auth

package
v0.0.11 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 4, 2016 License: Apache-2.0 Imports: 35 Imported by: 387

Documentation

Overview

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

View Source
const (
	Week          = time.Hour * 24 * 7
	WebSessionTTL = time.Hour * 10
)
View Source
const (
	SignupTokenTTL            = time.Hour * 24
	SignupTokenUserActionsTTL = time.Hour
	HOTPFirstTokensRange      = 5
)
View Source
const (
	RoleAuth           = "Auth"
	RoleUser           = "User"
	RoleWeb            = "Web"
	RoleNode           = "Node"
	RoleAdmin          = "Admin"
	RoleProvisionToken = "ProvisionToken"
	RoleSignup         = "Signup"

	ActionGetSessions                   = "GetSession"
	ActionGetSession                    = "GetSession"
	ActionDeleteSession                 = "DeleteSession"
	ActionUpsertSession                 = "UpsertSession"
	ActionUpsertParty                   = "UpsertParty"
	ActionUpsertRemoteCertificate       = "UpsertRemoteCertificate"
	ActionGetRemoteCertificates         = "GetRemoteCertificates"
	ActionDeleteRemoteCertificate       = "DeleteRemoteCerts"
	ActionGetTrustedCertificates        = "GetTrustedCertificates"
	ActionGenerateToken                 = "GenerateToken"
	ActionRegisterUsingToken            = "RegisterUsingToken"
	ActionRegisterNewAuthServer         = "RegisterNewAuthServer"
	ActionLog                           = "Log"
	ActionLogEntry                      = "LogEntry"
	ActionGetEvents                     = "GetEvents"
	ActionGetChunkWriter                = "GetChunkWriter"
	ActionGetChunkReader                = "GetChunkReader"
	ActionUpsertServer                  = "UpsertServer"
	ActionGetServers                    = "GetServers"
	ActionUpsertWebTun                  = "UpsertWebTun"
	ActionGetWebTuns                    = "GetWebTuns"
	ActionGetWebTun                     = "GetWebTun"
	ActionDeleteWebTun                  = "DeleteWebTun"
	ActionUpsertPassword                = "UpsertPassword"
	ActionCheckPassword                 = "CheckPassword"
	ActionSignIn                        = "SignIn"
	ActionGetWebSession                 = "GetWebSession"
	ActionGetWebSessionsKeys            = "GetWebSessionsKeys"
	ActionDeleteWebSession              = "DeleteWebSession"
	ActionGetUsers                      = "GetUsers"
	ActionDeleteUser                    = "DeleteUser"
	ActionUpsertUserKey                 = "UpsertUserKey"
	ActionGetUserKeys                   = "GetUserKeys"
	ActionDeleteUserKey                 = "DeleteUserKey"
	ActionGetHostCertificateAuthority   = "GetHostCertificateAuthority"
	ActionGetUserCertificateAuthority   = "GetUserCertificateAuthority"
	ActionGenerateKeyPair               = "GenerateKeyPair"
	ActionGenerateHostCert              = "GenerateHostCert"
	ActionGenerateUserCert              = "GenerateUserCert"
	ActionResetHostCertificateAuthority = "ResetHostCertificateAuthority"
	ActionResetUserCertificateAuthority = "ResetUserCertificateAuthority"
	ActionGenerateSealKey               = "GenerateSealKey"
	ActionGetSealKeys                   = "GetSeakKeys"
	ActionGetSealKey                    = "GetSealKey"
	ActionDeleteSealKey                 = "DeleteSealKey"
	ActionAddSealKey                    = "AddSealKey"
	ActionCreateSignupToken             = "CreateSignupToken"
	ActionGetSignupTokenData            = "GetSignupTokenData"
	ActionCreateUserWithToken           = "CreateUserWithToken"
)
View Source
const (
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"

	AuthWebPassword = "password"
	AuthWebSession  = "session"
	AuthToken       = "provision-token"
	AuthSignupToken = "signup-token"
)
View Source
const CurrentVersion = "v1"

Variables

View Source
var TokenTTLAfterUse = time.Second * 10

Functions

func HaveKeys

func HaveKeys(domainName, dataDir string) (bool, error)

func InitKeys

func InitKeys(a *AuthServer, domainName, dataDir string) (ssh.Signer, error)

initialize this node's host certificate signed by host authority

func InitSecret

func InitSecret(dataDir, secretKey string) (secret.SecretService, error)

func NewHostAuth

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth

func NewWebPasswordAuth(user string, password []byte, hotpToken string) ([]ssh.AuthMethod, error)

func NewWebSessionAuth

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func ReadKeys

func ReadKeys(domainName, dataDir string) (ssh.Signer, error)

func ReadSecret

func ReadSecret(dataDir string) (secret.SecretService, error)

func Register

func Register(domainName, dataDir, token, role string, servers []utils.NetAddr) error

func RegisterNewAuth

func RegisterNewAuth(domainName, token string, publicSealKey encryptor.Key,
	servers []utils.NetAddr) (masterKey encryptor.Key, e error)

Types

type APIServer

type APIServer struct {
	httprouter.Router
	// contains filtered or unexported fields
}

APISrv implements http API server for authority

func NewAPIServer

func NewAPIServer(a *AuthWithRoles) *APIServer

type APIWithRoles

type APIWithRoles struct {
	// contains filtered or unexported fields
}

func NewAPIWithRoles

func NewAPIWithRoles(authServer *AuthServer, elog events.Log,
	sessions session.SessionServer, recorder recorder.Recorder,
	permChecker PermissionChecker,
	roles []string) *APIWithRoles

func (*APIWithRoles) Close

func (api *APIWithRoles) Close()

func (*APIWithRoles) HandleConn

func (api *APIWithRoles) HandleConn(conn net.Conn, role string) error

func (*APIWithRoles) Serve

func (api *APIWithRoles) Serve()

type AccessPoint

type AccessPoint interface {
	// GetServers returns a list of registered servers
	GetServers() ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertServer(s services.Server, ttl time.Duration) error

	// GetUserCAPub returns the user certificate authority public key
	GetUserCertificateAuthority() (*services.CertificateAuthority, error)

	// GetUserCAPub returns the host certificate authority public key
	GetHostCertificateAuthority() (*services.CertificateAuthority, error)

	// GetUserKeys returns a list of authorized keys for a given user
	// in a OpenSSH key authorized_keys format
	GetUserKeys(user string) ([]services.AuthorizedKey, error)

	// GetWebSessionsKeys returns a list of generated public keys
	// associated with user web session
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

	// GetRemoteCerts returns a list of trusted remote certificates
	GetRemoteCertificates(certType, domainName string) ([]services.CertificateAuthority, error)

	// GetTrustedCerts returns a list of trusted certificates
	GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)
}

AccessPoint is a interface needed by nodes to control the access to the node, and provide heartbeats

type AccessPointDialer

type AccessPointDialer func() (net.Conn, error)

AccessPointDialer dials to auth access point remote HTTP api

type AuthServer

AuthServer implements key signing, generation and ACL functionality used by teleport

func Init

func Init(cfg InitConfig) (*AuthServer, ssh.Signer, error)

func NewAuthServer

func NewAuthServer(bk *encryptedbk.ReplicatedBackend, a Authority,
	scrt secret.SecretService, hostname string) *AuthServer

func (*AuthServer) CreateSignupToken

func (s *AuthServer) CreateSignupToken(user string) (token string, e error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*AuthServer) CreateUserWithToken

func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) error

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) DeleteToken

func (s *AuthServer) DeleteToken(outputToken string) error

func (*AuthServer) DeleteWebSession

func (s *AuthServer) DeleteWebSession(user string, sid session.SecureID) error

func (*AuthServer) GenerateHostCert

func (s *AuthServer) GenerateHostCert(
	key []byte, id, hostname, role string,
	ttl time.Duration) ([]byte, error)

GenerateHostCert generates host certificate, it takes pkey as a signing private key (host certificate authority)

func (*AuthServer) GenerateToken

func (s *AuthServer) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

func (*AuthServer) GenerateUserCert

func (s *AuthServer) GenerateUserCert(
	key []byte, id, username string, ttl time.Duration) ([]byte, error)

GenerateHostCert generates user certificate, it takes pkey as a signing private key (user certificate authority)

func (*AuthServer) GetSignupTokenData

func (s *AuthServer) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetWebSession

func (s *AuthServer) GetWebSession(user string, sid session.SecureID) (*Session, error)

func (*AuthServer) NewWebSession

func (s *AuthServer) NewWebSession(user string) (*Session, error)

func (*AuthServer) RegisterNewAuthServer

func (s *AuthServer) RegisterNewAuthServer(domainName, outputToken string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*AuthServer) RegisterUsingToken

func (s *AuthServer) RegisterUsingToken(outputToken, domainName, role string) (keys PackedKeys, e error)

func (*AuthServer) ResetHostCertificateAuthority

func (s *AuthServer) ResetHostCertificateAuthority(pass string) error

ResetHostCertificateAuthority generates host certificate authority and updates the backend

func (*AuthServer) ResetUserCertificateAuthority

func (s *AuthServer) ResetUserCertificateAuthority(pass string) error

ResetHostCertificateAuthority generates user certificate authority and updates the backend

func (*AuthServer) SignIn

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)

func (*AuthServer) UpsertUserKey

func (s *AuthServer) UpsertUserKey(
	user string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

UpsertUserKey takes user's public key, generates certificate for it and adds it to the authorized keys database. It returns certificate signed by user Certificate Authority in case of success, error otherwise. The certificate will be valid for the duration of the ttl passed in.

func (*AuthServer) UpsertWebSession

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error

func (*AuthServer) ValidateToken

func (s *AuthServer) ValidateToken(token, domainName string) (role string, e error)

type AuthWithRoles

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles

func NewAuthWithRoles(authServer *AuthServer, permChecker PermissionChecker,
	elog events.Log, sessions session.SessionServer,
	role string, recorder recorder.Recorder) *AuthWithRoles

func (*AuthWithRoles) AddSealKey

func (a *AuthWithRoles) AddSealKey(key encryptor.Key) error

func (*AuthWithRoles) CheckPassword

func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error

func (*AuthWithRoles) CreateSignupToken

func (a *AuthWithRoles) CreateSignupToken(user string) (token string, e error)

func (*AuthWithRoles) CreateUserWithToken

func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) error

func (*AuthWithRoles) DeleteRemoteCertificate

func (a *AuthWithRoles) DeleteRemoteCertificate(ctype string, domainName, id string) error

func (*AuthWithRoles) DeleteSealKey

func (a *AuthWithRoles) DeleteSealKey(keyID string) error

func (*AuthWithRoles) DeleteSession

func (a *AuthWithRoles) DeleteSession(id string) error

func (*AuthWithRoles) DeleteUser

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteUserKey

func (a *AuthWithRoles) DeleteUserKey(username string, id string) error

func (*AuthWithRoles) DeleteWebSession

func (a *AuthWithRoles) DeleteWebSession(user string, sid websession.SecureID) error

func (*AuthWithRoles) DeleteWebTun

func (a *AuthWithRoles) DeleteWebTun(prefix string) error

func (*AuthWithRoles) GenerateHostCert

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, id, hostname, role string,
	ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateSealKey

func (a *AuthWithRoles) GenerateSealKey(keyName string) (encryptor.Key, error)

func (*AuthWithRoles) GenerateToken

func (a *AuthWithRoles) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

func (*AuthWithRoles) GenerateUserCert

func (a *AuthWithRoles) GenerateUserCert(key []byte, id, user string, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GetChunkReader

func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

func (*AuthWithRoles) GetChunkWriter

func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

func (*AuthWithRoles) GetEvents

func (a *AuthWithRoles) GetEvents(filter events.Filter) ([]lunk.Entry, error)

func (*AuthWithRoles) GetHostCertificateAuthority

func (a *AuthWithRoles) GetHostCertificateAuthority() (*services.CertificateAuthority, error)

func (*AuthWithRoles) GetRemoteCertificates

func (a *AuthWithRoles) GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)

func (*AuthWithRoles) GetSealKey

func (a *AuthWithRoles) GetSealKey(keyID string) (encryptor.Key, error)

func (*AuthWithRoles) GetSealKeys

func (a *AuthWithRoles) GetSealKeys() ([]encryptor.Key, error)

func (*AuthWithRoles) GetServers

func (a *AuthWithRoles) GetServers() ([]services.Server, error)

func (*AuthWithRoles) GetSession

func (a *AuthWithRoles) GetSession(id string) (*session.Session, error)

func (*AuthWithRoles) GetSessions

func (a *AuthWithRoles) GetSessions() ([]session.Session, error)

func (*AuthWithRoles) GetSignupTokenData

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

func (*AuthWithRoles) GetTrustedCertificates

func (a *AuthWithRoles) GetTrustedCertificates(ctype string) ([]services.CertificateAuthority, error)

func (*AuthWithRoles) GetUserCertificateAuthority

func (a *AuthWithRoles) GetUserCertificateAuthority() (*services.CertificateAuthority, error)

func (*AuthWithRoles) GetUserKeys

func (a *AuthWithRoles) GetUserKeys(user string) ([]services.AuthorizedKey, error)

func (*AuthWithRoles) GetUsers

func (a *AuthWithRoles) GetUsers() ([]string, error)

func (*AuthWithRoles) GetWebSession

func (a *AuthWithRoles) GetWebSession(user string, sid websession.SecureID) (*Session, error)

func (*AuthWithRoles) GetWebSessionsKeys

func (a *AuthWithRoles) GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

func (*AuthWithRoles) GetWebTun

func (a *AuthWithRoles) GetWebTun(prefix string) (*services.WebTun, error)

func (*AuthWithRoles) GetWebTuns

func (a *AuthWithRoles) GetWebTuns() ([]services.WebTun, error)

func (*AuthWithRoles) Log

func (a *AuthWithRoles) Log(id lunk.EventID, e lunk.Event)

func (*AuthWithRoles) LogEntry

func (a *AuthWithRoles) LogEntry(en lunk.Entry) error

func (*AuthWithRoles) RegisterNewAuthServer

func (a *AuthWithRoles) RegisterNewAuthServer(domainName, token string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*AuthWithRoles) RegisterUsingToken

func (a *AuthWithRoles) RegisterUsingToken(token, domainName, role string) (keys PackedKeys, e error)

func (*AuthWithRoles) ResetHostCertificateAuthority

func (a *AuthWithRoles) ResetHostCertificateAuthority(pass string) error

func (*AuthWithRoles) ResetUserCertificateAuthority

func (a *AuthWithRoles) ResetUserCertificateAuthority(pass string) error

func (*AuthWithRoles) SignIn

func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)

func (*AuthWithRoles) UpsertParty

func (a *AuthWithRoles) UpsertParty(id string, p session.Party, ttl time.Duration) error

func (*AuthWithRoles) UpsertPassword

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)

func (*AuthWithRoles) UpsertRemoteCertificate

func (a *AuthWithRoles) UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error

func (*AuthWithRoles) UpsertServer

func (a *AuthWithRoles) UpsertServer(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertSession

func (a *AuthWithRoles) UpsertSession(id string, ttl time.Duration) error

func (*AuthWithRoles) UpsertUserKey

func (a *AuthWithRoles) UpsertUserKey(username string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) UpsertWebTun

func (a *AuthWithRoles) UpsertWebTun(wt services.WebTun, ttl time.Duration) error

type Authority

type Authority interface {
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert generates host certificate, it takes pkey as a signing
	// private key (host certificate authority)
	GenerateHostCert(pkey, key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)

	// GenerateHostCert generates user certificate, it takes pkey as a signing
	// private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, id, username string, ttl time.Duration) ([]byte, error)
}

Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates

type Client

type Client struct {
	roundtrip.Client
}

Certificate authority endpoints control user and host Certificate Authorities. They are central mechanism for authenticating users and hosts within the cluster.

Client is HTTP API client that connects to the remote server

func NewClient

func NewClient(addr string, params ...roundtrip.ClientParam) (*Client, error)

func NewClientFromNetAddr

func NewClientFromNetAddr(
	a utils.NetAddr, params ...roundtrip.ClientParam) (*Client, error)

func (*Client) AddSealKey

func (c *Client) AddSealKey(key encryptor.Key) error

AddBackendKey adds the given encrypting key. If backend works not in readonly mode, backend makes a copy of the data using the key for encryption

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string,
	password []byte, hotpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) CreateSignupToken

func (c *Client) CreateSignupToken(user string) (token string, e error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*Client) CreateUserWithToken

func (c *Client) CreateUserWithToken(token, password, hotpToken string) error

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*Client) Delete

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteRemoteCertificate

func (c *Client) DeleteRemoteCertificate(ctype string, domainName, id string) error

func (*Client) DeleteSealKey

func (c *Client) DeleteSealKey(keyID string) error

DeleteBackendKey deletes the backend encrypting key and all the data encrypted with the key

func (*Client) DeleteSession

func (c *Client) DeleteSession(id string) error

func (*Client) DeleteUser

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteUserKey

func (c *Client) DeleteUserKey(username string, id string) error

DeleteUserKey deletes a key by id for a given user

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) DeleteWebTun

func (c *Client) DeleteWebTun(prefix string) error

DeleteWebTun deletes the tunnel by prefix

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateSealKey

func (c *Client) GenerateSealKey(keyName string) (encryptor.Key, error)

GenerateBackendKey generates a new backend encrypting key with the given id and then backend makes a copy of all the data using the generated key for encryption

func (*Client) GenerateToken

func (c *Client) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

GenerateToken creates a special provisioning token for the SSH server with the specified domainName that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

The token can be used only once and only to generate the domainName specified in it.

func (*Client) GenerateUserCert

func (c *Client) GenerateUserCert(
	key []byte, id, user string, ttl time.Duration) ([]byte, error)

GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetChunkReader

func (c *Client) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

func (*Client) GetChunkWriter

func (c *Client) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

func (*Client) GetEvents

func (c *Client) GetEvents(filter events.Filter) ([]lunk.Entry, error)

func (*Client) GetHostCertificateAuthority

func (c *Client) GetHostCertificateAuthority() (*services.CertificateAuthority, error)

Returns host certificate authority public key. This public key is used to validate if host certificates were signed by the proper key.

func (*Client) GetRemoteCertificates

func (c *Client) GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)

func (*Client) GetSealKey

func (c *Client) GetSealKey(keyID string) (encryptor.Key, error)

GetBackendKeys returns the backend encrypting key.

func (*Client) GetSealKeys

func (c *Client) GetSealKeys() ([]encryptor.Key, error)

GetBackendKeys returns IDs of all the backend encrypting keys that this server has

func (*Client) GetServers

func (c *Client) GetServers() ([]services.Server, error)

GetServers returns the list of servers registered in the cluster.

func (*Client) GetSession

func (c *Client) GetSession(id string) (*session.Session, error)

func (*Client) GetSessions

func (c *Client) GetSessions() ([]session.Session, error)

func (*Client) GetSignupTokenData

func (c *Client) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetTrustedCertificates

func (c *Client) GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)

func (*Client) GetUserCertificateAuthority

func (c *Client) GetUserCertificateAuthority() (*services.CertificateAuthority, error)

Returns user certificate authority public key. This public key is used to check if the users certificate is valid and was signed by this authority.

func (*Client) GetUserKeys

func (c *Client) GetUserKeys(user string) ([]services.AuthorizedKey, error)

GetUserKeys returns a list of keys registered for this user. This list does not include the temporary keys associated with user web sessions.

func (*Client) GetUsers

func (c *Client) GetUsers() ([]string, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSession

func (c *Client) GetWebSession(user string, sid string) (string, error)

GetWebSession check if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) GetWebSessionsKeys

func (c *Client) GetWebSessionsKeys(
	user string) ([]services.AuthorizedKey, error)

GetWebSessionKeys returns the list of temporary keys generated for this user web session. Each web session has a temporary user ssh key and certificate generated, that is stored for the duration of this web session. These keys are used to access SSH servers via web portal.

func (*Client) GetWebTun

func (c *Client) GetWebTun(prefix string) (*services.WebTun, error)

GetWebTun retruns the web tunel details by it unique prefix

func (*Client) GetWebTuns

func (c *Client) GetWebTuns() ([]services.WebTun, error)

GetWebTuns returns a list of web tunnels supported by the system

func (*Client) Log

func (c *Client) Log(id lunk.EventID, e lunk.Event)

func (*Client) LogEntry

func (c *Client) LogEntry(en lunk.Entry) error

func (*Client) PostForm

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) RegisterNewAuthServer

func (c *Client) RegisterNewAuthServer(domainName, token string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(token, domainName, role string) (PackedKeys, error)

func (*Client) ResetHostCertificateAuthority

func (c *Client) ResetHostCertificateAuthority() error

All host certificate keys will have to be regenerated and all SSH nodes will have to be re-provisioned after calling this method.

func (*Client) ResetUserCertificateAuthority

func (c *Client) ResetUserCertificateAuthority() error

Regenerates user certificate authority private key. User authority certificate is used to sign User SSH public keys, so auth server can check if that is a valid key before even hitting the database.

All user certificates will have to be regenerated.

func (*Client) SignIn

func (c *Client) SignIn(user string, password []byte) (string, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) UpsertParty

func (c *Client) UpsertParty(id string, p session.Party, ttl time.Duration) error

func (*Client) UpsertPassword

func (c *Client) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword updates web access password for the user

func (*Client) UpsertRemoteCertificate

func (c *Client) UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error

func (*Client) UpsertServer

func (c *Client) UpsertServer(s services.Server, ttl time.Duration) error

UpsertServer is used by SSH servers to reprt their presense to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertSession

func (c *Client) UpsertSession(id string, ttl time.Duration) error

func (*Client) UpsertUserKey

func (c *Client) UpsertUserKey(username string,
	key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

UpsertUserKey takes public key of the user, generates certificate for it and adds it to the authorized keys database. It returns certificate signed by user Certificate Authority in case of success, error otherwise. The certificate will be valid for the duration of the ttl passed in.

func (*Client) UpsertWebTun

func (c *Client) UpsertWebTun(wt services.WebTun, ttl time.Duration) error

UpsertWebTun creates a persistent SSH tunnel to the specified web target server that is valid for ttl period. See services.WebTun documentation for details

type ClientI

type ClientI interface {
	GetSessions() ([]session.Session, error)
	GetSession(id string) (*session.Session, error)
	DeleteSession(id string) error
	UpsertSession(id string, ttl time.Duration) error
	UpsertParty(id string, p session.Party, ttl time.Duration) error
	UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error
	GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)
	DeleteRemoteCertificate(ctype string, domainName, id string) error
	GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)
	GenerateToken(domainName, role string, ttl time.Duration) (string, error)
	RegisterUsingToken(token, domainName, role string) (keys PackedKeys, e error)
	RegisterNewAuthServer(domainName, token string, publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)
	Log(id lunk.EventID, e lunk.Event)
	LogEntry(en lunk.Entry) error
	GetEvents(filter events.Filter) ([]lunk.Entry, error)
	GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
	GetChunkReader(id string) (recorder.ChunkReadCloser, error)
	UpsertServer(s services.Server, ttl time.Duration) error
	GetServers() ([]services.Server, error)
	UpsertWebTun(wt services.WebTun, ttl time.Duration) error
	GetWebTuns() ([]services.WebTun, error)
	GetWebTun(prefix string) (*services.WebTun, error)
	DeleteWebTun(prefix string) error
	UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
	CheckPassword(user string, password []byte, hotpToken string) error
	SignIn(user string, password []byte) (string, error)
	GetWebSession(user string, sid string) (string, error)
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)
	DeleteWebSession(user string, sid string) error
	GetUsers() ([]string, error)
	DeleteUser(user string) error
	UpsertUserKey(username string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)
	GetUserKeys(user string) ([]services.AuthorizedKey, error)
	DeleteUserKey(username string, id string) error
	GetHostCertificateAuthority() (*services.CertificateAuthority, error)
	GetUserCertificateAuthority() (*services.CertificateAuthority, error)
	GenerateKeyPair(pass string) ([]byte, []byte, error)
	GenerateHostCert(key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)
	GenerateUserCert(key []byte, id, user string, ttl time.Duration) ([]byte, error)
	ResetHostCertificateAuthority() error
	ResetUserCertificateAuthority() error
	GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
	CreateUserWithToken(token, password, hotpToken string) error
}

TOODO(klizhentas) this should be just including appropriate backends

type Config

type Config struct {
	Backend backend.Backend
	Addr    string
}

type InitConfig

type InitConfig struct {
	Backend            *encryptedbk.ReplicatedBackend
	Authority          Authority
	DomainName         string
	AuthDomain         string
	DataDir            string
	SecretKey          string
	AllowedTokens      map[string]string
	TrustedAuthorities []services.CertificateAuthority
	// HostCA is an optional host certificate authority keypair
	HostCA *services.LocalCertificateAuthority
	// UserCA is an optional user certificate authority keypair
	UserCA *services.LocalCertificateAuthority
}

type PackedKeys

type PackedKeys struct {
	Key  []byte `json:"key"`
	Cert []byte `json:"cert"`
}

type PermissionChecker

type PermissionChecker interface {
	HasPermission(role, action string) error
}

func NewAllowAllPermissions

func NewAllowAllPermissions() PermissionChecker

func NewStandardPermissions

func NewStandardPermissions() PermissionChecker

type ServerOption

type ServerOption func(s *TunServer) error

type Session

type Session struct {
	SID session.SecureID
	PID session.PlainID
	WS  services.WebSession
}

type TunClient

type TunClient struct {
	Client
	// contains filtered or unexported fields
}

func NewTunClient

func NewTunClient(addr utils.NetAddr, user string, auth []ssh.AuthMethod) (*TunClient, error)

func (*TunClient) Close

func (c *TunClient) Close() error

func (*TunClient) GetAgent

func (c *TunClient) GetAgent() (agent.Agent, error)

func (*TunClient) GetDialer

func (c *TunClient) GetDialer() AccessPointDialer

type TunDialer

type TunDialer struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*TunDialer) Close

func (t *TunDialer) Close() error

func (*TunDialer) Dial

func (t *TunDialer) Dial(network, address string) (net.Conn, error)

func (*TunDialer) GetAgent

func (t *TunDialer) GetAgent() (agent.Agent, error)

type TunServer

type TunServer struct {
	// contains filtered or unexported fields
}

func NewTunServer

func NewTunServer(addr utils.NetAddr, hostSigners []ssh.Signer,
	apiServer *APIWithRoles, a *AuthServer,
	limiter *limiter.Limiter,
	opts ...ServerOption) (*TunServer, error)

New returns an unstarted server

func (*TunServer) Addr

func (s *TunServer) Addr() string

func (*TunServer) Close

func (s *TunServer) Close() error

func (*TunServer) HandleNewChan

func (s *TunServer) HandleNewChan(sconn *ssh.ServerConn, nch ssh.NewChannel)

func (*TunServer) Start

func (s *TunServer) Start() error

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL