Documentation ¶
Overview ¶
Package services implements stateful services provided by Teleport, such as certificate authority management, user and web sessions, events and logs.
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Package services implements API services exposed by Teleport:
- presence service that takes care of heartbeats
- web service that takes care of web logins
- ca service - certificate authorities
Index ¶
- Constants
- func JoinTokenRole(token, role string) (ouputToken string, e error)
- func SplitTokenRole(outputToken string) (token, role string, e error)
- type AuthorizedKey
- type BkKeysService
- type CAService
- func (s *CAService) DeleteCertAuthority(id CertAuthID) error
- func (s *CAService) GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]*CertAuthority, error)
- func (s *CAService) GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)
- func (s *CAService) UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error
- type CertAuthID
- type CertAuthType
- type CertAuthority
- type CommandLabel
- type CommandLabels
- type Event
- type LeaderElectionService
- type LockService
- type PresenceService
- func (s *PresenceService) DeleteReverseTunnel(domainName string) error
- func (s *PresenceService) GetAuthServers() ([]Server, error)
- func (s *PresenceService) GetNodes() ([]Server, error)
- func (s *PresenceService) GetProxies() ([]Server, error)
- func (s *PresenceService) GetReverseTunnels() ([]ReverseTunnel, error)
- func (s *PresenceService) UpsertAuthServer(server Server, ttl time.Duration) error
- func (s *PresenceService) UpsertNode(server Server, ttl time.Duration) error
- func (s *PresenceService) UpsertProxy(server Server, ttl time.Duration) error
- func (s *PresenceService) UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error
- type ProvisionToken
- type ProvisioningService
- type ReverseTunnel
- type Server
- type ServicesTestSuite
- func (s *ServicesTestSuite) CertAuthCRUD(c *C)
- func (s *ServicesTestSuite) Locking(c *C)
- func (s *ServicesTestSuite) PasswordCRUD(c *C)
- func (s *ServicesTestSuite) PasswordGarbage(c *C)
- func (s *ServicesTestSuite) PasswordHashCRUD(c *C)
- func (s *ServicesTestSuite) ReverseTunnelsCRUD(c *C)
- func (s *ServicesTestSuite) ServerCRUD(c *C)
- func (s *ServicesTestSuite) TokenCRUD(c *C)
- func (s *ServicesTestSuite) UsersCRUD(c *C)
- func (s *ServicesTestSuite) WebSessionCRUD(c *C)
- type SignupToken
- type Site
- type User
- type WebService
- func (s *WebService) CheckPassword(user string, password []byte, hotpToken string) error
- func (s *WebService) CheckPasswordWOToken(user string, password []byte) error
- func (s *WebService) DeleteSignupToken(token string) error
- func (s *WebService) DeleteUser(user string) error
- func (s *WebService) DeleteWebSession(user, sid string) error
- func (s *WebService) GetHOTP(user string) (*hotp.HOTP, error)
- func (s *WebService) GetPasswordHash(user string) ([]byte, error)
- func (s *WebService) GetSignupToken(token string) (*SignupToken, error)
- func (s *WebService) GetUser(user string) (*User, error)
- func (s *WebService) GetUsers() ([]User, error)
- func (s *WebService) GetWebSession(user, sid string) (*WebSession, error)
- func (s *WebService) GetWebSessionsKeys(user string) ([]AuthorizedKey, error)
- func (s *WebService) UpsertHOTP(user string, otp *hotp.HOTP) error
- func (s *WebService) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
- func (s *WebService) UpsertPasswordHash(user string, hash []byte) error
- func (s *WebService) UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error
- func (s *WebService) UpsertUser(user User) error
- func (s *WebService) UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error
- type WebSession
Constants ¶
const (
	Leader   = Event(1)
	Follower = Event(2)
)
const (
	// TokenRoleAuth specifies
	TokenRoleAuth = "Auth"
	TokenRoleNode = "Node"
)
Variables ¶
This section is empty.
Functions ¶
func JoinTokenRole ¶
func JoinTokenRole(token, role string) (ouputToken string, e error)
func SplitTokenRole ¶
func SplitTokenRole(outputToken string) (token, role string, e error)
Types ¶
type AuthorizedKey ¶
type AuthorizedKey struct {
	// ID is a unique key id
	ID string `json:"id"`
	// Value is a value of the public key
	Value []byte `json:"value"`
}
AuthorizedKey is a public key that is authorized to access SSH servers
type BkKeysService ¶
type BkKeysService struct {
// contains filtered or unexported fields
}
func NewBkKeysService ¶
func NewBkKeysService(backend backend.Backend) *BkKeysService
type CAService ¶
type CAService struct {
// contains filtered or unexported fields
}
CAService is responsible for managing certificate authorities. Each authority manages some domain, e.g. example.com.
There are two types of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts.
Remote authorities have only public keys available, so they can only be used to validate.
func NewCAService ¶
NewCAService returns a new instance of CAService
func (*CAService) DeleteCertAuthority ¶
func (s *CAService) DeleteCertAuthority(id CertAuthID) error
DeleteCertAuthority deletes the given certificate authority
func (*CAService) GetCertAuthorities ¶
func (s *CAService) GetCertAuthorities(caType CertAuthType, loadSigningKeys bool) ([]*CertAuthority, error)
GetCertAuthorities returns a list of authorities of a given type. loadSigningKeys controls whether signing keys should be loaded or not.
func (*CAService) GetCertAuthority ¶
func (s *CAService) GetCertAuthority(id CertAuthID, loadSigningKeys bool) (*CertAuthority, error)
GetCertAuthority returns the certificate authority with the given id. The loadSigningKeys parameter controls whether signing keys are loaded.
func (*CAService) UpsertCertAuthority ¶
func (s *CAService) UpsertCertAuthority(ca CertAuthority, ttl time.Duration) error
UpsertCertAuthority updates or inserts a new certificate authority
type CertAuthID ¶ added in v1.0.0
type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}
CertAuthID - id of a certificate authority (its type and domain name)
func (*CertAuthID) Check ¶ added in v1.0.0
func (c *CertAuthID) Check() error
Check returns error if any of the id parameters are bad, nil otherwise
func (*CertAuthID) String ¶ added in v1.0.0
func (c *CertAuthID) String() string
type CertAuthType ¶ added in v1.0.0
type CertAuthType string
CertAuthType specifies certificate authority type, user or host
const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)
func (CertAuthType) Check ¶ added in v1.0.0
func (c CertAuthType) Check() error
Check checks if certificate authority type value is correct
type CertAuthority ¶ added in v1.0.0
type CertAuthority struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}
CertAuthority is a host or user certificate authority that can check certificates and, if it has a private key stored as well, sign them too
func NewTestCA ¶
func NewTestCA(caType CertAuthType, domainName string) *CertAuthority
NewTestCA returns a new test authority with a test key as both its public and its signing key
func (*CertAuthority) Check ¶ added in v1.0.0
func (ca *CertAuthority) Check() error
Check checks if all passed parameters are valid
func (*CertAuthority) Checkers ¶ added in v1.0.0
func (ca *CertAuthority) Checkers() ([]ssh.PublicKey, error)
Checkers returns the parsed SSH public keys that can be used to check certificate signatures made by this authority
func (*CertAuthority) FirstSigningKey ¶ added in v1.0.0
func (ca *CertAuthority) FirstSigningKey() ([]byte, error)
FirstSigningKey returns the first signing key, or an error if no signing key is stored
func (*CertAuthority) ID ¶ added in v1.0.0
func (ca *CertAuthority) ID() *CertAuthID
ID returns id (consisting of domain name and type) that identifies the authority this key belongs to
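The distinction drawn above between local authorities (which hold signing keys and can sign) and remote authorities (checking keys only, so they can only validate) is the security boundary that GetCertAuthority's loadSigningKeys flag protects. The program below is an added illustration, not code from the services package: it models CertAuthority with raw ed25519 keys so it needs only the standard library (an assumption; the real package stores SSH-encoded keys and returns ssh.PublicKey from Checkers), and the Sign, Verify, NewLocalCA and AsRemote helpers are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CertAuthType mirrors the page's type: "host" or "user".
type CertAuthType string

const (
	HostCA CertAuthType = "host"
	UserCA CertAuthType = "user"
)

// CertAuthority is a reduced model of the page's struct. Keys are raw
// ed25519 keys so the example needs only the standard library (an
// assumption; the real package stores SSH-encoded keys).
type CertAuthority struct {
	Type         CertAuthType
	DomainName   string
	CheckingKeys [][]byte // public keys: can verify signatures
	SigningKeys  [][]byte // private keys: present on local authorities only
}

// Check validates type and domain, as the page's Check does.
func (ca *CertAuthority) Check() error {
	if ca.Type != HostCA && ca.Type != UserCA {
		return fmt.Errorf("unknown certificate authority type %q", string(ca.Type))
	}
	if ca.DomainName == "" {
		return errors.New("missing domain name")
	}
	if len(ca.CheckingKeys) == 0 {
		return errors.New("at least one checking key is required")
	}
	return nil
}

// FirstSigningKey fails for a remote authority, which stores none.
func (ca *CertAuthority) FirstSigningKey() ([]byte, error) {
	if len(ca.SigningKeys) == 0 {
		return nil, fmt.Errorf("%s authority %s: no signing key stored", ca.Type, ca.DomainName)
	}
	if len(ca.SigningKeys[0]) != ed25519.PrivateKeySize {
		return nil, errors.New("malformed signing key")
	}
	return ca.SigningKeys[0], nil
}

// Sign issues a signature over payload; only a local authority can.
func (ca *CertAuthority) Sign(payload []byte) ([]byte, error) {
	key, err := ca.FirstSigningKey()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.PrivateKey(key), payload), nil
}

// Verify accepts payload if any well-formed checking key validates sig.
// The length guard matters: ed25519.Verify panics on a malformed key.
func (ca *CertAuthority) Verify(payload, sig []byte) bool {
	for _, k := range ca.CheckingKeys {
		if len(k) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(k), payload, sig) {
			return true
		}
	}
	return false
}

// NewLocalCA generates a key pair and keeps both halves.
func NewLocalCA(t CertAuthType, domain string) (*CertAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &CertAuthority{Type: t, DomainName: domain, CheckingKeys: [][]byte{pub}, SigningKeys: [][]byte{priv}}
	return ca, ca.Check()
}

// AsRemote is the view another cluster stores, and what GetCertAuthority
// hands back with loadSigningKeys=false: checking keys only.
func (ca *CertAuthority) AsRemote() *CertAuthority {
	return &CertAuthority{Type: ca.Type, DomainName: ca.DomainName, CheckingKeys: ca.CheckingKeys}
}

func main() {
	local, _ := NewLocalCA(HostCA, "example.com") // constructed sample domain
	payload := []byte("host cert for node1.example.com")
	sig, _ := local.Sign(payload)
	remote := local.AsRemote()
	fmt.Println("remote verifies:", remote.Verify(payload, sig))
	_, err := remote.Sign(payload)
	fmt.Println("remote sign:", err)
}
```

AsRemote is the shape to hand to any component that only needs to validate: once the signing half is not loaded, a compromise of that component cannot mint certificates, which is exactly why callers should pass loadSigningKeys=false unless they are about to sign.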
type CommandLabel ¶
type CommandLabel struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}
CommandLabel is a label whose value is the output generated by running a command, e.g. hostname
type CommandLabels ¶
type CommandLabels map[string]CommandLabel
CommandLabels is a set of command labels
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from an environment variable
type LeaderElectionService ¶
type LeaderElectionService struct {
// contains filtered or unexported fields
}
func NewLeaderElectionService ¶
func NewLeaderElectionService(backend backend.Backend, path []string, serverID string) *LeaderElectionService
func (*LeaderElectionService) AcquireMaster ¶
func (les *LeaderElectionService) AcquireMaster() bool
func (*LeaderElectionService) Disable ¶
func (les *LeaderElectionService) Disable()
func (*LeaderElectionService) Start ¶
func (les *LeaderElectionService) Start()
func (*LeaderElectionService) Subscribe ¶
func (les *LeaderElectionService) Subscribe(c chan Event)
type LockService ¶
type LockService struct {
// contains filtered or unexported fields
}
func NewLockService ¶
func NewLockService(backend backend.Backend) *LockService
func (*LockService) AcquireLock ¶
func (s *LockService) AcquireLock(token string, ttl time.Duration) error
AcquireLock grabs a lock that will be released automatically after ttl
func (*LockService) ReleaseLock ¶
func (s *LockService) ReleaseLock(token string) error
type PresenceService ¶
type PresenceService struct {
// contains filtered or unexported fields
}
PresenceService records and reports the presence of all components of the cluster: auth servers, proxies and SSH nodes
func NewPresenceService ¶
func NewPresenceService(backend backend.Backend) *PresenceService
NewPresenceService returns a new presence service instance
func (*PresenceService) DeleteReverseTunnel ¶
func (s *PresenceService) DeleteReverseTunnel(domainName string) error
DeleteReverseTunnel deletes a reverse tunnel by its domain name
func (*PresenceService) GetAuthServers ¶
func (s *PresenceService) GetAuthServers() ([]Server, error)
GetAuthServers returns a list of registered auth servers
func (*PresenceService) GetNodes ¶
func (s *PresenceService) GetNodes() ([]Server, error)
GetNodes returns a list of registered nodes
func (*PresenceService) GetProxies ¶
func (s *PresenceService) GetProxies() ([]Server, error)
GetProxies returns a list of registered proxies
func (*PresenceService) GetReverseTunnels ¶
func (s *PresenceService) GetReverseTunnels() ([]ReverseTunnel, error)
GetReverseTunnels returns a list of registered reverse tunnels
func (*PresenceService) UpsertAuthServer ¶
func (s *PresenceService) UpsertAuthServer(server Server, ttl time.Duration) error
UpsertAuthServer registers auth server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second
func (*PresenceService) UpsertNode ¶
func (s *PresenceService) UpsertNode(server Server, ttl time.Duration) error
UpsertNode registers node presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second
func (*PresenceService) UpsertProxy ¶
func (s *PresenceService) UpsertProxy(server Server, ttl time.Duration) error
UpsertProxy registers proxy server presence, permanently if ttl is 0 or for the specified duration with second resolution if it's >= 1 second
func (*PresenceService) UpsertReverseTunnel ¶
func (s *PresenceService) UpsertReverseTunnel(tunnel ReverseTunnel, ttl time.Duration) error
UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
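The Upsert* methods above all share one rule: a ttl of 0 registers the entry permanently, and a ttl of at least one second keeps it alive with second resolution, so a component that stops heartbeating drops out of the listing once its ttl lapses. The program below is an added example, not the services package's code: it replaces backend.Backend with an in-memory store whose clock is injectable, keeps only the ID and Addr fields of Server, and rejects sub-second TTLs (an assumption, since the page leaves that range unspecified).

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// Server is the page's Server struct, reduced to the fields used here.
type Server struct{ ID, Addr string }

// item is one stored value; a zero expires means permanent (ttl == 0).
type item struct {
	val     Server
	expires time.Time
}

// ttlStore is an in-memory stand-in for the page's backend.Backend. The
// clock is injectable so expiry can be exercised without sleeping.
type ttlStore struct {
	mu   sync.Mutex
	data map[string]item
	now  func() time.Time
}

func newTTLStore() *ttlStore { return &ttlStore{data: map[string]item{}, now: time.Now} }

// put writes val under key. ttl follows the page's rule: 0 is permanent,
// >= 1s is kept with second resolution; sub-second values are rejected
// (an assumption, the page leaves that range unspecified).
func (t *ttlStore) put(key string, val Server, ttl time.Duration) error {
	var exp time.Time
	switch {
	case ttl == 0:
	case ttl < time.Second:
		return fmt.Errorf("ttl %v is below one-second resolution", ttl)
	default:
		exp = t.now().Add(ttl.Truncate(time.Second))
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	t.data[key] = item{val: val, expires: exp}
	return nil
}

// live returns every unexpired value under prefix and purges the rest, so
// a node that stopped heartbeating vanishes once its ttl has elapsed.
func (t *ttlStore) live(prefix string) []Server {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.now()
	var out []Server
	for k, it := range t.data {
		switch {
		case !strings.HasPrefix(k, prefix):
		case !it.expires.IsZero() && !now.Before(it.expires):
			delete(t.data, k) // expired: a listing must never show it again
		default:
			out = append(out, it.val)
		}
	}
	return out
}

// PresenceService mirrors the page's Upsert*/Get* pairs; nodes and proxies
// only differ by the key prefix they are stored under.
type PresenceService struct{ store *ttlStore }

func (s *PresenceService) upsert(kind string, server Server, ttl time.Duration) error {
	if server.ID == "" || server.Addr == "" {
		return fmt.Errorf("%s needs an id and an address", kind)
	}
	return s.store.put(kind+"/"+server.ID, server, ttl)
}

func (s *PresenceService) UpsertNode(server Server, ttl time.Duration) error {
	return s.upsert("nodes", server, ttl)
}

func (s *PresenceService) UpsertProxy(server Server, ttl time.Duration) error {
	return s.upsert("proxies", server, ttl)
}

func (s *PresenceService) GetNodes() ([]Server, error)   { return s.store.live("nodes/"), nil }
func (s *PresenceService) GetProxies() ([]Server, error) { return s.store.live("proxies/"), nil }

func main() {
	p := &PresenceService{store: newTTLStore()}
	_ = p.UpsertNode(Server{ID: "node1", Addr: "10.0.0.1:3022"}, 0)  // constructed sample
	_ = p.UpsertProxy(Server{ID: "proxy1", Addr: "10.0.0.9:3023"}, 0) // constructed sample
	nodes, _ := p.GetNodes()
	fmt.Println("live nodes:", nodes)
}
```

Truncating to whole seconds means a 5.9s ttl expires at 5s, so heartbeat senders should re-register comfortably inside their ttl; reading expiry at listing time (rather than trusting a background sweeper) is what keeps a stale node from being handed to a client.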
type ProvisionToken ¶
ProvisionToken stores metadata about some provisioning token
type ProvisioningService ¶
type ProvisioningService struct {
// contains filtered or unexported fields
}
ProvisioningService governs adding new nodes to the cluster
func NewProvisioningService ¶
func NewProvisioningService(backend backend.Backend) *ProvisioningService
NewProvisioningService returns a new instance of provisioning service
func (*ProvisioningService) DeleteToken ¶
func (s *ProvisioningService) DeleteToken(token string) error
func (*ProvisioningService) GetToken ¶
func (s *ProvisioningService) GetToken(token string) (*ProvisionToken, error)
GetToken finds and returns token by id
func (*ProvisioningService) UpsertToken ¶
func (s *ProvisioningService) UpsertToken(token, role string, ttl time.Duration) error
UpsertToken adds provisioning tokens for the auth server
type ReverseTunnel ¶ added in v1.0.0
type ReverseTunnel struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote addresses to establish a connection to,
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}
ReverseTunnel is an SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so that a remote cluster does not have to be directly reachable from the local one.
func (*ReverseTunnel) Check ¶ added in v1.0.0
func (r *ReverseTunnel) Check() error
Check returns nil if all parameters are good, error otherwise
type Server ¶
type Server struct {
	ID        string                  `json:"id"`
	Addr      string                  `json:"addr"`
	Hostname  string                  `json:"hostname"`
	Labels    map[string]string       `json:"labels"`
	CmdLabels map[string]CommandLabel `json:"cmd_labels"`
}
Server represents a node in a Teleport cluster
func (*Server) LabelsMap ¶ added in v1.0.0
LabelsMap returns the full key:value map of both static labels and "command labels"
func (*Server) LabelsString ¶ added in v1.0.0
LabelsString returns a comma separated string with all node's labels
type ServicesTestSuite ¶
type ServicesTestSuite struct {
	CAS           *CAService
	LockS         *LockService
	PresenceS     *PresenceService
	ProvisioningS *ProvisioningService
	WebS          *WebService
	ChangesC      chan interface{}
}
func NewServicesTestSuite ¶
func NewServicesTestSuite(backend backend.Backend) *ServicesTestSuite
func (*ServicesTestSuite) CertAuthCRUD ¶
func (s *ServicesTestSuite) CertAuthCRUD(c *C)
func (*ServicesTestSuite) Locking ¶
func (s *ServicesTestSuite) Locking(c *C)
func (*ServicesTestSuite) PasswordCRUD ¶
func (s *ServicesTestSuite) PasswordCRUD(c *C)
func (*ServicesTestSuite) PasswordGarbage ¶
func (s *ServicesTestSuite) PasswordGarbage(c *C)
func (*ServicesTestSuite) PasswordHashCRUD ¶
func (s *ServicesTestSuite) PasswordHashCRUD(c *C)
func (*ServicesTestSuite) ReverseTunnelsCRUD ¶
func (s *ServicesTestSuite) ReverseTunnelsCRUD(c *C)
func (*ServicesTestSuite) ServerCRUD ¶
func (s *ServicesTestSuite) ServerCRUD(c *C)
func (*ServicesTestSuite) TokenCRUD ¶
func (s *ServicesTestSuite) TokenCRUD(c *C)
func (*ServicesTestSuite) UsersCRUD ¶
func (s *ServicesTestSuite) UsersCRUD(c *C)
func (*ServicesTestSuite) WebSessionCRUD ¶
func (s *ServicesTestSuite) WebSessionCRUD(c *C)
type SignupToken ¶
type SignupToken struct {
	Token           string   `json:"token"`
	User            string   `json:"user"`
	Hotp            []byte   `json:"hotp"`
	HotpFirstValues []string `json:"hotp_first_values"`
	HotpQR          []byte   `json:"hotp_qr"`
	AllowedLogins   []string `json:"allowed_logins"`
}
SignupToken stores metadata about a user signup token; the token is generated and stored when "tctl add user" is executed
type Site ¶ added in v1.0.0
type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}
Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.
The CA is represented by an auth server (or multiple auth servers, if running in HA mode)
type User ¶ added in v1.0.0
type User struct {
	// Name is a user name
	Name string `json:"name"`
	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`
}
User is an optional user entry in the database
type WebService ¶
WebService is responsible for managing web users and, currently, user accounts as well
func NewWebService ¶
func NewWebService(backend backend.Backend) *WebService
NewWebService returns a new instance of WebService
func (*WebService) CheckPassword ¶
func (s *WebService) CheckPassword(user string, password []byte, hotpToken string) error
CheckPassword is called on web user or tsh user login
func (*WebService) CheckPasswordWOToken ¶
func (s *WebService) CheckPasswordWOToken(user string, password []byte) error
CheckPasswordWOToken checks only the password, without checking the HOTP token; it is used for SSH authentication, where the token has already been validated
func (*WebService) DeleteSignupToken ¶
func (s *WebService) DeleteSignupToken(token string) error
DeleteSignupToken deletes signup token from the storage
func (*WebService) DeleteUser ¶
func (s *WebService) DeleteUser(user string) error
DeleteUser deletes a user with all the keys from the backend
func (*WebService) DeleteWebSession ¶
func (s *WebService) DeleteWebSession(user, sid string) error
DeleteWebSession deletes web session from the storage
func (*WebService) GetHOTP ¶
func (s *WebService) GetHOTP(user string) (*hotp.HOTP, error)
GetHOTP gets HOTP token state for a user
func (*WebService) GetPasswordHash ¶
func (s *WebService) GetPasswordHash(user string) ([]byte, error)
GetPasswordHash returns the password hash for a given user
func (*WebService) GetSignupToken ¶
func (s *WebService) GetSignupToken(token string) (*SignupToken, error)
GetSignupToken returns signup token data
func (*WebService) GetUser ¶
func (s *WebService) GetUser(user string) (*User, error)
GetUser returns a user by name
func (*WebService) GetUsers ¶
func (s *WebService) GetUsers() ([]User, error)
GetUsers returns a list of users registered with the local auth server
func (*WebService) GetWebSession ¶
func (s *WebService) GetWebSession(user, sid string) (*WebSession, error)
GetWebSession returns a web session state for a given user and session id
func (*WebService) GetWebSessionsKeys ¶
func (s *WebService) GetWebSessionsKeys(user string) ([]AuthorizedKey, error)
GetWebSessionsKeys returns public keys associated with the session
func (*WebService) UpsertHOTP ¶
func (s *WebService) UpsertHOTP(user string, otp *hotp.HOTP) error
UpsertHOTP upserts HOTP state for user
func (*WebService) UpsertPassword ¶
func (s *WebService) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
UpsertPassword upserts new password and HOTP token
func (*WebService) UpsertPasswordHash ¶
func (s *WebService) UpsertPasswordHash(user string, hash []byte) error
UpsertPasswordHash upserts user password hash
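CheckPassword and CheckPasswordWOToken above differ by exactly one step: the former also consumes an HOTP token, and the counter that advances on success is the state UpsertHOTP persists. The program below is an added example, not the services package's code, showing both login paths over an in-memory store. It implements RFC 4226 HOTP with the standard library, uses a four-counter look-ahead window (an assumption; the page names no window), returns only the otpauth URL from UpsertPassword (the QR image the page also returns is omitted), and uses salted SHA-256 in place of whatever hash the real backend stores, since that choice belongs to whoever calls UpsertPasswordHash.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
)

// HOTP is the per-user token state the page persists with UpsertHOTP: the
// shared secret and the next counter value the server expects.
type HOTP struct {
	Secret  []byte
	Counter uint64
}

// lookAhead is how far past the expected counter the server will search, to
// resynchronise after tokens were generated but never submitted (assumption).
const lookAhead = 4

// hotpCode is RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter,
// dynamic truncation, then the low six decimal digits.
func hotpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	hs := mac.Sum(nil)
	off := hs[len(hs)-1] & 0x0f
	code := binary.BigEndian.Uint32(hs[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verify accepts token for counters Counter..Counter+lookAhead-1 and, on
// success, moves Counter past the match so the same token cannot be replayed.
func (h *HOTP) Verify(token string) bool {
	for i := uint64(0); i < lookAhead; i++ {
		if subtle.ConstantTimeCompare([]byte(hotpCode(h.Secret, h.Counter+i)), []byte(token)) == 1 {
			h.Counter += i + 1
			return true
		}
	}
	return false
}

// userRecord is what the page's backend holds per user.
type userRecord struct {
	salt, hash []byte
	hotp       *HOTP
}

// WebService is an in-memory stand-in for the page's backend-backed one.
type WebService struct{ users map[string]*userRecord }

// hashPassword is salted SHA-256 purely to stay inside the standard library;
// a password KDF (bcrypt, scrypt, argon2) is what a real service stores.
func hashPassword(salt, password []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// UpsertPassword stores a new password plus a fresh HOTP secret and returns
// the otpauth URL an authenticator app enrols from.
func (s *WebService) UpsertPassword(user string, password []byte) (hotpURL string, err error) {
	buf := make([]byte, 36)
	if _, err = rand.Read(buf); err != nil {
		return "", err
	}
	salt, secret := buf[:16], buf[16:]
	s.users[user] = &userRecord{salt: salt, hash: hashPassword(salt, password), hotp: &HOTP{Secret: secret}}
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://hotp/%s?secret=%s&counter=0", user, b32), nil
}

// CheckPasswordWOToken checks only the password. An unknown user is compared
// against a dummy record so response time does not reveal which names exist.
func (s *WebService) CheckPasswordWOToken(user string, password []byte) error {
	rec, ok := s.users[user]
	if !ok {
		rec = &userRecord{salt: make([]byte, 16), hash: make([]byte, 32)}
	}
	if subtle.ConstantTimeCompare(rec.hash, hashPassword(rec.salt, password)) != 1 || !ok {
		return errors.New("bad username or password")
	}
	return nil
}

// CheckPassword is the web/tsh login path: password first, then the HOTP
// token; the counter advance is what the page writes back with UpsertHOTP.
func (s *WebService) CheckPassword(user string, password []byte, hotpToken string) error {
	if err := s.CheckPasswordWOToken(user, password); err != nil {
		return err
	}
	if !s.users[user].hotp.Verify(hotpToken) {
		return errors.New("bad HOTP token")
	}
	return nil
}

func main() {
	s := &WebService{users: map[string]*userRecord{}}
	url, _ := s.UpsertPassword("alice", []byte("correct horse battery")) // constructed sample
	fmt.Println("enrol with:", url)
	tok := hotpCode(s.users["alice"].hotp.Secret, 0) // what the authenticator shows first
	fmt.Println("login:", s.CheckPassword("alice", []byte("correct horse battery"), tok))
	fmt.Println("replay:", s.CheckPassword("alice", []byte("correct horse battery"), tok))
}
```

Two details carry the security weight: the password is checked before the token so a wrong password never consumes a counter, and Verify advances the counter past the match, so a captured token is useless once it has been accepted. The RFC 4226 test vectors (secret "12345678901234567890", counter 0 gives 755224) are what the test below checks hotpCode against.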
func (*WebService) UpsertSignupToken ¶
func (s *WebService) UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error
UpsertSignupToken upserts a signup token - a one-time token that lets a user create a user account
func (*WebService) UpsertUser ¶
func (s *WebService) UpsertUser(user User) error
UpsertUser updates a user's parameters
func (*WebService) UpsertWebSession ¶
func (s *WebService) UpsertWebSession(user, sid string, session WebSession, ttl time.Duration) error
UpsertWebSession updates or inserts a web session for a user and session id
type WebSession ¶
type WebSession struct {
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}
WebSession stores the key pair and bearer token used to authenticate with SSH nodes on behalf of a user