client

package
v0.0.0-...-e6c23cd Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 24, 2024 License: Apache-2.0 Imports: 121 Imported by: 41

README

This package is documented using a combination of pkg.go.dev and Teleport Docs.

Reference

Documentation

Overview

Package client provides a gRPC implementation of the Teleport Auth client. This client can be used to programatically interact with a Teleport Auth server.

Index

Examples

Constants

This section is empty.

Variables

View Source
var ErrClientCredentialsHaveExpired = &trace.AccessDeniedError{Message: "access denied: client credentials have expired, please relogin."}

ErrClientCredentialsHaveExpired means that the credentials expired on the server-side and the user should relogin.

Functions

func ConfigureALPN

func ConfigureALPN(tlsConfig *tls.Config, clusterName string) *tls.Config

ConfigureALPN configures ALPN SNI cluster routing information in TLS settings allowing for allowing to dial auth service through Teleport Proxy directly without using SSH Tunnels.

func DialALPN

func DialALPN(ctx context.Context, addr string, cfg ALPNDialerConfig) (*tls.Conn, error)

DialALPN a helper to dial using an ALPNDialer and returns a tls.Conn if successful.

func DialProxy

func DialProxy(ctx context.Context, proxyURL *url.URL, addr string, opts ...DialProxyOption) (net.Conn, error)

DialProxy creates a connection to a server via an HTTP or SOCKS5 Proxy.

func DialProxyWithDialer

func DialProxyWithDialer(
	ctx context.Context,
	proxyURL *url.URL,
	addr string,
	dialer ContextDialer,
	opts ...DialProxyOption,
) (net.Conn, error)

DialProxyWithDialer creates a connection to a server via an HTTP or SOCKS5 Proxy using a specified dialer.

func EventFromGRPC

func EventFromGRPC(in *proto.Event) (*types.Event, error)

EventFromGRPC converts proto.Event to types.Event

func EventToGRPC

func EventToGRPC(in types.Event) (*proto.Event, error)

EventToGRPC converts types.Event to proto.Event.

func EventTypeFromGRPC

func EventTypeFromGRPC(in proto.Operation) (types.OpType, error)

EventTypeFromGRPC converts proto.Operation to types.OpType

func EventTypeToGRPC

func EventTypeToGRPC(in types.OpType) (proto.Operation, error)

EventTypeToGRPC converts types.OpType to proto.Operation

func GRPCContextDialer

func GRPCContextDialer(dialer ContextDialer) func(context.Context, string) (net.Conn, error)

GRPCContextDialer converts a ContextDialer to a function used for grpc.WithContextDialer.

func GetAllResources

GetAllResources is a helper for getting all existing resources that match the provided request. In addition to iterating pages, it also correctly handles downsizing pages when LimitExceeded errors are encountered.

func GetAllUnifiedResources

GetAllUnifiedResources is a helper for getting all existing resources that match the provided request. In addition to iterating pages, it also correctly handles downsizing pages when LimitExceeded errors are encountered.

func GetKubernetesResourcesWithFilters

GetKubernetesResourcesWithFilters is a helper for getting a list of kubernetes resources with optional filtering. In addition to iterating pages, it also correctly handles downsizing pages when LimitExceeded errors are encountered.

func GetResourcesWithFilters

func GetResourcesWithFilters(ctx context.Context, clt ListResourcesClient, req proto.ListResourcesRequest) ([]types.ResourceWithLabels, error)

GetResourcesWithFilters is a helper for getting a list of resources with optional filtering. In addition to iterating pages, it also correctly handles downsizing pages when LimitExceeded errors are encountered.

GetAllResources or GetResourcePage should be preferred for client side operations to avoid converting from []types.ResourceWithLabels to concrete types.

func GetUnifiedResourcePage

GetUnifiedResourcePage is a helper for getting a single page of unified resources that match the provided request.

func InventoryControlStreamPipe

InventoryControlStreamPipe creates the two halves of an inventory control stream over an in-memory pipe.

func IsALPNConnUpgradeRequired

func IsALPNConnUpgradeRequired(ctx context.Context, addr string, insecure bool, opts ...DialOption) bool

IsALPNConnUpgradeRequired returns true if a tunnel is required through a HTTP connection upgrade for ALPN connections.

The function makes a test connection to the Proxy Service and checks if the ALPN is supported. If not, the Proxy Service is likely behind an AWS ALB or some custom proxy services that strip out ALPN and SNI information on the way to our Proxy Service.

In those cases, the Teleport client should make a HTTP "upgrade" call to the Proxy Service to establish a tunnel for the originally planned traffic to preserve the ALPN and SNI information.

Example

Perform ALPN handshake test to see if ALPN connection upgrade is required.

$ TELEPORT_ALPN_TEST_ADDR=proxy.example.com:443 go test -run=ExampleIsALPNConnUpgradeRequired -v

Note that "Output" is set to "false" to mark this as a testable example.

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/gravitational/teleport/api/client"
)

func main() {
	addr := os.Getenv("TELEPORT_ALPN_TEST_ADDR")
	fmt.Println(client.IsALPNConnUpgradeRequired(context.Background(), addr, false))
}
Output:

false

func IsALPNPingProtocol

func IsALPNPingProtocol(protocol string) bool

IsALPNPingProtocol checks if the provided protocol is suffixed with Ping.

func NewOktaClient

func NewOktaClient(ctx context.Context, cfg Config) (*okta.Client, error)

NewOktaClient creates a new Okta client for managing Okta resources.

func NewTracingClient

func NewTracingClient(ctx context.Context, cfg Config) (*tracing.Client, error)

NewTracingClient creates a new tracing.Client that will forward spans to the connected Teleport server. See New for details on how the connection it established.

func OverwriteALPNConnUpgradeRequirementByEnv

func OverwriteALPNConnUpgradeRequirementByEnv(addr string) (bool, bool)

OverwriteALPNConnUpgradeRequirementByEnv overwrites ALPN connection upgrade requirement by environment variable.

TODO(greedy52) DELETE in ??. Note that this toggle was planned to be deleted in 15.0 when the feature exits preview. However, many users still rely on this manual toggle as IsALPNConnUpgradeRequired cannot detect many situations where connection upgrade is required. This can be deleted once IsALPNConnUpgradeRequired is improved.

Types

type ALPNDialer

type ALPNDialer struct {
	// contains filtered or unexported fields
}

ALPNDialer is a ContextDialer that dials a connection to the Proxy Service with ALPN and SNI configured in the provided TLSConfig. An ALPN connection upgrade is also performed at the initial connection, if an upgrade is required.

func (*ALPNDialer) DialContext

func (d *ALPNDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error)

DialContext implements ContextDialer.

type ALPNDialerConfig

type ALPNDialerConfig struct {
	// KeepAlivePeriod defines period between keep alives.
	KeepAlivePeriod time.Duration
	// DialTimeout defines how long to attempt dialing before timing out.
	DialTimeout time.Duration
	// TLSConfig is the TLS config used for the TLS connection.
	TLSConfig *tls.Config
	// ALPNConnUpgradeRequired specifies if ALPN connection upgrade is required.
	ALPNConnUpgradeRequired bool
	// GetClusterCAs is an optional callback function to fetch cluster
	// CAs when connection upgrade is required. If not provided, it's assumed
	// the proper CAs are already present in TLSConfig.
	GetClusterCAs GetClusterCAsFunc
	// PROXYHeaderGetter is used if present to get signed PROXY headers to propagate client's IP.
	// Used by proxy's web server to make calls on behalf of connected clients.
	PROXYHeaderGetter PROXYHeaderGetter
}

ALPNDialerConfig is the config for ALPNDialer.

type AuthServiceClient

AuthServiceClient keeps the interfaces implemented by the auth service.

type Client

type Client struct {

	// JoinServiceClient is a client for the JoinService, which runs on both the
	// auth and proxy.
	*JoinServiceClient
	// contains filtered or unexported fields
}

Client is a gRPC Client that connects to a Teleport Auth server either locally or over ssh through a Teleport web proxy or tunnel proxy.

This client can be used to cover a variety of Teleport use cases, such as programmatically handling access requests, integrating with external tools, or dynamically configuring Teleport.

Example (RoleCRUD)

Below is an example of creating a new Teleport Auth client with Profile credentials, and using that client to create, get, and delete a Role resource object.

Make sure to look at the Getting Started guide before attempting to run this example.

package main

import (
	"context"
	"log"
	"time"

	"github.com/gravitational/teleport/api/client"
	"github.com/gravitational/teleport/api/types"
)

func main() {
	ctx := context.Background()

	// Create a new client in your go file.
	clt, err := client.New(ctx, client.Config{
		Credentials: []client.Credentials{
			client.LoadProfile("", ""),
		},
		// set to true if your Teleport web proxy doesn't have HTTP/TLS certificate
		// configured yet (never use this in production).
		InsecureAddressDiscovery: false,
	})
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	defer clt.Close()

	// Resource Spec structs reflect their Resource's yaml definition.
	roleSpec := types.RoleSpecV6{
		Options: types.RoleOptions{
			MaxSessionTTL: types.Duration(time.Hour),
		},
		Allow: types.RoleConditions{
			Logins: []string{"role1"},
			Rules: []types.Rule{
				types.NewRule(types.KindAccessRequest, []string{types.VerbList, types.VerbRead}),
			},
		},
		Deny: types.RoleConditions{
			NodeLabels: types.Labels{"*": []string{"*"}},
		},
	}

	// There are helper functions for creating Teleport resources.
	role, err := types.NewRole("role1", roleSpec)
	if err != nil {
		log.Fatalf("failed to get role: %v", err)
	}

	// Getters and setters can be used to alter specs.
	role.SetLogins(types.Allow, []string{"root"})

	// Upsert overwrites the resource if it exists. Use this to create/update resources.
	// Equivalent to `tctl create -f role1.yaml`.
	role, err = clt.UpsertRole(ctx, role)
	if err != nil {
		log.Fatalf("failed to create role: %v", err)
	}

	// Equivalent to `tctl get role/role1`.
	role, err = clt.GetRole(ctx, "role1")
	if err != nil {
		log.Fatalf("failed to get role: %v", err)
	}

	// Equivalent to `tctl rm role/role1`.
	err = clt.DeleteRole(ctx, "role1")
	if err != nil {
		log.Fatalf("failed to delete role: %v", err)
	}
}
Output:

func New

func New(ctx context.Context, cfg Config) (*Client, error)

New creates a new Client with an open connection to a Teleport server.

New will try to open a connection with all combinations of addresses and credentials. The first successful connection to a server will be used, or an aggregated error will be returned if all combinations fail.

cfg.Credentials must be non-empty. One of cfg.Addrs and cfg.Dialer must be non-empty, unless LoadProfile is used to fetch Credentials and load a web proxy dialer.

See the example below for usage.

Example
package main

import (
	"context"
	"log"
	"os"

	"github.com/gravitational/teleport/api/client"
)

func main() {
	ctx := context.Background()
	clt, err := client.New(ctx, client.Config{
		// Multiple Addresses can be provided to attempt to
		// connect to the auth server. At least one address
		// must be provided, except when using the ProfileCreds.
		Addrs: []string{
			// The Auth server address can be provided to connect locally.
			"auth.example.com:3025",
			// The tunnel proxy address can be provided
			// to connect to the Auth server over SSH.
			"proxy.example.com:3024",
			// The web proxy address can be provided to automatically
			// find the tunnel proxy address and connect using it.
			"proxy.example.com:3080",
		},
		// Multiple Credentials can be provided to attempt to authenticate
		// the client. At least one Credentials object must be provided.
		Credentials: []client.Credentials{
			client.LoadProfile("", ""),
			client.LoadIdentityFile("identity-path"),
			client.LoadKeyPair("cert.crt", "cert.key", "cert.cas"),
			client.LoadIdentityFileFromString(os.Getenv("TELEPORT_IDENTITY")),
		},
		// set to true if your web proxy doesn't have HTTP/TLS certificate
		// configured yet (never use this in production).
		InsecureAddressDiscovery: false,
	})
	if err != nil {
		log.Fatal(err)
	}
	defer clt.Close()

	clt.Ping(ctx)
}
Output:

func (*Client) AccessListClient

func (c *Client) AccessListClient() *accesslist.Client

AccessListClient returns an access list client. Clients connecting to older Teleport versions, still get an access list client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) AccessMonitoringRulesClient

func (c *Client) AccessMonitoringRulesClient() *accessmonitoringrules.Client

AccessMonitoringRulesClient returns an Access Monitoring Rules client. Clients connecting to older Teleport versions, still get an access list client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) AcquireSemaphore

func (c *Client) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)

AcquireSemaphore acquires lease with requested resources from semaphore.

func (*Client) AddMFADeviceSync

AddMFADeviceSync adds a new MFA device.

func (*Client) AppendDiagnosticTrace

func (c *Client) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)

AppendDiagnosticTrace adds a new trace for the given ConnectionDiagnostic.

func (*Client) AssertSystemRole

func (c *Client) AssertSystemRole(ctx context.Context, req proto.SystemRoleAssertion) error

AssertSystemRole is used by agents to prove that they have a given system role when their credentials originate from multiple separate join tokens so that they can be issued an instance certificate that encompasses all of their capabilities. This method will be deprecated once we have a more comprehensive model for join token joining/replacement.

func (*Client) BotInstanceServiceClient

func (c *Client) BotInstanceServiceClient() machineidv1pb.BotInstanceServiceClient

BotInstanceServiceClient returns an unadorned client for the bot instance service

func (*Client) BotServiceClient

func (c *Client) BotServiceClient() machineidv1pb.BotServiceClient

BotServiceClient returns an unadorned client for the bot service.

func (*Client) CancelSemaphoreLease

func (c *Client) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

CancelSemaphoreLease cancels semaphore lease early.

func (*Client) ChangePassword

func (c *Client) ChangePassword(ctx context.Context, req *proto.ChangePasswordRequest) error

func (*Client) ChangeUserAuthentication

ChangeUserAuthentication allows a user with a reset or invite token to change their password and if enabled also adds a new mfa device. Upon success, creates new web session and creates new set of recovery codes (if user meets requirements).

func (*Client) ClearAlertAcks

func (c *Client) ClearAlertAcks(ctx context.Context, req proto.ClearAlertAcksRequest) error

ClearAlertAcks clears alert acknowledgments.

func (*Client) Close

func (c *Client) Close() error

Close closes the Client connection to the auth server.

func (*Client) ClusterConfigClient

func (c *Client) ClusterConfigClient() clusterconfigpb.ClusterConfigServiceClient

ClusterConfigClient returns an unadorned Cluster Configuration client, using the underlying Auth gRPC connection.

func (*Client) CompleteAccountRecovery

func (c *Client) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

CompleteAccountRecovery sets a new password or adds a new mfa device, allowing user to regain access to their account using the new credentials. Represents the last step in the account recovery process after RPC's StartAccountRecovery and VerifyAccountRecovery.

func (*Client) Config

func (c *Client) Config() *tls.Config

Config returns the tls.Config the client connected with.

func (*Client) CreateAccessRequestV2

func (c *Client) CreateAccessRequestV2(ctx context.Context, req types.AccessRequest) (types.AccessRequest, error)

CreateAccessRequestV2 registers a new access request with the auth server.

func (*Client) CreateAccountRecoveryCodes

func (c *Client) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes creates new set of recovery codes for a user, replacing and invalidating any previously owned codes.

func (*Client) CreateAlertAck

func (c *Client) CreateAlertAck(ctx context.Context, ack types.AlertAcknowledgement) error

CreateAlertAck marks a cluster alert as acknowledged.

func (*Client) CreateApp

func (c *Client) CreateApp(ctx context.Context, app types.Application) error

CreateApp creates a new application resource.

func (*Client) CreateAppSession

func (c *Client) CreateAppSession(ctx context.Context, req *proto.CreateAppSessionRequest) (types.WebSession, error)

CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.

func (*Client) CreateAuditStream

func (c *Client) CreateAuditStream(ctx context.Context, sessionID string) (events.Stream, error)

CreateAuditStream creates new audit stream.

func (*Client) CreateAuthenticateChallenge

CreateAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.

func (*Client) CreateAutoUpdateAgentRollout

func (c *Client) CreateAutoUpdateAgentRollout(ctx context.Context, rollout *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)

CreateAutoUpdateAgentRollout creates AutoUpdateAgentRollout resource.

func (*Client) CreateAutoUpdateConfig

func (c *Client) CreateAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)

CreateAutoUpdateConfig creates AutoUpdateConfig resource.

func (*Client) CreateAutoUpdateVersion

func (c *Client) CreateAutoUpdateVersion(ctx context.Context, version *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)

CreateAutoUpdateVersion creates AutoUpdateVersion resource.

func (*Client) CreateConnectionDiagnostic

func (c *Client) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

CreateConnectionDiagnostic creates a new connection diagnostic.

func (*Client) CreateDatabase

func (c *Client) CreateDatabase(ctx context.Context, database types.Database) error

CreateDatabase creates a new database resource.

func (*Client) CreateDeviceResource

func (c *Client) CreateDeviceResource(ctx context.Context, res *types.DeviceV1) (*types.DeviceV1, error)

CreateDeviceResource creates a device using its resource representation. Prefer using [DevicesClient] directly if you can.

func (*Client) CreateGithubAuthRequest

func (c *Client) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)

CreateGithubAuthRequest creates GithubAuthRequest.

func (*Client) CreateGithubConnector

func (c *Client) CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)

CreateGithubConnector creates a Github connector.

func (*Client) CreateGlobalNotification

CreateGlobalNotification creates a global notification.

func (*Client) CreateIntegration

func (c *Client) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)

CreateIntegration creates a new Integration.

func (*Client) CreateKubernetesCluster

func (c *Client) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*Client) CreateKubernetesWaitingContainer

CreateKubernetesWaitingContainer creates a Kubernetes ephemeral container that are waiting to be created until moderated session conditions are met.

func (*Client) CreateLoginRule

func (c *Client) CreateLoginRule(ctx context.Context, rule *loginrulepb.LoginRule) (*loginrulepb.LoginRule, error)

CreateLoginRule creates a login rule if one with the same name does not already exist, else it returns an error.

func (*Client) CreateOIDCAuthRequest

func (c *Client) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest.

func (*Client) CreateOIDCConnector

func (c *Client) CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)

CreateOIDCConnector creates an OIDC connector.

func (*Client) CreatePrivilegeToken

func (c *Client) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.

func (*Client) CreateRegisterChallenge

func (c *Client) CreateRegisterChallenge(ctx context.Context, in *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

CreateRegisterChallenge creates and returns MFA register challenge for a new MFA device.

func (*Client) CreateResetPasswordToken

func (c *Client) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (types.UserToken, error)

CreateResetPasswordToken creates reset password token.

func (*Client) CreateRole

func (c *Client) CreateRole(ctx context.Context, role types.Role) (types.Role, error)

CreateRole creates a new role.

func (*Client) CreateSAMLAuthRequest

func (c *Client) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAMLAuthRequest.

func (*Client) CreateSAMLConnector

func (c *Client) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)

CreateSAMLConnector creates a SAML connector.

func (*Client) CreateSAMLIdPServiceProvider

func (c *Client) CreateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) error

CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource.

func (*Client) CreateSAMLIdPSession

func (c *Client) CreateSAMLIdPSession(ctx context.Context, req types.CreateSAMLIdPSessionRequest) (types.WebSession, error)

CreateSAMLIdPSession creates a SAML IdP session. Deprecated: Do not use. The Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead.

func (*Client) CreateSessionTracker

func (c *Client) CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*Client) CreateSnowflakeSession

func (c *Client) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)

CreateSnowflakeSession creates a Snowflake web session.

func (*Client) CreateToken

func (c *Client) CreateToken(ctx context.Context, token types.ProvisionToken) error

CreateToken creates a provision token.

func (*Client) CreateTrustedCluster

func (c *Client) CreateTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

CreateTrustedCluster creates a Trusted Cluster.

func (*Client) CreateUser

func (c *Client) CreateUser(ctx context.Context, user types.User) (types.User, error)

CreateUser creates a new user from the specified descriptor.

func (*Client) CreateUserGroup

func (c *Client) CreateUserGroup(ctx context.Context, ug types.UserGroup) error

CreateUserGroup creates a new user group resource.

func (*Client) CreateUserNotification

CreateUserNotification creates a user-specific notification.

func (*Client) CreateWindowsDesktop

func (c *Client) CreateWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error

CreateWindowsDesktop registers a new windows desktop host.

func (*Client) CreateWorkloadIdentity

CreateWorkloadIdentity creates a new workload identity, it will not overwrite an existing workload identity with the same name.

func (*Client) CrownJewelServiceClient

func (c *Client) CrownJewelServiceClient() *crownjewelapi.Client

CrownJewelServiceClient returns a CrownJewel client. Clients connecting to older Teleport versions, still get a CrownJewel client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) DatabaseObjectClient

func (c *Client) DatabaseObjectClient() dbobjectv1.DatabaseObjectServiceClient

DatabaseObjectClient returns a client for managing database objects.

func (*Client) DatabaseObjectImportRuleClient

func (c *Client) DatabaseObjectImportRuleClient() dbobjectimportrulev1.DatabaseObjectImportRuleServiceClient

DatabaseObjectImportRuleClient returns a client for managing database object import rules.

func (*Client) DecisionClient

func (c *Client) DecisionClient() decisionpb.DecisionServiceClient

DecisionClient returns an unadorned DecisionService client using the underlying Auth gRPC connection.

func (*Client) DeleteAccessRequest

func (c *Client) DeleteAccessRequest(ctx context.Context, reqID string) error

DeleteAccessRequest deletes an access request.

func (*Client) DeleteAllAppSessions

func (c *Client) DeleteAllAppSessions(ctx context.Context) error

DeleteAllAppSessions removes all application web sessions.

func (*Client) DeleteAllApplicationServers

func (c *Client) DeleteAllApplicationServers(ctx context.Context, namespace string) error

DeleteAllApplicationServers removes all registered application servers.

func (*Client) DeleteAllApps

func (c *Client) DeleteAllApps(ctx context.Context) error

DeleteAllApps deletes all application resources.

func (*Client) DeleteAllDatabaseServers

func (c *Client) DeleteAllDatabaseServers(ctx context.Context, namespace string) error

DeleteAllDatabaseServers removes all registered database proxy servers.

func (*Client) DeleteAllDatabaseServices

func (c *Client) DeleteAllDatabaseServices(ctx context.Context) error

DeleteAllDatabaseServices deletes all DatabaseService resources. If an error occurs, a partial delete may happen.

func (*Client) DeleteAllDatabases

func (c *Client) DeleteAllDatabases(ctx context.Context) error

DeleteAllDatabases deletes all database resources.

func (*Client) DeleteAllInstallers

func (c *Client) DeleteAllInstallers(ctx context.Context) error

DeleteAllInstallers deletes all the installer resources.

func (*Client) DeleteAllIntegrations

func (c *Client) DeleteAllIntegrations(ctx context.Context) error

DeleteAllIntegrations removes all Integrations.

func (*Client) DeleteAllKubernetesClusters

func (c *Client) DeleteAllKubernetesClusters(ctx context.Context) error

DeleteAllKubernetesClusters deletes all kubernetes cluster resources.

func (*Client) DeleteAllKubernetesServers

func (c *Client) DeleteAllKubernetesServers(ctx context.Context) error

DeleteAllKubernetesServers deletes all registered kubernetes servers.

func (*Client) DeleteAllNodes

func (c *Client) DeleteAllNodes(ctx context.Context, namespace string) error

DeleteAllNodes deletes all nodes in a given namespace.

func (*Client) DeleteAllSAMLIdPServiceProviders

func (c *Client) DeleteAllSAMLIdPServiceProviders(ctx context.Context) error

DeleteAllSAMLIdPServiceProviders removes all SAML IdP service providers.

func (*Client) DeleteAllSAMLIdPSessions

func (c *Client) DeleteAllSAMLIdPSessions(ctx context.Context) error

DeleteAllSAMLIdPSessions removes all SAML IdP sessions. Deprecated: Do not use. The Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead.

func (*Client) DeleteAllServerInfos

func (c *Client) DeleteAllServerInfos(ctx context.Context) error

DeleteAllServerInfos deletes all ServerInfos.

func (*Client) DeleteAllSnowflakeSessions

func (c *Client) DeleteAllSnowflakeSessions(ctx context.Context) error

DeleteAllSnowflakeSessions removes all Snowflake web sessions.

func (*Client) DeleteAllUserGroups

func (c *Client) DeleteAllUserGroups(ctx context.Context) error

DeleteAllUserGroups removes all user groups.

func (*Client) DeleteAllWindowsDesktopServices

func (c *Client) DeleteAllWindowsDesktopServices(ctx context.Context) error

DeleteAllWindowsDesktopServices removes all registered windows desktop services.

func (*Client) DeleteAllWindowsDesktops

func (c *Client) DeleteAllWindowsDesktops(ctx context.Context) error

DeleteAllWindowsDesktops removes all registered windows desktop hosts.

func (*Client) DeleteApp

func (c *Client) DeleteApp(ctx context.Context, name string) error

DeleteApp deletes specified application resource.

func (*Client) DeleteAppSession

func (c *Client) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error

DeleteAppSession removes an application web session.

func (*Client) DeleteApplicationServer

func (c *Client) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error

DeleteApplicationServer removes specified application server.

func (*Client) DeleteAutoUpdateAgentRollout

func (c *Client) DeleteAutoUpdateAgentRollout(ctx context.Context) error

DeleteAutoUpdateAgentRollout deletes AutoUpdateAgentRollout resource.

func (*Client) DeleteAutoUpdateConfig

func (c *Client) DeleteAutoUpdateConfig(ctx context.Context) error

DeleteAutoUpdateConfig deletes AutoUpdateConfig resource.

func (*Client) DeleteAutoUpdateVersion

func (c *Client) DeleteAutoUpdateVersion(ctx context.Context) error

DeleteAutoUpdateVersion deletes AutoUpdateVersion resource.

func (*Client) DeleteCertAuthority

func (c *Client) DeleteCertAuthority(ctx context.Context, id types.CertAuthID) error

DeleteCertAuthority removes a CA matching the type and domain.

func (*Client) DeleteClusterMaintenanceConfig

func (c *Client) DeleteClusterMaintenanceConfig(ctx context.Context) error

DeleteClusterMaintenanceConfig deletes the current maintenance window config singleton.

func (*Client) DeleteDatabase

func (c *Client) DeleteDatabase(ctx context.Context, name string) error

DeleteDatabase deletes specified database resource.

func (*Client) DeleteDatabaseServer

func (c *Client) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error

DeleteDatabaseServer removes the specified database proxy server.

func (*Client) DeleteDatabaseService

func (c *Client) DeleteDatabaseService(ctx context.Context, name string) error

DeleteDatabaseService deletes a specific DatabaseService resource.

func (*Client) DeleteDeviceResource

func (c *Client) DeleteDeviceResource(ctx context.Context, id string) error

DeleteDeviceResource deletes a device using its ID (either devicepb.Device.Id or its Metadata.Name). Prefer using [DevicesClient] directly if you can.

func (*Client) DeleteGithubConnector

func (c *Client) DeleteGithubConnector(ctx context.Context, name string) error

DeleteGithubConnector deletes a Github connector by name.

func (*Client) DeleteGlobalNotification

func (c *Client) DeleteGlobalNotification(ctx context.Context, req *notificationsv1pb.DeleteGlobalNotificationRequest) error

DeleteGlobalNotification deletes a global notification.

func (*Client) DeleteInstaller

func (c *Client) DeleteInstaller(ctx context.Context, name string) error

DeleteInstaller deletes the cluster installer resource

func (*Client) DeleteIntegration

func (c *Client) DeleteIntegration(ctx context.Context, name string) error

DeleteIntegration removes an Integration by its name.

func (*Client) DeleteKubernetesCluster

func (c *Client) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster deletes specified kubernetes cluster resource.

func (*Client) DeleteKubernetesServer

func (c *Client) DeleteKubernetesServer(ctx context.Context, hostID, name string) error

DeleteKubernetesServer deletes a named kubernetes server.

func (*Client) DeleteKubernetesWaitingContainer

func (c *Client) DeleteKubernetesWaitingContainer(ctx context.Context, req *kubewaitingcontainerpb.DeleteKubernetesWaitingContainerRequest) error

DeleteKubernetesWaitingContainer deletes a Kubernetes ephemeral container that are waiting to be created until moderated session conditions are met.

func (*Client) DeleteLock

func (c *Client) DeleteLock(ctx context.Context, name string) error

DeleteLock deletes a lock.

func (*Client) DeleteLoginRule

func (c *Client) DeleteLoginRule(ctx context.Context, name string) error

DeleteLoginRule deletes an existing login rule by name.

func (*Client) DeleteMFADeviceSync

func (c *Client) DeleteMFADeviceSync(ctx context.Context, in *proto.DeleteMFADeviceSyncRequest) error

DeleteMFADeviceSync deletes a users MFA device.

func (*Client) DeleteNetworkRestrictions

func (c *Client) DeleteNetworkRestrictions(ctx context.Context) error

DeleteNetworkRestrictions deletes the network restrictions

func (*Client) DeleteNode

func (c *Client) DeleteNode(ctx context.Context, namespace, name string) error

DeleteNode deletes a node by name and namespace.

func (*Client) DeleteOIDCConnector

func (c *Client) DeleteOIDCConnector(ctx context.Context, name string) error

DeleteOIDCConnector deletes an OIDC connector by name.

func (*Client) DeleteRemoteCluster

func (c *Client) DeleteRemoteCluster(ctx context.Context, name string) error

DeleteRemoteCluster creates remote cluster resource

func (*Client) DeleteReverseTunnel

func (c *Client) DeleteReverseTunnel(ctx context.Context, name string) error

DeleteReverseTunnel deletes a reverse tunnel resource

func (*Client) DeleteRole

func (c *Client) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes role by name

func (*Client) DeleteSAMLConnector

func (c *Client) DeleteSAMLConnector(ctx context.Context, name string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*Client) DeleteSAMLIdPServiceProvider

func (c *Client) DeleteSAMLIdPServiceProvider(ctx context.Context, name string) error

DeleteSAMLIdPServiceProvider removes the specified SAML IdP service provider resource.

func (*Client) DeleteSAMLIdPSession

func (c *Client) DeleteSAMLIdPSession(ctx context.Context, req types.DeleteSAMLIdPSessionRequest) error

DeleteSAMLIdPSession removes a SAML IdP session. Deprecated: Do not use. As of v16, the Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead. This endpoint will be removed in v17.

func (*Client) DeleteSemaphore

func (c *Client) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error

DeleteSemaphore deletes a semaphore matching the supplied filter.

func (*Client) DeleteServerInfo

func (c *Client) DeleteServerInfo(ctx context.Context, name string) error

DeleteServerInfo deletes a ServerInfo by name.

func (*Client) DeleteSnowflakeSession

func (c *Client) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error

DeleteSnowflakeSession removes a Snowflake web session.

func (*Client) DeleteToken

func (c *Client) DeleteToken(ctx context.Context, name string) error

DeleteToken deletes a provision token by name.

func (*Client) DeleteTrustedCluster

func (c *Client) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster deletes a Trusted Cluster by name.

func (*Client) DeleteUIConfig

func (c *Client) DeleteUIConfig(ctx context.Context) error

func (*Client) DeleteUser

func (c *Client) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes a user by name.

func (*Client) DeleteUserAppSessions

func (c *Client) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error

DeleteUserAppSessions deletes all user’s application sessions.

func (*Client) DeleteUserGroup

func (c *Client) DeleteUserGroup(ctx context.Context, name string) error

DeleteUserGroup removes the specified user group resource.

func (*Client) DeleteUserNotification

func (c *Client) DeleteUserNotification(ctx context.Context, req *notificationsv1pb.DeleteUserNotificationRequest) error

DeleteUserNotification not implemented: can only be called locally.

func (*Client) DeleteUserSAMLIdPSessions

func (c *Client) DeleteUserSAMLIdPSessions(ctx context.Context, username string) error

DeleteUserSAMLIdPSessions deletes all user’s SAML IdP sessions. Deprecated: Do not use. The Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead.

func (*Client) DeleteWindowsDesktop

func (c *Client) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error

DeleteWindowsDesktop removes the specified windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.

func (*Client) DeleteWindowsDesktopService

func (c *Client) DeleteWindowsDesktopService(ctx context.Context, name string) error

DeleteWindowsDesktopService removes the specified windows desktop service.

func (*Client) DeleteWorkloadIdentity

func (c *Client) DeleteWorkloadIdentity(ctx context.Context, name string) error

DeleteWorkloadIdentity deletes a workload identity by name. It will throw an error if the workload identity does not exist.

func (*Client) DevicesClient

func (c *Client) DevicesClient() devicepb.DeviceTrustServiceClient

DevicesClient returns an unadorned Device Trust client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a devices client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) Dialer

func (c *Client) Dialer() ContextDialer

Dialer returns the ContextDialer the client connected with.

func (*Client) DiscoveryConfigClient

func (c *Client) DiscoveryConfigClient() *discoveryconfig.Client

DiscoveryConfigClient returns a DiscoveryConfig client. Clients connecting to older Teleport versions, still get an DiscoveryConfig client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) DynamicDesktopClient

func (c *Client) DynamicDesktopClient() *dynamicwindows.Client

func (*Client) EmitAuditEvent

func (c *Client) EmitAuditEvent(ctx context.Context, event events.AuditEvent) error

EmitAuditEvent sends an auditable event to the auth server.

func (*Client) ExportUnstructuredEvents

ExportUnstructuredEvents exports events from a given event chunk returned by GetEventExportChunks. This API prioritizes performance over ordering and filtering, and is intended for bulk export of events.

func (*Client) ExportUpgradeWindows

ExportUpgradeWindows is used to load derived upgrade window values for agents that need to export schedules to external upgraders.

func (*Client) ExternalAuditStorageClient

func (c *Client) ExternalAuditStorageClient() *externalauditstorage.Client

ExternalAuditStorageClient returns an unadorned External Audit Storage client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a external audit client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) GenerateAWSOIDCToken

func (c *Client) GenerateAWSOIDCToken(ctx context.Context, integration string) (string, error)

GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.

func (*Client) GenerateAppToken

func (c *Client) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)

GenerateAppToken creates a JWT token with application access.

func (*Client) GenerateCertAuthorityCRL

func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, req *proto.CertAuthorityRequest) (*proto.CRL, error)

GenerateCertAuthorityCRL generates an empty CRL for a CA.

func (*Client) GenerateDatabaseCert

func (c *Client) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates a client certificate used by a database service to authenticate with the database instance, or a server certificate for configuring a self-hosted database, depending on the requester_name.

func (*Client) GenerateHostCerts

func (c *Client) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

GenerateHostCerts generates host certificates.

func (*Client) GenerateOpenSSHCert

func (c *Client) GenerateOpenSSHCert(ctx context.Context, req *proto.OpenSSHCertRequest) (*proto.OpenSSHCert, error)

GenerateOpenSSHCert signs a SSH certificate that can be used to connect to Agentless nodes.

func (*Client) GenerateSnowflakeJWT

func (c *Client) GenerateSnowflakeJWT(ctx context.Context, req types.GenerateSnowflakeJWT) (string, error)

GenerateSnowflakeJWT generates JWT in the Snowflake required format.

func (*Client) GenerateUserCerts

func (c *Client) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificates.

func (*Client) GenerateWindowsDesktopCert

func (c *Client) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.

func (*Client) GetAccessCapabilities

func (c *Client) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

GetAccessCapabilities requests the access capabilities of a user.

func (*Client) GetAccessRequestAllowedPromotions

func (c *Client) GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)

GetAccessRequestAllowedPromotions returns the list of promotions allowed for the given access request.

func (*Client) GetAccessRequests

func (c *Client) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)

GetAccessRequests retrieves a list of all access requests matching the provided filter.

func (*Client) GetAccountRecoveryCodes

func (c *Client) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes returns the user in context their recovery codes resource without any secrets.

func (*Client) GetAccountRecoveryToken

func (c *Client) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)

GetAccountRecoveryToken returns a user token resource after verifying the token in request is not expired and is of the correct recovery type.

func (*Client) GetActiveSessionTrackers

func (c *Client) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

GetActiveSessionTrackers returns a list of active session trackers.

func (*Client) GetActiveSessionTrackersWithFilter

func (c *Client) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.

func (*Client) GetAlertAcks

func (c *Client) GetAlertAcks(ctx context.Context) ([]types.AlertAcknowledgement, error)

GetAlertAcks gets active alert acknowledgements.

func (*Client) GetApp

func (c *Client) GetApp(ctx context.Context, name string) (types.Application, error)

GetApp returns the specified application resource.

Note that application resources here refers to "dynamically-added" applications such as applications created by `tctl create`, or the CreateApp API. Applications defined in the `app_service.apps` section of the service YAML configuration are not collected in this API.

For a full list of registered applications that are served by an application service, use GetApplicationServers instead.

func (*Client) GetAppSession

func (c *Client) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)

GetAppSession gets an application web session.

func (*Client) GetApplicationServers

func (c *Client) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

GetApplicationServers returns all registered application servers.

func (*Client) GetApps

func (c *Client) GetApps(ctx context.Context) ([]types.Application, error)

GetApps returns all application resources.

Note that application resources here refers to "dynamically-added" applications such as applications created by `tctl create`, or the CreateApp API. Applications defined in the `app_service.apps` section of the service YAML configuration are not collected in this API.

For a full list of registered applications that are served by an application service, use GetApplicationServers instead.

func (*Client) GetAuthPreference

func (c *Client) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

GetAuthPreference gets the active cluster auth preference.

func (*Client) GetAutoUpdateAgentRollout

func (c *Client) GetAutoUpdateAgentRollout(ctx context.Context) (*autoupdatev1pb.AutoUpdateAgentRollout, error)

GetAutoUpdateAgentRollout gets AutoUpdateAgentRollout resource.

func (*Client) GetAutoUpdateConfig

func (c *Client) GetAutoUpdateConfig(ctx context.Context) (*autoupdatev1pb.AutoUpdateConfig, error)

GetAutoUpdateConfig gets AutoUpdateConfig resource.

func (*Client) GetAutoUpdateVersion

func (c *Client) GetAutoUpdateVersion(ctx context.Context) (*autoupdatev1pb.AutoUpdateVersion, error)

GetAutoUpdateVersion gets AutoUpdateVersion resource.

func (*Client) GetCertAuthorities

func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)

GetCertAuthorities retrieves CAs by type.

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)

GetCertAuthority retrieves a CA by type and domain.

func (*Client) GetClusterAccessGraphConfig

func (c *Client) GetClusterAccessGraphConfig(ctx context.Context) (*clusterconfigpb.AccessGraphConfig, error)

GetClusterAccessGraphConfig retrieves the Cluster Access Graph configuration from Auth server.

func (*Client) GetClusterAlerts

func (c *Client) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

GetClusterAlerts loads matching cluster alerts.

func (*Client) GetClusterAuditConfig

func (c *Client) GetClusterAuditConfig(ctx context.Context) (types.ClusterAuditConfig, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*Client) GetClusterCACert

func (c *Client) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster. If the cluster has multiple TLS certs, they will all be concatenated.

func (*Client) GetClusterMaintenanceConfig

func (c *Client) GetClusterMaintenanceConfig(ctx context.Context) (types.ClusterMaintenanceConfig, error)

GetClusterMaintenanceConfig gets the current maintenance window config singleton.

func (*Client) GetClusterNetworkingConfig

func (c *Client) GetClusterNetworkingConfig(ctx context.Context) (types.ClusterNetworkingConfig, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*Client) GetConnection

func (c *Client) GetConnection() *grpc.ClientConn

GetConnection returns gRPC connection.

func (*Client) GetConnectionDiagnostic

func (c *Client) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

GetConnectionDiagnostic reads a connection diagnostic

func (*Client) GetCurrentUser

func (c *Client) GetCurrentUser(ctx context.Context) (types.User, error)

GetCurrentUser returns current user as seen by the server. Useful especially in the context of remote clusters which perform role and trait mapping.

func (*Client) GetCurrentUserRoles

func (c *Client) GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)

GetCurrentUserRoles returns current user's roles.

func (*Client) GetDatabase

func (c *Client) GetDatabase(ctx context.Context, name string) (types.Database, error)

GetDatabase returns the specified database resource.

Note that database resources here refers to "dynamically-added" databases such as databases created by `tctl create`, the discovery service, or the CreateDatabase API. Databases discovered by the database agent (legacy discovery flow using `database_service.aws/database_service.azure`) and static databases defined in the `database_service.databases` section of the service YAML configuration are not collected in this API.

For a full list of registered databases that are served by a database service, use GetDatabaseServers instead.

func (*Client) GetDatabaseObjectImportRules

func (c *Client) GetDatabaseObjectImportRules(ctx context.Context) ([]*dbobjectimportrulev1.DatabaseObjectImportRule, error)

GetDatabaseObjectImportRules retrieves all database object import rules.

func (*Client) GetDatabaseObjects

func (c *Client) GetDatabaseObjects(ctx context.Context) ([]*dbobjectv1.DatabaseObject, error)

GetDatabaseObjects retrieves all database objects.

func (*Client) GetDatabaseServers

func (c *Client) GetDatabaseServers(ctx context.Context, namespace string) ([]types.DatabaseServer, error)

GetDatabaseServers returns all registered database proxy servers.

Note that in HA setups, a registered database may have multiple DatabaseServer entries. Web UI and `tsh db ls` extract databases from this list and remove duplicates by name.

func (*Client) GetDatabases

func (c *Client) GetDatabases(ctx context.Context) ([]types.Database, error)

GetDatabases returns all database resources.

Note that database resources here refers to "dynamically-added" databases such as databases created by `tctl create`, the discovery service, or the CreateDatabase API. Databases discovered by the database agent (legacy discovery flow using `database_service.aws/database_service.azure`) and static databases defined in the `database_service.databases` section of the service YAML configuration are not collected in this API.

For a full list of registered databases that are served by a database service, use GetDatabaseServers instead.

func (*Client) GetDesktopBootstrapScript

func (c *Client) GetDesktopBootstrapScript(ctx context.Context) (string, error)

func (*Client) GetDeviceResource

func (c *Client) GetDeviceResource(ctx context.Context, id string) (*types.DeviceV1, error)

GetDeviceResource reads a device using its ID (either devicepb.Device.Id or its Metadata.Name). Prefer using [DevicesClient] directly if you can.

func (*Client) GetDomainName

func (c *Client) GetDomainName(ctx context.Context) (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetEventExportChunks

GetEventExportChunks returns a stream of event chunks that can be exported via ExportUnstructuredEvents. The returned list isn't ordered and polling for new chunks requires re-consuming the entire stream from the beginning.

func (*Client) GetGithubAuthRequest

func (c *Client) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

GetGithubAuthRequest gets a GithubAuthRequest by state token.

func (*Client) GetGithubConnector

func (c *Client) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

GetGithubConnector returns a Github connector by name.

func (*Client) GetGithubConnectors

func (c *Client) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

GetGithubConnectors returns a list of Github connectors.

func (*Client) GetHeadlessAuthentication

func (c *Client) GetHeadlessAuthentication(ctx context.Context, id string) (*types.HeadlessAuthentication, error)

GetHeadlessAuthentication retrieves a headless authentication by id.

func (*Client) GetInstaller

func (c *Client) GetInstaller(ctx context.Context, name string) (types.Installer, error)

GetInstaller gets the cluster installer resource

func (*Client) GetInstallers

func (c *Client) GetInstallers(ctx context.Context) ([]types.Installer, error)

GetInstaller gets all installer script resources

func (*Client) GetInstances

func (c *Client) GetInstances(ctx context.Context, filter types.InstanceFilter) stream.Stream[types.Instance]

func (*Client) GetIntegration

func (c *Client) GetIntegration(ctx context.Context, name string) (types.Integration, error)

GetIntegration returns an Integration by its name.

func (*Client) GetInventoryStatus

func (*Client) GetKubernetesCluster

func (c *Client) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)

GetKubernetesCluster returns the specified kubernetes resource.

func (*Client) GetKubernetesClusters

func (c *Client) GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)

GetKubernetesClusters returns all kubernetes cluster resources.

func (*Client) GetKubernetesServers

func (c *Client) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)

GetKubernetesServers returns the list of kubernetes servers registered in the cluster.

func (*Client) GetKubernetesWaitingContainer

GetKubernetesWaitingContainer returns a Kubernetes ephemeral container that are waiting to be created until moderated session conditions are met.

func (*Client) GetKubernetesWaitingContainerClient

func (c *Client) GetKubernetesWaitingContainerClient() *kubewaitingcontainerclient.Client

GetKubernetesWaitingContainerClient an unadorned KubeWaitingContainers client, using the underlying Auth gRPC connection.

func (*Client) GetLicense

func (c *Client) GetLicense(ctx context.Context) (string, error)

GetLicense returns the license used to start the teleport enterprise auth server

func (*Client) GetLock

func (c *Client) GetLock(ctx context.Context, name string) (types.Lock, error)

GetLock gets a lock by name.

func (*Client) GetLocks

func (c *Client) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)

GetLocks gets all/in-force locks that match at least one of the targets when specified.

func (*Client) GetLoginRule

func (c *Client) GetLoginRule(ctx context.Context, name string) (*loginrulepb.LoginRule, error)

GetLoginRule retrieves a login rule described by name.

func (*Client) GetMFADevices

func (*Client) GetNetworkRestrictions

func (c *Client) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

GetNetworkRestrictions retrieves the network restrictions

func (*Client) GetNode

func (c *Client) GetNode(ctx context.Context, namespace, name string) (types.Server, error)

GetNode returns a node by name and namespace.

func (*Client) GetNodes

func (c *Client) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

GetNodes returns a complete list of nodes that the user has access to in the given namespace.

func (*Client) GetOIDCAuthRequest

func (c *Client) GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error)

GetOIDCAuthRequest gets an OIDCAuthRequest by state token.

func (*Client) GetOIDCConnector

func (c *Client) GetOIDCConnector(ctx context.Context, name string, withSecrets bool) (types.OIDCConnector, error)

GetOIDCConnector returns an OIDC connector by name.

func (*Client) GetOIDCConnectors

func (c *Client) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

GetOIDCConnectors returns a list of OIDC connectors.

func (*Client) GetPluginData

func (c *Client) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*Client) GetRemoteCluster

func (c *Client) GetRemoteCluster(ctx context.Context, name string) (types.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*Client) GetRemoteClusters

func (c *Client) GetRemoteClusters(ctx context.Context) ([]types.RemoteCluster, error)

GetRemoteClusters returns all remote clusters. Deprecated: use ListRemoteClusters instead.

func (*Client) GetResetPasswordToken

func (c *Client) GetResetPasswordToken(ctx context.Context, tokenID string) (types.UserToken, error)

GetResetPasswordToken returns a reset password token for the specified tokenID.

func (*Client) GetResources

GetResources returns a paginated list of resources that the user has access to. `nextKey` is used as `startKey` in another call to GetResources to retrieve the next page. It will return a `trace.LimitExceeded` error if the page exceeds gRPC max message size.

func (*Client) GetRole

func (c *Client) GetRole(ctx context.Context, name string) (types.Role, error)

GetRole returns role by name

func (*Client) GetRoles

func (c *Client) GetRoles(ctx context.Context) ([]types.Role, error)

GetRoles returns a list of roles

func (*Client) GetSAMLAuthRequest

func (c *Client) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

GetSAMLAuthRequest gets a SAMLAuthRequest by id.

func (*Client) GetSAMLConnector

func (c *Client) GetSAMLConnector(ctx context.Context, name string, withSecrets bool) (types.SAMLConnector, error)

GetSAMLConnector returns a SAML connector by name.

func (*Client) GetSAMLConnectors

func (c *Client) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

GetSAMLConnectors returns a list of SAML connectors.

func (*Client) GetSAMLIdPServiceProvider

func (c *Client) GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)

GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resources.

func (*Client) GetSAMLIdPSession

func (c *Client) GetSAMLIdPSession(ctx context.Context, req types.GetSAMLIdPSessionRequest) (types.WebSession, error)

GetSAMLIdPSession gets a SAML IdP session. Deprecated: Do not use. The Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead.

func (*Client) GetSSHTargets

GetSSHTargets gets all servers that would match an equivalent ssh dial request. Note that this method returns all resources directly accessible to the user *and* all resources available via 'SearchAsRoles', which is what we want when handling things like ambiguous host errors and resource-based access requests, but may result in confusing behavior if it is used outside of those contexts.

func (*Client) GetSSODiagnosticInfo

func (c *Client) GetSSODiagnosticInfo(ctx context.Context, authRequestKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

GetSSODiagnosticInfo returns SSO diagnostic info records for a specific SSO Auth request.

func (*Client) GetSemaphores

func (c *Client) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)

GetSemaphores returns a list of all semaphores matching the supplied filter.

func (*Client) GetServerInfo

func (c *Client) GetServerInfo(ctx context.Context, name string) (types.ServerInfo, error)

GetServerInfo returns a ServerInfo by name.

func (*Client) GetServerInfos

func (c *Client) GetServerInfos(ctx context.Context) stream.Stream[types.ServerInfo]

GetServerInfos returns a stream of ServerInfos.

func (*Client) GetSessionRecordingConfig

func (c *Client) GetSessionRecordingConfig(ctx context.Context) (types.SessionRecordingConfig, error)

GetSessionRecordingConfig gets session recording configuration.

func (*Client) GetSessionTracker

func (c *Client) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

GetSessionTracker returns the current state of a session tracker for an active session.

func (*Client) GetSnowflakeSession

func (c *Client) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)

GetSnowflakeSession gets a Snowflake web session.

func (*Client) GetSnowflakeSessions

func (c *Client) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)

GetSnowflakeSessions gets all Snowflake web sessions.

func (*Client) GetToken

func (c *Client) GetToken(ctx context.Context, name string) (types.ProvisionToken, error)

GetToken returns a provision token by name.

func (*Client) GetTokens

func (c *Client) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)

GetTokens returns a list of active provision tokens for nodes and users.

func (*Client) GetTrustedCluster

func (c *Client) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

GetTrustedCluster returns a Trusted Cluster by name.

func (*Client) GetTrustedClusters

func (c *Client) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

GetTrustedClusters returns a list of Trusted Clusters.

func (*Client) GetUIConfig

func (c *Client) GetUIConfig(ctx context.Context) (types.UIConfig, error)

GetUIConfig gets the configuration for the UI served by the proxy service

func (*Client) GetUser

func (c *Client) GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)

GetUser returns a list of usernames registered in the system. withSecrets controls whether authentication details are returned.

func (*Client) GetUserGroup

func (c *Client) GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)

GetUserGroup returns the specified SAML IdP service provider resources.

func (*Client) GetUserPreferences

GetUserPreferences returns the user preferences for a given user.

func (*Client) GetUsers

func (c *Client) GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)

GetUsers returns all currently registered users. withSecrets controls whether authentication details are returned.

func (*Client) GetVnetConfig

func (c *Client) GetVnetConfig(ctx context.Context) (*vnet.VnetConfig, error)

GetVnetConfig returns the singleton VnetConfig resource.

func (*Client) GetWebSession

func (c *Client) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns the web session for the specified request. Implements ReadAccessPoint

func (*Client) GetWebToken

func (c *Client) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns the web token for the specified request. Implements ReadAccessPoint

func (*Client) GetWindowsDesktopService

func (c *Client) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

GetWindowsDesktopService returns a registered windows desktop service by name.

func (*Client) GetWindowsDesktopServices

func (c *Client) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

GetWindowsDesktopServices returns all registered windows desktop services.

func (*Client) GetWindowsDesktops

func (c *Client) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

GetWindowsDesktops returns all registered windows desktop hosts.

func (*Client) GetWorkloadIdentity

func (c *Client) GetWorkloadIdentity(ctx context.Context, name string) (*workloadidentityv1pb.WorkloadIdentity, error)

GetWorkloadIdentity returns a workload identity by name.

func (*Client) GitServerClient

func (c *Client) GitServerClient() *gitserverclient.Client

GitServerClient returns a client for managing git servers

func (*Client) IdentityCenterClient

func (c *Client) IdentityCenterClient() identitycenterv1.IdentityCenterServiceClient

IdentityCenterClient returns Identity Center service client using an underlying gRPC connection.

func (*Client) IntegrationsClient

func (c *Client) IntegrationsClient() integrationpb.IntegrationServiceClient

IntegrationsClient returns integrations client.

func (*Client) InventoryControlStream

func (c *Client) InventoryControlStream(ctx context.Context) (DownstreamInventoryControlStream, error)

InventoryControlStream opens a new control stream. The first message sent must be an UpstreamInventoryHello, and the first message received must be a DownstreamInventoryHello.

func (*Client) IsMFARequired

func (*Client) KeepAliveSemaphoreLease

func (c *Client) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

KeepAliveSemaphoreLease updates semaphore lease.

func (*Client) ListAccessRequests

ListAccessRequests is an access request getter with pagination and sorting options.

func (*Client) ListAllAccessRequests

func (c *Client) ListAllAccessRequests(ctx context.Context, req *proto.ListAccessRequestsRequest) ([]*types.AccessRequestV3, error)

ListAllAccessRequests aggregates all access requests via the ListAccessRequests api. This is equivalent to calling GetAccessRequests except that it supports custom sort order/indexes. Calling this method rather than ListAccessRequests also provides the advantage that it can fallback to calling the old GetAccessRequests grpc method if it encounters and outdated control plane. For that reason, implementations that don't actually *need* pagination are better served by calling this method.

func (*Client) ListAllIntegrations

func (c *Client) ListAllIntegrations(ctx context.Context) ([]types.Integration, error)

ListAllIntegrations returns the list of all Integrations.

func (*Client) ListAppSessions

func (c *Client) ListAppSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)

ListAppSessions gets a paginated list of application web sessions.

func (*Client) ListIntegrations

func (c *Client) ListIntegrations(ctx context.Context, pageSize int, nextKey string) ([]types.Integration, string, error)

ListIntegrations returns a paginated list of Integrations. The response includes a nextKey which must be used to fetch the next page.

func (*Client) ListKubernetesWaitingContainers

func (c *Client) ListKubernetesWaitingContainers(ctx context.Context, pageSize int, pageToken string) ([]*kubewaitingcontainerpb.KubernetesWaitingContainer, string, error)

ListKubernetesWaitingContainers lists Kubernetes ephemeral containers that are waiting to be created until moderated session conditions are met.

func (*Client) ListNotifications

ListNotifications returns a paginated list of notifications for the user. This includes global notifications which match the user, as well as user-specific notifications for the user.

func (*Client) ListReleases

func (c *Client) ListReleases(ctx context.Context, req *proto.ListReleasesRequest) ([]*types.Release, error)

ListReleases returns a list of teleport enterprise releases

func (*Client) ListRemoteClusters

func (c *Client) ListRemoteClusters(ctx context.Context, pageSize int, nextToken string) ([]types.RemoteCluster, string, error)

ListRemoteClusters returns a page of remote clusters.

func (*Client) ListResources

ListResources returns a paginated list of nodes that the user has access to. `nextKey` is used as `startKey` in another call to ListResources to retrieve the next page. If you want to list all resources pages, check the `GetResourcesWithFilters` function. It will return a `trace.LimitExceeded` error if the page exceeds gRPC max message size.

func (*Client) ListReverseTunnels

func (c *Client) ListReverseTunnels(ctx context.Context, pageSize int, nextToken string) ([]types.ReverseTunnel, string, error)

ListReverseTunnels returns a page of remote clusters.

func (*Client) ListRoles

ListRoles is a paginated role getter.

func (*Client) ListSAMLIdPServiceProviders

func (c *Client) ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextKey string) ([]types.SAMLIdPServiceProvider, string, error)

ListSAMLIdPServiceProviders returns a paginated list of SAML IdP service provider resources.

func (*Client) ListSAMLIdPSessions

func (c *Client) ListSAMLIdPSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)

ListSAMLIdPSessions gets a paginated list of SAML IdP sessions. Deprecated: Do not use. The Concept of SAML IdP Sessions is no longer in use. SAML IdP Sessions are directly tied to their parent web sessions instead.

func (*Client) ListUnifiedResources

ListUnifiedResources returns a paginated list of unified resources that the user has access to. `nextKey` is used as `startKey` in another call to ListUnifiedResources to retrieve the next page. It will return a `trace.LimitExceeded` error if the page exceeds gRPC max message size.

func (*Client) ListUserGroups

func (c *Client) ListUserGroups(ctx context.Context, pageSize int, nextKey string) ([]types.UserGroup, string, error)

ListUserGroups returns a paginated list of SAML IdP service provider resources.

func (*Client) ListUsers

ListUsers returns a page of users.

func (*Client) LoginRuleClient

func (c *Client) LoginRuleClient() loginrulepb.LoginRuleServiceClient

LoginRuleClient returns an unadorned Login Rule client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a login rule client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) MaintainSessionPresence

func (c *Client) MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)

MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.

func (*Client) NewKeepAliver

func (c *Client) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver. It is the caller's responsibility to invoke Close on the returned value to release the keepAliver resources.

func (*Client) NewWatcher

func (c *Client) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher returns a new streamWatcher

func (*Client) NotificationServiceClient

func (c *Client) NotificationServiceClient() notificationsv1pb.NotificationServiceClient

NotificationServiceClient returns a notification service client that can be used to fetch notifications.

func (*Client) OktaClient

func (c *Client) OktaClient() *okta.Client

OktaClient returns an Okta client. Clients connecting older Teleport versions still get an okta client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) PerformMFACeremony

func (c *Client) PerformMFACeremony(ctx context.Context, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error)

PerformMFACeremony retrieves an MFA challenge from the server with the given challenge extensions and prompts the user to answer the challenge with the given promptOpts, and ultimately returning an MFA challenge response for the user.

func (*Client) Ping

func (c *Client) Ping(ctx context.Context) (proto.PingResponse, error)

Ping gets basic info about the auth server.

func (*Client) PingInventory

func (*Client) PluginsClient

func (c *Client) PluginsClient() pluginspb.PluginServiceClient

PluginsClient returns an unadorned Plugins client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a plugins client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) PresenceServiceClient

func (c *Client) PresenceServiceClient() presencepb.PresenceServiceClient

PresenceServiceClient returns an unadorned client for the presence service.

func (*Client) ProvisioningServiceClient

func (c *Client) ProvisioningServiceClient() provisioningv1.ProvisioningServiceClient

ProvisioningServiceClient returns provisioning service client using an underlying gRPC connection.

func (*Client) RemoveSessionTracker

func (c *Client) RemoveSessionTracker(ctx context.Context, sessionID string) error

RemoveSessionTracker removes a tracker resource for an active session.

func (*Client) ReplaceRemoteLocks

func (c *Client) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error

ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.

func (*Client) ResetAuthPreference

func (c *Client) ResetAuthPreference(ctx context.Context) error

ResetAuthPreference resets cluster auth preference to defaults.

func (*Client) ResetClusterNetworkingConfig

func (c *Client) ResetClusterNetworkingConfig(ctx context.Context) error

ResetClusterNetworkingConfig resets cluster networking configuration to defaults.

func (*Client) ResetSessionRecordingConfig

func (c *Client) ResetSessionRecordingConfig(ctx context.Context) error

ResetSessionRecordingConfig resets session recording configuration to defaults.

func (*Client) ResolveSSHTarget

ResolveSSHTarget gets a server that would match an equivalent ssh dial request.

func (*Client) ResourceUsageClient

func (c *Client) ResourceUsageClient() resourceusagepb.ResourceUsageServiceClient

ResourceUsageClient returns an unadorned Resource Usage service client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a plugins client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) ResumeAuditStream

func (c *Client) ResumeAuditStream(ctx context.Context, sessionID, uploadID string) (events.Stream, error)

ResumeAuditStream resumes existing audit stream.

func (*Client) RotateCertAuthority

func (c *Client) RotateCertAuthority(ctx context.Context, rr types.RotateRequest) error

RotateCertAuthority updates or inserts new cert authority

func (*Client) RotateExternalCertAuthority

func (c *Client) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates the provided cert authority.

func (*Client) SAMLIdPClient

func (c *Client) SAMLIdPClient() samlidppb.SAMLIdPServiceClient

SAMLIdPClient returns an unadorned SAML IdP client, using the underlying Auth gRPC connection. Clients connecting to non-Enterprise clusters, or older Teleport versions, still get a SAML IdP client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) SCIMClient

func (c *Client) SCIMClient() *scim.Client

func (*Client) SPIFFEFederationServiceClient

func (c *Client) SPIFFEFederationServiceClient() machineidv1pb.SPIFFEFederationServiceClient

func (*Client) SearchEvents

func (c *Client) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error)

SearchEvents allows searching for events with a full pagination support.

func (*Client) SearchSessionEvents

func (c *Client) SearchSessionEvents(ctx context.Context, fromUTC time.Time, toUTC time.Time, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error)

SearchSessionEvents allows searching for session events with a full pagination support.

func (*Client) SearchUnstructuredEvents

func (c *Client) SearchUnstructuredEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]*auditlogpb.EventUnstructured, string, error)

SearchUnstructuredEvents allows searching for events with a full pagination support and returns events in an unstructured format (json like). This method is used by the Teleport event-handler plugin to receive events from the auth server wihout having to support the Protobuf event schema.

func (*Client) SecReportsClient

func (c *Client) SecReportsClient() *secreport.Client

SecReportsClient returns Security client that can be used to fetch security reports.

func (*Client) SetAccessRequestState

func (c *Client) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error

SetAccessRequestState updates the state of an existing access request.

func (*Client) SetAuthPreference

func (c *Client) SetAuthPreference(ctx context.Context, authPref types.AuthPreference) error

SetAuthPreference sets cluster auth preference via the legacy mechanism. Deprecated: Use UpdateAuthPreference or UpsertAuthPreference instead. TODO(tross) DELETE IN v18.0.0

func (*Client) SetClusterNetworkingConfig

func (c *Client) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) error

SetClusterNetworkingConfig sets cluster networking configuration. Deprecated: Use UpdateClusterNetworkingConfig or UpsertClusterNetworkingConfig instead.

func (*Client) SetInstaller

func (c *Client) SetInstaller(ctx context.Context, inst types.Installer) error

SetInstaller sets the cluster installer resource

func (*Client) SetMFAPromptConstructor

func (c *Client) SetMFAPromptConstructor(pc mfa.PromptConstructor)

SetMFAPromptConstructor sets the MFA prompt constructor for this client.

func (*Client) SetNetworkRestrictions

func (c *Client) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error

SetNetworkRestrictions updates the network restrictions

func (*Client) SetSSOMFACeremonyConstructor

func (c *Client) SetSSOMFACeremonyConstructor(scc mfa.SSOMFACeremonyConstructor)

SetSSOMFACeremonyConstructor sets the SSO MFA ceremony constructor for this client.

func (*Client) SetSessionRecordingConfig

func (c *Client) SetSessionRecordingConfig(ctx context.Context, recConfig types.SessionRecordingConfig) error

SetSessionRecordingConfig sets session recording configuration. Deprecated: Use UpdateSessionRecordingConfig or UpsertSessionRecordingConfig instead.

func (*Client) SetUIConfig

func (c *Client) SetUIConfig(ctx context.Context, uic types.UIConfig) error

SetUIConfig sets the configuration for the UI served by the proxy service

func (*Client) SignDatabaseCSR

func (c *Client) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*Client) StartAccountRecovery

func (c *Client) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)

StartAccountRecovery creates a recovery start token for a user who successfully verified their username and their recovery code. This token is used as part of a URL that will be emailed to the user (not done in this request). Represents step 1 of the account recovery process.

func (*Client) StaticHostUserClient

func (c *Client) StaticHostUserClient() *statichostuserclient.Client

StaticHostUserClient returns a new static host user client.

func (*Client) StreamSessionEvents

func (c *Client) StreamSessionEvents(ctx context.Context, sessionID string, startIndex int64) (chan events.AuditEvent, chan error)

StreamSessionEvents streams audit events from a given session recording.

func (*Client) StreamUnstructuredSessionEvents

func (c *Client) StreamUnstructuredSessionEvents(ctx context.Context, sessionID string, startIndex int64) (chan *auditlogpb.EventUnstructured, chan error)

StreamUnstructuredSessionEvents streams audit events from a given session recording in an unstructured format. This method is used by the Teleport event-handler plugin to receive events from the auth server wihout having to support the Protobuf event schema.

func (*Client) SubmitAccessReview

func (c *Client) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)

SubmitAccessReview applies a review to a request and returns the post-application state.

func (*Client) SubmitUsageEvent

func (c *Client) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

SubmitUsageEvent submits an external usage event.

func (*Client) TrustClient

func (c *Client) TrustClient() trustpb.TrustServiceClient

TrustClient returns an unadorned Trust client, using the underlying Auth gRPC connection.

func (*Client) UpdateApp

func (c *Client) UpdateApp(ctx context.Context, app types.Application) error

UpdateApp updates existing application resource.

func (*Client) UpdateAuthPreference

func (c *Client) UpdateAuthPreference(ctx context.Context, p types.AuthPreference) (types.AuthPreference, error)

UpdateAuthPreference updates an existing auth preference.

func (*Client) UpdateAutoUpdateAgentRollout

func (c *Client) UpdateAutoUpdateAgentRollout(ctx context.Context, rollout *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)

UpdateAutoUpdateAgentRollout updates AutoUpdateAgentRollout resource.

func (*Client) UpdateAutoUpdateConfig

func (c *Client) UpdateAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)

UpdateAutoUpdateConfig updates AutoUpdateConfig resource.

func (*Client) UpdateAutoUpdateVersion

func (c *Client) UpdateAutoUpdateVersion(ctx context.Context, version *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)

UpdateAutoUpdateVersion updates AutoUpdateVersion resource.

func (*Client) UpdateClusterMaintenanceConfig

func (c *Client) UpdateClusterMaintenanceConfig(ctx context.Context, cmc types.ClusterMaintenanceConfig) error

UpdateClusterMaintenanceConfig updates the current maintenance window config singleton.

func (*Client) UpdateClusterNetworkingConfig

func (c *Client) UpdateClusterNetworkingConfig(ctx context.Context, cfg types.ClusterNetworkingConfig) (types.ClusterNetworkingConfig, error)

UpdateClusterNetworkingConfig updates an existing cluster networking configuration.

func (*Client) UpdateConnectionDiagnostic

func (c *Client) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

UpdateConnectionDiagnostic updates a connection diagnostic.

func (*Client) UpdateDatabase

func (c *Client) UpdateDatabase(ctx context.Context, database types.Database) error

UpdateDatabase updates existing database resource.

func (*Client) UpdateGithubConnector

func (c *Client) UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)

UpdateGithubConnector updates a Github connector.

func (*Client) UpdateHeadlessAuthenticationState

func (c *Client) UpdateHeadlessAuthenticationState(ctx context.Context, id string, state types.HeadlessAuthenticationState, mfaResponse *proto.MFAAuthenticateResponse) error

UpdateHeadlessAuthenticationState updates a headless authentication state.

func (*Client) UpdateIntegration

func (c *Client) UpdateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error)

UpdateIntegration updates an existing Integration.

func (*Client) UpdateKubernetesCluster

func (c *Client) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

UpdateKubernetesCluster updates existing kubernetes cluster resource.

func (*Client) UpdateOIDCConnector

func (c *Client) UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)

UpdateOIDCConnector updates an OIDC connector.

func (*Client) UpdatePluginData

func (c *Client) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error

UpdatePluginData updates a per-resource PluginData entry.

func (*Client) UpdateRemoteCluster

func (c *Client) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) (types.RemoteCluster, error)

UpdateRemoteCluster updates remote cluster from the specified value.

func (*Client) UpdateRole

func (c *Client) UpdateRole(ctx context.Context, role types.Role) (types.Role, error)

UpdateRole updates an already existing role.

func (*Client) UpdateSAMLConnector

func (c *Client) UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)

UpdateSAMLConnector updates a SAML connector.

func (*Client) UpdateSAMLIdPServiceProvider

func (c *Client) UpdateSAMLIdPServiceProvider(ctx context.Context, sp types.SAMLIdPServiceProvider) error

UpdateSAMLIdPServiceProvider updates an existing SAML IdP service provider resource.

func (*Client) UpdateSessionRecordingConfig

func (c *Client) UpdateSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error)

UpdateSessionRecordingConfig updates an existing session recording configuration.

func (*Client) UpdateSessionTracker

func (c *Client) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

UpdateSessionTracker updates a tracker resource for an active session.

func (*Client) UpdateTrustedCluster

func (c *Client) UpdateTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

UpdateTrustedCluster updates a Trusted Cluster.

func (*Client) UpdateUser

func (c *Client) UpdateUser(ctx context.Context, user types.User) (types.User, error)

UpdateUser updates an existing user in a backend.

func (*Client) UpdateUserGroup

func (c *Client) UpdateUserGroup(ctx context.Context, ug types.UserGroup) error

UpdateUserGroup updates an existing user group resource.

func (*Client) UpdateWindowsDesktop

func (c *Client) UpdateWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error

UpdateWindowsDesktop updates an existing windows desktop host.

func (*Client) UpsertApplicationServer

func (c *Client) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)

UpsertApplicationServer registers an application server.

func (*Client) UpsertAuthPreference

func (c *Client) UpsertAuthPreference(ctx context.Context, p types.AuthPreference) (types.AuthPreference, error)

UpsertAuthPreference creates a new preference or overwrites the existing auth preference.

func (*Client) UpsertAutoUpdateAgentRollout

func (c *Client) UpsertAutoUpdateAgentRollout(ctx context.Context, rollout *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)

UpsertAutoUpdateAgentRollout updates or creates AutoUpdateAgentRollout resource.

func (*Client) UpsertAutoUpdateConfig

func (c *Client) UpsertAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)

UpsertAutoUpdateConfig updates or creates AutoUpdateConfig resource.

func (*Client) UpsertAutoUpdateVersion

func (c *Client) UpsertAutoUpdateVersion(ctx context.Context, version *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)

UpsertAutoUpdateVersion updates or creates AutoUpdateVersion resource.

func (*Client) UpsertCertAuthority

func (c *Client) UpsertCertAuthority(ctx context.Context, ca types.CertAuthority) (types.CertAuthority, error)

UpsertCertAuthority creates or updates the provided cert authority.

func (*Client) UpsertClusterAlert

func (c *Client) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error

UpsertClusterAlert creates a cluster alert.

func (*Client) UpsertClusterNetworkingConfig

func (c *Client) UpsertClusterNetworkingConfig(ctx context.Context, cfg types.ClusterNetworkingConfig) (types.ClusterNetworkingConfig, error)

UpsertClusterNetworkingConfig creates a new configuration or overwrites the existing cluster networking configuration.

func (*Client) UpsertDatabaseServer

func (c *Client) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)

UpsertDatabaseServer registers a new database proxy server.

func (*Client) UpsertDatabaseService

func (c *Client) UpsertDatabaseService(ctx context.Context, service types.DatabaseService) (*types.KeepAlive, error)

UpsertDatabaseService creates or updates existing DatabaseService resource.

func (*Client) UpsertDeviceResource

func (c *Client) UpsertDeviceResource(ctx context.Context, res *types.DeviceV1) (*types.DeviceV1, error)

UpsertDeviceResource creates or updates a device using its resource representation. Prefer using [DevicesClient] directly if you can.

func (*Client) UpsertGithubConnector

func (c *Client) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)

UpsertGithubConnector creates or updates a Github connector.

func (*Client) UpsertKubernetesServer

func (c *Client) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)

UpsertKubernetesServer is used by kubernetes services to report their presence to other auth servers in form of heartbeat expiring after ttl period.

func (*Client) UpsertLock

func (c *Client) UpsertLock(ctx context.Context, lock types.Lock) error

UpsertLock upserts a lock.

func (*Client) UpsertLoginRule

func (c *Client) UpsertLoginRule(ctx context.Context, rule *loginrulepb.LoginRule) (*loginrulepb.LoginRule, error)

UpsertLoginRule creates a login rule if one with the same name does not already exist, else it replaces the existing login rule.

func (*Client) UpsertNode

func (c *Client) UpsertNode(ctx context.Context, node types.Server) (*types.KeepAlive, error)

UpsertNode is used by SSH servers to report their presence to the auth servers in form of heartbeat expiring after ttl period.

func (*Client) UpsertOIDCConnector

func (c *Client) UpsertOIDCConnector(ctx context.Context, oidcConnector types.OIDCConnector) (types.OIDCConnector, error)

UpsertOIDCConnector creates or updates an OIDC connector.

func (*Client) UpsertReverseTunnel

func (c *Client) UpsertReverseTunnel(ctx context.Context, rt types.ReverseTunnel) (types.ReverseTunnel, error)

UpsertReverseTunnel creates or updates reverse tunnel resource

func (*Client) UpsertRole

func (c *Client) UpsertRole(ctx context.Context, role types.Role) (types.Role, error)

UpsertRole creates or updates a role.

func (*Client) UpsertSAMLConnector

func (c *Client) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)

UpsertSAMLConnector creates or updates a SAML connector.

func (*Client) UpsertServerInfo

func (c *Client) UpsertServerInfo(ctx context.Context, serverInfo types.ServerInfo) error

UpsertServerInfo upserts a ServerInfo.

func (*Client) UpsertSessionRecordingConfig

func (c *Client) UpsertSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error)

UpsertSessionRecordingConfig creates a new configuration or overwrites the existing session recording configuration.

func (*Client) UpsertToken

func (c *Client) UpsertToken(ctx context.Context, token types.ProvisionToken) error

UpsertToken creates or updates a provision token.

func (*Client) UpsertTrustedCluster deprecated

func (c *Client) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedCluster creates or updates a Trusted Cluster.

Deprecated: Use Client.UpsertTrustedClusterV2 instead.

func (*Client) UpsertTrustedClusterV2

func (c *Client) UpsertTrustedClusterV2(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedClusterV2 creates or updates a Trusted Cluster.

func (*Client) UpsertUser

func (c *Client) UpsertUser(ctx context.Context, user types.User) (types.User, error)

UpsertUser creates a new user or updates an existing user.

func (*Client) UpsertUserLastSeenNotification

UpsertUserLastSeenNotification creates or updates a user's last seen notification timestamp.

func (*Client) UpsertUserNotificationState

UpsertUserNotificationState creates or updates a user notification state which records whether the user has clicked on or dismissed a notification.

func (*Client) UpsertUserPreferences

func (c *Client) UpsertUserPreferences(ctx context.Context, in *userpreferencespb.UpsertUserPreferencesRequest) error

UpsertUserPreferences creates or updates user preferences for a given username.

func (*Client) UpsertWindowsDesktop

func (c *Client) UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error

UpsertWindowsDesktop updates a windows desktop resource, creating it if it doesn't exist.

func (*Client) UpsertWindowsDesktopService

func (c *Client) UpsertWindowsDesktopService(ctx context.Context, service types.WindowsDesktopService) (*types.KeepAlive, error)

UpsertWindowsDesktopService registers a new windows desktop service.

func (*Client) UpsertWorkloadIdentity

UpsertWorkloadIdentity creates or updates a workload identity.

func (*Client) UserLoginStateClient

func (c *Client) UserLoginStateClient() *userloginstate.Client

UserLoginStateClient returns a user login state client. Clients connecting to older Teleport versions, still get a user login state client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) UserTasksServiceClient

func (c *Client) UserTasksServiceClient() *usertaskapi.Client

UserTasksServiceClient returns a UserTask client. Clients connecting to older Teleport versions, still get a UserTask client when calling this method, but all RPCs will return "not implemented" errors (as per the default gRPC behavior).

func (*Client) VerifyAccountRecovery

func (c *Client) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)

VerifyAccountRecovery creates a recovery approved token after successful verification of users password or second factor (authn depending on what user needed to recover). This token will allow users to perform protected actions while not logged in. Represents step 2 of the account recovery process after RPC StartAccountRecovery.

func (*Client) VnetConfigServiceClient

func (c *Client) VnetConfigServiceClient() vnet.VnetConfigServiceClient

VnetConfigServiceClient returns an unadorned client for the VNet config service.

func (*Client) WatchPendingHeadlessAuthentications

func (c *Client) WatchPendingHeadlessAuthentications(ctx context.Context) (types.Watcher, error)

WatchPendingHeadlessAuthentications creates a watcher for pending headless authentication for the current user.

func (*Client) WebSessions

func (c *Client) WebSessions() types.WebSessionInterface

WebSessions returns the web sessions controller

func (*Client) WebTokens

func (c *Client) WebTokens() types.WebTokenInterface

WebTokens returns the web tokens controller

func (*Client) WorkloadIdentityResourceServiceClient

func (c *Client) WorkloadIdentityResourceServiceClient() workloadidentityv1pb.WorkloadIdentityResourceServiceClient

WorkloadIdentityResourceServiceClient returns an unadorned client for the workload identity resource service.

func (*Client) WorkloadIdentityServiceClient

func (c *Client) WorkloadIdentityServiceClient() machineidv1pb.WorkloadIdentityServiceClient

WorkloadIdentityServiceClient returns an unadorned client for the workload identity service.

type Config

type Config struct {
	// Addrs is a list of teleport auth/proxy server addresses to dial.
	// If you are using identity file credentials, at least one address must be supplied.
	// This field is optional if you are using tsh profile credentials.
	Addrs []string
	// Credentials are a list of credentials to use when attempting
	// to connect to the server.
	Credentials []Credentials
	// Dialer is a custom dialer used to dial a server. The Dialer should
	// have custom logic to provide an address to the dialer. If set, Dialer
	// takes precedence over all other connection options.
	Dialer ContextDialer
	// DialOpts define options for dialing the client connection.
	DialOpts []grpc.DialOption
	// DialInBackground specifies to dial the connection in the background
	// rather than blocking until the connection is up. A predefined Dialer
	// or an auth server address must be provided.
	DialInBackground bool
	// DialTimeout defines how long to attempt dialing before timing out.
	DialTimeout time.Duration
	// KeepAlivePeriod defines period between keep alives.
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies the amount of missed keep alives
	// to wait for before declaring the connection as broken.
	KeepAliveCount int
	// The web proxy uses a self-signed TLS certificate by default, which
	// requires this field to be set. If the web proxy was provided with
	// signed TLS certificates, this field should not be set.
	InsecureAddressDiscovery bool
	// ALPNSNIAuthDialClusterName if present the client will include ALPN SNI routing information in TLS Hello message
	// allowing to dial auth service through Teleport Proxy directly without using SSH Tunnels.
	ALPNSNIAuthDialClusterName string
	// CircuitBreakerConfig defines how the circuit breaker should behave.
	CircuitBreakerConfig breaker.Config
	// Context is the base context to use for dialing. If not provided context.Background is used
	Context context.Context
	// ALPNConnUpgradeRequired indicates that ALPN connection upgrades are
	// required for making TLS Routing requests.
	//
	// In DialInBackground mode without a Dialer, a valid value must be
	// provided as it's assumed that the caller knows the context if connection
	// upgrades are required for TLS Routing.
	//
	// In default mode, this value is optional as some of the connect methods
	// will perform necessary tests to decide if connection upgrade is
	// required.
	ALPNConnUpgradeRequired bool
	// PROXYHeaderGetter returns signed PROXY header that is sent to allow Proxy to propagate client's real IP to the
	// auth server from the Proxy's web server, when we create user's client for the web session.
	PROXYHeaderGetter PROXYHeaderGetter
	// MFAPromptConstructor is used to create MFA prompts when needed.
	// If nil, the client will not prompt for MFA.
	MFAPromptConstructor mfa.PromptConstructor
	// SSOMFACeremonyConstructor is used to handle SSO MFA when needed.
	// If nil, the client will not prompt for MFA.
	SSOMFACeremonyConstructor mfa.SSOMFACeremonyConstructor
}

Config contains configuration of the client

func (*Config) CheckAndSetDefaults

func (c *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values.

type ContextDialer

type ContextDialer interface {
	// DialContext is a function that dials the specified address
	DialContext(ctx context.Context, network, addr string) (net.Conn, error)
}

ContextDialer represents network dialer interface that uses context

func NewALPNDialer

func NewALPNDialer(cfg ALPNDialerConfig) ContextDialer

NewALPNDialer creates a new ALPNDialer.

func NewDialer

func NewDialer(ctx context.Context, keepAlivePeriod, dialTimeout time.Duration, opts ...DialOption) ContextDialer

NewDialer makes a new dialer that connects to an Auth server either directly or via an HTTP proxy, depending on the environment.

func NewPROXYHeaderDialer

func NewPROXYHeaderDialer(dialer ContextDialer, headerGetter PROXYHeaderGetter) ContextDialer

NewPROXYHeaderDialer makes a new dialer that can propagate client IP if signed PROXY header getter is present

func NewProxyDialer

func NewProxyDialer(ssh ssh.ClientConfig, keepAlivePeriod, dialTimeout time.Duration, discoveryAddr string, insecure bool, opts ...DialProxyOption) ContextDialer

NewProxyDialer makes a dialer to connect to an Auth server through the SSH reverse tunnel on the proxy. The dialer will ping the web client to discover the tunnel proxy address on each dial.

type ContextDialerFunc

type ContextDialerFunc func(ctx context.Context, network, addr string) (net.Conn, error)

ContextDialerFunc is a function wrapper that implements the ContextDialer interface.

func (ContextDialerFunc) DialContext

func (f ContextDialerFunc) DialContext(ctx context.Context, network, addr string) (net.Conn, error)

DialContext is a function that dials to the specified address

type Credentials

type Credentials interface {
	// TLSConfig returns TLS configuration used to authenticate the client.
	TLSConfig() (*tls.Config, error)
	// SSHClientConfig returns SSH configuration used to connect to the
	// Auth server through a reverse tunnel.
	SSHClientConfig() (*ssh.ClientConfig, error)
	// Expiry returns the Credentials expiry if it's possible to know its expiry.
	// When expiry can be determined returns true, else returns false.
	// If the Credentials don't expire, returns the zero time.
	// If the Credential is dynamically refreshed or reloaded, (e.g filesystem
	// reload or tbot renewal), Expiry returns the expiry of the currently active
	// Credentials.
	Expiry() (time.Time, bool)
}

Credentials are used to authenticate the API auth client. Some Credentials also provide other functionality, such as automatic address discovery and ssh connectivity.

See the examples below for an example of each loader.

Example (LoadIdentity)

Generate identity file with tsh or tctl.

$ tsh login --user=api-user --out=identity-file-path
$ tctl auth sign --user=api-user --out=identity-file-path

Load credentials from the specified identity file.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadIdentityFile("identity-file-path")
}
Output:

Example (LoadIdentityString)

Generate identity file with tsh or tctl.

$ tsh login --user=api-user --out=identity-file-path
$ tctl auth sign --user=api-user --out=identity-file-path
$ export TELEPORT_IDENTITY=$(cat identity-file-path)

Load credentials from the envrironment variable.

package main

import (
	"os"

	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadIdentityFileFromString(os.Getenv("TELEPORT_IDENTITY"))
}
Output:

Example (LoadKeyPair)

Generate certificate key pair with tctl.

$ tctl auth sign --format=tls --user=api-user --out=path/to/certs

Load credentials from the specified certificate files.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadKeyPair(
		"path/to/certs.crt",
		"path/to/certs.key",
		"path/to/certs.cas",
	)
}
Output:

Example (LoadProfile)

Generate tsh profile with tsh.

$ tsh login --user=api-user

Load credentials from the default directory and current profile, or specify the directory and profile.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadProfile("", "")
	client.LoadProfile("profile-directory", "api-user")
}
Output:

func KeyPair

func KeyPair(certPEM, keyPEM, caPEM []byte) (Credentials, error)

KeyPair returns a Credential give a TLS key, certificate and CA certificates PEM-encoded. It behaves live LoadKeyPair except it doesn't read the TLS material from a file. This is useful when key and certs are not on the disk (e.g. environment variables). This should be preferred over manually building a tls.Config and calling LoadTLS as Credentials returned by KeyPair can report their expiry, which allows to warn the user in case of expired certificates.

func LoadIdentityFile

func LoadIdentityFile(path string) Credentials

LoadIdentityFile is used to load Credentials from an identity file on disk.

Identity Credentials can be used to connect to an auth server directly or through a reverse tunnel.

A new identity file can be generated with tsh or tctl.

$ tsh login --user=api-user --out=identity-file-path
$ tctl auth sign --user=api-user --out=identity-file-path

The identity file's time to live can be specified with --ttl.

See the example below for usage.

Example

Load credentials from the specified identity file.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadIdentityFile("identity-file-path")
}
Output:

func LoadIdentityFileFromString

func LoadIdentityFileFromString(content string) Credentials

LoadIdentityFileFromString is used to load Credentials from a string containing identity file contents.

Identity Credentials can be used to connect to an auth server directly or through a reverse tunnel.

A new identity file can be generated with tsh or tctl.

$ tsh login --user=api-user --out=identity-file-path
$ tctl auth sign --user=api-user --out=identity-file-path

The identity file's time to live can be specified with --ttl.

See the example below for usage.

Example

Load credentials from the specified environment variable.

package main

import (
	"os"

	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadIdentityFileFromString(os.Getenv("TELEPORT_IDENTITY"))
}
Output:

func LoadKeyPair

func LoadKeyPair(certFile, keyFile, caFile string) Credentials

LoadKeyPair is used to load Credentials from a certicate keypair on disk.

KeyPair Credentials can only be used to connect directly to a Teleport Auth server.

New KeyPair files can be generated with tsh or tctl.

$ tctl auth sign --format=tls --user=api-user --out=path/to/certs

The certificates' time to live can be specified with --ttl.

See the example below for usage.

Example

Load credentials from the specified certificate files.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadKeyPair(
		"path/to/certs.crt",
		"path/to/certs.key",
		"path/to/certs.cas",
	)
}
Output:

func LoadProfile

func LoadProfile(dir, name string) Credentials

LoadProfile is used to load Credentials from a tsh profile on disk.

dir is the profile directory. It will defaults to "~/.tsh".

name is the profile name. It will default to the currently active tsh profile.

Profile Credentials can be used to connect to an auth server directly or through a reverse tunnel.

Profile Credentials will automatically attempt to find your reverse tunnel address and make a connection through it.

A new profile can be generated with tsh.

$ tsh login --user=api-user
Example

Load credentials from the default directory and current profile, or specify the directory and profile.

package main

import (
	"github.com/gravitational/teleport/api/client"
)

func main() {
	client.LoadProfile("", "")
	client.LoadProfile("profile-directory", "api-user")
}
Output:

func LoadTLS

func LoadTLS(tlsConfig *tls.Config) Credentials

LoadTLS is used to load Credentials directly from a *tls.Config.

TLS creds can only be used to connect directly to a Teleport Auth server.

type CredentialsWithDefaultAddrs

type CredentialsWithDefaultAddrs interface {
	Credentials
	// DefaultAddrs is called by the API client when it has not been
	// explicitly configured with an address to connect to. It may return a
	// slice of addresses to be tried.
	DefaultAddrs() ([]string, error)
}

CredentialsWithDefaultAddrs additionally provides default addresses sourced from the credential which are used when the client has not been explicitly configured with an address.

type DialOption

type DialOption func(cfg *dialConfig)

DialOption allows setting options as functional arguments to api.NewDialer.

func WithALPNConnUpgrade

func WithALPNConnUpgrade(alpnConnUpgradeRequired bool) DialOption

WithALPNConnUpgrade specifies if ALPN connection upgrade is required.

func WithALPNConnUpgradePing

func WithALPNConnUpgradePing(alpnConnUpgradeWithPing bool) DialOption

WithALPNConnUpgradePing specifies if Ping is required during ALPN connection upgrade. This is only effective when alpnConnUpgradeRequired is true.

func WithInsecureSkipVerify

func WithInsecureSkipVerify(insecure bool) DialOption

WithInsecureSkipVerify specifies if dialing insecure when using an HTTPS proxy.

type DialProxyOption

type DialProxyOption = DialOption

DialProxyOption allows setting options as functional arguments to DialProxy.

func WithPROXYHeaderGetter

func WithPROXYHeaderGetter(proxyHeaderGetter PROXYHeaderGetter) DialProxyOption

WithPROXYHeaderGetter provides PROXY headers signer so client's real IP could be propagated. Used by proxy's web server to make calls on behalf of connected clients.

func WithTLSConfig

func WithTLSConfig(tlsConfig *tls.Config) DialProxyOption

WithTLSConfig provides the dialer with the TLS config to use when using an HTTPS proxy.

type DownstreamInventoryControlStream

type DownstreamInventoryControlStream interface {
	// Send attempts to send an upstream message. An error returned from this
	// method either indicates that the stream itself has failed, or that the
	// supplied context was canceled.
	Send(ctx context.Context, msg proto.UpstreamInventoryMessage) error
	// Recv accesses the incoming/downstream message channel.
	Recv() <-chan proto.DownstreamInventoryMessage
	// Close closes the underlying stream without error.
	Close() error
	// CloseWithError closes the underlying stream with an error that can later
	// be retrieved with Error(). Subsequent calls to CloseWithError have no effect.
	CloseWithError(err error) error
	// Done signals that the stream has been closed.
	Done() <-chan struct{}
	// Error checks for any error associated with stream closure (returns `nil` if
	// the stream is open, or io.EOF if the stream was closed without error).
	Error() error
}

DownstreamInventoryControlStream is the client/agent side of a bidirectional stream established between teleport instances and auth servers.

type DynamicIdentityFileCreds

type DynamicIdentityFileCreds struct {

	// Path is the path to the identity file to load and reload.
	Path string
	// contains filtered or unexported fields
}

DynamicIdentityFileCreds allows a changing identity file to be used as the source of authentication for Client. It does not automatically watch the identity file or reload on an interval, this is left as an exercise for the consumer.

DynamicIdentityFileCreds is the recommended Credentials implementation for tools that use Machine ID certificates.

Example
// load credentials from identity files on disk
cred, err := NewDynamicIdentityFileCreds("./identity")
if err != nil {
	log.Fatal(err)
}

// periodically reload credentials from disk
go func() {
	for {
		log.Println("reloading credentials")
		if err := cred.Reload(); err != nil {
			log.Fatal(err)
		}
		log.Println("reloaded credentials")
		time.Sleep(5 * time.Minute)
	}
}()

ctx := context.Background()
clt, err := New(ctx, Config{
	Addrs:       []string{"leaf.tele.ottr.sh:443"},
	Credentials: []Credentials{cred},
})
if err != nil {
	panic(err)
}

for {
	log.Println("Fetching nodes")
	_, err := clt.GetNodes(ctx, defaults.Namespace)
	if err != nil {
		log.Printf("ERROR Fetching nodes: %v", err)
	} else {
		log.Println("Fetching nodes: OK")
	}
	time.Sleep(1 * time.Second)
}
Output:

func NewDynamicIdentityFileCreds

func NewDynamicIdentityFileCreds(path string) (*DynamicIdentityFileCreds, error)

NewDynamicIdentityFileCreds returns a DynamicIdentityFileCreds which has been initially loaded and is ready for use.

func (*DynamicIdentityFileCreds) Expiry

func (d *DynamicIdentityFileCreds) Expiry() (time.Time, bool)

Expiry returns the current credential expiry.

func (*DynamicIdentityFileCreds) Reload

func (d *DynamicIdentityFileCreds) Reload() error

Reload causes the identity file to be re-read from the disk. It will return an error if loading the credentials fails.

func (*DynamicIdentityFileCreds) SSHClientConfig

func (d *DynamicIdentityFileCreds) SSHClientConfig() (*ssh.ClientConfig, error)

SSHClientConfig returns SSH configuration, implementing the Credentials interface.

func (*DynamicIdentityFileCreds) TLSConfig

func (d *DynamicIdentityFileCreds) TLSConfig() (*tls.Config, error)

TLSConfig returns TLS configuration. Implementing the Credentials interface.

type GetClusterCAsFunc

type GetClusterCAsFunc func(ctx context.Context) (*x509.CertPool, error)

GetClusterCAsFunc is a function to fetch cluster CAs.

func ClusterCAsFromCertPool

func ClusterCAsFromCertPool(cas *x509.CertPool) GetClusterCAsFunc

ClusterCAsFromCertPool returns a GetClusterCAsFunc with provided static cert pool.

type GetResourcesClient

type GetResourcesClient interface {
	GetResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error)
}

GetResourcesClient is an interface used by GetResources to abstract over implementations of the ListResources method.

type ICSPipeOption

type ICSPipeOption func(*pipeOptions)

func ICSPipePeerAddr

func ICSPipePeerAddr(peerAddr string) ICSPipeOption

func ICSPipePeerAddrFn

func ICSPipePeerAddrFn(fn func() string) ICSPipeOption

type JoinServiceClient

type JoinServiceClient struct {
	// contains filtered or unexported fields
}

JoinServiceClient is a client for the JoinService, which runs on both the auth and proxy.

func NewJoinServiceClient

func NewJoinServiceClient(grpcClient proto.JoinServiceClient) *JoinServiceClient

NewJoinServiceClient returns a new JoinServiceClient wrapping the given grpc client.

func (*JoinServiceClient) RegisterUsingAzureMethod

func (c *JoinServiceClient) RegisterUsingAzureMethod(ctx context.Context, challengeResponse RegisterAzureChallengeResponseFunc) (*proto.Certs, error)

RegisterUsingAzureMethod registers the caller using the Azure join method and returns signed certs to join the cluster.

The caller must provide a ChallengeResponseFunc which returns a *proto.RegisterUsingAzureMethodRequest with a signed attested data document including the challenge as a nonce.

func (*JoinServiceClient) RegisterUsingIAMMethod

func (c *JoinServiceClient) RegisterUsingIAMMethod(ctx context.Context, challengeResponse RegisterIAMChallengeResponseFunc) (*proto.Certs, error)

RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.

The caller must provide a ChallengeResponseFunc which returns a *types.RegisterUsingTokenRequest with a signed sts:GetCallerIdentity request including the challenge as a signed header.

func (*JoinServiceClient) RegisterUsingTPMMethod

func (c *JoinServiceClient) RegisterUsingTPMMethod(
	ctx context.Context,
	initReq *proto.RegisterUsingTPMMethodInitialRequest,
	solveChallenge RegisterTPMChallengeResponseFunc,
) (*proto.Certs, error)

RegisterUsingTPMMethod registers the caller using the TPM join method and returns signed certs to join the cluster. The caller must provide a ChallengeResponseFunc which returns a *proto.RegisterUsingTPMMethodRequest for a given challenge, or an error.

func (*JoinServiceClient) RegisterUsingToken

func (c *JoinServiceClient) RegisterUsingToken(
	ctx context.Context, req *types.RegisterUsingTokenRequest,
) (*proto.Certs, error)

RegisterUsingToken registers the caller using a token and returns signed certs. This is used where a more specific RPC has not been introduced for the join method.

type ListResourcesClient

type ListResourcesClient interface {
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

ListResourcesClient is an interface used by GetResourcesWithFilters to abstract over implementations of the ListResources method.

type ListUnifiedResourcesClient

type ListUnifiedResourcesClient interface {
	ListUnifiedResources(ctx context.Context, req *proto.ListUnifiedResourcesRequest) (*proto.ListUnifiedResourcesResponse, error)
}

ListUnifiedResourcesClient is an interface used by ListUnifiedResources to abstract over implementations of the ListUnifiedResources method.

type PROXYHeaderGetter

type PROXYHeaderGetter func() ([]byte, error)

PROXYHeaderGetter is used if present to get signed PROXY headers to propagate client's IP. Used by proxy's web server to make calls on behalf of connected clients.

type RegisterAzureChallengeResponseFunc

type RegisterAzureChallengeResponseFunc func(challenge string) (*proto.RegisterUsingAzureMethodRequest, error)

RegisterAzureChallengeResponseFunc is a function type meant to be passed to RegisterUsingAzureMethod. It must return a *proto.RegisterUsingAzureMethodRequest for a given challenge, or an error.

type RegisterIAMChallengeResponseFunc

type RegisterIAMChallengeResponseFunc func(challenge string) (*proto.RegisterUsingIAMMethodRequest, error)

RegisterIAMChallengeResponseFunc is a function type meant to be passed to RegisterUsingIAMMethod. It must return a *proto.RegisterUsingIAMMethodRequest for a given challenge, or an error.

type RegisterTPMChallengeResponseFunc

type RegisterTPMChallengeResponseFunc func(challenge *proto.TPMEncryptedCredential) (*proto.RegisterUsingTPMMethodChallengeResponse, error)

RegisterTPMChallengeResponseFunc is a function type meant to be passed to RegisterUsingTPMMethod. It must return a *proto.RegisterUsingTPMMethodChallengeResponse for a given challenge, or an error.

type ResourcePage

type ResourcePage[T types.ResourceWithLabels] struct {
	// Resources retrieved for a single [proto.ListResourcesRequest]. The length of
	// the slice will be at most [proto.ListResourcesRequest.Limit].
	Resources []T
	// Total number of all resources matching the request. It will be greater than
	// the length of [Resources] if the number of matches exceeds the request limit.
	Total int
	// NextKey is the start of the next page
	NextKey string
}

ResourcePage holds a page of results from GetResourcePage.

func GetEnrichedResourcePage

GetEnrichedResourcePage is a helper for getting a single page of enriched resources.

func GetResourcePage

GetResourcePage is a helper for getting a single page of resources that match the provide request.

type UpstreamInventoryControlStream

type UpstreamInventoryControlStream interface {
	// Send attempts to send a downstream message.  An error returned from this
	// method either indicates that the stream itself has failed, or that the
	// supplied context was canceled.
	Send(ctx context.Context, msg proto.DownstreamInventoryMessage) error
	// Recv access the incoming/upstream message channel.
	Recv() <-chan proto.UpstreamInventoryMessage
	// PeerAddr gets the underlying TCP peer address (may be empty in some cases).
	PeerAddr() string
	// Close closes the underlying stream without error.
	Close() error
	// CloseWithError closes the underlying stream with an error that can later
	// be retrieved with Error(). Subsequent calls to CloseWithError have no effect.
	CloseWithError(err error) error
	// Done signals that the stream has been closed.
	Done() <-chan struct{}
	// Error checks for any error associated with stream closure (returns `nil` if
	// the stream is open, or io.EOF if the stream closed without error).
	Error() error
}

UpstreamInventoryControlStream is the server/controller side of a bidirectional stream established between teleport instances and auth servers.

func NewUpstreamInventoryControlStream

func NewUpstreamInventoryControlStream(stream proto.AuthService_InventoryControlStreamServer, peerAddr string) UpstreamInventoryControlStream

NewUpstreamInventoryControlStream wraps the server-side control stream handle. For use as part of the internals of the auth server's gRPC API implementation.

Directories

Path Synopsis
Package proto provides the protobuf API specification for Teleport.
Package proto provides the protobuf API specification for Teleport.
Package webclient provides a client for the Teleport Proxy API endpoints.
Package webclient provides a client for the Teleport Proxy API endpoints.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL