- Constants
- func DeriveED25519Key(wrapper wrapping.Wrapper, userId, jobId string) (ed25519.PublicKey, ed25519.PrivateKey, error)
- func TestCert(wrapper wrapping.Wrapper, userId, jobId string) (ed25519.PrivateKey, []byte, error)
- func TestTofu(t *testing.T) []byte
- func TestWorker(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper, opt ...Option) *servers.Server
- type Cloneable
- type CloseConnectionResp
- type CloseWith
- type ClosedReason
- type ComposedOf
- type ConnectWith
- type Connection
- type ConnectionAuthzSummary
- type ConnectionState
- type ConnectionStatus
- type Option
- func WithDbOpts(opts ...db.Option) Option
- func WithExpirationTime(exp *timestamp.Timestamp) Option
- func WithLimit(limit int) Option
- func WithOrderByCreateTime(orderBy db.OrderBy) Option
- func WithScopeIds(scopeIds []string) Option
- func WithServerId(id string) Option
- func WithSessionIds(ids ...string) Option
- func WithTestTofu(tofu []byte) Option
- func WithUserId(userId string) Option
- type Repository
- func (r *Repository) ActivateSession(ctx context.Context, sessionId string, sessionVersion uint32, ...) (*Session, []*State, error)
- func (r *Repository) AuthorizeConnection(ctx context.Context, sessionId, workerId string) (*Connection, []*ConnectionState, *ConnectionAuthzSummary, error)
- func (r *Repository) CancelSession(ctx context.Context, sessionId string, sessionVersion uint32) (*Session, error)
- func (r *Repository) CloseConnections(ctx context.Context, closeWith []CloseWith, _ ...Option) ([]CloseConnectionResp, error)
- func (r *Repository) CloseDeadConnectionsOnWorkerReport(ctx context.Context, serverId string, foundConns []string) (int, error)
- func (r *Repository) ConnectConnection(ctx context.Context, c ConnectWith) (*Connection, []*ConnectionState, error)
- func (r *Repository) CreateSession(ctx context.Context, sessionWrapper wrapping.Wrapper, newSession *Session, ...) (*Session, ed25519.PrivateKey, error)
- func (r *Repository) DeleteConnection(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) DeleteSession(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) ListConnectionsBySessionId(ctx context.Context, sessionId string, opt ...Option) ([]*Connection, error)
- func (r *Repository) ListSessions(ctx context.Context, opt ...Option) ([]*Session, error)
- func (r *Repository) LookupConnection(ctx context.Context, connectionId string, _ ...Option) (*Connection, []*ConnectionState, error)
- func (r *Repository) LookupSession(ctx context.Context, sessionId string, _ ...Option) (*Session, *ConnectionAuthzSummary, error)
- func (r *Repository) TerminateCompletedSessions(ctx context.Context) (int, error)
- func (r *Repository) TerminateSession(ctx context.Context, sessionId string, sessionVersion uint32, ...) (*Session, error)
- type Session
- type State
- type Status
- type TerminationReason
Constants ¶
// Public-id prefixes used for the primary keys of the session package's tables.
const (
	// SessionPrefix for session PK ids
	SessionPrefix = "s"
	// StatePrefix for state PK ids
	StatePrefix = "ss"
	// ConnectionPrefix for connection PK ids
	ConnectionPrefix = "sc"
	// ConnectionStatePrefix for connection state PK ids
	ConnectionStatePrefix = "scs"
)
Variables ¶
This section is empty.
Functions ¶
func DeriveED25519Key ¶
func DeriveED25519Key(wrapper wrapping.Wrapper, userId, jobId string) (ed25519.PublicKey, ed25519.PrivateKey, error)
DeriveED25519Key generates a key based on the scope's session DEK, the requesting user, and the generated job ID.
func TestCert ¶
TestCert is a temporary test func that intentionally doesn't take testing.T as a parameter. It's currently used in controller.jobTestingHandler() and should be deprecated once that function is refactored to use sessions properly.
Types ¶
type Cloneable ¶
// Cloneable provides a cloning interface. Connection.Clone and
// ConnectionState.Clone in this package satisfy it.
type Cloneable interface {
	// Clone returns a copy of the receiver as interface{}.
	Clone() interface{}
}
Cloneable provides a cloning interface.
type CloseConnectionResp ¶
// CloseConnectionResp wraps the response from Repository.CloseConnections:
// the closed connection together with its states, one per connection closed.
type CloseConnectionResp struct {
	// Connection that was closed.
	Connection *Connection
	// ConnectionStates of that connection.
	ConnectionStates []*ConnectionState
}
CloseConnectionResp is just a wrapper for the response from CloseConnections. It wraps the connection and its states for each connection closed.
type CloseWith ¶
// CloseWith defines the boundary data saved in the repo when the worker
// closes a connection between the client and the endpoint.
type CloseWith struct {
	// ConnectionId of the connection being closed.
	ConnectionId string
	// BytesUp transferred over the connection.
	BytesUp uint64
	// BytesDown transferred over the connection.
	BytesDown uint64
	// ClosedReason recorded for the connection.
	ClosedReason ClosedReason
}
CloseWith defines the boundary data that is saved in the repo when the worker closes a connection between the client and the endpoint.
type ClosedReason ¶
// ClosedReason of the connection; see the ClosedReason constants for the
// values used in this package.
type ClosedReason string
ClosedReason of the connection
// Reasons a connection may be closed.
const (
	UnknownReason          ClosedReason = "unknown"
	ConnectionTimedOut     ClosedReason = "timed out"
	ConnectionClosedByUser ClosedReason = "closed by end-user"
	ConnectionCanceled     ClosedReason = "canceled"
	ConnectionNetworkError ClosedReason = "network error"
	ConnectionSystemError  ClosedReason = "system error"
)
func (ClosedReason) String ¶
func (r ClosedReason) String() string
String representation of the termination reason
type ComposedOf ¶
// ComposedOf defines the boundary data that is referenced to compose a
// session (see New).
type ComposedOf struct {
	// UserId of the session
	UserId string
	// HostId of the session
	HostId string
	// TargetId of the session
	TargetId string
	// HostSetId of the session
	HostSetId string
	// AuthTokenId of the session
	AuthTokenId string
	// ScopeId of the session
	ScopeId string
	// Endpoint. This is generated by the target, but is not stored in the
	// warehouse as the worker may need to e.g. resolve DNS. This is to round
	// trip the information to the worker when it validates a session.
	Endpoint string
	// Expiration time for the session
	ExpirationTime *timestamp.Timestamp
	// Max connections for the session
	ConnectionLimit int32
	// Worker filter. Active filter when the session was created, used to
	// validate the session via the same set of rules at consumption time as
	// existed at creation time. Round tripping it through here saves a lookup
	// in the DB. It is not stored in the warehouse.
	WorkerFilter string
}
ComposedOf defines the boundary data that is referenced to compose a session.
func TestSessionParams ¶
func TestSessionParams(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository) ComposedOf
TestSessionParams returns an initialized ComposedOf which can be used to create a session in the repository.
type ConnectWith ¶
// ConnectWith defines the boundary data saved in the repo when the worker
// has established a connection between the client and the endpoint.
type ConnectWith struct {
	// ConnectionId of the connection that was established.
	ConnectionId string
	// ClientTcpAddress of the client side of the connection.
	ClientTcpAddress string
	// ClientTcpPort of the client side of the connection.
	ClientTcpPort uint32
	// EndpointTcpAddress of the endpoint side of the connection.
	EndpointTcpAddress string
	// EndpointTcpPort of the endpoint side of the connection.
	EndpointTcpPort uint32
}
ConnectWith defines the boundary data that is saved in the repo when the worker has established a connection between the client and the endpoint.
type Connection ¶
// Connection contains information about a session's connection to a target.
type Connection struct {
	// PublicId is used to access the connection via an API
	PublicId string `json:"public_id,omitempty" gorm:"primary_key"`
	// SessionId of the connection
	SessionId string `json:"session_id,omitempty" gorm:"default:null"`
	// ClientTcpAddress of the connection
	ClientTcpAddress string `json:"client_tcp_address,omitempty" gorm:"default:null"`
	// ClientTcpPort of the connection
	ClientTcpPort uint32 `json:"client_tcp_port,omitempty" gorm:"default:null"`
	// EndpointTcpAddress of the connection
	EndpointTcpAddress string `json:"endpoint_tcp_address,omitempty" gorm:"default:null"`
	// EndpointTcpPort of the connection
	EndpointTcpPort uint32 `json:"endpoint_tcp_port,omitempty" gorm:"default:null"`
	// BytesUp of the connection
	BytesUp uint64 `json:"bytes_up,omitempty" gorm:"default:null"`
	// BytesDown of the connection
	BytesDown uint64 `json:"bytes_down,omitempty" gorm:"default:null"`
	// ClosedReason of the connection. Stored as a plain string rather than
	// the ClosedReason type; CloseWith carries the typed value.
	ClosedReason string `json:"closed_reason,omitempty" gorm:"default:null"`
	// CreateTime from the RDBMS
	CreateTime *timestamp.Timestamp `json:"create_time,omitempty" gorm:"default:current_timestamp"`
	// UpdateTime from the RDBMS
	UpdateTime *timestamp.Timestamp `json:"update_time,omitempty" gorm:"default:current_timestamp"`
	// Version of the connection
	Version uint32 `json:"version,omitempty" gorm:"default:null"`
	// contains filtered or unexported fields
}
Connection contains information about session's connection to a target
func AllocConnection ¶
func AllocConnection() Connection
AllocConnection will allocate a Connection.
func NewConnection ¶
func NewConnection(sessionID, clientTcpAddress string, clientTcpPort uint32, endpointTcpAddr string, endpointTcpPort uint32, _ ...Option) (*Connection, error)
NewConnection creates a new in memory connection. No options are currently supported.
func TestConnection ¶
func TestConnection(t *testing.T, conn *gorm.DB, sessionId, clientTcpAddr string, clientTcpPort uint32, endpointTcpAddr string, endpointTcpPort uint32) *Connection
TestConnection creates a test connection for the sessionId in the repository.
func (*Connection) Clone ¶
func (c *Connection) Clone() interface{}
Clone creates a clone of the Connection.
func (*Connection) GetPublicId ¶
func (c *Connection) GetPublicId() string
func (*Connection) SetTableName ¶
func (c *Connection) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*Connection) TableName ¶
func (c *Connection) TableName() string
TableName returns the tablename to override the default gorm table name
type ConnectionAuthzSummary ¶
type ConnectionState ¶
// ConnectionState records one state of a connection, keyed by the
// connection id and the state's start time.
type ConnectionState struct {
	// ConnectionId is used to access the state via an API
	ConnectionId string `json:"public_id,omitempty" gorm:"primary_key"`
	// status of the connection
	Status ConnectionStatus `protobuf:"bytes,20,opt,name=status,proto3" json:"status,omitempty" gorm:"column:state"`
	// PreviousEndTime from the RDBMS
	PreviousEndTime *timestamp.Timestamp `json:"previous_end_time,omitempty" gorm:"default:current_timestamp"`
	// StartTime from the RDBMS
	StartTime *timestamp.Timestamp `json:"start_time,omitempty" gorm:"default:current_timestamp;primary_key"`
	// EndTime from the RDBMS
	EndTime *timestamp.Timestamp `json:"end_time,omitempty" gorm:"default:current_timestamp"`
	// contains filtered or unexported fields
}
ConnectionState of the state of the connection
func NewConnectionState ¶
func NewConnectionState(connectionId string, state ConnectionStatus, _ ...Option) (*ConnectionState, error)
NewConnectionState creates a new in memory connection state. No options are currently supported.
func TestConnectionState ¶
func TestConnectionState(t *testing.T, conn *gorm.DB, connectionId string, state ConnectionStatus) *ConnectionState
TestConnectionState creates a test connection state for the connectionId in the repository.
func (*ConnectionState) Clone ¶
func (s *ConnectionState) Clone() interface{}
Clone creates a clone of the State
func (*ConnectionState) SetTableName ¶
func (s *ConnectionState) SetTableName(n string)
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
func (*ConnectionState) TableName ¶
func (s *ConnectionState) TableName() string
TableName returns the tablename to override the default gorm table name
type ConnectionStatus ¶
// ConnectionStatus of the connection's state; see the Status* constants for
// the values used in this package.
type ConnectionStatus string
ConnectionStatus of the connection's state
// Statuses a connection state may hold.
const (
	StatusAuthorized ConnectionStatus = "authorized"
	StatusConnected  ConnectionStatus = "connected"
	StatusClosed     ConnectionStatus = "closed"
)
func (ConnectionStatus) ProtoVal ¶
func (s ConnectionStatus) ProtoVal() workerpbs.CONNECTIONSTATUS
ProtoVal returns the enum value corresponding to the state
func (ConnectionStatus) String ¶
func (s ConnectionStatus) String() string
String representation of the state's status
type Option ¶
// Option - how Options are passed as arguments. Each With* function in this
// package returns one.
type Option func(*options)
Option - how Options are passed as arguments
func WithDbOpts ¶ added in v0.2.2
WithDbOpts passes through given DB options to the DB layer
func WithExpirationTime ¶
WithExpirationTime allows specifying an expiration time for the session
func WithLimit ¶
WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.
func WithOrderByCreateTime ¶ added in v0.2.0
WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.
func WithScopeIds ¶ added in v0.1.5
WithScopeIds allows specifying a scope ID criteria for the function.
func WithServerId ¶ added in v0.2.2
WithServerId allows the specification of the server id to use for the operation.
func WithSessionIds ¶
WithSessionIds allows the specification of the session ids to use for the operation.
func WithTestTofu ¶
WithTestTofu allows specifying a test tofu for a test session
func WithUserId ¶
WithUserId allows specifying a user ID criteria for the function.
type Repository ¶
// Repository is the session database repository; construct it with
// NewRepository.
type Repository struct {
	// contains filtered or unexported fields
}
Repository is the session database repository
func NewRepository ¶
NewRepository creates a new session Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.
func (*Repository) ActivateSession ¶
func (r *Repository) ActivateSession(ctx context.Context, sessionId string, sessionVersion uint32, serverId, serverType string, tofuToken []byte) (*Session, []*State, error)
ActivateSession will activate the session and is called by a worker after authenticating the session. The session must be in a "pending" state to be activated. States are ordered by start time descending. Returns an InvalidSessionState error code if a connection cannot be made because the session was canceled or terminated.
func (*Repository) AuthorizeConnection ¶
func (r *Repository) AuthorizeConnection(ctx context.Context, sessionId, workerId string) (*Connection, []*ConnectionState, *ConnectionAuthzSummary, error)
AuthorizeConnection will check to see if a connection is allowed. Currently, that authorization checks: * the session hasn't expired based on the session.Expiration * the number of connections already created is less than session.ConnectionLimit If authorization succeeds, it creates/stores a new connection in the repo and returns it, along with its states. If the authorization fails, it returns an error with Code InvalidSessionState.
func (*Repository) CancelSession ¶
func (r *Repository) CancelSession(ctx context.Context, sessionId string, sessionVersion uint32) (*Session, error)
CancelSession sets a session's state to "canceling" in the repo. It's called when the user cancels a session and the controller wants to update the session state to "canceling" for the given reason, so the workers can get the "canceling signal" during their next status heartbeat. CancelSession is idempotent.
func (*Repository) CloseConnections ¶
func (r *Repository) CloseConnections(ctx context.Context, closeWith []CloseWith, _ ...Option) ([]CloseConnectionResp, error)
CloseConnections sets a connection's state to "closed" in the repo. It's called by a worker after it's closed a connection between the client and the endpoint.
func (*Repository) CloseDeadConnectionsOnWorkerReport ¶ added in v0.2.2
func (r *Repository) CloseDeadConnectionsOnWorkerReport(ctx context.Context, serverId string, foundConns []string) (int, error)
CloseDeadConnectionsOnWorkerReport will run the connectionsToClose CTE to look for connections that should be marked closed because they are no longer claimed by a server. This does not detect connections where the server is no longer reporting status; that's for a different CTE to be called by a heartbeat detector.
The foundConns input should be the currently-claimed connections; the CTE uses a NOT IN clause to ensure these are excluded. It is not an error for this to be empty as the worker could claim no connections; in that case all connections will immediately transition to closed.
func (*Repository) ConnectConnection ¶
func (r *Repository) ConnectConnection(ctx context.Context, c ConnectWith) (*Connection, []*ConnectionState, error)
ConnectConnection updates a connection in the repo with a state of "connected".
func (*Repository) CreateSession ¶
func (r *Repository) CreateSession(ctx context.Context, sessionWrapper wrapping.Wrapper, newSession *Session, _ ...Option) (*Session, ed25519.PrivateKey, error)
CreateSession inserts into the repository and returns the new Session with its State of "Pending". The following fields must be empty when creating a session: ServerId, ServerType, and PublicId. No options are currently supported.
func (*Repository) DeleteConnection ¶
func (r *Repository) DeleteConnection(ctx context.Context, publicId string, _ ...Option) (int, error)
DeleteConnection will delete a connection from the repository.
func (*Repository) DeleteSession ¶
DeleteSession will delete a session from the repository.
func (*Repository) ListConnectionsBySessionId ¶ added in v0.2.2
func (r *Repository) ListConnectionsBySessionId(ctx context.Context, sessionId string, opt ...Option) ([]*Connection, error)
ListConnectionsBySessionId will list connections by session ID. Supports the WithLimit and WithOrderByCreateTime options.
func (*Repository) ListSessions ¶
ListSessions will list sessions. Supports the WithLimit, WithScopeIds, WithSessionIds, and WithServerId options.
func (*Repository) LookupConnection ¶
func (r *Repository) LookupConnection(ctx context.Context, connectionId string, _ ...Option) (*Connection, []*ConnectionState, error)
LookupConnection will look up a connection in the repository and return the connection with its states. If the connection is not found, it will return nil, nil, nil. No options are currently supported.
func (*Repository) LookupSession ¶
func (r *Repository) LookupSession(ctx context.Context, sessionId string, _ ...Option) (*Session, *ConnectionAuthzSummary, error)
LookupSession will look up a session in the repository and return the session with its states. Returned States are ordered by start time descending. If the session is not found, it will return nil, nil, nil. No options are currently supported.
func (*Repository) TerminateCompletedSessions ¶
func (r *Repository) TerminateCompletedSessions(ctx context.Context) (int, error)
TerminateCompletedSessions will terminate sessions in the repo based on:
- sessions that have exhausted their connection limit and all their connections are closed.
- sessions that are expired and all their connections are closed.
- sessions that are canceling and all their connections are closed
This function should be called on a periodic basis by Controllers via their "ticker" pattern.
func (*Repository) TerminateSession ¶
func (r *Repository) TerminateSession(ctx context.Context, sessionId string, sessionVersion uint32, reason TerminationReason) (*Session, error)
TerminateSession sets a session's termination reason and its state to "terminated". Sessions cannot be terminated while they still have connections that are not closed.
type Session ¶
// Session contains information about a user's session with a target.
type Session struct {
	// PublicId is used to access the session via an API
	PublicId string `json:"public_id,omitempty" gorm:"primary_key"`
	// UserId for the session
	UserId string `json:"user_id,omitempty" gorm:"default:null"`
	// HostId of the session
	HostId string `json:"host_id,omitempty" gorm:"default:null"`
	// ServerId that proxied the session
	ServerId string `json:"server_id,omitempty" gorm:"default:null"`
	// ServerType that proxied the session
	ServerType string `json:"server_type,omitempty" gorm:"default:null"`
	// TargetId for the session
	TargetId string `json:"target_id,omitempty" gorm:"default:null"`
	// HostSetId for the session
	HostSetId string `json:"host_set_id,omitempty" gorm:"default:null"`
	// AuthTokenId for the session
	AuthTokenId string `json:"auth_token_id,omitempty" gorm:"default:null"`
	// ScopeId for the session
	ScopeId string `json:"scope_id,omitempty" gorm:"default:null"`
	// Certificate to use when connecting (or if using custom certs, to
	// serve as the "login"). Raw DER bytes. Private key is not, and should not be
	// stored in the database.
	Certificate []byte `json:"certificate,omitempty" gorm:"default:null"`
	// ExpirationTime - after this time the connection will be expired, e.g.
	// forcefully terminated
	ExpirationTime *timestamp.Timestamp `json:"expiration_time,omitempty" gorm:"default:null"`
	// CtTofuToken is the ciphertext Tofutoken value stored in the database
	CtTofuToken []byte `json:"ct_tofu_token,omitempty" gorm:"column:tofu_token;default:null" wrapping:"ct,tofu_token"`
	// TofuToken - plain text of the "trust on first use" token for session.
	// NOTE(review): this plaintext field is excluded from the DB (gorm:"-")
	// but still carries a json tag, so any JSON encoding of a Session emits
	// it; confirm such encodings never reach logs or API responses.
	TofuToken []byte `json:"tofu_token,omitempty" gorm:"-" wrapping:"pt,tofu_token"`
	// termination_reason for the session
	TerminationReason string `json:"termination_reason,omitempty" gorm:"default:null"`
	// CreateTime from the RDBMS
	CreateTime *timestamp.Timestamp `json:"create_time,omitempty" gorm:"default:current_timestamp"`
	// UpdateTime from the RDBMS
	UpdateTime *timestamp.Timestamp `json:"update_time,omitempty" gorm:"default:current_timestamp"`
	// Version for the session
	Version uint32 `json:"version,omitempty" gorm:"default:null"`
	// Endpoint (not serialized to JSON)
	Endpoint string `json:"-" gorm:"default:null"`
	// Maximum number of connections in a session
	ConnectionLimit int32 `json:"connection_limit,omitempty" gorm:"default:null"`
	// Worker filter (not serialized to JSON)
	WorkerFilter string `json:"-" gorm:"default:null"`
	// key_id is the key ID that was used for the encryption operation. It can be
	// used to identify a specific version of the key needed to decrypt the value,
	// which is useful for caching purposes.
	// @inject_tag: `gorm:"not_null"`
	KeyId string `json:"key_id,omitempty" gorm:"not_null"`
	// States for the session which are for read only and are ignored during
	// write operations
	States []*State `gorm:"-"`
	// contains filtered or unexported fields
}
Session contains information about a user's session with a target
func New ¶
func New(c ComposedOf, _ ...Option) (*Session, error)
New creates a new in memory session.
func TestDefaultSession ¶
func TestDefaultSession(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper, iamRepo *iam.Repository, opt ...Option) *Session
TestDefaultSession creates a test session in the repository using defaults.
func TestSession ¶
func TestSession(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper, c ComposedOf, opt ...Option) *Session
TestSession creates a test session composed of c in the repository. Options are passed into New, and WithServerId is handled locally.
func (*Session) GetPublicId ¶
func (*Session) SetTableName ¶
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
type State ¶
// State records one state of a session, keyed by the session id and the
// state's start time.
type State struct {
	// SessionId references the session public id
	SessionId string `json:"session_id,omitempty" gorm:"primary_key"`
	// status of the session
	Status Status `json:"status,omitempty" gorm:"column:state"`
	// PreviousEndTime from the RDBMS
	PreviousEndTime *timestamp.Timestamp `json:"previous_end_time,omitempty" gorm:"default:current_timestamp"`
	// StartTime from the RDBMS
	StartTime *timestamp.Timestamp `json:"start_time,omitempty" gorm:"default:current_timestamp;primary_key"`
	// EndTime from the RDBMS
	EndTime *timestamp.Timestamp `json:"end_time,omitempty" gorm:"default:current_timestamp"`
	// contains filtered or unexported fields
}
State of the session
func (*State) SetTableName ¶
SetTableName sets the tablename and satisfies the ReplayableMessage interface. If the caller attempts to set the name to "" the name will be reset to the default name.
type Status ¶
// Status of the session's state; ProtoVal maps it to the worker protobuf enum.
type Status string
Status of the session's state
func (Status) ProtoVal ¶
func (s Status) ProtoVal() workerpbs.SESSIONSTATUS
ProtoVal returns the enum value corresponding to the state
type TerminationReason ¶
// TerminationReason of the session; see the TerminationReason constants for
// the values used in this package.
type TerminationReason string
TerminationReason of the session
// Reasons a session may be terminated.
const (
	UnknownTermination TerminationReason = "unknown"
	TimedOut           TerminationReason = "timed out"
	ClosedByUser       TerminationReason = "closed by end-user"
	Terminated         TerminationReason = "terminated"
	NetworkError       TerminationReason = "network error"
	SystemError        TerminationReason = "system error"
	ConnectionLimit    TerminationReason = "connection limit"
	SessionCanceled    TerminationReason = "canceled"
)
func (TerminationReason) String ¶
func (r TerminationReason) String() string
String representation of the termination reason