Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

aws

package

v1.2.3-fred.7 Latest Latest Go to latest Published: Oct 20, 2022 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Index ¶

Constants
func GetAndReplaceReqBody(req *http.Request) ([]byte, error)
func IsSignedByAWSSigV4(r *http.Request) bool
func NewSigner(credentials *credentials.Credentials, signingServiceName string) *v4.Signer
func VerifyAWSSignature(req *http.Request, credentials *credentials.Credentials) error
type Role
type Roles
- func FilterAWSRoles(arns []string, accountID string) (result Roles)
type SigV4
- func ParseSigV4(header string) (*SigV4, error)

Constants ¶

View Source

const (
	// AmazonSigV4AuthorizationPrefix is AWS Authorization prefix indicating that the request
	// was signed by AWS Signature Version 4.
	// https://github.com/aws/aws-sdk-go/blob/main/aws/signer/v4/v4.go#L83
	// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
	AmazonSigV4AuthorizationPrefix = "AWS4-HMAC-SHA256"

	// AmzDateTimeFormat is time format used in X-Amz-Date header.
	// https://github.com/aws/aws-sdk-go/blob/main/aws/signer/v4/v4.go#L84
	AmzDateTimeFormat = "20060102T150405Z"

	// AmzDateHeader is header name containing timestamp when signature was generated.
	// https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
	AmzDateHeader = "X-Amz-Date"

	AuthorizationHeader = "Authorization"
)

Variables ¶

This section is empty.

Functions ¶

func GetAndReplaceReqBody ¶

func GetAndReplaceReqBody(req *http.Request) ([]byte, error)

GetAndReplaceReqBody returns the request and replace the drained body reader with io.NopCloser allowing for further body processing by http transport.

func IsSignedByAWSSigV4 ¶

func IsSignedByAWSSigV4(r *http.Request) bool

IsSignedByAWSSigV4 checks is the request was signed by AWS Signature Version 4 algorithm. https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

func VerifyAWSSignature ¶

func VerifyAWSSignature(req *http.Request, credentials *credentials.Credentials) error

VerifyAWSSignature verifies the request signature ensuring that the request originates from tsh aws command execution AWS CLI signs the request with random generated credentials that are passed to LocalProxy by the AWSCredentials LocalProxyConfig configuration.

Types ¶

type Role ¶

type Role struct {
	// Name is the full role name with the entire path.
	Name string `json:"name"`
	// Display is the role display name.
	Display string `json:"display"`
	// ARN is the full role ARN.
	ARN string `json:"arn"`
}

Role describes an AWS IAM role for AWS console access.

type Roles ¶

type Roles []Role

Roles is a slice of roles.

func FilterAWSRoles ¶

func FilterAWSRoles(arns []string, accountID string) (result Roles)

FilterAWSRoles returns role ARNs from the provided list that belong to the specified AWS account ID.

If AWS account ID is empty, all roles are returned.

func (Roles) FindRoleByARN ¶

func (roles Roles) FindRoleByARN(arn string) (Role, bool)

FindRoleByARN finds the role with the provided ARN.

func (Roles) FindRolesByName ¶

func (roles Roles) FindRolesByName(name string) (result Roles)

FindRolesByName finds all roles matching the provided name.

func (Roles) Sort ¶

func (roles Roles) Sort()

Sort sorts the roles by their display names.

type SigV4 ¶

type SigV4 struct {
	// KeyIS is an AWS access-key-id
	KeyID string
	// Date value is specified using YYYYMMDD format.
	Date string
	// Region is an AWS Region.
	Region string
	// Service is an AWS Service.
	Service string
	// SignedHeaders is a  list of request headers that you used to compute Signature.
	SignedHeaders []string
	// Signature is the 256-bit Signature of the request.
	Signature string
}

SigV4 contains parsed content of the AWS Authorization header.

func ParseSigV4 ¶

func ParseSigV4(header string) (*SigV4, error)

ParseSigV4 AWS SigV4 credentials string sections. AWS SigV4 header example: Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

Source Files ¶

View all Source files

aws.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL