Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

postgres

package

v1.2.3-fred.11 Latest Latest Go to latest Published: Oct 31, 2022 License: Apache-2.0 Imports: 22 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Overview ¶

Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like, psql or pgAdmin) and Postgres database servers with full protocol awareness.

It understands Postgres wire protocol version 3 which is supported by Postgres 7.4 and later:

https://www.postgresql.org/docs/13/protocol-flow.html https://www.postgresql.org/docs/13/protocol-message-formats.html

The package provides the following main types:

Proxy. Runs inside Teleport proxy and proxies connections from Postgres clients to appropriate database servers over reverse tunnel.
Engine. Runs inside Teleport database service, accepts connections coming from proxy over reversetunnel and proxies them to databases.
TestServer. Fake Postgres server that implements a small part of its wire protocol, used in functional tests.

Protocol --------

When connecting to a database server (or a Teleport proxy in our case), Postgres clients start on a plain connection to check whether the server supports TLS and then upgrade the connection.

Because of that, the proxy implements a part of the startup protocol that indicates TLS support to the client to get it to send a client certificate and extracts the identity/routing information from it.

After that proxy hands off the connection to an appropriate database server based on the extracted routing info over reverse tunnel.

The database server in turn connects to the database and starts relaying messages between the database and the client.

The sequence diagram roughly looks like this:

psql proxy

|                       |
| ---- SSLRequest ----> |
|                       |
| <------  'S' -------- |
|                       |
| -- StartupMessage --> |                     engine
|                       |                       |
|                       | -- StartupMessage --> |                  Postgres
|                       |                       |                     |
|                       |                       | ----- connect ----> |
|                       |                       |                     |
| <-------------- ReadyForQuery --------------- |                     |
|                       |                       |                     |
| ------------------------------ Query -----------------------------> |
| <---------------------------- DataRow ----------------------------- |
| <------------------------- ReadyForQuery -------------------------- |
|                       |                       |                     |
| ----------------------------- Terminate --------------------------> |
|                       |                       |                     |

Index ¶

Variables
func MakeTestClient(ctx context.Context, config common.TestClientConfig) (*pgconn.PgConn, error)
type Engine
type Proxy
- func (p *Proxy) HandleConnection(ctx context.Context, clientConn net.Conn) (err error)
type TestServer
- func NewTestServer(config common.TestServerConfig) (svr *TestServer, err error)

Constants ¶

This section is empty.

Variables ¶

View Source

var TestQueryResponse = &pgconn.Result{
	FieldDescriptions: []pgproto3.FieldDescription{{Name: []byte("test-field")}},
	Rows:              [][][]byte{{[]byte("test-value")}},
	CommandTag:        pgconn.CommandTag("select 1"),
}

TestQueryResponse is the response test Postgres server sends to every query.

Functions ¶

func MakeTestClient ¶

func MakeTestClient(ctx context.Context, config common.TestClientConfig) (*pgconn.PgConn, error)

MakeTestClient returns Postgres client connection according to the provided parameters.

Types ¶

type Engine ¶

type Engine struct {
	// EngineConfig is the common database engine configuration.
	common.EngineConfig
	// contains filtered or unexported fields
}

Engine implements the Postgres database service that accepts client connections coming over reverse tunnel from the proxy and proxies them between the proxy and the Postgres database instance.

Implements common.Engine.

func (*Engine) HandleConnection ¶

func (e *Engine) HandleConnection(ctx context.Context, sessionCtx *common.Session) error

HandleConnection processes the connection from Postgres proxy coming over reverse tunnel.

It handles all necessary startup actions, authorization and acts as a middleman between the proxy and the database intercepting and interpreting all messages i.e. doing protocol parsing.

func (*Engine) InitializeConnection ¶

func (e *Engine) InitializeConnection(clientConn net.Conn, sessionCtx *common.Session) error

InitializeConnection initializes the client connection.

func (*Engine) SendError ¶

func (e *Engine) SendError(err error)

SendError sends an error to connected client in a Postgres understandable format.

type Proxy ¶

type Proxy struct {
	// TLSConfig is the proxy TLS configuration.
	TLSConfig *tls.Config
	// Middleware is the auth middleware.
	Middleware *auth.Middleware
	// Service is used to connect to a remote database service.
	Service common.Service
	// Log is used for logging.
	Log logrus.FieldLogger
	// Limiter limits the number of active connections per client IP.
	Limiter *limiter.Limiter
}

Proxy proxies connections from Postgres clients to database services over reverse tunnel. It runs inside Teleport proxy service.

Implements common.Proxy.

func (*Proxy) HandleConnection ¶

func (p *Proxy) HandleConnection(ctx context.Context, clientConn net.Conn) (err error)

HandleConnection accepts connection from a Postgres client, authenticates it and proxies it to an appropriate database service.

type TestServer ¶

type TestServer struct {
	// contains filtered or unexported fields
}

TestServer is a test Postgres server used in functional database access tests.

It supports a very small subset of Postgres wire protocol that can:

Accept a TLS connection from Postgres client.
Reply with the same TestQueryResponse to every query the client sends.
Recognize terminate messages from clients closing connections.

func NewTestServer ¶

func NewTestServer(config common.TestServerConfig) (svr *TestServer, err error)

NewTestServer returns a new instance of a test Postgres server.

func (*TestServer) Close ¶

func (s *TestServer) Close() error

Close closes the server listener.

func (*TestServer) ParametersCh ¶

func (s *TestServer) ParametersCh() chan map[string]string

ParametersCh returns channel that receives startup message parameters.

func (*TestServer) Port ¶

func (s *TestServer) Port() string

Port returns the port server is listening on.

func (*TestServer) QueryCount ¶

func (s *TestServer) QueryCount() uint32

QueryCount returns the number of queries the server has received.

func (*TestServer) Serve ¶

func (s *TestServer) Serve() error

Serve starts serving client connections.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL