

func (c *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type DBProxySettings

type DBProxySettings struct {
	// PostgresListenAddr is Postgres proxy listen address.
	PostgresListenAddr string `json:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is advertised to Postgres clients.
	PostgresPublicAddr string `json:"postgres_public_addr,omitempty"`
	// MySQLListenAddr is MySQL proxy listen address.
	MySQLListenAddr string `json:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is advertised to MySQL clients.
	MySQLPublicAddr string `json:"mysql_public_addr,omitempty"`
	// MongoListenAddr is Mongo proxy listen address.
	MongoListenAddr string `json:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is advertised to Mongo clients.
	MongoPublicAddr string `json:"mongo_public_addr,omitempty"`
}

DBProxySettings contains database access specific proxy settings.

type DeviceTrustSettings

type DeviceTrustSettings struct {
	Disabled   bool `json:"disabled,omitempty"`
	AutoEnroll bool `json:"auto_enroll,omitempty"`
}

DeviceTrustSettings holds cluster-wide device trust settings that are liable to change client behavior.

type EntitlementInfo

type EntitlementInfo struct {
	// Enabled indicates the feature is 'on' if true; feature is disabled if false
	Enabled bool `json:"enabled"`
	// Limit indicates the allotted amount of use when limited; if 0 use is unlimited
	Limit int32 `json:"limit"`
}

EntitlementInfo is the state and limits of a particular entitlement; Example for feature X: { Enabled: true, Limit: 0 } => unlimited access to feature X { Enabled: true, Limit: >0 } => limited access to feature X { Enabled: false, Limit: >=0 } => no access to feature X

type FeatureLimits

type FeatureLimits struct {
	// Limit for the number of access list creatable when feature is
	// not enabled.
	AccessListCreateLimit int `json:"accessListCreateLimit"`
	// Defines the max number of days to include in an access report if
	// feature is not enabled.
	AccessMonitoringMaxReportRangeLimit int `json:"accessMonitoringMaxReportRangeLimit"`
	// AccessRequestMonthlyRequestLimit is the usage-based limit for the number of
	// access requests created in a calendar month.
	AccessRequestMonthlyRequestLimit int `json:"AccessRequestMonthlyRequestLimit"`
}

featureLimits define limits for features. Typically used with feature teasers if feature is not enabled for the product type eg: Team product contains teasers to upgrade to Enterprise.

type GithubSettings

type GithubSettings struct {
	// Name is the internal name of the connector
	Name string `json:"name"`
	// Display is the connector display name
	Display string `json:"display"`
	// EndpointURL is the endpoint URL.
	EndpointURL string
}

GithubSettings contains the Name and Display string for Github connector.

type KubeProxySettings

type KubeProxySettings struct {
	// Enabled is true when kubernetes proxy is enabled
	Enabled bool `json:"enabled,omitempty"`
	// PublicAddr is a kubernetes proxy public address if set
	PublicAddr string `json:"public_addr,omitempty"`
	// ListenAddr is the address that the kubernetes proxy is listening for
	// connections on.
	ListenAddr string `json:"listen_addr,omitempty"`
}

KubeProxySettings is kubernetes proxy settings

type LocalSettings

type LocalSettings struct {
	// Name is the name of the local connector.
	Name string `json:"name"`
}

LocalSettings holds settings for local authentication.

type MotD

type MotD struct {
	Text string
}

MotD holds data about the current message of the day.

func GetMOTD

func GetMOTD(cfg *Config) (*MotD, error)

GetMOTD retrieves the Message Of The Day from the web proxy.

type OIDCSettings

type OIDCSettings struct {
	// Name is the internal name of the connector.
	Name string `json:"name"`
	// Display is the display name for the connector.
	Display string `json:"display"`
	// Issuer URL is the endpoint of the provider
	IssuerURL string
}

OIDCSettings contains the Name and Display string for OIDC.

type ParseHostPortOpt

type ParseHostPortOpt func(host, port string) (hostR, portR string)

func WithDefaultPort

func WithDefaultPort(defaultPort int) ParseHostPortOpt

WithDefaultPort replaces the parse port with the default port if empty.

func WithOverridePort

func WithOverridePort(overridePort int) ParseHostPortOpt

WithOverridePort replaces the parsed port with the override port.

type PingError

type PingError struct {
	Message string `json:"message"`
}

PingError contains the string message from /webapi/ping.

type PingErrorResponse

type PingErrorResponse struct {
	Error PingError `json:"error"`
}

PingErrorResponse contains the error from /webapi/ping.

type PingResponse

type PingResponse struct {
	// Auth contains the forms of authentication the auth server supports.
	Auth AuthenticationSettings `json:"auth"`
	// Proxy contains the proxy settings.
	Proxy ProxySettings `json:"proxy"`
	// ServerVersion is the version of Teleport that is running.
	ServerVersion string `json:"server_version"`
	// MinClientVersion is the minimum client version required by the server.
	MinClientVersion string `json:"min_client_version"`
	// AutoUpdateSettings contains the auto update settings.
	AutoUpdate AutoUpdateSettings `json:"auto_update"`
	// ClusterName contains the name of the Teleport cluster.
	ClusterName string `json:"cluster_name"`

	// reserved: license_warnings ([]string)
	// AutomaticUpgrades describes whether agents should automatically upgrade.
	AutomaticUpgrades bool `json:"automatic_upgrades"`
	// Edition represents the Teleport edition. Possible values are "oss", "ent", and "community".
	Edition string `json:"edition"`
	// FIPS represents if Teleport is using FIPS-compliant cryptography.
	FIPS bool `json:"fips"`
}

PingResponse contains data about the Teleport server like supported authentication types, server version, etc.

func Find

func Find(cfg *Config) (*PingResponse, error)

Find fetches discovery data by connecting to the given web proxy address. It is designed to fetch proxy public addresses without any inefficiencies.

func Ping

func Ping(cfg *Config) (*PingResponse, error)

Ping serves two purposes. The first is to validate the HTTP endpoint of a Teleport proxy. This leads to better user experience: users get connection errors before being asked for passwords. The second is to return the form of authentication that the server supports. This also leads to better user experience: users only get prompted for the type of authentication the server supports.

type ProxySettings

type ProxySettings struct {
	// Kube is a kubernetes specific proxy section
	Kube KubeProxySettings `json:"kube"`
	// SSH is SSH specific proxy settings
	SSH SSHProxySettings `json:"ssh"`
	// DB contains database access specific proxy settings
	DB DBProxySettings `json:"db"`
	// TLSRoutingEnabled indicates that proxy supports ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool `json:"tls_routing_enabled"`
}

ProxySettings contains basic information about proxy settings

func (*ProxySettings) SSHProxyHostPort

func (ps *ProxySettings) SSHProxyHostPort() (host, port string, err error)

SSHProxyHostPort returns the ssh proxy host and port for the proxy settings.

func (*ProxySettings) TunnelAddr

func (ps *ProxySettings) TunnelAddr() (string, error)

type ReusableClient

type ReusableClient struct {
	// contains filtered or unexported fields
}

ReusableClient is a webproxy client that allows the caller to make multiple calls without having to buildi a new HTTP client each time. Before retiring the client, you must make sure no calls are still in-flight, then call ReusableClient.CloseIdleConnections().

func NewReusableClient

func NewReusableClient(cfg *Config) (*ReusableClient, error)

NewReusableClient creates a reusable webproxy client. If you need to do a single call, use the webclient.Ping or webclient.Find functions instead.

func (*ReusableClient) CloseIdleConnections

func (c *ReusableClient) CloseIdleConnections()

CloseIdleConnections closes any connections on its [Transport] which were previously connected from previous requests but are now sitting idle in a "keep-alive" state. It does not interrupt any connections currently in use.

This must be run before retiring the ReusableClient.

func (*ReusableClient) Find

func (c *ReusableClient) Find() (*PingResponse, error)

Find fetches discovery data by connecting to the given web proxy address. It is designed to fetch proxy public addresses without any inefficiencies.

func (*ReusableClient) GetMOTD

func (c *ReusableClient) GetMOTD() (*MotD, error)

GetMOTD retrieves the Message Of The Day from the web proxy.

func (*ReusableClient) Ping

func (c *ReusableClient) Ping() (*PingResponse, error)

Ping serves two purposes. The first is to validate the HTTP endpoint of a Teleport proxy. This leads to better user experience: users get connection errors before being asked for passwords. The second is to return the form of authentication that the server supports. This also leads to better user experience: users only get prompted for the type of authentication the server supports.

type SAMLSettings

type SAMLSettings struct {
	// Name is the internal name of the connector.
	Name string `json:"name"`
	// Display is the display name for the connector.
	Display string `json:"display"`
	// SingleLogoutEnabled is whether SAML SLO (single logout) is enabled for this auth connector.
	SingleLogoutEnabled bool `json:"singleLogoutEnabled,omitempty"`
	// SSO is the URL of the identity provider's SSO service.
	SSO string
}

SAMLSettings contains the Name and Display string for SAML

type SSHProxySettings

type SSHProxySettings struct {
	// ListenAddr is the address that the SSH proxy is listening for
	// connections on.
	ListenAddr string `json:"listen_addr,omitempty"`

	// TunnelListenAddr is the address that the SSH reverse tunnel is
	// listening for connections on.
	TunnelListenAddr string `json:"tunnel_listen_addr,omitempty"`

	// WebListenAddr is the address where the proxy web handler is listening.
	WebListenAddr string `json:"web_listen_addr,omitempty"`

	// PublicAddr is the public address of the HTTP proxy.
	PublicAddr string `json:"public_addr,omitempty"`

	// SSHPublicAddr is the public address of the SSH proxy.
	SSHPublicAddr string `json:"ssh_public_addr,omitempty"`

	// TunnelPublicAddr is the public address of the SSH reverse tunnel.
	TunnelPublicAddr string `json:"ssh_tunnel_public_addr,omitempty"`

	// DialTimeout indicates the SSH timeout clients should use.
	DialTimeout time.Duration `json:"dial_timeout,omitempty"`
}

SSHProxySettings is SSH specific proxy settings.

type U2FSettings

type U2FSettings struct {
	// AppID is the U2F AppID.
	AppID string `json:"app_id"`
}

U2FSettings contains the AppID for Universal Second Factor.

type UIConfig

type UIConfig struct {
	// ScrollbackLines is the max number of lines the UI terminal can display in its history
	ScrollbackLines int `json:"scrollbackLines,omitempty"`
	// ShowResources determines which resources are shown in the web UI. Default if unset is "requestable"
	// which means resources the user has access to and resources they can request will be shown in the
	// resources UI. If set to `accessible_only`, only resources the user already has access to will be shown.
	ShowResources constants.ShowResources `json:"showResources,omitempty"`
}

UIConfig provides config options for the web UI served by the proxy service.

type WebConfig

type WebConfig struct {
	// Auth contains Teleport auth. preferences
	Auth WebConfigAuthSettings `json:"auth,omitempty"`
	// CanJoinSessions disables joining sessions
	CanJoinSessions bool `json:"canJoinSessions"`
	// ProxyClusterName is the name of the local cluster
	ProxyClusterName string `json:"proxyCluster,omitempty"`
	// IsCloud is a flag that determines if cloud features are enabled.
	IsCloud bool `json:"isCloud,omitempty"`
	// TunnelPublicAddress is the public ssh tunnel address
	TunnelPublicAddress string `json:"tunnelPublicAddress,omitempty"`
	// RecoveryCodesEnabled is a flag that determines if recovery codes are enabled in the cluster.
	RecoveryCodesEnabled bool `json:"recoveryCodesEnabled,omitempty"`
	// UIConfig is the configuration for the web UI
	UI UIConfig `json:"ui,omitempty"`
	// IsDashboard is a flag that determines if the cluster is running as a "dashboard".
	// The web UI for dashboards provides functionality for downloading self-hosted licenses and
	// Teleport Enterprise binaries.
	IsDashboard bool `json:"isDashboard,omitempty"`
	// IsUsageBasedBilling determines if the cloud user subscription is usage-based (pay-as-you-go).
	IsUsageBasedBilling bool `json:"isUsageBasedBilling,omitempty"`
	// AutomaticUpgrades describes whether agents should automatically upgrade.
	AutomaticUpgrades bool `json:"automaticUpgrades"`
	// AutomaticUpgradesTargetVersion is the agents version (eg kube agent helm chart) that should be installed.
	// Eg, v13.4.3
	// Only present when AutomaticUpgrades are enabled.
	AutomaticUpgradesTargetVersion string `json:"automaticUpgradesTargetVersion,omitempty"`
	// CustomTheme is a string that represents the name of the custom theme that the WebUI should use.
	CustomTheme string `json:"customTheme"`
	// Questionnaire indicates whether cluster users should get an onboarding questionnaire
	Questionnaire bool `json:"questionnaire"`
	// IsStripeManaged indicates if the cluster billing & lifecycle is managed via Stripe
	IsStripeManaged bool `json:"isStripeManaged"`
	// PremiumSupport indicates whether the customer has premium support
	PremiumSupport bool `json:"premiumSupport"`
	// Edition is the edition of Teleport
	Edition string `json:"edition"`
	// PlayableDatabaseProtocols is a list of database protocols which session
	// recordings can be played.
	PlayableDatabaseProtocols []string `json:"playable_db_protocols"`
	// entitlements define a customer’s access to a specific features
	Entitlements map[string]EntitlementInfo `json:"entitlements,omitempty"`

	// Deprecated Fields
	// Deprecated: IsTeam is true if [Features.ProductType] = Team
	// Prefer checking the cluster features over this flag, as this will be removed.
	IsTeam bool `json:"isTeam"`
	// HideInaccessibleFeatures is true when features should be undiscoverable to users without the necessary permissions.
	// Usually, in order to encourage discoverability of features, we show UI elements even if the user doesn't have permission to access them,
	// this flag disables that behavior.
	// Deprecated, use entitlements
	HideInaccessibleFeatures bool `json:"hideInaccessibleFeatures"`
	// IsIGSEnabled is true if [Features.IdentityGovernance] = true
	// Deprecated, use entitlements
	IsIGSEnabled bool `json:"isIgsEnabled"`
	// IsPolicyEnabled is true if [Features.Policy] = true
	// Deprecated, use entitlements
	IsPolicyEnabled bool `json:"isPolicyEnabled"`
	// featureLimits define limits for features.
	// Typically used with feature teasers if feature is not enabled for the
	// product type eg: Team product contains teasers to upgrade to Enterprise.
	// Deprecated, use entitlements
	FeatureLimits FeatureLimits `json:"featureLimits"`
	// ExternalAuditStorage indicates whether the EAS feature is enabled in the cluster.
	// Deprecated, use entitlements
	ExternalAuditStorage bool `json:"externalAuditStorage"`
	// JoinActiveSessions indicates whether joining active sessions via web UI is enabled
	// Deprecated, use entitlements
	JoinActiveSessions bool `json:"joinActiveSessions"`
	// AccessRequests indicates whether access requests are enabled
	// Deprecated, use entitlements
	AccessRequests bool `json:"accessRequests"`
	// TrustedDevices indicates whether trusted devices page is enabled
	// Deprecated, use entitlements
	TrustedDevices bool `json:"trustedDevices"`
	// OIDC indicates whether the OIDC integration flow is enabled
	// Deprecated, use entitlements
	OIDC bool `json:"oidc"`
	// SAML indicates whether the SAML integration flow is enabled
	// Deprecated, use entitlements
	SAML bool `json:"saml"`
	// MobileDeviceManagement indicates whether adding Jamf plugin is enabled
	// Deprecated, use entitlements
	MobileDeviceManagement bool `json:"mobileDeviceManagement"`
}

WebConfig is web application configuration served by the backend to be used in frontend apps.

type WebConfigAuthProvider

type WebConfigAuthProvider struct {
	// Name is this provider ID
	Name string `json:"name,omitempty"`
	// DisplayName is this provider display name
	DisplayName string `json:"displayName,omitempty"`
	// Type is this provider type
	Type string `json:"type,omitempty"`
	// WebAPIURL is this provider webapi URL
	WebAPIURL string `json:"url,omitempty"`
}

WebConfigAuthProvider describes auth. provider

type WebConfigAuthSettings

type WebConfigAuthSettings struct {
	// SecondFactor is the type of second factor to use in authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// Providers contains a list of configured auth providers
	Providers []WebConfigAuthProvider `json:"providers,omitempty"`
	// LocalAuthEnabled is a flag that enables local authentication
	LocalAuthEnabled bool `json:"localAuthEnabled"`
	// AllowPasswordless is true if passwordless logins are allowed.
	AllowPasswordless bool `json:"allowPasswordless,omitempty"`
	// AuthType is the authentication type.
	AuthType string `json:"authType"`
	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
	// when various options are available.
	// It is empty if there is nothing to suggest.
	PreferredLocalMFA constants.SecondFactorType `json:"preferredLocalMfa,omitempty"`
	// LocalConnectorName is the name of the local connector.
	LocalConnectorName string `json:"localConnectorName,omitempty"`
	// PrivateKeyPolicy is the configured private key policy for the cluster.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"privateKeyPolicy,omitempty"`
	// MOTD is message of the day. MOTD is displayed to users before login.
	MOTD string `json:"motd"`
}

WebConfigAuthSettings describes auth configuration

type Webauthn

type Webauthn struct {
	// RPID is the Webauthn Relying Party ID used by the server.
	RPID string `json:"rp_id"`
}

Webauthn holds MFA settings for Web Authentication.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL