identity

Constants

// Artifact keys: the names under which the pieces of a bot identity are stored
// in a destination (for a file based destination, the file name).
const (
	// TLSCertKey is the name under which TLS certificates exist in a destination.
	TLSCertKey = "tlscert"

	// SSHCertKey is the name under which SSH certificates exist in a destination.
	SSHCertKey = "key-cert.pub"

	// SSHCACertsKey is the name under which SSH CA certificates exist in a destination.
	SSHCACertsKey = "sshcacerts"

	// TLSCACertsKey is the name under which TLS CA certificates exist in a destination.
	TLSCACertsKey = "tlscacerts"

	// PrivateKeyKey is the name under which the private key exists in a destination.
	// The same private key is used for SSH and TLS certificates, so this single
	// artifact is the secret material for the whole identity.
	PrivateKeyKey = "key"

	// PublicKeyKey is the ssh public key, required for successful SSH connections.
	PublicKeyKey = "key.pub"

	// TokenHashKey is the key where a hash of the onboarding token will be stored.
	TokenHashKey = "tokenhash"

	// WriteTestKey is the key for a file used to check that the destination is
	// writable (see VerifyWrite).
	WriteTestKey = ".write-test"
)

Variables

This section is empty.

Functions

func ListKeys

func ListKeys(kinds ...ArtifactKind) []string

ListKeys returns a list of artifact keys that will be written given a list of artifacts.

func ParseTLSIdentity

func ParseTLSIdentity(
	keyBytes []byte, certBytes []byte, caCertsBytes [][]byte,
) (clusterName string, x509Cert *x509.Certificate, tlsCert *tls.Certificate, certPool *x509.CertPool, err error)

ParseTLSIdentity reads a TLS identity from the given private key, certificate and CA certificate bytes.

func SaveIdentity

func SaveIdentity(ctx context.Context, id *Identity, d bot.Destination, kinds ...ArtifactKind) error

SaveIdentity saves a bot identity to a destination.

func VerifyWrite

func VerifyWrite(ctx context.Context, dest bot.Destination) error

VerifyWrite attempts to write to the .write-test artifact inside the given destination. It should be called before attempting a renewal to help ensure we won't then fail to save the identity.

Types

type Artifact

// Artifact is a component of a serialized identity: one named piece of data
// that can be written to, and read back from, a destination.
type Artifact struct {
	// Key is the name that this artifact should be stored under within a
	// destination. For a file based destination, this will be the file name.
	Key string
	// Kind controls whether this artifact is selected for a requested set of
	// kinds (see ArtifactKind and Matches).
	Kind ArtifactKind
	// ToBytes produces the raw bytes of this artifact from an Identity; this
	// is what gets written to the destination.
	ToBytes func(*Identity) []byte
	// FromBytes consumes the raw bytes read from the destination, populating
	// the given certs and/or load parameters. Which of the two each artifact
	// fills in is artifact-specific; see the per-artifact implementation.
	FromBytes func(*proto.Certs, *LoadIdentityParams, []byte)

	// Optional indicates whether or not an identity should fail to load if this
	// key is missing.
	Optional bool

	// OldKey allows an artifact to be migrated from an older key to a new key.
	// If this value is set, and we are unable to load from Key, we will try
	// and load from OldKey.
	OldKey string
}

Artifact is a component of a serialized identity.

func GetArtifacts

func GetArtifacts() []Artifact

func (*Artifact) Matches

func (a *Artifact) Matches(kinds ...ArtifactKind) bool

Matches returns true if this artifact's Kind matches any one of the given kinds, or if its kind is KindAlways.

type ArtifactKind

// ArtifactKind is a type of identity artifact that can be stored and loaded.
// Artifact.Matches uses it to decide whether an artifact is included for a
// given set of kinds.
type ArtifactKind string

ArtifactKind is a type of identity artifact that can be stored and loaded.

// Known artifact kinds. KindAlways artifacts are included whatever kinds are
// requested (see Artifact.Matches).
const (
	// KindAlways identifies identity resources that should always be
	// generated.
	KindAlways ArtifactKind = "always"

	// KindBotInternal identifies resources that should only be stored in the
	// bot's internal data directory.
	KindBotInternal ArtifactKind = "bot-internal"
)

func BotKinds

func BotKinds() []ArtifactKind

BotKinds returns a list of all artifact kinds used internally by the bot. End-user destinations may contain a different set of artifacts.

func DestinationKinds

func DestinationKinds() []ArtifactKind

DestinationKinds returns a list of all artifact kinds that should be written to end-user destinations.

type Facade

// Facade manages storing a rotating identity, and presenting it as something
// compatible with client.Credentials. The current identity is read with Get
// and replaced with Set; Dialer, SSHClientConfig and TLSConfig expose client
// configuration (presumably built from the current identity — confirm against
// the method bodies).
type Facade struct {
	// contains filtered or unexported fields
}

Facade manages storing a rotating identity, and presenting it as something compatible with client.Credentials.

func NewFacade

func NewFacade(
	fips bool,
	insecure bool,
	initialIdentity *Identity,
) *Facade

func (*Facade) Dialer

func (f *Facade) Dialer(_ client.Config) (client.ContextDialer, error)

func (*Facade) Get

func (f *Facade) Get() *Identity

func (*Facade) SSHClientConfig

func (f *Facade) SSHClientConfig() (*ssh.ClientConfig, error)

func (*Facade) Set

func (f *Facade) Set(newIdentity *Identity)

func (*Facade) TLSConfig

func (f *Facade) TLSConfig() (*tls.Config, error)

type Identity

// Identity is a collection of raw key and certificate data, as well as the
// parsed equivalents, that make up a Teleport identity. The raw byte fields
// are what is serialized to a destination; the parsed fields are derived from
// them by ReadIdentityFromStore.
type Identity struct {
	// PrivateKeyBytes is a PEM encoded private key. This is the identity's
	// secret material; the same key backs both the SSH and TLS certificates.
	PrivateKeyBytes []byte
	// PublicKeyBytes contains bytes of the original SSH public key
	PublicKeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	// NOTE(review): presumably the artifact stored under SSHCertKey — confirm.
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertsBytes is a list of PEM encoded TLS x509 certificates of the
	// certificate authorities associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// TokenHashBytes is the hash of the original join token
	TokenHashBytes []byte

	// Below fields are "computed" by ReadIdentityFromStore - this essentially
	// validates the raw data and saves these being continually recomputed.
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// SSHCert is a parsed SSH certificate
	SSHCert *ssh.Certificate
	// SSHHostCheckers holds the parsed SSH CAs
	SSHHostCheckers []ssh.PublicKey
	// X509Cert is the parsed X509 client certificate
	X509Cert *x509.Certificate
	// TLSCAPool is the parsed TLS CAs
	TLSCAPool *x509.CertPool
	// TLSCert is the parsed TLS client certificate
	TLSCert *tls.Certificate
	// ClusterName is a name of host's cluster determined from the
	// x509 certificate.
	ClusterName string
}

Identity is a collection of raw key and certificate data, as well as the parsed equivalents, that make up a Teleport identity.

func LoadIdentity

func LoadIdentity(ctx context.Context, d bot.Destination, kinds ...ArtifactKind) (*Identity, error)

LoadIdentity loads a bot identity from a destination.

func ReadIdentityFromStore

func ReadIdentityFromStore(params *LoadIdentityParams, certs *proto.Certs) (*Identity, error)

ReadIdentityFromStore reads stored identity credentials.

func (*Identity) Params

func (i *Identity) Params() *LoadIdentityParams

Params returns the LoadIdentityParams for this Identity, which are the local-only parameters to be carried over to a renewed identity.

func (*Identity) String

func (i *Identity) String() string

String returns a user-friendly representation of the identity.

type LoadIdentityParams

// LoadIdentityParams contains parameters beyond proto.Certs needed to load a
// stored identity: the local-only material that is carried over to a renewed
// identity (see Identity.Params).
type LoadIdentityParams struct {
	// PrivateKeyBytes is the PEM encoded private key (see Identity.PrivateKeyBytes).
	PrivateKeyBytes []byte
	// PublicKeyBytes is the original SSH public key (see Identity.PublicKeyBytes).
	PublicKeyBytes []byte
	// TokenHashBytes is the hash of the original join token (see Identity.TokenHashBytes).
	TokenHashBytes []byte
}

LoadIdentityParams contains parameters beyond proto.Certs needed to load a stored identity.
