auth

package
v0.0.11 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 4, 2016 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Overview

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

View Source 
const (
	Week          = time.Hour * 24 * 7
	WebSessionTTL = time.Hour * 10
)
View Source 
const (
	SignupTokenTTL            = time.Hour * 24
	SignupTokenUserActionsTTL = time.Hour
	HOTPFirstTokensRange      = 5
)
View Source 
const (
	RoleAuth           = "Auth"
	RoleUser           = "User"
	RoleWeb            = "Web"
	RoleNode           = "Node"
	RoleAdmin          = "Admin"
	RoleProvisionToken = "ProvisionToken"
	RoleSignup         = "Signup"

	ActionGetSessions                   = "GetSession"
	ActionGetSession                    = "GetSession"
	ActionDeleteSession                 = "DeleteSession"
	ActionUpsertSession                 = "UpsertSession"
	ActionUpsertParty                   = "UpsertParty"
	ActionUpsertRemoteCertificate       = "UpsertRemoteCertificate"
	ActionGetRemoteCertificates         = "GetRemoteCertificates"
	ActionDeleteRemoteCertificate       = "DeleteRemoteCerts"
	ActionGetTrustedCertificates        = "GetTrustedCertificates"
	ActionGenerateToken                 = "GenerateToken"
	ActionRegisterUsingToken            = "RegisterUsingToken"
	ActionRegisterNewAuthServer         = "RegisterNewAuthServer"
	ActionLog                           = "Log"
	ActionLogEntry                      = "LogEntry"
	ActionGetEvents                     = "GetEvents"
	ActionGetChunkWriter                = "GetChunkWriter"
	ActionGetChunkReader                = "GetChunkReader"
	ActionUpsertServer                  = "UpsertServer"
	ActionGetServers                    = "GetServers"
	ActionUpsertWebTun                  = "UpsertWebTun"
	ActionGetWebTuns                    = "GetWebTuns"
	ActionGetWebTun                     = "GetWebTun"
	ActionDeleteWebTun                  = "DeleteWebTun"
	ActionUpsertPassword                = "UpsertPassword"
	ActionCheckPassword                 = "CheckPassword"
	ActionSignIn                        = "SignIn"
	ActionGetWebSession                 = "GetWebSession"
	ActionGetWebSessionsKeys            = "GetWebSessionsKeys"
	ActionDeleteWebSession              = "DeleteWebSession"
	ActionGetUsers                      = "GetUsers"
	ActionDeleteUser                    = "DeleteUser"
	ActionUpsertUserKey                 = "UpsertUserKey"
	ActionGetUserKeys                   = "GetUserKeys"
	ActionDeleteUserKey                 = "DeleteUserKey"
	ActionGetHostCertificateAuthority   = "GetHostCertificateAuthority"
	ActionGetUserCertificateAuthority   = "GetUserCertificateAuthority"
	ActionGenerateKeyPair               = "GenerateKeyPair"
	ActionGenerateHostCert              = "GenerateHostCert"
	ActionGenerateUserCert              = "GenerateUserCert"
	ActionResetHostCertificateAuthority = "ResetHostCertificateAuthority"
	ActionResetUserCertificateAuthority = "ResetUserCertificateAuthority"
	ActionGenerateSealKey               = "GenerateSealKey"
	ActionGetSealKeys                   = "GetSeakKeys"
	ActionGetSealKey                    = "GetSealKey"
	ActionDeleteSealKey                 = "DeleteSealKey"
	ActionAddSealKey                    = "AddSealKey"
	ActionCreateSignupToken             = "CreateSignupToken"
	ActionGetSignupTokenData            = "GetSignupTokenData"
	ActionCreateUserWithToken           = "CreateUserWithToken"
)
View Source 
const (
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"

	AuthWebPassword = "password"
	AuthWebSession  = "session"
	AuthToken       = "provision-token"
	AuthSignupToken = "signup-token"
)
View Source 
const CurrentVersion = "v1"

Variables

View Source 
var StandardRoles = []string{
	RoleAuth,
	RoleUser,
	RoleWeb,
	RoleNode,
	RoleAdmin,
	RoleProvisionToken,
	RoleSignup,
}
View Source 
var TokenTTLAfterUse = time.Second * 10

Functions

func HaveKeys 

func HaveKeys(domainName, dataDir string) (bool, error)

func InitKeys 

func InitKeys(a *AuthServer, domainName, dataDir string) (ssh.Signer, error)

initialize this node's host certificate signed by host authority

func InitSecret 

func InitSecret(dataDir, secretKey string) (secret.SecretService, error)

func NewHostAuth 

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth 

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth 

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth 

func NewWebPasswordAuth(user string, password []byte, hotpToken string) ([]ssh.AuthMethod, error)

func NewWebSessionAuth 

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func ReadKeys 

func ReadKeys(domainName, dataDir string) (ssh.Signer, error)

func ReadSecret 

func ReadSecret(dataDir string) (secret.SecretService, error)

func Register 

func Register(domainName, dataDir, token, role string, servers []utils.NetAddr) error

func RegisterNewAuth 

func RegisterNewAuth(domainName, token string, publicSealKey encryptor.Key,
	servers []utils.NetAddr) (masterKey encryptor.Key, e error)

Types

type APIServer 

type APIServer struct {
	httprouter.Router
	// contains filtered or unexported fields
}

APISrv implements http API server for authority

func NewAPIServer 

func NewAPIServer(a *AuthWithRoles) *APIServer

type APIWithRoles 

type APIWithRoles struct {
	// contains filtered or unexported fields
}

func NewAPIWithRoles 

func NewAPIWithRoles(authServer *AuthServer, elog events.Log,
	sessions session.SessionServer, recorder recorder.Recorder,
	permChecker PermissionChecker,
	roles []string) *APIWithRoles

func (*APIWithRoles) Close 

func (api *APIWithRoles) Close()

func (*APIWithRoles) HandleConn 

func (api *APIWithRoles) HandleConn(conn net.Conn, role string) error

func (*APIWithRoles) Serve 

func (api *APIWithRoles) Serve()

type AccessPoint 

type AccessPoint interface {
	// GetServers returns a list of registered servers
	GetServers() ([]services.Server, error)

	// UpsertServer registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertServer(s services.Server, ttl time.Duration) error

	// GetUserCAPub returns the user certificate authority public key
	GetUserCertificateAuthority() (*services.CertificateAuthority, error)

	// GetUserCAPub returns the host certificate authority public key
	GetHostCertificateAuthority() (*services.CertificateAuthority, error)

	// GetUserKeys returns a list of authorized keys for a given user
	// in a OpenSSH key authorized_keys format
	GetUserKeys(user string) ([]services.AuthorizedKey, error)

	// GetWebSessionsKeys returns a list of generated public keys
	// associated with user web session
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

	// GetRemoteCerts returns a list of trusted remote certificates
	GetRemoteCertificates(certType, domainName string) ([]services.CertificateAuthority, error)

	// GetTrustedCerts returns a list of trusted certificates
	GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)
}

AccessPoint is a interface needed by nodes to control the access to the node, and provide heartbeats

type AccessPointDialer 

type AccessPointDialer func() (net.Conn, error)

AccessPointDialer dials to auth access point remote HTTP api

type AuthServer 

type AuthServer struct {
	Authority

	Hostname string

	*services.CAService
	*services.LockService
	*services.PresenceService
	*services.ProvisioningService
	*services.UserService
	*services.WebService
	*services.BkKeysService
	// contains filtered or unexported fields
}

AuthServer implements key signing, generation and ACL functionality used by teleport

func Init 

func Init(cfg InitConfig) (*AuthServer, ssh.Signer, error)

func NewAuthServer 

func NewAuthServer(bk *encryptedbk.ReplicatedBackend, a Authority,
	scrt secret.SecretService, hostname string) *AuthServer

func (*AuthServer) CreateSignupToken 

func (s *AuthServer) CreateSignupToken(user string) (token string, e error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*AuthServer) CreateUserWithToken 

func (s *AuthServer) CreateUserWithToken(token, password, hotpToken string) error

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) DeleteToken 

func (s *AuthServer) DeleteToken(outputToken string) error

func (*AuthServer) DeleteWebSession 

func (s *AuthServer) DeleteWebSession(user string, sid session.SecureID) error

func (*AuthServer) GenerateHostCert 

func (s *AuthServer) GenerateHostCert(
	key []byte, id, hostname, role string,
	ttl time.Duration) ([]byte, error)

GenerateHostCert generates host certificate, it takes pkey as a signing private key (host certificate authority)

func (*AuthServer) GenerateToken 

func (s *AuthServer) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

func (*AuthServer) GenerateUserCert 

func (s *AuthServer) GenerateUserCert(
	key []byte, id, username string, ttl time.Duration) ([]byte, error)

GenerateHostCert generates user certificate, it takes pkey as a signing private key (user certificate authority)

func (*AuthServer) GetSignupTokenData 

func (s *AuthServer) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetWebSession 

func (s *AuthServer) GetWebSession(user string, sid session.SecureID) (*Session, error)

func (*AuthServer) NewWebSession 

func (s *AuthServer) NewWebSession(user string) (*Session, error)

func (*AuthServer) RegisterNewAuthServer 

func (s *AuthServer) RegisterNewAuthServer(domainName, outputToken string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*AuthServer) RegisterUsingToken 

func (s *AuthServer) RegisterUsingToken(outputToken, domainName, role string) (keys PackedKeys, e error)

func (*AuthServer) ResetHostCertificateAuthority 

func (s *AuthServer) ResetHostCertificateAuthority(pass string) error

ResetHostCertificateAuthority generates host certificate authority and updates the backend

func (*AuthServer) ResetUserCertificateAuthority 

func (s *AuthServer) ResetUserCertificateAuthority(pass string) error

ResetHostCertificateAuthority generates user certificate authority and updates the backend

func (*AuthServer) SignIn 

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)

func (*AuthServer) UpsertUserKey 

func (s *AuthServer) UpsertUserKey(
	user string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

UpsertUserKey takes user's public key, generates certificate for it and adds it to the authorized keys database. It returns certificate signed by user Certificate Authority in case of success, error otherwise. The certificate will be valid for the duration of the ttl passed in.

func (*AuthServer) UpsertWebSession 

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error

func (*AuthServer) ValidateToken 

func (s *AuthServer) ValidateToken(token, domainName string) (role string, e error)

type AuthWithRoles 

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles 

func NewAuthWithRoles(authServer *AuthServer, permChecker PermissionChecker,
	elog events.Log, sessions session.SessionServer,
	role string, recorder recorder.Recorder) *AuthWithRoles

func (*AuthWithRoles) AddSealKey 

func (a *AuthWithRoles) AddSealKey(key encryptor.Key) error

func (*AuthWithRoles) CheckPassword 

func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error

func (*AuthWithRoles) CreateSignupToken 

func (a *AuthWithRoles) CreateSignupToken(user string) (token string, e error)

func (*AuthWithRoles) CreateUserWithToken 

func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) error

func (*AuthWithRoles) DeleteRemoteCertificate 

func (a *AuthWithRoles) DeleteRemoteCertificate(ctype string, domainName, id string) error

func (*AuthWithRoles) DeleteSealKey 

func (a *AuthWithRoles) DeleteSealKey(keyID string) error

func (*AuthWithRoles) DeleteSession 

func (a *AuthWithRoles) DeleteSession(id string) error

func (*AuthWithRoles) DeleteUser 

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteUserKey 

func (a *AuthWithRoles) DeleteUserKey(username string, id string) error

func (*AuthWithRoles) DeleteWebSession 

func (a *AuthWithRoles) DeleteWebSession(user string, sid websession.SecureID) error

func (*AuthWithRoles) DeleteWebTun 

func (a *AuthWithRoles) DeleteWebTun(prefix string) error

func (*AuthWithRoles) GenerateHostCert 

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, id, hostname, role string,
	ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair 

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateSealKey 

func (a *AuthWithRoles) GenerateSealKey(keyName string) (encryptor.Key, error)

func (*AuthWithRoles) GenerateToken 

func (a *AuthWithRoles) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

func (*AuthWithRoles) GenerateUserCert 

func (a *AuthWithRoles) GenerateUserCert(key []byte, id, user string, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GetChunkReader 

func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

func (*AuthWithRoles) GetChunkWriter 

func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

func (*AuthWithRoles) GetEvents 

func (a *AuthWithRoles) GetEvents(filter events.Filter) ([]lunk.Entry, error)

func (*AuthWithRoles) GetHostCertificateAuthority 

func (a *AuthWithRoles) GetHostCertificateAuthority() (*services.CertificateAuthority, error)

func (*AuthWithRoles) GetRemoteCertificates 

func (a *AuthWithRoles) GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)

func (*AuthWithRoles) GetSealKey 

func (a *AuthWithRoles) GetSealKey(keyID string) (encryptor.Key, error)

func (*AuthWithRoles) GetSealKeys 

func (a *AuthWithRoles) GetSealKeys() ([]encryptor.Key, error)

func (*AuthWithRoles) GetServers 

func (a *AuthWithRoles) GetServers() ([]services.Server, error)

func (*AuthWithRoles) GetSession 

func (a *AuthWithRoles) GetSession(id string) (*session.Session, error)

func (*AuthWithRoles) GetSessions 

func (a *AuthWithRoles) GetSessions() ([]session.Session, error)

func (*AuthWithRoles) GetSignupTokenData 

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

func (*AuthWithRoles) GetTrustedCertificates 

func (a *AuthWithRoles) GetTrustedCertificates(ctype string) ([]services.CertificateAuthority, error)

func (*AuthWithRoles) GetUserCertificateAuthority 

func (a *AuthWithRoles) GetUserCertificateAuthority() (*services.CertificateAuthority, error)

func (*AuthWithRoles) GetUserKeys 

func (a *AuthWithRoles) GetUserKeys(user string) ([]services.AuthorizedKey, error)

func (*AuthWithRoles) GetUsers 

func (a *AuthWithRoles) GetUsers() ([]string, error)

func (*AuthWithRoles) GetWebSession 

func (a *AuthWithRoles) GetWebSession(user string, sid websession.SecureID) (*Session, error)

func (*AuthWithRoles) GetWebSessionsKeys 

func (a *AuthWithRoles) GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)

func (*AuthWithRoles) GetWebTun 

func (a *AuthWithRoles) GetWebTun(prefix string) (*services.WebTun, error)

func (*AuthWithRoles) GetWebTuns 

func (a *AuthWithRoles) GetWebTuns() ([]services.WebTun, error)

func (*AuthWithRoles) Log 

func (a *AuthWithRoles) Log(id lunk.EventID, e lunk.Event)

func (*AuthWithRoles) LogEntry 

func (a *AuthWithRoles) LogEntry(en lunk.Entry) error

func (*AuthWithRoles) RegisterNewAuthServer 

func (a *AuthWithRoles) RegisterNewAuthServer(domainName, token string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*AuthWithRoles) RegisterUsingToken 

func (a *AuthWithRoles) RegisterUsingToken(token, domainName, role string) (keys PackedKeys, e error)

func (*AuthWithRoles) ResetHostCertificateAuthority 

func (a *AuthWithRoles) ResetHostCertificateAuthority(pass string) error

func (*AuthWithRoles) ResetUserCertificateAuthority 

func (a *AuthWithRoles) ResetUserCertificateAuthority(pass string) error

func (*AuthWithRoles) SignIn 

func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)

func (*AuthWithRoles) UpsertParty 

func (a *AuthWithRoles) UpsertParty(id string, p session.Party, ttl time.Duration) error

func (*AuthWithRoles) UpsertPassword 

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)

func (*AuthWithRoles) UpsertRemoteCertificate 

func (a *AuthWithRoles) UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error

func (*AuthWithRoles) UpsertServer 

func (a *AuthWithRoles) UpsertServer(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertSession 

func (a *AuthWithRoles) UpsertSession(id string, ttl time.Duration) error

func (*AuthWithRoles) UpsertUserKey 

func (a *AuthWithRoles) UpsertUserKey(username string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) UpsertWebTun 

func (a *AuthWithRoles) UpsertWebTun(wt services.WebTun, ttl time.Duration) error

type Authority 

type Authority interface {
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert generates host certificate, it takes pkey as a signing
	// private key (host certificate authority)
	GenerateHostCert(pkey, key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)

	// GenerateHostCert generates user certificate, it takes pkey as a signing
	// private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, id, username string, ttl time.Duration) ([]byte, error)
}

Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates

type BackendAccessPoint 

type BackendAccessPoint struct {
	*services.CAService
	*services.PresenceService
	*services.ProvisioningService
	*services.UserService
	*services.WebService
}

func NewBackendAccessPoint 

func NewBackendAccessPoint(bk backend.Backend) *BackendAccessPoint

type Client 

type Client struct {
	roundtrip.Client
}

Certificate authority endpoints control user and host Certificate Authorities. They are central mechanism for authenticating users and hosts within the cluster.

Client is HTTP API client that connects to the remote server

func NewClient 

func NewClient(addr string, params ...roundtrip.ClientParam) (*Client, error)

func NewClientFromNetAddr 

func NewClientFromNetAddr(
	a utils.NetAddr, params ...roundtrip.ClientParam) (*Client, error)

func (*Client) AddSealKey 

func (c *Client) AddSealKey(key encryptor.Key) error

AddBackendKey adds the given encrypting key. If backend works not in readonly mode, backend makes a copy of the data using the key for encryption

func (*Client) CheckPassword 

func (c *Client) CheckPassword(user string,
	password []byte, hotpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) CreateSignupToken 

func (c *Client) CreateSignupToken(user string) (token string, e error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and hotp generator

func (*Client) CreateUserWithToken 

func (c *Client) CreateUserWithToken(token, password, hotpToken string) error

CreateUserWithToken creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*Client) Delete 

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteRemoteCertificate 

func (c *Client) DeleteRemoteCertificate(ctype string, domainName, id string) error

func (*Client) DeleteSealKey 

func (c *Client) DeleteSealKey(keyID string) error

DeleteBackendKey deletes the backend encrypting key and all the data encrypted with the key

func (*Client) DeleteSession 

func (c *Client) DeleteSession(id string) error

func (*Client) DeleteUser 

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteUserKey 

func (c *Client) DeleteUserKey(username string, id string) error

DeleteUserKey deletes a key by id for a given user

func (*Client) DeleteWebSession 

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) DeleteWebTun 

func (c *Client) DeleteWebTun(prefix string) error

DeleteWebTun deletes the tunnel by prefix

func (*Client) GenerateHostCert 

func (c *Client) GenerateHostCert(
	key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair 

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateSealKey 

func (c *Client) GenerateSealKey(keyName string) (encryptor.Key, error)

GenerateBackendKey generates a new backend encrypting key with the given id and then backend makes a copy of all the data using the generated key for encryption

func (*Client) GenerateToken 

func (c *Client) GenerateToken(domainName, role string, ttl time.Duration) (string, error)

GenerateToken creates a special provisioning token for the SSH server with the specified domainName that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

The token can be used only once and only to generate the domainName specified in it.

func (*Client) GenerateUserCert 

func (c *Client) GenerateUserCert(
	key []byte, id, user string, ttl time.Duration) ([]byte, error)

GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get 

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetChunkReader 

func (c *Client) GetChunkReader(id string) (recorder.ChunkReadCloser, error)

func (*Client) GetChunkWriter 

func (c *Client) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)

func (*Client) GetEvents 

func (c *Client) GetEvents(filter events.Filter) ([]lunk.Entry, error)

func (*Client) GetHostCertificateAuthority 

func (c *Client) GetHostCertificateAuthority() (*services.CertificateAuthority, error)

Returns host certificate authority public key. This public key is used to validate if host certificates were signed by the proper key.

func (*Client) GetRemoteCertificates 

func (c *Client) GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)

func (*Client) GetSealKey 

func (c *Client) GetSealKey(keyID string) (encryptor.Key, error)

GetBackendKeys returns the backend encrypting key.

func (*Client) GetSealKeys 

func (c *Client) GetSealKeys() ([]encryptor.Key, error)

GetBackendKeys returns IDs of all the backend encrypting keys that this server has

func (*Client) GetServers 

func (c *Client) GetServers() ([]services.Server, error)

GetServers returns the list of servers registered in the cluster.

func (*Client) GetSession 

func (c *Client) GetSession(id string) (*session.Session, error)

func (*Client) GetSessions 

func (c *Client) GetSessions() ([]session.Session, error)

func (*Client) GetSignupTokenData 

func (c *Client) GetSignupTokenData(token string) (user string,
	QRImg []byte, hotpFirstValues []string, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetTrustedCertificates 

func (c *Client) GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)

func (*Client) GetUserCertificateAuthority 

func (c *Client) GetUserCertificateAuthority() (*services.CertificateAuthority, error)

Returns user certificate authority public key. This public key is used to check if the users certificate is valid and was signed by this authority.

func (*Client) GetUserKeys 

func (c *Client) GetUserKeys(user string) ([]services.AuthorizedKey, error)

GetUserKeys returns a list of keys registered for this user. This list does not include the temporary keys associated with user web sessions.

func (*Client) GetUsers 

func (c *Client) GetUsers() ([]string, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSession 

func (c *Client) GetWebSession(user string, sid string) (string, error)

GetWebSession check if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) GetWebSessionsKeys 

func (c *Client) GetWebSessionsKeys(
	user string) ([]services.AuthorizedKey, error)

GetWebSessionKeys returns the list of temporary keys generated for this user web session. Each web session has a temporary user ssh key and certificate generated, that is stored for the duration of this web session. These keys are used to access SSH servers via web portal.

func (*Client) GetWebTun 

func (c *Client) GetWebTun(prefix string) (*services.WebTun, error)

GetWebTun retruns the web tunel details by it unique prefix

func (*Client) GetWebTuns 

func (c *Client) GetWebTuns() ([]services.WebTun, error)

GetWebTuns returns a list of web tunnels supported by the system

func (*Client) Log 

func (c *Client) Log(id lunk.EventID, e lunk.Event)

func (*Client) LogEntry 

func (c *Client) LogEntry(en lunk.Entry) error

func (*Client) PostForm 

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) RegisterNewAuthServer 

func (c *Client) RegisterNewAuthServer(domainName, token string,
	publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)

func (*Client) RegisterUsingToken 

func (c *Client) RegisterUsingToken(token, domainName, role string) (PackedKeys, error)

func (*Client) ResetHostCertificateAuthority 

func (c *Client) ResetHostCertificateAuthority() error

All host certificate keys will have to be regenerated and all SSH nodes will have to be re-provisioned after calling this method.

func (*Client) ResetUserCertificateAuthority 

func (c *Client) ResetUserCertificateAuthority() error

Regenerates user certificate authority private key. User authority certificate is used to sign User SSH public keys, so auth server can check if that is a valid key before even hitting the database.

All user certificates will have to be regenerated.

func (*Client) SignIn 

func (c *Client) SignIn(user string, password []byte) (string, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) UpsertParty 

func (c *Client) UpsertParty(id string, p session.Party, ttl time.Duration) error

func (*Client) UpsertPassword 

func (c *Client) UpsertPassword(user string,
	password []byte) (hotpURL string, hotpQR []byte, err error)

UpsertPassword updates web access password for the user

func (*Client) UpsertRemoteCertificate 

func (c *Client) UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error

func (*Client) UpsertServer 

func (c *Client) UpsertServer(s services.Server, ttl time.Duration) error

UpsertServer is used by SSH servers to reprt their presense to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertSession 

func (c *Client) UpsertSession(id string, ttl time.Duration) error

func (*Client) UpsertUserKey 

func (c *Client) UpsertUserKey(username string,
	key services.AuthorizedKey, ttl time.Duration) ([]byte, error)

UpsertUserKey takes public key of the user, generates certificate for it and adds it to the authorized keys database. It returns certificate signed by user Certificate Authority in case of success, error otherwise. The certificate will be valid for the duration of the ttl passed in.

func (*Client) UpsertWebTun 

func (c *Client) UpsertWebTun(wt services.WebTun, ttl time.Duration) error

UpsertWebTun creates a persistent SSH tunnel to the specified web target server that is valid for ttl period. See services.WebTun documentation for details

type ClientI 

type ClientI interface {
	GetSessions() ([]session.Session, error)
	GetSession(id string) (*session.Session, error)
	DeleteSession(id string) error
	UpsertSession(id string, ttl time.Duration) error
	UpsertParty(id string, p session.Party, ttl time.Duration) error
	UpsertRemoteCertificate(cert services.CertificateAuthority, ttl time.Duration) error
	GetRemoteCertificates(ctype string, domainName string) ([]services.CertificateAuthority, error)
	DeleteRemoteCertificate(ctype string, domainName, id string) error
	GetTrustedCertificates(certType string) ([]services.CertificateAuthority, error)
	GenerateToken(domainName, role string, ttl time.Duration) (string, error)
	RegisterUsingToken(token, domainName, role string) (keys PackedKeys, e error)
	RegisterNewAuthServer(domainName, token string, publicSealKey encryptor.Key) (masterKey encryptor.Key, e error)
	Log(id lunk.EventID, e lunk.Event)
	LogEntry(en lunk.Entry) error
	GetEvents(filter events.Filter) ([]lunk.Entry, error)
	GetChunkWriter(id string) (recorder.ChunkWriteCloser, error)
	GetChunkReader(id string) (recorder.ChunkReadCloser, error)
	UpsertServer(s services.Server, ttl time.Duration) error
	GetServers() ([]services.Server, error)
	UpsertWebTun(wt services.WebTun, ttl time.Duration) error
	GetWebTuns() ([]services.WebTun, error)
	GetWebTun(prefix string) (*services.WebTun, error)
	DeleteWebTun(prefix string) error
	UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
	CheckPassword(user string, password []byte, hotpToken string) error
	SignIn(user string, password []byte) (string, error)
	GetWebSession(user string, sid string) (string, error)
	GetWebSessionsKeys(user string) ([]services.AuthorizedKey, error)
	DeleteWebSession(user string, sid string) error
	GetUsers() ([]string, error)
	DeleteUser(user string) error
	UpsertUserKey(username string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error)
	GetUserKeys(user string) ([]services.AuthorizedKey, error)
	DeleteUserKey(username string, id string) error
	GetHostCertificateAuthority() (*services.CertificateAuthority, error)
	GetUserCertificateAuthority() (*services.CertificateAuthority, error)
	GenerateKeyPair(pass string) ([]byte, []byte, error)
	GenerateHostCert(key []byte, id, hostname, role string, ttl time.Duration) ([]byte, error)
	GenerateUserCert(key []byte, id, user string, ttl time.Duration) ([]byte, error)
	ResetHostCertificateAuthority() error
	ResetUserCertificateAuthority() error
	GetSignupTokenData(token string) (user string, QRImg []byte, hotpFirstValues []string, e error)
	CreateUserWithToken(token, password, hotpToken string) error
}

TOODO(klizhentas) this should be just including appropriate backends

type Config 

type Config struct {
	Backend backend.Backend
	Addr    string
}

type InitConfig 

type InitConfig struct {
	Backend            *encryptedbk.ReplicatedBackend
	Authority          Authority
	DomainName         string
	AuthDomain         string
	DataDir            string
	SecretKey          string
	AllowedTokens      map[string]string
	TrustedAuthorities []services.CertificateAuthority
	// HostCA is an optional host certificate authority keypair
	HostCA *services.LocalCertificateAuthority
	// UserCA is an optional user certificate authority keypair
	UserCA *services.LocalCertificateAuthority
}

type PackedKeys 

type PackedKeys struct {
	Key  []byte `json:"key"`
	Cert []byte `json:"cert"`
}

type PermissionChecker 

type PermissionChecker interface {
	HasPermission(role, action string) error
}

func NewAllowAllPermissions 

func NewAllowAllPermissions() PermissionChecker

func NewStandardPermissions 

func NewStandardPermissions() PermissionChecker

type ServerOption 

type ServerOption func(s *TunServer) error

type Session 

type Session struct {
	SID session.SecureID
	PID session.PlainID
	WS  services.WebSession
}

type TunClient 

type TunClient struct {
	Client
	// contains filtered or unexported fields
}

func NewTunClient 

func NewTunClient(addr utils.NetAddr, user string, auth []ssh.AuthMethod) (*TunClient, error)

func (*TunClient) Close 

func (c *TunClient) Close() error

func (*TunClient) GetAgent 

func (c *TunClient) GetAgent() (agent.Agent, error)

func (*TunClient) GetDialer 

func (c *TunClient) GetDialer() AccessPointDialer

type TunDialer 

type TunDialer struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*TunDialer) Close 

func (t *TunDialer) Close() error

func (*TunDialer) Dial 

func (t *TunDialer) Dial(network, address string) (net.Conn, error)

func (*TunDialer) GetAgent 

func (t *TunDialer) GetAgent() (agent.Agent, error)

type TunServer 

type TunServer struct {
	// contains filtered or unexported fields
}

func NewTunServer 

func NewTunServer(addr utils.NetAddr, hostSigners []ssh.Signer,
	apiServer *APIWithRoles, a *AuthServer,
	limiter *limiter.Limiter,
	opts ...ServerOption) (*TunServer, error)

New returns an unstarted server

func (*TunServer) Addr 

func (s *TunServer) Addr() string

func (*TunServer) Close 

func (s *TunServer) Close() error

func (*TunServer) HandleNewChan 

func (s *TunServer) HandleNewChan(sconn *ssh.ServerConn, nch ssh.NewChannel)

func (*TunServer) Start 

func (s *TunServer) Start() error

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.