Overview ¶
Package cache implements an event-driven cache layer that is used by auth servers, proxies and nodes.
The cache fetches resources and then subscribes to the events watcher to receive updates.
This approach allows the cache to stay up to date without time-based expiration and avoids re-fetching all resources, reducing bandwidth.
There are two types of cache backends used:
* SQLite-based in-memory cache used for auth nodes
* SQLite-based on-disk persistent cache for nodes and proxies, providing resiliency in the face of auth server failures.
Index ¶
- Constants
- type Cache
- func (c *Cache) Close() error
- func (c *Cache) GetAllTunnelConnections(opts ...services.MarshalOption) (conns []types.TunnelConnection, err error)
- func (c *Cache) GetApp(ctx context.Context, name string) (types.Application, error)
- func (c *Cache) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
- func (c *Cache) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
- func (c *Cache) GetApps(ctx context.Context) ([]types.Application, error)
- func (c *Cache) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
- func (c *Cache) GetAuthServers() ([]types.Server, error)
- func (c *Cache) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadSigningKeys bool, ...) ([]types.CertAuthority, error)
- func (c *Cache) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, ...) (types.CertAuthority, error)
- func (c *Cache) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
- func (c *Cache) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
- func (c *Cache) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
- func (c *Cache) GetDatabase(ctx context.Context, name string) (types.Database, error)
- func (c *Cache) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
- func (c *Cache) GetDatabases(ctx context.Context) ([]types.Database, error)
- func (c *Cache) GetInstaller(ctx context.Context, name string) (types.Installer, error)
- func (c *Cache) GetInstallers(ctx context.Context) ([]types.Installer, error)
- func (c *Cache) GetKubeServices(ctx context.Context) ([]types.Server, error)
- func (c *Cache) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
- func (c *Cache) GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
- func (c *Cache) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
- func (c *Cache) GetLock(ctx context.Context, name string) (types.Lock, error)
- func (c *Cache) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
- func (c *Cache) GetNamespace(name string) (*types.Namespace, error)
- func (c *Cache) GetNamespaces() ([]types.Namespace, error)
- func (c *Cache) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
- func (c *Cache) GetNode(ctx context.Context, namespace, name string) (types.Server, error)
- func (c *Cache) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
- func (c *Cache) GetProxies() ([]types.Server, error)
- func (c *Cache) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (c *Cache) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (c *Cache) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
- func (c *Cache) GetRole(ctx context.Context, name string) (types.Role, error)
- func (c *Cache) GetRoles(ctx context.Context) ([]types.Role, error)
- func (c *Cache) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
- func (c *Cache) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
- func (c *Cache) GetStaticTokens() (types.StaticTokens, error)
- func (c *Cache) GetToken(ctx context.Context, name string) (types.ProvisionToken, error)
- func (c *Cache) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
- func (c *Cache) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (c *Cache) GetUser(name string, withSecrets bool) (user types.User, err error)
- func (c *Cache) GetUsers(withSecrets bool) (users []types.User, err error)
- func (c *Cache) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (c *Cache) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (c *Cache) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
- func (c *Cache) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
- func (c *Cache) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
- func (c *Cache) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
- func (c *Cache) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
- func (c *Cache) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
- func (c *Cache) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
- func (c *Cache) Start() error
- type Config
- func ForApps(cfg Config) Config
- func ForAuth(cfg Config) Config
- func ForDatabases(cfg Config) Config
- func ForDiscovery(cfg Config) Config
- func ForKubernetes(cfg Config) Config
- func ForNode(cfg Config) Config
- func ForOldRemoteProxy(cfg Config) Config
- func ForProxy(cfg Config) Config
- func ForRemoteProxy(cfg Config) Config
- func ForWindowsDesktop(cfg Config) Config
- type Event
- type SetupConfigFn
Constants ¶
// Lifecycle notifications emitted by the cache. NOTE(review): these look like
// the values carried in Event.Type (see the Event type, "used in tests") —
// confirm against the emitting code.
const (
	// EventProcessed is emitted whenever an event is processed.
	EventProcessed = "event_processed"
	// WatcherStarted is emitted when a new event watcher is started.
	WatcherStarted = "watcher_started"
	// WatcherFailed is emitted when the event watcher has failed.
	WatcherFailed = "watcher_failed"
	// Reloading is emitted when an error occurred while watching events
	// and the cache is waiting to create a new watcher.
	Reloading = "reloading_cache"
	// RelativeExpiry notifies that relative expiry operations have
	// been run.
	RelativeExpiry = "relative_expiry"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cache ¶
// Cache is the event-driven cache layer. It embeds its Config, so the
// configured services and timeouts are reachable directly on the Cache.
type Cache struct {
	Config
	// Entry is a logging entry
	*log.Entry
	// contains filtered or unexported fields
}
Cache implements the auth.Cache interface and remembers the previously returned upstream value for each API call.
This can be used if the upstream AccessPoint goes offline.
func (*Cache) GetAllTunnelConnections ¶
func (c *Cache) GetAllTunnelConnections(opts ...services.MarshalOption) (conns []types.TunnelConnection, err error)
GetAllTunnelConnections is a part of the auth.Cache implementation.
func (*Cache) GetAppSession ¶
func (c *Cache) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
GetAppSession gets an application web session.
func (*Cache) GetApplicationServers ¶
func (c *Cache) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
GetApplicationServers returns all registered application servers.
func (*Cache) GetAuthPreference ¶
GetAuthPreference gets the cluster authentication config.
func (*Cache) GetAuthServers ¶
GetAuthServers returns a list of registered auth servers.
func (*Cache) GetCertAuthorities ¶
func (c *Cache) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadSigningKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
GetCertAuthorities returns a list of authorities of a given type. loadSigningKeys controls whether signing keys should be loaded or not.
func (*Cache) GetCertAuthority ¶
func (c *Cache) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
GetCertAuthority returns the certificate authority with the given id. The loadSigningKeys parameter controls whether signing keys are loaded.
func (*Cache) GetClusterAuditConfig ¶
func (c *Cache) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
GetClusterAuditConfig gets ClusterAuditConfig from the backend.
func (*Cache) GetClusterName ¶
func (c *Cache) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
GetClusterName gets the name of the cluster from the backend.
func (*Cache) GetClusterNetworkingConfig ¶
func (c *Cache) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend.
func (*Cache) GetDatabase ¶
GetDatabase returns the specified database resource.
func (*Cache) GetDatabaseServers ¶
func (c *Cache) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
GetDatabaseServers returns all registered database proxy servers.
func (*Cache) GetDatabases ¶
GetDatabases returns all database resources.
func (*Cache) GetInstaller ¶
GetInstaller gets the installer script resource for the cluster
func (*Cache) GetInstallers ¶
GetInstallers gets all the installer script resources for the cluster
func (*Cache) GetKubeServices ¶
GetKubeServices is a part of the auth.Cache implementation.
DELETE IN 12.0.0. Deprecated: use GetKubernetesServers.
func (*Cache) GetKubernetesCluster ¶
GetKubernetesCluster returns the specified kubernetes cluster resource.
func (*Cache) GetKubernetesClusters ¶
GetKubernetesClusters returns all kubernetes cluster resources.
func (*Cache) GetKubernetesServers ¶
GetKubernetesServers is a part of the auth.Cache implementation.
func (*Cache) GetLocks ¶
func (c *Cache) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
GetLocks gets all/in-force locks that match at least one of the targets when specified.
func (*Cache) GetNamespace ¶
GetNamespace returns the namespace with the given name.
func (*Cache) GetNamespaces ¶
GetNamespaces is a part of the auth.Cache implementation.
func (*Cache) GetNetworkRestrictions ¶
GetNetworkRestrictions gets the network restrictions.
func (*Cache) GetProxies ¶
GetProxies is a part of the auth.Cache implementation.
func (*Cache) GetRemoteCluster ¶
func (c *Cache) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
GetRemoteCluster returns a remote cluster by name.
func (*Cache) GetRemoteClusters ¶
func (c *Cache) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
GetRemoteClusters returns a list of remote clusters.
func (*Cache) GetReverseTunnels ¶
func (c *Cache) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
GetReverseTunnels is a part of the auth.Cache implementation.
func (*Cache) GetSessionRecordingConfig ¶
func (c *Cache) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
GetSessionRecordingConfig gets session recording configuration.
func (*Cache) GetSnowflakeSession ¶
func (c *Cache) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
GetSnowflakeSession gets Snowflake web session.
func (*Cache) GetStaticTokens ¶
func (c *Cache) GetStaticTokens() (types.StaticTokens, error)
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*Cache) GetTunnelConnections ¶
func (c *Cache) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
GetTunnelConnections is a part of the auth.Cache implementation.
func (*Cache) GetWebSession ¶
func (c *Cache) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession gets a regular web session.
func (*Cache) GetWebToken ¶
func (c *Cache) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken gets a web token.
func (*Cache) GetWindowsDesktopService ¶
func (c *Cache) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
GetWindowsDesktopService returns a registered Windows desktop service by name.
func (*Cache) GetWindowsDesktopServices ¶
func (c *Cache) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
GetWindowsDesktopServices returns all registered Windows desktop services.
func (*Cache) GetWindowsDesktops ¶
func (c *Cache) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
GetWindowsDesktops returns all registered Windows desktop hosts.
func (*Cache) ListResources ¶
func (c *Cache) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
ListResources is a part of the auth.Cache implementation.
func (*Cache) ListWindowsDesktopServices ¶
func (c *Cache) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
ListWindowsDesktopServices returns all registered Windows desktop services.
func (*Cache) ListWindowsDesktops ¶
func (c *Cache) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
ListWindowsDesktops returns all registered Windows desktop hosts.
func (*Cache) NewWatcher ¶
NewWatcher returns a new event watcher. In the case of a cache, this watcher will return events as seen by the cache, not the backend. This feature allows the auth server to handle subscribers connected to the in-memory caches instead of reading from the backend.
type Config ¶
// Config defines the cache configuration parameters: the services whose
// resources are cached, the local backend that holds the cached copies, and
// the timeouts and limits that govern watcher startup, retries and expiry.
type Config struct {
	// Context is context for parent operations
	Context context.Context
	// Watches provides a list of resources
	// for the cache to watch
	Watches []types.WatchKind
	// Events provides events watchers
	Events types.Events
	// Trust is a service providing information about certificate
	// authorities
	Trust services.Trust
	// ClusterConfig is a cluster configuration service
	ClusterConfig services.ClusterConfiguration
	// Provisioner is a provisioning service
	Provisioner services.Provisioner
	// Users is a users service
	Users services.UsersService
	// Access is an access service
	Access services.Access
	// DynamicAccess is a dynamic access service
	DynamicAccess services.DynamicAccessCore
	// Presence is a presence service
	Presence services.Presence
	// Restrictions is a restrictions service
	Restrictions services.Restrictions
	// Apps is an apps service.
	Apps services.Apps
	// Kubernetes is a kubernetes service.
	Kubernetes services.Kubernetes
	// Databases is a databases service.
	Databases services.Databases
	// SnowflakeSession holds Snowflake sessions.
	SnowflakeSession services.SnowflakeSession
	// AppSession holds application sessions.
	AppSession services.AppSession
	// WebSession holds regular web sessions.
	WebSession types.WebSessionInterface
	// WebToken holds web tokens.
	WebToken types.WebTokenInterface
	// WindowsDesktops is a windows desktop service.
	WindowsDesktops services.WindowsDesktops
	// Backend is a backend for the local cache
	Backend backend.Backend
	// MaxRetryPeriod is the maximum period between cache retries on failures
	MaxRetryPeriod time.Duration
	// WatcherInitTimeout is the maximum acceptable delay for an
	// OpInit after a watcher has been started (default=1m).
	WatcherInitTimeout time.Duration
	// CacheInitTimeout is the maximum amount of time that cache.New
	// will block, waiting for initialization (default=20s).
	CacheInitTimeout time.Duration
	// RelativeExpiryCheckInterval determines how often the cache performs special
	// "relative expiration" checks which are used to compensate for real backends
	// that suffer from overly lazy ttl'ing of resources.
	RelativeExpiryCheckInterval time.Duration
	// RelativeExpiryLimit determines the maximum number of nodes that may be
	// removed during relative expiration.
	RelativeExpiryLimit int
	// EventsC is a channel for event notifications,
	// used in tests
	EventsC chan Event
	// Clock can be set to control time,
	// uses runtime clock by default
	Clock clockwork.Clock
	// Component is a component used in logs
	Component string
	// MetricComponent is a component used in metrics
	MetricComponent string
	// QueueSize is a desired queue Size
	QueueSize int
	// Tracer is used to create spans
	Tracer oteltrace.Tracer
	// Unstarted indicates that the cache should not be started during New. The
	// cache is usable before it's started, but it will always hit the backend.
	Unstarted bool
	// contains filtered or unexported fields
}
Config defines the cache configuration parameters.
func ForDatabases ¶
ForDatabases sets up watch configuration for database proxy servers.
func ForDiscovery ¶
ForDiscovery sets up watch configuration for discovery servers.
func ForKubernetes ¶
ForKubernetes sets up watch configuration for a kubernetes service.
func ForOldRemoteProxy ¶
ForOldRemoteProxy sets up watch configuration for older remote proxies. The Watches defined here are a copy of those defined in ForRemoteProxy in the v10 branch.
func ForRemoteProxy ¶
ForRemoteProxy sets up watch configuration for remote proxies.
func ForWindowsDesktop ¶
ForWindowsDesktop sets up watch configuration for a Windows desktop service.
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks the parameters and sets default values.
type Event ¶
// Event is a notification used in tests, delivered on Config.EventsC.
type Event struct {
	// Type is event type
	Type string
	// Event is event processed
	// by the event cycle
	Event types.Event
}
Event is an event used in tests.
type SetupConfigFn ¶
SetupConfigFn is a function that sets up the configuration for the cache.