Documentation ¶
Overview ¶
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
* Local services are implemented in local package * Package suite contains the set of acceptance tests for services
Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities
Index ¶
- Constants
- Variables
- func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)
- func GetAuthPreferenceSchema(extensionSchema string) string
- func GetCertAuthoritySchema() string
- func GetClaimNames(claims jose.Claims) []string
- func GetNamespaceSchema() string
- func GetOIDCConnectorSchema() string
- func GetReverseTunnelSchema() string
- func GetRoleSchema(extensionSchema string) string
- func GetServerSchema() string
- func GetTrustedClusterSchema(extensionSchema string) string
- func GetUniversalSecondFactorSchema(extensionSchema string) string
- func GetUserSchema(extensionSchema string) string
- func GetWebSessionSchema() string
- func GetWebSessionSchemaWithExtensions(extension string) string
- func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2
- func LastFailed(x int, attempts []LoginAttempt) bool
- func MatchLabels(selector map[string]string, target map[string]string) bool
- func MatchLogin(logins []string, login string) bool
- func MatchNamespace(selector []string, namespace string) bool
- func MatchResourceAction(selector map[string][]string, resourceName, resourceAction string) bool
- func ParseShortcut(in string) (string, error)
- func ProcessNamespace(namespace string) string
- func RO() []string
- func RW() []string
- func RoleNameForCertAuthority(name string) string
- func RoleNameForUser(name string) string
- func SetAuthPreferenceMarshaler(m AuthPreferenceMarshaler)
- func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)
- func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)
- func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)
- func SetRoleMarshaler(m RoleMarshaler)
- func SetServerMarshaler(m ServerMarshaler)
- func SetTrustedClusterMarshaler(m TrustedClusterMarshaler)
- func SetUniversalSecondFactorMarshaler(m UniversalSecondFactorMarshaler)
- func SetUserMarshaler(u UserMarshaler)
- func SetWebSessionMarshaler(u WebSessionMarshaler)
- func VerifyPassword(password []byte) error
- type Access
- type AccessChecker
- type AuthPreference
- type AuthPreferenceMarshaler
- type AuthPreferenceSpecV2
- type AuthPreferenceV2
- type CertAuthID
- type CertAuthType
- type CertAuthority
- type CertAuthorityMarshaler
- type CertAuthoritySpecV2
- type CertAuthorityV1
- type CertAuthorityV2
- func (ca *CertAuthorityV2) AddRole(name string)
- func (ca *CertAuthorityV2) Check() error
- func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)
- func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)
- func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte
- func (ca *CertAuthorityV2) GetClusterName() string
- func (ca *CertAuthorityV2) GetID() CertAuthID
- func (ca *CertAuthorityV2) GetName() string
- func (ca *CertAuthorityV2) GetRawObject() interface{}
- func (ca *CertAuthorityV2) GetRoles() []string
- func (ca *CertAuthorityV2) GetSigningKeys() [][]byte
- func (ca *CertAuthorityV2) GetType() CertAuthType
- func (ca *CertAuthorityV2) ID() *CertAuthID
- func (ca *CertAuthorityV2) SetRoles(roles []string)
- func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error
- func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)
- func (c *CertAuthorityV2) V1() *CertAuthorityV1
- func (c *CertAuthorityV2) V2() *CertAuthorityV2
- type CertParams
- type ClaimMapping
- type ClusterAuthPreference
- type CommandLabel
- type CommandLabelV1
- type CommandLabelV2
- type CommandLabels
- type ConnectorRef
- type CreatedBy
- type Duration
- type Identity
- type LoginAttempt
- type LoginStatus
- type MarshalConfig
- type MarshalOption
- type Metadata
- type Namespace
- type NamespaceSpec
- type OIDCAuthRequest
- type OIDCConnector
- type OIDCConnectorMarshaler
- type OIDCConnectorSpecV2
- type OIDCConnectorV1
- type OIDCConnectorV2
- func (o *OIDCConnectorV2) Check() error
- func (o *OIDCConnectorV2) GetClaims() []string
- func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping
- func (o *OIDCConnectorV2) GetClientID() string
- func (o *OIDCConnectorV2) GetClientSecret() string
- func (o *OIDCConnectorV2) GetDisplay() string
- func (o *OIDCConnectorV2) GetIssuerURL() string
- func (o *OIDCConnectorV2) GetName() string
- func (o *OIDCConnectorV2) GetRedirectURL() string
- func (o *OIDCConnectorV2) GetScope() []string
- func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string
- func (o *OIDCConnectorV2) RoleFromTemplate(claims jose.Claims) (Role, error)
- func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)
- func (o *OIDCConnectorV2) SetClientID(clintID string)
- func (o *OIDCConnectorV2) SetClientSecret(secret string)
- func (o *OIDCConnectorV2) SetDisplay(display string)
- func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)
- func (o *OIDCConnectorV2) SetName(name string)
- func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)
- func (o *OIDCConnectorV2) SetScope(scope []string)
- func (o *OIDCConnectorV2) V1() *OIDCConnectorV1
- func (o *OIDCConnectorV2) V2() *OIDCConnectorV2
- type OIDCIdentity
- type Presence
- type ProvisionToken
- type Provisioner
- type Ref
- type ResourceHeader
- type ReverseTunnel
- type ReverseTunnelMarshaler
- type ReverseTunnelSpecV2
- type ReverseTunnelV1
- type ReverseTunnelV2
- type Role
- type RoleGetter
- type RoleMarshaler
- type RoleSet
- func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration
- func (set RoleSet) CanForwardAgents() bool
- func (set RoleSet) CheckAccessToServer(login string, s Server) error
- func (set RoleSet) CheckAgentForward(login string) error
- func (set RoleSet) CheckLogins(ttl time.Duration) ([]string, error)
- func (set RoleSet) CheckResourceAction(resourceNamespace, resourceName, accessType string) error
- func (set RoleSet) String() string
- type RoleSpecV2
- type RoleV2
- func (r *RoleV2) CanForwardAgent() bool
- func (r *RoleV2) CheckAndSetDefaults() error
- func (r *RoleV2) GetLogins() []string
- func (r *RoleV2) GetMaxSessionTTL() Duration
- func (r *RoleV2) GetMetadata() Metadata
- func (r *RoleV2) GetName() string
- func (r *RoleV2) GetNamespaces() []string
- func (r *RoleV2) GetNodeLabels() map[string]string
- func (r *RoleV2) GetResources() map[string][]string
- func (r *RoleV2) RemoveResource(kind string)
- func (r *RoleV2) SetForwardAgent(forwardAgent bool)
- func (r *RoleV2) SetLogins(logins []string)
- func (r *RoleV2) SetMaxSessionTTL(duration time.Duration)
- func (r *RoleV2) SetName(s string)
- func (r *RoleV2) SetNamespaces(namespaces []string)
- func (r *RoleV2) SetNodeLabels(labels map[string]string)
- func (r *RoleV2) SetResource(kind string, actions []string)
- func (r *RoleV2) String() string
- type Server
- type ServerMarshaler
- type ServerSpecV2
- type ServerV1
- type ServerV2
- func (s *ServerV2) GetAddr() string
- func (s *ServerV2) GetAllLabels() map[string]string
- func (s *ServerV2) GetCmdLabels() map[string]CommandLabel
- func (s *ServerV2) GetHostname() string
- func (s *ServerV2) GetLabels() map[string]string
- func (s *ServerV2) GetName() string
- func (s *ServerV2) GetNamespace() string
- func (s *ServerV2) GetPublicAddr() string
- func (s *ServerV2) LabelsString() string
- func (s *ServerV2) MatchAgainst(labels map[string]string) bool
- func (s *ServerV2) SetAddr(addr string)
- func (s *ServerV2) SetNamespace(namespace string)
- func (s *ServerV2) SetPublicAddr(addr string)
- func (s *ServerV2) String() string
- func (s *ServerV2) V1() *ServerV1
- func (s *ServerV2) V2() *ServerV2
- type SignupToken
- type Site
- type SortedLoginAttempts
- type SortedNamespaces
- type SortedReverseTunnels
- type SortedRoles
- type SortedServers
- type SortedTrustedCluster
- type TeleportAuthPreferenceMarshaler
- type TeleportCertAuthorityMarshaler
- func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)
- func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)
- func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte) (CertAuthority, error)
- type TeleportOIDCConnectorMarshaler
- type TeleportRoleMarshaler
- type TeleportServerMarshaler
- type TeleportTrustedClusterMarshaler
- type TeleportTunnelMarshaler
- type TeleportUniversalSecondFactorMarshaler
- type TeleportUserMarshaler
- type TeleportWebSessionMarshaler
- func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)
- func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)
- func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)
- func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)
- type Trust
- type TrustedCluster
- type TrustedClusterMarshaler
- type TrustedClusterSpecV2
- type TrustedClusterV2
- func (c *TrustedClusterV2) GetEnabled() bool
- func (c *TrustedClusterV2) GetName() string
- func (c *TrustedClusterV2) GetProxyAddress() string
- func (c *TrustedClusterV2) GetReverseTunnelAddress() string
- func (c *TrustedClusterV2) GetRoles() []string
- func (c *TrustedClusterV2) GetToken() string
- func (c *TrustedClusterV2) SetEnabled(e bool)
- func (c *TrustedClusterV2) SetName(e string)
- func (c *TrustedClusterV2) SetProxyAddress(e string)
- func (c *TrustedClusterV2) SetReverseTunnelAddress(e string)
- func (c *TrustedClusterV2) SetRoles(e []string)
- func (c *TrustedClusterV2) SetToken(e string)
- func (c *TrustedClusterV2) String() string
- type U2F
- type UniversalSecondFactor
- type UniversalSecondFactorMarshaler
- type UniversalSecondFactorSettings
- type UniversalSecondFactorSpecV2
- type UniversalSecondFactorV2
- type UnknownResource
- type User
- type UserMarshaler
- type UserRef
- type UserSpecV2
- type UserV1
- type UserV2
- func (u *UserV2) AddRole(name string)
- func (u *UserV2) Check() error
- func (u *UserV2) Equals(other User) bool
- func (u *UserV2) GetCreatedBy() CreatedBy
- func (u *UserV2) GetExpiry() time.Time
- func (u *UserV2) GetIdentities() []OIDCIdentity
- func (u *UserV2) GetName() string
- func (u *UserV2) GetRawObject() interface{}
- func (u *UserV2) GetRoles() []string
- func (u *UserV2) GetStatus() LoginStatus
- func (u *UserV2) SetCreatedBy(b CreatedBy)
- func (u *UserV2) SetLocked(until time.Time, reason string)
- func (u *UserV2) SetRoles(roles []string)
- func (u *UserV2) String() string
- func (u *UserV2) V1() *UserV1
- func (u *UserV2) V2() *UserV2
- func (u *UserV2) WebSessionInfo(allowedLogins []string) interface{}
- type Users
- type WebSession
- type WebSessionMarshaler
- type WebSessionSpecV2
- type WebSessionV1
- func (ws *WebSessionV1) GetBearerToken() string
- func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time
- func (ws *WebSessionV1) GetExpiryTime() time.Time
- func (ws *WebSessionV1) GetName() string
- func (ws *WebSessionV1) GetPriv() []byte
- func (ws *WebSessionV1) GetPub() []byte
- func (ws *WebSessionV1) GetShortName() string
- func (ws *WebSessionV1) GetUser() string
- func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)
- func (ws *WebSessionV1) SetExpiryTime(tm time.Time)
- func (ws *WebSessionV1) SetName(name string)
- func (ws *WebSessionV1) SetUser(u string)
- func (s *WebSessionV1) V1() *WebSessionV1
- func (s *WebSessionV1) V2() *WebSessionV2
- func (ws *WebSessionV1) WithoutSecrets() WebSession
- type WebSessionV2
- func (ws *WebSessionV2) GetBearerToken() string
- func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time
- func (ws *WebSessionV2) GetExpiryTime() time.Time
- func (ws *WebSessionV2) GetName() string
- func (ws *WebSessionV2) GetPriv() []byte
- func (ws *WebSessionV2) GetPub() []byte
- func (ws *WebSessionV2) GetShortName() string
- func (ws *WebSessionV2) GetUser() string
- func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)
- func (ws *WebSessionV2) SetExpiryTime(tm time.Time)
- func (ws *WebSessionV2) SetName(name string)
- func (ws *WebSessionV2) SetUser(u string)
- func (ws *WebSessionV2) V1() *WebSessionV1
- func (ws *WebSessionV2) V2() *WebSessionV2
- func (ws *WebSessionV2) WithoutSecrets() WebSession
Constants ¶
const ( // DefaultAPIGroup is a default group of permissions API, // lets us to add different permission types DefaultAPIGroup = "gravitational.io/teleport" // ActionRead grants read access (get, list) ActionRead = "read" // ActionWrite allows to write (create, update, delete) ActionWrite = "write" // Wildcard is a special wildcard character matching everything Wildcard = "*" // KindNamespace is a namespace KindNamespace = "namespace" // KindUser is a user resource KindUser = "user" // KindKeyPair is a public/private key pair KindKeyPair = "key_pair" // KindHostCert is a host certificate KindHostCert = "host_cert" // KindRole is a role resource KindRole = "role" // KindOIDC is oidc connector resource KindOIDC = "oidc" // KindOIDCReques is oidc auth request resource KindOIDCRequest = "oidc_request" // KindSession is a recorded session resource KindSession = "session" // KindWebSession is a web session resource KindWebSession = "web_session" // KindEvent is structured audit logging event KindEvent = "event" // KindAuthServer is auth server resource KindAuthServer = "auth_server" // KindProxy is proxy resource KindProxy = "proxy" // KindNode is node resource KindNode = "node" // KindToken is a provisioning token resource KindToken = "token" // KindCertAuthority is a certificate authority resource KindCertAuthority = "cert_authority" // KindReverseTunnel is a reverse tunnel connection KindReverseTunnel = "tunnel" // KindOIDCConnector is a OIDC connector resource KindOIDCConnector = "oidc" // KindAuthPreference is the type of authentication for this cluster. KindClusterAuthPreference = "cluster_auth_preference" // KindAuthPreference is the type of authentication for this cluster. MetaNameClusterAuthPreference = "cluster-auth-preference" // KindUniversalSecondFactor is a type of second factor authentication. KindUniversalSecondFactor = "universal_second_factor" // MetaNameUniversalSecondFactor is a type of second factor authentication. MetaNameUniversalSecondFactor = "universal-second-factor" // KindTrustedCluster is a resource that contains trusted cluster configuration. KindTrustedCluster = "trusted_cluster" // V2 is our current version V2 = "v2" // V1 is our first version // resources were not explicitly versioned at that point V1 = "v1" )
const AuthPreferenceSpecSchemaTemplate = `` /* 152-byte string literal not displayed */
const CertAuthoritySpecV2Schema = `` /* 506-byte string literal not displayed */
CertAuthoritySpecV2Schema is JSON schema for cert authority V2
const CreatedBySchema = `` /* 486-byte string literal not displayed */
const LoginStatusSchema = `` /* 242-byte string literal not displayed */
const MetadataSchema = `` /* 383-byte string literal not displayed */
MetadataSchema is a schema for resource metadata
const NamespaceSchemaTemplate = `` /* 258-byte string literal not displayed */
const NamespaceSpecSchema = `{
"type": "object",
"additionalProperties": false,
"default": {}
}`
const OIDCConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */
OIDCConnectorV2SchemaTemplate is a template JSON Schema for user
const OIDCIDentitySchema = `` /* 158-byte string literal not displayed */
const ReverseTunnelSpecV2Schema = `` /* 263-byte string literal not displayed */
ReverseTunnelSpecV2Schema is JSON schema for reverse tunnel spec
const RoleSpecSchemaTemplate = `` /* 667-byte string literal not displayed */
const ServerSpecV2Schema = `` /* 719-byte string literal not displayed */
ServerSpecV2Schema is JSON schema for server
const TrustedClusterSpecSchemaTemplate = `` /* 324-byte string literal not displayed */
const UniversalSecondFactorSpecSchemaTemplate = `` /* 206-byte string literal not displayed */
const UserSpecV2SchemaTemplate = `` /* 322-byte string literal not displayed */
UserSpecV2SchemaTemplate is JSON schema for V2 user
const V2SchemaTemplate = `` /* 252-byte string literal not displayed */
V2SchemaTemplate is a template JSON Schema for V2 style objects
const WebSessionSpecV2Schema = `` /* 379-byte string literal not displayed */
WebSessionSpecV2Schema is JSON schema for cert authority V2
Variables ¶
var ClaimMappingSchema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["claim", "value" ], "properties": { "claim": {"type": "string"}, "value": {"type": "string"}, "roles": { "type": "array", "items": { "type": "string" } }, "role_template": %v } }`, GetRoleSchema(""))
ClaimMappingSchema is JSON schema for claim mapping
var OIDCConnectorSpecV2Schema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["issuer_url", "client_id", "client_secret", "redirect_url"], "properties": { "issuer_url": {"type": "string"}, "client_id": {"type": "string"}, "client_secret": {"type": "string"}, "redirect_url": {"type": "string"}, "display": {"type": "string"}, "scope": { "type": "array", "items": { "type": "string" } }, "claims_to_roles": { "type": "array", "items": %v } } }`, ClaimMappingSchema)
OIDCConnectorSpecV2Schema is a JSON Schema for OIDC Connector
Functions ¶
func ConvertV1CertAuthority ¶
func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)
ConvertV1CertAuthority converts V1 cert authority for new CA and Role
func GetAuthPreferenceSchema ¶
GetAuthPreferenceSchema returns the schema with optionally injected schema for extensions.
func GetCertAuthoritySchema ¶
func GetCertAuthoritySchema() string
GetCertAuthoritySchema returns JSON Schema for cert authorities
func GetClaimNames ¶
GetClaimNames returns a list of claim names from the claim values
func GetNamespaceSchema ¶
func GetNamespaceSchema() string
GetNamespaceSchema returns namespace schema
func GetOIDCConnectorSchema ¶
func GetOIDCConnectorSchema() string
GetOIDCConnectorSchema returns schema for OIDCConnector
func GetReverseTunnelSchema ¶
func GetReverseTunnelSchema() string
GetReverseTunnelSchema returns role schema with optionally injected schema for extensions
func GetRoleSchema ¶
GetRoleSchema returns role schema with optionally injected schema for extensions
func GetServerSchema ¶
func GetServerSchema() string
GetServerSchema returns role schema with optionally injected schema for extensions
func GetTrustedClusterSchema ¶
GetTrustedClusterSchema returns the schema with optionally injected schema for extensions.
func GetUniversalSecondFactorSchema ¶
GetUniversalSecondFactorSchema returns the schema with optionally injected schema for extensions.
func GetUserSchema ¶
GetRoleSchema returns role schema with optionally injected schema for extensions
func GetWebSessionSchema ¶
func GetWebSessionSchema() string
GetWebSessionSchema returns JSON Schema for web session
func GetWebSessionSchemaWithExtensions ¶
GetWebSessionSchemaWithExtensions returns JSON Schema for web session with user-supplied extensions
func LabelsToV2 ¶
func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2
LabelsToV2 converts labels from interface to V2 spec
func LastFailed ¶
func LastFailed(x int, attempts []LoginAttempt) bool
LastFailed calculates last x successive attempts are failed
func MatchLabels ¶
MatchLabels matches selector against target
func MatchLogin ¶
MatchLogin returns true if attempted login matches any of the logins
func MatchNamespace ¶
MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything
func MatchResourceAction ¶
MatchResourceAction tests if selector matches required resource action in a given namespace
func ParseShortcut ¶
ParseShortcut parses resource shortcut
func ProcessNamespace ¶
ProcessNamespace sets default namespace in case if namespace is empty
func RoleNameForCertAuthority ¶
RoleNameForCertAuthority returns role name associated with cert authority
func RoleNameForUser ¶
RoleNameForUser returns role name associated with user
func SetAuthPreferenceMarshaler ¶
func SetAuthPreferenceMarshaler(m AuthPreferenceMarshaler)
func SetCertAuthorityMarshaler ¶
func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)
SetCertAuthorityMarshaler sets global user marshaler
func SetOIDCConnectorMarshaler ¶
func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)
SetOIDCConnectorMarshaler sets global user marshaler
func SetReerseTunnelMarshaler ¶
func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)
func SetRoleMarshaler ¶
func SetRoleMarshaler(m RoleMarshaler)
func SetServerMarshaler ¶
func SetServerMarshaler(m ServerMarshaler)
func SetTrustedClusterMarshaler ¶
func SetTrustedClusterMarshaler(m TrustedClusterMarshaler)
func SetUniversalSecondFactorMarshaler ¶
func SetUniversalSecondFactorMarshaler(m UniversalSecondFactorMarshaler)
func SetUserMarshaler ¶
func SetUserMarshaler(u UserMarshaler)
SetUserMarshaler sets global user marshaler
func SetWebSessionMarshaler ¶
func SetWebSessionMarshaler(u WebSessionMarshaler)
SetWebSessionMarshaler sets global user marshaler
func VerifyPassword ¶ added in v1.0.0
VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in
Types ¶
type Access ¶
type Access interface { // GetRoles returns a list of roles GetRoles() ([]Role, error) // UpsertRole creates or updates role UpsertRole(role Role, ttl time.Duration) error // GetRole returns role by name GetRole(name string) (Role, error) // DeleteRole deletes role by name DeleteRole(name string) error }
Access service manages roles and permissions
type AccessChecker ¶
type AccessChecker interface { // CheckAccessToServer checks access to server CheckAccessToServer(login string, server Server) error // CheckResourceAction check access to resource action CheckResourceAction(resourceNamespace, resourceName, accessType string) error // CheckLogins checks if role set can login up to given duration // and returns a combined list of allowed logins CheckLogins(ttl time.Duration) ([]string, error) // AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL // for this role set, otherwise it returns ttl unchanged AdjustSessionTTL(ttl time.Duration) time.Duration // CheckAgentForward checks if the role can request agent forward for this user CheckAgentForward(login string) error // CanForwardAgents returns true if this role set offers capability to forward agents CanForwardAgents() bool }
AccessChecker interface implements access checks for given role
type AuthPreference ¶
type AuthPreference interface { // GetType returns the type of authentication. GetType() string // SetType sets the type of authentication. SetType(string) // GetSecondFactor returns the type of second factor. GetSecondFactor() string // SetSecondFactor sets the type of second factor. SetSecondFactor(string) // CheckAndSetDefaults sets and default values and then // verifies the constraints for AuthPreference. CheckAndSetDefaults() error // String represents a human readable version of authentication settings. String() string }
AuthPreference defines the authentication preferences for a specific cluster. It defines the type (local, oidc) and second factor (off, otp, oidc).
func NewAuthPreference ¶
func NewAuthPreference(spec AuthPreferenceSpecV2) (AuthPreference, error)
NewAuthPreference is a convenience method to to create AuthPreferenceV2.
type AuthPreferenceMarshaler ¶
type AuthPreferenceMarshaler interface { Marshal(c AuthPreference, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (AuthPreference, error) }
AuthPreferenceMarshaler implements marshal/unmarshal of AuthPreference implementations mostly adds support for extended versions.
func GetAuthPreferenceMarshaler ¶
func GetAuthPreferenceMarshaler() AuthPreferenceMarshaler
type AuthPreferenceSpecV2 ¶
type AuthPreferenceSpecV2 struct { // Type is the type of authentication. Type string `json:"type"` // SecondFactor is the type of second factor. SecondFactor string `json:"second_factor"` }
AuthPreferenceSpecV2 is the actual data we care about for AuthPreferenceV2.
type AuthPreferenceV2 ¶
type AuthPreferenceV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec AuthPreferenceSpecV2 `json:"spec"` }
AuthPreferenceV2 implements AuthPreference.
func (*AuthPreferenceV2) CheckAndSetDefaults ¶
func (c *AuthPreferenceV2) CheckAndSetDefaults() error
CheckAndSetDefaults verifies the constraints for AuthPreference.
func (*AuthPreferenceV2) GetSecondFactor ¶
func (c *AuthPreferenceV2) GetSecondFactor() string
GetSecondFactor returns the type of second factor.
func (*AuthPreferenceV2) GetType ¶
func (c *AuthPreferenceV2) GetType() string
GetType returns the type of authentication.
func (*AuthPreferenceV2) SetSecondFactor ¶
func (c *AuthPreferenceV2) SetSecondFactor(s string)
SetSecondFactor sets the type of second factor.
func (*AuthPreferenceV2) SetType ¶
func (c *AuthPreferenceV2) SetType(s string)
SetType sets the type of authentication.
func (*AuthPreferenceV2) String ¶
func (c *AuthPreferenceV2) String() string
String represents a human readable version of authentication settings.
type CertAuthID ¶ added in v1.0.0
type CertAuthID struct { Type CertAuthType `json:"type"` DomainName string `json:"domain_name"` }
CertAuthID - id of certificate authority (it's type and domain name)
func (*CertAuthID) Check ¶ added in v1.0.0
func (c *CertAuthID) Check() error
Check returns error if any of the id parameters are bad, nil otherwise
func (*CertAuthID) String ¶ added in v1.0.0
func (c *CertAuthID) String() string
type CertAuthType ¶ added in v1.0.0
type CertAuthType string
CertAuthType specifies certificate authority type, user or host
const ( // HostCA identifies the key as a host certificate authority HostCA CertAuthType = "host" // UserCA identifies the key as a user certificate authority UserCA CertAuthType = "user" )
func (CertAuthType) Check ¶ added in v1.0.0
func (c CertAuthType) Check() error
Check checks if certificate authority type value is correct
type CertAuthority ¶ added in v1.0.0
type CertAuthority interface { // GetID returns certificate authority ID - // combined type and name GetID() CertAuthID // GetName returns cert authority name GetName() string // GetType returns user or host certificate authority GetType() CertAuthType // GetClusterName returns cluster name this cert authority // is associated with GetClusterName() string // GetCheckingKeys returns public keys to check signature GetCheckingKeys() [][]byte // GetSigning keys returns signing keys GetSigningKeys() [][]byte // GetRoles returns a list of roles assumed by users signed by this CA GetRoles() []string // SetRoles sets assigned roles for this certificate authority SetRoles(roles []string) // FirstSigningKey returns first signing key or returns error if it's not here // The first key is returned because multiple keys can exist during key rotation. FirstSigningKey() ([]byte, error) // GetRawObject returns raw object data, used for migrations GetRawObject() interface{} // Check checks object for errors Check() error // SetSigningKeys sets signing keys SetSigningKeys([][]byte) error // AddRole adds a role to ca role list AddRole(name string) // Checkers returns public keys that can be used to check cert authorities Checkers() ([]ssh.PublicKey, error) // Signers returns a list of signers that could be used to sign keys Signers() ([]ssh.Signer, error) // V1 returns V1 version of the resource V1() *CertAuthorityV1 // V2 returns V2 version of the resource V2() *CertAuthorityV2 }
CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
func NewCertAuthority ¶
func NewCertAuthority(caType CertAuthType, clusterName string, signingKeys, checkingKeys [][]byte, roles []string) CertAuthority
NewCertAuthority returns new cert authority
type CertAuthorityMarshaler ¶
type CertAuthorityMarshaler interface { // UnmarshalCertAuthority unmarhsals cert authority from binary representation UnmarshalCertAuthority(bytes []byte) (CertAuthority, error) // MarshalCertAuthority to binary representation MarshalCertAuthority(c CertAuthority, opts ...MarshalOption) ([]byte, error) // GenerateCertAuthority is used to generate new cert authority // based on standard teleport one and is used to add custom // parameters and extend it in extensions of teleport GenerateCertAuthority(CertAuthority) (CertAuthority, error) }
CertAuthorityMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetCertAuthorityMarshaler ¶
func GetCertAuthorityMarshaler() CertAuthorityMarshaler
GetCertAuthorityMarshaler returns currently set user marshaler
type CertAuthoritySpecV2 ¶
type CertAuthoritySpecV2 struct { // Type is either user or host certificate authority Type CertAuthType `json:"type"` // ClusterName identifies cluster name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name ClusterName string `json:"cluster_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures CheckingKeys [][]byte `json:"checking_keys"` // SigningKeys is a list of private keys used for signing SigningKeys [][]byte `json:"signing_keys,omitempty"` // Roles is a list of roles assumed by users signed by this CA Roles []string `json:"roles,omitempty"` }
CertAuthoritySpecV2 is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type CertAuthorityV1 ¶
type CertAuthorityV1 struct { // Type is either user or host certificate authority Type CertAuthType `json:"type"` // DomainName identifies domain name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name DomainName string `json:"domain_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures CheckingKeys [][]byte `json:"checking_keys"` // SigningKeys is a list of private keys used for signing SigningKeys [][]byte `json:"signing_keys"` // AllowedLogins is a list of allowed logins for users within // this certificate authority AllowedLogins []string `json:"allowed_logins"` }
CertAuthorityV1 is a host or user certificate authority that can check and if it has private key stored as well, sign it too
func CertAuthoritiesToV1 ¶
func CertAuthoritiesToV1(in []CertAuthority) ([]CertAuthorityV1, error)
CertAuthoritiesToV1 converts list of cert authorities to V1 slice
func (*CertAuthorityV1) V1 ¶
func (c *CertAuthorityV1) V1() *CertAuthorityV1
V1 returns V1 version of the resource
func (*CertAuthorityV1) V2 ¶
func (c *CertAuthorityV1) V2() *CertAuthorityV2
V2 returns V2 version of the resource
type CertAuthorityV2 ¶
type CertAuthorityV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains cert authority specification Spec CertAuthoritySpecV2 `json:"spec"` // contains filtered or unexported fields }
CertAuthorityV2 is version 1 resource spec for Cert Authority
func (*CertAuthorityV2) AddRole ¶
func (ca *CertAuthorityV2) AddRole(name string)
AddRole adds a role to ca role list
func (*CertAuthorityV2) Check ¶
func (ca *CertAuthorityV2) Check() error
Check checks if all passed parameters are valid
func (*CertAuthorityV2) Checkers ¶
func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)
Checkers returns public keys that can be used to check cert authorities
func (*CertAuthorityV2) FirstSigningKey ¶
func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)
FirstSigningKey returns first signing key or returns error if it's not here
func (*CertAuthorityV2) GetCheckingKeys ¶
func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte
GetCheckingKeys returns public keys to check signature
func (*CertAuthorityV2) GetClusterName ¶
func (ca *CertAuthorityV2) GetClusterName() string
GetClusterName returns cluster name this cert authority is associated with
func (*CertAuthorityV2) GetID ¶
func (ca *CertAuthorityV2) GetID() CertAuthID
GetID returns certificate authority ID - combined type and name
func (*CertAuthorityV2) GetName ¶
func (ca *CertAuthorityV2) GetName() string
GetName returns cert authority name
func (*CertAuthorityV2) GetRawObject ¶
func (ca *CertAuthorityV2) GetRawObject() interface{}
GetRawObject returns raw object data, used for migrations
func (*CertAuthorityV2) GetRoles ¶
func (ca *CertAuthorityV2) GetRoles() []string
GetRoles returns a list of roles assumed by users signed by this CA
func (*CertAuthorityV2) GetSigningKeys ¶
func (ca *CertAuthorityV2) GetSigningKeys() [][]byte
GetSigning keys returns signing keys
func (*CertAuthorityV2) GetType ¶
func (ca *CertAuthorityV2) GetType() CertAuthType
GetType returns user or host certificate authority
func (*CertAuthorityV2) ID ¶
func (ca *CertAuthorityV2) ID() *CertAuthID
ID returns id (consisting of domain name and type) that identifies the authority this key belongs to
func (*CertAuthorityV2) SetRoles ¶
func (ca *CertAuthorityV2) SetRoles(roles []string)
SetRoles sets assigned roles for this certificate authority
func (*CertAuthorityV2) SetSigningKeys ¶
func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error
SetSigningKeys sets signing keys
func (*CertAuthorityV2) Signers ¶
func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)
Signers returns a list of signers that could be used to sign keys
func (*CertAuthorityV2) V1 ¶
func (c *CertAuthorityV2) V1() *CertAuthorityV1
V1 returns V1 version of the object
func (*CertAuthorityV2) V2 ¶
func (c *CertAuthorityV2) V2() *CertAuthorityV2
V2 returns V2 version of the resouirce - itself
type CertParams ¶
type CertParams struct { PrivateCASigningKey []byte // PrivateCASigningKey is the private key of the CA that will sign the public key of the host. PublicHostKey []byte // PublicHostKey is the public key of the host. HostID string // HostID is used by Teleport to uniquely identify a node within a cluster. NodeName string // NodeName is the DNS name of the node. ClusterName string // ClusterName is the name of the cluster within which a node lives. Roles teleport.Roles // Roles identifies the roles of a Teleport instance. TTL time.Duration // TTL defines how long a certificate is valid for. }
CertParams defines all parameters needed to generate a host certificate.
func (*CertParams) Check ¶
func (c *CertParams) Check() error
type ClaimMapping ¶
type ClaimMapping struct { // Claim is OIDC claim name Claim string `json:"claim"` // Value is claim value to match Value string `json:"value"` // Roles is a list of static teleport roles to match. Roles []string `json:"roles,omitempty"` // RoleTemplate a template role that will be filled out with claims. RoleTemplate *RoleV2 `json:"role_template,omitempty"` }
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type ClusterAuthPreference ¶
type ClusterAuthPreference interface { // GetClusterAuthPreference returns the authentication preferences for a cluster. GetClusterAuthPreference() (AuthPreference, error) // SetClusterAuthPreference sets the authentication preferences for a cluster. SetClusterAuthPreference(AuthPreference) error }
ClusterAuthPreference defines an interface to get and set authentication preferences for a cluster.
type CommandLabel ¶
type CommandLabel interface { // GetPeriod returns label period GetPeriod() time.Duration // SetPeriod sets label period SetPeriod(time.Duration) // GetResult returns label result GetResult() string // SetResult sets label result SetResult(string) // GetCommand returns to execute and set as a label result GetCommand() []string // Clone returns label copy Clone() CommandLabel }
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname
type CommandLabelV1 ¶
type CommandLabelV1 struct { // Period is a time between command runs Period time.Duration `json:"period"` // Command is a command to run Command []string `json:"command"` //["/usr/bin/hostname", "--long"] // Result captures standard output Result string `json:"result"` }
CommandLabelV1 is a label that has a value as a result of the output generated by running command, e.g. hostname
type CommandLabelV2 ¶
type CommandLabelV2 struct { // Period is a time between command runs Period Duration `json:"period"` // Command is a command to run Command []string `json:"command"` //["/usr/bin/hostname", "--long"] // Result captures standard output Result string `json:"result"` }
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname
func (*CommandLabelV2) Clone ¶
func (c *CommandLabelV2) Clone() CommandLabel
Clone returns label copy
func (*CommandLabelV2) GetCommand ¶
func (c *CommandLabelV2) GetCommand() []string
GetCommand returns to execute and set as a label result
func (*CommandLabelV2) GetPeriod ¶
func (c *CommandLabelV2) GetPeriod() time.Duration
GetPeriod returns label period
func (*CommandLabelV2) GetResult ¶
func (c *CommandLabelV2) GetResult() string
GetResult returns label result
func (*CommandLabelV2) SetPeriod ¶
func (c *CommandLabelV2) SetPeriod(p time.Duration)
SetPeriod sets label period
func (*CommandLabelV2) SetResult ¶
func (c *CommandLabelV2) SetResult(r string)
SetResult sets label result
type CommandLabels ¶
type CommandLabels map[string]CommandLabel
CommandLabels is a set of command labels
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from environment variable
type ConnectorRef ¶
type ConnectorRef struct { // Type is connector type Type string `json:"type"` // ID is connector ID ID string `json:"id"` // Identity is external identity of the user Identity string `json:"identity"` }
ConnectorRef holds information about OIDC connector
type CreatedBy ¶
type CreatedBy struct { // Identity if present means that user was automatically created by identity Connector *ConnectorRef `json:"connector,omitempty"` // Time specifies when user was created Time time.Time `json:"time"` // User holds information about user User UserRef `json:"user"` }
CreatedBy holds information about the person or agent who created the user
type Duration ¶
Duration is a wrapper around duration to set up custom marshal/unmarshal
func MaxDuration ¶
func MaxDuration() Duration
MaxDuration returns maximum duration that is possible
func NewDuration ¶
NewDuration returns Duration struct based on time.Duration
func (Duration) MarshalJSON ¶
MarshalJSON marshals Duration to string
func (*Duration) UnmarshalJSON ¶
UnmarshalJSON marshals Duration to string
func (*Duration) UnmarshalYAML ¶
type Identity ¶ added in v1.0.0
type Identity interface { // GetUsers returns a list of users registered with the local auth server GetUsers() ([]User, error) // AddUserLoginAttempt logs user login attempt AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error // GetUserLoginAttempts returns user login attempts GetUserLoginAttempts(user string) ([]LoginAttempt, error) // CreateUser creates user if it does not exist CreateUser(user User) error // UpsertUser updates parameters about user UpsertUser(user User) error // GetUser returns a user by name GetUser(user string) (User, error) // GetUserByOIDCIdentity returns a user by it's specified OIDC Identity, returns first // user specified with this identity GetUserByOIDCIdentity(id OIDCIdentity) (User, error) // DeleteUser deletes a user with all the keys from the backend DeleteUser(user string) error // UpsertPasswordHash upserts user password hash UpsertPasswordHash(user string, hash []byte) error // GetPasswordHash returns the password hash for a given user GetPasswordHash(user string) ([]byte, error) // UpsertHOTP upserts HOTP state for user // Deprecated: HOTP use is deprecated, use UpsertTOTP instead. UpsertHOTP(user string, otp *hotp.HOTP) error // GetHOTP gets HOTP token state for a user // Deprecated: HOTP use is deprecated, use GetTOTP instead. GetHOTP(user string) (*hotp.HOTP, error) // UpsertTOTP upserts TOTP secret key for a user that can be used to generate and validate tokens. UpsertTOTP(user string, secretKey string) error // GetTOTP returns the secret key used by the TOTP algorithm to validate tokens. GetTOTP(user string) (string, error) // UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again // during the 30 second window it's valid. UpsertUsedTOTPToken(user string, otpToken string) error // GetUsedTOTPToken returns the last successfully used TOTP token. GetUsedTOTPToken(user string) (string, error) // DeleteUsedTOTPToken removes the used token from the backend. This should only // be used during tests. DeleteUsedTOTPToken(user string) error // UpsertWebSession updates or inserts a web session for a user and session UpsertWebSession(user, sid string, session WebSession) error // GetWebSession returns a web session state for a given user and session id GetWebSession(user, sid string) (WebSession, error) // DeleteWebSession deletes web session from the storage DeleteWebSession(user, sid string) error // UpsertPassword upserts new password and OTP token UpsertPassword(user string, password []byte) error // UpsertSignupToken upserts signup token - one time token that lets user to create a user account UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error // GetSignupToken returns signup token data GetSignupToken(token string) (*SignupToken, error) // GetSignupTokens returns a list of signup tokens GetSignupTokens() ([]SignupToken, error) // DeleteSignupToken deletes signup token from the storage DeleteSignupToken(token string) error // UpsertU2FRegisterChallenge upserts a U2F challenge for a new user corresponding to the token UpsertU2FRegisterChallenge(token string, u2fChallenge *u2f.Challenge) error // GetU2FRegisterChallenge returns a U2F challenge for a new user corresponding to the token GetU2FRegisterChallenge(token string) (*u2f.Challenge, error) // UpsertU2FRegistration upserts a U2F registration from a valid register response UpsertU2FRegistration(user string, u2fReg *u2f.Registration) error // GetU2FRegistration returns a U2F registration from a valid register response GetU2FRegistration(user string) (*u2f.Registration, error) // UpsertU2FSignChallenge upserts a U2F sign (auth) challenge UpsertU2FSignChallenge(user string, u2fChallenge *u2f.Challenge) error // GetU2FSignChallenge returns a U2F sign (auth) challenge GetU2FSignChallenge(user string) (*u2f.Challenge, error) // UpsertU2FRegistrationCounter upserts a counter associated with a U2F registration UpsertU2FRegistrationCounter(user string, counter uint32) error // GetU2FRegistrationCounter returns a counter associated with a U2F registration GetU2FRegistrationCounter(user string) (uint32, error) // UpsertOIDCConnector upserts OIDC Connector UpsertOIDCConnector(connector OIDCConnector, ttl time.Duration) error // DeleteOIDCConnector deletes OIDC Connector DeleteOIDCConnector(connectorID string) error // GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results GetOIDCConnector(id string, withSecrets bool) (OIDCConnector, error) // GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error) // CreateOIDCAuthRequest creates new auth request CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error // GetOIDCAuthRequest returns OIDC auth request if found GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error) }
Identity is responsible for managing user entries
type LoginAttempt ¶
type LoginAttempt struct { // Time is time of the attempt Time time.Time `json:"time"` // Sucess indicates whether attempt was successfull Success bool `json:"bool"` }
LoginAttempt represents successfull or unsuccessful attempt for user to login
type LoginStatus ¶
type LoginStatus struct { // IsLocked tells us if user is locked IsLocked bool `json:"is_locked"` // LockedMessage contains the message in case if user is locked LockedMessage string `json:"locked_message,omitempty"` // LockedTime contains time when user was locked LockedTime time.Time `json:"locked_time,omitempty"` // LockExpires contains time when this lock will expire LockExpires time.Time `json:"lock_expires,omitempty"` }
LoginStatus is a login status of the user
type MarshalConfig ¶
type MarshalConfig struct { // Version specifies particular version we should marshal resources with Version string }
MarshalConfig specify marshalling options
func (*MarshalConfig) GetVersion ¶
func (m *MarshalConfig) GetVersion() string
GetVersion returns explicitly provided version or sets latest as default
type MarshalOption ¶
type MarshalOption func(c *MarshalConfig) error
MarshalOption sets marshalling option
type Metadata ¶
type Metadata struct { // Name is an object name Name string `json:"name"` // Namespace is object namespace Namespace string `json:"namespace"` // Description is object description Description string `json:"description,omitempty"` // Labels is a set of labels Labels map[string]string `json:"labels,omitempty"` }
Metadata is resource metadata
type Namespace ¶
type Namespace struct { // Kind is a resource kind - always namespace Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains namespace specification Spec NamespaceSpec `json:"spec"` }
Namespace represents namespace resource specification
func UnmarshalNamespace ¶
UnmarshalNamespace unmarshals role from JSON or YAML, sets defaults and checks the schema
func (*Namespace) CheckAndSetDefaults ¶
Check checks validity of all parameters and sets defaults
type OIDCAuthRequest ¶ added in v1.0.0
type OIDCAuthRequest struct { // ConnectorID is ID of OIDC connector this request uses ConnectorID string `json:"connector_id"` // Type is opaque string that helps callbacks identify the request type Type string `json:"type"` // CheckUser tells validator if it should expect and check user CheckUser bool `json:"check_user"` // StateToken is generated by service and is used to validate // reuqest coming from StateToken string `json:"state_token"` // RedirectURL will be used by browser RedirectURL string `json:"redirect_url"` // PublicKey is an optional public key, users want these // keys to be signed by auth servers user CA in case // of successfull auth PublicKey []byte `json:"public_key"` // CertTTL is the TTL of the certificate user wants to get CertTTL time.Duration `json:"cert_ttl"` // CreateWebSession indicates if user wants to generate a web // session after successful authentication CreateWebSession bool `json:"create_web_session"` // ClientRedirectURL is a URL client wants to be redirected // after successfull authentication ClientRedirectURL string `json:"client_redirect_url"` }
OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server
func (*OIDCAuthRequest) Check ¶ added in v1.0.0
func (i *OIDCAuthRequest) Check() error
Check returns nil if all parameters are great, err otherwise
type OIDCConnector ¶ added in v1.0.0
type OIDCConnector interface { // Name is a provider name, 'e.g.' google, used internally GetName() string // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com GetIssuerURL() string // ClientID is id for authentication client (in our case it's our Auth server) GetClientID() string // ClientSecret is used to authenticate our client and should not // be visible to end user GetClientSecret() string // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successfull authentication // Should match the URL on Provider's side GetRedirectURL() string // Display - Friendly name for this provider. GetDisplay() string // Scope is additional scopes set by provder GetScope() []string // ClaimsToRoles specifies dynamic mapping from claims to roles GetClaimsToRoles() []ClaimMapping // GetClaims returns list of claims expected by mappings GetClaims() []string // MapClaims maps claims to roles MapClaims(claims jose.Claims) []string // RoleFromTemplate creates a role from a template and claims. RoleFromTemplate(claims jose.Claims) (Role, error) // Check checks OIDC connector for errors Check() error // SetClientSecret sets client secret to some value SetClientSecret(secret string) // SetClientID sets id for authentication client (in our case it's our Auth server) SetClientID(string) // SetName sets a provider name SetName(string) // SetIssuerURL sets the endpoint of the provider SetIssuerURL(string) // SetRedirectURL sets RedirectURL SetRedirectURL(string) // SetScope sets additional scopes set by provider SetScope([]string) // SetClaimsToRoles sets dynamic mapping from claims to roles SetClaimsToRoles([]ClaimMapping) // SetDisplay sets friendly name for this provider. SetDisplay(string) }
OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
func NewOIDCConnector ¶
func NewOIDCConnector(name string, spec OIDCConnectorSpecV2) OIDCConnector
NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV2.
type OIDCConnectorMarshaler ¶
type OIDCConnectorMarshaler interface { // UnmarshalOIDCConnector unmarshals connector from binary representation UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error) // MarshalOIDCConnector marshals connector to binary representation MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error) }
OIDCConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetOIDCConnectorMarshaler ¶
func GetOIDCConnectorMarshaler() OIDCConnectorMarshaler
GetOIDCConnectorMarshaler returns currently set user marshaler
type OIDCConnectorSpecV2 ¶
type OIDCConnectorSpecV2 struct { // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `json:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `json:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `json:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successfull authentication // Should match the URL on Provider's side RedirectURL string `json:"redirect_url"` // Display - Friendly name for this provider. Display string `json:"display,omitempty"` // Scope is additional scopes set by provder Scope []string `json:"scope,omitempty"` // ClaimsToRoles specifies dynamic mapping from claims to roles ClaimsToRoles []ClaimMapping `json:"claims_to_roles,omitempty"` }
OIDCConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
type OIDCConnectorV1 ¶
type OIDCConnectorV1 struct { // ID is a provider id, 'e.g.' google, used internally ID string `json:"id"` // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `json:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `json:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `json:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successfull authentication // Should match the URL on Provider's side RedirectURL string `json:"redirect_url"` // Display - Friendly name for this provider. Display string `json:"display"` // Scope is additional scopes set by provder Scope []string `json:"scope"` // ClaimsToRoles specifies dynamic mapping from claims to roles ClaimsToRoles []ClaimMapping `json:"claims_to_roles"` }
OIDCConnectorV1 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnectorV1) V1 ¶
func (o *OIDCConnectorV1) V1() *OIDCConnectorV1
V1 returns V1 version of the resource
func (*OIDCConnectorV1) V2 ¶
func (o *OIDCConnectorV1) V2() *OIDCConnectorV2
V2 returns V2 version of the connector
type OIDCConnectorV2 ¶
type OIDCConnectorV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains connector specification Spec OIDCConnectorSpecV2 `json:"spec"` }
OIDCConnectorV2 is version 1 resource spec for OIDC connector
func (*OIDCConnectorV2) Check ¶
func (o *OIDCConnectorV2) Check() error
Check returns nil if all parameters are great, err otherwise
func (*OIDCConnectorV2) GetClaims ¶
func (o *OIDCConnectorV2) GetClaims() []string
GetClaims returns list of claims expected by mappings
func (*OIDCConnectorV2) GetClaimsToRoles ¶
func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping
ClaimsToRoles specifies dynamic mapping from claims to roles
func (*OIDCConnectorV2) GetClientID ¶
func (o *OIDCConnectorV2) GetClientID() string
ClientID is id for authentication client (in our case it's our Auth server)
func (*OIDCConnectorV2) GetClientSecret ¶
func (o *OIDCConnectorV2) GetClientSecret() string
ClientSecret is used to authenticate our client and should not be visible to end user
func (*OIDCConnectorV2) GetDisplay ¶
func (o *OIDCConnectorV2) GetDisplay() string
Display - Friendly name for this provider.
func (*OIDCConnectorV2) GetIssuerURL ¶
func (o *OIDCConnectorV2) GetIssuerURL() string
Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
func (*OIDCConnectorV2) GetName ¶
func (o *OIDCConnectorV2) GetName() string
ID is a provider id, 'e.g.' google, used internally
func (*OIDCConnectorV2) GetRedirectURL ¶
func (o *OIDCConnectorV2) GetRedirectURL() string
RedirectURL - Identity provider will use this URL to redirect client's browser back to it after successfull authentication Should match the URL on Provider's side
func (*OIDCConnectorV2) GetScope ¶
func (o *OIDCConnectorV2) GetScope() []string
Scope is additional scopes set by provder
func (*OIDCConnectorV2) MapClaims ¶
func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string
MapClaims maps claims to roles
func (*OIDCConnectorV2) RoleFromTemplate ¶
func (o *OIDCConnectorV2) RoleFromTemplate(claims jose.Claims) (Role, error)
RoleFromTemplate creates a role from a template and claims.
func (*OIDCConnectorV2) SetClaimsToRoles ¶
func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)
SetClaimsToRoles sets dynamic mapping from claims to roles
func (*OIDCConnectorV2) SetClientID ¶
func (o *OIDCConnectorV2) SetClientID(clintID string)
SetClientID sets id for authentication client (in our case it's our Auth server)
func (*OIDCConnectorV2) SetClientSecret ¶
func (o *OIDCConnectorV2) SetClientSecret(secret string)
SetClientSecret sets client secret to some value
func (*OIDCConnectorV2) SetDisplay ¶
func (o *OIDCConnectorV2) SetDisplay(display string)
SetDisplay sets friendly name for this provider.
func (*OIDCConnectorV2) SetIssuerURL ¶
func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)
SetIssuerURL sets client secret to some value
func (*OIDCConnectorV2) SetName ¶
func (o *OIDCConnectorV2) SetName(name string)
SetName sets client secret to some value
func (*OIDCConnectorV2) SetRedirectURL ¶
func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)
SetRedirectURL sets client secret to some value
func (*OIDCConnectorV2) SetScope ¶
func (o *OIDCConnectorV2) SetScope(scope []string)
SetScope sets additional scopes set by provider
func (*OIDCConnectorV2) V1 ¶
func (o *OIDCConnectorV2) V1() *OIDCConnectorV1
V1 converts OIDCConnectorV2 to OIDCConnectorV1 format
func (*OIDCConnectorV2) V2 ¶
func (o *OIDCConnectorV2) V2() *OIDCConnectorV2
V2 returns V2 version of the resource
type OIDCIdentity ¶ added in v1.0.0
type OIDCIdentity struct { // ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' ConnectorID string `json:"connector_id"` // Email is OIDC verified email claim // e.g. bob@example.com Email string `json:"username"` }
OIDCIdentity is OpenID Connect identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google
func (*OIDCIdentity) Check ¶ added in v1.0.0
func (i *OIDCIdentity) Check() error
Check returns nil if all parameters are great, err otherwise
func (*OIDCIdentity) Equals ¶ added in v1.0.0
func (i *OIDCIdentity) Equals(other *OIDCIdentity) bool
Equals returns true if this identity equals to passed one
func (*OIDCIdentity) String ¶ added in v1.0.0
func (i *OIDCIdentity) String() string
String returns debug friendly representation of this identity
type Presence ¶ added in v1.0.0
type Presence interface { // GetNodes returns a list of registered servers GetNodes(namespace string) ([]Server, error) // UpsertNode registers node presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertNode(server Server, ttl time.Duration) error // GetAuthServers returns a list of registered servers GetAuthServers() ([]Server, error) // UpsertAuthServer registers auth server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertAuthServer(server Server, ttl time.Duration) error // UpsertProxy registers proxy server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(server Server, ttl time.Duration) error // GetProxies returns a list of registered proxies GetProxies() ([]Server, error) // UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error // GetReverseTunnels returns a list of registered servers GetReverseTunnels() ([]ReverseTunnel, error) // DeleteReverseTunnel deletes reverse tunnel by it's domain name DeleteReverseTunnel(domainName string) error // GetNamespaces returns a list of namespaces GetNamespaces() ([]Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*Namespace, error) // UpsertNamespace upserts namespace UpsertNamespace(Namespace) error // DeleteNamespace deletes namespace by name DeleteNamespace(name string) error // UpsertTrustedCluster creates or updates a TrustedCluster in the backend. UpsertTrustedCluster(TrustedCluster) error // GetTrustedCluster returns a single TrustedCluster by name. GetTrustedCluster(string) (TrustedCluster, error) // GetTrustedClusters returns all TrustedClusters in the backend. GetTrustedClusters() ([]TrustedCluster, error) // DeleteTrustedCluster removes a TrustedCluster from the backend by name. DeleteTrustedCluster(string) error }
Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes
type ProvisionToken ¶
type ProvisionToken struct { Roles teleport.Roles `json:"roles"` Expires time.Time `json:"expires"` Token string `json:"token"` }
ProvisionToken stores metadata about some provisioning token
type Provisioner ¶ added in v1.0.0
type Provisioner interface { // UpsertToken adds provisioning tokens for the auth server UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error // GetToken finds and returns token by id GetToken(token string) (*ProvisionToken, error) // DeleteToken deletes provisioning token DeleteToken(token string) error // GetTokens returns all non-expired tokens GetTokens() ([]ProvisionToken, error) }
Provisioner governs adding new nodes to the cluster
type Ref ¶
Ref is a resource refernece
type ResourceHeader ¶
type ResourceHeader struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` }
ResorceHeader is a shared resource header
type ReverseTunnel ¶ added in v1.0.0
type ReverseTunnel interface { // GetName returns tunnel object name GetName() string // GetClusterName returns name of the cluster GetClusterName() string // GetDialAddrs returns list of dial addresses for this cluster GetDialAddrs() []string // Check checks tunnel for errors Check() error }
ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved
func NewReverseTunnel ¶
func NewReverseTunnel(clusterName string, dialAddrs []string) ReverseTunnel
NewReverseTunnel returns new version of reverse tunnel
func UnmarshalReverseTunnel ¶
func UnmarshalReverseTunnel(data []byte) (ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema
type ReverseTunnelMarshaler ¶
type ReverseTunnelMarshaler interface { // UnmarshalReverseTunnel unmarshals reverse tunnel from binary representation UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error) // MarshalReverseTunnel marshals reverse tunnel to binary representation MarshalReverseTunnel(ReverseTunnel, ...MarshalOption) ([]byte, error) }
ReverseTunnelMarshaler implements marshal/unmarshal of reverse tunnel implementations
func GetReverseTunnelMarshaler ¶
func GetReverseTunnelMarshaler() ReverseTunnelMarshaler
type ReverseTunnelSpecV2 ¶
type ReverseTunnelSpecV2 struct { // ClusterName is a domain name of remote cluster we are connecting to ClusterName string `json:"cluster_name"` // DialAddrs is a list of remote address to establish a connection to // it's always SSH over TCP DialAddrs []string `json:"dial_addrs,omitempty"` }
ReverseTunnelSpecV2 is a specification for V2 reverse tunnel
type ReverseTunnelV1 ¶
type ReverseTunnelV1 struct { // DomainName is a domain name of remote cluster we are connecting to DomainName string `json:"domain_name"` // DialAddrs is a list of remote address to establish a connection to // it's always SSH over TCP DialAddrs []string `json:"dial_addrs"` }
ReverseTunnelV1 is V1 version of reverse tunnel
func (*ReverseTunnelV1) V1 ¶
func (r *ReverseTunnelV1) V1() *ReverseTunnelV1
V1 returns V1 version of the resource
func (*ReverseTunnelV1) V2 ¶
func (r *ReverseTunnelV1) V2() *ReverseTunnelV2
V2 returns V2 version of reverse tunnel
type ReverseTunnelV2 ¶
type ReverseTunnelV2 struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec ReverseTunnelSpecV2 `json:"spec"` }
ReverseTunnelV2 is version 1 resource spec of the reverse tunnel
func (*ReverseTunnelV2) Check ¶
func (r *ReverseTunnelV2) Check() error
Check returns nil if all parameters are good, error otherwise
func (*ReverseTunnelV2) GetClusterName ¶
func (r *ReverseTunnelV2) GetClusterName() string
GetClusterName returns name of the cluster
func (*ReverseTunnelV2) GetDialAddrs ¶
func (r *ReverseTunnelV2) GetDialAddrs() []string
GetDialAddrs returns list of dial addresses for this cluster
func (*ReverseTunnelV2) GetName ¶
func (r *ReverseTunnelV2) GetName() string
GetName returns tunnel object name
func (*ReverseTunnelV2) V1 ¶
func (r *ReverseTunnelV2) V1() *ReverseTunnelV1
V1 returns V1 version of the resource
func (*ReverseTunnelV2) V2 ¶
func (r *ReverseTunnelV2) V2() *ReverseTunnelV2
V2 returns V2 version of the resource
type Role ¶
type Role interface { // GetMetadata returns role metadata GetMetadata() Metadata // GetName returns role name and is a shortcut for GetMetadata().Name GetName() string // GetMaxSessionTTL is a maximum SSH or Web session TTL GetMaxSessionTTL() Duration // SetLogins sets logins for role SetLogins(logins []string) // GetLogins returns a list of linux logins allowed for this role GetLogins() []string // GetNodeLabels returns a list of matching nodes this role has access to GetNodeLabels() map[string]string // GetNamespaces returns a list of namespaces this role has access to GetNamespaces() []string // GetResources returns access to resources GetResources() map[string][]string // SetName is a shortcut for SetMetadata().Name SetName(string) // SetResource sets resource rule SetResource(kind string, actions []string) // RemoveResource deletes resource entry RemoveResource(kind string) // SetNodeLabels sets node labels for this rule SetNodeLabels(labels map[string]string) // SetMaxSessionTTL sets a maximum TTL for SSH or Web session SetMaxSessionTTL(duration time.Duration) // SetNamespaces sets a list of namespaces this role has access to SetNamespaces(namespaces []string) // CanForwardAgent returns true if this role is allowed // to request agent forwarding CanForwardAgent() bool // SetForwardAgent sets forward agent property SetForwardAgent(forwardAgent bool) }
Role contains a set of permissions or settings
func NewRole ¶
func NewRole(name string, spec RoleSpecV2) (Role, error)
NewRole constructs new standard role
func RoleForCertAuthority ¶
func RoleForCertAuthority(ca CertAuthority) Role
RoleForCertauthority creates role using AllowedLogins parameter
func RoleForUser ¶
RoleForUser creates role using AllowedLogins parameter
type RoleGetter ¶
RoleGetter is an interface that defines GetRole method
type RoleMarshaler ¶
type RoleMarshaler interface { // UnmarshalRole from binary representation UnmarshalRole(bytes []byte) (Role, error) // MarshalRole to binary representation MarshalRole(u Role, opts ...MarshalOption) ([]byte, error) }
RoleMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions
func GetRoleMarshaler ¶
func GetRoleMarshaler() RoleMarshaler
type RoleSet ¶
type RoleSet []Role
RoleSet is a set of roles that implements access control functionality
func FetchRoles ¶
func FetchRoles(roleNames []string, access RoleGetter) (RoleSet, error)
FetchRoles fetches roles by their names and returns role set
func FromSpec ¶
func FromSpec(name string, spec RoleSpecV2) (RoleSet, error)
FromSpec returns new RoleSet created from spec
func NewRoleSet ¶
NewRoleSet returns new RoleSet based on the roles
func (RoleSet) AdjustSessionTTL ¶
AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL for this role set, otherwise it returns ttl unchanges
func (RoleSet) CanForwardAgents ¶
CanForwardAgents returns true if role set allows forwarding agents
func (RoleSet) CheckAccessToServer ¶
CheckAccessToServer checks if role set has access to server based on combined role's selector and attempted login
func (RoleSet) CheckAgentForward ¶
CheckAgentForward checks if the role can request agent forward for this user
func (RoleSet) CheckLogins ¶
CheckLogins checks if role set can login up to given duration and returns a combined list of allowed logins
func (RoleSet) CheckResourceAction ¶
CheckResourceAction checks if role set has access to this resource action
type RoleSpecV2 ¶
type RoleSpecV2 struct { // MaxSessionTTL is a maximum SSH or Web session TTL MaxSessionTTL Duration `json:"max_session_ttl" yaml:"max_session_ttl"` // Logins is a list of linux logins allowed for this role Logins []string `json:"logins,omitempty" yaml:"logins,omitempty"` // NodeLabels is a set of matching labels that users of this role // will be allowed to access NodeLabels map[string]string `json:"node_labels,omitempty" yaml:"node_labels,omitempty"` // Namespaces is a list of namespaces, guarding accesss to resources Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` // Resources limits access to resources Resources map[string][]string `json:"resources,omitempty" yaml:"resources,omitempty"` // ForwardAgent permits SSH agent forwarding if requested by the client ForwardAgent bool `json:"forward_agent" yaml:"forward_agent"` }
RoleSpecV2 is role specification for RoleV2
type RoleV2 ¶
type RoleV2 struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains role specification Spec RoleSpecV2 `json:"spec"` }
RoleV2 represents role resource specification
func UnmarshalRole ¶
UnmarshalRole unmarshals role from JSON or YAML, sets defaults and checks the schema
func (*RoleV2) CanForwardAgent ¶
CanForwardAgent returns true if this role is allowed to request agent forwarding
func (*RoleV2) CheckAndSetDefaults ¶
Check checks validity of all parameters and sets defaults
func (*RoleV2) GetMaxSessionTTL ¶
GetMaxSessionTTL is a maximum SSH or Web session TTL
func (*RoleV2) GetMetadata ¶
GetMetadata returns role metadata
func (*RoleV2) GetNamespaces ¶
GetNamespaces returns a list of namespaces this role has access to
func (*RoleV2) GetNodeLabels ¶
GetNodeLabels returns a list of matchign nodes this role has access to
func (*RoleV2) GetResources ¶
GetResources returns access to resources
func (*RoleV2) RemoveResource ¶
RemoveResource deletes resource entry
func (*RoleV2) SetForwardAgent ¶
SetForwardAgent sets forward agent property
func (*RoleV2) SetMaxSessionTTL ¶
SetMaxSessionTTL sets a maximum TTL for SSH or Web session
func (*RoleV2) SetNamespaces ¶
SetNamespaces sets a list of namespaces this role has access to
func (*RoleV2) SetNodeLabels ¶
SetNodeLabels sets node labels for role
func (*RoleV2) SetResource ¶
SetResource sets resource rule
type Server ¶
type Server interface { // GetName returns server name GetName() string // GetAddr return server address GetAddr() string // GetHostname returns server hostname GetHostname() string // GetNamespace returns server namespace GetNamespace() string // GetAllLabels returns server's static and dynamic label values merged together GetAllLabels() map[string]string // GetLabels returns server's static label key pairs GetLabels() map[string]string // GetCmdLabels returns command labels GetCmdLabels() map[string]CommandLabel // GetPublicAddr is an optional field that returns the public address this cluster can be reached at. GetPublicAddr() string // String returns string representation of the server String() string // SetAddr sets server address SetAddr(addr string) // SetPublicAddr sets the public address this cluster can be reached at. SetPublicAddr(string) // SetNamespace sets server namespace SetNamespace(namespace string) // V1 returns V1 version for backwards compatibility V1() *ServerV1 // MatchAgainst takes a map of labels and returns True if this server // has ALL of them // // Any server matches against an empty label set MatchAgainst(labels map[string]string) bool // LabelsString returns a comma separated string with all node's labels LabelsString() string }
Server represents a Node, Proxy or Auth server in a Teleport cluster
type ServerMarshaler ¶
type ServerMarshaler interface { // UnmarshalServer from binary representation UnmarshalServer(bytes []byte, kind string) (Server, error) // MarshalServer to binary representation MarshalServer(Server, ...MarshalOption) ([]byte, error) }
ServerMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions
func GetServerMarshaler ¶
func GetServerMarshaler() ServerMarshaler
type ServerSpecV2 ¶
type ServerSpecV2 struct { // Addr is server host:port address Addr string `json:"addr"` // PublicAddr is the public address this cluster can be reached at. PublicAddr string `json:"public_addr,omitempty"` // Hostname is server hostname Hostname string `json:"hostname"` // CmdLabels is server dynamic labels CmdLabels map[string]CommandLabelV2 `json:"cmd_labels,omitempty"` }
ServerSpecV2 is a specification for V2 Server
type ServerV1 ¶
type ServerV1 struct { Kind string `json:"kind"` ID string `json:"id"` Addr string `json:"addr"` Hostname string `json:"hostname"` Namespace string `json:"namespace"` Labels map[string]string `json:"labels"` CmdLabels map[string]CommandLabelV1 `json:"cmd_labels"` }
ServerV1 represents V1 spec of the server
func ServersToV1 ¶
ServersToV1 converts list of servers to slice of V1 style ones
type ServerV2 ¶
type ServerV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is User metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec ServerSpecV2 `json:"spec"` }
ServerV2 is version1 resource spec of the server
func (*ServerV2) GetAllLabels ¶
GetAllLabels returns the full key:value map of both static labels and "command labels"
func (*ServerV2) GetCmdLabels ¶
func (s *ServerV2) GetCmdLabels() map[string]CommandLabel
GetCmdLabels returns command labels
func (*ServerV2) GetHostname ¶
GetHostname returns server hostname
func (*ServerV2) GetNamespace ¶
GetNamespace returns server namespace
func (*ServerV2) GetPublicAddr ¶
GetPublicAddr is an optional field that returns the public address this cluster can be reached at.
func (*ServerV2) LabelsString ¶
LabelsString returns a comma separated string with all node's labels
func (*ServerV2) MatchAgainst ¶
MatchAgainst takes a map of labels and returns True if this server has ALL of them
Any server matches against an empty label set
func (*ServerV2) SetNamespace ¶
SetNamespace sets server namespace
func (*ServerV2) SetPublicAddr ¶
SetPublicAddr sets the public address this cluster can be reached at.
type SignupToken ¶
type SignupToken struct { Token string `json:"token"` User UserV1 `json:"user"` OTPKey string `json:"otp_key"` OTPQRCode []byte `json:"otp_qr_code"` Expires time.Time `json:"expires"` }
SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed
type Site ¶ added in v1.0.0
type Site struct { Name string `json:"name"` LastConnected time.Time `json:"lastconnected"` Status string `json:"status"` }
Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.
The CA is represented by an auth server (or multiple auth servers, if running in HA mode)
type SortedLoginAttempts ¶
type SortedLoginAttempts []LoginAttempt
SortedLoginAttempts sorts login attempts by time
func (SortedLoginAttempts) Len ¶
func (s SortedLoginAttempts) Len() int
Len returns length of a role list
func (SortedLoginAttempts) Less ¶
func (s SortedLoginAttempts) Less(i, j int) bool
Less stacks latest attempts to the end of the list
func (SortedLoginAttempts) Swap ¶
func (s SortedLoginAttempts) Swap(i, j int)
Swap swaps two attempts
type SortedNamespaces ¶
type SortedNamespaces []Namespace
SortedNamespaces sorts namespaces
func (SortedNamespaces) Less ¶
func (s SortedNamespaces) Less(i, j int) bool
Less compares roles by name
func (SortedNamespaces) Swap ¶
func (s SortedNamespaces) Swap(i, j int)
Swap swaps two roles in a list
type SortedReverseTunnels ¶
type SortedReverseTunnels []ReverseTunnel
SortedReverseTunnels sorts reverse tunnels by cluster name
func (SortedReverseTunnels) Len ¶
func (s SortedReverseTunnels) Len() int
func (SortedReverseTunnels) Less ¶
func (s SortedReverseTunnels) Less(i, j int) bool
func (SortedReverseTunnels) Swap ¶
func (s SortedReverseTunnels) Swap(i, j int)
type SortedServers ¶
type SortedServers []Server
SortedServers is a sort wrapper that sorts servers by name
func (SortedServers) Len ¶
func (s SortedServers) Len() int
func (SortedServers) Less ¶
func (s SortedServers) Less(i, j int) bool
func (SortedServers) Swap ¶
func (s SortedServers) Swap(i, j int)
type SortedTrustedCluster ¶
type SortedTrustedCluster []TrustedCluster
SortedTrustedCluster sorts clusters by name
func (SortedTrustedCluster) Len ¶
func (s SortedTrustedCluster) Len() int
Len returns the length of a list.
func (SortedTrustedCluster) Less ¶
func (s SortedTrustedCluster) Less(i, j int) bool
Less compares items by name.
func (SortedTrustedCluster) Swap ¶
func (s SortedTrustedCluster) Swap(i, j int)
Swap swaps two items in a list.
type TeleportAuthPreferenceMarshaler ¶
type TeleportAuthPreferenceMarshaler struct{}
func (*TeleportAuthPreferenceMarshaler) Marshal ¶
func (t *TeleportAuthPreferenceMarshaler) Marshal(c AuthPreference, opts ...MarshalOption) ([]byte, error)
Marshal marshals role to JSON or YAML.
func (*TeleportAuthPreferenceMarshaler) Unmarshal ¶
func (t *TeleportAuthPreferenceMarshaler) Unmarshal(bytes []byte) (AuthPreference, error)
Unmarshal unmarshals role from JSON or YAML.
type TeleportCertAuthorityMarshaler ¶
type TeleportCertAuthorityMarshaler struct{}
func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)
GenerateCertAuthority is used to generate new cert authority based on standard teleport one and is used to add custom parameters and extend it in extensions of teleport
func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)
MarshalUser marshalls cert authority into JSON
func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte) (CertAuthority, error)
UnmarshalUser unmarshals user from JSON
type TeleportOIDCConnectorMarshaler ¶
type TeleportOIDCConnectorMarshaler struct{}
func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector ¶
func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)
MarshalUser marshals OIDC connector into JSON
func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector ¶
func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error)
UnmarshalOIDCConnector unmarshals connector from
type TeleportRoleMarshaler ¶
type TeleportRoleMarshaler struct{}
func (*TeleportRoleMarshaler) MarshalRole ¶
func (*TeleportRoleMarshaler) MarshalRole(u Role, opts ...MarshalOption) ([]byte, error)
MarshalRole marshalls role into JSON
func (*TeleportRoleMarshaler) UnmarshalRole ¶
func (*TeleportRoleMarshaler) UnmarshalRole(bytes []byte) (Role, error)
UnmarshalRole unmarshals role from JSON
type TeleportServerMarshaler ¶
type TeleportServerMarshaler struct{}
func (*TeleportServerMarshaler) MarshalServer ¶
func (*TeleportServerMarshaler) MarshalServer(s Server, opts ...MarshalOption) ([]byte, error)
MarshalServer marshals server into JSON
func (*TeleportServerMarshaler) UnmarshalServer ¶
func (*TeleportServerMarshaler) UnmarshalServer(bytes []byte, kind string) (Server, error)
UnmarshalServer unmarshals server from JSON
type TeleportTrustedClusterMarshaler ¶
type TeleportTrustedClusterMarshaler struct{}
func (*TeleportTrustedClusterMarshaler) Marshal ¶
func (t *TeleportTrustedClusterMarshaler) Marshal(c TrustedCluster, opts ...MarshalOption) ([]byte, error)
Marshal marshals role to JSON or YAML.
func (*TeleportTrustedClusterMarshaler) Unmarshal ¶
func (t *TeleportTrustedClusterMarshaler) Unmarshal(bytes []byte) (TrustedCluster, error)
Unmarshal unmarshals role from JSON or YAML.
type TeleportTunnelMarshaler ¶
type TeleportTunnelMarshaler struct{}
func (*TeleportTunnelMarshaler) MarshalReverseTunnel ¶
func (*TeleportTunnelMarshaler) MarshalReverseTunnel(rt ReverseTunnel, opts ...MarshalOption) ([]byte, error)
MarshalRole marshalls role into JSON
func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel ¶
func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML
type TeleportUniversalSecondFactorMarshaler ¶
type TeleportUniversalSecondFactorMarshaler struct{}
func (*TeleportUniversalSecondFactorMarshaler) Marshal ¶
func (t *TeleportUniversalSecondFactorMarshaler) Marshal(c UniversalSecondFactor, opts ...MarshalOption) ([]byte, error)
Marshal marshals role to JSON or YAML.
func (*TeleportUniversalSecondFactorMarshaler) Unmarshal ¶
func (t *TeleportUniversalSecondFactorMarshaler) Unmarshal(bytes []byte) (UniversalSecondFactor, error)
Unmarshal unmarshals role from JSON or YAML.
type TeleportUserMarshaler ¶
type TeleportUserMarshaler struct{}
func (*TeleportUserMarshaler) GenerateUser ¶
func (*TeleportUserMarshaler) GenerateUser(in User) (User, error)
GenerateUser generates new user
func (*TeleportUserMarshaler) MarshalUser ¶
func (*TeleportUserMarshaler) MarshalUser(u User, opts ...MarshalOption) ([]byte, error)
MarshalUser marshalls user into JSON
func (*TeleportUserMarshaler) UnmarshalUser ¶
func (*TeleportUserMarshaler) UnmarshalUser(bytes []byte) (User, error)
UnmarshalUser unmarshals user from JSON
type TeleportWebSessionMarshaler ¶
type TeleportWebSessionMarshaler struct{}
func (*TeleportWebSessionMarshaler) ExtendWebSession ¶
func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)
ExtendWebSession renews web session and is used to inject additional data in extenstions when session is getting renewed
func (*TeleportWebSessionMarshaler) GenerateWebSession ¶
func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)
GenerateWebSession generates new web session and is used to inject additional data in extenstions
func (*TeleportWebSessionMarshaler) MarshalWebSession ¶
func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)
MarshalWebSession marshals web session into on-disk representation
func (*TeleportWebSessionMarshaler) UnmarshalWebSession ¶
func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)
UnmarshalWebSession unmarshals web session from on-disk byte format
type Trust ¶ added in v1.0.0
type Trust interface { // UpsertCertAuthority updates or inserts a new certificate authority UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error // DeleteCertAuthority deletes particular certificate authority DeleteCertAuthority(id CertAuthID) error // GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys // controls if signing keys are loaded GetCertAuthority(id CertAuthID, loadSigningKeys bool) (CertAuthority, error) // GetCertAuthorities returns a list of authorities of a given type // loadSigningKeys controls whether signing keys should be loaded or not GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]CertAuthority, error) }
Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com
There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts
Remote authorities have only public keys available, so they can be only used to validate
type TrustedCluster ¶
type TrustedCluster interface { // GetName returns the name of the TrustedCluster. GetName() string // SetName sets the name of the TrustedCluster. SetName(string) // GetEnabled returns the state of the TrustedCluster. GetEnabled() bool // SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster. SetEnabled(bool) // GetRoles returns the roles for the certificate authority. GetRoles() []string // SetRoles sets the roles for the certificate authority. SetRoles([]string) // GetToken returns the authorization and authentication token. GetToken() string // SetToken sets the authorization and authentication. SetToken(string) // GetProxyAddress returns the address of the proxy server. GetProxyAddress() string // SetProxyAddress sets the address of the proxy server. SetProxyAddress(string) // GetReverseTunnelAddress returns the address of the reverse tunnel. GetReverseTunnelAddress() string // SetReverseTunnelAddress sets the address of the reverse tunnel. SetReverseTunnelAddress(string) }
TrustedCluster holds information needed for a cluster that can not be directly accessed (maybe be behind firewall without any open ports) to join a parent cluster.
func NewTrustedCluster ¶
func NewTrustedCluster(name string, spec TrustedClusterSpecV2) (TrustedCluster, error)
NewTrustedCluster is a convenience wa to create a TrustedCluster resource.
type TrustedClusterMarshaler ¶
type TrustedClusterMarshaler interface { Marshal(c TrustedCluster, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (TrustedCluster, error) }
TrustedClusterMarshaler implements marshal/unmarshal of TrustedCluster implementations mostly adds support for extended versions.
func GetTrustedClusterMarshaler ¶
func GetTrustedClusterMarshaler() TrustedClusterMarshaler
type TrustedClusterSpecV2 ¶
type TrustedClusterSpecV2 struct { // Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. // Setting Enabled to false has a side effect of deleting the user and host // certificate authority (CA). Enabled bool `json:"enabled"` // Roles is a list of roles that users will be assuming when connecting to this cluster. Roles []string `json:"roles"` // Token is the authorization token provided by another cluster needed by // this cluster to join. Token string `json:"token"` // ProxyAddress is the address of the web proxy server of the cluster to join. If not set, // it is derived from <metadata.name>:<default web proxy server port>. ProxyAddress string `json:"web_proxy_addr"` // ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If // not set, it is derived from <metadata.name>:<default reverse tunnel port>. ReverseTunnelAddress string `json:"tunnel_addr"` }
TrustedClusterSpecV2 is the actual data we care about for TrustedClusterSpecV2.
type TrustedClusterV2 ¶
type TrustedClusterV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec TrustedClusterSpecV2 `json:"spec"` }
TrustedClusterV2 implements TrustedCluster.
func (*TrustedClusterV2) GetEnabled ¶
func (c *TrustedClusterV2) GetEnabled() bool
GetEnabled returns the state of the TrustedCluster.
func (*TrustedClusterV2) GetName ¶
func (c *TrustedClusterV2) GetName() string
GetName returns the name of the TrustedCluster.
func (*TrustedClusterV2) GetProxyAddress ¶
func (c *TrustedClusterV2) GetProxyAddress() string
GetProxyAddress returns the address of the proxy server.
func (*TrustedClusterV2) GetReverseTunnelAddress ¶
func (c *TrustedClusterV2) GetReverseTunnelAddress() string
GetReverseTunnelAddress returns the address of the reverse tunnel.
func (*TrustedClusterV2) GetRoles ¶
func (c *TrustedClusterV2) GetRoles() []string
GetRoles returns the roles for the certificate authority.
func (*TrustedClusterV2) GetToken ¶
func (c *TrustedClusterV2) GetToken() string
GetToken returns the authorization and authentication token.
func (*TrustedClusterV2) SetEnabled ¶
func (c *TrustedClusterV2) SetEnabled(e bool)
SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster.
func (*TrustedClusterV2) SetName ¶
func (c *TrustedClusterV2) SetName(e string)
SetName sets the name of the TrustedCluster.
func (*TrustedClusterV2) SetProxyAddress ¶
func (c *TrustedClusterV2) SetProxyAddress(e string)
SetProxyAddress sets the address of the proxy server.
func (*TrustedClusterV2) SetReverseTunnelAddress ¶
func (c *TrustedClusterV2) SetReverseTunnelAddress(e string)
SetReverseTunnelAddress sets the address of the reverse tunnel.
func (*TrustedClusterV2) SetRoles ¶
func (c *TrustedClusterV2) SetRoles(e []string)
SetRoles sets the roles for the certificate authority.
func (*TrustedClusterV2) SetToken ¶
func (c *TrustedClusterV2) SetToken(e string)
SetToken sets the authorization and authentication.
func (*TrustedClusterV2) String ¶
func (c *TrustedClusterV2) String() string
String represents a human readable version of trusted cluster settings.
type U2F ¶ added in v1.3.0
type U2F struct { Enabled bool // AppID identifies the website to the U2F keys. It should not be changed once a U2F // key is registered or all existing registrations will become invalid. AppID string // Facets should include the domain name of all proxies. Facets []string }
U2F is a configuration of the U2F two factor authentication Deprecated: Use services.UniversalSecondFactor instead.
type UniversalSecondFactor ¶
type UniversalSecondFactor interface { // GetAppID returns the application ID for universal second factor. GetAppID() string // SetAppID sets the application ID for universal second factor. SetAppID(string) // GetFacets returns the facets for universal second factor. GetFacets() []string // SetFacets sets the facets for universal second factor. SetFacets([]string) // String represents a human readable version of U2F settings. String() string }
UniversalSecondFactor defines settings for Universal Second Factor like the AppID and Facets.
func NewUniversalSecondFactor ¶
func NewUniversalSecondFactor(spec UniversalSecondFactorSpecV2) (UniversalSecondFactor, error)
NewUniversalSecondFactor is a convenience method to to create UniversalSecondFactorV2.
type UniversalSecondFactorMarshaler ¶
type UniversalSecondFactorMarshaler interface { Marshal(c UniversalSecondFactor, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (UniversalSecondFactor, error) }
UniversalSecondFactorMarshaler implements marshal/unmarshal of UniversalSecondFactor implementations mostly adds support for extended versions.
func GetUniversalSecondFactorMarshaler ¶
func GetUniversalSecondFactorMarshaler() UniversalSecondFactorMarshaler
type UniversalSecondFactorSettings ¶
type UniversalSecondFactorSettings interface { // GetUniversalSecondFactor returns universal second factor settings. GetUniversalSecondFactor() (UniversalSecondFactor, error) // SetUniversalSecondFactor sets universal second factor settings. SetUniversalSecondFactor(UniversalSecondFactor) error }
UniversalSecondFactorSettings defines the interface to get and set Universal Second Factor settings.
type UniversalSecondFactorSpecV2 ¶
type UniversalSecondFactorSpecV2 struct { // AppID is the application ID for universal second factor. AppID string `json:"app_id"` // Facets are the facets for universal second factor. Facets []string `json:"facets"` }
UniversalSecondFactorSpecV2 is the actual data we care about for UniversalSecondFactorV2.
type UniversalSecondFactorV2 ¶
type UniversalSecondFactorV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec UniversalSecondFactorSpecV2 `json:"spec"` }
UniversalSecondFactorV2 implements UniversalSecondFactor.
func (*UniversalSecondFactorV2) GetAppID ¶
func (c *UniversalSecondFactorV2) GetAppID() string
GetAppID returns the application ID for universal second factor.
func (*UniversalSecondFactorV2) GetFacets ¶
func (c *UniversalSecondFactorV2) GetFacets() []string
GetFacets returns the facets for universal second factor.
func (*UniversalSecondFactorV2) SetAppID ¶
func (c *UniversalSecondFactorV2) SetAppID(s string)
SetAppID sets the application ID for universal second factor.
func (*UniversalSecondFactorV2) SetFacets ¶
func (c *UniversalSecondFactorV2) SetFacets(s []string)
SetFacets sets the facets for universal second factor.
func (*UniversalSecondFactorV2) String ¶
func (c *UniversalSecondFactorV2) String() string
String represents a human readable version of U2F settings.
type UnknownResource ¶
type UnknownResource struct { ResourceHeader // Raw is raw representation of the resource Raw []byte }
UnknownResource is used to detect resources
func (*UnknownResource) UnmarshalJSON ¶
func (u *UnknownResource) UnmarshalJSON(raw []byte) error
UnmarshalJSON unmarshals header and captures raw state
type User ¶ added in v1.0.0
type User interface { // GetName returns user name GetName() string // GetIdentities returns a list of connected OIDCIdentities GetIdentities() []OIDCIdentity // GetRoles returns a list of roles assigned to user GetRoles() []string // String returns user String() string // Equals checks if user equals to another Equals(other User) bool // GetStatus return user login status GetStatus() LoginStatus // SetLocked sets login status to locked SetLocked(until time.Time, reason string) // SetRoles sets user roles SetRoles(roles []string) // AddRole adds role to the users' role list AddRole(name string) // GetExpiry returns ttl of the user GetExpiry() time.Time // GetCreatedBy returns information about user GetCreatedBy() CreatedBy // SetCreatedBy sets created by information SetCreatedBy(CreatedBy) // Check checks basic user parameters for errors Check() error // GetRawObject returns raw object data, used for migrations GetRawObject() interface{} // WebSessionInfo returns web session information about user WebSessionInfo(allowedLogins []string) interface{} }
User represents teleport embedded user or external user
type UserMarshaler ¶
type UserMarshaler interface { // UnmarshalUser from binary representation UnmarshalUser(bytes []byte) (User, error) // MarshalUser to binary representation MarshalUser(u User, opts ...MarshalOption) ([]byte, error) // GenerateUser generates new user based on standard teleport user // it gives external implementations to add more app-specific // data to the user GenerateUser(User) (User, error) }
UserMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetUserMarshaler ¶
func GetUserMarshaler() UserMarshaler
GetUserMarshaler returns currently set user marshaler
type UserRef ¶
type UserRef struct { // Name is name of the user Name string `json:"name"` }
UserRef holds refernce to user
type UserSpecV2 ¶
type UserSpecV2 struct { // OIDCIdentities lists associated OpenID Connect identities // that let user log in using externally verified identity OIDCIdentities []OIDCIdentity `json:"oidc_identities,omitempty"` // Roles is a list of roles assigned to user Roles []string `json:"roles,omitempty"` // Status is a login status of the user Status LoginStatus `json:"status"` // Expires if set sets TTL on the user Expires time.Time `json:"expires"` // CreatedBy holds information about agent or person created this usre CreatedBy CreatedBy `json:"created_by"` }
UserSpecV2 is a specification for V2 user
type UserV1 ¶
type UserV1 struct { // Name is a user name Name string `json:"name"` // AllowedLogins represents a list of OS users this teleport // user is allowed to login as AllowedLogins []string `json:"allowed_logins"` // OIDCIdentities lists associated OpenID Connect identities // that let user log in using externally verified identity OIDCIdentities []OIDCIdentity `json:"oidc_identities"` // Status is a login status of the user Status LoginStatus `json:"status"` // Expires if set sets TTL on the user Expires time.Time `json:"expires"` // CreatedBy holds information about agent or person created this usre CreatedBy CreatedBy `json:"created_by"` // Roles is a list of roles Roles []string `json:"roles"` }
UserV1 is V1 version of the user
type UserV2 ¶
type UserV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is User metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec UserSpecV2 `json:"spec"` // contains filtered or unexported fields }
UserV2 is version1 resource spec of the user
func (*UserV2) GetCreatedBy ¶
GetCreatedBy returns information about who created user
func (*UserV2) GetIdentities ¶
func (u *UserV2) GetIdentities() []OIDCIdentity
GetIdentities returns a list of connected OIDCIdentities
func (*UserV2) GetRawObject ¶
func (u *UserV2) GetRawObject() interface{}
GetObject returns raw object data, used for migrations
func (*UserV2) GetStatus ¶
func (u *UserV2) GetStatus() LoginStatus
GetStatus returns login status of the user
func (*UserV2) SetCreatedBy ¶
SetCreatedBy sets created by information
func (*UserV2) WebSessionInfo ¶
WebSessionInfo returns web session information about user
type Users ¶ added in v1.0.0
type Users []User
Users represents a slice of users, makes it sort compatible (sorts by username)
type WebSession ¶
type WebSession interface { // GetShortName returns visible short name used in logging GetShortName() string // GetName returns session name GetName() string // GetUser returns the user this session is associated with GetUser() string // SetName sets session name SetName(string) // SetUser sets user associated with this session SetUser(string) // GetPub is returns public certificate signed by auth server GetPub() []byte // GetPriv returns private OpenSSH key used to auth with SSH nodes GetPriv() []byte // BearerToken is a special bearer token used for additional // bearer authentication GetBearerToken() string // SetBearerTokenExpiryTime sets bearer token expiry time SetBearerTokenExpiryTime(time.Time) // SetExpiryTime sets session expiry time SetExpiryTime(time.Time) // GetBearerTokenExpiryTime - absolute time when token expires GetBearerTokenExpiryTime() time.Time // GetExpiryTime - absolute time when web session expires GetExpiryTime() time.Time // V1 returns V1 version of the resource V1() *WebSessionV1 // V2 returns V2 version of the resource V2() *WebSessionV2 // WithoutSecrets returns copy of the web session but without private keys WithoutSecrets() WebSession }
WebSession stores key and value used to authenticate with SSH notes on behalf of user
func NewWebSession ¶
func NewWebSession(name string, spec WebSessionSpecV2) WebSession
NewWebSession returns new instance of the web session based on the V2 spec
type WebSessionMarshaler ¶
type WebSessionMarshaler interface { // UnmarshalWebSession unmarhsals cert authority from binary representation UnmarshalWebSession(bytes []byte) (WebSession, error) // MarshalWebSession to binary representation MarshalWebSession(c WebSession, opts ...MarshalOption) ([]byte, error) // GenerateWebSession generates new web session and is used to // inject additional data in extenstions GenerateWebSession(WebSession) (WebSession, error) // ExtendWebSession extends web session and is used to // inject additional data in extenstions when session is getting renewed ExtendWebSession(WebSession) (WebSession, error) }
WebSessionMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetWebSessionMarshaler ¶
func GetWebSessionMarshaler() WebSessionMarshaler
GetWebSessionMarshaler returns currently set user marshaler
type WebSessionSpecV2 ¶
type WebSessionSpecV2 struct { // User is a user this web session belongs to User string `json:"user"` // Pub is a public certificate signed by auth server Pub []byte `json:"pub"` // Priv is a private OpenSSH key used to auth with SSH nodes Priv []byte `json:"priv,omitempty"` // BearerToken is a special bearer token used for additional // bearer authentication BearerToken string `json:"bearer_token"` // BearerTokenExpires - absolute time when token expires BearerTokenExpires time.Time `json:"bearer_token_expires"` // Expires - absolute time when session expires Expires time.Time `json:"expires"` }
WebSessionSpecV2 is a spec for V2 session
type WebSessionV1 ¶
type WebSessionV1 struct { // ID is session ID ID string `json:"id"` // User is a user this web session is associated with User string `json:"user"` // Pub is a public certificate signed by auth server Pub []byte `json:"pub"` // Priv is a private OpenSSH key used to auth with SSH nodes Priv []byte `json:"priv,omitempty"` // BearerToken is a special bearer token used for additional // bearer authentication BearerToken string `json:"bearer_token"` // Expires - absolute time when token expires Expires time.Time `json:"expires"` }
WebSession stores key and value used to authenticate with SSH nodes on behalf of user
func (*WebSessionV1) GetBearerToken ¶
func (ws *WebSessionV1) GetBearerToken() string
BearerToken is a special bearer token used for additional bearer authentication
func (*WebSessionV1) GetBearerTokenExpiryTime ¶
func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time
GetBearerRoken - absolute time when token expires
func (*WebSessionV1) GetExpiryTime ¶
func (ws *WebSessionV1) GetExpiryTime() time.Time
Expires - absolute time when token expires
func (*WebSessionV1) GetName ¶
func (ws *WebSessionV1) GetName() string
GetName returns session name
func (*WebSessionV1) GetPriv ¶
func (ws *WebSessionV1) GetPriv() []byte
GetPriv returns private OpenSSH key used to auth with SSH nodes
func (*WebSessionV1) GetPub ¶
func (ws *WebSessionV1) GetPub() []byte
GetPub is returns public certificate signed by auth server
func (*WebSessionV1) GetShortName ¶
func (ws *WebSessionV1) GetShortName() string
GetShortName returns visible short name used in logging
func (*WebSessionV1) GetUser ¶
func (ws *WebSessionV1) GetUser() string
GetUser returns the user this session is associated with
func (*WebSessionV1) SetBearerTokenExpiryTime ¶
func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)
SetBearerTokenExpiryTime sets session expiry time
func (*WebSessionV1) SetExpiryTime ¶
func (ws *WebSessionV1) SetExpiryTime(tm time.Time)
SetExpiryTime sets session expiry time
func (*WebSessionV1) SetName ¶
func (ws *WebSessionV1) SetName(name string)
SetName sets session name
func (*WebSessionV1) SetUser ¶
func (ws *WebSessionV1) SetUser(u string)
SetUser sets user associated with this session
func (*WebSessionV1) V1 ¶
func (s *WebSessionV1) V1() *WebSessionV1
V1 returns V1 version of the resource
func (*WebSessionV1) V2 ¶
func (s *WebSessionV1) V2() *WebSessionV2
V2 returns V2 version of the resource
func (*WebSessionV1) WithoutSecrets ¶
func (ws *WebSessionV1) WithoutSecrets() WebSession
WithoutSecrets returns copy of the web session but without private keys
type WebSessionV2 ¶
type WebSessionV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains cert authority specification Spec WebSessionSpecV2 `json:"spec"` }
WebSessionV2 is version 2 spec for session
func (*WebSessionV2) GetBearerToken ¶
func (ws *WebSessionV2) GetBearerToken() string
BearerToken is a special bearer token used for additional bearer authentication
func (*WebSessionV2) GetBearerTokenExpiryTime ¶
func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time
GetBearerTokenExpiryTime - absolute time when token expires
func (*WebSessionV2) GetExpiryTime ¶
func (ws *WebSessionV2) GetExpiryTime() time.Time
GetExpiryTime - absolute time when web session expires
func (*WebSessionV2) GetName ¶
func (ws *WebSessionV2) GetName() string
GetName returns session name
func (*WebSessionV2) GetPriv ¶
func (ws *WebSessionV2) GetPriv() []byte
GetPriv returns private OpenSSH key used to auth with SSH nodes
func (*WebSessionV2) GetPub ¶
func (ws *WebSessionV2) GetPub() []byte
GetPub is returns public certificate signed by auth server
func (*WebSessionV2) GetShortName ¶
func (ws *WebSessionV2) GetShortName() string
GetShortName returns visible short name used in logging
func (*WebSessionV2) GetUser ¶
func (ws *WebSessionV2) GetUser() string
GetUser returns the user this session is associated with
func (*WebSessionV2) SetBearerTokenExpiryTime ¶
func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)
SetBearerTokenExpiryTime sets bearer token expiry time
func (*WebSessionV2) SetExpiryTime ¶
func (ws *WebSessionV2) SetExpiryTime(tm time.Time)
SetExpiryTime sets session expiry time
func (*WebSessionV2) SetName ¶
func (ws *WebSessionV2) SetName(name string)
SetName sets session name
func (*WebSessionV2) SetUser ¶
func (ws *WebSessionV2) SetUser(u string)
SetUser sets user associated with this session
func (*WebSessionV2) V1 ¶
func (ws *WebSessionV2) V1() *WebSessionV1
V1 returns V1 version of the object
func (*WebSessionV2) V2 ¶
func (ws *WebSessionV2) V2() *WebSessionV2
V2 returns V2 version of the resource
func (*WebSessionV2) WithoutSecrets ¶
func (ws *WebSessionV2) WithoutSecrets() WebSession
WithoutSecrets returns copy of the object but without secrets
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd |