Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

common

package

v1.3.3-0...-f31c912 Latest Latest Go to latest Published: Jan 9, 2024 License: AGPL-3.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Index ¶

Variables
func HasPingSupport(protocol Protocol) bool
func IsDBTLSProtocol(protocol Protocol) bool
func IsPingProtocol(protocol Protocol) bool
func KubeLocalProxySNI(teleportCluster, kubeCluster string) string
func KubeLocalProxyWildcardDomain(teleportCluster string) string
func ProtocolsToString(protocols []Protocol) []string
func TeleportClusterFromKubeLocalProxySNI(serverName string) string
type Protocol

Constants ¶

This section is empty.

Variables ¶

View Source

var DatabaseProtocols = []Protocol{
	ProtocolPostgres,
	ProtocolMySQL,
	ProtocolMongoDB,
	ProtocolOracle,
	ProtocolRedisDB,
	ProtocolSQLServer,
	ProtocolSnowflake,
	ProtocolCassandra,
	ProtocolElasticsearch,
	ProtocolOpenSearch,
	ProtocolDynamoDB,
	ProtocolClickhouse,
}

DatabaseProtocols is the list of the database protocols supported.

View Source

var ProtocolsWithPingSupport = append(
	DatabaseProtocols,
	ProtocolTCP,
)

ProtocolsWithPingSupport is the list of protocols that Ping connection is supported. For now, only database protocols are supported.

View Source

var SupportedProtocols = WithPingProtocols(
	append([]Protocol{

		ProtocolHTTP,
		ProtocolHTTP2,
		ProtocolProxySSH,
		ProtocolReverseTunnel,
		ProtocolAuth,
		ProtocolTCP,
		ProtocolProxySSHGRPC,
		ProtocolProxyGRPCInsecure,
		ProtocolProxyGRPCSecure,
	}, DatabaseProtocols...),
)

SupportedProtocols is the list of supported ALPN protocols.

Functions ¶

func HasPingSupport ¶

func HasPingSupport(protocol Protocol) bool

HasPingSupport checks if the provided protocol supports Ping protocol.

func IsDBTLSProtocol ¶

func IsDBTLSProtocol(protocol Protocol) bool

IsDBTLSProtocol returns if DB protocol has supported native TLS protocol. where connection can be TLS terminated on ALPN proxy side. For protocol like MySQL or Postgres where custom TLS implementation is used the incoming connection needs to be forwarded to proxy database service where custom TLS handler is invoked to terminated DB connection.

func IsPingProtocol ¶

func IsPingProtocol(protocol Protocol) bool

IsPingProtocol checks if the provided protocol is suffixed with Ping.

func KubeLocalProxySNI ¶

func KubeLocalProxySNI(teleportCluster, kubeCluster string) string

KubeLocalProxySNI generates the SNI used for Kube local proxy.

func KubeLocalProxyWildcardDomain ¶

func KubeLocalProxyWildcardDomain(teleportCluster string) string

KubeLocalProxyWildcardDomain returns the wildcard domain used to generate local self-signed CA for provided Teleport cluster.

func ProtocolsToString ¶

func ProtocolsToString(protocols []Protocol) []string

ProtocolsToString converts the list of Protocols to the list of strings.

func TeleportClusterFromKubeLocalProxySNI ¶

func TeleportClusterFromKubeLocalProxySNI(serverName string) string

TeleportClusterFromKubeLocalProxySNI returns Teleport cluster name from SNI.

Types ¶

type Protocol ¶

type Protocol string

Protocol is the TLS ALPN protocol type.

const (
	// ProtocolPostgres is TLS ALPN protocol value used to indicate Postgres protocol.
	ProtocolPostgres Protocol = "teleport-postgres"

	// ProtocolMySQL is TLS ALPN protocol value used to indicate MySQL protocol.
	ProtocolMySQL Protocol = "teleport-mysql"

	// ProtocolMongoDB is TLS ALPN protocol value used to indicate Mongo protocol.
	ProtocolMongoDB Protocol = "teleport-mongodb"

	// ProtocolOracle is TLS ALPN protocol value used to indicate Oracle protocol.
	ProtocolOracle Protocol = "teleport-oracle"

	// ProtocolRedisDB is TLS ALPN protocol value used to indicate Redis protocol.
	ProtocolRedisDB Protocol = "teleport-redis"

	// ProtocolSQLServer is the TLS ALPN protocol value used to indicate SQL Server protocol.
	ProtocolSQLServer Protocol = "teleport-sqlserver"

	// ProtocolSnowflake is TLS ALPN protocol value used to indicate Snowflake protocol.
	ProtocolSnowflake Protocol = "teleport-snowflake"

	// ProtocolCassandra is the TLS ALPN protocol value used to indicate Cassandra protocol.
	ProtocolCassandra Protocol = "teleport-cassandra"

	// ProtocolElasticsearch is TLS ALPN protocol value used to indicate Elasticsearch protocol.
	ProtocolElasticsearch Protocol = "teleport-elasticsearch"

	// ProtocolOpenSearch is TLS ALPN protocol value used to indicate OpenSearch protocol.
	ProtocolOpenSearch Protocol = "teleport-opensearch"

	// ProtocolDynamoDB is TLS ALPN protocol value used to indicate DynamoDB protocol.
	ProtocolDynamoDB Protocol = "teleport-dynamodb"

	// ProtocolClickhouse is TLS ALPN protocol value used to indicate Clickhouse Protocol.
	ProtocolClickhouse Protocol = "teleport-clickhouse"

	// ProtocolProxySSH is TLS ALPN protocol value used to indicate Proxy SSH protocol.
	ProtocolProxySSH Protocol = "teleport-proxy-ssh"

	// ProtocolProxySSHGRPC is TLS ALPN protocol value used to indicate gRPC
	// traffic intended for the Teleport Proxy on the SSH port.
	ProtocolProxySSHGRPC Protocol = "teleport-proxy-ssh-grpc"

	// ProtocolReverseTunnel is TLS ALPN protocol value used to indicate Proxy reversetunnel protocol.
	ProtocolReverseTunnel Protocol = "teleport-reversetunnel"

	// ProtocolReverseTunnelV2 is TLS ALPN protocol value used to indicate reversetunnel clients
	// that are aware of proxy peering. This is only used on the client side to allow intermediate
	// load balancers to make decisions based on the ALPN header. ProtocolReverseTunnel should still
	// be included in the list of ALPN header for the proxy server to handle the connection properly.
	ProtocolReverseTunnelV2 Protocol = "teleport-reversetunnelv2"

	// ProtocolHTTP is TLS ALPN protocol value used to indicate HTTP 1.1 protocol
	ProtocolHTTP Protocol = "http/1.1"

	// ProtocolHTTP2 is TLS ALPN protocol value used to indicate HTTP2 protocol.
	ProtocolHTTP2 Protocol = "h2"

	// ProtocolDefault is default TLS ALPN value.
	ProtocolDefault Protocol = ""

	// ProtocolAuth allows dialing local/remote auth service based on SNI cluster name value.
	ProtocolAuth Protocol = "teleport-auth@"

	// ProtocolProxyGRPCInsecure is TLS ALPN protocol value used to indicate gRPC
	// traffic intended for the Teleport proxy join service.
	// Credentials are not verified since this is used for node joining.
	ProtocolProxyGRPCInsecure Protocol = "teleport-proxy-grpc"

	// ProtocolProxyGRPCSecure is TLS ALPN protocol value used to indicate gRPC
	// traffic intended for the Teleport proxy service with mTLS authentication.
	ProtocolProxyGRPCSecure Protocol = "teleport-proxy-grpc-mtls"

	// ProtocolMySQLWithVerPrefix is TLS ALPN prefix used by tsh to carry
	// MySQL server version.
	ProtocolMySQLWithVerPrefix = Protocol(string(ProtocolMySQL) + "-")

	// ProtocolTCP is TLS ALPN protocol value used to indicate plain TCP connection.
	ProtocolTCP Protocol = "teleport-tcp"

	// ProtocolPingSuffix is TLS ALPN suffix used to wrap connections with
	// Ping.
	ProtocolPingSuffix Protocol = "-ping"
)

func ProtocolWithPing ¶

func ProtocolWithPing(protocol Protocol) Protocol

ProtocolWithPing receives a protocol and returns it with the Ping protocol suffix.

func ToALPNProtocol ¶

func ToALPNProtocol(dbProtocol string) (Protocol, error)

ToALPNProtocol maps provided database protocol to ALPN protocol.

func WithPingProtocols ¶

func WithPingProtocols(protocols []Protocol) []Protocol

WithPingProtocols adds Ping protocols to the list for each protocol that supports Ping.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL