auth

package
v4.0.7+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 11, 2019 License: Apache-2.0 Imports: 78 Imported by: 0

Documentation

Overview

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
)
View Source
const (
	// CurrentVersion is a current API version
	CurrentVersion = services.V2

	// MissingNamespaceError is a _very_ common error this file generatets
	MissingNamespaceError = "missing required parameter: namespace"
)
View Source
const (
	// GithubAuthURL is the Github authorization endpoint
	GithubAuthURL = "https://github.com/login/oauth/authorize"

	// GithubTokenURL is the Github token exchange endpoint
	GithubTokenURL = "https://github.com/login/oauth/access_token"

	// GithubAPIURL is the Github base API URL
	GithubAPIURL = "https://api.github.com"

	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
View Source
const (
	// IdentityNameCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity crdentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
View Source
const ContextUser = "teleport-user"

ContextUser is a user set in the context of the request

View Source
const IdentitySpecV2Schema = `` /* 415-byte string literal not displayed */

IdentitySpecV2Schema is a schema for identity spec.

View Source
const StateSpecV2Schema = `{
  "type": "object",
  "additionalProperties": false,
  "required": ["rotation"],
  "properties": {
    "rotation": %v
  }
}`

StateSpecV2Schema is a schema for local server state.

Variables

View Source
var (
	// GithubScopes is a list of scopes requested during OAuth2 flow
	GithubScopes = []string{

		"read:org",
	}
)

Functions

func CertAuthorityInfo

func CertAuthorityInfo(ca services.CertAuthority) string

CertAuthorityInfo returns debugging information about certificate authority

func CertInfo

func CertInfo(cert *x509.Certificate) string

CertInfo returns diagnostic information about certificate

func ClientCertPool

func ClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, error)

ClientCertPool returns trusted x509 cerificate authority pool

func ClientTimeout

func ClientTimeout(timeout time.Duration) roundtrip.ClientParam

ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.

func CreateUploaderDir

func CreateUploaderDir(dir string) error

CreateUploaderDir creates directory for file uploader service

func CreateUserAndRole

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRole creates user and role and assignes role to a user, used in tests

func CreateUserAndRoleWithoutRoles

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests

func DecodeClusterName

func DecodeClusterName(serverName string) (string, error)

DecodeClusterName decodes cluster name, returns NotFound if no cluster name is encoded (empty subdomain), so servers can detect cases when no server name passed returns BadParameter if encoding does not match

func EncodeClusterName

func EncodeClusterName(clusterName string) string

EncodeClusterName encodes cluster name in the SNI hostname

func ExtractHostID

func ExtractHostID(hostName string, clusterName string) (string, error)

ExtractHostID returns host id based on the hostname

func GenerateCertificate

func GenerateCertificate(authServer *AuthServer, identity TestIdentity) ([]byte, []byte, error)

GenerateCertificate generates certificate for identity, returns private public key pair

func GetCheckerForBuiltinRole

func GetCheckerForBuiltinRole(clusterName string, clusterConfig services.ClusterConfig, role teleport.Role) (services.RoleSet, error)

GetCheckerForBuiltinRole returns checkers for embedded builtin role

func GetIdentitySchema

func GetIdentitySchema() string

GetIdentitySchema returns JSON Schema for cert authorities.

func GetStateSchema

func GetStateSchema() string

GetStateSchema returns JSON Schema for cert authorities.

func HostFQDN

func HostFQDN(hostUUID, clusterName string) string

HostFQDN consits of host UUID and cluster name joined via .

func NewAPIServer

func NewAPIServer(config *APIConfig) http.Handler

NewAPIServer returns a new instance of APIServer HTTP handler

func NewGRPCServer

func NewGRPCServer(cfg APIConfig) http.Handler

NewGRPCServer returns a new instance of GRPC server

func SetPlugin

func SetPlugin(p Plugin)

SetPlugin sets plugin for the auth API server

func TLSCertInfo

func TLSCertInfo(cert *tls.Certificate) string

TLSCertInfo returns diagnostic information about certificate

Types

type APIConfig added in v1.0.0

type APIConfig struct {
	AuthServer     *AuthServer
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
}

type APIServer

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements http API server for AuthServer interface

type AccessCache

type AccessCache interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)
}

AccessCache is a subset of the interface working on the certificate authorities

type AccessPoint

type AccessPoint interface {
	// ReadAccessPoint provides methods to read data
	ReadAccessPoint
	// Announcer adds methods used to announce presence
	Announcer

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(conn services.TunnelConnection) error

	// DeleteTunnelConnection deletes tunnel connection
	DeleteTunnelConnection(clusterName, connName string) error
}

AccessPoint is an API interface implemented by a certificate authority (CA)

func NewWrapper

func NewWrapper(writer AccessPoint, cache ReadAccessPoint) AccessPoint

NewWrapper returns new access point wrapper

func NoCache

func NoCache(clt ClientI, cacheName []string) (AccessPoint, error)

NoCache is a no cache used for access point

type Announcer

type Announcer interface {
	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server) (*services.KeepAlive, error)

	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server) error

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(s services.Server) error

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (services.KeepAliver, error)
}

Announcer specifies interface responsible for announcing presence

type AuthCache

type AuthCache interface {
	ReadAccessPoint

	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() (services.StaticTokens, error)

	// GetTokens returns all active (non-expired) provisioning tokens
	GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

	// GetToken finds and returns token by ID
	GetToken(token string) (services.ProvisionToken, error)

	// NewWatcher returns a new event watcher
	NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)
}

AuthCache is a subset of the auth interface hanlding access to the discovery API and static tokens

type AuthContext

type AuthContext struct {
	// User is the user name
	User services.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity is x509 derived identity.
	Identity tlsca.Identity
}

AuthContext is authorization context

func NewAdminContext

func NewAdminContext() (*AuthContext, error)

NewAdminContext returns new admin auth context

type AuthMiddleware

type AuthMiddleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessCache
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage,
	// if set, will accept certificates with non-limited usage,
	// and usage exactly matching the specified values.
	AcceptedUsage []string
}

AuthMiddleware is authentication middleware checking every request

func (*AuthMiddleware) GetUser

func (a *AuthMiddleware) GetUser(r *http.Request) (IdentityGetter, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*AuthMiddleware) ServeHTTP

func (a *AuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*AuthMiddleware) Wrap

func (a *AuthMiddleware) Wrap(h http.Handler)

Wrap sets next handler in chain

type AuthServer

type AuthServer struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// AuthServices encapsulate services - provisioner, trust, etc
	// used by the auth server in a separate structure
	AuthServices
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func Init

func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error)

Init instantiates and configures an instance of AuthServer

func NewAuthServer

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, error)

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) AuthenticateSSHUser

func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates web user, creates and returns web session in case if authentication is successful

func (*AuthServer) AuthenticateUser

func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error

AuthenticateUser authenticates user based on the request type

func (*AuthServer) AuthenticateWebUser

func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful. In case if existing session id is used to authenticate, returns session associated with the existing session id instead of creating the new one

func (*AuthServer) ChangePassword

func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user passsword

func (*AuthServer) CheckOTP

func (s *AuthServer) CheckOTP(user string, otpToken string) error

CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.

func (*AuthServer) CheckPassword

func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.

func (*AuthServer) CheckPasswordWOToken

func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking OTP tokens used in case of SSH authentication, when token has been validated.

func (*AuthServer) CheckU2FSignResponse added in v1.3.0

func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error

func (*AuthServer) Close added in v1.0.0

func (a *AuthServer) Close() error

func (*AuthServer) CreateGithubAuthRequest

func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*AuthServer) CreateOIDCAuthRequest added in v1.0.0

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateSAMLAuthRequest

func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthServer) CreateSignupToken

func (s *AuthServer) CreateSignupToken(userv1 services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*AuthServer) CreateSignupU2FRegisterRequest added in v1.3.0

func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthServer) CreateUserWithOTP

func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.

func (*AuthServer) CreateUserWithU2FToken added in v1.3.0

func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)

func (*AuthServer) CreateUserWithoutOTP

func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP creates an account with the provided password and deletes the token afterwards.

func (*AuthServer) DeleteNamespace

func (s *AuthServer) DeleteNamespace(namespace string) error

func (*AuthServer) DeleteOIDCConnector

func (s *AuthServer) DeleteOIDCConnector(connectorName string) error

func (*AuthServer) DeleteRemoteCluster

func (a *AuthServer) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it

func (*AuthServer) DeleteRole

func (a *AuthServer) DeleteRole(name string) error

func (*AuthServer) DeleteSAMLConnector

func (s *AuthServer) DeleteSAMLConnector(connectorName string) error

func (*AuthServer) DeleteToken

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteTrustedCluster

func (a *AuthServer) DeleteTrustedCluster(name string) error

DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*AuthServer) DeleteUser

func (a *AuthServer) DeleteUser(user string) error

func (*AuthServer) DeleteWebSession

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExtendWebSession added in v1.0.0

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string, identity *tlsca.Identity) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) GenerateHostCert

func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*AuthServer) GenerateServerKeys added in v1.0.0

func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthServer) GenerateToken

func (s *AuthServer) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token

func (*AuthServer) GenerateUserCerts

func (a *AuthServer) GenerateUserCerts(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, []byte, error)

GenerateUserCerts is used to generate user certificate, used internally for tests

func (*AuthServer) GetAllTunnelConnections

func (a *AuthServer) GetAllTunnelConnections(opts ...services.MarshalOption) (conns []services.TunnelConnection, err error)

GetAllTunnelConnections is a part of auth.AccessPoint implementation GetAllTunnelConnections are not using recent cache, as they are designed to be called periodically and always return fresh data

func (*AuthServer) GetCache

func (a *AuthServer) GetCache() AuthCache

GetCache returns cache used by auth server

func (*AuthServer) GetCertAuthorities

func (a *AuthServer) GetCertAuthorities(caType services.CertAuthType, loadSigningKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of authorities of a given type loadSigningKeys controls whether signing keys should be loaded or not

func (*AuthServer) GetCertAuthority

func (a *AuthServer) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*AuthServer) GetClock

func (a *AuthServer) GetClock() clockwork.Clock

func (*AuthServer) GetClusterCACert

func (a *AuthServer) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthServer) GetClusterConfig

func (a *AuthServer) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig gets ClusterConfig from the backend.

func (*AuthServer) GetClusterName

func (a *AuthServer) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetDomainName added in v1.2.6

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetNamespace

func (a *AuthServer) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace

func (*AuthServer) GetNamespaces

func (a *AuthServer) GetNamespaces() ([]services.Namespace, error)

GetNamespaces is a part of auth.AccessPoint implementation

func (*AuthServer) GetNodes

func (a *AuthServer) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

GetNodes is a part of auth.AccessPoint implementation

func (*AuthServer) GetOTPData

func (s *AuthServer) GetOTPData(user string) (string, []byte, error)

GetOTPData returns the OTP Key, Key URL, and the QR code.

func (*AuthServer) GetProxies

func (a *AuthServer) GetProxies() ([]services.Server, error)

GetProxies is a part of auth.AccessPoint implementation

func (*AuthServer) GetRemoteCluster

func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*AuthServer) GetRemoteClusters

func (a *AuthServer) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns remote clusters with updated statuses

func (*AuthServer) GetReverseTunnels

func (a *AuthServer) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

GetReverseTunnels is a part of auth.AccessPoint implementation

func (*AuthServer) GetRole

func (a *AuthServer) GetRole(name string) (services.Role, error)

GetRole is a part of auth.AccessPoint implementation

func (*AuthServer) GetRoles

func (a *AuthServer) GetRoles() ([]services.Role, error)

GetRoles is a part of auth.AccessPoint implementation

func (*AuthServer) GetSignupTokenData

func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)

GetSignupTokenData returns token data (username and QR code bytes) for a valid signup token.

func (*AuthServer) GetStaticTokens

func (a *AuthServer) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthServer) GetToken

func (a *AuthServer) GetToken(token string) (services.ProvisionToken, error)

GetToken finds and returns token by ID

func (*AuthServer) GetTokens added in v1.0.0

func (s *AuthServer) GetTokens(opts ...services.MarshalOption) (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*AuthServer) GetTunnelConnections

func (a *AuthServer) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetTunnelConnections is a part of auth.AccessPoint implementation GetTunnelConnections are not using recent cache as they are designed to be called periodically and always return fresh data

func (*AuthServer) GetUser

func (a *AuthServer) GetUser(name string) (user services.User, err error)

GetUser is a part of auth.AccessPoint implementation.

func (*AuthServer) GetUsers

func (a *AuthServer) GetUsers() (users []services.User, err error)

GetUsers is a part of auth.AccessPoint implementation

func (*AuthServer) GetWebSession

func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)

func (*AuthServer) NewKeepAliver

func (a *AuthServer) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*AuthServer) NewWatcher

func (a *AuthServer) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher. In case of an auth server this watcher will return events as seen by the auth server's in memory cache, not the backend.

func (*AuthServer) NewWebSession

func (s *AuthServer) NewWebSession(username string, roles []string, traits wrappers.Traits) (services.WebSession, error)

func (*AuthServer) PreAuthenticatedSignIn added in v1.3.0

func (s *AuthServer) PreAuthenticatedSignIn(user string, identity *tlsca.Identity) (services.WebSession, error)

PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge

func (*AuthServer) ProcessKubeCSR

func (s *AuthServer) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.

func (*AuthServer) RegisterNewAuthServer

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken

func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.

func (*AuthServer) RotateCertAuthority

func (a *AuthServer) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

Rotation procedure is based on the state machine approach.

Here are the supported rotation states:

  • Standby - the cluster is in standby mode and ready to take action.
  • In-progress - cluster CA rotation is in progress.

In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.

Here are the supported phases:

* Standby - no action is taken.

* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.

This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.

* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".

* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.

* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will loose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.

Rotation modes

There are two rotation modes supported - manual or automatic.

* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.

* Automatic mode performs automatic transition between phases on a given schedule. Schedule is a time table that specifies exact date when the next phase should take place. If automatic transition between any phase fails, the rotation switches back to the manual mode and stops execution phases on the schedule. If schedule is not specified, it will be auto generated based on the "grace period" duration parameter, and time between all phases will be evenly split over the grace period duration.

It is possible to switch from automatic to manual by setting the phase to the rollback phase.

func (*AuthServer) RotateExternalCertAuthority

func (a *AuthServer) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthServer) SetAuditLog

func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*AuthServer) SetCache

func (a *AuthServer) SetCache(clt AuthCache)

SetCache sets cache used by auth server

func (*AuthServer) SetClock

func (a *AuthServer) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*AuthServer) U2FSignRequest added in v1.3.0

func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthServer) UpsertOIDCConnector

func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthServer) UpsertSAMLConnector

func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthServer) UpsertTrustedCluster

func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*AuthServer) UpsertUser

func (a *AuthServer) UpsertUser(user services.User) error

func (*AuthServer) UpsertWebSession

func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error

func (*AuthServer) ValidateGithubAuthCallback

func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback redirect

func (*AuthServer) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*AuthServer) ValidateSAMLResponse

func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from SAML identity provider

func (*AuthServer) ValidateToken

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found.

func (*AuthServer) WithUserLock

func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval

type AuthServerOption added in v1.0.0

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthWithRoles

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles

func NewAuthWithRoles(ctx AuthContext, authServer *AuthServer, sessions session.Service, alog events.IAuditLog) *AuthWithRoles

func (*AuthWithRoles) ActivateCertAuthority

func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) AuthenticateSSHUser

func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*AuthWithRoles) AuthenticateWebUser

func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful

func (*AuthWithRoles) ChangePassword

func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error

func (*AuthWithRoles) CheckPassword

func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*AuthWithRoles) Close

func (a *AuthWithRoles) Close() error

func (*AuthWithRoles) CompareAndSwapCertAuthority

func (a *AuthWithRoles) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*AuthWithRoles) CreateCertAuthority

func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error

func (*AuthWithRoles) CreateGithubAuthRequest

func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

func (*AuthWithRoles) CreateGithubConnector

func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) CreateOIDCAuthRequest added in v1.0.0

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateRemoteCluster

func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error

func (*AuthWithRoles) CreateRole

func (a *AuthWithRoles) CreateRole(role services.Role) error

CreateRole creates a role.

func (*AuthWithRoles) CreateSAMLAuthRequest

func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthWithRoles) CreateSAMLConnector

func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) CreateSession added in v1.0.0

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken

func (a *AuthWithRoles) CreateSignupToken(user services.UserV1, ttl time.Duration) (token string, e error)

func (*AuthWithRoles) CreateUserWithOTP

func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithU2FToken added in v1.3.0

func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

func (*AuthWithRoles) CreateUserWithoutOTP

func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

func (*AuthWithRoles) DeactivateCertAuthority

func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteAllAuthServers

func (a *AuthWithRoles) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*AuthWithRoles) DeleteAllCertAuthorities

func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*AuthWithRoles) DeleteAllNamespaces

func (a *AuthWithRoles) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*AuthWithRoles) DeleteAllNodes

func (a *AuthWithRoles) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*AuthWithRoles) DeleteAllProxies

func (a *AuthWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*AuthWithRoles) DeleteAllRemoteClusters

func (a *AuthWithRoles) DeleteAllRemoteClusters() error

func (*AuthWithRoles) DeleteAllReverseTunnels

func (a *AuthWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*AuthWithRoles) DeleteAllRoles

func (a *AuthWithRoles) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*AuthWithRoles) DeleteAllTokens

func (a *AuthWithRoles) DeleteAllTokens() error

DeleteAllTokens deletes all tokens

func (*AuthWithRoles) DeleteAllTunnelConnections

func (a *AuthWithRoles) DeleteAllTunnelConnections() error

func (*AuthWithRoles) DeleteAllUsers

func (a *AuthWithRoles) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*AuthWithRoles) DeleteAuthServer

func (a *AuthWithRoles) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteClusterConfig

func (a *AuthWithRoles) DeleteClusterConfig() error

DeleteClusterConfig deletes cluster config

func (*AuthWithRoles) DeleteClusterName

func (a *AuthWithRoles) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*AuthWithRoles) DeleteGithubConnector

func (a *AuthWithRoles) DeleteGithubConnector(id string) error

func (*AuthWithRoles) DeleteNamespace

func (a *AuthWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*AuthWithRoles) DeleteNode

func (a *AuthWithRoles) DeleteNode(namespace, node string) error

DeleteNode deletes node in the namespace

func (*AuthWithRoles) DeleteOIDCConnector added in v1.0.0

func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error

func (*AuthWithRoles) DeleteProxy

func (a *AuthWithRoles) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*AuthWithRoles) DeleteRemoteCluster

func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteRole

func (a *AuthWithRoles) DeleteRole(name string) error

DeleteRole deletes role by name

func (*AuthWithRoles) DeleteSAMLConnector

func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error

func (*AuthWithRoles) DeleteSession

func (a *AuthWithRoles) DeleteSession(namespace string, id session.ID) error

DeleteSession removes an active session from the backend.

func (*AuthWithRoles) DeleteStaticTokens

func (a *AuthWithRoles) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*AuthWithRoles) DeleteToken added in v1.0.0

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteTrustedCluster

func (a *AuthWithRoles) DeleteTrustedCluster(name string) error

func (*AuthWithRoles) DeleteTunnelConnection

func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*AuthWithRoles) DeleteTunnelConnections

func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error

func (*AuthWithRoles) DeleteUser

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent added in v1.0.0

func (a *AuthWithRoles) EmitAuditEvent(event events.Event, fields events.EventFields) error

func (*AuthWithRoles) ExtendWebSession added in v1.0.0

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)

func (*AuthWithRoles) GenerateHostCert

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateServerKeys

func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthWithRoles) GenerateToken

func (a *AuthWithRoles) GenerateToken(req GenerateTokenRequest) (string, error)

func (*AuthWithRoles) GenerateUserCert

func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

func (*AuthWithRoles) GetAllTunnelConnections

func (a *AuthWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetAuthPreference

func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

func (*AuthWithRoles) GetCertAuthority

func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

func (*AuthWithRoles) GetClusterCACert

func (a *AuthWithRoles) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthWithRoles) GetClusterConfig

func (a *AuthWithRoles) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig gets cluster level configuration.

func (*AuthWithRoles) GetClusterName

func (a *AuthWithRoles) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*AuthWithRoles) GetDomainName added in v1.2.6

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetGithubConnector

func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

func (*AuthWithRoles) GetGithubConnectors

func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

func (*AuthWithRoles) GetLocalClusterName

func (a *AuthWithRoles) GetLocalClusterName() (string, error)

func (*AuthWithRoles) GetNamespace

func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*AuthWithRoles) GetNamespaces

func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*AuthWithRoles) GetNodes added in v1.0.0

func (a *AuthWithRoles) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetOTPData

func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)

func (*AuthWithRoles) GetProxies added in v1.0.0

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetRemoteCluster

func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

func (*AuthWithRoles) GetRemoteClusters

func (a *AuthWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

func (*AuthWithRoles) GetReverseTunnel

func (a *AuthWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (services.ReverseTunnel, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0

func (a *AuthWithRoles) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetRole

func (a *AuthWithRoles) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*AuthWithRoles) GetRoles

func (a *AuthWithRoles) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*AuthWithRoles) GetSAMLConnector

func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

func (*AuthWithRoles) GetSAMLConnectors

func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

func (*AuthWithRoles) GetSession

func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk added in v1.0.0

func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0

func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions

func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)

func (*AuthWithRoles) GetSignupToken

func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)

func (*AuthWithRoles) GetSignupTokenData

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)

func (*AuthWithRoles) GetSignupU2FRegisterRequest added in v1.3.0

func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthWithRoles) GetStaticTokens

func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthWithRoles) GetToken

func (a *AuthWithRoles) GetToken(token string) (services.ProvisionToken, error)

func (*AuthWithRoles) GetTokens added in v1.0.0

func (a *AuthWithRoles) GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetTrustedCluster

func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*AuthWithRoles) GetTrustedClusters

func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*AuthWithRoles) GetTunnelConnections

func (a *AuthWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetU2FSignRequest added in v1.3.0

func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthWithRoles) GetUser added in v1.0.0

func (a *AuthWithRoles) GetUser(name string) (services.User, error)

func (*AuthWithRoles) GetUsers

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

func (*AuthWithRoles) KeepAliveNode

func (a *AuthWithRoles) KeepAliveNode(ctx context.Context, handle services.KeepAlive) error

func (*AuthWithRoles) NewKeepAliver

func (a *AuthWithRoles) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*AuthWithRoles) NewWatcher

func (a *AuthWithRoles) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher

func (*AuthWithRoles) PostSessionSlice

func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error

func (*AuthWithRoles) PreAuthenticatedSignIn added in v1.3.0

func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)

func (*AuthWithRoles) ProcessKubeCSR

func (a *AuthWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.

func (*AuthWithRoles) RegisterNewAuthServer

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken

func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

func (*AuthWithRoles) RotateCertAuthority

func (a *AuthWithRoles) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*AuthWithRoles) RotateExternalCertAuthority

func (a *AuthWithRoles) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthWithRoles) SearchEvents added in v1.0.0

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SearchSessionEvents

func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SetAuthPreference

func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error

func (*AuthWithRoles) SetClusterConfig

func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error

SetClusterConfig sets cluster level configuration.

func (*AuthWithRoles) SetClusterName

func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*AuthWithRoles) SetStaticTokens

func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*AuthWithRoles) UpdateSession added in v1.0.0

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UploadSessionRecording

func (a *AuthWithRoles) UploadSessionRecording(r events.SessionRecording) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0

func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates existing cert authority or updates the existing one.

func (*AuthWithRoles) UpsertClusterName

func (a *AuthWithRoles) UpsertClusterName(c services.ClusterName) error

UpsertClusterName sets the name of the cluster.

func (*AuthWithRoles) UpsertGithubConnector

func (a *AuthWithRoles) UpsertGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) UpsertLocalClusterName

func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error

func (*AuthWithRoles) UpsertNamespace

func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*AuthWithRoles) UpsertNode added in v1.0.0

func (a *AuthWithRoles) UpsertNode(s services.Server) (*services.KeepAlive, error)

func (*AuthWithRoles) UpsertNodes

func (a *AuthWithRoles) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk upserts nodes into the backend.

func (*AuthWithRoles) UpsertOIDCConnector added in v1.0.0

func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error

func (*AuthWithRoles) UpsertPassword

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error

func (*AuthWithRoles) UpsertProxy added in v1.0.0

func (a *AuthWithRoles) UpsertProxy(s services.Server) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error

func (*AuthWithRoles) UpsertRole

func (a *AuthWithRoles) UpsertRole(role services.Role) error

UpsertRole creates or updates role

func (*AuthWithRoles) UpsertSAMLConnector

func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error

func (*AuthWithRoles) UpsertTOTP

func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error

func (*AuthWithRoles) UpsertToken

func (a *AuthWithRoles) UpsertToken(token services.ProvisionToken) error

func (*AuthWithRoles) UpsertTrustedCluster

func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) (services.TrustedCluster, error)

func (*AuthWithRoles) UpsertTunnelConnection

func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error

func (*AuthWithRoles) UpsertUser added in v1.0.0

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateGithubAuthCallback

func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

func (*AuthWithRoles) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

func (*AuthWithRoles) ValidateSAMLResponse

func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

func (*AuthWithRoles) ValidateTrustedCluster

func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*AuthWithRoles) WaitForDelivery

func (a *AuthWithRoles) WaitForDelivery(context.Context) error

type AuthenticateSSHRequest

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issues
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
}

AuthenticateSSHRequest is a request to authenticate SSH client user via CLI

func (*AuthenticateSSHRequest) CheckAndSetDefaults

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest

type AuthenticateUserRequest struct {
	// Username is a user name
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// U2F is a sign response crdedentials used to authenticate via U2F
	U2F *U2FSignResponseCreds `json:"u2f,omitempty"`
	// OTP is a password and second factor, used in two factor authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
}

AuthenticateUserRequest is a request to authenticate interactive user

func (*AuthenticateUserRequest) CheckAndSetDefaults

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*AuthContext, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer

func NewAuthorizer(access services.Access, identity services.UserGetter, trust services.Trust) (Authorizer, error)

NewAuthorizer returns new authorizer using backends

func NewRoleAuthorizer

func NewRoleAuthorizer(clusterName string, clusterConfig services.ClusterConfig, r teleport.Role) (Authorizer, error)

NewRoleAuthorizer authorizes everyone as predefined role, used in tests

type BuiltinRole

type BuiltinRole struct {
	// GetClusterConfig fetches cluster configuration.
	GetClusterConfig GetClusterConfigFunc

	// Role is the builtin role this username is associated with
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

BuiltinRole is the role of the Teleport service.

func (BuiltinRole) GetIdentity

func (r BuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type BuiltinRoleSet

type BuiltinRoleSet struct {
	services.RoleSet
}

BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is builtin or not.

type Client

type Client struct {
	sync.Mutex
	ClientConfig
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewTLSClient

func NewTLSClient(cfg ClientConfig, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClient returns a new TLS client that uses mutual TLS authentication and dials the remote server using dialer

func (*Client) ActivateCertAuthority

func (c *Client) ActivateCertAuthority(id services.CertAuthID) error

ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.

func (*Client) AddUserLoginAttempt

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser

func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*Client) AuthenticateWebUser

func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful

func (*Client) ChangePassword

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword changes user password

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close added in v1.0.0

func (c *Client) Close() error

func (*Client) CompareAndSwapCertAuthority

func (c *Client) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*Client) CreateCertAuthority

func (c *Client) CreateCertAuthority(ca services.CertAuthority) error

CreateCertAuthority inserts new cert authority

func (*Client) CreateGithubAuthRequest

func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Client) CreateGithubConnector

func (c *Client) CreateGithubConnector(connector services.GithubConnector) error

CreateGithubConnector creates a new Github connector

func (*Client) CreateOIDCAuthRequest added in v1.0.0

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*Client) CreateRemoteCluster

func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateRole

func (c *Client) CreateRole(role services.Role) error

CreateRole creates a role.

func (*Client) CreateSAMLAuthRequest

func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAML AuthnRequest

func (*Client) CreateSAMLConnector

func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error

CreateOIDCConnector creates SAML connector

func (*Client) CreateSession added in v1.0.0

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken

func (c *Client) CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*Client) CreateUserWithOTP

func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

CreateUserWithOTP creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.

func (*Client) CreateUserWithU2FToken added in v1.3.0

func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

CreateUserWithU2FToken creates user account with provided token and U2F sign response

func (*Client) CreateUserWithoutOTP

func (c *Client) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

CreateUserWithoutOTP validates a given token creates a user with the given password and deletes the token afterwards.

func (*Client) DeactivateCertAuthority

func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error

DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.

func (*Client) Delete

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAllAuthServers

func (c *Client) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*Client) DeleteAllCertAuthorities

func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*Client) DeleteAllNamespaces

func (c *Client) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*Client) DeleteAllNodes

func (c *Client) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*Client) DeleteAllProxies

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*Client) DeleteAllRoles

func (c *Client) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*Client) DeleteAllTokens

func (c *Client) DeleteAllTokens() error

DeleteAllTokens deletes all tokens

func (*Client) DeleteAllTunnelConnections

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers

func (c *Client) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*Client) DeleteAuthServer

func (c *Client) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*Client) DeleteCertAuthority added in v1.0.0

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteClusterConfig

func (c *Client) DeleteClusterConfig() error

DeleteClusterConfig deletes cluster config

func (*Client) DeleteClusterName

func (c *Client) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*Client) DeleteGithubConnector

func (c *Client) DeleteGithubConnector(id string) error

DeleteGithubConnector deletes the specified Github connector

func (*Client) DeleteNamespace

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteNode

func (c *Client) DeleteNode(namespace string, name string) error

DeleteNode deletes node in the namespace by name

func (*Client) DeleteOIDCConnector added in v1.0.0

func (c *Client) DeleteOIDCConnector(connectorID string) error

DeleteOIDCConnector deletes OIDC connector by ID

func (*Client) DeleteProxy

func (c *Client) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*Client) DeleteRemoteCluster

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel added in v1.0.0

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteRole

func (c *Client) DeleteRole(name string) error

DeleteRole deletes role by name

func (*Client) DeleteSAMLConnector

func (c *Client) DeleteSAMLConnector(connectorID string) error

DeleteSAMLConnector deletes SAML connector by ID

func (*Client) DeleteSession

func (c *Client) DeleteSession(namespace string, id session.ID) error

DeleteSession removes an active session from the backend.

func (*Client) DeleteStaticTokens

func (c *Client) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*Client) DeleteToken added in v1.0.0

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token

func (*Client) DeleteTrustedCluster

func (c *Client) DeleteTrustedCluster(name string) error

func (*Client) DeleteTunnelConnection

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteUser

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent added in v1.0.0

func (c *Client) EmitAuditEvent(event events.Event, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)

func (*Client) ExtendWebSession added in v1.0.0

func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateServerKeys

func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

RenewCredentials returns a new set of credentials associated with the server with the same privileges

func (*Client) GenerateToken

func (c *Client) GenerateToken(req GenerateTokenRequest) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

If token is not supplied, it will be auto generated and returned. If TTL is not supplied, token will be valid until removed.

func (*Client) GenerateUserCert

func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAllTunnelConnections

func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAuthPreference

func (c *Client) GetAuthPreference() (services.AuthPreference, error)

func (*Client) GetAuthServers added in v1.0.0

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetClusterCACert

func (c *Client) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*Client) GetClusterConfig

func (c *Client) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig returns cluster level configuration information.

func (*Client) GetClusterName

func (c *Client) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName returns a cluster name

func (*Client) GetDomainName added in v1.2.6

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetGithubConnector

func (c *Client) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

GetGithubConnector returns the specified Github connector

func (*Client) GetGithubConnectors

func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

GetGithubConnectors returns all configured Github connectors

func (*Client) GetLocalClusterName

func (c *Client) GetLocalClusterName() (string, error)

GetLocalClusterName returns local cluster name

func (*Client) GetNamespace

func (c *Client) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces

func (c *Client) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetNodes added in v1.0.0

func (c *Client) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector added in v1.0.0

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

GetOIDCConnector returns OIDC connector information by id

func (*Client) GetOIDCConnectors added in v1.0.0

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

GetOIDCConnector gets OIDC connectors list

func (*Client) GetProxies added in v1.0.0

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetRemoteCluster

func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters

func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetReverseTunnel

func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (services.ReverseTunnel, error)

GetReverseTunnel returns reverse tunnel by name

func (*Client) GetReverseTunnels added in v1.0.0

func (c *Client) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetRole

func (c *Client) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*Client) GetRoles

func (c *Client) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*Client) GetSAMLConnector

func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

GetOIDCConnector returns SAML connector information by id

func (*Client) GetSAMLConnectors

func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

GetSAMLConnectors gets SAML connectors list

func (*Client) GetSession

func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk added in v1.0.0

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents added in v1.0.0

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions

func (c *Client) GetSessions(namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData

func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetSignupU2FRegisterRequest added in v1.3.0

func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite tokenx

func (*Client) GetStaticTokens

func (c *Client) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens returns a list of static register tokens

func (*Client) GetToken

func (c *Client) GetToken(token string) (services.ProvisionToken, error)

GetToken returns provisioning token

func (*Client) GetTokens added in v1.0.0

func (c *Client) GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport added in v1.0.0

func (c *Client) GetTransport() *http.Transport

func (*Client) GetTrustedCluster

func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*Client) GetTrustedClusters

func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*Client) GetTunnelConnections

func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetU2FAppID added in v1.3.0

func (c *Client) GetU2FAppID() (string, error)

GetU2FAppID returns U2F settings, like App ID and Facets

func (*Client) GetU2FSignRequest added in v1.3.0

func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

GetU2FSignRequest generates request for user trying to authenticate with U2F token

func (*Client) GetUser added in v1.0.0

func (c *Client) GetUser(name string) (services.User, error)

GetUser returns a list of usernames registered in the system

func (*Client) GetUserLoginAttempts

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetUsers

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0

func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) KeepAliveNode

func (c *Client) KeepAliveNode(ctx context.Context, keepAlive services.KeepAlive) error

KeepAliveNode updates node keep alive information

func (*Client) NewKeepAliver

func (c *Client) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Client) NewWatcher

func (c *Client) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher

func (*Client) PostForm

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionSlice

func (c *Client) PostSessionSlice(slice events.SessionSlice) error

PostSessionSlice allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) ProcessKubeCSR

func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.

func (*Client) PutJSON added in v1.0.0

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer

func (c *Client) RegisterNewAuthServer(token string) error

RegisterNewAuthServer is used to register new auth server with token

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) RotateCertAuthority

func (c *Client) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*Client) RotateExternalCertAuthority

func (c *Client) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is used to update only public keys and certificates of the the certificate authorities of trusted clusters.

func (*Client) SearchEvents added in v1.0.0

func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SearchSessionEvents

func (c *Client) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetAuthPreference

func (c *Client) SetAuthPreference(cap services.AuthPreference) error

func (*Client) SetClusterConfig

func (c *Client) SetClusterConfig(cc services.ClusterConfig) error

SetClusterConfig sets cluster level configuration information.

func (*Client) SetClusterName

func (c *Client) SetClusterName(cn services.ClusterName) error

SetClusterName sets cluster name once, will return Already Exists error if the name is already set

func (*Client) SetStaticTokens

func (c *Client) SetStaticTokens(st services.StaticTokens) error

SetStaticTokens sets a list of static register tokens

func (*Client) TLSConfig

func (c *Client) TLSConfig() *tls.Config

TLSConfig returns TLS config used by the client, could return nil if the client is not using TLS

func (*Client) UpdateSession added in v1.0.0

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UploadSessionRecording

func (c *Client) UploadSessionRecording(r events.SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*Client) UpsertAuthServer added in v1.0.0

func (c *Client) UpsertAuthServer(s services.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0

func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertClusterName

func (c *Client) UpsertClusterName(cn services.ClusterName) error

UpsertClusterName updates or creates cluster name once

func (*Client) UpsertGithubConnector

func (c *Client) UpsertGithubConnector(connector services.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector

func (*Client) UpsertLocalClusterName

func (c *Client) UpsertLocalClusterName(string) error

UpsertLocalClusterName upserts local cluster name

func (*Client) UpsertNamespace

func (c *Client) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertNode added in v1.0.0

func (c *Client) UpsertNode(s services.Server) (*services.KeepAlive, error)

UpsertNode is used by SSH servers to reprt their presence to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertNodes

func (c *Client) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk inserts nodes.

func (*Client) UpsertOIDCConnector added in v1.0.0

func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error

UpsertOIDCConnector updates or creates OIDC connector

func (*Client) UpsertPassword

func (c *Client) UpsertPassword(user string, password []byte) error

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0

func (c *Client) UpsertProxy(s services.Server) error

UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertRole

func (c *Client) UpsertRole(role services.Role) error

UpsertRole creates or updates role

func (*Client) UpsertSAMLConnector

func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error

UpsertSAMLConnector updates or creates OIDC connector

func (*Client) UpsertToken

func (c *Client) UpsertToken(tok services.ProvisionToken) error

UpsertToken adds provisioning tokens for the auth server

func (*Client) UpsertTrustedCluster

func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

func (*Client) UpsertTunnelConnection

func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser added in v1.0.0

func (c *Client) UpsertUser(user services.User) error

UpsertUser user updates or inserts user entry

func (*Client) ValidateGithubAuthCallback

func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback added in v1.0.0

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse

func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster

func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*Client) WaitForDelivery

func (c *Client) WaitForDelivery(context.Context) error

type ClientConfig

type ClientConfig struct {
	// Addrs is a list of addresses to dial
	Addrs []utils.NetAddr
	// Dialer is a custom dialer, if provided
	// is used instead of the list of addresses
	Dialer ContextDialer
	// KeepAlivePeriod defines period between keep alives
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies amount of missed keep alives
	// to wait for until declaring connection as broken
	KeepAliveCount int
	// TLS is a TLS config
	TLS *tls.Config
}

ClientConfig contains configuration of the client

func (*ClientConfig) CheckAndSetDefaults

func (c *ClientConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values

type ClientI

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	services.Presence
	services.Access
	WebService
	session.Service
	services.ClusterConfiguration
	services.Events

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(req RotateRequest) error

	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of the
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ca services.CertAuthority) error

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successful, main cluster
	// adds remote cluster
	ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName() (string, error)

	// GetClusterCACert returns the CAs for the local cluster without signing keys.
	GetClusterCACert() (*LocalCAResponse, error)

	// GenerateServerKeys generates new host private keys and certificates (signed
	// by the host certificate authority) for a node
	GenerateServerKeys(GenerateServerKeysRequest) (*PackedKeys, error)
	// AuthenticateWebUser authenticates web user, creates and  returns web session
	// in case if authentication is successful
	AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
	// short lived certificates as a result
	AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if sucessful.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
}

ClientI is a client to Auth service

func NewAdminAuthServer

func NewAdminAuthServer(authServer *AuthServer, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access

type ContextDialer

type ContextDialer interface {
	// DialContext is a function that dials to the specified address
	DialContext(in context.Context, network, addr string) (net.Conn, error)
}

ContextDialer represents network dialer interface that uses context

func NewAddrDialer

func NewAddrDialer(addrs []utils.NetAddr, keepAliveInterval time.Duration) ContextDialer

NewAddrDialer returns new dialer from a list of addresses

type ContextDialerFunc

type ContextDialerFunc func(in context.Context, network, addr string) (net.Conn, error)

ContextDialerFunc is a function wrapper that implements ContextDialer interface

func (ContextDialerFunc) DialContext

func (f ContextDialerFunc) DialContext(in context.Context, network, addr string) (net.Conn, error)

DialContext is a function that dials to the specified address

type Dialer added in v1.0.0

type Dialer func(network, addr string) (net.Conn, error)

Dialer defines dialer function

type FakeSSHConnection added in v1.0.0

type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

FakeSSHConnection implements net.Conn interface on top of the ssh.Cnahhel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection

func (*FakeSSHConnection) Close added in v1.0.0

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr added in v1.0.0

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read added in v1.0.0

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr added in v1.0.0

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write added in v1.0.0

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type GLogger

type GLogger struct {
	Entry *logrus.Entry
	// Verbosity is verbosity as it's understood by GRPC
	Verbosity int
}

GLogger implements GRPC logger interface LoggerV2

func (*GLogger) Error

func (g *GLogger) Error(args ...interface{})

Error logs to ERROR log. Arguments are handled in the manner of fmt.Print.

func (*GLogger) Errorf

func (g *GLogger) Errorf(format string, args ...interface{})

Errorf logs to ERROR log. Arguments are handled in the manner of fmt.Printf.

func (*GLogger) Errorln

func (g *GLogger) Errorln(args ...interface{})

Errorln logs to ERROR log. Arguments are handled in the manner of fmt.Println.

func (*GLogger) Fatal

func (g *GLogger) Fatal(args ...interface{})

Fatal logs to ERROR log. Arguments are handled in the manner of fmt.Print. gRPC ensures that all Fatal logs will exit with os.Exit(1). Implementations may also call os.Exit() with a non-zero exit code.

func (*GLogger) Fatalf

func (g *GLogger) Fatalf(format string, args ...interface{})

Fatalf logs to ERROR log. Arguments are handled in the manner of fmt.Printf. gRPC ensures that all Fatal logs will exit with os.Exit(1). Implementations may also call os.Exit() with a non-zero exit code.

func (*GLogger) Fatalln

func (g *GLogger) Fatalln(args ...interface{})

Fatalln logs to ERROR log. Arguments are handled in the manner of fmt.Println. gRPC ensures that all Fatal logs will exit with os.Exit(1). Implementations may also call os.Exit() with a non-zero exit code.

func (*GLogger) Info

func (g *GLogger) Info(args ...interface{})

Info logs to INFO log. Arguments are handled in the manner of fmt.Print.

func (*GLogger) Infof

func (g *GLogger) Infof(format string, args ...interface{})

Infof logs to INFO log. Arguments are handled in the manner of fmt.Printf.

func (*GLogger) Infoln

func (g *GLogger) Infoln(args ...interface{})

Infoln logs to INFO log. Arguments are handled in the manner of fmt.Println.

func (*GLogger) V

func (g *GLogger) V(l int) bool

V reports whether verbosity level l is at least the requested verbose level.

func (*GLogger) Warning

func (g *GLogger) Warning(args ...interface{})

Warning logs to WARNING log. Arguments are handled in the manner of fmt.Print.

func (*GLogger) Warningf

func (g *GLogger) Warningf(format string, args ...interface{})

Warningf logs to WARNING log. Arguments are handled in the manner of fmt.Printf.

func (*GLogger) Warningln

func (g *GLogger) Warningln(args ...interface{})

Warningln logs to WARNING log. Arguments are handled in the manner of fmt.Println.

type GRPCServer

type GRPCServer struct {
	*logrus.Entry
	APIConfig
	// contains filtered or unexported fields
}

GRPCServer is GPRC Auth Server API

func (*GRPCServer) SendKeepAlives

func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error

SendKeepAlives allows node to send a stream of keep alive requests

func (*GRPCServer) ServeHTTP

func (g *GRPCServer) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP dispatches requests based on the request type

func (*GRPCServer) UpsertNode

func (g *GRPCServer) UpsertNode(ctx context.Context, server *services.ServerV2) (*services.KeepAlive, error)

UpsertNode upserts node

func (*GRPCServer) WatchEvents

func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error

WatchEvents returns a new stream of cluster events

type GenerateServerKeysRequest

type GenerateServerKeysRequest struct {
	// HostID is a unique ID of the host
	HostID string `json:"host_id"`
	// NodeName is a user friendly host name
	NodeName string `json:"node_name"`
	// Roles is a list of roles assigned to node
	Roles teleport.Roles `json:"roles"`
	// AdditionalPrincipals is a list of additional principals
	// to include in OpenSSH and X509 certificates
	AdditionalPrincipals []string `json:"additional_principals"`
	// DNSNames is a list of DNS names
	// to include in the x509 client certificate
	DNSNames []string `json:"dns_names"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
	// RemoteAddr is the IP address of the remote host requesting a host
	// certificate. RemoteAddr is used to replace 0.0.0.0 in the list of
	// additional principals.
	RemoteAddr string `json:"remote_addr"`
	// Rotation allows clients to send the certificate authority rotation state
	// expected by client of the certificate authority backends, so auth servers
	// can avoid situation when clients request certs assuming one
	// state, and auth servers issue another
	Rotation *services.Rotation `json:"rotation,omitempty"`
	// NoCache is argument that only local callers can supply to bypass cache
	NoCache bool `json:"-"`
}

GenerateServerKeysRequest is a request to generate server keys

func (*GenerateServerKeysRequest) CheckAndSetDefaults

func (req *GenerateServerKeysRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GenerateTokenRequest

type GenerateTokenRequest struct {
	// Token if provided sets the token value, otherwise will be auto generated
	Token string `json:"token"`
	// Roles is a list of roles this token authenticates as
	Roles teleport.Roles `json:"roles"`
	// TTL is a time to live for token
	TTL time.Duration `json:"ttl"`
}

GenerateTokenRequest is a request to generate auth token

func (*GenerateTokenRequest) CheckAndSetDefaults

func (req *GenerateTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of request

type GetClusterConfigFunc

type GetClusterConfigFunc func(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfigFunc returns a cached services.ClusterConfig.

type GithubAuthResponse

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity services.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session services.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req services.GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents Github auth callback validation response

type HandlerWithAuthFunc

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type HostCredentials

CredGetter is an interface for a client that can be used to get host credentials. This interface is needed because lib/client can not be imported in lib/auth due to circular imports.

type Identity added in v1.0.0

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// XCert is X509 client certificate
	XCert *x509.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is collection of certificates and signers that represent server identity

func GenerateIdentity

func GenerateIdentity(a *AuthServer, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)

GenerateIdentity generates identity for the auth server

func LocalRegister added in v1.0.0

func LocalRegister(id IdentityID, authServer *AuthServer, additionalPrincipals, dnsNames []string, remoteAddr string) (*Identity, error)

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.

func NewServerIdentity

func NewServerIdentity(clt *AuthServer, hostID string, role teleport.Role) (*Identity, error)

NewServerIdentity generates new server identity, used in tests

func ReRegister

func ReRegister(params ReRegisterParams) (*Identity, error)

ReRegister renews the certificates and private keys based on the client's existing identity.

func ReadIdentityFromKeyPair added in v1.0.0

func ReadIdentityFromKeyPair(keys *PackedKeys) (*Identity, error)

ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.

func ReadLocalIdentity

func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)

ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadSSHIdentityFromKeyPair

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads identity from initialized keypair

func ReadTLSIdentityFromKeyPair

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads TLS identity from key pair

func Register

func Register(params RegisterParams) (*Identity, error)

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.

func (*Identity) HasDNSNames

func (i *Identity) HasDNSNames(dnsNames []string) bool

HasDNSNames returns true if TLS certificate has required DNS names

func (*Identity) HasPrincipals

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether identity has principals

func (*Identity) HasTLSConfig

func (i *Identity) HasTLSConfig() bool

HasTSLConfig returns true if this identity has TLS certificate and private key

func (*Identity) SSHClientConfig

func (i *Identity) SSHClientConfig() *ssh.ClientConfig

SSHClientConfig returns a ssh.ClientConfig used by nodes to connect to the reverse tunnel server.

func (*Identity) String

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns TLS config for mutual TLS authentication can return NotFound error if there are no TLS credentials setup for identity

type IdentityGetter

type IdentityGetter interface {
	// GetIdentity  returns x509-derived identity of the user
	GetIdentity() tlsca.Identity
}

IdentityGetter returns client identity

type IdentityID added in v1.0.0

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals added in v1.0.0

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) HostID

func (id *IdentityID) HostID() (string, error)

HostID is host ID part of the host UUID that consists cluster name

func (*IdentityID) String added in v1.0.0

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService

type IdentityService interface {
	// UpsertPassword updates web access password for the user
	UpsertPassword(user string, password []byte) error

	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(connector services.OIDCConnector) error

	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

	// GetOIDCConnector gets OIDC connectors list
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(connectorID string) error

	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

	// CreateSAMLConnector creates SAML connector
	CreateSAMLConnector(connector services.SAMLConnector) error

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(connector services.SAMLConnector) error

	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

	// GetSAMLConnector gets SAML connectors list
	GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(connectorID string) error

	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

	// CreateGithubConnector creates a new Github connector
	CreateGithubConnector(connector services.GithubConnector) error
	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(connector services.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(services.GithubAuthRequest) (*services.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

	// GetU2FSignRequest generates request for user trying to authenticate with U2F token
	GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

	// GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token
	GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error)

	// CreateUserWithU2FToken creates user account with provided token and U2F sign response
	CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)

	// GetUser returns user by name
	GetUser(name string) (services.User, error)

	// UpsertUser user updates or inserts user entry
	UpsertUser(user services.User) error

	// DeleteUser deletes a user by username
	DeleteUser(user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers() ([]services.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the suplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// CreateUserWithOTP creates account with provided token and password.
	// Account username and OTP key are taken from token data.
	// Deletes token after account creation.
	CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)

	// CreateUserWithoutOTP validates a given token creates a user
	// with the given password and deletes the token afterwards.
	CreateUserWithoutOTP(token string, password string) (services.WebSession, error)

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(GenerateTokenRequest) (string, error)

	// GenerateKeyPair generates SSH private/public key pair optionally protected
	// by password. If the pass parameter is an empty string, the key pair
	// is not password-protected.
	GenerateKeyPair(pass string) ([]byte, []byte, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCert takes the public key in the OpenSSH `authorized_keys`
	// plain text format, signs it using User Certificate Authority signing key and returns the
	// resulting certificate.
	GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)

	// GetSignupTokenData returns token data for a valid token
	GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

	// CreateSignupToken creates one time token for creating account for the user
	// For each token it creates username and OTP key
	CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)

	// DeleteAllUsers deletes all users
	DeleteAllUsers() error
}

IdentityService manages identities and users

type IdentitySpecV2

type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACert is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}

IdentitySpecV2 specifies credentials used by local process.

type IdentityV2

type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}

IdentityV2 specifies local host identity.

func (*IdentityV2) CheckAndSetDefaults

func (s *IdentityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type InitConfig

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName services.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and hearbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// Events is an event service
	Events services.Events

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Roles is a set of roles to create
	Roles []services.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//StaticTokens []services.ProvisionToken
	StaticTokens services.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor (off, otp, u2f) passed in from a configuration file.
	AuthPreference services.AuthPreference

	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog

	// ClusterConfig holds cluster level configuration.
	ClusterConfig services.ClusterConfig

	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodc operations.
	SkipPeriodicOperations bool

	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16
}

InitConfig is auth server init config

type KubeCSR

type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}

KubeCSR is a kubernetes CSR request

func (*KubeCSR) CheckAndSetDefaults

func (a *KubeCSR) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type KubeCSRResponse

type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}

KubeCSRResponse is a response to kubernetes CSR request

type LocalCAResponse

type LocalCAResponse struct {
	// TLSCA is the PEM-encoded TLS certificate authority.
	TLSCA []byte `json:"tls_ca"`
}

LocalCAResponse contains PEM-encoded local CAs.

type LocalUser

type LocalUser struct {
	// Username is local username
	Username string
	// Identity is x509-derived identity used to build this user
	Identity tlsca.Identity
}

LocalUsername is a local username

func (LocalUser) GetIdentity

func (l LocalUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type LocalUserRoleSet

type LocalUserRoleSet struct {
	services.RoleSet
}

LocalUserRoleSet wraps a services.RoleSet. This type is used to determine if the role is a local user or not.

type NewCachingAccessPoint

type NewCachingAccessPoint func(clt ClientI, cacheName []string) (AccessPoint, error)

NewCachingAcessPoint returns new caching access point using access point policy

type OIDCAuthResponse added in v1.0.0

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a two factor authencication credentials

type PackedKeys

type PackedKeys struct {
	// Key is a private key
	Key []byte `json:"key"`
	// Cert is an SSH host cert
	Cert []byte `json:"cert"`
	// TLSCert is an X509 certificate
	TLSCert []byte `json:"tls_cert"`
	// TLSCACerts is a list of TLS certificate authorities.
	TLSCACerts [][]byte `json:"tls_ca_certs"`
	// SSHCACerts is a list of SSH certificate authorities.
	SSHCACerts [][]byte `json:"ssh_ca_certs"`
}

PackedKeys is a collection of private key, SSH host certificate and TLS certificate and certificate authority issued the certificate

type PassCreds

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type Plugin

type Plugin interface {
	// AddHandlers adds handlers to the auth API server
	AddHandlers(srv *APIServer)
}

Plugin is auth API server extension setter

func GetPlugin

func GetPlugin() Plugin

GetPlugin returns auth API server plugin that allows injecting handlers

type ProcessStorage

type ProcessStorage struct {
	backend.Backend
}

ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.

func NewProcessStorage

func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)

NewProcessStorage returns a new instance of the process storage.

func (*ProcessStorage) Close

func (p *ProcessStorage) Close() error

Close closes all resources used by process storage backend.

func (*ProcessStorage) CreateState

func (p *ProcessStorage) CreateState(role teleport.Role, state StateV2) error

CreateState creates process state if it does not exist yet.

func (*ProcessStorage) GetState

func (p *ProcessStorage) GetState(role teleport.Role) (*StateV2, error)

GetState reads rotation state from disk.

func (*ProcessStorage) ReadIdentity

func (p *ProcessStorage) ReadIdentity(name string, role teleport.Role) (*Identity, error)

ReadIdentity reads identity using identity name and role.

func (*ProcessStorage) WriteIdentity

func (p *ProcessStorage) WriteIdentity(name string, id Identity) error

WriteIdentity writes identity to the backend.

func (*ProcessStorage) WriteState

func (p *ProcessStorage) WriteState(role teleport.Role, state StateV2) error

WriteState writes local cluster state to the backend.

type ProvisioningService

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens(opts ...services.MarshalOption) (tokens []services.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(token string) (services.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a user token or a machine token
	DeleteToken(token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(services.ProvisionToken) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

	// RegisterNewAuthServer is used to register new auth server with token
	RegisterNewAuthServer(token string) error
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type ReRegisterParams

type ReRegisterParams struct {
	// Client is an authenticated client using old credentials
	Client ClientI
	// ID is identity ID
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS Names to add to the x509 client certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority
	Rotation services.Rotation
}

ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)

type ReadAccessPoint

type ReadAccessPoint interface {
	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*services.Namespace, error)

	// GetServers returns a list of registered servers
	GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]services.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

	// GetUser returns a services.User for this cluster.
	GetUser(string) (services.User, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
}

ReadAccessPoint is an API interface implemented by a certificate authority (CA)

type RegisterParams

type RegisterParams struct {
	// DataDir is the data directory
	// storing CA certificate
	DataDir string
	// Token is a secure token to join the cluster
	Token string
	// ID is identity ID
	ID IdentityID
	// Servers is a list of auth servers to dial
	Servers []utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to x509 certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for TLS client connection
	CipherSuites []uint16
	// CAPin is the SKPI hash of the CA used to verify the Auth Server.
	CAPin string
	// CAPath is the path to the CA file.
	CAPath string
	// GetHostCredentials is a client that can fetch host credentials.
	GetHostCredentials HostCredentials
}

RegisterParams specifies parameters for first time register operation with auth server

type RegisterUsingTokenRequest

type RegisterUsingTokenRequest struct {
	// HostID is a unique host ID, usually a UUID
	HostID string `json:"hostID"`
	// NodeName is a node name
	NodeName string `json:"node_name"`
	// Role is a system role, e.g. Proxy
	Role teleport.Role `json:"role"`
	// Token is an authentication token
	Token string `json:"token"`
	// AdditionalPrincipals is a list of additional principals
	AdditionalPrincipals []string `json:"additional_principals"`
	// DNSNames is a list of DNS names to include in the x509 client certificate
	DNSNames []string `json:"dns_names"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
	// RemoteAddr is the remote address of the host requesting a host certificate.
	// It is used to replace 0.0.0.0 in the list of additional principals.
	RemoteAddr string `json:"remote_addr"`
}

RegisterUsingTokenRequest is a request to register with auth server using authentication token

func (*RegisterUsingTokenRequest) CheckAndSetDefaults

func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks for errors and sets defaults

type RemoteBuiltinRole

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster.
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

func (RemoteBuiltinRole) GetIdentity

func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteBuiltinRoleSet

type RemoteBuiltinRoleSet struct {
	services.RoleSet
}

BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is a remote builtin or not.

type RemoteUser

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`

	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteUser defines encoded remote user.

func (RemoteUser) GetIdentity

func (r RemoteUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteUserRoleSet

type RemoteUserRoleSet struct {
	services.RoleSet
}

RemoteUserRoleSet wraps a services.RoleSet. This type is used to determine if the role is a remote user or not.

type RotateRequest

type RotateRequest struct {
	// Type is a certificate authority type, if omitted, both user and host CA
	// will be rotated.
	Type services.CertAuthType `json:"type"`
	// GracePeriod is used to generate cert rotation schedule that defines
	// times at which different rotation phases will be applied by the auth server
	// in auto mode. It is not used in manual rotation mode.
	// If omitted, default value is set, if 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period,
	// all existing users and hosts will have to re-login and re-added
	// into the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets desired rotation phase to move to, if not set
	// will be set automatically, it is a required argument
	// for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule,
	// autogenerated based on GracePeriod parameter if not set.
	Schedule *services.RotationSchedule `json:"schedule"`
}

RotateRequest is a request to start rotation of the certificate authority.

func (*RotateRequest) CheckAndSetDefaults

func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values.

func (*RotateRequest) Types

func (r *RotateRequest) Types() []services.CertAuthType

Types returns cert authority types requested to be rotated.

type SAMLAuthResponse

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in SAMLAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req services.SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider

type SSHLoginResponse

type SSHLoginResponse struct {
	// User contains a logged in user informationn
	Username string `json:"username"`
	// Cert is a PEM encoded  signed certificate
	Cert []byte `json:"cert"`
	// TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

type SessionCreds

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds is a web session credentials

type StateSpecV2

type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation services.Rotation `json:"rotation"`
}

StateSpecV2 is a state spec.

type StateV2

type StateV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}

StateV2 is a local process state.

func (*StateV2) CheckAndSetDefaults

func (s *StateV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type TLSServer

type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
	// Entry is TLS server logging entry
	*logrus.Entry
}

TLSServer is TLS auth server

func NewTLSServer

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) GetConfigForClient

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve

func (t *TLSServer) Serve(listener net.Listener) error

Serve takes TCP listener, upgrades to TLS using config and starts serving

type TLSServerConfig

type TLSServerConfig struct {
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is a caching access point
	AccessPoint AccessCache
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *AuthServer
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionLogger is a session logger
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
}

TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key

func NewTestAuthServer

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns new instances of Auth server

func (*TestAuthServer) Clock

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestAuthServer) GenerateUserCert

func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*TestAuthServer) NewCertificate

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by test auth server

func (*TestAuthServer) NewRemoteClient

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates new client to the remote server using identity generated for this certificate authority

func (*TestAuthServer) NewTestTLSServer

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server

func (*TestAuthServer) Trust

func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error

Trust adds other server host certificate authority as trusted

type TestAuthServerConfig

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
}

TestAuthServerConfig is auth server test config

func (*TestAuthServerConfig) CheckAndSetDefaults

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestIdentity

type TestIdentity struct {
	I             interface{}
	TTL           time.Duration
	AcceptedUsage []string
}

TestIdentity is test identity spec used to generate identities in tests

func TestAdmin

func TestAdmin() TestIdentity

TestAdmin returns TestIdentity for admin user

func TestBuiltin

func TestBuiltin(role teleport.Role) TestIdentity

TestBuiltin returns TestIdentity for builtin user

func TestNop

func TestNop() TestIdentity

TestNop returns "Nop" - unauthenticated identity

func TestServerID

func TestServerID(serverID string) TestIdentity

TestServerID returns a TestIdentity for a node with the passed in serverID.

func TestUser

func TestUser(username string) TestIdentity

TestUser returns TestIdentity for local user

type TestTLSServer

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port

func (*TestTLSServer) Addr

func (t *TestTLSServer) Addr() net.Addr

Addr returns address of TLS server

func (*TestTLSServer) Auth

func (t *TestTLSServer) Auth() *AuthServer

Auth returns auth server used by this TLS server

func (*TestTLSServer) CertPool

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns cert pool that auth server represents

func (*TestTLSServer) ClientTLSConfig

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns client TLS config based on the identity

func (*TestTLSServer) Clock

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestTLSServer) CloneClient

func (t *TestTLSServer) CloneClient(clt *Client) *Client

CloneClient uses the same credentials as the passed client but forces the client to be recreated

func (*TestTLSServer) Close

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName

func (t *TestTLSServer) ClusterName() string

ClusterName returns name of test TLS server cluster

func (*TestTLSServer) NewClient

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns new client to test server authenticated with identity

func (*TestTLSServer) NewClientFromWebSession

func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)

NewClientFromWebSession returns new authenticated client from web session

func (*TestTLSServer) Start

func (t *TestTLSServer) Start() error

Start starts TLS server on loopback address on the first lisenting socket

func (*TestTLSServer) Stop

func (t *TestTLSServer) Stop() error

Stop stops listening server, but does not close the auth backend

type TestTLSServerConfig

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.LimiterConfig
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}

TestTLSServerConfig is a configuration for test TLS server

func (*TestTLSServerConfig) CheckAndSetDefaults

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authoritiy
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

func AuthoritiesToTrustedCerts

func AuthoritiesToTrustedCerts(authorities []services.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure

func (*TrustedCerts) SSHCertPublicKeys

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys

type U2FSignResponseCreds

type U2FSignResponseCreds struct {
	// SignResponse is a U2F sign resposne
	SignResponse u2f.SignResponse `json:"sign_response"`
}

U2FSignResponseCreds is a U2F signature sent by U2F device

type ValidateTrustedClusterRequest

type ValidateTrustedClusterRequest struct {
	Token string                   `json:"token"`
	CAs   []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequest) ToRaw

type ValidateTrustedClusterRequestRaw

type ValidateTrustedClusterRequestRaw struct {
	Token string   `json:"token"`
	CAs   [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative

type ValidateTrustedClusterResponse

type ValidateTrustedClusterResponse struct {
	CAs []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw

type ValidateTrustedClusterResponseRaw

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative

type WebService

type WebService interface {
	// GetWebSessionInfo checks if a web sesion is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(user string, sid string) (services.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
	// DeleteWebSession deletes a web session for this user by id
	DeleteWebSession(user string, sid string) error
}

WebService implements features used by Web UI clients

type Wrapper

type Wrapper struct {
	ReadAccessPoint
	Write AccessPoint
}

Wrapper wraps access point and auth cache in one client so that update operations are going through access point and read operations are going though cache

func (*Wrapper) DeleteTunnelConnection

func (w *Wrapper) DeleteTunnelConnection(clusterName, connName string) error

DeleteTunnelConnection is a part of auth.AccessPoint implementation

func (*Wrapper) NewKeepAliver

func (w *Wrapper) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Wrapper) UpsertAuthServer

func (w *Wrapper) UpsertAuthServer(s services.Server) error

UpsertAuthServer is part of auth.AccessPoint implementation

func (*Wrapper) UpsertNode

func (w *Wrapper) UpsertNode(s services.Server) (*services.KeepAlive, error)

UpsertNode is part of auth.AccessPoint implementation

func (*Wrapper) UpsertProxy

func (w *Wrapper) UpsertProxy(s services.Server) error

UpsertProxy is part of auth.AccessPoint implementation

func (*Wrapper) UpsertTunnelConnection

func (w *Wrapper) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection is a part of auth.AccessPoint implementation

Directories

Path Synopsis
package test contains CA authority acceptance test suite.
package test contains CA authority acceptance test suite.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL