Documentation ¶
Overview ¶
Package auth implements a certificate signing authority and access control server. The authority server is composed of several parts:
* The authority server itself, which implements the signing and ACL logic
* An HTTP server wrapper for the authority server
* An HTTP client wrapper
Index ¶
- Constants
- func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error)
- func HaveHostKeys(dataDir string, id IdentityID) (bool, error)
- func Init(cfg InitConfig) (*AuthServer, *Identity, error)
- func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error
- func NewAPIServer(config *APIConfig) http.Handler
- func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)
- func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)
- func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)
- func NewTracer() roundtrip.RequestTracer
- func NewValidateTrustedClusterAuth(token string) ([]ssh.AuthMethod, error)
- func NewWebPasswordAuth(user string, password []byte, otpToken string) ([]ssh.AuthMethod, error)
- func NewWebPasswordU2FSignAuth(user string, password []byte) ([]ssh.AuthMethod, error)
- func NewWebPasswordWithoutOTPAuth(user string, password []byte) ([]ssh.AuthMethod, error)
- func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)
- func NewWebU2FSignResponseAuth(user string, u2fSignResponse *u2f.SignResponse) ([]ssh.AuthMethod, error)
- func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error
- func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error
- func WriteIdentity(dataDir string, identity *Identity) error
- type APIConfig
- type APIServer
- type AccessPoint
- type AccessPointDialer
- type AgentCloser
- type AuthContext
- type AuthServer
- func (s *AuthServer) CheckOTP(user string, otpToken string) error
- func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error
- func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error
- func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error
- func (a *AuthServer) Close() error
- func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (s *AuthServer) CreateSignupToken(userv1 services.UserV1) (string, error)
- func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)
- func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)
- func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)
- func (s *AuthServer) DeleteNamespace(namespace string) error
- func (s *AuthServer) DeleteOIDCConnector(connectorName string) error
- func (a *AuthServer) DeleteRole(name string) error
- func (s *AuthServer) DeleteSAMLConnector(connectorName string) error
- func (s *AuthServer) DeleteToken(token string) (err error)
- func (a *AuthServer) DeleteTrustedCluster(name string) error
- func (a *AuthServer) DeleteUser(user string) error
- func (s *AuthServer) DeleteWebSession(user string, id string) error
- func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
- func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName, clusterName string, ...) ([]byte, error)
- func (s *AuthServer) GenerateServerKeys(hostID string, nodeName string, roles teleport.Roles) (*PackedKeys, error)
- func (s *AuthServer) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)
- func (s *AuthServer) GenerateUserCert(key []byte, user services.User, allowedLogins []string, ttl time.Duration, ...) ([]byte, error)
- func (a *AuthServer) GetDomainName() (string, error)
- func (s *AuthServer) GetOTPData(user string) (string, []byte, error)
- func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)
- func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)
- func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)
- func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)
- func (s *AuthServer) NewWebSession(userName string) (services.WebSession, error)
- func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)
- func (s *AuthServer) RegisterNewAuthServer(token string) error
- func (s *AuthServer) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
- func (a *AuthServer) SetClock(clock clockwork.Clock)
- func (s *AuthServer) SignIn(user string, password []byte) (services.WebSession, error)
- func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) error
- func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error
- func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)
- func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)
- func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error
- type AuthServerOption
- type AuthTunnel
- type AuthWithRoles
- func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error
- func (a *AuthWithRoles) Close() error
- func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error
- func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (a *AuthWithRoles) CreateRole(role services.Role, ttl time.Duration) error
- func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthWithRoles) CreateSession(s session.Session) error
- func (a *AuthWithRoles) CreateSignupToken(user services.UserV1) (token string, e error)
- func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
- func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
- func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)
- func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error
- func (a *AuthWithRoles) DeleteAllNamespaces() error
- func (a *AuthWithRoles) DeleteAllNodes(namespace string) error
- func (a *AuthWithRoles) DeleteAllProxies() error
- func (a *AuthWithRoles) DeleteAllReverseTunnels() error
- func (a *AuthWithRoles) DeleteAllRoles() error
- func (a *AuthWithRoles) DeleteAllUsers() error
- func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) DeleteNamespace(name string) error
- func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
- func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
- func (a *AuthWithRoles) DeleteRole(name string) error
- func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error
- func (a *AuthWithRoles) DeleteToken(token string) error
- func (a *AuthWithRoles) DeleteTrustedCluster(name string) error
- func (a *AuthWithRoles) DeleteUser(user string) error
- func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
- func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error
- func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)
- func (a *AuthWithRoles) GenerateHostCert(key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ...) ([]byte, error)
- func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (a *AuthWithRoles) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)
- func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
- func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)
- func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
- func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)
- func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error)
- func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)
- func (a *AuthWithRoles) GetDomainName() (string, error)
- func (a *AuthWithRoles) GetLocalClusterName() (string, error)
- func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)
- func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)
- func (a *AuthWithRoles) GetNodes(namespace string) ([]services.Server, error)
- func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
- func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)
- func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
- func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (a *AuthWithRoles) GetRole(name string) (services.Role, error)
- func (a *AuthWithRoles) GetRoles() ([]services.Role, error)
- func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
- func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
- func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)
- func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)
- func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)
- func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)
- func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)
- func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)
- func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)
- func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)
- func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)
- func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)
- func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (a *AuthWithRoles) GetUser(name string) (services.User, error)
- func (a *AuthWithRoles) GetUsers() ([]services.User, error)
- func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
- func (a *AuthWithRoles) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error
- func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error
- func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)
- func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
- func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
- func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)
- func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time) ([]events.EventFields, error)
- func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error
- func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error
- func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error
- func (a *AuthWithRoles) SignIn(user string, password []byte) (services.WebSession, error)
- func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
- func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error
- func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error
- func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error
- func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error
- func (a *AuthWithRoles) UpsertNode(s services.Server) error
- func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error
- func (a *AuthWithRoles) UpsertProxy(s services.Server) error
- func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error
- func (a *AuthWithRoles) UpsertRole(role services.Role, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error
- func (a *AuthWithRoles) UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) error
- func (a *AuthWithRoles) UpsertUser(u services.User) error
- func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
- func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- type Authority
- type Authorizer
- type Client
- func (c *Client) ActivateCertAuthority(id services.CertAuthID) error
- func (c *Client) CheckPassword(user string, password []byte, otpToken string) error
- func (c *Client) Close() error
- func (c *Client) CreateCertAuthority(ca services.CertAuthority) error
- func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (c *Client) CreateRole(role services.Role, ttl time.Duration) error
- func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error
- func (c *Client) CreateSession(sess session.Session) error
- func (c *Client) CreateSignupToken(user services.UserV1) (string, error)
- func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
- func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
- func (c *Client) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (c *Client) CreateWebSession(user string) (services.WebSession, error)
- func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error
- func (c *Client) Delete(u string) (*roundtrip.Response, error)
- func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error
- func (c *Client) DeleteAllNamespaces() error
- func (c *Client) DeleteAllNodes(namespace string) error
- func (c *Client) DeleteAllProxies() error
- func (c *Client) DeleteAllReverseTunnels() error
- func (c *Client) DeleteAllRoles() error
- func (c *Client) DeleteAllUsers() error
- func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
- func (c *Client) DeleteNamespace(name string) error
- func (c *Client) DeleteOIDCConnector(connectorID string) error
- func (c *Client) DeleteReverseTunnel(domainName string) error
- func (c *Client) DeleteRole(name string) error
- func (c *Client) DeleteSAMLConnector(connectorID string) error
- func (c *Client) DeleteSession(namespace, id string) error
- func (c *Client) DeleteToken(token string) error
- func (c *Client) DeleteTrustedCluster(name string) error
- func (c *Client) DeleteUser(user string) error
- func (c *Client) DeleteWebSession(user string, sid string) error
- func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error
- func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
- func (c *Client) GenerateHostCert(key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ...) ([]byte, error)
- func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (c *Client) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)
- func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)
- func (c *Client) GenerateUserCertBundle(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, []services.CertAuthorityV1, error)
- func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)
- func (c *Client) GetAuthPreference() (services.AuthPreference, error)
- func (c *Client) GetAuthServers() ([]services.Server, error)
- func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)
- func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool) (services.CertAuthority, error)
- func (c *Client) GetClusterName() (services.ClusterName, error)
- func (c *Client) GetDomainName() (string, error)
- func (c *Client) GetLocalClusterName() (string, error)
- func (c *Client) GetNamespace(name string) (*services.Namespace, error)
- func (c *Client) GetNamespaces() ([]services.Namespace, error)
- func (c *Client) GetNodes(namespace string) ([]services.Server, error)
- func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
- func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (c *Client) GetProxies() ([]services.Server, error)
- func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (c *Client) GetRole(name string) (services.Role, error)
- func (c *Client) GetRoles() ([]services.Role, error)
- func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
- func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
- func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)
- func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)
- func (c *Client) GetSessions(namespace string) ([]session.Session, error)
- func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)
- func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (c *Client) GetStaticTokens() (services.StaticTokens, error)
- func (c *Client) GetToken(token string) (*services.ProvisionToken, error)
- func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)
- func (c *Client) GetTransport() *http.Transport
- func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)
- func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)
- func (c *Client) GetU2FAppID() (string, error)
- func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (c *Client) GetUser(name string) (services.User, error)
- func (c *Client) GetUsers() ([]services.User, error)
- func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
- func (c *Client) PostForm(endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
- func (c *Client) PostJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error
- func (c *Client) PostSessionSlice(slice events.SessionSlice) error
- func (c *Client) PreAuthenticatedSignIn(user string) (services.WebSession, error)
- func (c *Client) PutJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) RegisterNewAuthServer(token string) error
- func (c *Client) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
- func (c *Client) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)
- func (c *Client) SearchSessionEvents(from, to time.Time) ([]events.EventFields, error)
- func (c *Client) SetAuthPreference(cap services.AuthPreference) error
- func (c *Client) SetClusterName(cn services.ClusterName) error
- func (c *Client) SetStaticTokens(st services.StaticTokens) error
- func (c *Client) SignIn(user string, password []byte) (services.WebSession, error)
- func (c *Client) UpdateSession(req session.UpdateRequest) error
- func (c *Client) UpsertAuthServer(s services.Server) error
- func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error
- func (c *Client) UpsertLocalClusterName(string) error
- func (c *Client) UpsertNamespace(ns services.Namespace) error
- func (c *Client) UpsertNode(s services.Server) error
- func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (c *Client) UpsertPassword(user string, password []byte) error
- func (c *Client) UpsertProxy(s services.Server) error
- func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error
- func (c *Client) UpsertRole(role services.Role, ttl time.Duration) error
- func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) error
- func (c *Client) UpsertUser(user services.User) error
- func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
- func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- type ClientI
- type Dialer
- type FakeSSHConnection
- func (conn *FakeSSHConnection) Close() error
- func (conn *FakeSSHConnection) LocalAddr() net.Addr
- func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)
- func (conn *FakeSSHConnection) RemoteAddr() net.Addr
- func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
- func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)
- type HandlerWithAuthFunc
- type Identity
- type IdentityID
- type IdentityService
- type InitConfig
- type OIDCAuthResponse
- type PackedKeys
- type ProvisioningService
- type SAMLAuthResponse
- type ServerOption
- type TunClient
- type TunClientOption
- type ValidateTrustedClusterRequest
- type ValidateTrustedClusterRequestRaw
- type ValidateTrustedClusterResponse
- type ValidateTrustedClusterResponseRaw
- type WebService
Constants ¶
const (
	// BearerTokenTTL specifies how long a standard bearer token exists
	// before it has to be renewed by the client.
	BearerTokenTTL = 10 * time.Minute

	// TokenLenBytes is the length in bytes of the invite token
	// (16 bytes = 128 bits).
	// NOTE(review): how the token bytes are generated is not visible here;
	// confirm they come from a cryptographically secure random source.
	TokenLenBytes = 16
)
const (
	// CurrentVersion is the current API version.
	CurrentVersion = services.V2

	// MissingNamespaceError is a _very_ common error message this file
	// generates.
	MissingNamespaceError = "missing required parameter: namespace"
)
const (
	// DialerRetryAttempts is the number of attempts the dialer makes to
	// connect to the remote destination.
	DialerRetryAttempts = 3

	// DialerPeriodBetweenAttempts is the period between retry attempts.
	DialerPeriodBetweenAttempts = time.Second
)
const (
	// Req* values are request names; all but ReqDirectTCPIP live in the
	// "@teleport" namespace.
	// NOTE(review): presumably SSH request types handled by the auth
	// tunnel; confirm against the code that uses them.
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	// Ext* values are keys in the "@teleport" namespace.
	// NOTE(review): presumably SSH permission extension keys; confirm.
	// ExtToken has the same string value as ReqProvision, so the two can
	// only be told apart by the context they are used in.
	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtWebU2F      = "web-u2f@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"
	ExtRole        = "role@teleport"
	ExtOrigin      = "origin@teleport"

	// Auth* values name authentication kinds.
	// NOTE(review): presumably they correspond to the New*Auth
	// constructors of this package (password, password without OTP, U2F,
	// web session, provisioning token, signup token, trusted cluster);
	// confirm. AuthWebPasswordWithoutOTP names a password-only path with no
	// second factor, so any code accepting it deserves a careful review.
	AuthWebPassword            = "password"
	AuthWebPasswordWithoutOTP  = "password-without-otp"
	AuthWebU2FSign             = "u2f-sign"
	AuthWebU2F                 = "u2f"
	AuthWebSession             = "session"
	AuthToken                  = "provision-token"
	AuthSignupToken            = "signup-token"
	AuthValidateTrustedCluster = "trusted-cluster"
)
Variables ¶
This section is empty.
Functions ¶
func GetCheckerForBuiltinRole ¶
func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error)
GetCheckerForBuiltinRole returns checkers for embedded builtin role
func HaveHostKeys ¶ added in v1.0.0
func HaveHostKeys(dataDir string, id IdentityID) (bool, error)
HaveHostKeys checks whether the host keys are in place
func Init ¶
func Init(cfg InitConfig) (*AuthServer, *Identity, error)
Init instantiates and configures an instance of AuthServer
func LocalRegister ¶ added in v1.0.0
func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error
LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.
func NewAPIServer ¶
NewAPIServer returns a new instance of APIServer HTTP handler
func NewHostAuth ¶
func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)
func NewSignupTokenAuth ¶
func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)
func NewTokenAuth ¶
func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)
func NewTracer ¶
func NewTracer() roundtrip.RequestTracer
NewTracer returns request tracer based on the logging level
func NewValidateTrustedClusterAuth ¶
func NewValidateTrustedClusterAuth(token string) ([]ssh.AuthMethod, error)
func NewWebPasswordAuth ¶
func NewWebPasswordU2FSignAuth ¶ added in v1.3.0
func NewWebPasswordU2FSignAuth(user string, password []byte) ([]ssh.AuthMethod, error)
NewWebPasswordU2FSignAuth is for getting a U2F sign challenge
func NewWebPasswordWithoutOTPAuth ¶
func NewWebPasswordWithoutOTPAuth(user string, password []byte) ([]ssh.AuthMethod, error)
func NewWebSessionAuth ¶
func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)
func NewWebU2FSignResponseAuth ¶ added in v1.3.0
func NewWebU2FSignResponseAuth(user string, u2fSignResponse *u2f.SignResponse) ([]ssh.AuthMethod, error)
NewWebU2FSignResponseAuth is for signing in with a U2F sign response
func Register ¶
func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error
Register is used to generate host keys when a node or proxy is running on a different host than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request.
func RegisterNewAuth ¶
func WriteIdentity ¶ added in v1.0.0
WriteIdentity writes identity keypair to disk
Types ¶
type APIConfig ¶ added in v1.0.0
// APIConfig is the configuration accepted by NewAPIServer.
type APIConfig struct {
	// AuthServer is the auth server the API is built around.
	AuthServer *AuthServer
	// SessionService is the session service.
	// NOTE(review): presumably backs the session endpoints; confirm.
	SessionService session.Service
	// AuditLog is the audit log.
	// NOTE(review): presumably receives the audit and session events
	// posted through the API; confirm.
	AuditLog events.IAuditLog
	// Authorizer is the authorizer.
	// NOTE(review): presumably decides what each caller may do; confirm
	// that every route goes through it.
	Authorizer Authorizer
}
type APIServer ¶
type APIServer struct {
	// APIConfig is embedded, so its fields (AuthServer, SessionService,
	// AuditLog, Authorizer) are reachable directly on APIServer.
	APIConfig
	// httprouter.Router is embedded, so APIServer exposes the router's
	// methods as its own.
	httprouter.Router
	// clockwork.Clock is embedded and provides the server's notion of time.
	clockwork.Clock
}
APIServer implements http API server for AuthServer interface
type AccessPoint ¶
type AccessPoint interface {
	// GetReverseTunnels returns a list of reverse tunnels
	GetReverseTunnels() ([]services.ReverseTunnel, error)

	// GetDomainName returns domain name AKA ("cluster name") of the auth
	// server / certificate authority (CA)
	GetDomainName() (string, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*services.Namespace, error)

	// GetNodes returns a list of registered servers in the given namespace
	GetNodes(namespace string) ([]services.Server, error)

	// UpsertNode registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	// NOTE(review): the signature has no ttl parameter; presumably the TTL
	// is carried by the services.Server value. Confirm.
	UpsertNode(s services.Server) error

	// UpsertProxy registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	// NOTE(review): as with UpsertNode, no ttl parameter is visible here.
	UpsertProxy(s services.Server) error

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetCertAuthorities returns a list of cert authorities
	// NOTE(review): Client.GetCertAuthority names the equivalent flag
	// loadSigningKeys, so loadKeys presumably controls whether signing keys
	// are returned; callers that only verify certificates should not need
	// them. Confirm.
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)
}
AccessPoint is an API interface implemented by a certificate authority (CA)
type AccessPointDialer ¶
AccessPointDialer dials to auth access point remote HTTP api
type AuthContext ¶
type AuthContext struct {
	// User is the user (a services.User value, not just the user name)
	User services.User
	// Checker is the access checker
	// NOTE(review): presumably the checker built from this user's roles;
	// confirm.
	Checker services.AccessChecker
}
AuthContext is the authorization context
type AuthServer ¶
type AuthServer struct {
	// Authority is embedded.
	// NOTE(review): presumably the key and certificate signing backend;
	// confirm.
	Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// The embedded services types below have their methods promoted onto
	// AuthServer, so calls such as UpsertNode or GetRole made directly on
	// an *AuthServer go to these services.
	// NOTE(review): the *AuthServer methods carry no caller identity in
	// their signatures; AuthWithRoles appears to be the role-checking
	// wrapper. Confirm that remote callers are routed through it.
	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	services.ClusterConfiguration
	// contains filtered or unexported fields
}
AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:
- generates the keypair for the node it's running on
- invites other SSH nodes to a cluster, by issuing invite tokens
- adds other SSH nodes to a cluster, by checking their token and signing their keys
- same for users and their sessions
- checks public keys to see if they're signed by it (can be trusted or not)
func NewAuthServer ¶
func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) *AuthServer
NewAuthServer creates and configures a new AuthServer instance
func (*AuthServer) CheckOTP ¶
func (s *AuthServer) CheckOTP(user string, otpToken string) error
CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.
func (*AuthServer) CheckPassword ¶
func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error
CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.
func (*AuthServer) CheckPasswordWOToken ¶
func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error
CheckPasswordWOToken checks only the password, without checking OTP tokens. It is used in the case of SSH authentication, when the token has already been validated.
func (*AuthServer) CheckU2FSignResponse ¶ added in v1.3.0
func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error
func (*AuthServer) Close ¶ added in v1.0.0
func (a *AuthServer) Close() error
func (*AuthServer) CreateOIDCAuthRequest ¶ added in v1.0.0
func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthServer) CreateSAMLAuthRequest ¶
func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
func (*AuthServer) CreateSignupToken ¶
func (s *AuthServer) CreateSignupToken(userv1 services.UserV1) (string, error)
CreateSignupToken creates a one-time token for creating an account for the user. For each token it creates a username and an OTP generator.
func (*AuthServer) CreateSignupU2FRegisterRequest ¶ added in v1.3.0
func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
func (*AuthServer) CreateUserWithOTP ¶
func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)
CreateUserWithOTP creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.
func (*AuthServer) CreateUserWithU2FToken ¶ added in v1.3.0
func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)
func (*AuthServer) CreateUserWithoutOTP ¶
func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
CreateUserWithoutOTP creates an account with the provided password and deletes the token afterwards.
func (*AuthServer) CreateWebSession ¶ added in v1.0.0
func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)
CreateWebSession creates a new web session for the user without any checks. It is used by admins, so access to it must be restricted accordingly.
func (*AuthServer) DeleteNamespace ¶
func (s *AuthServer) DeleteNamespace(namespace string) error
func (*AuthServer) DeleteOIDCConnector ¶
func (s *AuthServer) DeleteOIDCConnector(connectorName string) error
func (*AuthServer) DeleteRole ¶
func (a *AuthServer) DeleteRole(name string) error
func (*AuthServer) DeleteSAMLConnector ¶
func (s *AuthServer) DeleteSAMLConnector(connectorName string) error
func (*AuthServer) DeleteToken ¶
func (s *AuthServer) DeleteToken(token string) (err error)
func (*AuthServer) DeleteTrustedCluster ¶
func (a *AuthServer) DeleteTrustedCluster(name string) error
DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.
func (*AuthServer) DeleteUser ¶
func (a *AuthServer) DeleteUser(user string) error
func (*AuthServer) DeleteWebSession ¶
func (s *AuthServer) DeleteWebSession(user string, id string) error
func (*AuthServer) ExtendWebSession ¶ added in v1.0.0
func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user
func (*AuthServer) GenerateHostCert ¶
func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)
GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.
func (*AuthServer) GenerateServerKeys ¶ added in v1.0.0
func (s *AuthServer) GenerateServerKeys(hostID string, nodeName string, roles teleport.Roles) (*PackedKeys, error)
GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.
func (*AuthServer) GenerateToken ¶
func (*AuthServer) GenerateUserCert ¶
func (s *AuthServer) GenerateUserCert(key []byte, user services.User, allowedLogins []string, ttl time.Duration, canForwardAgents bool, compatibility string) ([]byte, error)
GenerateUserCert generates user certificate, it takes pkey as a signing private key (user certificate authority)
func (*AuthServer) GetDomainName ¶ added in v1.2.6
func (a *AuthServer) GetDomainName() (string, error)
GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"
func (*AuthServer) GetOTPData ¶
func (s *AuthServer) GetOTPData(user string) (string, []byte, error)
GetOTPData returns the OTP Key, Key URL, and the QR code.
func (*AuthServer) GetSignupTokenData ¶
func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)
GetSignupTokenData returns token data for a valid token
func (*AuthServer) GetTokens ¶ added in v1.0.0
func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)
GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role
func (*AuthServer) GetWebSession ¶
func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)
func (*AuthServer) GetWebSessionInfo ¶ added in v1.0.0
func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)
func (*AuthServer) NewWebSession ¶
func (s *AuthServer) NewWebSession(userName string) (services.WebSession, error)
func (*AuthServer) PreAuthenticatedSignIn ¶ added in v1.3.0
func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)
PreAuthenticatedSignIn is for 2-way authentication methods like U2F, where the password is already checked before issuing the second factor challenge.
func (*AuthServer) RegisterNewAuthServer ¶
func (s *AuthServer) RegisterNewAuthServer(token string) error
func (*AuthServer) RegisterUsingToken ¶
func (s *AuthServer) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).
If a token was generated with a TTL, the TTL is enforced (new nodes cannot register after the TTL expires). If a token was generated with TTL=0, it is a single-use token and it is destroyed after a successful registration.
func (*AuthServer) SetClock ¶
func (a *AuthServer) SetClock(clock clockwork.Clock)
SetClock sets clock, used in tests
func (*AuthServer) SignIn ¶
func (s *AuthServer) SignIn(user string, password []byte) (services.WebSession, error)
func (*AuthServer) U2FSignRequest ¶ added in v1.3.0
func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
func (*AuthServer) UpsertOIDCConnector ¶
func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error
func (*AuthServer) UpsertSAMLConnector ¶
func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error
func (*AuthServer) UpsertTrustedCluster ¶
func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) error
UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.
func (*AuthServer) UpsertWebSession ¶
func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error
func (*AuthServer) ValidateOIDCAuthCallback ¶ added in v1.0.0
func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error
func (*AuthServer) ValidateSAMLResponse ¶
func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)
ValidateSAMLResponse consumes attribute statements from SAML identity provider
func (*AuthServer) ValidateToken ¶
func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)
ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found
func (*AuthServer) WithUserLock ¶
func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error
WithUserLock executes the function authenticateFn, which performs user authentication. If authenticateFn returns a non-nil error, the login attempt is recorded as failed. The only exception to this rule is ConnectionProblemError: if it occurs, access is denied but the login attempt is not recorded. This is done to avoid potential user lockouts due to backend failures. If the user exceeds defaults.MaxLoginAttempts, the user account is locked for defaults.AccountLockInterval.
type AuthServerOption ¶ added in v1.0.0
type AuthServerOption func(*AuthServer)
AuthServerOption allows setting options as functional arguments to AuthServer
type AuthTunnel ¶ added in v1.0.0
type AuthTunnel struct {
// contains filtered or unexported fields
}
AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then establishes an SSH tunnel which HTTP requests travel over. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.
Use auth.TunClient to connect to AuthTunnel
func NewTunnel ¶ added in v1.0.0
func NewTunnel(addr utils.NetAddr, hostSigner ssh.Signer, apiConf *APIConfig, opts ...ServerOption) (tunnel *AuthTunnel, err error)
NewTunnel creates a new SSH tunnel server which is not started yet. This is how the "site API" (aka "auth API") is served: by creating a "tunnel server" which serves HTTP via SSH.
func (*AuthTunnel) Addr ¶ added in v1.0.0
func (s *AuthTunnel) Addr() string
func (*AuthTunnel) Close ¶ added in v1.0.0
func (s *AuthTunnel) Close() error
func (*AuthTunnel) HandleNewChan ¶ added in v1.0.0
func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)
HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established
func (*AuthTunnel) Start ¶ added in v1.0.0
func (s *AuthTunnel) Start() error
type AuthWithRoles ¶
type AuthWithRoles struct {
// contains filtered or unexported fields
}
func NewAuthWithRoles ¶
func NewAuthWithRoles(authServer *AuthServer, checker services.AccessChecker, user services.User, sessions session.Service, alog events.IAuditLog) *AuthWithRoles
NewAuthWithRoles creates new auth server with access control
func (*AuthWithRoles) ActivateCertAuthority ¶
func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) CheckPassword ¶
func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error
func (*AuthWithRoles) Close ¶
func (a *AuthWithRoles) Close() error
func (*AuthWithRoles) CreateCertAuthority ¶
func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error
func (*AuthWithRoles) CreateOIDCAuthRequest ¶ added in v1.0.0
func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthWithRoles) CreateRole ¶
CreateRole creates a role.
func (*AuthWithRoles) CreateSAMLAuthRequest ¶
func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
func (*AuthWithRoles) CreateSAMLConnector ¶
func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error
func (*AuthWithRoles) CreateSession ¶ added in v1.0.0
func (a *AuthWithRoles) CreateSession(s session.Session) error
func (*AuthWithRoles) CreateSignupToken ¶
func (a *AuthWithRoles) CreateSignupToken(user services.UserV1) (token string, e error)
func (*AuthWithRoles) CreateUserWithOTP ¶
func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
func (*AuthWithRoles) CreateUserWithU2FToken ¶ added in v1.3.0
func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
func (*AuthWithRoles) CreateUserWithoutOTP ¶
func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
func (*AuthWithRoles) CreateWebSession ¶ added in v1.0.0
func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)
func (*AuthWithRoles) DeactivateCertAuthority ¶
func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) DeleteAllCertAuthorities ¶
func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error
DeleteAllCertAuthorities deletes all certificate authorities of a certain type
func (*AuthWithRoles) DeleteAllNamespaces ¶
func (a *AuthWithRoles) DeleteAllNamespaces() error
DeleteAllNamespaces deletes all namespaces
func (*AuthWithRoles) DeleteAllNodes ¶
func (a *AuthWithRoles) DeleteAllNodes(namespace string) error
DeleteAllNodes deletes all nodes in a given namespace
func (*AuthWithRoles) DeleteAllProxies ¶
func (a *AuthWithRoles) DeleteAllProxies() error
DeleteAllProxies deletes all proxies
func (*AuthWithRoles) DeleteAllReverseTunnels ¶
func (a *AuthWithRoles) DeleteAllReverseTunnels() error
DeleteAllReverseTunnels deletes all reverse tunnels
func (*AuthWithRoles) DeleteAllRoles ¶
func (a *AuthWithRoles) DeleteAllRoles() error
DeleteAllRoles deletes all roles
func (*AuthWithRoles) DeleteAllUsers ¶
func (a *AuthWithRoles) DeleteAllUsers() error
DeleteAllUsers deletes all users
func (*AuthWithRoles) DeleteCertAuthority ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) DeleteNamespace ¶
func (a *AuthWithRoles) DeleteNamespace(name string) error
DeleteNamespace deletes namespace by name
func (*AuthWithRoles) DeleteOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
func (*AuthWithRoles) DeleteReverseTunnel ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
func (*AuthWithRoles) DeleteRole ¶
func (a *AuthWithRoles) DeleteRole(name string) error
DeleteRole deletes role by name
func (*AuthWithRoles) DeleteSAMLConnector ¶
func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error
func (*AuthWithRoles) DeleteToken ¶ added in v1.0.0
func (a *AuthWithRoles) DeleteToken(token string) error
func (*AuthWithRoles) DeleteTrustedCluster ¶
func (a *AuthWithRoles) DeleteTrustedCluster(name string) error
func (*AuthWithRoles) DeleteUser ¶
func (a *AuthWithRoles) DeleteUser(user string) error
func (*AuthWithRoles) DeleteWebSession ¶
func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
func (*AuthWithRoles) EmitAuditEvent ¶ added in v1.0.0
func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error
func (*AuthWithRoles) ExtendWebSession ¶ added in v1.0.0
func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)
func (*AuthWithRoles) GenerateHostCert ¶
func (*AuthWithRoles) GenerateKeyPair ¶
func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
func (*AuthWithRoles) GenerateToken ¶
func (*AuthWithRoles) GenerateUserCert ¶
func (*AuthWithRoles) GetAuthPreference ¶
func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)
func (*AuthWithRoles) GetAuthServers ¶ added in v1.0.0
func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
func (*AuthWithRoles) GetCertAuthorities ¶ added in v1.0.0
func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)
func (*AuthWithRoles) GetCertAuthority ¶
func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error)
func (*AuthWithRoles) GetClusterName ¶
func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)
GetClusterName gets the name of the cluster.
func (*AuthWithRoles) GetDomainName ¶ added in v1.2.6
func (a *AuthWithRoles) GetDomainName() (string, error)
func (*AuthWithRoles) GetLocalClusterName ¶
func (a *AuthWithRoles) GetLocalClusterName() (string, error)
func (*AuthWithRoles) GetNamespace ¶
func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)
GetNamespace returns namespace by name
func (*AuthWithRoles) GetNamespaces ¶
func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)
GetNamespaces returns a list of namespaces
func (*AuthWithRoles) GetNodes ¶ added in v1.0.0
func (a *AuthWithRoles) GetNodes(namespace string) ([]services.Server, error)
func (*AuthWithRoles) GetOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
func (*AuthWithRoles) GetOIDCConnectors ¶ added in v1.0.0
func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
func (*AuthWithRoles) GetOTPData ¶
func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)
func (*AuthWithRoles) GetProxies ¶ added in v1.0.0
func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
func (*AuthWithRoles) GetReverseTunnels ¶ added in v1.0.0
func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
func (*AuthWithRoles) GetRole ¶
func (a *AuthWithRoles) GetRole(name string) (services.Role, error)
GetRole returns role by name
func (*AuthWithRoles) GetRoles ¶
func (a *AuthWithRoles) GetRoles() ([]services.Role, error)
GetRoles returns a list of roles
func (*AuthWithRoles) GetSAMLConnector ¶
func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
func (*AuthWithRoles) GetSAMLConnectors ¶
func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
func (*AuthWithRoles) GetSession ¶
func (*AuthWithRoles) GetSessionChunk ¶ added in v1.0.0
func (*AuthWithRoles) GetSessionEvents ¶ added in v1.0.0
func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)
func (*AuthWithRoles) GetSessions ¶
func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)
func (*AuthWithRoles) GetSignupToken ¶
func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)
func (*AuthWithRoles) GetSignupTokenData ¶
func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)
func (*AuthWithRoles) GetSignupU2FRegisterRequest ¶ added in v1.3.0
func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
func (*AuthWithRoles) GetStaticTokens ¶
func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*AuthWithRoles) GetToken ¶
func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)
func (*AuthWithRoles) GetTokens ¶ added in v1.0.0
func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)
func (*AuthWithRoles) GetTrustedCluster ¶
func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)
func (*AuthWithRoles) GetTrustedClusters ¶
func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)
func (*AuthWithRoles) GetU2FSignRequest ¶ added in v1.3.0
func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
func (*AuthWithRoles) GetUser ¶ added in v1.0.0
func (a *AuthWithRoles) GetUser(name string) (services.User, error)
func (*AuthWithRoles) GetWebSessionInfo ¶ added in v1.0.0
func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
func (*AuthWithRoles) PostSessionChunk ¶ added in v1.0.0
func (*AuthWithRoles) PostSessionSlice ¶
func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error
func (*AuthWithRoles) PreAuthenticatedSignIn ¶ added in v1.3.0
func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)
func (*AuthWithRoles) RegisterNewAuthServer ¶
func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
func (*AuthWithRoles) RegisterUsingToken ¶
func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
func (*AuthWithRoles) SearchEvents ¶ added in v1.0.0
func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)
func (*AuthWithRoles) SearchSessionEvents ¶
func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time) ([]events.EventFields, error)
func (*AuthWithRoles) SetAuthPreference ¶
func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error
func (*AuthWithRoles) SetClusterName ¶
func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error
SetClusterName sets the name of the cluster. SetClusterName can only be called once.
func (*AuthWithRoles) SetStaticTokens ¶
func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error
SetStaticTokens sets the list of static tokens used to provision nodes.
func (*AuthWithRoles) SignIn ¶
func (a *AuthWithRoles) SignIn(user string, password []byte) (services.WebSession, error)
func (*AuthWithRoles) UpdateSession ¶ added in v1.0.0
func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
func (*AuthWithRoles) UpsertAuthServer ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error
func (*AuthWithRoles) UpsertCertAuthority ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error
func (*AuthWithRoles) UpsertLocalClusterName ¶
func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error
func (*AuthWithRoles) UpsertNamespace ¶
func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error
UpsertNamespace upserts namespace
func (*AuthWithRoles) UpsertNode ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertNode(s services.Server) error
func (*AuthWithRoles) UpsertOIDCConnector ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error
func (*AuthWithRoles) UpsertPassword ¶
func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error
func (*AuthWithRoles) UpsertProxy ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertProxy(s services.Server) error
func (*AuthWithRoles) UpsertReverseTunnel ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error
func (*AuthWithRoles) UpsertRole ¶
UpsertRole creates or updates role
func (*AuthWithRoles) UpsertSAMLConnector ¶
func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error
func (*AuthWithRoles) UpsertTOTP ¶
func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error
func (*AuthWithRoles) UpsertToken ¶
func (*AuthWithRoles) UpsertTrustedCluster ¶
func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) error
func (*AuthWithRoles) UpsertUser ¶ added in v1.0.0
func (a *AuthWithRoles) UpsertUser(u services.User) error
func (*AuthWithRoles) ValidateOIDCAuthCallback ¶ added in v1.0.0
func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
func (*AuthWithRoles) ValidateSAMLResponse ¶
func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
func (*AuthWithRoles) ValidateTrustedCluster ¶
func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
type Authority ¶
// Authority is the key-management interface: it generates key pairs and
// host and user certificates.
type Authority interface {
	// GenerateKeyPair generates a new keypair and returns the private and
	// public key.
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)

	// GetNewKeyPairFromPool returns a new keypair from the pre-generated in-memory pool.
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert takes the private key of the CA, public key of the new host,
	// along with metadata (host ID, node name, cluster name, roles, and ttl) and generates
	// a host certificate.
	GenerateHostCert(certParams services.HostCertParams) ([]byte, error)

	// GenerateUserCert generates a user certificate; it takes pkey as the signing
	// private key (user certificate authority).
	GenerateUserCert(certParams services.UserCertParams) ([]byte, error)
}
Authority implements minimal key-management facility for generating OpenSSH compatible public/private key pairs and OpenSSH certificates
type Authorizer ¶
// Authorizer authorizes an identity and returns the resulting AuthContext.
type Authorizer interface {
	// Authorize authorizes the user based on the identity supplied via ctx.
	// It returns the AuthContext for that user, or an error.
	Authorize(ctx context.Context) (*AuthContext, error)
}
Authorizer authorizes identity and returns auth context
func NewAuthorizer ¶
func NewAuthorizer(access services.Access, identity services.Identity, trust services.Trust) (Authorizer, error)
NewAuthorizer returns new authorizer using backends
func NewRoleAuthorizer ¶
func NewRoleAuthorizer(r teleport.Role) (Authorizer, error)
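NewRoleAuthorizer returns an Authorizer that authorizes everyone as the predefined role. It does not distinguish between callers, so it is suitable only where every caller is already trusted to hold that role.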
func NewUserAuthorizer ¶
func NewUserAuthorizer(username string, identity services.Identity, access services.Access) (Authorizer, error)
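NewUserAuthorizer returns an Authorizer that authorizes everyone as the predefined local user. It does not distinguish between callers, so it is suitable only where every caller is already trusted to act as that user.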
type Client ¶
Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.
When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go
func NewClient ¶
NewClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH
func (*Client) ActivateCertAuthority ¶
func (c *Client) ActivateCertAuthority(id services.CertAuthID) error
ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.
func (*Client) CheckPassword ¶
CheckPassword checks if the supplied web access password is valid.
func (*Client) CreateCertAuthority ¶
func (c *Client) CreateCertAuthority(ca services.CertAuthority) error
CreateCertAuthority inserts new cert authority
func (*Client) CreateOIDCAuthRequest ¶ added in v1.0.0
func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
CreateOIDCAuthRequest creates OIDCAuthRequest
func (*Client) CreateRole ¶
CreateRole creates a role.
func (*Client) CreateSAMLAuthRequest ¶
func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
CreateSAMLAuthRequest creates SAML AuthnRequest
func (*Client) CreateSAMLConnector ¶
func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error
CreateSAMLConnector creates SAML connector
func (*Client) CreateSession ¶ added in v1.0.0
CreateSession creates new session
func (*Client) CreateSignupToken ¶
CreateSignupToken creates a one-time token for creating an account for the user. For each token it creates a username and an OTP generator.
func (*Client) CreateUserWithOTP ¶
func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
CreateUserWithOTP creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.
func (*Client) CreateUserWithU2FToken ¶ added in v1.3.0
func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
CreateUserWithU2FToken creates a user account with the provided token and U2F register response
func (*Client) CreateUserWithoutOTP ¶
CreateUserWithoutOTP validates a given token, creates a user with the given password, and deletes the token afterwards.
func (*Client) CreateWebSession ¶ added in v1.0.0
func (c *Client) CreateWebSession(user string) (services.WebSession, error)
CreateWebSession creates a new web session for a user
func (*Client) DeactivateCertAuthority ¶
func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error
DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.
func (*Client) DeleteAllCertAuthorities ¶
func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error
DeleteAllCertAuthorities deletes all certificate authorities of a certain type
func (*Client) DeleteAllNamespaces ¶
DeleteAllNamespaces deletes all namespaces
func (*Client) DeleteAllNodes ¶
DeleteAllNodes deletes all nodes in a given namespace
func (*Client) DeleteAllProxies ¶
DeleteAllProxies deletes all proxies
func (*Client) DeleteAllReverseTunnels ¶
DeleteAllReverseTunnels deletes all reverse tunnels
func (*Client) DeleteAllRoles ¶
DeleteAllRoles deletes all roles
func (*Client) DeleteAllUsers ¶
DeleteAllUsers deletes all users
func (*Client) DeleteCertAuthority ¶ added in v1.0.0
func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
DeleteCertAuthority deletes cert authority by ID
func (*Client) DeleteNamespace ¶
DeleteNamespace deletes namespace by name
func (*Client) DeleteOIDCConnector ¶ added in v1.0.0
DeleteOIDCConnector deletes OIDC connector by ID
func (*Client) DeleteReverseTunnel ¶ added in v1.0.0
DeleteReverseTunnel deletes reverse tunnel by domain name
func (*Client) DeleteRole ¶
DeleteRole deletes role by name
func (*Client) DeleteSAMLConnector ¶
DeleteSAMLConnector deletes SAML connector by ID
func (*Client) DeleteSession ¶
DeleteSession deletes a session by ID
func (*Client) DeleteToken ¶ added in v1.0.0
DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token
func (*Client) DeleteTrustedCluster ¶
func (*Client) DeleteUser ¶
DeleteUser deletes a user by username
func (*Client) DeleteWebSession ¶
DeleteWebSession deletes a web session for this user by id
func (*Client) EmitAuditEvent ¶ added in v1.0.0
func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error
EmitAuditEvent sends an auditable event to the auth server (part of the events.IAuditLog interface)
func (*Client) ExtendWebSession ¶ added in v1.0.0
ExtendWebSession creates a new web session for a user based on another valid web session
func (*Client) GenerateHostCert ¶
func (c *Client) GenerateHostCert( key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)
GenerateHostCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using the Host Certificate Authority private key and returns the resulting certificate.
func (*Client) GenerateKeyPair ¶
GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.
func (*Client) GenerateToken ¶
GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.
This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.
The token can be used only once.
func (*Client) GenerateUserCert ¶
func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)
GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*Client) GenerateUserCertBundle ¶
func (c *Client) GenerateUserCertBundle(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, []services.CertAuthorityV1, error)
GenerateUserCertBundle takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate. It also includes the host certificate that can be added to the known_hosts file.
func (*Client) GetAuthPreference ¶
func (c *Client) GetAuthPreference() (services.AuthPreference, error)
func (*Client) GetAuthServers ¶ added in v1.0.0
GetAuthServers returns the list of auth servers registered in the cluster.
func (*Client) GetCertAuthorities ¶ added in v1.0.0
func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)
GetCertAuthorities returns a list of certificate authorities
func (*Client) GetCertAuthority ¶
func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool) (services.CertAuthority, error)
GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded
func (*Client) GetClusterName ¶
func (c *Client) GetClusterName() (services.ClusterName, error)
func (*Client) GetDomainName ¶ added in v1.2.6
GetDomainName returns local auth domain of the current auth server
func (*Client) GetLocalClusterName ¶
GetLocalClusterName returns local cluster name
func (*Client) GetNamespace ¶
GetNamespace returns namespace by name
func (*Client) GetNamespaces ¶
GetNamespaces returns a list of namespaces
func (*Client) GetNodes ¶ added in v1.0.0
GetNodes returns the list of servers registered in the cluster.
func (*Client) GetOIDCConnector ¶ added in v1.0.0
GetOIDCConnector returns OIDC connector information by id
func (*Client) GetOIDCConnectors ¶ added in v1.0.0
func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
GetOIDCConnectors gets the list of OIDC connectors
func (*Client) GetProxies ¶ added in v1.0.0
GetProxies returns the list of proxies registered in the cluster.
func (*Client) GetReverseTunnels ¶ added in v1.0.0
func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
GetReverseTunnels returns the list of created reverse tunnels
func (*Client) GetSAMLConnector ¶
GetSAMLConnector returns SAML connector information by id
func (*Client) GetSAMLConnectors ¶
func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
GetSAMLConnectors gets SAML connectors list
func (*Client) GetSession ¶
GetSession returns a session by ID
func (*Client) GetSessionChunk ¶ added in v1.0.0
func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from offsetBytes, up to maxBytes in length. The upper bound of maxBytes is set to events.MaxChunkBytes
func (*Client) GetSessionEvents ¶ added in v1.0.0
func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)
GetSessionEvents returns the events that happened during a session, sorted by time (oldest first).
afterN filters for events newer than N, where N is the cursor ID of the previously returned batch (useful when polling for the latest events).
This function is usually used in conjunction with GetSessionReader to replay recorded session streams.
func (*Client) GetSessions ¶
GetSessions returns a list of active sessions in the cluster as reported by auth server
func (*Client) GetSignupTokenData ¶
GetSignupTokenData returns token data for a valid token
func (*Client) GetSignupU2FRegisterRequest ¶ added in v1.3.0
func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
GetSignupU2FRegisterRequest generates a U2F register request for a user trying to sign up with an invite token
func (*Client) GetStaticTokens ¶
func (c *Client) GetStaticTokens() (services.StaticTokens, error)
func (*Client) GetToken ¶
func (c *Client) GetToken(token string) (*services.ProvisionToken, error)
GetToken returns provisioning token
func (*Client) GetTokens ¶ added in v1.0.0
func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)
GetTokens returns a list of active invitation tokens for nodes and users
func (*Client) GetTransport ¶ added in v1.0.0
func (*Client) GetTrustedCluster ¶
func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)
func (*Client) GetTrustedClusters ¶
func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)
func (*Client) GetU2FAppID ¶ added in v1.3.0
GetU2FAppID returns U2F settings, like App ID and Facets
func (*Client) GetU2FSignRequest ¶ added in v1.3.0
GetU2FSignRequest generates request for user trying to authenticate with U2F token
func (*Client) GetUser ¶ added in v1.0.0
GetUser returns user by name
func (*Client) GetWebSessionInfo ¶ added in v1.0.0
GetWebSessionInfo checks if a web session is valid and returns the session id if it is, or an error otherwise.
func (*Client) PostForm ¶
func (c *Client) PostForm( endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
PostForm is a generic method that issues http POST request to the server
func (*Client) PostJSON ¶ added in v1.0.0
PostJSON is a generic method that issues http POST request to the server
func (*Client) PostSessionChunk ¶ added in v1.0.0
PostSessionChunk allows clients to submit session stream chunks to the audit log (part of events.IAuditLog interface)
The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)
func (*Client) PostSessionSlice ¶
func (c *Client) PostSessionSlice(slice events.SessionSlice) error
PostSessionSlice allows clients to submit session stream chunks to the audit log (part of events.IAuditLog interface)
The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)
func (*Client) PreAuthenticatedSignIn ¶ added in v1.3.0
func (c *Client) PreAuthenticatedSignIn(user string) (services.WebSession, error)
PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge. The method itself takes only the user name, so it relies on that earlier check having succeeded.
func (*Client) PutJSON ¶ added in v1.0.0
PutJSON is a generic method that issues http PUT request to the server
func (*Client) RegisterNewAuthServer ¶
RegisterNewAuthServer is used to register new auth server with token
func (*Client) RegisterUsingToken ¶
func (c *Client) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error)
RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.
func (*Client) SearchEvents ¶ added in v1.0.0
SearchEvents returns events that fit the criteria
func (*Client) SearchSessionEvents ¶
SearchSessionEvents returns session related events to find completed sessions.
func (*Client) SetAuthPreference ¶
func (c *Client) SetAuthPreference(cap services.AuthPreference) error
func (*Client) SetClusterName ¶
func (c *Client) SetClusterName(cn services.ClusterName) error
func (*Client) SetStaticTokens ¶
func (c *Client) SetStaticTokens(st services.StaticTokens) error
func (*Client) SignIn ¶
SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.
func (*Client) UpdateSession ¶ added in v1.0.0
func (c *Client) UpdateSession(req session.UpdateRequest) error
UpdateSession updates existing session
func (*Client) UpsertAuthServer ¶ added in v1.0.0
UpsertAuthServer is used by auth servers to report their presence to other auth servers in the form of a heartbeat expiring after the ttl period.
func (*Client) UpsertCertAuthority ¶ added in v1.0.0
func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error
UpsertCertAuthority updates or inserts new cert authority
func (*Client) UpsertLocalClusterName ¶
UpsertLocalClusterName upserts local cluster name
func (*Client) UpsertNamespace ¶
UpsertNamespace upserts namespace
func (*Client) UpsertNode ¶ added in v1.0.0
UpsertNode is used by SSH servers to report their presence to the auth servers in the form of a heartbeat expiring after the ttl period.
func (*Client) UpsertOIDCConnector ¶ added in v1.0.0
func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error
UpsertOIDCConnector updates or creates OIDC connector
func (*Client) UpsertPassword ¶
UpsertPassword updates web access password for the user
func (*Client) UpsertProxy ¶ added in v1.0.0
UpsertProxy is used by proxies to report their presence to other auth servers in the form of a heartbeat expiring after the ttl period.
func (*Client) UpsertReverseTunnel ¶ added in v1.0.0
func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error
UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions
func (*Client) UpsertRole ¶
UpsertRole creates or updates role
func (*Client) UpsertSAMLConnector ¶
func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error
UpsertSAMLConnector updates or creates SAML connector
func (*Client) UpsertTrustedCluster ¶
func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) error
func (*Client) UpsertUser ¶ added in v1.0.0
UpsertUser updates or inserts user entry
func (*Client) ValidateOIDCAuthCallback ¶ added in v1.0.0
func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
func (*Client) ValidateSAMLResponse ¶
func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates response returned by SAML identity provider
func (*Client) ValidateTrustedCluster ¶
func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
type ClientI ¶
type ClientI interface { IdentityService ProvisioningService services.Trust events.IAuditLog services.Presence services.Access WebService session.Service services.ClusterConfiguration ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error) GetDomainName() (string, error) }
ClientI is a client to Auth service
type FakeSSHConnection ¶ added in v1.0.0
type FakeSSHConnection struct {
// contains filtered or unexported fields
}
FakeSSHConnection implements the net.Conn interface on top of the ssh.Channel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection
func (*FakeSSHConnection) Close ¶ added in v1.0.0
func (conn *FakeSSHConnection) Close() error
func (*FakeSSHConnection) LocalAddr ¶ added in v1.0.0
func (conn *FakeSSHConnection) LocalAddr() net.Addr
func (*FakeSSHConnection) Read ¶ added in v1.0.0
func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)
func (*FakeSSHConnection) RemoteAddr ¶ added in v1.0.0
func (conn *FakeSSHConnection) RemoteAddr() net.Addr
func (*FakeSSHConnection) SetDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
SetDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetReadDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
SetReadDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetWriteDeadline ¶ added in v1.0.0
func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
SetWriteDeadline is needed to implement net.Conn interface
type HandlerWithAuthFunc ¶
type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)
HandlerWithAuthFunc is http handler with passed auth context
type Identity ¶ added in v1.0.0
type Identity struct { ID IdentityID KeyBytes []byte CertBytes []byte KeySigner ssh.Signer Cert *ssh.Certificate AuthorityDomain string }
Identity is a collection of certificates and signers that represent identity
func ReadIdentity ¶ added in v1.0.0
func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)
ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).
func ReadIdentityFromKeyPair ¶ added in v1.0.0
ReadIdentityFromKeyPair reads identity from initialized keypair
type IdentityID ¶ added in v1.0.0
IdentityID is a combination of role, host UUID, and node name.
func (*IdentityID) Equals ¶ added in v1.0.0
func (id *IdentityID) Equals(other IdentityID) bool
Equals returns true if two identities are equal
func (*IdentityID) String ¶ added in v1.0.0
func (id *IdentityID) String() string
String returns debug friendly representation of this identity
type IdentityService ¶
type IdentityService interface { // UpsertPassword updates web access password for the user UpsertPassword(user string, password []byte) error // UpsertOIDCConnector updates or creates OIDC connector UpsertOIDCConnector(connector services.OIDCConnector) error // GetOIDCConnector returns OIDC connector information by id GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error) // GetOIDCConnector gets OIDC connectors list GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error) // DeleteOIDCConnector deletes OIDC connector by ID DeleteOIDCConnector(connectorID string) error // CreateOIDCAuthRequest creates OIDCAuthRequest CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error) // ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error) // CreateSAMLConnector creates SAML connector CreateSAMLConnector(connector services.SAMLConnector) error // UpsertSAMLConnector updates or creates SAML connector UpsertSAMLConnector(connector services.SAMLConnector) error // GetSAMLConnector returns SAML connector information by id GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error) // GetSAMLConnector gets SAML connectors list GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error) // DeleteSAMLConnector deletes SAML connector by ID DeleteSAMLConnector(connectorID string) error // CreateSAMLAuthRequest creates SAML AuthnRequest CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error) // ValidateSAMLResponse validates SAML auth response ValidateSAMLResponse(re string) (*SAMLAuthResponse, error) // GetU2FSignRequest generates request for user trying to authenticate with U2F token GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error) // GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token 
GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error) // CreateUserWithU2FToken creates user account with provided token and U2F sign response CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error) // PreAuthenticatedSignIn is used get web session for a user that is already authenticated PreAuthenticatedSignIn(user string) (services.WebSession, error) // GetUser returns user by name GetUser(name string) (services.User, error) // UpsertUser user updates or inserts user entry UpsertUser(user services.User) error // DeleteUser deletes a user by username DeleteUser(user string) error // GetUsers returns a list of usernames registered in the system GetUsers() ([]services.User, error) // CheckPassword checks if the suplied web access password is valid. CheckPassword(user string, password []byte, otpToken string) error // SignIn checks if the web access password is valid, and if it is valid // returns a secure web session id. SignIn(user string, password []byte) (services.WebSession, error) // CreateUserWithOTP creates account with provided token and password. // Account username and OTP key are taken from token data. // Deletes token after account creation. CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error) // CreateUserWithoutOTP validates a given token creates a user // with the given password and deletes the token afterwards. CreateUserWithoutOTP(token string, password string) (services.WebSession, error) // GenerateToken creates a special provisioning token for a new SSH server // that is valid for ttl period seconds. // // This token is used by SSH server to authenticate with Auth server // and get signed certificate and private key from the auth server. // // The token can be used only once. 
GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error) // GenerateKeyPair generates SSH private/public key pair optionally protected // by password. If the pass parameter is an empty string, the key pair // is not password-protected. GenerateKeyPair(pass string) ([]byte, []byte, error) // GenerateHostCert takes the public key in the Open SSH “authorized_keys“ // plain text format, signs it using Host Certificate Authority private key and returns the // resulting certificate. GenerateHostCert(key []byte, hostID, nodeName, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error) // GenerateUserCert takes the public key in the OpenSSH `authorized_keys` // plain text format, signs it using User Certificate Authority signing key and returns the // resulting certificate. GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error) // GetSignupTokenData returns token data for a valid token GetSignupTokenData(token string) (user string, otpQRCode []byte, e error) // CreateSignupToken creates one time token for creating account for the user // For each token it creates username and OTP key CreateSignupToken(user services.UserV1) (string, error) }
IdentityService manages identities and users
type InitConfig ¶
type InitConfig struct { // Backend is auth backend to use Backend backend.Backend // Authority is key generator that we use Authority Authority // HostUUID is a UUID of this host HostUUID string // NodeName is the DNS name of the node NodeName string // ClusterName stores the FQDN of the signing CA (its certificate will have this // name embedded). It is usually set to the GUID of the host the Auth service runs on ClusterName services.ClusterName // Authorities is a list of pre-configured authorities to supply on first start Authorities []services.CertAuthority // AuthServiceName is a human-readable name of this CA. If several Auth services are running // (managing multiple teleport clusters) this field is used to tell them apart in UIs // It usually defaults to the hostname of the machine the Auth service runs on. AuthServiceName string // DataDir is the full path to the directory where keys, events and logs are kept DataDir string // ReverseTunnels is a list of reverse tunnels statically supplied // in configuration, so auth server will init the tunnels on the first start ReverseTunnels []services.ReverseTunnel // OIDCConnectors is a list of trusted OpenID Connect identity providers // in configuration, so auth server will init the tunnels on the first start OIDCConnectors []services.OIDCConnector // Trust is a service that manages users and credentials Trust services.Trust // Presence service is a discovery and hearbeat tracker Presence services.Presence // Provisioner is a service that keeps track of provisioning tokens Provisioner services.Provisioner // Identity is a service that manages users and credentials Identity services.Identity // Access is service controlling access to resources Access services.Access // ClusterConfiguration is a services that holds cluster wide configuration. 
ClusterConfiguration services.ClusterConfiguration // Roles is a set of roles to create Roles []services.Role // StaticTokens are pre-defined host provisioning tokens supplied via config file for // environments where paranoid security is not needed //StaticTokens []services.ProvisionToken StaticTokens services.StaticTokens // AuthPreference defines the authentication type (local, oidc) and second // factor (off, otp, u2f) passed in from a configuration file. AuthPreference services.AuthPreference }
InitConfig is auth server init config
type OIDCAuthResponse ¶ added in v1.0.0
type OIDCAuthResponse struct { // Username is authenticated teleport username Username string `json:"username"` // Identity contains validated OIDC identity Identity services.ExternalIdentity `json:"identity"` // Web session will be generated by auth server if requested in OIDCAuthRequest Session services.WebSession `json:"session,omitempty"` // Cert will be generated by certificate authority Cert []byte `json:"cert,omitempty"` // Req is original oidc auth request Req services.OIDCAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider
type PackedKeys ¶
type ProvisioningService ¶
type ProvisioningService interface { // GetTokens returns a list of active invitation tokens for nodes and users GetTokens() (tokens []services.ProvisionToken, err error) // GetToken returns provisioning token GetToken(token string) (*services.ProvisionToken, error) // DeleteToken deletes a given provisioning token on the auth server (CA). It // could be a user token or a machine token DeleteToken(token string) error // RegisterUsingToken calls the auth service API to register a new node via registration token // which has been previously issued via GenerateToken RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error) // RegisterNewAuthServer is used to register new auth server with token RegisterNewAuthServer(token string) error }
ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster
type SAMLAuthResponse ¶
type SAMLAuthResponse struct { // Username is authenticated teleport username Username string `json:"username"` // Identity contains validated SAML identity Identity services.ExternalIdentity `json:"identity"` // Web session will be generated by auth server if requested in SAMLAuthRequest Session services.WebSession `json:"session,omitempty"` // Cert will be generated by certificate authority Cert []byte `json:"cert,omitempty"` // Req is original SAML auth request Req services.SAMLAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider
type ServerOption ¶
type ServerOption func(s *AuthTunnel) error
ServerOption is the functional argument passed to the server
func SetLimiter ¶ added in v1.0.0
func SetLimiter(limiter *limiter.Limiter) ServerOption
SetLimiter sets rate and connection limiter for auth tunnel server
type TunClient ¶
type TunClient struct { sync.Mutex // embed auth API HTTP client Client // contains filtered or unexported fields }
TunClient is an HTTP client that works over an SSH tunnel. This is done in order to authenticate various teleport roles using the existing SSH certificate infrastructure
func NewTunClient ¶
func NewTunClient(purpose string, authServers []utils.NetAddr, user string, authMethods []ssh.AuthMethod, opts ...TunClientOption) (*TunClient, error)
NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate
- purpose is mostly for debugging, like "web client" or "reverse tunnel client"
- authServers: list of auth servers in this cluster (they are supposed to be in sync)
- authMethods: how to authenticate (via cert, web password, etc)
- opts : functional arguments for further extending
func (*TunClient) GetAgent ¶
func (c *TunClient) GetAgent() (AgentCloser, error)
GetAgent creates an SSH key agent (similar object to what CLI uses); this key agent fetches user keys directly from the auth server using a custom channel created via a "ReqWebSessionAgent" request
func (*TunClient) GetDialer ¶
func (c *TunClient) GetDialer() AccessPointDialer
GetDialer returns dialer that will connect to auth server API
type TunClientOption ¶ added in v1.0.0
type TunClientOption func(t *TunClient)
TunClientOption is functional option for tunnel client
func TunClientStorage ¶ added in v1.0.0
func TunClientStorage(storage utils.AddrStorage) TunClientOption
TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers
func TunDisableRefresh ¶
func TunDisableRefresh() TunClientOption
TunDisableRefresh will disable refreshing the list of auth servers. This is required when requesting user certificates because we only allow a single HTTP request to be made over the tunnel. This is because each request does keyAuth, and for situations like password+otp where the OTP token is invalid after the first use, that means all other requests would fail.
type ValidateTrustedClusterRequest ¶
type ValidateTrustedClusterRequest struct { Token string `json:"token"` CAs []services.CertAuthority `json:"certificate_authorities"` }
func (*ValidateTrustedClusterRequest) ToRaw ¶
func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)
type ValidateTrustedClusterRequestRaw ¶
type ValidateTrustedClusterRequestRaw struct { Token string `json:"token"` CAs [][]byte `json:"certificate_authorities"` }
func (*ValidateTrustedClusterRequestRaw) ToNative ¶
func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)
type ValidateTrustedClusterResponse ¶
// ValidateTrustedClusterResponse holds a list of certificate authorities.
// It is the response type returned by Client.ValidateTrustedCluster, and
// ToRaw converts it to a ValidateTrustedClusterResponseRaw.
type ValidateTrustedClusterResponse struct {
// CAs is encoded under the JSON key "certificate_authorities".
CAs []services.CertAuthority `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponse) ToRaw ¶
func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)
type ValidateTrustedClusterResponseRaw ¶
// ValidateTrustedClusterResponseRaw mirrors ValidateTrustedClusterResponse
// with each certificate authority held as a byte slice (presumably its
// serialized form; confirm against ToRaw). ToNative converts it back to a
// ValidateTrustedClusterResponse.
type ValidateTrustedClusterResponseRaw struct {
// CAs is encoded under the JSON key "certificate_authorities".
CAs [][]byte `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponseRaw) ToNative ¶
func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)
type WebService ¶
type WebService interface { // GetWebSessionInfo checks if a web sesion is valid, returns session id in case if // it is valid, or error otherwise. GetWebSessionInfo(user string, sid string) (services.WebSession, error) // ExtendWebSession creates a new web session for a user based on another // valid web session ExtendWebSession(user string, prevSessionID string) (services.WebSession, error) // CreateWebSession creates a new web session for a user CreateWebSession(user string) (services.WebSession, error) // DeleteWebSession deletes a web session for this user by id DeleteWebSession(user string, sid string) error }
WebService implements features used by Web UI clients