Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

app

package

v1.2.3-fred.6 Latest Latest Go to latest Published: Oct 20, 2022 License: Apache-2.0 Imports: 33 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Overview ¶

Package app connections to applications over a reverse tunnel and forwards HTTP requests to them.

Index ¶

Constants
func HasClientCert(r *http.Request) bool
func HasFragment(r *http.Request) bool
func HasName(r *http.Request, proxyPublicAddrs []utils.NetAddr) (string, bool)
func HasSession(r *http.Request) bool
func Match(ctx context.Context, authClient Getter, fn Matcher) ([]types.AppServer, error)
func ResolveFQDN(ctx context.Context, clt Getter, tunnel reversetunnel.Tunnel, ...) (types.AppServer, string, error)
func SetRedirectPageHeaders(h http.Header, nonce string)
type Getter
type Handler
- func NewHandler(ctx context.Context, c *HandlerConfig) (*Handler, error)
- func (h *Handler) HandleConnection(ctx context.Context, clientConn net.Conn) error
- func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type HandlerConfig
- func (c *HandlerConfig) CheckAndSetDefaults() error
type Matcher

Constants ¶

View Source

const (
	// CookieName is the name of the application session cookie.
	CookieName = "__Host-grv_app_session"

	// AuthStateCookieName is the name of the state cookie used during the
	// initial authentication flow.
	AuthStateCookieName = "__Host-grv_app_auth_state"
)

Variables ¶

This section is empty.

Functions ¶

func HasClientCert ¶

func HasClientCert(r *http.Request) bool

HasClientCert checks if the request has a client certificate.

func HasFragment ¶

func HasFragment(r *http.Request) bool

HasFragment checks if the request is coming to the fragment authentication endpoint.

func HasName ¶

func HasName(r *http.Request, proxyPublicAddrs []utils.NetAddr) (string, bool)

HasName checks if the client is attempting to connect to a host that is different than the public address of the proxy. If it is, it redirects back to the application launcher in the Web UI.

func HasSession ¶

func HasSession(r *http.Request) bool

HasSession checks if an application specific cookie exists.

func Match ¶

func Match(ctx context.Context, authClient Getter, fn Matcher) ([]types.AppServer, error)

Match will match a list of applications with the passed in matcher function. Matcher functions that can match on public address and name are available. The resulting list is shuffled before it is returned.

func ResolveFQDN ¶

func ResolveFQDN(ctx context.Context, clt Getter, tunnel reversetunnel.Tunnel, proxyDNSNames []string, fqdn string) (types.AppServer, string, error)

ResolveFQDN makes a best effort attempt to resolve FQDN to an application running a root or leaf cluster.

Note: This function can incorrectly resolve application names. For example, if you have an application named "acme" within both the root and leaf cluster, this method will always return "acme" running within the root cluster. Always supply public address and cluster name to deterministically resolve an application.

func SetRedirectPageHeaders ¶

func SetRedirectPageHeaders(h http.Header, nonce string)

Types ¶

type Getter ¶

type Getter interface {
	// GetApplicationServers returns registered application servers.
	GetApplicationServers(context.Context, string) ([]types.AppServer, error)

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}

Getter returns a list of registered apps and the local cluster name.

type Handler ¶

type Handler struct {
	// contains filtered or unexported fields
}

Handler is an application handler.

func NewHandler ¶

func NewHandler(ctx context.Context, c *HandlerConfig) (*Handler, error)

NewHandler returns a new application handler.

func (*Handler) HandleConnection ¶

func (h *Handler) HandleConnection(ctx context.Context, clientConn net.Conn) error

HandleConnection handles connections from plain TCP applications.

func (*Handler) ServeHTTP ¶

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP hands the request to the request router.

type HandlerConfig ¶

type HandlerConfig struct {
	// Clock is used to control time in tests.
	Clock clockwork.Clock
	// AuthClient is a direct client to auth.
	AuthClient auth.ClientI
	// AccessPoint is caching client to auth.
	AccessPoint auth.ProxyAccessPoint
	// ProxyClient holds connections to leaf clusters.
	ProxyClient reversetunnel.Tunnel
	// CipherSuites is the list of TLS cipher suites that have been configured
	// for this process.
	CipherSuites []uint16
	// WebPublicAddr
	WebPublicAddr string
}

HandlerConfig is the configuration for an application handler.

func (*HandlerConfig) CheckAndSetDefaults ¶

func (c *HandlerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults validates configuration.

type Matcher ¶

type Matcher func(types.AppServer) bool

Matcher allows matching on different properties of an application.

func MatchAll ¶

func MatchAll(matchers ...Matcher) Matcher

MatchAll matches if all the Matcher functions return true.

func MatchHealthy ¶

func MatchHealthy(proxyClient reversetunnel.Tunnel, identity *tlsca.Identity) Matcher

MatchHealthy tries to establish a connection with the server using the `dialAppServer` function. The app server is matched if the function call doesn't return any error.

func MatchName ¶

func MatchName(name string) Matcher

MatchName matches on the name of an application.

func MatchPublicAddr ¶

func MatchPublicAddr(publicAddr string) Matcher

MatchPublicAddr matches on the public address of an application.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL