Documentation ¶
Index ¶
- Constants
- func AuthorizeConnection(ctx context.Context, sessionRepoFn *Repository, ...) (*Connection, []*ConnectionState, *AuthzSummary, error)
- func CloseConnections(ctx context.Context, sessionRepoFn *Repository, ...) ([]closeConnectionResp, error)
- func DeriveED25519Key(ctx context.Context, wrapper wrapping.Wrapper, userId, jobId string) (ed25519.PublicKey, ed25519.PrivateKey, error)
- func RegisterJobs(ctx context.Context, scheduler *scheduler.Scheduler, w db.Writer, r db.Reader, ...) error
- func TestCert(jobId string) (ed25519.PrivateKey, []byte, error)
- func TestSessionHostSetHost(t testing.TB, conn *db.DB, sessionId, hostSetId, hostId string)
- func TestSessionTargetAddress(t testing.TB, conn *db.DB, sessionId, targetId string)
- func TestTofu(t testing.TB) []byte
- type AuthzSummary
- type Cloneable
- type CloseWith
- type ClosedReason
- type ComposedOf
- type ConnectWith
- type Connection
- type ConnectionRepository
- func (r *ConnectionRepository) AuthorizeConnection(ctx context.Context, sessionId, workerId string) (*Connection, []*ConnectionState, error)
- func (r *ConnectionRepository) ConnectConnection(ctx context.Context, c ConnectWith) (*Connection, []*ConnectionState, error)
- func (r *ConnectionRepository) DeleteConnection(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *ConnectionRepository) ListConnectionsBySessionId(ctx context.Context, sessionId string, opt ...Option) ([]*Connection, error)
- func (r *ConnectionRepository) LookupConnection(ctx context.Context, connectionId string, _ ...Option) (*Connection, []*ConnectionState, error)
- type ConnectionState
- type ConnectionStatus
- type Credential
- type DynamicCredential
- type Option
- func WithDbOpts(opts ...db.Option) Option
- func WithExpirationTime(exp *timestamp.Timestamp) Option
- func WithIgnoreDecryptionFailures(ignoreFailures bool) Option
- func WithLimit(limit int) Option
- func WithOrderByCreateTime(orderBy db.OrderBy) Option
- func WithPermissions(p *perms.UserPermissions) Option
- func WithProjectIds(projectIds []string) Option
- func WithRandomReader(rand io.Reader) Option
- func WithSessionIds(ids ...string) Option
- func WithTerminated(withTerminated bool) Option
- func WithTestTofu(tofu []byte) Option
- func WithUserId(userId string) Option
- func WithWorkerStateDelay(d time.Duration) Option
- type Repository
- func (r *Repository) ActivateSession(ctx context.Context, sessionId string, sessionVersion uint32, tofuToken []byte) (*Session, []*State, error)
- func (r *Repository) AddSessionCredentials(ctx context.Context, sessProjectId, sessionId string, credData []Credential, ...) error
- func (r *Repository) CancelSession(ctx context.Context, sessionId string, sessionVersion uint32, opt ...Option) (*Session, error)
- func (r *Repository) CheckIfNotActive(ctx context.Context, reportedSessions []string) ([]*StateReport, error)
- func (r *Repository) CreateSession(ctx context.Context, sessionWrapper wrapping.Wrapper, newSession *Session, ...) (*Session, error)
- func (r *Repository) DeleteSession(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) ListSessionCredentials(ctx context.Context, sessProjectId, sessionId string, _ ...Option) ([]Credential, error)
- func (r *Repository) ListSessions(ctx context.Context, opt ...Option) ([]*Session, error)
- func (r *Repository) LookupSession(ctx context.Context, sessionId string, opt ...Option) (*Session, *AuthzSummary, error)
- func (r *Repository) TerminateCompletedSessions(ctx context.Context) (int, error)
- type RepositoryFactory
- type Session
- func AllocSession() Session
- func New(ctx context.Context, c ComposedOf, _ ...Option) (*Session, error)
- func TestDefaultSession(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository, ...) *Session
- func TestSession(t testing.TB, conn *db.DB, rootWrapper wrapping.Wrapper, c ComposedOf, ...) *Session
- func TestSessionWithTargetAddress(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository, ...) *Session
- func (s *Session) Clone() any
- func (s Session) GetProjectId() string
- func (s Session) GetPublicId() string
- func (s Session) GetUserId() string
- func (s *Session) SetTableName(n string)
- func (s *Session) TableName() string
- func (s *Session) VetForWrite(ctx context.Context, _ db.Reader, opType db.OpType, opt ...db.Option) error
- type SessionHostSetHost
- type SessionTargetAddress
- type SessionWorkerProtocol
- type State
- type StateReport
- type StaticCredential
- type Status
- type TerminationReason
Constants ¶
const ( // StatePrefix for state PK ids StatePrefix = "ss" // ConnectionPrefix for connection PK ids ConnectionPrefix = "sc" // ConnectionStatePrefix for connection state PK ids ConnectionStatePrefix = "scs" )
Variables ¶
This section is empty.
Functions ¶
func AuthorizeConnection ¶ added in v0.7.6
func AuthorizeConnection(ctx context.Context, sessionRepoFn *Repository, connectionRepoFn *ConnectionRepository, sessionId, workerId string, opt ...Option, ) (*Connection, []*ConnectionState, *AuthzSummary, error)
AuthorizeConnection is a domain service function that will create a Connection for a session if the following criteria are met: * The session is active. * The session is not expired. * The session has not reached its connection limit or has a connection limit of -1. If any of these criteria is not met, it returns an error with Code InvalidSessionState.
func CloseConnections ¶ added in v0.7.6
func CloseConnections(ctx context.Context, sessionRepoFn *Repository, connectionRepoFn *ConnectionRepository, closeWiths []CloseWith, ) ([]closeConnectionResp, error)
CloseConnections is a domain service function that: * closes requested connections * uses the sessionId of the connection to see if the session meets conditions for termination
func DeriveED25519Key ¶
func DeriveED25519Key(ctx context.Context, wrapper wrapping.Wrapper, userId, jobId string) (ed25519.PublicKey, ed25519.PrivateKey, error)
DeriveED25519Key generates a key based on the project's session DEK, the requesting user, and the generated job ID.
func RegisterJobs ¶ added in v0.9.0
func RegisterJobs(ctx context.Context, scheduler *scheduler.Scheduler, w db.Writer, r db.Reader, k *kms.Kms, gracePeriod *atomic.Int64) error
RegisterJobs registers session related jobs with the provided scheduler.
func TestCert ¶
func TestCert(jobId string) (ed25519.PrivateKey, []byte, error)
TestCert is a temporary test func that intentionally doesn't take testing.T as a parameter. It's currently used in controller.jobTestingHandler() and should be deprecated once that function is refactored to use sessions properly.
func TestSessionHostSetHost ¶ added in v0.12.0
TestSessionHostSetHost creates a test session to host set host association for the sessionId in the repository.
func TestSessionTargetAddress ¶ added in v0.12.0
TestSessionTargetAddress creates a test session to target address association for the sessionId in the repository.
Types ¶
type AuthzSummary ¶ added in v0.7.6
type CloseWith ¶
type CloseWith struct { ConnectionId string BytesUp int64 BytesDown int64 ClosedReason ClosedReason }
CloseWith defines the boundary data that is saved in the repo when the worker closes a connection between the client and the endpoint.
type ClosedReason ¶
type ClosedReason string
ClosedReason of the connection
const ( UnknownReason ClosedReason = "unknown" ConnectionTimedOut ClosedReason = "timed out" ConnectionClosedByUser ClosedReason = "closed by end-user" ConnectionCanceled ClosedReason = "canceled" ConnectionNetworkError ClosedReason = "network error" ConnectionSystemError ClosedReason = "system error" )
func (ClosedReason) String ¶
func (r ClosedReason) String() string
String representation of the termination reason
type ComposedOf ¶
type ComposedOf struct { // UserId of the session UserId string // HostId of the session HostId string // TargetId of the session TargetId string // HostSetId of the session HostSetId string // AuthTokenId of the session AuthTokenId string // ProjectId of the session ProjectId string // Endpoint. This is generated by the target, but is not stored in the // warehouse as the worker may need to e.g. resolve DNS. This is to round // trip the information to the worker when it validates a session. Endpoint string // Expiration time for the session ExpirationTime *timestamp.Timestamp // Max connections for the session ConnectionLimit int32 // Ingress and egress worker filters. Active filters when the session was created, used to // validate the session via the same set of rules at consumption time as // existed at creation time. Round tripping it through here saves a lookup // in the DB. It is not stored in the warehouse. WorkerFilter string EgressWorkerFilter string IngressWorkerFilter string // DynamicCredentials are dynamic credentials that will be retrieved // for the session. DynamicCredentials optional. DynamicCredentials []*DynamicCredential // StaticCredentials are static credentials that will be retrieved // for the session. StaticCredentials optional. StaticCredentials []*StaticCredential // Which worker is performing protocol-related tasks ProtocolWorkerId string }
ComposedOf defines the boundary data that is referenced to compose a session.
func TestSessionParams ¶
func TestSessionParams(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository) ComposedOf
TestSessionParams returns an initialized ComposedOf which can be used to create a session in the repository.
func TestSessionTargetAddressParams ¶ added in v0.12.0
func TestSessionTargetAddressParams(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository) ComposedOf
type ConnectWith ¶
type ConnectWith struct { ConnectionId string ClientTcpAddress string ClientTcpPort uint32 EndpointTcpAddress string EndpointTcpPort uint32 UserClientIp string }
ConnectWith defines the boundary data that is saved in the repo when the worker has established a connection between the client and the endpoint.
type Connection ¶
type Connection struct { // PublicId is used to access the connection via an API PublicId string `json:"public_id,omitempty" gorm:"primary_key"` // SessionId of the connection SessionId string `json:"session_id,omitempty" gorm:"default:null"` // ClientTcpAddress of the connection ClientTcpAddress string `json:"client_tcp_address,omitempty" gorm:"default:null"` // ClientTcpPort of the connection ClientTcpPort uint32 `json:"client_tcp_port,omitempty" gorm:"default:null"` // UserClientIp is the user's client IP UserClientIp string `json:"user_client_ip,omitempty" gorm:"default:null"` // EndpointTcpAddress of the connection EndpointTcpAddress string `json:"endpoint_tcp_address,omitempty" gorm:"default:null"` // EndpointTcpPort of the connection EndpointTcpPort uint32 `json:"endpoint_tcp_port,omitempty" gorm:"default:null"` // BytesUp of the connection BytesUp int64 `json:"bytes_up,omitempty" gorm:"default:null"` // BytesDown of the connection BytesDown int64 `json:"bytes_down,omitempty" gorm:"default:null"` // ClosedReason of the connection ClosedReason string `json:"closed_reason,omitempty" gorm:"default:null"` // CreateTime from the RDBMS CreateTime *timestamp.Timestamp `json:"create_time,omitempty" gorm:"default:current_timestamp"` // UpdateTime from the RDBMS UpdateTime *timestamp.Timestamp `json:"update_time,omitempty" gorm:"default:current_timestamp"` // Version of the connection Version uint32 `json:"version,omitempty" gorm:"default:null"` // contains filtered or unexported fields }
Connection contains information about session's connection to a target
func AllocConnection ¶
func AllocConnection() Connection
AllocConnection will allocate a Connection.
func NewConnection ¶
func NewConnection(ctx context.Context, sessionID, clientTcpAddress string, clientTcpPort uint32, endpointTcpAddr string, endpointTcpPort uint32, userClientIp string, _ ...Option) (*Connection, error)
NewConnection creates a new in memory connection. No options are currently supported.
func TestConnection ¶
func TestConnection(t testing.TB, conn *db.DB, sessionId, clientTcpAddr string, clientTcpPort uint32, endpointTcpAddr string, endpointTcpPort uint32, userClientIp string) *Connection
TestConnection creates a test connection for the sessionId in the repository.
func (*Connection) Clone ¶
func (c *Connection) Clone() any
Clone creates a clone of the Connection.
func (*Connection) GetPublicId ¶
func (c *Connection) GetPublicId() string
func (*Connection) SetTableName ¶
func (c *Connection) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*Connection) TableName ¶
func (c *Connection) TableName() string
TableName returns the tablename to override the default gorm table name
type ConnectionRepository ¶ added in v0.7.6
type ConnectionRepository struct {
// contains filtered or unexported fields
}
ConnectionRepository is the session connection database repository.
func NewConnectionRepository ¶ added in v0.7.6
func NewConnectionRepository(ctx context.Context, r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*ConnectionRepository, error)
NewConnectionRepository creates a new session Connection Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.
func (*ConnectionRepository) AuthorizeConnection ¶ added in v0.7.6
func (r *ConnectionRepository) AuthorizeConnection(ctx context.Context, sessionId, workerId string) (*Connection, []*ConnectionState, error)
AuthorizeConnection will check to see if a connection is allowed. Currently, that authorization checks: * the hasn't expired based on the session.Expiration * number of connections already created is less than session.ConnectionLimit If authorization is success, it creates/stores a new connection in the repo and returns it, along with its states. If the authorization fails, it an error with Code InvalidSessionState.
func (*ConnectionRepository) ConnectConnection ¶ added in v0.7.6
func (r *ConnectionRepository) ConnectConnection(ctx context.Context, c ConnectWith) (*Connection, []*ConnectionState, error)
ConnectConnection updates a connection in the repo with a state of "connected".
func (*ConnectionRepository) DeleteConnection ¶ added in v0.7.6
func (r *ConnectionRepository) DeleteConnection(ctx context.Context, publicId string, _ ...Option) (int, error)
DeleteConnection will delete a connection from the repository.
func (*ConnectionRepository) ListConnectionsBySessionId ¶ added in v0.7.6
func (r *ConnectionRepository) ListConnectionsBySessionId(ctx context.Context, sessionId string, opt ...Option) ([]*Connection, error)
ListConnectionsBySessionId will list connections by session ID. Supports the WithLimit and WithOrder options.
func (*ConnectionRepository) LookupConnection ¶ added in v0.7.6
func (r *ConnectionRepository) LookupConnection(ctx context.Context, connectionId string, _ ...Option) (*Connection, []*ConnectionState, error)
LookupConnection will look up a connection in the repository and return the connection with its states. If the connection is not found, it will return nil, nil, nil. No options are currently supported.
type ConnectionState ¶
type ConnectionState struct { // ConnectionId is used to access the state via an API ConnectionId string `json:"public_id,omitempty" gorm:"primary_key"` // status of the connection Status ConnectionStatus `protobuf:"bytes,20,opt,name=status,proto3" json:"status,omitempty" gorm:"column:state"` // PreviousEndTime from the RDBMS PreviousEndTime *timestamp.Timestamp `json:"previous_end_time,omitempty" gorm:"default:current_timestamp"` // StartTime from the RDBMS StartTime *timestamp.Timestamp `json:"start_time,omitempty" gorm:"default:current_timestamp;primary_key"` // EndTime from the RDBMS EndTime *timestamp.Timestamp `json:"end_time,omitempty" gorm:"default:current_timestamp"` // contains filtered or unexported fields }
ConnectionState of the state of the connection
func NewConnectionState ¶
func NewConnectionState(ctx context.Context, connectionId string, state ConnectionStatus, _ ...Option) (*ConnectionState, error)
NewConnectionState creates a new in memory connection state. No options are currently supported.
func TestConnectionState ¶
func TestConnectionState(t testing.TB, conn *db.DB, connectionId string, state ConnectionStatus) *ConnectionState
TestConnectionState creates a test connection state for the connectionId in the repository.
func (*ConnectionState) Clone ¶
func (s *ConnectionState) Clone() any
Clone creates a clone of the State
func (*ConnectionState) SetTableName ¶
func (s *ConnectionState) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*ConnectionState) TableName ¶
func (s *ConnectionState) TableName() string
TableName returns the tablename to override the default gorm table name
type ConnectionStatus ¶
type ConnectionStatus string
ConnectionStatus of the connection's state
const ( StatusAuthorized ConnectionStatus = "authorized" StatusConnected ConnectionStatus = "connected" StatusClosed ConnectionStatus = "closed" StatusUnspecified ConnectionStatus = "unspecified" // Utility state not valid in the DB )
func ConnectionStatusFromProtoVal ¶ added in v0.4.0
func ConnectionStatusFromProtoVal(s workerpbs.CONNECTIONSTATUS) ConnectionStatus
ConnectionStatusFromProtoVal is the reverse of ConnectionStatus.ProtoVal.
func (ConnectionStatus) ProtoVal ¶
func (s ConnectionStatus) ProtoVal() workerpbs.CONNECTIONSTATUS
ProtoVal returns the enum value corresponding to the state
func (ConnectionStatus) String ¶
func (s ConnectionStatus) String() string
String representation of the state's status
type Credential ¶ added in v0.7.4
type Credential []byte
Credential represents the credential data which is sent to the worker.
type DynamicCredential ¶ added in v0.4.0
type DynamicCredential struct { SessionId string `json:"session_id,omitempty" gorm:"primary_key"` LibraryId string `json:"library_id,omitempty" gorm:"primary_key"` CredentialPurpose string `json:"credential_purpose,omitempty" gorm:"primary_key"` CredentialId string `json:"credential_id,omitempty" gorm:"default:null"` // contains filtered or unexported fields }
A DynamicCredential represents the relationship between a session, a credential, and the credential library where the credential was retrieved plus the purpose of the credential.
func NewDynamicCredential ¶ added in v0.4.0
func NewDynamicCredential(libraryId string, purpose cred.Purpose) *DynamicCredential
NewDynamicCredential creates a new in memory Credential representing the relationship between session and a credential library.
func (*DynamicCredential) SetTableName ¶ added in v0.4.0
func (c *DynamicCredential) SetTableName(n string)
SetTableName sets the table name.
func (*DynamicCredential) TableName ¶ added in v0.4.0
func (c *DynamicCredential) TableName() string
TableName returns the table name.
type Option ¶
type Option func(*options)
Option - how Options are passed as arguments
func WithDbOpts ¶ added in v0.2.2
WithDbOpts passes through given DB options to the DB layer
func WithExpirationTime ¶
WithExpirationTime allows specifying an expiration time for the session
func WithIgnoreDecryptionFailures ¶ added in v0.11.1
WithIgnoreDecryptionFailures is used to ignore decryption failures when doing lookups. This should be used sparingly. It is currently only used to allow a user to cancel a session in the presence of a undecryptable TOFU token.
func WithLimit ¶
WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.
func WithOrderByCreateTime ¶ added in v0.2.0
WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.
func WithPermissions ¶ added in v0.10.4
func WithPermissions(p *perms.UserPermissions) Option
WithPermissions is used to include user permissions when constructing a Repository.
func WithProjectIds ¶ added in v0.10.2
WithProjectIds allows specifying a project ID criteria for the function.
func WithRandomReader ¶ added in v0.11.1
WithRandomReader is used to configure the random source to use when generating secrets. Defaults to crypto/rand.Reader.
func WithSessionIds ¶
WithSessionIds allows the specification of the session ids to use for the operation.
func WithTerminated ¶ added in v0.9.0
WithTerminated is used to include terminated sessions in a list request.
func WithTestTofu ¶
WithTestTofu allows specifying a test tofu for a test session
func WithUserId ¶
WithUserId allows specifying a user ID criteria for the function.
func WithWorkerStateDelay ¶ added in v0.7.6
WithWorkerStateDelay is used by queries to account for a delay in state propagation between worker and controller.
type Repository ¶
type Repository struct {
// contains filtered or unexported fields
}
Repository is the session database repository
func NewRepository ¶
func NewRepository(ctx context.Context, r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*Repository, error)
NewRepository creates a new session Repository. Supports the options:
- WithLimit, which sets a default limit on results returned by repo operations.
- WithPermissions
- WithRandomReader
func (*Repository) ActivateSession ¶
func (r *Repository) ActivateSession(ctx context.Context, sessionId string, sessionVersion uint32, tofuToken []byte) (*Session, []*State, error)
ActivateSession will activate the session and is called by a worker after authenticating the session. The session must be in a "pending" state to be activated. States are ordered by start time descending. Returns an InvalidSessionState error code if a connection cannot be made because the session was canceled or terminated. If ActivateSession receives duplicate requests for the same session, it will return the already active session if the tofu token is correct
func (*Repository) AddSessionCredentials ¶ added in v0.7.4
func (r *Repository) AddSessionCredentials(ctx context.Context, sessProjectId, sessionId string, credData []Credential, _ ...Option) error
AddSessionCredentials encrypts the credData and adds the credentials to the repository. The credentials are linked to the sessionID provided, and encrypted using the sessProjectId. Session credentials are only valid for pending and active sessions, once a session ends, all session credentials are deleted. All options are ignored.
func (*Repository) CancelSession ¶
func (r *Repository) CancelSession(ctx context.Context, sessionId string, sessionVersion uint32, opt ...Option) (*Session, error)
CancelSession sets a session's state to "canceling" in the repo. It's called when the user cancels a session and the controller wants to update the session state to "canceling" for the given reason, so the workers can get the "canceling signal" during their next status heartbeat. CancelSession is idempotent. Supported Options:
- WithIgnoreDecryptionFailures
func (*Repository) CheckIfNotActive ¶ added in v0.13.0
func (r *Repository) CheckIfNotActive(ctx context.Context, reportedSessions []string) ([]*StateReport, error)
CheckIfNotActive checks the given sessions to see if they are in a non-active state, i.e. "canceling" or "terminated" It returns a *StateReport object for each session that is not active, with its current status.
func (*Repository) CreateSession ¶
func (r *Repository) CreateSession(ctx context.Context, sessionWrapper wrapping.Wrapper, newSession *Session, workerAddresses []string, _ ...Option) (*Session, error)
CreateSession inserts into the repository and returns the new Session with its State of "Pending". The following fields must be empty when creating a session: WorkerId, and PublicId. No options are currently supported.
func (*Repository) DeleteSession ¶
DeleteSession will delete a session from the repository.
func (*Repository) ListSessionCredentials ¶ added in v0.7.4
func (r *Repository) ListSessionCredentials(ctx context.Context, sessProjectId, sessionId string, _ ...Option) ([]Credential, error)
ListSessionCredentials returns all Credential attached to the sessionId. All options are ignored.
func (*Repository) ListSessions ¶
ListSessions lists sessions. Sessions returned will be limited by the list permissions of the repository. Supports the WithTerminated, WithLimit, WithOrderByCreateTime options.
func (*Repository) LookupSession ¶
func (r *Repository) LookupSession(ctx context.Context, sessionId string, opt ...Option) (*Session, *AuthzSummary, error)
LookupSession will look up a session in the repository and return the session with its states. Returned States are ordered by start time descending. If the session is not found, it will return nil, nil, nil. If the session has no user or project associated with it, decryption of fields will not be performed. Supported Options:
- WithIgnoreDecryptionFailures
func (*Repository) TerminateCompletedSessions ¶
func (r *Repository) TerminateCompletedSessions(ctx context.Context) (int, error)
TerminateCompletedSessions will terminate sessions in the repo based on:
- sessions that have exhausted their connection limit and all their connections are closed.
- sessions that are expired and all their connections are closed.
- sessions that are canceling and all their connections are closed
This function should called on a periodic basis a Controllers via it's "ticker" pattern.
type RepositoryFactory ¶ added in v0.10.4
type RepositoryFactory func(opt ...Option) (*Repository, error)
RepositoryFactory is a function that creates a Repository.
type Session ¶
type Session struct { // PublicId is used to access the session via an API PublicId string `json:"public_id,omitempty" gorm:"primary_key"` // UserId for the session UserId string `json:"user_id,omitempty" gorm:"default:null"` // TargetId for the session TargetId string `json:"target_id,omitempty" gorm:"default:null"` // AuthTokenId for the session AuthTokenId string `json:"auth_token_id,omitempty" gorm:"default:null"` // ProjectId for the session ProjectId string `json:"project_id,omitempty" gorm:"default:null"` // Certificate to use when connecting (or if using custom certs, to // serve as the "login"). Raw DER bytes. Certificate []byte `json:"certificate,omitempty" gorm:"default:null"` // CtCertificatePrivateKey is the ciphertext certificate private key which is stored in the database CtCertificatePrivateKey []byte `` /* 132-byte string literal not displayed */ // CertificatePrivateKey is the certificate private key in plaintext. // This may not be set for some sessions, in which case the private // key should be derived from the encryption key referenced in key_id. CertificatePrivateKey []byte `json:"certificate_private_key,omitempty" gorm:"-" wrapping:"pt,certificate_private_key"` // ExpirationTime - after this time the connection will be expired, e.g. forcefully terminated ExpirationTime *timestamp.Timestamp `json:"expiration_time,omitempty" gorm:"default:null"` // CtTofuToken is the ciphertext Tofutoken value stored in the database CtTofuToken []byte `json:"ct_tofu_token,omitempty" gorm:"column:tofu_token;default:null" wrapping:"ct,tofu_token"` // TofuToken - plain text of the "trust on first use" token for session TofuToken []byte `json:"tofu_token,omitempty" gorm:"-" wrapping:"pt,tofu_token"` // termination_reason for the session TerminationReason string `json:"termination_reason,omitempty" gorm:"default:null"` // CreateTime from the RDBMS CreateTime *timestamp.Timestamp `json:"create_time,omitempty" gorm:"default:current_timestamp"` // UpdateTime from the RDBMS UpdateTime *timestamp.Timestamp `json:"update_time,omitempty" gorm:"default:current_timestamp"` // Version for the session Version uint32 `json:"version,omitempty" gorm:"default:null"` // Endpoint Endpoint string `json:"-" gorm:"default:null"` // Maximum number of connections in a session ConnectionLimit int32 `json:"connection_limit,omitempty" gorm:"default:null"` // Worker filters WorkerFilter string `json:"-" gorm:"default:null"` EgressWorkerFilter string `json:"-" gorm:"default:null"` IngressWorkerFilter string `json:"-" gorm:"default:null"` // key_id is the ID of the key version used to encrypt any fields in this struct KeyId string `json:"key_id,omitempty" gorm:"default:null"` // States for the session which are for read only and are ignored during // write operations States []*State `gorm:"-"` // DynamicCredentials for the session. DynamicCredentials []*DynamicCredential `gorm:"-"` // StaticCredentials for the session. StaticCredentials []*StaticCredential `gorm:"-"` // HostSetId for the session HostSetId string `gorm:"-"` // HostId of the session HostId string `gorm:"-"` // ProtocolWorkerId of the session ProtocolWorkerId string `gorm:"-"` // Connections for the session are for read only and are ignored during write operations Connections []*Connection `gorm:"-"` // contains filtered or unexported fields }
Session contains information about a user's session with a target
func TestDefaultSession ¶
func TestDefaultSession(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository, opt ...Option) *Session
TestDefaultSession creates a test session in the repository using defaults.
func TestSession ¶
func TestSession(t testing.TB, conn *db.DB, rootWrapper wrapping.Wrapper, c ComposedOf, opt ...Option) *Session
TestSession creates a test session composed of c in the repository. Options are passed into New, and withServerId is handled locally.
func TestSessionWithTargetAddress ¶ added in v0.12.0
func (Session) GetProjectId ¶ added in v0.10.2
func (Session) GetPublicId ¶
func (*Session) SetTableName ¶
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
type SessionHostSetHost ¶ added in v0.12.0
type SessionHostSetHost struct { // SessionId of the session SessionId string `json:"session_id,omitempty" gorm:"primary_key"` // HostSetId of the session HostSetId string `json:"host_set_id,omitempty" gorm:"default:null"` // HostId of the session HostId string `json:"host_id,omitempty" gorm:"default:null"` // contains filtered or unexported fields }
SessionHostSetHost contains information about a user's session with a target that has a host source association.
func AllocSessionHostSetHost ¶ added in v0.12.0
func AllocSessionHostSetHost() *SessionHostSetHost
AllocSessionHostSet will allocate a SessionHostSetHost
func NewSessionHostSetHost ¶ added in v0.12.0
func NewSessionHostSetHost(ctx context.Context, sessionId, hostSetId, hostId string) (*SessionHostSetHost, error)
NewSessionHostSetHost creates a new in memory session to host set & host association.
func (*SessionHostSetHost) Clone ¶ added in v0.12.0
func (s *SessionHostSetHost) Clone() any
Clone creates a clone of the SessionHostSetHost
func (*SessionHostSetHost) SetTableName ¶ added in v0.12.0
func (s *SessionHostSetHost) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*SessionHostSetHost) TableName ¶ added in v0.12.0
func (s *SessionHostSetHost) TableName() string
TableName returns the tablename to override the default gorm table name
type SessionTargetAddress ¶ added in v0.12.0
type SessionTargetAddress struct { // SessionId of the session SessionId string `json:"session_id,omitempty" gorm:"primary_key"` // TargetId of the session TargetId string `json:"target_id,omitempty" gorm:"default:null"` // contains filtered or unexported fields }
SessionTargetAddress contains information about a user's session with a target that has a direct network address association.
func AllocSessionTargetAddress ¶ added in v0.12.0
func AllocSessionTargetAddress() *SessionTargetAddress
AllocSessionTargetAddress will allocate a SessionTargetAddress
func NewSessionTargetAddress ¶ added in v0.12.0
func NewSessionTargetAddress(ctx context.Context, sessionId, targetId string) (*SessionTargetAddress, error)
NewSessionTargetAddress creates a new in memory session target address.
func (*SessionTargetAddress) Clone ¶ added in v0.12.0
func (s *SessionTargetAddress) Clone() any
Clone creates a clone of the SessionTargetAddress
func (*SessionTargetAddress) SetTableName ¶ added in v0.12.0
func (s *SessionTargetAddress) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*SessionTargetAddress) TableName ¶ added in v0.12.0
func (s *SessionTargetAddress) TableName() string
TableName returns the tablename to override the default gorm table name
type SessionWorkerProtocol ¶ added in v0.13.0
type SessionWorkerProtocol struct { // SessionId of the session SessionId string `json:"session_id,omitempty" gorm:"primary_key"` // WorkerId chosen for protocol tasks WorkerId string `json:"worker_id,omitempty" gorm:"primary_key"` // contains filtered or unexported fields }
SessionWorkerProtocol contains information about a chosen protocol-aware worker for a session
func AllocSessionWorkerProtocol ¶ added in v0.13.0
func AllocSessionWorkerProtocol() *SessionWorkerProtocol
AllocSessionWorkerProtocol will allocate a SessionHostSetHost
func NewSessionWorkerProtocol ¶ added in v0.13.0
func NewSessionWorkerProtocol(ctx context.Context, sessionId, workerId string) (*SessionWorkerProtocol, error)
NewSessionWorkerProtocol creates a new in-memory session to protocol worker association
func (*SessionWorkerProtocol) Clone ¶ added in v0.13.0
func (s *SessionWorkerProtocol) Clone() any
Clone creates a clone of the SessionWorkerProtocol
func (*SessionWorkerProtocol) SetTableName ¶ added in v0.13.0
func (s *SessionWorkerProtocol) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*SessionWorkerProtocol) TableName ¶ added in v0.13.0
func (s *SessionWorkerProtocol) TableName() string
TableName returns the tablename to override the default gorm table name
type State ¶
type State struct { // SessionId references the session public id SessionId string `json:"session_id,omitempty" gorm:"primary_key"` // status of the session Status Status `json:"status,omitempty" gorm:"column:state"` // PreviousEndTime from the RDBMS PreviousEndTime *timestamp.Timestamp `json:"previous_end_time,omitempty" gorm:"default:current_timestamp"` // StartTime from the RDBMS StartTime *timestamp.Timestamp `json:"start_time,omitempty" gorm:"default:current_timestamp;primary_key"` // EndTime from the RDBMS EndTime *timestamp.Timestamp `json:"end_time,omitempty" gorm:"default:current_timestamp"` // contains filtered or unexported fields }
State of the session
func (*State) SetTableName ¶
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
type StateReport ¶ added in v0.7.6
type StateReport struct { SessionId string Status Status Connections []*Connection // Unrecognized indicates that the SessionId was not found in the database. Unrecognized bool }
StateReport is used to report on the state of a Session.
func WorkerStatusReport ¶ added in v0.7.6
func WorkerStatusReport(ctx context.Context, repo *Repository, connRepo *ConnectionRepository, workerId string, report []*StateReport) ([]*StateReport, error)
WorkerStatusReport is a domain service function that, given a Worker's session state reports, performs a few tasks:
- Updates the bytes up and down statistics for each reported connection.
- Compares the state of sessions and connections as reported by a Worker, to the known state in the repositories. It returns a StateReport object for each session that is in the canceling or terminated state.
- Checks for any orphaned connections, which is defined as a connection that is in an active state, but was not reported by worker. Any orphaned connections will be marked as closed.
type StaticCredential ¶ added in v0.9.0
type StaticCredential struct { SessionId string `json:"session_id,omitempty" gorm:"primary_key"` CredentialPurpose string `json:"credential_purpose,omitempty" gorm:"primary_key"` CredentialStaticId string `json:"credential_id,omitempty" gorm:"default:null"` // contains filtered or unexported fields }
A StaticCredential represents the relationship between a session, a credential and the purpose of the credential.
func NewStaticCredential ¶ added in v0.9.0
func NewStaticCredential(id string, purpose cred.Purpose) *StaticCredential
NewStaticCredential creates a new in memory Credential representing the relationship between session a credential and the purpose of the credential.
func (*StaticCredential) SetTableName ¶ added in v0.9.0
func (c *StaticCredential) SetTableName(n string)
SetTableName sets the table name.
func (*StaticCredential) TableName ¶ added in v0.9.0
func (c *StaticCredential) TableName() string
TableName returns the table name.
type Status ¶
type Status string
Status of the session's state
func (Status) ProtoVal ¶
func (s Status) ProtoVal() workerpbs.SESSIONSTATUS
ProtoVal returns the enum value corresponding to the state
type TerminationReason ¶
type TerminationReason string
TerminationReason of the session
const ( UnknownTermination TerminationReason = "unknown" TimedOut TerminationReason = "timed out" ClosedByUser TerminationReason = "closed by end-user" Terminated TerminationReason = "terminated" NetworkError TerminationReason = "network error" SystemError TerminationReason = "system error" ConnectionLimit TerminationReason = "connection limit" SessionCanceled TerminationReason = "canceled" )
func (TerminationReason) String ¶
func (r TerminationReason) String() string
String representation of the termination reason
Source Files ¶
- connection.go
- connection_closed_reason.go
- connection_closed_with.go
- connection_state.go
- credential.go
- dynamic_credential.go
- ids.go
- job_delete_terminated_sessions.go
- job_session_cleanup.go
- jobs.go
- options.go
- query.go
- repository.go
- repository_connection.go
- repository_credential.go
- repository_session.go
- rewrapping.go
- service_authorize_connection.go
- service_close_connections.go
- service_worker_status_report.go
- session.go
- session_connect_with.go
- session_host_set_host.go
- session_target_address.go
- session_worker_protocol.go
- state.go
- static_credential.go
- term_reason.go
- testing.go
- util.go