Documentation
¶
Index ¶
- Constants
- type ClusterGetter
- type DialParams
- type FakeRemoteSite
- func (s *FakeRemoteSite) CachingAccessPoint() (auth.RemoteProxyAccessPoint, error)
- func (s *FakeRemoteSite) Close() error
- func (s *FakeRemoteSite) Dial(params DialParams) (net.Conn, error)
- func (s *FakeRemoteSite) DialCount() int64
- func (s *FakeRemoteSite) GetName() string
- func (s *FakeRemoteSite) ProxyConn() <-chan net.Conn
- type FakeServer
- type RemoteSite
- type Resolver
- type Server
- type Tunnel
- type TunnelAuthDialer
- type TunnelAuthDialerConfig
- type TunnelWithRoles
Constants ¶
View Source
const ( // LocalNode is a special non-resolvable address that indicates the request // wants to connect to a dialed back node. LocalNode = "@local-node" // RemoteAuthServer is a special non-resolvable address that indicates client // requests a connection to the remote auth server. RemoteAuthServer = "@remote-auth-server" // LocalKubernetes is a special non-resolvable address that indicates that clients // requests a connection to the kubernetes endpoint of the local proxy. // This has to be a valid domain name, so it lacks @ LocalKubernetes = "remote.kube.proxy." + constants.APIDomain // LocalWindowsDesktop is a special non-resolvable address that indicates // that clients requests a connection to the windows service endpoint of // the local proxy. // This has to be a valid domain name, so it lacks @ LocalWindowsDesktop = "remote.windows_desktop.proxy." + constants.APIDomain )
View Source
const ( // NoApplicationTunnel is the error message returned when application // reverse tunnel cannot be found. // // It usually happens when an app agent has shut down (or crashed) but // hasn't expired from the backend yet. NoApplicationTunnel = "could not find reverse tunnel, check that Application Service agent proxying this application is up and running" // NoDatabaseTunnel is the error message returned when database reverse // tunnel cannot be found. // // It usually happens when a database agent has shut down (or crashed) but // hasn't expired from the backend yet. NoDatabaseTunnel = "could not find reverse tunnel, check that Database Service agent proxying this database is up and running" // NoOktaTunnel is the error message returned when an Okta // reverse tunnel cannot be found. // // It usually happens when an Okta service has shut down (or crashed) but // hasn't expired from the backend yet. NoOktaTunnel = "could not find reverse tunnel, check that Okta Service agent proxying this application is up and running" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClusterGetter ¶
type ClusterGetter interface {
// GetRemoteCluster returns a remote cluster by name
GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
}
ClusterGetter is an interface that defines GetRemoteCluster method
type DialParams ¶
type DialParams struct {
// From is the source address.
From net.Addr
// To is the destination address.
To net.Addr
// GetUserAgent gets an SSH agent for use in connecting to the remote host. Used by the
// forwarding proxy.
GetUserAgent teleagent.Getter
// IsAgentlessNode indicates whether the Node is an OpenSSH Node.
// This includes Nodes whose sub kind is OpenSSH and OpenSSHEICE.
IsAgentlessNode bool
// AgentlessSigner is used for authenticating to the remote host when it is an
// agentless node.
AgentlessSigner ssh.Signer
// Address is used by the forwarding proxy to generate a host certificate for
// the target node. This is needed because while dialing occurs via IP
// address, tsh thinks it's connecting via DNS name and that's how it
// validates the host certificate.
Address string
// Principals are additional principals that need to be added to the host
// certificate. Used by the recording proxy to correctly generate a host
// certificate.
Principals []string
// ServerID the hostUUID.clusterName of a Teleport node. Used with nodes
// that are connected over a reverse tunnel.
ServerID string
// ProxyIDs is a list of proxy ids the node is connected to.
ProxyIDs []string
// ConnType is the type of connection requested, either node or application.
// Only used when connecting through a tunnel.
ConnType types.TunnelType
// TargetServer is the host that the connection is being established for.
// It **MUST** only be populated when the target is a teleport ssh server
// or an agentless server.
TargetServer types.Server
// FromPeerProxy indicates that the dial request is being tunneled from
// a peer proxy.
FromPeerProxy bool
// OriginalClientDstAddr is used in PROXY headers to show where client originally contacted Teleport infrastructure
OriginalClientDstAddr net.Addr
}
DialParams is a list of parameters used to Dial to a node within a cluster.
func (DialParams) String ¶
func (params DialParams) String() string
type FakeRemoteSite ¶
type FakeRemoteSite struct {
RemoteSite
// Name is the remote site name.
Name string
// AccessPoint is the auth server client.
AccessPoint auth.RemoteProxyAccessPoint
// OfflineTunnels is a list of server IDs that will return connection error.
OfflineTunnels map[string]struct{}
// contains filtered or unexported fields
}
FakeRemoteSite is a fake reversetunnelclient.RemoteSite implementation used in tests.
func NewFakeRemoteSite ¶
func NewFakeRemoteSite(clusterName string, accessPoint auth.RemoteProxyAccessPoint) *FakeRemoteSite
NewFakeRemoteSite is a FakeRemoteSite constructor.
func (*FakeRemoteSite) CachingAccessPoint ¶
func (s *FakeRemoteSite) CachingAccessPoint() (auth.RemoteProxyAccessPoint, error)
CachingAccessPoint returns caching auth server client.
func (*FakeRemoteSite) Close ¶
func (s *FakeRemoteSite) Close() error
func (*FakeRemoteSite) Dial ¶
func (s *FakeRemoteSite) Dial(params DialParams) (net.Conn, error)
Dial returns the connection to the remote site.
func (*FakeRemoteSite) DialCount ¶
func (s *FakeRemoteSite) DialCount() int64
func (*FakeRemoteSite) GetName ¶
func (s *FakeRemoteSite) GetName() string
GetName returns the remote site name.
func (*FakeRemoteSite) ProxyConn ¶
func (s *FakeRemoteSite) ProxyConn() <-chan net.Conn
ProxyConn returns proxy connection channel with incoming connections.
type FakeServer ¶
type FakeServer struct {
Server
// Sites is a list of sites registered via this fake reverse tunnel.
Sites []RemoteSite
}
FakeServer is a fake Server implementation used in tests.
func (*FakeServer) GetSite ¶
func (s *FakeServer) GetSite(name string) (RemoteSite, error)
GetSite returns the remote site by name.
func (*FakeServer) GetSites ¶
func (s *FakeServer) GetSites() ([]RemoteSite, error)
GetSites returns all available remote sites.
type RemoteSite ¶
type RemoteSite interface {
// DialAuthServer returns a net.Conn to the Auth Server of a site.
DialAuthServer(DialParams) (conn net.Conn, err error)
// Dial dials any address within the site network, in terminating
// mode it uses local instance of forwarding server to terminate
// and record the connection.
Dial(DialParams) (conn net.Conn, err error)
// DialTCP dials any address within the site network and
// ignores recording mode, used in components that need direct dialer.
DialTCP(DialParams) (conn net.Conn, err error)
// GetLastConnected returns last time the remote site was seen connected
GetLastConnected() time.Time
// GetName returns site name (identified by authority domain's name)
GetName() string
// GetStatus returns status of this site (either offline or connected)
GetStatus() string
// GetClient returns client connected to remote auth server
GetClient() (auth.ClientI, error)
// CachingAccessPoint returns access point that is lightweight
// but is resilient to auth server crashes
CachingAccessPoint() (auth.RemoteProxyAccessPoint, error)
// NodeWatcher returns the node watcher that maintains the node set for the site
NodeWatcher() (*services.NodeWatcher, error)
// GetTunnelsCount returns the amount of active inbound tunnels
// from the remote cluster
GetTunnelsCount() int
// IsClosed reports whether this RemoteSite has been closed and should no
// longer be used.
IsClosed() bool
// Closer allows the site to be closed
io.Closer
}
RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy
There are two implementations of this interface: local and remote sites.
type Resolver ¶
Resolver looks up reverse tunnel addresses
func CachingResolver ¶
func CachingResolver(ctx context.Context, resolver Resolver, clock clockwork.Clock) (Resolver, error)
CachingResolver wraps the provided Resolver with one that will cache the previous result for 3 seconds to reduce the number of resolutions in an effort to mitigate potentially overwhelming the Resolver source.
func StaticResolver ¶
func StaticResolver(address string, mode types.ProxyListenerMode) Resolver
StaticResolver returns a Resolver which will always resolve to the provided address
func WebClientResolver ¶
WebClientResolver returns a Resolver which uses the web proxy to discover where the SSH reverse tunnel server is running.
type Server ¶
type Server interface {
Tunnel
// Start starts server
Start() error
// Close closes server's operations immediately
Close() error
// DrainConnections closes listeners and begins draining connections without
// closing open connections.
DrainConnections(context.Context) error
// Shutdown performs graceful server shutdown closing open connections.
Shutdown(context.Context) error
// Wait waits for server to close all outstanding operations
Wait(ctx context.Context)
// GetProxyPeerClient returns the proxy peer client
GetProxyPeerClient() *peer.Client
// TrackUserConnection tracks a user connection that should prevent
// the server from being terminated if active. The returned function
// should be called when the connection is terminated.
TrackUserConnection() (release func())
}
Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.
type Tunnel ¶
type Tunnel interface {
// GetSites returns a list of connected remote sites
GetSites() ([]RemoteSite, error)
// GetSite returns remote site this node belongs to
GetSite(domainName string) (RemoteSite, error)
}
Tunnel provides access to connected local or remote clusters using unified interface.
type TunnelAuthDialer ¶
type TunnelAuthDialer struct {
// TunnelAuthDialerConfig is the TunnelAuthDialer configuration.
TunnelAuthDialerConfig
}
TunnelAuthDialer connects to the Auth Server through the reverse tunnel.
func NewTunnelAuthDialer ¶
func NewTunnelAuthDialer(config TunnelAuthDialerConfig) (*TunnelAuthDialer, error)
NewTunnelAuthDialer creates a new instance of TunnelAuthDialer
func (*TunnelAuthDialer) DialContext ¶
DialContext dials auth server via SSH tunnel
type TunnelAuthDialerConfig ¶
type TunnelAuthDialerConfig struct {
// Resolver retrieves the address of the proxy
Resolver Resolver
// ClientConfig is SSH tunnel client config
ClientConfig *ssh.ClientConfig
// Log is used for logging.
Log logrus.FieldLogger
// InsecureSkipTLSVerify is whether to skip certificate validation.
InsecureSkipTLSVerify bool
// ClusterCAs contains cluster CAs.
ClusterCAs *x509.CertPool
}
TunnelAuthDialerConfig specifies TunnelAuthDialer configuration.
func (*TunnelAuthDialerConfig) CheckAndSetDefaults ¶
func (c *TunnelAuthDialerConfig) CheckAndSetDefaults() error
type TunnelWithRoles ¶
type TunnelWithRoles struct {
// contains filtered or unexported fields
}
TunnelWithRoles authorizes requests
func NewTunnelWithRoles ¶
func NewTunnelWithRoles(tunnel Tunnel, localCluster string, accessChecker services.AccessChecker, access ClusterGetter) *TunnelWithRoles
NewTunnelWithRoles returns new authorizing tunnel
func (*TunnelWithRoles) GetSite ¶
func (t *TunnelWithRoles) GetSite(clusterName string) (RemoteSite, error)
GetSite returns remote site this node belongs to
func (*TunnelWithRoles) GetSites ¶
func (t *TunnelWithRoles) GetSites() ([]RemoteSite, error)
GetSites returns a list of connected remote sites
Source Files
Click to show internal directories.
Click to hide internal directories.