services

package
v0.1.0-alpha.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 24, 2016 License: Apache-2.0 Imports: 17 Imported by: 669

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package services implements API services exposed by Teleport: * presence service that takes care of heratbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	Leader   = Event(1)
	Follower = Event(2)
)
View Source
const (
	// TokenRoleAuth specifies
	TokenRoleAuth = "Auth"
	TokenRoleNode = "Node"
)

Variables

This section is empty.

Functions

func JoinTokenRole

func JoinTokenRole(token, role string) (ouputToken string, e error)

func SplitTokenRole

func SplitTokenRole(outputToken string) (token, role string, e error)

Types

type AuthorizedKey

type AuthorizedKey struct {
	// ID is a unique key id
	ID string `json:"id"`
	// Value is a value of the public key
	Value []byte `json:"value"`
}

AuthorizedKey is a public key that is authorized to access SSH servers

type BkKeysService

type BkKeysService struct {
	// contains filtered or unexported fields
}

func NewBkKeysService

func NewBkKeysService(backend backend.Backend) *BkKeysService

type CAService

type CAService struct {
	// contains filtered or unexported fields
}

CAService is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

func NewCAService

func NewCAService(backend backend.Backend) *CAService

NewCAService returns new instance of CAService

func (*CAService) DeleteCertAuthority

func (s *CAService) DeleteCertAuthority(id CertAuthID) error

DeleteCertAuthority deletes particular certificate authority

func (*CAService) GetCertAuthorities

func (s *CAService) GetCertAuthorities(caType CertAuthType) ([]*CertAuthority, error)

GetCertAuthorities returns a list of authorities of a given type without signing keys loaded

func (*CAService) GetCertAuthority

func (s *CAService) GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*CAService) UpsertCertAuthority

func (s *CAService) UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error

UpsertCertAuthority updates or inserts a new certificate authority

type CertAuthID added in v1.0.0

type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}

CertAuthID - id of certificate authority (it's type and domain name)

func (*CertAuthID) Check added in v1.0.0

func (c *CertAuthID) Check() error

Check returns error if any of the id parameters are bad, nil otherwise

func (*CertAuthID) String added in v1.0.0

func (c *CertAuthID) String() string

type CertAuthType added in v1.0.0

type CertAuthType string

CertAuthType specifies certificate authority type, user or host

const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)

func (CertAuthType) Check added in v1.0.0

func (c CertAuthType) Check() error

Check checks if certificate authority type value is correct

type CertAuthority added in v1.0.0

type CertAuthority struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}

CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func NewTestCA

func NewTestCA(caType CertAuthType, domainName string) *CertAuthority

NewTestCA returns new test authority with a test key as a public and signing key

func (*CertAuthority) Check added in v1.0.0

func (ca *CertAuthority) Check() error

Check checks if all passed parameters are valid

func (*CertAuthority) Checkers added in v1.0.0

func (ca *CertAuthority) Checkers() ([]ssh.PublicKey, error)

Checkers returns public keys that can be used to check cert authorities

func (*CertAuthority) FirstSigningKey added in v1.0.0

func (ca *CertAuthority) FirstSigningKey() ([]byte, error)

FirstSigningKey returns first signing key or returns error if it's not here

func (*CertAuthority) ID added in v1.0.0

func (ca *CertAuthority) ID() *CertAuthID

ID returns id (consisting of domain name and type) that identifies the authority this key belongs to

func (*CertAuthority) Signers added in v1.0.0

func (ca *CertAuthority) Signers() ([]ssh.Signer, error)

Signers returns a list of signers that could be used to sign keys

type CommandLabel

type CommandLabel struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabel is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabels

type CommandLabels map[string]CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type Event

type Event int

type LeaderElectionService

type LeaderElectionService struct {
	// contains filtered or unexported fields
}

func NewLeaderElectionService

func NewLeaderElectionService(backend backend.Backend, path []string, serverID string) *LeaderElectionService

func (*LeaderElectionService) AcquireMaster

func (les *LeaderElectionService) AcquireMaster() bool

func (*LeaderElectionService) Disable

func (les *LeaderElectionService) Disable()

func (*LeaderElectionService) Start

func (les *LeaderElectionService) Start()

func (*LeaderElectionService) Subscribe

func (les *LeaderElectionService) Subscribe(c chan Event)

type LockService

type LockService struct {
	// contains filtered or unexported fields
}

func NewLockService

func NewLockService(backend backend.Backend) *LockService

func (*LockService) AcquireLock

func (s *LockService) AcquireLock(token string, ttl time.Duration) error

Grab a lock that will be released automatically in ttl time

func (*LockService) ReleaseLock

func (s *LockService) ReleaseLock(token string) error

type PresenceService

type PresenceService struct {
	// contains filtered or unexported fields
}

PresenceService records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

func NewPresenceService

func NewPresenceService(backend backend.Backend) *PresenceService

NewPresenceService returns new presence service instance

func (*PresenceService) DeleteReverseTunnel

func (s *PresenceService) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by it's domain name

func (*PresenceService) GetAuthServers

func (s *PresenceService) GetAuthServers() ([]Server, error)

GetAuthServers returns a list of registered servers

func (*PresenceService) GetNodes

func (s *PresenceService) GetNodes() ([]Server, error)

GetNodes returns a list of registered servers

func (*PresenceService) GetProxies

func (s *PresenceService) GetProxies() ([]Server, error)

GetProxies returns a list of registered proxies

func (*PresenceService) GetReverseTunnels

func (s *PresenceService) GetReverseTunnels() ([]ReverseTunnel, error)

GetReverseTunnels returns a list of registered servers

func (*PresenceService) UpsertAuthServer

func (s *PresenceService) UpsertAuthServer(server Server, ttl time.Duration) error

UpsertAuthServer registers auth server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertNode

func (s *PresenceService) UpsertNode(server Server, ttl time.Duration) error

UpsertNode registers node presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertProxy

func (s *PresenceService) UpsertProxy(server Server, ttl time.Duration) error

UpsertProxy registers proxy server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second

func (*PresenceService) UpsertReverseTunnel

func (s *PresenceService) UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error

UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently

type ProvisionToken

type ProvisionToken struct {
	Role string        `json:"role"`
	TTL  time.Duration `json:"-"`
}

ProvisionToken stores metadata about some provisioning token

type ProvisioningService

type ProvisioningService struct {
	// contains filtered or unexported fields
}

ProvisioningService governs adding new nodes to the cluster

func NewProvisioningService

func NewProvisioningService(backend backend.Backend) *ProvisioningService

NewProvisioningService returns a new instance of provisioning service

func (*ProvisioningService) DeleteToken

func (s *ProvisioningService) DeleteToken(token string) error

func (*ProvisioningService) GetToken

func (s *ProvisioningService) GetToken(token string) (*ProvisionToken, error)

GetToken finds and returns token by id

func (*ProvisioningService) UpsertToken

func (s *ProvisioningService) UpsertToken(token, role string, ttl time.Duration) error

UpsertToken adds provisioning tokens for the auth server

type ReverseTunnel added in v1.0.0

type ReverseTunnel struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}

ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved

func (*ReverseTunnel) Check added in v1.0.0

func (r *ReverseTunnel) Check() error

Check returns nil if all parameters are good, error otherwise

type Server

type Server struct {
	ID        string                  `json:"id"`
	Addr      string                  `json:"addr"`
	Hostname  string                  `json:"hostname"`
	Labels    map[string]string       `json:"labels"`
	CmdLabels map[string]CommandLabel `json:"cmd_labels"`
}

Server represents a node in a Teleport cluster

func (*Server) LabelsMap added in v1.0.0

func (s *Server) LabelsMap() map[string]string

LabelsMap returns the full key:value map of both static labels and "command labels"

func (*Server) LabelsString added in v1.0.0

func (s *Server) LabelsString() string

LabelsString returns a comma separated string with all node's labels

func (*Server) MatchAgainst added in v1.0.0

func (s *Server) MatchAgainst(labels map[string]string) bool

MatchAgainst takes a map of labels and returns True if this server has ALL of them

Any server matches against an empty label set

type ServicesTestSuite

type ServicesTestSuite struct {
	CAS           *CAService
	LockS         *LockService
	PresenceS     *PresenceService
	ProvisioningS *ProvisioningService
	WebS          *WebService
	ChangesC      chan interface{}
}

func NewServicesTestSuite

func NewServicesTestSuite(backend backend.Backend) *ServicesTestSuite

func (*ServicesTestSuite) CertAuthCRUD

func (s *ServicesTestSuite) CertAuthCRUD(c *C)

func (*ServicesTestSuite) Locking

func (s *ServicesTestSuite) Locking(c *C)

func (*ServicesTestSuite) PasswordCRUD

func (s *ServicesTestSuite) PasswordCRUD(c *C)

func (*ServicesTestSuite) PasswordGarbage

func (s *ServicesTestSuite) PasswordGarbage(c *C)

func (*ServicesTestSuite) PasswordHashCRUD

func (s *ServicesTestSuite) PasswordHashCRUD(c *C)

func (*ServicesTestSuite) ReverseTunnelsCRUD

func (s *ServicesTestSuite) ReverseTunnelsCRUD(c *C)

func (*ServicesTestSuite) ServerCRUD

func (s *ServicesTestSuite) ServerCRUD(c *C)

func (*ServicesTestSuite) TokenCRUD

func (s *ServicesTestSuite) TokenCRUD(c *C)

func (*ServicesTestSuite) UsersCRUD

func (s *ServicesTestSuite) UsersCRUD(c *C)

func (*ServicesTestSuite) WebSessionCRUD

func (s *ServicesTestSuite) WebSessionCRUD(c *C)

type SignupToken

type SignupToken struct {
	Token           string   `json:"token"`
	User            string   `json:"user"`
	Hotp            []byte   `json:"hotp"`
	HotpFirstValues []string `json:"hotp_first_values"`
	HotpQR          []byte   `json:"hotp_qr"`
	AllowedLogins   []string `json:"allowed_logins"`
}

SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed

type Site added in v1.0.0

type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}

Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.

The CA is represented by an auth server (or multiple auth servers, if running in HA mode)

type User added in v1.0.0

type User struct {
	// Name is a user name
	Name string `json:"name"`

	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`
}

User is an optional user entry in the database

type WebService

type WebService struct {
	SignupMutex *sync.Mutex
	// contains filtered or unexported fields
}

WebService is responsible for managing web users and currently user accounts as well

func NewWebService

func NewWebService(backend backend.Backend) *WebService

NewWebService returns new instance of WebService

func (*WebService) CheckPassword

func (s *WebService) CheckPassword(user string, password []byte, hotpToken string) error

CheckPassword is called on web user or tsh user login

func (*WebService) CheckPasswordWOToken

func (s *WebService) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking HOTP tokens used in case of SSH authentication, when token has been validated

func (*WebService) DeleteSignupToken

func (s *WebService) DeleteSignupToken(token string) error

DeleteSignupToken deletes signup token from the storage

func (*WebService) DeleteUser

func (s *WebService) DeleteUser(user string) error

DeleteUser deletes a user with all the keys from the backend

func (*WebService) DeleteWebSession

func (s *WebService) DeleteWebSession(user, sid string) error

DeleteWebSession deletes web session from the storage

func (*WebService) GetHOTP

func (s *WebService) GetHOTP(user string) (*hotp.HOTP, error)

GetHOTP gets HOTP token state for a user

func (*WebService) GetPasswordHash

func (s *WebService) GetPasswordHash(user string) ([]byte, error)

GetPasswordHash returns the password hash for a given user

func (*WebService) GetSignupToken

func (s *WebService) GetSignupToken(token string) (*SignupToken, error)

GetSignupToken returns signup token data

func (*WebService) GetUser

func (s *WebService) GetUser(user string) (*User, error)

GetUser returns a user by name

func (*WebService) GetUsers

func (s *WebService) GetUsers() ([]User, error)

GetUsers returns a list of users registered with the local auth server

func (*WebService) GetWebSession

func (s *WebService) GetWebSession(user, sid string) (*WebSession, error)

GetWebSession returns a web session state for a given user and session id

func (*WebService) GetWebSessionsKeys

func (s *WebService) GetWebSessionsKeys(user string) ([]AuthorizedKey, error)

GetWebSessionsKeys returns public keys associated with the session

func (*WebService) UpsertHOTP

func (s *WebService) UpsertHOTP(user string, otp *hotp.HOTP) error

UpsertHOTP upserts HOTP state for user

func (*WebService) UpsertPassword

func (s *WebService) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword upserts new password and HOTP token

func (*WebService) UpsertPasswordHash

func (s *WebService) UpsertPasswordHash(user string, hash []byte) error

UpsertPasswordHash upserts user password hash

func (*WebService) UpsertSignupToken

func (s *WebService) UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error

UpsertSignupToken upserts signup token - one time token that lets user to create a user account

func (*WebService) UpsertUser

func (s *WebService) UpsertUser(user User) error

UpsertUser updates parameters about user

func (*WebService) UpsertWebSession

func (s *WebService) UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error

UpsertWebSession updates or inserts a web session for a user and session id

type WebSession

type WebSession struct {
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}

WebSession stores key and value used to authenticate with SSH notes on behalf of user

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL