services

package
v2.0.0-alpha.7+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 19, 2017 License: Apache-2.0 Imports: 15 Imported by: 669

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	// DefaultAPIGroup is a default group of permissions API,
	// lets us to add different permission types
	DefaultAPIGroup = "gravitational.io/teleport"

	// ActionRead grants read access (get, list)
	ActionRead = "read"

	// ActionWrite allows to write (create, update, delete)
	ActionWrite = "write"

	// Wildcard is a special wildcard character matching everything
	Wildcard = "*"

	// KindNamespace is a namespace
	KindNamespace = "namespace"

	// KindUser is a user resource
	KindUser = "user"

	// KindKeyPair is a public/private key pair
	KindKeyPair = "key_pair"

	// KindHostCert is a host certificate
	KindHostCert = "host_cert"

	// KindRole is a role resource
	KindRole = "role"

	// KindOIDC is oidc connector resource
	KindOIDC = "oidc"

	// KindOIDCReques is oidc auth request resource
	KindOIDCRequest = "oidc_request"

	// KindSession is a recorded session resource
	KindSession = "session"

	// KindWebSession is a web session resource
	KindWebSession = "web_session"

	// KindEvent is structured audit logging event
	KindEvent = "event"

	// KindAuthServer is auth server resource
	KindAuthServer = "auth_server"

	// KindProxy is proxy resource
	KindProxy = "proxy"

	// KindNode is node resource
	KindNode = "node"

	// KindToken is a provisioning token resource
	KindToken = "token"

	// KindCertAuthority is a certificate authority resource
	KindCertAuthority = "cert_authority"

	// KindReverseTunnel is a reverse tunnel connection
	KindReverseTunnel = "tunnel"

	// KindOIDCConnector is a OIDC connector resource
	KindOIDCConnector = "oidc"

	// V2 is our current version
	V2 = "v2"

	// V1 is our first version
	// resources were not explicitly versioned at that point
	V1 = "v1"
)
View Source
const CertAuthoritySpecV2Schema = `` /* 506-byte string literal not displayed */

CertAuthoritySpecV2Schema is JSON schema for cert authority V2

View Source
const ClaimMappingSchema = `` /* 296-byte string literal not displayed */

ClaimMappingSchema is JSON schema for claim mapping

View Source
const CreatedBySchema = `` /* 486-byte string literal not displayed */
View Source
const LoginStatusSchema = `` /* 242-byte string literal not displayed */
View Source
const MetadataSchema = `` /* 383-byte string literal not displayed */

MetadataSchema is a schema for resource metadata

View Source
const NamespaceSchemaTemplate = `` /* 258-byte string literal not displayed */
View Source
const NamespaceSpecSchema = `{
  "type": "object",
  "additionalProperties": false,
  "default": {}
}`
View Source
const OIDCConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */

OIDCConnectorV2SchemaTemplate is a template JSON Schema for user

View Source
const OIDCIDentitySchema = `` /* 158-byte string literal not displayed */
View Source
const ReverseTunnelSpecV2Schema = `` /* 263-byte string literal not displayed */

ReverseTunnelSpecV2Schema is JSON schema for reverse tunnel spec

View Source
const RoleSpecSchemaTemplate = `` /* 625-byte string literal not displayed */
View Source
const ServerSpecV2Schema = `` /* 680-byte string literal not displayed */

ServerSpecV2Schema is JSON schema for server

View Source
const UserSpecV2SchemaTemplate = `` /* 322-byte string literal not displayed */

UserSpecV2SchemaTemplate is JSON schema for V2 user

View Source
const V2SchemaTemplate = `` /* 252-byte string literal not displayed */

V2SchemaTemplate is a template JSON Schema for V2 style objects

View Source
const WebSessionSpecV2Schema = `` /* 379-byte string literal not displayed */

WebSessionSpecV2Schema is JSON schema for cert authority V2

Variables

View Source
var OIDCConnectorSpecV2Schema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["issuer_url", "client_id", "client_secret", "redirect_url"],
  "properties": {
    "issuer_url": {"type": "string"},
    "client_id": {"type": "string"},
    "client_secret": {"type": "string"},
    "redirect_url": {"type": "string"},
    "display": {"type": "string"},
    "scope": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "claims_to_roles": {
      "type": "array",
      "items": %v
    }
  }
}`, ClaimMappingSchema)

OIDCConnectorSpecV2Schema is a JSON Schema for OIDC Connector

Functions

func ConvertV1CertAuthority

func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)

ConvertV1CertAuthority converts V1 cert authority for new CA and Role

func GetCertAuthoritySchema

func GetCertAuthoritySchema() string

GetCertAuthoritySchema returns JSON Schema for cert authorities

func GetClaimNames

func GetClaimNames(claims jose.Claims) []string

GetClaimNames returns a list of claim names from the claim values

func GetNamespaceSchema

func GetNamespaceSchema() string

GetNamespaceSchema returns namespace schema

func GetOIDCConnectorSchema

func GetOIDCConnectorSchema() string

GetOIDCConnectorSchema returns schema for OIDCConnector

func GetReverseTunnelSchema

func GetReverseTunnelSchema() string

GetReverseTunnelSchema returns role schema with optionally injected schema for extensions

func GetRoleSchema

func GetRoleSchema(extensionSchema string) string

GetRoleSchema returns role schema with optionally injected schema for extensions

func GetServerSchema

func GetServerSchema() string

GetServerSchema returns role schema with optionally injected schema for extensions

func GetUserSchema

func GetUserSchema(extensionSchema string) string

GetRoleSchema returns role schema with optionally injected schema for extensions

func GetWebSessionSchema

func GetWebSessionSchema() string

GetWebSessionSchema returns JSON Schema for web session

func GetWebSessionSchemaWithExtensions

func GetWebSessionSchemaWithExtensions(extension string) string

GetWebSessionSchemaWithExtensions returns JSON Schema for web session with user-supplied extensions

func LabelsToV2

func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2

LabelsToV2 converts labels from interface to V2 spec

func LastFailed

func LastFailed(x int, attempts []LoginAttempt) bool

LastFailed calculates last x successive attempts are failed

func MatchLabels

func MatchLabels(selector map[string]string, target map[string]string) bool

MatchLabels matches selector against target

func MatchLogin

func MatchLogin(logins []string, login string) bool

MatchLogin returns true if attempted login matches any of the logins

func MatchNamespace

func MatchNamespace(selector []string, namespace string) bool

MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything

func MatchResourceAction

func MatchResourceAction(selector map[string][]string, resourceName, resourceAction string) bool

MatchResourceAction tests if selector matches required resource action in a given namespace

func ParseShortcut

func ParseShortcut(in string) (string, error)

ParseShortcut parses resource shortcut

func ProcessNamespace

func ProcessNamespace(namespace string) string

ProcessNamespace sets default namespace in case if namespace is empty

func RO

func RO() []string

RO returns read only action list

func RW

func RW() []string

RW returns read write action list

func RoleNameForCertAuthority

func RoleNameForCertAuthority(name string) string

RoleNameForCertAuthority returns role name associated with cert authority

func RoleNameForUser

func RoleNameForUser(name string) string

RoleNameForUser returns role name associated with user

func SetCertAuthorityMarshaler

func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)

SetCertAuthorityMarshaler sets global user marshaler

func SetOIDCConnectorMarshaler

func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)

SetOIDCConnectorMarshaler sets global user marshaler

func SetReerseTunnelMarshaler

func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)

func SetRoleMarshaler

func SetRoleMarshaler(m RoleMarshaler)

func SetServerMarshaler

func SetServerMarshaler(m ServerMarshaler)

func SetUserMarshaler

func SetUserMarshaler(u UserMarshaler)

SetUserMarshaler sets global user marshaler

func SetWebSessionMarshaler

func SetWebSessionMarshaler(u WebSessionMarshaler)

SetWebSessionMarshaler sets global user marshaler

func VerifyPassword added in v1.0.0

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type Access

type Access interface {
	// GetRoles returns a list of roles
	GetRoles() ([]Role, error)

	// UpsertRole creates or updates role
	UpsertRole(role Role) error

	// GetRole returns role by name
	GetRole(name string) (Role, error)

	// DeleteRole deletes role by name
	DeleteRole(name string) error
}

Access service manages roles and permissions

type AccessChecker

type AccessChecker interface {
	// CheckAccessToServer checks access to server
	CheckAccessToServer(login string, server Server) error
	// CheckResourceAction check access to resource action
	CheckResourceAction(resourceNamespace, resourceName, accessType string) error
	// CheckLogins checks if role set can login up to given duration
	// and returns a combined list of allowed logins
	CheckLogins(ttl time.Duration) ([]string, error)
	// AdjustSessionTTL will reduce the requested ttl to lowes max allowed TTL
	// for this role set, otherwise it returns ttl unchanges
	AdjustSessionTTL(ttl time.Duration) time.Duration
}

AccessChecker interface implements access checks for given role

type CertAuthID added in v1.0.0

type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}

CertAuthID - id of certificate authority (it's type and domain name)

func (*CertAuthID) Check added in v1.0.0

func (c *CertAuthID) Check() error

Check returns error if any of the id parameters are bad, nil otherwise

func (*CertAuthID) String added in v1.0.0

func (c *CertAuthID) String() string

type CertAuthType added in v1.0.0

type CertAuthType string

CertAuthType specifies certificate authority type, user or host

const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)

func (CertAuthType) Check added in v1.0.0

func (c CertAuthType) Check() error

Check checks if certificate authority type value is correct

type CertAuthority added in v1.0.0

type CertAuthority interface {
	// GetID returns certificate authority ID -
	// combined type and name
	GetID() CertAuthID
	// GetName returns cert authority name
	GetName() string
	// GetType returns user or host certificate authority
	GetType() CertAuthType
	// GetClusterName returns cluster name this cert authority
	// is associated with
	GetClusterName() string
	// GetCheckingKeys returns public keys to check signature
	GetCheckingKeys() [][]byte
	// GetSigning keys returns signing keys
	GetSigningKeys() [][]byte
	// GetRoles returns a list of roles assumed by users signed by this CA
	GetRoles() []string
	// FirstSigningKey returns first signing key or returns error if it's not here
	// The first key is returned because multiple keys can exist during key rotation.
	FirstSigningKey() ([]byte, error)
	// GetRawObject returns raw object data, used for migrations
	GetRawObject() interface{}
	// Check checks object for errors
	Check() error
	// SetSigningKeys sets signing keys
	SetSigningKeys([][]byte) error
	// AddRole adds a role to ca role list
	AddRole(name string)
	// Checkers returns public keys that can be used to check cert authorities
	Checkers() ([]ssh.PublicKey, error)
	// Signers returns a list of signers that could be used to sign keys
	Signers() ([]ssh.Signer, error)
	// V1 returns V1 version of the resource
	V1() *CertAuthorityV1
	// V2 returns V2 version of the resource
	V2() *CertAuthorityV2
}

CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func NewCertAuthority

func NewCertAuthority(caType CertAuthType, clusterName string, signingKeys, checkingKeys [][]byte, roles []string) CertAuthority

NewCertAuthority returns new cert authority

type CertAuthorityMarshaler

type CertAuthorityMarshaler interface {
	// UnmarshalCertAuthority unmarhsals cert authority from binary representation
	UnmarshalCertAuthority(bytes []byte) (CertAuthority, error)
	// MarshalCertAuthority to binary representation
	MarshalCertAuthority(c CertAuthority, opts ...MarshalOption) ([]byte, error)
	// GenerateCertAuthority is used to generate new cert authority
	// based on standard teleport one and is used to add custom
	// parameters and extend it in extensions of teleport
	GenerateCertAuthority(CertAuthority) (CertAuthority, error)
}

CertAuthorityMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetCertAuthorityMarshaler

func GetCertAuthorityMarshaler() CertAuthorityMarshaler

GetCertAuthorityMarshaler returns currently set user marshaler

type CertAuthoritySpecV2

type CertAuthoritySpecV2 struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// ClusterName identifies cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"cluster_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys,omitempty"`
	// Roles is a list of roles assumed by users signed by this CA
	Roles []string `json:"roles,omitempty"`
}

CertAuthoritySpecV2 is a host or user certificate authority that can check and if it has private key stored as well, sign it too

type CertAuthorityV1

type CertAuthorityV1 struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}

CertAuthorityV1 is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func CertAuthoritiesToV1

func CertAuthoritiesToV1(in []CertAuthority) ([]CertAuthorityV1, error)

CertAuthoritiesToV1 converts list of cert authorities to V1 slice

func (*CertAuthorityV1) V1

V1 returns V1 version of the resource

func (*CertAuthorityV1) V2

V2 returns V2 version of the resource

type CertAuthorityV2

type CertAuthorityV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains cert authority specification
	Spec CertAuthoritySpecV2 `json:"spec"`
	// contains filtered or unexported fields
}

CertAuthorityV2 is version 1 resource spec for Cert Authority

func (*CertAuthorityV2) AddRole

func (ca *CertAuthorityV2) AddRole(name string)

AddRole adds a role to ca role list

func (*CertAuthorityV2) Check

func (ca *CertAuthorityV2) Check() error

Check checks if all passed parameters are valid

func (*CertAuthorityV2) Checkers

func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)

Checkers returns public keys that can be used to check cert authorities

func (*CertAuthorityV2) FirstSigningKey

func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)

FirstSigningKey returns first signing key or returns error if it's not here

func (*CertAuthorityV2) GetCheckingKeys

func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte

GetCheckingKeys returns public keys to check signature

func (*CertAuthorityV2) GetClusterName

func (ca *CertAuthorityV2) GetClusterName() string

GetClusterName returns cluster name this cert authority is associated with

func (*CertAuthorityV2) GetID

func (ca *CertAuthorityV2) GetID() CertAuthID

GetID returns certificate authority ID - combined type and name

func (*CertAuthorityV2) GetName

func (ca *CertAuthorityV2) GetName() string

GetName returns cert authority name

func (*CertAuthorityV2) GetRawObject

func (ca *CertAuthorityV2) GetRawObject() interface{}

GetRawObject returns raw object data, used for migrations

func (*CertAuthorityV2) GetRoles

func (ca *CertAuthorityV2) GetRoles() []string

GetRoles returns a list of roles assumed by users signed by this CA

func (*CertAuthorityV2) GetSigningKeys

func (ca *CertAuthorityV2) GetSigningKeys() [][]byte

GetSigning keys returns signing keys

func (*CertAuthorityV2) GetType

func (ca *CertAuthorityV2) GetType() CertAuthType

GetType returns user or host certificate authority

func (*CertAuthorityV2) ID

func (ca *CertAuthorityV2) ID() *CertAuthID

ID returns id (consisting of domain name and type) that identifies the authority this key belongs to

func (*CertAuthorityV2) SetSigningKeys

func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error

SetSigningKeys sets signing keys

func (*CertAuthorityV2) Signers

func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)

Signers returns a list of signers that could be used to sign keys

func (*CertAuthorityV2) V1

V1 returns V1 version of the object

func (*CertAuthorityV2) V2

V2 returns V2 version of the resouirce - itself

type CertParams

type CertParams struct {
	PrivateCASigningKey []byte         // PrivateCASigningKey is the private key of the CA that will sign the public key of the host.
	PublicHostKey       []byte         // PublicHostKey is the public key of the host.
	HostID              string         // HostID is used by Teleport to uniquely identify a node within a cluster.
	NodeName            string         // NodeName is the DNS name of the node.
	ClusterName         string         // ClusterName is the name of the cluster within which a node lives.
	Roles               teleport.Roles // Roles identifies the roles of a Teleport instance.
	TTL                 time.Duration  // TTL defines how long a certificate is valid for.
}

CertParams defines all parameters needed to generate a host certificate.

func (*CertParams) Check

func (c *CertParams) Check() error

type ClaimMapping

type ClaimMapping struct {
	// Claim is OIDC claim name
	Claim string `json:"claim"`
	// Value is claim value to match
	Value string `json:"value"`
	// Roles is a list of teleport roles to match
	Roles []string `json:"roles"`
}

ClaimMapping is OIDC claim mapping that maps claim name to teleport roles

type CommandLabel

type CommandLabel interface {
	// GetPeriod returns label period
	GetPeriod() time.Duration
	// SetPeriod sets label period
	SetPeriod(time.Duration)
	// GetResult returns label result
	GetResult() string
	// SetResult sets label result
	SetResult(string)
	// GetCommand returns to execute and set as a label result
	GetCommand() []string
	// Clone returns label copy
	Clone() CommandLabel
}

CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabelV1

type CommandLabelV1 struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabelV1 is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabelV2

type CommandLabelV2 struct {
	// Period is a time between command runs
	Period Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname

func (*CommandLabelV2) Clone

func (c *CommandLabelV2) Clone() CommandLabel

Clone returns label copy

func (*CommandLabelV2) GetCommand

func (c *CommandLabelV2) GetCommand() []string

GetCommand returns to execute and set as a label result

func (*CommandLabelV2) GetPeriod

func (c *CommandLabelV2) GetPeriod() time.Duration

GetPeriod returns label period

func (*CommandLabelV2) GetResult

func (c *CommandLabelV2) GetResult() string

GetResult returns label result

func (*CommandLabelV2) SetPeriod

func (c *CommandLabelV2) SetPeriod(p time.Duration)

SetPeriod sets label period

func (*CommandLabelV2) SetResult

func (c *CommandLabelV2) SetResult(r string)

SetResult sets label result

type CommandLabels

type CommandLabels map[string]CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type ConnectorRef

type ConnectorRef struct {
	// Type is connector type
	Type string `json:"type"`
	// ID is connector ID
	ID string `json:"id"`
	// Identity is external identity of the user
	Identity string `json:"identity"`
}

ConnectorRef holds information about OIDC connector

type CreatedBy

type CreatedBy struct {
	// Identity if present means that user was automatically created by identity
	Connector *ConnectorRef `json:"connector,omitempty"`
	// Time specifies when user was created
	Time time.Time `json:"time"`
	// User holds information about user
	User UserRef `json:"user"`
}

CreatedBy holds information about the person or agent who created the user

func (CreatedBy) IsEmpty

func (c CreatedBy) IsEmpty() bool

IsEmpty returns true if there's no info about who created this user

func (CreatedBy) String

func (c CreatedBy) String() string

String returns human readable information about the user

type Duration

type Duration struct {
	time.Duration
}

Duration is a wrapper around duration to set up custom marshal/unmarshal

func MaxDuration

func MaxDuration() Duration

MaxDuration returns maximum duration that is possible

func NewDuration

func NewDuration(d time.Duration) Duration

NewDuration returns Duration struct based on time.Duration

func (Duration) MarshalJSON

func (d Duration) MarshalJSON() ([]byte, error)

MarshalJSON marshals Duration to string

func (*Duration) UnmarshalJSON

func (d *Duration) UnmarshalJSON(data []byte) error

UnmarshalJSON marshals Duration to string

type Identity added in v1.0.0

type Identity interface {
	// GetUsers returns a list of users registered with the local auth server
	GetUsers() ([]User, error)

	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error

	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)

	// CreateUser creates user if it does not exist
	CreateUser(user User) error

	// UpsertUser updates parameters about user
	UpsertUser(user User) error

	// GetUser returns a user by name
	GetUser(user string) (User, error)

	// GetUserByOIDCIdentity returns a user by it's specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id OIDCIdentity) (User, error)

	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(user string) error

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertHOTP upserts HOTP state for user
	// Deprecated: HOTP use is deprecated, use UpsertTOTP instead.
	UpsertHOTP(user string, otp *hotp.HOTP) error

	// GetHOTP gets HOTP token state for a user
	// Deprecated: HOTP use is deprecated, use GetTOTP instead.
	GetHOTP(user string) (*hotp.HOTP, error)

	// UpsertTOTP upserts TOTP secret key for a user that can be used to generate and validate tokens.
	UpsertTOTP(user string, secretKey string) error

	// GetTOTP returns the secret key used by the TOTP algorithm to validate tokens.
	GetTOTP(user string) (string, error)

	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid.
	UpsertUsedTOTPToken(user string, otpToken string) error

	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)

	// DeleteUsedTOTPToken removes the used token from the backend. This should only
	// be used during tests.
	DeleteUsedTOTPToken(user string) error

	// UpsertWebSession updates or inserts a web session for a user and session
	UpsertWebSession(user, sid string, session WebSession) error

	// GetWebSession returns a web session state for a given user and session id
	GetWebSession(user, sid string) (WebSession, error)

	// DeleteWebSession deletes web session from the storage
	DeleteWebSession(user, sid string) error

	// UpsertPassword upserts new password and OTP token
	UpsertPassword(user string, password []byte) error

	// UpsertSignupToken upserts signup token - one time token that lets user to create a user account
	UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error

	// GetSignupToken returns signup token data
	GetSignupToken(token string) (*SignupToken, error)

	// GetSignupTokens returns a list of signup tokens
	GetSignupTokens() ([]SignupToken, error)

	// DeleteSignupToken deletes signup token from the storage
	DeleteSignupToken(token string) error

	// UpsertU2FRegisterChallenge upserts a U2F challenge for a new user corresponding to the token
	UpsertU2FRegisterChallenge(token string, u2fChallenge *u2f.Challenge) error

	// GetU2FRegisterChallenge returns a U2F challenge for a new user corresponding to the token
	GetU2FRegisterChallenge(token string) (*u2f.Challenge, error)

	// UpsertU2FRegistration upserts a U2F registration from a valid register response
	UpsertU2FRegistration(user string, u2fReg *u2f.Registration) error

	// GetU2FRegistration returns a U2F registration from a valid register response
	GetU2FRegistration(user string) (*u2f.Registration, error)

	// UpsertU2FSignChallenge upserts a U2F sign (auth) challenge
	UpsertU2FSignChallenge(user string, u2fChallenge *u2f.Challenge) error

	// GetU2FSignChallenge returns a U2F sign (auth) challenge
	GetU2FSignChallenge(user string) (*u2f.Challenge, error)

	// UpsertU2FRegistrationCounter upserts a counter associated with a U2F registration
	UpsertU2FRegistrationCounter(user string, counter uint32) error

	// GetU2FRegistrationCounter returns a counter associated with a U2F registration
	GetU2FRegistrationCounter(user string) (uint32, error)

	// UpsertOIDCConnector upserts OIDC Connector
	UpsertOIDCConnector(connector OIDCConnector, ttl time.Duration) error

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(connectorID string) error

	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(id string, withSecrets bool) (OIDCConnector, error)

	// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
	GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error)
}

Identity is responsible for managing user entries

type LoginAttempt

type LoginAttempt struct {
	// Time is time of the attempt
	Time time.Time `json:"time"`
	// Sucess indicates whether attempt was successfull
	Success bool `json:"bool"`
}

LoginAttempt represents successfull or unsuccessful attempt for user to login

func (*LoginAttempt) Check

func (la *LoginAttempt) Check() error

Check checks parameters

type LoginStatus

type LoginStatus struct {
	// IsLocked tells us if user is locked
	IsLocked bool `json:"is_locked"`
	// LockedMessage contains the message in case if user is locked
	LockedMessage string `json:"locked_message,omitempty"`
	// LockedTime contains time when user was locked
	LockedTime time.Time `json:"locked_time,omitempty"`
	// LockExpires contains time when this lock will expire
	LockExpires time.Time `json:"lock_expires,omitempty"`
}

LoginStatus is a login status of the user

type MarshalConfig

type MarshalConfig struct {
	// Version specifies particular version we should marshal resources with
	Version string
}

MarshalConfig specify marshalling options

func (*MarshalConfig) GetVersion

func (m *MarshalConfig) GetVersion() string

GetVersion returns explicitly provided version or sets latest as default

type MarshalOption

type MarshalOption func(c *MarshalConfig) error

MarshalOption sets marshalling option

func WithVersion

func WithVersion(v string) MarshalOption

WithVersion sets marshal version

type Metadata

type Metadata struct {
	// Name is an object name
	Name string `json:"name"`
	// Namespace is object namespace
	Namespace string `json:"namespace"`
	// Description is object description
	Description string `json:"description,omitempty"`
	// Labels is a set of labels
	Labels map[string]string `json:"labels,omitempty"`
}

Metadata is resource metadata

func (*Metadata) Check

func (m *Metadata) Check() error

Check checks validity of all parameters and sets defaults

type Namespace

type Namespace struct {
	// Kind is a resource kind - always namespace
	Kind string `json:"kind"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains namespace specification
	Spec NamespaceSpec `json:"spec"`
}

Namespace represents namespace resource specification

func NewNamespace

func NewNamespace(name string) Namespace

NewNamespace returns new namespace

func UnmarshalNamespace

func UnmarshalNamespace(data []byte) (*Namespace, error)

UnmarshalNamespace unmarshals role from JSON or YAML, sets defaults and checks the schema

func (*Namespace) CheckAndSetDefaults

func (n *Namespace) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

type NamespaceSpec

type NamespaceSpec struct {
}

NamespaceSpec is namespace spec

type OIDCAuthRequest added in v1.0.0

type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`

	// Type is opaque string that helps callbacks identify the request type
	Type string `json:"type"`

	// CheckUser tells validator if it should expect and check user
	CheckUser bool `json:"check_user"`

	// StateToken is generated by service and is used to validate
	// reuqest coming from
	StateToken string `json:"state_token"`

	// RedirectURL will be used by browser
	RedirectURL string `json:"redirect_url"`

	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successfull auth
	PublicKey []byte `json:"public_key"`

	// CertTTL is the TTL of the certificate user wants to get
	CertTTL time.Duration `json:"cert_ttl"`

	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`

	// ClientRedirectURL is a URL client wants to be redirected
	// after successfull authentication
	ClientRedirectURL string `json:"client_redirect_url"`
}

OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server

func (*OIDCAuthRequest) Check added in v1.0.0

func (i *OIDCAuthRequest) Check() error

Check returns nil if all parameters are great, err otherwise

type OIDCConnector added in v1.0.0

type OIDCConnector interface {
	// Name is a provider name, 'e.g.' google, used internally
	GetName() string
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	GetIssuerURL() string
	// ClientID is id for authentication client (in our case it's our Auth server)
	GetClientID() string
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	GetClientSecret() string
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successfull authentication
	// Should match the URL on Provider's side
	GetRedirectURL() string
	// Display - Friendly name for this provider.
	GetDisplay() string
	// Scope is additional scopes set by provder
	GetScope() []string
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	GetClaimsToRoles() []ClaimMapping
	// GetClaims returns list of claims expected by mappings
	GetClaims() []string
	// MapClaims maps claims to roles
	MapClaims(claims jose.Claims) []string
	// Check checks OIDC connector for errors
	Check() error
	// SetClientSecret sets client secret to some value
	SetClientSecret(secret string)
	// SetClientID sets id for authentication client (in our case it's our Auth server)
	SetClientID(string)
	// SetName sets a provider name
	SetName(string)
	// SetIssuerURL sets the endpoint of the provider
	SetIssuerURL(string)
	// SetRedirectURL sets RedirectURL
	SetRedirectURL(string)
	// SetScope sets additional scopes set by provider
	SetScope([]string)
	// SetClaimsToRoles sets dynamic mapping from claims to roles
	SetClaimsToRoles([]ClaimMapping)
	// SetDisplay sets friendly name for this provider.
	SetDisplay(string)
}

OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

type OIDCConnectorMarshaler

type OIDCConnectorMarshaler interface {
	// UnmarshalOIDCConnector unmarshals connector from binary representation
	UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error)
	// MarshalOIDCConnector marshals connector to binary representation
	MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)
}

OIDCConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetOIDCConnectorMarshaler

func GetOIDCConnectorMarshaler() OIDCConnectorMarshaler

GetOIDCConnectorMarshaler returns currently set user marshaler

type OIDCConnectorSpecV2

type OIDCConnectorSpecV2 struct {
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `json:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `json:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `json:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successfull authentication
	// Should match the URL on Provider's side
	RedirectURL string `json:"redirect_url"`
	// Display - Friendly name for this provider.
	Display string `json:"display,omitempty"`
	// Scope is additional scopes set by provder
	Scope []string `json:"scope,omitempty"`
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	ClaimsToRoles []ClaimMapping `json:"claims_to_roles,omitempty"`
}

OIDCConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

type OIDCConnectorV1

type OIDCConnectorV1 struct {
	// ID is a provider id, 'e.g.' google, used internally
	ID string `json:"id"`
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `json:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `json:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `json:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successfull authentication
	// Should match the URL on Provider's side
	RedirectURL string `json:"redirect_url"`
	// Display - Friendly name for this provider.
	Display string `json:"display"`
	// Scope is additional scopes set by provder
	Scope []string `json:"scope"`
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	ClaimsToRoles []ClaimMapping `json:"claims_to_roles"`
}

OIDCConnectorV1 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

func (*OIDCConnectorV1) V1

V1 returns V1 version of the resource

func (*OIDCConnectorV1) V2

V2 returns V2 version of the connector

type OIDCConnectorV2

type OIDCConnectorV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains connector specification
	Spec OIDCConnectorSpecV2 `json:"spec"`
}

OIDCConnectorV2 is version 1 resource spec for OIDC connector

func (*OIDCConnectorV2) Check

func (o *OIDCConnectorV2) Check() error

Check returns nil if all parameters are great, err otherwise

func (*OIDCConnectorV2) GetClaims

func (o *OIDCConnectorV2) GetClaims() []string

GetClaims returns list of claims expected by mappings

func (*OIDCConnectorV2) GetClaimsToRoles

func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping

ClaimsToRoles specifies dynamic mapping from claims to roles

func (*OIDCConnectorV2) GetClientID

func (o *OIDCConnectorV2) GetClientID() string

ClientID is id for authentication client (in our case it's our Auth server)

func (*OIDCConnectorV2) GetClientSecret

func (o *OIDCConnectorV2) GetClientSecret() string

ClientSecret is used to authenticate our client and should not be visible to end user

func (*OIDCConnectorV2) GetDisplay

func (o *OIDCConnectorV2) GetDisplay() string

Display - Friendly name for this provider.

func (*OIDCConnectorV2) GetIssuerURL

func (o *OIDCConnectorV2) GetIssuerURL() string

Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com

func (*OIDCConnectorV2) GetName

func (o *OIDCConnectorV2) GetName() string

ID is a provider id, 'e.g.' google, used internally

func (*OIDCConnectorV2) GetRedirectURL

func (o *OIDCConnectorV2) GetRedirectURL() string

RedirectURL - Identity provider will use this URL to redirect client's browser back to it after successfull authentication Should match the URL on Provider's side

func (*OIDCConnectorV2) GetScope

func (o *OIDCConnectorV2) GetScope() []string

Scope is additional scopes set by provder

func (*OIDCConnectorV2) MapClaims

func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string

MapClaims maps claims to roles

func (*OIDCConnectorV2) SetClaimsToRoles

func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)

SetClaimsToRoles sets dynamic mapping from claims to roles

func (*OIDCConnectorV2) SetClientID

func (o *OIDCConnectorV2) SetClientID(clintID string)

SetClientID sets id for authentication client (in our case it's our Auth server)

func (*OIDCConnectorV2) SetClientSecret

func (o *OIDCConnectorV2) SetClientSecret(secret string)

SetClientSecret sets client secret to some value

func (*OIDCConnectorV2) SetDisplay

func (o *OIDCConnectorV2) SetDisplay(display string)

SetDisplay sets friendly name for this provider.

func (*OIDCConnectorV2) SetIssuerURL

func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)

SetIssuerURL sets client secret to some value

func (*OIDCConnectorV2) SetName

func (o *OIDCConnectorV2) SetName(name string)

SetName sets client secret to some value

func (*OIDCConnectorV2) SetRedirectURL

func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)

SetRedirectURL sets client secret to some value

func (*OIDCConnectorV2) SetScope

func (o *OIDCConnectorV2) SetScope(scope []string)

SetScope sets additional scopes set by provider

func (*OIDCConnectorV2) V1

V1 converts OIDCConnectorV2 to OIDCConnectorV1 format

func (*OIDCConnectorV2) V2

V2 returns V2 version of the resource

type OIDCIdentity added in v1.0.0

type OIDCIdentity struct {
	// ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
	ConnectorID string `json:"connector_id"`

	// Email is OIDC verified email claim
	// e.g. bob@example.com
	Email string `json:"username"`
}

OIDCIdentity is OpenID Connect identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google

func (*OIDCIdentity) Check added in v1.0.0

func (i *OIDCIdentity) Check() error

Check returns nil if all parameters are great, err otherwise

func (*OIDCIdentity) Equals added in v1.0.0

func (i *OIDCIdentity) Equals(other *OIDCIdentity) bool

Equals returns true if this identity equals to passed one

func (*OIDCIdentity) String added in v1.0.0

func (i *OIDCIdentity) String() string

String returns debug friendly representation of this identity

type Presence added in v1.0.0

type Presence interface {
	// GetNodes returns a list of registered servers
	GetNodes(namespace string) ([]Server, error)

	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(server Server, ttl time.Duration) error

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(server Server, ttl time.Duration) error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(server Server, ttl time.Duration) error

	// GetProxies returns a list of registered proxies
	GetProxies() ([]Server, error)

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels() ([]ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*Namespace, error)

	// UpsertNamespace upserts namespace
	UpsertNamespace(Namespace) error

	// DeleteNamespace deletes namespace by name
	DeleteNamespace(name string) error
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type ProvisionToken

type ProvisionToken struct {
	Roles   teleport.Roles `json:"roles"`
	Expires time.Time      `json:"expires"`
	Token   string         `json:"token"`
}

ProvisionToken stores metadata about some provisioning token

type Provisioner added in v1.0.0

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error

	// GetToken finds and returns token by id
	GetToken(token string) (*ProvisionToken, error)

	// DeleteToken deletes provisioning token
	DeleteToken(token string) error

	// GetTokens returns all non-expired tokens
	GetTokens() ([]ProvisionToken, error)
}

Provisioner governs adding new nodes to the cluster

type Ref

type Ref struct {
	Kind string
	Name string
}

Ref is a resource refernece

func ParseRef

func ParseRef(ref string) (*Ref, error)

ParseRef parses resource reference eg daemonsets/ds1

func (*Ref) IsEmtpy

func (r *Ref) IsEmtpy() bool

func (*Ref) Set

func (r *Ref) Set(v string) error

func (*Ref) String

func (r *Ref) String() string

type ResourceHeader

type ResourceHeader struct {
	// Kind is a resource kind - always resource
	Kind string `json:"kind"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
}

ResorceHeader is a shared resource header

type ReverseTunnel added in v1.0.0

type ReverseTunnel interface {
	// GetName returns tunnel object name
	GetName() string
	// GetClusterName returns name of the cluster
	GetClusterName() string
	// GetDialAddrs returns list of dial addresses for this cluster
	GetDialAddrs() []string
	// Check checks tunnel for errors
	Check() error
}

ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved

func NewReverseTunnel

func NewReverseTunnel(clusterName string, dialAddrs []string) ReverseTunnel

NewReverseTunnel returns new version of reverse tunnel

func UnmarshalReverseTunnel

func UnmarshalReverseTunnel(data []byte) (ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema

type ReverseTunnelMarshaler

type ReverseTunnelMarshaler interface {
	// UnmarshalReverseTunnel unmarshals reverse tunnel from binary representation
	UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error)
	// MarshalReverseTunnel marshals reverse tunnel to binary representation
	MarshalReverseTunnel(ReverseTunnel, ...MarshalOption) ([]byte, error)
}

ReverseTunnelMarshaler implements marshal/unmarshal of reverse tunnel implementations

func GetReverseTunnelMarshaler

func GetReverseTunnelMarshaler() ReverseTunnelMarshaler

type ReverseTunnelSpecV2

type ReverseTunnelSpecV2 struct {
	// ClusterName is a domain name of remote cluster we are connecting to
	ClusterName string `json:"cluster_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs,omitempty"`
}

ReverseTunnelSpecV2 is a specification for V2 reverse tunnel

type ReverseTunnelV1

type ReverseTunnelV1 struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}

ReverseTunnelV1 is V1 version of reverse tunnel

func (*ReverseTunnelV1) V1

V1 returns V1 version of the resource

func (*ReverseTunnelV1) V2

V2 returns V2 version of reverse tunnel

type ReverseTunnelV2

type ReverseTunnelV2 struct {
	// Kind is a resource kind - always resource
	Kind string `json:"kind"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains user specification
	Spec ReverseTunnelSpecV2 `json:"spec"`
}

ReverseTunnelV2 is version 1 resource spec of the reverse tunnel

func (*ReverseTunnelV2) Check

func (r *ReverseTunnelV2) Check() error

Check returns nil if all parameters are good, error otherwise

func (*ReverseTunnelV2) GetClusterName

func (r *ReverseTunnelV2) GetClusterName() string

GetClusterName returns name of the cluster

func (*ReverseTunnelV2) GetDialAddrs

func (r *ReverseTunnelV2) GetDialAddrs() []string

GetDialAddrs returns list of dial addresses for this cluster

func (*ReverseTunnelV2) GetName

func (r *ReverseTunnelV2) GetName() string

GetName returns tunnel object name

func (*ReverseTunnelV2) V1

V1 returns V1 version of the resource

func (*ReverseTunnelV2) V2

V2 returns V2 version of the resource

type Role

type Role interface {
	// GetMetadata returns role metadata
	GetMetadata() Metadata
	// GetName returns role name and is a shortcut for GetMetadata().Name
	GetName() string
	// GetMaxSessionTTL is a maximum SSH or Web session TTL
	GetMaxSessionTTL() Duration
	// SetLogins sets logins for role
	SetLogins(logins []string)
	// GetLogins returns a list of linux logins allowed for this role
	GetLogins() []string
	// GetNodeLabels returns a list of matching nodes this role has access to
	GetNodeLabels() map[string]string
	// GetNamespaces returns a list of namespaces this role has access to
	GetNamespaces() []string
	// GetResources returns access to resources
	GetResources() map[string][]string
	// SetResource sets resource rule
	SetResource(kind string, actions []string)
}

Role contains a set of permissions or settings

func NewRole

func NewRole(name string, spec RoleSpecV2) (Role, error)

NewRole constructs new standard role

func RoleForCertAuthority

func RoleForCertAuthority(ca CertAuthority) Role

RoleForCertauthority creates role using AllowedLogins parameter

func RoleForUser

func RoleForUser(u User) Role

RoleForUser creates role using AllowedLogins parameter

type RoleGetter

type RoleGetter interface {
	// GetRole returns role by name
	GetRole(name string) (Role, error)
}

RoleGetter is an interface that defines GetRole method

type RoleMarshaler

type RoleMarshaler interface {
	// UnmarshalRole from binary representation
	UnmarshalRole(bytes []byte) (Role, error)
	// MarshalRole to binary representation
	MarshalRole(u Role, opts ...MarshalOption) ([]byte, error)
}

RoleMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions

func GetRoleMarshaler

func GetRoleMarshaler() RoleMarshaler

type RoleSet

type RoleSet []Role

RoleSet is a set of roles that implements access control functionality

func FetchRoles

func FetchRoles(roleNames []string, access RoleGetter) (RoleSet, error)

FetchRoles fetches roles by their names and returns role set

func FromSpec

func FromSpec(name string, spec RoleSpecV2) (RoleSet, error)

FromSpec returns new RoleSet created from spec

func NewRoleSet

func NewRoleSet(roles ...Role) RoleSet

NewRoleSet returns new RoleSet based on the roles

func (RoleSet) AdjustSessionTTL

func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration

AdjustSessionTTL will reduce the requested ttl to lowes max allowed TTL for this role set, otherwise it returns ttl unchanges

func (RoleSet) CheckAccessToServer

func (set RoleSet) CheckAccessToServer(login string, s Server) error

CheckAccessToServer checks if role set has access to server based on combined role's selector and attempted login

func (RoleSet) CheckLogins

func (set RoleSet) CheckLogins(ttl time.Duration) ([]string, error)

CheckLogins checks if role set can login up to given duration and returns a combined list of allowed logins

func (RoleSet) CheckResourceAction

func (set RoleSet) CheckResourceAction(resourceNamespace, resourceName, accessType string) error

CheckResourceAction checks if role set has access to this resource action

func (RoleSet) String

func (set RoleSet) String() string

type RoleSpecV2

type RoleSpecV2 struct {
	// MaxSessionTTL is a maximum SSH or Web session TTL
	MaxSessionTTL Duration `json:"max_session_ttl"`
	// Logins is a list of linux logins allowed for this role
	Logins []string `json:"logins,omitempty"`
	// NodeLabels is a set of matching labels that users of this role
	// will be allowed to access
	NodeLabels map[string]string `json:"node_labels,omitempty"`
	// Namespaces is a list of namespaces, guarding accesss to resources
	Namespaces []string `json:"namespaces,omitempty"`
	// Resources limits access to resources
	Resources map[string][]string `json:"resources,omitempty"`
}

RoleSpecV2 is role specification for RoleV2

type RoleV2

type RoleV2 struct {
	// Kind is a resource kind - always resource
	Kind string `json:"kind"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains role specification
	Spec RoleSpecV2 `json:"spec"`
}

RoleV2 represents role resource specification

func UnmarshalRole

func UnmarshalRole(data []byte) (*RoleV2, error)

UnmarshalRole unmarshals role from JSON or YAML, sets defaults and checks the schema

func (*RoleV2) CheckAndSetDefaults

func (r *RoleV2) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

func (*RoleV2) GetLogins

func (r *RoleV2) GetLogins() []string

GetLogins returns a list of linux logins allowed for this role

func (*RoleV2) GetMaxSessionTTL

func (r *RoleV2) GetMaxSessionTTL() Duration

GetMaxSessionTTL is a maximum SSH or Web session TTL

func (*RoleV2) GetMetadata

func (r *RoleV2) GetMetadata() Metadata

GetMetadata returns role metadata

func (*RoleV2) GetName

func (r *RoleV2) GetName() string

GetName returns role name and is a shortcut for GetMetadata().Name

func (*RoleV2) GetNamespaces

func (r *RoleV2) GetNamespaces() []string

GetNamespaces returns a list of namespaces this role has access to

func (*RoleV2) GetNodeLabels

func (r *RoleV2) GetNodeLabels() map[string]string

GetNodeLabels returns a list of matchign nodes this role has access to

func (*RoleV2) GetResources

func (r *RoleV2) GetResources() map[string][]string

GetResources returns access to resources

func (*RoleV2) SetLogins

func (r *RoleV2) SetLogins(logins []string)

SetLogins sets logins for role

func (*RoleV2) SetResource

func (r *RoleV2) SetResource(kind string, actions []string)

SetResource sets resource rule

type Server

type Server interface {
	// GetName returns server name
	GetName() string
	// GetAddr return server address
	GetAddr() string
	// GetHostname returns server hostname
	GetHostname() string
	// GetNamespace returns server namespace
	GetNamespace() string
	// GetAllLabels returns server's static and dynamic label values merged together
	GetAllLabels() map[string]string
	// GetLabels returns server's static label key pairs
	GetLabels() map[string]string
	// GetCmdLabels returns command labels
	GetCmdLabels() map[string]CommandLabel
	// String returns string representation of the server
	String() string
	// SetAddr sets server address
	SetAddr(addr string)
	// SetNamespace sets server namespace
	SetNamespace(namespace string)
	// V1 returns V1 version for backwards compatibility
	V1() *ServerV1
	// MatchAgainst takes a map of labels and returns True if this server
	// has ALL of them
	//
	// Any server matches against an empty label set
	MatchAgainst(labels map[string]string) bool
	// LabelsString returns a comma separated string with all node's labels
	LabelsString() string
}

Server represents a Node, Proxy or Auth server in a Teleport cluster

func UnmarshalServerResource

func UnmarshalServerResource(data []byte, kind string) (Server, error)

UnmarshalServerResource unmarshals role from JSON or YAML, sets defaults and checks the schema

type ServerMarshaler

type ServerMarshaler interface {
	// UnmarshalServer from binary representation
	UnmarshalServer(bytes []byte, kind string) (Server, error)
	// MarshalServer to binary representation
	MarshalServer(Server, ...MarshalOption) ([]byte, error)
}

ServerMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions

func GetServerMarshaler

func GetServerMarshaler() ServerMarshaler

type ServerSpecV2

type ServerSpecV2 struct {
	// Addr is server host:port address
	Addr string `json:"addr"`
	// Hostname is server hostname
	Hostname string `json:"hostname"`
	// CmdLabels is server dynamic labels
	CmdLabels map[string]CommandLabelV2 `json:"cmd_labels,omitempty"`
}

ServerSpecV2 is a specification for V2 Server

type ServerV1

type ServerV1 struct {
	Kind      string                    `json:"kind"`
	ID        string                    `json:"id"`
	Addr      string                    `json:"addr"`
	Hostname  string                    `json:"hostname"`
	Namespace string                    `json:"namespace"`
	Labels    map[string]string         `json:"labels"`
	CmdLabels map[string]CommandLabelV1 `json:"cmd_labels"`
}

ServerV1 represents V1 spec of the server

func ServersToV1

func ServersToV1(in []Server) []ServerV1

ServersToV1 converts list of servers to slice of V1 style ones

func (*ServerV1) V1

func (s *ServerV1) V1() *ServerV1

V1 returns V1 version of the resource

func (*ServerV1) V2

func (s *ServerV1) V2() *ServerV2

V2 returns V2 version of the resource

type ServerV2

type ServerV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is User metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains user specification
	Spec ServerSpecV2 `json:"spec"`
}

ServerV2 is version1 resource spec of the server

func (*ServerV2) GetAddr

func (s *ServerV2) GetAddr() string

GetAddr return server address

func (*ServerV2) GetAllLabels

func (s *ServerV2) GetAllLabels() map[string]string

GetAllLabels returns the full key:value map of both static labels and "command labels"

func (*ServerV2) GetCmdLabels

func (s *ServerV2) GetCmdLabels() map[string]CommandLabel

GetCmdLabels returns command labels

func (*ServerV2) GetHostname

func (s *ServerV2) GetHostname() string

GetHostname returns server hostname

func (*ServerV2) GetLabels

func (s *ServerV2) GetLabels() map[string]string

GetLabels returns server's static label key pairs

func (*ServerV2) GetName

func (s *ServerV2) GetName() string

GetName returns server name

func (*ServerV2) GetNamespace

func (s *ServerV2) GetNamespace() string

GetNamespace returns server namespace

func (*ServerV2) LabelsString

func (s *ServerV2) LabelsString() string

LabelsString returns a comma separated string with all node's labels

func (*ServerV2) MatchAgainst

func (s *ServerV2) MatchAgainst(labels map[string]string) bool

MatchAgainst takes a map of labels and returns True if this server has ALL of them

Any server matches against an empty label set

func (*ServerV2) SetAddr

func (s *ServerV2) SetAddr(addr string)

SetAddr sets server address

func (*ServerV2) SetNamespace

func (s *ServerV2) SetNamespace(namespace string)

SetNamespace sets server namespace

func (*ServerV2) String

func (s *ServerV2) String() string

func (*ServerV2) V1

func (s *ServerV2) V1() *ServerV1

V1 returns V1 version of the resource

func (*ServerV2) V2

func (s *ServerV2) V2() *ServerV2

V2 returns version 2 of the resource, itself

type SignupToken

type SignupToken struct {
	Token     string    `json:"token"`
	User      UserV1    `json:"user"`
	OTPKey    string    `json:"otp_key"`
	OTPQRCode []byte    `json:"otp_qr_code"`
	Expires   time.Time `json:"expires"`
}

SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed

type Site added in v1.0.0

type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}

Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.

The CA is represented by an auth server (or multiple auth servers, if running in HA mode)

type SortedLoginAttempts

type SortedLoginAttempts []LoginAttempt

SortedLoginAttempts sorts login attempts by time

func (SortedLoginAttempts) Len

func (s SortedLoginAttempts) Len() int

Len returns length of a role list

func (SortedLoginAttempts) Less

func (s SortedLoginAttempts) Less(i, j int) bool

Less stacks latest attempts to the end of the list

func (SortedLoginAttempts) Swap

func (s SortedLoginAttempts) Swap(i, j int)

Swap swaps two attempts

type SortedNamespaces

type SortedNamespaces []Namespace

SortedNamespaces sorts namespaces

func (SortedNamespaces) Len

func (s SortedNamespaces) Len() int

Len returns length of a role list

func (SortedNamespaces) Less

func (s SortedNamespaces) Less(i, j int) bool

Less compares roles by name

func (SortedNamespaces) Swap

func (s SortedNamespaces) Swap(i, j int)

Swap swaps two roles in a list

type SortedReverseTunnels

type SortedReverseTunnels []ReverseTunnel

SortedReverseTunnels sorts reverse tunnels by cluster name

func (SortedReverseTunnels) Len

func (s SortedReverseTunnels) Len() int

func (SortedReverseTunnels) Less

func (s SortedReverseTunnels) Less(i, j int) bool

func (SortedReverseTunnels) Swap

func (s SortedReverseTunnels) Swap(i, j int)

type SortedRoles

type SortedRoles []Role

SortedRoles sorts roles by name

func (SortedRoles) Len

func (s SortedRoles) Len() int

Len returns length of a role list

func (SortedRoles) Less

func (s SortedRoles) Less(i, j int) bool

Less compares roles by name

func (SortedRoles) Swap

func (s SortedRoles) Swap(i, j int)

Swap swaps two roles in a list

type SortedServers

type SortedServers []Server

SortedServers is a sort wrapper that sorts servers by name

func (SortedServers) Len

func (s SortedServers) Len() int

func (SortedServers) Less

func (s SortedServers) Less(i, j int) bool

func (SortedServers) Swap

func (s SortedServers) Swap(i, j int)

type TeleportCertAuthorityMarshaler

type TeleportCertAuthorityMarshaler struct{}

func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority

func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)

GenerateCertAuthority is used to generate new cert authority based on standard teleport one and is used to add custom parameters and extend it in extensions of teleport

func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority

func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)

MarshalUser marshalls cert authority into JSON

func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority

func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte) (CertAuthority, error)

UnmarshalUser unmarshals user from JSON

type TeleportOIDCConnectorMarshaler

type TeleportOIDCConnectorMarshaler struct{}

func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector

func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals OIDC connector into JSON

func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector

func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error)

UnmarshalOIDCConnector unmarshals connector from

type TeleportRoleMarshaler

type TeleportRoleMarshaler struct{}

func (*TeleportRoleMarshaler) MarshalRole

func (*TeleportRoleMarshaler) MarshalRole(u Role, opts ...MarshalOption) ([]byte, error)

MarshalRole marshalls role into JSON

func (*TeleportRoleMarshaler) UnmarshalRole

func (*TeleportRoleMarshaler) UnmarshalRole(bytes []byte) (Role, error)

UnmarshalRole unmarshals role from JSON

type TeleportServerMarshaler

type TeleportServerMarshaler struct{}

func (*TeleportServerMarshaler) MarshalServer

func (*TeleportServerMarshaler) MarshalServer(s Server, opts ...MarshalOption) ([]byte, error)

MarshalServer marshals server into JSON

func (*TeleportServerMarshaler) UnmarshalServer

func (*TeleportServerMarshaler) UnmarshalServer(bytes []byte, kind string) (Server, error)

UnmarshalServer unmarshals server from JSON

type TeleportTunnelMarshaler

type TeleportTunnelMarshaler struct{}

func (*TeleportTunnelMarshaler) MarshalReverseTunnel

func (*TeleportTunnelMarshaler) MarshalReverseTunnel(rt ReverseTunnel, opts ...MarshalOption) ([]byte, error)

MarshalRole marshalls role into JSON

func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel

func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML

type TeleportUserMarshaler

type TeleportUserMarshaler struct{}

func (*TeleportUserMarshaler) GenerateUser

func (*TeleportUserMarshaler) GenerateUser(in User) (User, error)

GenerateUser generates new user

func (*TeleportUserMarshaler) MarshalUser

func (*TeleportUserMarshaler) MarshalUser(u User, opts ...MarshalOption) ([]byte, error)

MarshalUser marshalls user into JSON

func (*TeleportUserMarshaler) UnmarshalUser

func (*TeleportUserMarshaler) UnmarshalUser(bytes []byte) (User, error)

UnmarshalUser unmarshals user from JSON

type TeleportWebSessionMarshaler

type TeleportWebSessionMarshaler struct{}

func (*TeleportWebSessionMarshaler) ExtendWebSession

func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)

ExtendWebSession renews web session and is used to inject additional data in extenstions when session is getting renewed

func (*TeleportWebSessionMarshaler) GenerateWebSession

func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)

GenerateWebSession generates new web session and is used to inject additional data in extenstions

func (*TeleportWebSessionMarshaler) MarshalWebSession

func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)

MarshalWebSession marshals web session into on-disk representation

func (*TeleportWebSessionMarshaler) UnmarshalWebSession

func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)

UnmarshalWebSession unmarshals web session from on-disk byte format

type Trust added in v1.0.0

type Trust interface {

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(id CertAuthID) error

	// GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
	// controls if signing keys are loaded
	GetCertAuthority(id CertAuthID, loadSigningKeys bool) (CertAuthority, error)

	// GetCertAuthorities returns a list of authorities of a given type
	// loadSigningKeys controls whether signing keys should be loaded or not
	GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]CertAuthority, error)
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type U2F added in v1.3.0

type U2F struct {
	Enabled bool
	// AppID identifies the website to the U2F keys. It should not be changed once a U2F
	// key is registered or all existing registrations will become invalid.
	AppID string
	// Facets should include the domain name of all proxies.
	Facets []string
}

U2F is a configuration of the U2F two factor authentication

func (*U2F) Check added in v1.3.0

func (u *U2F) Check() error

type UnknownResource

type UnknownResource struct {
	ResourceHeader
	// Raw is raw representation of the resource
	Raw []byte
}

UnknownResource is used to detect resources

func (*UnknownResource) UnmarshalJSON

func (u *UnknownResource) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals header and captures raw state

type User added in v1.0.0

type User interface {
	// GetName returns user name
	GetName() string
	// GetIdentities returns a list of connected OIDCIdentities
	GetIdentities() []OIDCIdentity
	// GetRoles returns a list of roles assigned to user
	GetRoles() []string
	// String returns user
	String() string
	// Equals checks if user equals to another
	Equals(other User) bool
	// GetStatus return user login status
	GetStatus() LoginStatus
	// SetLocked sets login status to locked
	SetLocked(until time.Time, reason string)
	// SetRoles sets user roles
	SetRoles(roles []string)
	// AddRole adds role to the users' role list
	AddRole(name string)
	// GetExpiry returns ttl of the user
	GetExpiry() time.Time
	// GetCreatedBy returns information about user
	GetCreatedBy() CreatedBy
	// SetCreatedBy sets created by information
	SetCreatedBy(CreatedBy)
	// Check checks basic user parameters for errors
	Check() error
	// GetRawObject returns raw object data, used for migrations
	GetRawObject() interface{}
	// WebSessionInfo returns web session information about user
	WebSessionInfo(allowedLogins []string) interface{}
}

User represents teleport embedded user or external user

func NewUser

func NewUser(name string) (User, error)

NewUser creates new empty user

type UserMarshaler

type UserMarshaler interface {
	// UnmarshalUser from binary representation
	UnmarshalUser(bytes []byte) (User, error)
	// MarshalUser to binary representation
	MarshalUser(u User, opts ...MarshalOption) ([]byte, error)
	// GenerateUser generates new user based on standard teleport user
	// it gives external implementations to add more app-specific
	// data to the user
	GenerateUser(User) (User, error)
}

UserMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetUserMarshaler

func GetUserMarshaler() UserMarshaler

GetUserMarshaler returns currently set user marshaler

type UserRef

type UserRef struct {
	// Name is name of the user
	Name string `json:"name"`
}

UserRef holds refernce to user

type UserSpecV2

type UserSpecV2 struct {
	// OIDCIdentities lists associated OpenID Connect identities
	// that let user log in using externally verified identity
	OIDCIdentities []OIDCIdentity `json:"oidc_identities,omitempty"`

	// Roles is a list of roles assigned to user
	Roles []string `json:"roles,omitempty"`

	// Status is a login status of the user
	Status LoginStatus `json:"status"`

	// Expires if set sets TTL on the user
	Expires time.Time `json:"expires"`

	// CreatedBy holds information about agent or person created this usre
	CreatedBy CreatedBy `json:"created_by"`
}

UserSpecV2 is a specification for V2 user

type UserV1

type UserV1 struct {
	// Name is a user name
	Name string `json:"name"`

	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`

	// OIDCIdentities lists associated OpenID Connect identities
	// that let user log in using externally verified identity
	OIDCIdentities []OIDCIdentity `json:"oidc_identities"`

	// Status is a login status of the user
	Status LoginStatus `json:"status"`

	// Expires if set sets TTL on the user
	Expires time.Time `json:"expires"`

	// CreatedBy holds information about agent or person created this usre
	CreatedBy CreatedBy `json:"created_by"`

	// Roles is a list of roles
	Roles []string `json:"roles"`
}

UserV1 is V1 version of the user

func (*UserV1) Check

func (u *UserV1) Check() error

Check checks validity of all parameters

func (*UserV1) V1

func (u *UserV1) V1() *UserV1

V1 returns itself

func (*UserV1) V2

func (u *UserV1) V2() *UserV2

V2 converts UserV1 to UserV2 format

type UserV2

type UserV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is User metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains user specification
	Spec UserSpecV2 `json:"spec"`
	// contains filtered or unexported fields
}

UserV2 is version1 resource spec of the user

func (*UserV2) AddRole

func (u *UserV2) AddRole(name string)

AddRole adds a role to user's role list

func (*UserV2) Check

func (u *UserV2) Check() error

Check checks validity of all parameters

func (*UserV2) Equals

func (u *UserV2) Equals(other User) bool

Equals checks if user equals to another

func (*UserV2) GetCreatedBy

func (u *UserV2) GetCreatedBy() CreatedBy

GetCreatedBy returns information about who created user

func (*UserV2) GetExpiry

func (u *UserV2) GetExpiry() time.Time

GetExpiry returns expiry time for temporary users

func (*UserV2) GetIdentities

func (u *UserV2) GetIdentities() []OIDCIdentity

GetIdentities returns a list of connected OIDCIdentities

func (*UserV2) GetName

func (u *UserV2) GetName() string

GetName returns user name

func (*UserV2) GetRawObject

func (u *UserV2) GetRawObject() interface{}

GetObject returns raw object data, used for migrations

func (*UserV2) GetRoles

func (u *UserV2) GetRoles() []string

GetRoles returns a list of roles assigned to user

func (*UserV2) GetStatus

func (u *UserV2) GetStatus() LoginStatus

GetStatus returns login status of the user

func (*UserV2) SetCreatedBy

func (u *UserV2) SetCreatedBy(b CreatedBy)

SetCreatedBy sets created by information

func (*UserV2) SetLocked

func (u *UserV2) SetLocked(until time.Time, reason string)

func (*UserV2) SetRoles

func (u *UserV2) SetRoles(roles []string)

SetRoles sets a list of roles for user

func (*UserV2) String

func (u *UserV2) String() string

func (*UserV2) V1

func (u *UserV2) V1() *UserV1

V1 converts UserV2 to UserV1 format

func (*UserV2) V2

func (u *UserV2) V2() *UserV2

V2 converts UserV2 to UserV2 format

func (*UserV2) WebSessionInfo

func (u *UserV2) WebSessionInfo(allowedLogins []string) interface{}

WebSessionInfo returns web session information about user

type Users added in v1.0.0

type Users []User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len added in v1.0.0

func (u Users) Len() int

func (Users) Less added in v1.0.0

func (u Users) Less(i, j int) bool

func (Users) Swap added in v1.0.0

func (u Users) Swap(i, j int)

type WebSession

type WebSession interface {
	// GetShortName returns visible short name used in logging
	GetShortName() string
	// GetName returns session name
	GetName() string
	// GetUser returns the user this session is associated with
	GetUser() string
	// SetName sets session name
	SetName(string)
	// SetUser sets user associated with this session
	SetUser(string)
	// GetPub is returns public certificate signed by auth server
	GetPub() []byte
	// GetPriv returns private OpenSSH key used to auth with SSH nodes
	GetPriv() []byte
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	GetBearerToken() string
	// SetBearerTokenExpiryTime sets bearer token expiry time
	SetBearerTokenExpiryTime(time.Time)
	// SetExpiryTime sets session expiry time
	SetExpiryTime(time.Time)
	// GetBearerTokenExpiryTime - absolute time when token expires
	GetBearerTokenExpiryTime() time.Time
	// GetExpiryTime - absolute time when web session expires
	GetExpiryTime() time.Time
	// V1 returns V1 version of the resource
	V1() *WebSessionV1
	// V2 returns V2 version of the resource
	V2() *WebSessionV2
	// WithoutSecrets returns copy of the web session but without private keys
	WithoutSecrets() WebSession
}

WebSession stores key and value used to authenticate with SSH notes on behalf of user

func NewWebSession

func NewWebSession(name string, spec WebSessionSpecV2) WebSession

NewWebSession returns new instance of the web session based on the V2 spec

type WebSessionMarshaler

type WebSessionMarshaler interface {
	// UnmarshalWebSession unmarhsals cert authority from binary representation
	UnmarshalWebSession(bytes []byte) (WebSession, error)
	// MarshalWebSession to binary representation
	MarshalWebSession(c WebSession, opts ...MarshalOption) ([]byte, error)
	// GenerateWebSession generates new web session and is used to
	// inject additional data in extenstions
	GenerateWebSession(WebSession) (WebSession, error)
	// ExtendWebSession extends web session and is used to
	// inject additional data in extenstions when session is getting renewed
	ExtendWebSession(WebSession) (WebSession, error)
}

WebSessionMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetWebSessionMarshaler

func GetWebSessionMarshaler() WebSessionMarshaler

GetWebSessionMarshaler returns currently set user marshaler

type WebSessionSpecV2

type WebSessionSpecV2 struct {
	// User is a user this web session belongs to
	User string `json:"user"`
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv,omitempty"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// BearerTokenExpires - absolute time when token expires
	BearerTokenExpires time.Time `json:"bearer_token_expires"`
	// Expires - absolute time when session expires
	Expires time.Time `json:"expires"`
}

WebSessionSpecV2 is a spec for V2 session

type WebSessionV1

type WebSessionV1 struct {
	// ID is session ID
	ID string `json:"id"`
	// User is a user this web session is associated with
	User string `json:"user"`
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv,omitempty"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}

WebSession stores key and value used to authenticate with SSH nodes on behalf of user

func (*WebSessionV1) GetBearerToken

func (ws *WebSessionV1) GetBearerToken() string

BearerToken is a special bearer token used for additional bearer authentication

func (*WebSessionV1) GetBearerTokenExpiryTime

func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time

GetBearerRoken - absolute time when token expires

func (*WebSessionV1) GetExpiryTime

func (ws *WebSessionV1) GetExpiryTime() time.Time

Expires - absolute time when token expires

func (*WebSessionV1) GetName

func (ws *WebSessionV1) GetName() string

GetName returns session name

func (*WebSessionV1) GetPriv

func (ws *WebSessionV1) GetPriv() []byte

GetPriv returns private OpenSSH key used to auth with SSH nodes

func (*WebSessionV1) GetPub

func (ws *WebSessionV1) GetPub() []byte

GetPub is returns public certificate signed by auth server

func (*WebSessionV1) GetShortName

func (ws *WebSessionV1) GetShortName() string

GetShortName returns visible short name used in logging

func (*WebSessionV1) GetUser

func (ws *WebSessionV1) GetUser() string

GetUser returns the user this session is associated with

func (*WebSessionV1) SetBearerTokenExpiryTime

func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)

SetBearerTokenExpiryTime sets session expiry time

func (*WebSessionV1) SetExpiryTime

func (ws *WebSessionV1) SetExpiryTime(tm time.Time)

SetExpiryTime sets session expiry time

func (*WebSessionV1) SetName

func (ws *WebSessionV1) SetName(name string)

SetName sets session name

func (*WebSessionV1) SetUser

func (ws *WebSessionV1) SetUser(u string)

SetUser sets user associated with this session

func (*WebSessionV1) V1

func (s *WebSessionV1) V1() *WebSessionV1

V1 returns V1 version of the resource

func (*WebSessionV1) V2

func (s *WebSessionV1) V2() *WebSessionV2

V2 returns V2 version of the resource

func (*WebSessionV1) WithoutSecrets

func (ws *WebSessionV1) WithoutSecrets() WebSession

WithoutSecrets returns copy of the web session but without private keys

type WebSessionV2

type WebSessionV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains cert authority specification
	Spec WebSessionSpecV2 `json:"spec"`
}

WebSessionV2 is version 2 spec for session

func (*WebSessionV2) GetBearerToken

func (ws *WebSessionV2) GetBearerToken() string

BearerToken is a special bearer token used for additional bearer authentication

func (*WebSessionV2) GetBearerTokenExpiryTime

func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time

GetBearerTokenExpiryTime - absolute time when token expires

func (*WebSessionV2) GetExpiryTime

func (ws *WebSessionV2) GetExpiryTime() time.Time

GetExpiryTime - absolute time when web session expires

func (*WebSessionV2) GetName

func (ws *WebSessionV2) GetName() string

GetName returns session name

func (*WebSessionV2) GetPriv

func (ws *WebSessionV2) GetPriv() []byte

GetPriv returns private OpenSSH key used to auth with SSH nodes

func (*WebSessionV2) GetPub

func (ws *WebSessionV2) GetPub() []byte

GetPub is returns public certificate signed by auth server

func (*WebSessionV2) GetShortName

func (ws *WebSessionV2) GetShortName() string

GetShortName returns visible short name used in logging

func (*WebSessionV2) GetUser

func (ws *WebSessionV2) GetUser() string

GetUser returns the user this session is associated with

func (*WebSessionV2) SetBearerTokenExpiryTime

func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)

SetBearerTokenExpiryTime sets bearer token expiry time

func (*WebSessionV2) SetExpiryTime

func (ws *WebSessionV2) SetExpiryTime(tm time.Time)

SetExpiryTime sets session expiry time

func (*WebSessionV2) SetName

func (ws *WebSessionV2) SetName(name string)

SetName sets session name

func (*WebSessionV2) SetUser

func (ws *WebSessionV2) SetUser(u string)

SetUser sets user associated with this session

func (*WebSessionV2) V1

func (ws *WebSessionV2) V1() *WebSessionV1

V1 returns V1 version of the object

func (*WebSessionV2) V2

func (ws *WebSessionV2) V2() *WebSessionV2

V2 returns V2 version of the resource

func (*WebSessionV2) WithoutSecrets

func (ws *WebSessionV2) WithoutSecrets() WebSession

WithoutSecrets returns copy of the object but without secrets

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL