services

package
v0.1.0-alpha.11 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 16, 2016 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heratbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	// TokenRoleAuth authenticates this token to provision Auth server
	TokenRoleAuth = "Auth"
	// TokenRoleNode authenticates this token to provision Node
	TokenRoleNode = "Node"
)

Variables

This section is empty.

Functions

func JoinTokenRole

func JoinTokenRole(token, role string) (ouputToken string, e error)

func SetUserUnmarshaler added in v1.0.0

func SetUserUnmarshaler(u UserUnmarshaler)

func SplitTokenRole

func SplitTokenRole(outputToken string) (token, role string, e error)

func VerifyPassword added in v1.0.0

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type CertAuthID added in v1.0.0

type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}

CertAuthID - id of certificate authority (it's type and domain name)

func (*CertAuthID) Check added in v1.0.0

func (c *CertAuthID) Check() error

Check returns error if any of the id parameters are bad, nil otherwise

func (*CertAuthID) String added in v1.0.0

func (c *CertAuthID) String() string

type CertAuthType added in v1.0.0

type CertAuthType string

CertAuthType specifies certificate authority type, user or host

const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)

func (CertAuthType) Check added in v1.0.0

func (c CertAuthType) Check() error

Check checks if certificate authority type value is correct

type CertAuthority added in v1.0.0

type CertAuthority struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}

CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func (*CertAuthority) Check added in v1.0.0

func (ca *CertAuthority) Check() error

Check checks if all passed parameters are valid

func (*CertAuthority) Checkers added in v1.0.0

func (ca *CertAuthority) Checkers() ([]ssh.PublicKey, error)

Checkers returns public keys that can be used to check cert authorities

func (*CertAuthority) FirstSigningKey added in v1.0.0

func (ca *CertAuthority) FirstSigningKey() ([]byte, error)

FirstSigningKey returns first signing key or returns error if it's not here

func (*CertAuthority) ID added in v1.0.0

func (ca *CertAuthority) ID() *CertAuthID

ID returns id (consisting of domain name and type) that identifies the authority this key belongs to

func (*CertAuthority) Signers added in v1.0.0

func (ca *CertAuthority) Signers() ([]ssh.Signer, error)

Signers returns a list of signers that could be used to sign keys

type CommandLabel

type CommandLabel struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabel is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabels

type CommandLabels map[string]CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type Identity added in v1.0.0

type Identity interface {
	// GetUsers returns a list of users registered with the local auth server
	GetUsers() ([]User, error)

	// UpsertUser updates parameters about user
	UpsertUser(user User) error

	// GetUser returns a user by name
	GetUser(user string) (User, error)

	// GetUserByOIDCIdentity returns a user by it's specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id OIDCIdentity) (User, error)

	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(user string) error

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertHOTP upserts HOTP state for user
	UpsertHOTP(user string, otp *hotp.HOTP) error

	// GetHOTP gets HOTP token state for a user
	GetHOTP(user string) (*hotp.HOTP, error)

	// UpsertWebSession updates or inserts a web session for a user and session id
	UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error

	// GetWebSession returns a web session state for a given user and session id
	GetWebSession(user, sid string) (*WebSession, error)

	// DeleteWebSession deletes web session from the storage
	DeleteWebSession(user, sid string) error

	// UpsertPassword upserts new password and HOTP token
	UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)

	// CheckPassword is called on web user or tsh user login
	CheckPassword(user string, password []byte, hotpToken string) error

	// CheckPasswordWOToken checks just password without checking HOTP tokens
	// used in case of SSH authentication, when token has been validated
	CheckPasswordWOToken(user string, password []byte) error

	// UpsertSignupToken upserts signup token - one time token that lets user to create a user account
	UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error

	// GetSignupToken returns signup token data
	GetSignupToken(token string) (*SignupToken, error)

	// DeleteSignupToken deletes signup token from the storage
	DeleteSignupToken(token string) error

	// UpsertOIDCConnector upserts OIDC Connector
	UpsertOIDCConnector(connector OIDCConnector, ttl time.Duration) error

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(connectorID string) error

	// GetOIDCConnector returns OIDC connector data, , withSecrets adds or removes client secret from return results
	GetOIDCConnector(id string, withSecrets bool) (*OIDCConnector, error)

	// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
	GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error)
}

Identity is responsible for managing user entries

type Lock added in v1.0.0

type Lock interface {
	// AcquireLock grabs a lock that will be released automatically in ttl time
	AcquireLock(token string, ttl time.Duration) error
	// ReleaseLock releases
	ReleaseLock(token string) error
}

Lock implements distributed locking service

type OIDCAuthRequest added in v1.0.0

type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`

	// Type is opaque string that helps callbacks identify the request type
	Type string `json:"type"`

	// CheckUser tells validator if it should expect and check user
	CheckUser bool `json:"check_user"`

	// StateToken is generated by service and is used to validate
	// reuqest coming from
	StateToken string `json:"state_token"`

	// RedirectURL will be used by browser
	RedirectURL string `json:"redirect_url"`

	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successfull auth
	PublicKey []byte `json:"public_key"`

	// CertTTL is the TTL of the certificate user wants to get
	CertTTL time.Duration `json:"cert_ttl"`

	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`

	// ClientRedirectURL is a URL client wants to be redirected
	// after successfull authentication
	ClientRedirectURL string `json:"client_redirect_url"`
}

OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server

func (*OIDCAuthRequest) Check added in v1.0.0

func (i *OIDCAuthRequest) Check() error

Check returns nil if all parameters are great, err otherwise

type OIDCConnector added in v1.0.0

type OIDCConnector struct {
	// ID is a provider id, 'e.g.' google, used internally
	ID string `json:"id"`
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `json:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `json:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `json:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successfull authentication
	// Should match the URL on Provider's side
	RedirectURL string `json:"redirect_url"`
}

OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation

func (*OIDCConnector) Check added in v1.0.0

func (o *OIDCConnector) Check() error

Check returns nil if all parameters are great, err otherwise

type OIDCIdentity added in v1.0.0

type OIDCIdentity struct {
	// ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
	ConnectorID string `json:"connector_id"`

	// Email is OIDC verified email claim
	// e.g. bob@example.com
	Email string `json:"username"`
}

OIDCIdentity is OpenID Connect identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google

func (*OIDCIdentity) Check added in v1.0.0

func (i *OIDCIdentity) Check() error

Check returns nil if all parameters are great, err otherwise

func (*OIDCIdentity) Equals added in v1.0.0

func (i *OIDCIdentity) Equals(other *OIDCIdentity) bool

Equals returns true if this identity equals to passed one

func (*OIDCIdentity) String added in v1.0.0

func (i *OIDCIdentity) String() string

String returns debug friendly representation of this identity

type Presence added in v1.0.0

type Presence interface {
	// GetNodes returns a list of registered servers
	GetNodes() ([]Server, error)

	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(server Server, ttl time.Duration) error

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(server Server, ttl time.Duration) error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(server Server, ttl time.Duration) error

	// GetProxies returns a list of registered proxies
	GetProxies() ([]Server, error)

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels() ([]ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type ProvisionToken

type ProvisionToken struct {
	Role string        `json:"role"`
	TTL  time.Duration `json:"-"`
}

ProvisionToken stores metadata about some provisioning token

type Provisioner added in v1.0.0

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(token, role string, ttl time.Duration) error

	// GetToken finds and returns token by id
	GetToken(token string) (*ProvisionToken, error)

	// DeleteToken deletes provisioning token
	DeleteToken(token string) error
}

Provisioner governs adding new nodes to the cluster

type ReverseTunnel added in v1.0.0

type ReverseTunnel struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}

ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved

func (*ReverseTunnel) Check added in v1.0.0

func (r *ReverseTunnel) Check() error

Check returns nil if all parameters are good, error otherwise

type Server

type Server struct {
	ID        string                  `json:"id"`
	Addr      string                  `json:"addr"`
	Hostname  string                  `json:"hostname"`
	Labels    map[string]string       `json:"labels"`
	CmdLabels map[string]CommandLabel `json:"cmd_labels"`
}

Server represents a node in a Teleport cluster

func (*Server) LabelsMap added in v1.0.0

func (s *Server) LabelsMap() map[string]string

LabelsMap returns the full key:value map of both static labels and "command labels"

func (*Server) LabelsString added in v1.0.0

func (s *Server) LabelsString() string

LabelsString returns a comma separated string with all node's labels

func (*Server) MatchAgainst added in v1.0.0

func (s *Server) MatchAgainst(labels map[string]string) bool

MatchAgainst takes a map of labels and returns True if this server has ALL of them

Any server matches against an empty label set

type SignupToken

type SignupToken struct {
	Token           string       `json:"token"`
	User            TeleportUser `json:"user"`
	Hotp            []byte       `json:"hotp"`
	HotpFirstValues []string     `json:"hotp_first_values"`
	HotpQR          []byte       `json:"hotp_qr"`
}

SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed

type Site added in v1.0.0

type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}

Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.

The CA is represented by an auth server (or multiple auth servers, if running in HA mode)

type TeleportUser added in v1.0.0

type TeleportUser struct {
	// Name is a user name
	Name string `json:"name"`

	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`

	// OIDCIdentities lists associated OpenID Connect identities
	// that let user log in using externally verified identity
	OIDCIdentities []OIDCIdentity `json:"oidc_identities"`
}

TeleportUser is an optional user entry in the database

func (*TeleportUser) Check added in v1.0.0

func (u *TeleportUser) Check() error

Check checks validity of all parameters

func (*TeleportUser) Equals added in v1.0.0

func (u *TeleportUser) Equals(other User) bool

Equals checks if user equals to another

func (*TeleportUser) GetAllowedLogins added in v1.0.0

func (u *TeleportUser) GetAllowedLogins() []string

GetAllowedLogins returns user's allowed linux logins

func (*TeleportUser) GetIdentities added in v1.0.0

func (u *TeleportUser) GetIdentities() []OIDCIdentity

GetIdentities returns a list of connected OIDCIdentities

func (*TeleportUser) GetName added in v1.0.0

func (u *TeleportUser) GetName() string

GetName returns user name

func (*TeleportUser) String added in v1.0.0

func (u *TeleportUser) String() string

type Trust added in v1.0.0

type Trust interface {

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(id CertAuthID) error

	// GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
	// controls if signing keys are loaded
	GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)

	// GetCertAuthorities returns a list of authorities of a given type
	// loadSigningKeys controls whether signing keys should be loaded or not
	GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]*CertAuthority, error)
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type User added in v1.0.0

type User interface {
	// GetName returns user name
	GetName() string
	// GetAllowedLogins returns user's allowed linux logins
	GetAllowedLogins() []string
	// GetIdentities returns a list of connected OIDCIdentities
	GetIdentities() []OIDCIdentity
	// String returns user
	String() string
	// Check checks if all parameters are correct
	Check() error
	// Equals checks if user equals to another
	Equals(other User) bool
}

User represents teleport or external user

func TeleportUserUnmarshaler added in v1.0.0

func TeleportUserUnmarshaler(bytes []byte) (User, error)

type UserUnmarshaler added in v1.0.0

type UserUnmarshaler func(bytes []byte) (User, error)

func GetUserUnmarshaler added in v1.0.0

func GetUserUnmarshaler() UserUnmarshaler

type Users added in v1.0.0

type Users []User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len added in v1.0.0

func (u Users) Len() int

func (Users) Less added in v1.0.0

func (u Users) Less(i, j int) bool

func (Users) Swap added in v1.0.0

func (u Users) Swap(i, j int)

type WebSession

type WebSession struct {
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}

WebSession stores key and value used to authenticate with SSH notes on behalf of user

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL