Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

web

package

v1.3.2 Latest Latest Go to latest Published: Jan 4, 2017 License: Apache-2.0 Imports: 43 Imported by: 59

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Links

Open Source Insights

Documentation ¶

Overview ¶

Package web implements web proxy handler that provides web interface to view and connect to teleport nodes

Index ¶

Constants
func ClearSession(w http.ResponseWriter) error
func ConstructSSHResponse(response *auth.OIDCAuthResponse) (*url.URL, error)
func CreateSignupLink(hostPort string, token string) string
func EncodeCookie(user, sid string) (string, error)
func NewStaticFileSystem(debugMode bool) (http.FileSystem, error)
func Ping(proxyAddr string, insecure bool, pool *x509.CertPool) error
func SetSession(w http.ResponseWriter, user, sid string) error
type Config
type CreateSessionResponse
- func NewSessionResponse(ctx *SessionContext) (*CreateSessionResponse, error)
type Handler
- func NewHandler(cfg Config, opts ...HandlerOption) (*Handler, error)
- func (h *Handler) AuthenticateRequest(w http.ResponseWriter, r *http.Request, checkBearerToken bool) (*SessionContext, error)
- func (m *Handler) Close() error
- func (h *Handler) String() string
type HandlerOption
- func SetSessionStreamPollPeriod(period time.Duration) HandlerOption
type ResourceMap
- func (rm ResourceMap) Open(name string) (http.File, error)
type SSHLoginResponse
- func SSHAgentLogin(proxyAddr, user, password, hotpToken string, pubKey []byte, ttl time.Duration, ...) (*SSHLoginResponse, error)
- func SSHAgentOIDCLogin(proxyAddr, connectorID string, pubKey []byte, ttl time.Duration, insecure bool, ...) (*SSHLoginResponse, error)
- func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.Duration, ...) (*SSHLoginResponse, error)
type Server
type SessionContext
- func (c *SessionContext) AddClosers(closers ...io.Closer)
- func (c *SessionContext) Close() error
- func (c *SessionContext) ExtendWebSession() (*auth.Session, error)
- func (c *SessionContext) GetAgent() (auth.AgentCloser, error)
- func (c *SessionContext) GetClient() (auth.ClientI, error)
- func (c *SessionContext) GetUser() string
- func (c *SessionContext) GetWebSession() *auth.Session
- func (c *SessionContext) Invalidate() error
- func (c *SessionContext) TransferClosers() []io.Closer
- func (c *SessionContext) UpdateSessionTerminal(sessionID session.ID, params session.TerminalParams) error
type SessionCookie
- func DecodeCookie(b string) (*SessionCookie, error)

Constants ¶

View Source

const (
	// HTTPS is https prefix
	HTTPS = "https"
	// WSS is secure web sockets prefix
	WSS = "wss"
)

View Source

const APIVersion = "v1"

Version is a current webapi version

Variables ¶

This section is empty.

Functions ¶

func ClearSession ¶ added in v1.0.0

func ClearSession(w http.ResponseWriter) error

func ConstructSSHResponse ¶ added in v1.0.0

func ConstructSSHResponse(response *auth.OIDCAuthResponse) (*url.URL, error)

ConstructSSHResponse creates a special SSH response for SSH login method that encodes everything using the client's secret key

func CreateSignupLink ¶

func CreateSignupLink(hostPort string, token string) string

CreateSignupLink generates and returns a URL which is given to a new user to complete registration with Teleport via Web UI

func EncodeCookie ¶

func EncodeCookie(user, sid string) (string, error)

func NewStaticFileSystem ¶ added in v1.2.6

func NewStaticFileSystem(debugMode bool) (http.FileSystem, error)

NewStaticFileSystem returns the initialized implementation of http.FileSystem interface which can be used to serve Teleport Proxy Web UI

If 'debugMode' is true, it will load the web assets from the same git repo directory where the executable is, otherwise it will load them from the embedded zip archive.

func Ping ¶ added in v1.0.0

func Ping(proxyAddr string, insecure bool, pool *x509.CertPool) error

Ping is used to validate HTTPS endpoing of Teleport proxy. This leads to better user experience: they get connection errors before being asked for passwords

func SetSession ¶ added in v1.0.0

func SetSession(w http.ResponseWriter, user, sid string) error

Types ¶

type Config ¶ added in v1.0.0

type Config struct {
	// Proxy is a reverse tunnel proxy that handles connections
	// to various sites
	Proxy reversetunnel.Server
	// AuthServers is a list of auth servers this proxy talks to
	AuthServers utils.NetAddr
	// DomainName is a domain name served by web handler
	DomainName string
	// ProxyClient is a client that authenticated as proxy
	ProxyClient auth.ClientI
	// DisableUI allows to turn off serving web based UI
	DisableUI bool
}

Config represents web handler configuration parameters

type CreateSessionResponse ¶ added in v1.0.0

type CreateSessionResponse struct {
	// Type is token type (bearer)
	Type string `json:"type"`
	// Token value
	Token string `json:"token"`
	// User represents the user
	User services.User `json:"user"`
	// ExpiresIn sets seconds before this token is not valid
	ExpiresIn int `json:"expires_in"`
}

CreateSessionResponse returns OAuth compabible data about access token: https://tools.ietf.org/html/rfc6749

func NewSessionResponse ¶ added in v1.0.0

func NewSessionResponse(ctx *SessionContext) (*CreateSessionResponse, error)

type Handler ¶ added in v1.0.0

type Handler struct {
	sync.Mutex
	httprouter.Router
	// contains filtered or unexported fields
}

Handler is HTTP web proxy handler

func NewHandler ¶ added in v1.0.0

func NewHandler(cfg Config, opts ...HandlerOption) (*Handler, error)

NewHandler returns a new instance of web proxy handler

func (*Handler) AuthenticateRequest ¶ added in v1.0.0

func (h *Handler) AuthenticateRequest(w http.ResponseWriter, r *http.Request, checkBearerToken bool) (*SessionContext, error)

authenticateRequest authenticates request using combination of a session cookie and bearer token

func (*Handler) Close ¶ added in v1.0.0

func (m *Handler) Close() error

Close closes associated session cache operations

func (*Handler) String ¶ added in v1.0.0

func (h *Handler) String() string

type HandlerOption ¶ added in v1.0.0

type HandlerOption func(h *Handler) error

HandlerOption is a functional argument - an option that can be passed to NewHandler function

func SetSessionStreamPollPeriod ¶ added in v1.0.0

func SetSessionStreamPollPeriod(period time.Duration) HandlerOption

SetSessionStreamPollPeriod sets polling period for session streams

type ResourceMap ¶ added in v1.2.6

type ResourceMap map[string]*zip.File

func (ResourceMap) Open ¶ added in v1.2.6

func (rm ResourceMap) Open(name string) (http.File, error)

type SSHLoginResponse ¶ added in v1.0.0

type SSHLoginResponse struct {
	// User contains a logged in user informationn
	Username string `json:"username"`
	// Cert is a signed certificate
	Cert []byte `json:"cert"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy
	HostSigners []services.CertAuthority `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy

func SSHAgentLogin ¶

func SSHAgentLogin(proxyAddr, user, password, hotpToken string, pubKey []byte, ttl time.Duration, insecure bool, pool *x509.CertPool) (*SSHLoginResponse, error)

SSHAgentLogin issues call to web proxy and receives temp certificate if credentials are valid

proxyAddr must be specified as host:port

func SSHAgentOIDCLogin ¶ added in v1.0.0

func SSHAgentOIDCLogin(proxyAddr, connectorID string, pubKey []byte, ttl time.Duration, insecure bool, pool *x509.CertPool) (*SSHLoginResponse, error)

SSHAgentOIDCLogin is used by SSH Agent to login using OpenID connect

func SSHAgentU2FLogin ¶ added in v1.3.0

func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.Duration, insecure bool, pool *x509.CertPool) (*SSHLoginResponse, error)

SSHAgentU2FLogin requests a U2F sign request (authentication challenge) via the proxy. If the credentials are valid, the proxy wiil return a challenge. We then call the official u2f-host binary to perform the signing and pass the signature to the proxy. If the authentication succeeds, we will get a temporary certificate back

type Server ¶

type Server struct {
	http.Server
}

type SessionContext ¶ added in v1.0.0

type SessionContext struct {
	sync.Mutex
	*log.Entry
	// contains filtered or unexported fields
}

SessionContext is a context associated with users' web session, it stores connected client that persists between requests for example to avoid connecting to the auth server on every page hit

func (*SessionContext) AddClosers ¶ added in v1.0.0

func (c *SessionContext) AddClosers(closers ...io.Closer)

func (*SessionContext) Close ¶ added in v1.0.0

func (c *SessionContext) Close() error

Close cleans up connections associated with requests

func (*SessionContext) ExtendWebSession ¶ added in v1.0.0

func (c *SessionContext) ExtendWebSession() (*auth.Session, error)

ExtendWebSession creates a new web session for this user based on the previous session

func (*SessionContext) GetAgent ¶ added in v1.0.0

func (c *SessionContext) GetAgent() (auth.AgentCloser, error)

GetAgent returns agent that can we used to answer challenges for the web to ssh connection

func (*SessionContext) GetClient ¶ added in v1.0.0

func (c *SessionContext) GetClient() (auth.ClientI, error)

GetClient returns the client connected to the auth server

func (*SessionContext) GetUser ¶ added in v1.0.0

func (c *SessionContext) GetUser() string

GetUser returns the authenticated teleport user

func (*SessionContext) GetWebSession ¶ added in v1.0.0

func (c *SessionContext) GetWebSession() *auth.Session

GetWebSession returns a web session

func (*SessionContext) Invalidate ¶ added in v1.0.0

func (c *SessionContext) Invalidate() error

func (*SessionContext) TransferClosers ¶ added in v1.0.0

func (c *SessionContext) TransferClosers() []io.Closer

func (*SessionContext) UpdateSessionTerminal ¶ added in v1.0.0

func (c *SessionContext) UpdateSessionTerminal(sessionID session.ID, params session.TerminalParams) error

type SessionCookie ¶ added in v1.0.0

type SessionCookie struct {
	User string `json:"user"`
	SID  string `json:"sid"`
}

SessionCookie stores information about active user and session

func DecodeCookie ¶

func DecodeCookie(b string) (*SessionCookie, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL