auth

package
v11.3.3
Published: Dec 13, 2022 License: Apache-2.0 Imports: 144 Imported by: 0

Documentation

Overview

Copyright 2021 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Package auth implements a certificate signing authority and access control server. The authority server is composed of several parts:

* Authority server itself that implements signing and ACL logic
* HTTP server wrapper for authority server
* HTTP client wrapper

Index

Constants

const (
	// MaxFailedAttemptsFromStartRecoveryErrMsg is a user friendly error message to try again later.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromStartRecoveryErrMsg = "you have reached max attempts, please try again later"

	// MaxFailedAttemptsFromVerifyRecoveryErrMsg is a user friendly error message to start over.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromVerifyRecoveryErrMsg = "too many incorrect attempts, please start over with a new recovery code"
)
const (
	ErrFieldKeyUserMaxedAttempts = "maxed-attempts"

	// MaxFailedAttemptsErrMsg is a user friendly error message that tells a user that they are locked.
	MaxFailedAttemptsErrMsg = "too many incorrect attempts, please try again later"
)
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute

	// TokenLenBytes is the length in bytes of the invite token
	TokenLenBytes = 16

	// RecoveryTokenLenBytes is the length in bytes of a user token for recovery.
	RecoveryTokenLenBytes = 32

	// SessionTokenBytes is the number of bytes of a web or application session.
	SessionTokenBytes = 32
)
const (
	// CurrentVersion is the current API version
	CurrentVersion = types.V2

	// MissingNamespaceError indicates that the client failed to
	// provide the namespace in the request.
	MissingNamespaceError = "missing required parameter: namespace"
)
const (
	// GithubAuthPath is the GitHub authorization endpoint
	GithubAuthPath = "login/oauth/authorize"

	// GithubTokenPath is the GitHub token exchange endpoint
	GithubTokenPath = "login/oauth/access_token"

	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
const (
	// ContextUser is a user set in the context of the request
	ContextUser contextKey = "teleport-user"
	// ContextClientAddr is a client address set in the context of the request
	ContextClientAddr contextKey = "client-addr"
)
const (
	// IdentityCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity credentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
const (
	// UserTokenTypeResetPasswordInvite is a token type used for the UI invite flow that
	// allows users to change their password and set second factor (if enabled).
	UserTokenTypeResetPasswordInvite = "invite"
	// UserTokenTypeResetPassword is a token type used for the UI flow where user
	// re-sets their password and second factor (if enabled).
	UserTokenTypeResetPassword = "password"
	// UserTokenTypeRecoveryStart describes a recovery token issued to users who
	// successfully verified their recovery code.
	UserTokenTypeRecoveryStart = "recovery_start"
	// UserTokenTypeRecoveryApproved describes a recovery token issued to users who
	// successfully verified their second auth credential (either password or a second factor) and
	// can now start changing their password or add a new second factor device.
	// This token is also used to allow users to delete existing second factor devices
	// and retrieve their new set of recovery codes as part of the recovery flow.
	UserTokenTypeRecoveryApproved = "recovery_approved"
	// UserTokenTypePrivilege describes a token type that grants access to a privileged action
	// that requires users to re-authenticate with their second factor while logged in. This
	// token is issued to users who have successfully re-authenticated.
	UserTokenTypePrivilege = "privilege"
	// UserTokenTypePrivilegeException describes a token type that allows a user to bypass
	// second factor re-authentication which in other cases would be required, e.g.
	// allowing a user to add an MFA device if they don't have any registered.
	UserTokenTypePrivilegeException = "privilege_exception"
)
const LicenseExpiredNotification = "licenseExpired"

LicenseExpiredNotification defines a license expired notification

const TokenExpiredOrNotFound = "token expired or not found"

TokenExpiredOrNotFound is a special message returned by the auth server when provisioning tokens are either past their TTL, or could not be found.

Variables

var ErrDone = errors.New("done iterating")

ErrDone indicates that resource iteration is complete

var ErrGithubNoTeams = trace.BadParameter("user does not belong to any teams configured in connector; the configuration may have typos.")

ErrGithubNoTeams results from a github user not belonging to any teams.

var ErrOIDCNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")

ErrOIDCNoRoles results from not mapping any roles from OIDC claims.

var ErrRequiresEnterprise = services.ErrRequiresEnterprise
var ErrSAMLNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")

ErrSAMLNoRoles results from not mapping any roles from SAML claims.

var GithubScopes = []string{
	"read:org",
}

GithubScopes is a list of scopes requested during OAuth2 flow

var MinSupportedModeratedSessionsVersion = semver.New(utils.VersionBeforeAlpha("9.0.0"))
var (
	// UserLoginCount counts user logins
	UserLoginCount = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: teleport.MetricUserLoginCount,
			Help: "Number of times there was a user login",
		},
	)
)
var WithDelegator = utils.WithDelegator

WithDelegator alias for backwards compatibility

Functions

func BotResourceName

func BotResourceName(botName string) string

BotResourceName returns the default name for resources associated with the given named bot.

func CertAuthorityInfo

func CertAuthorityInfo(ca types.CertAuthority) string

CertAuthorityInfo returns debugging information about certificate authority

func CertInfo

func CertInfo(cert *x509.Certificate) string

CertInfo returns diagnostic information about certificate

func ClientCertPool

func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)

ClientCertPool returns trusted x509 certificate authority pool with CAs provided as caTypes. In addition, it returns the total length of all subjects added to the cert pool, allowing the caller to validate that the pool doesn't exceed the maximum 2-byte length prefix before using it.
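The size check that the second return value of ClientCertPool exists for, as an added Go example that is not the package's own code: it builds a client CA pool from constructed self-signed CAs, counts the encoded subjects the way the wire format does (each DistinguishedName in a TLS CertificateRequest carries its own 2-byte length prefix, and the whole list another, RFC 5246 section 7.4.4), and rejects a pool whose subjects no longer fit. The names `newTestCA`, `buildClientCAPool`, `checkClientCAPoolSize` and `poolSizeForCAs` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"strings"
	"time"
)

// maxCertAuthoritiesLen is the largest payload the certificate_authorities
// field of a TLS CertificateRequest can carry: it is encoded behind a 2-byte
// length prefix (RFC 5246 section 7.4.4), so a larger list cannot be
// expressed and the handshake breaks instead of trusting fewer CAs.
const maxCertAuthoritiesLen = math.MaxUint16

// newTestCA builds a self-signed CA certificate with the given common name
// and organization. Constructed for this example; not Teleport's CA code.
func newTestCA(commonName, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildClientCAPool mirrors the ClientCertPool contract: it adds every CA to
// a pool and returns the pool together with the number of bytes a TLS server
// would need to advertise those CAs' subjects. Each DER-encoded subject is
// counted with its own 2-byte length prefix, as laid out on the wire.
func buildClientCAPool(cas []*x509.Certificate) (*x509.CertPool, int64) {
	pool := x509.NewCertPool()
	var totalSubjectsLen int64
	for _, ca := range cas {
		pool.AddCert(ca)
		totalSubjectsLen += 2 + int64(len(ca.RawSubject))
	}
	return pool, totalSubjectsLen
}

// checkClientCAPoolSize is the validation a caller should perform before
// installing the pool as tls.Config.ClientCAs.
func checkClientCAPoolSize(totalSubjectsLen int64) error {
	if totalSubjectsLen > maxCertAuthoritiesLen {
		return fmt.Errorf("client CA subjects total %d bytes, over the %d-byte "+
			"limit of the TLS certificate_authorities field; trim the trusted "+
			"CA set before advertising it", totalSubjectsLen, maxCertAuthoritiesLen)
	}
	return nil
}

// poolSizeForCAs generates n CAs whose organization field is orgLen bytes
// long, builds the pool and returns the total advertised subject length.
func poolSizeForCAs(n, orgLen int) (int64, error) {
	cas := make([]*x509.Certificate, 0, n)
	for i := 0; i < n; i++ {
		ca, err := newTestCA(fmt.Sprintf("cluster-%d", i), strings.Repeat("x", orgLen))
		if err != nil {
			return 0, err
		}
		cas = append(cas, ca)
	}
	_, total := buildClientCAPool(cas)
	return total, nil
}

func main() {
	// Three ordinary CAs fit comfortably.
	total, err := poolSizeForCAs(3, 16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("3 CAs: %d bytes, check: %v\n", total, checkClientCAPoolSize(total))

	// Thirty CAs with oversized subjects overflow the 2-byte prefix.
	total, err = poolSizeForCAs(30, 3000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("30 large CAs: %d bytes, check: %v\n", total, checkClientCAPoolSize(total))
}
```

Trusted-cluster CAs all land in this pool, so the total grows with every cluster joined; surfacing the length lets the caller fail loudly rather than hand crypto/tls a list it cannot encode.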

func ClientImpersonator

func ClientImpersonator(ctx context.Context) string

ClientImpersonator returns the impersonator username of a remote client making the call. If not present, returns an empty string

func ClientTimeout

func ClientTimeout(timeout time.Duration) roundtrip.ClientParam

ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.

func ClientUserMetadata

func ClientUserMetadata(ctx context.Context) apievents.UserMetadata

ClientUserMetadata returns a UserMetadata suitable for events caused by a remote client making a call. If ctx didn't pass through auth middleware or did not come from an HTTP request, metadata for teleport.UserSystem is returned.

func ClientUserMetadataWithUser

func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata

ClientUserMetadataWithUser returns a UserMetadata suitable for events caused by a remote client making a call, with the specified username overriding the one from the remote client.

func ClientUsername

func ClientUsername(ctx context.Context) string

ClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, teleport.UserSystem is returned.

func ContainsSessionKind

func ContainsSessionKind(s []string, e types.SessionKind) bool

func CreateAccessPluginUser

func CreateAccessPluginUser(ctx context.Context, clt clt, username string) (types.User, error)

CreateAccessPluginUser creates a user with list/read abilities for access requests, and list/read/update abilities for access plugin data.

func CreateRole

func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV5) (types.Role, error)

CreateRole creates a role without assigning any users. Used in tests.

func CreateUser

func CreateUser(clt clt, username string, roles ...types.Role) (types.User, error)

CreateUser creates a user and role and assigns the role to the user; used in tests.

func CreateUserAndRole

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)

CreateUserAndRole creates a user and role and assigns the role to the user; used in tests.

func CreateUserAndRoleWithoutRoles

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)

CreateUserAndRoleWithoutRoles creates a user and role but does not assign the user to the role; used in tests.

func CreateUserRoleAndRequestable

func CreateUserRoleAndRequestable(clt clt, username string, rolename string) (types.User, error)

CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.

func DefaultClientCertPool

func DefaultClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, int64, error)

DefaultClientCertPool returns default trusted x509 certificate authority pool.

func DefaultDNSNamesForRole

func DefaultDNSNamesForRole(role types.SystemRole) []string

DefaultDNSNamesForRole returns default DNS names for the specified role.

func ExtractHostID

func ExtractHostID(hostName string, clusterName string) (string, error)

ExtractHostID returns the host ID based on the hostname.

func GetClientUsername

func GetClientUsername(ctx context.Context) (string, error)

GetClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, returns an error.

func HasBuiltinRole

func HasBuiltinRole(authContext Context, name string) bool

HasBuiltinRole checks if the identity is a builtin role with the matching name.

func HasRemoteBuiltinRole

func HasRemoteBuiltinRole(authContext Context, name string) bool

HasRemoteBuiltinRole checks if the identity is a remote builtin role with the matching name.

func HasV5Role

func HasV5Role(roles []types.Role) bool

func HostFQDN

func HostFQDN(hostUUID, clusterName string) string

HostFQDN returns the host UUID and cluster name joined with a "." separator.

func IsInvalidLocalCredentialError

func IsInvalidLocalCredentialError(err error) bool

IsInvalidLocalCredentialError checks if an error resulted from an incorrect username, password, or second factor.

func NewAPIServer

func NewAPIServer(config *APIConfig) (http.Handler, error)

NewAPIServer returns a new instance of APIServer HTTP handler

func ParseSAMLInResponseTo

func ParseSAMLInResponseTo(response string) (string, error)

func PrivateKeyToPublicKeyTLS

func PrivateKeyToPublicKeyTLS(privateKey []byte) (tlsPublicKey []byte, err error)

PrivateKeyToPublicKeyTLS gets the TLS public key from a raw private key.

func Register

func Register(params RegisterParams) (*proto.Certs, error)

Register is used to generate host keys when a node or proxy is running on a different host than the auth server. This method requires provisioning tokens to prove that a valid auth server was used to issue the joining request, as well as a method for the node to validate the auth server.

func RoleSetForBuiltinRoles

func RoleSetForBuiltinRoles(clusterName string, recConfig types.SessionRecordingConfig, roles ...types.SystemRole) (services.RoleSet, error)

RoleSetForBuiltinRoles returns a RoleSet for the embedded builtin roles.

func TLSCertInfo

func TLSCertInfo(cert *tls.Certificate) string

TLSCertInfo returns diagnostic information about certificate

func WaitForAppSession

func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error

WaitForAppSession will block until the requested application session shows up in the cache or a timeout occurs.

func WaitForSnowflakeSession

func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error

WaitForSnowflakeSession waits until the requested Snowflake session shows up in the cache or a timeout occurs.

func WithClusterCAs

func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, log logrus.FieldLogger) func(*tls.ClientHelloInfo) (*tls.Config, error)

WithClusterCAs returns a TLS hello callback that returns a copy of the provided TLS config with client CAs pool of the specified cluster.

Types

type APIClient

type APIClient = client.Client

APIClient is aliased here so that it can be embedded in Client.

type APIConfig

type APIConfig struct {
	PluginRegistry plugin.Registry
	AuthServer     *Server
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
	Emitter        apievents.Emitter
	// KeepAlivePeriod defines period between keep alives
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies amount of missed keep alives
	// to wait for until declaring connection as broken
	KeepAliveCount int
	// MetadataGetter retrieves additional metadata about session uploads.
	// Will be nil if audit logging is not enabled.
	MetadataGetter events.UploadMetadataGetter
}

func (*APIConfig) CheckAndSetDefaults

func (a *APIConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type APIServer

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements the HTTP API server for the AuthServer interface.

type AccessCache

type AccessCache interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}

AccessCache is a subset of the interface working on the certificate authorities

type Announcer

type Announcer interface {
	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)

	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s types.Server) error

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(s types.Server) error

	// UpsertKubeService registers kubernetes presence, permanently if ttl is 0
	// or for the specified duration with second resolution if it's >= 1 second
	// DELETE IN 11.0. Deprecated, use UpsertKubeServiceV2
	UpsertKubeService(context.Context, types.Server) error

	// UpsertKubeServiceV2 registers a kubernetes service
	// DELETE IN 13.0. Deprecated, use UpsertKubernetesServer
	UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error)

	// UpsertKubernetesServer registers a kubernetes server
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)

	// UpsertDatabaseServer registers a database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)

	// UpsertWindowsDesktopService registers a Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)

	// CreateWindowsDesktop registers a Windows desktop host.
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpdateWindowsDesktop updates a Windows desktop host.
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
}

Announcer is the interface responsible for announcing presence.

type AppTestCertRequest

type AppTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Username is the Teleport user name to sign certificate for.
	Username string
	// TTL is the test certificate validity period.
	TTL time.Duration
	// PublicAddr is the application public address. Used for routing.
	PublicAddr string
	// ClusterName is the name of the cluster application resides in. Used for routing.
	ClusterName string
	// SessionID is the optional session ID to encode. Used for routing.
	SessionID string
	// AWSRoleARN is optional AWS role ARN a user wants to assume to encode.
	AWSRoleARN string
}

AppTestCertRequest combines parameters for generating a test app access cert.

type AppsAccessPoint

type AppsAccessPoint interface {
	// ReadAppsAccessPoint provides methods to read data
	ReadAppsAccessPoint
	// contains filtered or unexported methods
}

AppsAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.

func NewAppsWrapper

func NewAppsWrapper(base AppsAccessPoint, cache ReadAppsAccessPoint) AppsAccessPoint

type AppsWrapper

type AppsWrapper struct {
	ReadAppsAccessPoint

	NoCache AppsAccessPoint
	// contains filtered or unexported fields
}

func (*AppsWrapper) Close

func (w *AppsWrapper) Close() error

Close closes all associated resources

type AuthenticateSSHRequest

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issued
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
	RouteToCluster    string `json:"route_to_cluster"`
	// KubernetesCluster sets the target kubernetes cluster for the TLS
	// certificate. This can be empty on older clients.
	KubernetesCluster string `json:"kubernetes_cluster"`
	// AttestationStatement is an attestation statement associated with the given public key.
	AttestationStatement *keys.AttestationStatement `json:"attestation_statement,omitempty"`
}

AuthenticateSSHRequest is a request to authenticate an SSH client user via the CLI.

func (*AuthenticateSSHRequest) CheckAndSetDefaults

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest

type AuthenticateUserRequest struct {
	// Username is a username
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// Webauthn is a signed credential assertion, used in MFA authentication
	Webauthn *wanlib.CredentialAssertionResponse `json:"webauthn,omitempty"`
	// OTP is a password and second factor, used for MFA authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
	// ClientMetadata includes forwarded information about a client
	ClientMetadata *ForwardedClientMetadata `json:"client_metadata,omitempty"`
}

AuthenticateUserRequest is a request to authenticate an interactive user.

func (*AuthenticateUserRequest) CheckAndSetDefaults

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*Context, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer

func NewAuthorizer(clusterName string, accessPoint AuthorizerAccessPoint, lockWatcher *services.LockWatcher) (Authorizer, error)

NewAuthorizer returns a new authorizer using the given backends.

type AuthorizerAccessPoint

type AuthorizerAccessPoint interface {
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
}

AuthorizerAccessPoint is the access point contract required by an Authorizer

type BuiltinRole

type BuiltinRole struct {
	// Role is the primary builtin role this username is associated with
	Role types.SystemRole

	// AdditionalSystemRoles is a collection of additional system roles held by
	// this identity (only currently used by identities with RoleInstance as their
	// primary role).
	AdditionalSystemRoles types.SystemRoles

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

BuiltinRole is the role of the Teleport service.

func (BuiltinRole) GetIdentity

func (r BuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

func (BuiltinRole) GetServerID

func (r BuiltinRole) GetServerID() string

GetServerID extracts the identity from the full name. The username extracted from the node's identity (x.509 certificate) is expected to consist of "<server-id>.<cluster-name>" so strip the cluster name suffix to get the server id.

Note that as of right now Teleport expects server id to be a UUID4 but older Gravity clusters used to override it with strings like "192_168_1_1.<cluster-name>" so this code can't rely on it being UUID4 to account for clusters upgraded from older versions.

func (BuiltinRole) IsServer

func (r BuiltinRole) IsServer() bool

IsServer returns true if the primary role is either RoleInstance, or one of the local service roles (e.g. proxy).

type Cache

type Cache interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetReverseTunnels returns a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers(withSecrets bool) ([]types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)

	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)

	// GetWebSession gets a web session for the given request
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken gets a web token for the given request
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

	// GetWindowsDesktopService returns a windows desktop service by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() (types.StaticTokens, error)

	// GetTokens returns all active (non-expired) provisioning tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)

	// GetToken finds and returns token by ID
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// GetLock gets a lock by name.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLock(ctx context.Context, name string) (types.Lock, error)

	// GetLocks gets all/in-force locks that match at least one of the targets
	// when specified.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)

	// ListResources returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
	// ListWindowsDesktops returns a paginated list of windows desktops.
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	// ListWindowsDesktopServices returns a paginated list of windows desktop services.
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)

	// GetInstaller gets installer resource for this cluster
	GetInstaller(ctx context.Context, name string) (types.Installer, error)

	// GetInstallers gets all the installer resources.
	GetInstallers(ctx context.Context) ([]types.Installer, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

Cache is a subset of the auth interface handling access to the discovery API and static tokens

type CertAuthorityMap

type CertAuthorityMap = map[types.CertAuthType]types.CertAuthority

type Client

type Client struct {
	// APIClient is used to make gRPC requests to the server
	*APIClient
	// HTTPClient is used to make http requests to the server
	*HTTPClient
}

Client is the Auth API client. It works by connecting to auth servers via gRPC and HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.

func NewClient

func NewClient(cfg client.Config, params ...roundtrip.ClientParam) (*Client, error)

NewClient creates a new API client with a connection to a Teleport server.

The client will use the first credentials and the given dialer. If no dialer is given, the first address will be used. This address must be an auth server address.

NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.

func (*Client) ActivateCertAuthority

func (c *Client) ActivateCertAuthority(id types.CertAuthID) error

ActivateCertAuthority not implemented: can only be called locally.

func (*Client) AddUserLoginAttempt

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser

func (c *Client) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed short-lived TLS and SSH certificates.

func (*Client) AuthenticateWebUser

func (c *Client) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session.

func (*Client) ChangePassword

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates a user's password after verifying the old password.

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the supplied web access password is valid.

func (*Client) Close

func (c *Client) Close() error

func (*Client) CompareAndSwapCertAuthority

func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*Client) CompareAndSwapUser

func (c *Client) CompareAndSwapUser(ctx context.Context, new, expected types.User) error

CompareAndSwapUser not implemented: can only be called locally

func (*Client) CreateAuditStream

func (c *Client) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates new audit stream. This is a wrapper on the grpc endpoint and is deprecated. DELETE IN 7.0.0

func (*Client) CreateBot

CreateBot creates a bot and associated resources.

func (*Client) CreateCertAuthority

func (c *Client) CreateCertAuthority(ca types.CertAuthority) error

CreateCertAuthority not implemented: can only be called locally.

func (*Client) CreateRemoteCluster

func (c *Client) CreateRemoteCluster(rc types.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateResetPasswordToken

func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

CreateResetPasswordToken creates reset password token

func (*Client) CreateRole

func (c *Client) CreateRole(ctx context.Context, role types.Role) error

CreateRole not implemented: can only be called locally.

func (*Client) CreateSession

func (c *Client) CreateSession(ctx context.Context, sess session.Session) error

CreateSession creates new session DELETE IN 12.0.0

func (*Client) CreateWebSession

func (c *Client) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for a user

func (*Client) DeactivateCertAuthority

func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error

DeactivateCertAuthority not implemented: can only be called locally.

func (*Client) Delete

func (c *Client) Delete(ctx context.Context, u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAllAuthServers

func (c *Client) DeleteAllAuthServers() error

DeleteAllAuthServers not implemented: can only be called locally.

func (*Client) DeleteAllCertAuthorities

func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error

DeleteAllCertAuthorities not implemented: can only be called locally.

func (*Client) DeleteAllLocks

func (c *Client) DeleteAllLocks(context.Context) error

DeleteAllLocks not implemented: can only be called locally.

func (*Client) DeleteAllNamespaces

func (c *Client) DeleteAllNamespaces() error

DeleteAllNamespaces not implemented: can only be called locally.

func (*Client) DeleteAllProxies

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels not implemented: can only be called locally.

func (*Client) DeleteAllRoles

func (c *Client) DeleteAllRoles() error

DeleteAllRoles not implemented: can only be called locally.

func (*Client) DeleteAllTokens

func (c *Client) DeleteAllTokens() error

DeleteAllTokens not implemented: can only be called locally.

func (*Client) DeleteAllTunnelConnections

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers

func (c *Client) DeleteAllUsers() error

DeleteAllUsers not implemented: can only be called locally.

func (*Client) DeleteAuthPreference

func (c *Client) DeleteAuthPreference(context.Context) error

DeleteAuthPreference not implemented: can only be called locally.

func (*Client) DeleteAuthServer

func (c *Client) DeleteAuthServer(name string) error

DeleteAuthServer not implemented: can only be called locally.

func (*Client) DeleteBot

func (c *Client) DeleteBot(ctx context.Context, botName string) error

DeleteBot deletes a certificate renewal bot and associated resources.

func (*Client) DeleteCertAuthority

func (c *Client) DeleteCertAuthority(id types.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteClusterAuditConfig

func (c *Client) DeleteClusterAuditConfig(ctx context.Context) error

DeleteClusterAuditConfig not implemented: can only be called locally.

func (*Client) DeleteClusterName

func (c *Client) DeleteClusterName() error

DeleteClusterName not implemented: can only be called locally.

func (*Client) DeleteClusterNetworkingConfig

func (c *Client) DeleteClusterNetworkingConfig(ctx context.Context) error

DeleteClusterNetworkingConfig not implemented: can only be called locally.

func (*Client) DeleteNamespace

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteProxy

func (c *Client) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*Client) DeleteRemoteCluster

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteSession

func (c *Client) DeleteSession(ctx context.Context, namespace string, id session.ID) error

DeleteSession removes an active session from the backend. DELETE IN 12.0.0

func (*Client) DeleteSessionRecordingConfig

func (c *Client) DeleteSessionRecordingConfig(ctx context.Context) error

DeleteSessionRecordingConfig not implemented: can only be called locally.

func (*Client) DeleteStaticTokens

func (c *Client) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*Client) DeleteTunnelConnection

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(ctx context.Context, user string, sid string) error

DeleteWebSession deletes the web session specified with sid for the given user

func (*Client) ExtendWebSession

func (c *Client) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateCertAuthorityCRL

func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for a CA.

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration,
) ([]byte, error)

GenerateHostCert takes a public key in the OpenSSH authorized_keys plain text format, signs it using the Host Certificate Authority private key and returns the resulting certificate.

func (*Client) Get

func (c *Client) Get(ctx context.Context, u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAllTunnelConnections

func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAuthServers

func (c *Client) GetAuthServers() ([]types.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetBotUsers

func (c *Client) GetBotUsers(ctx context.Context) ([]types.User, error)

GetBotUsers fetches all bot users.

func (*Client) GetCertAuthorities

func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

GetCertAuthority returns the certificate authority with the given id. The loadSigningKeys parameter controls whether signing keys are loaded.

func (*Client) GetClusterAuditConfig

func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*Client) GetClusterName

func (c *Client) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

GetClusterName returns a cluster name

func (*Client) GetClusterNetworkingConfig

func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*Client) GetDatabaseServers

func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

GetDatabaseServers returns all registered database proxy servers.

func (*Client) GetNamespace

func (c *Client) GetNamespace(name string) (*types.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces

func (c *Client) GetNamespaces() ([]types.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetProxies

func (c *Client) GetProxies() ([]types.Server, error)

GetProxies returns the list of proxy servers registered in the cluster.

func (*Client) GetRemoteCluster

func (c *Client) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters

func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetReverseTunnel

func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)

GetReverseTunnel not implemented: can only be called locally.

func (*Client) GetReverseTunnels

func (c *Client) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetSession

func (c *Client) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID DELETE IN 12.0.0

func (*Client) GetSessionChunk

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting at offsetBytes and at most maxBytes in length. The upper bound of maxBytes is events.MaxChunkBytes.

func (*Client) GetSessionEvents

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)

GetSessionEvents returns the events that happened during a session, sorted by time (oldest first).

afterN filters for events newer than N, where N is the cursor ID of the previously returned batch (useful when polling for the latest events).

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessionRecordingConfig

func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

GetSessionRecordingConfig gets session recording configuration.

func (*Client) GetSessions

func (c *Client) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by the auth server. DELETE IN 12.0.0

func (*Client) GetStaticTokens

func (c *Client) GetStaticTokens() (types.StaticTokens, error)

GetStaticTokens returns a list of static register tokens

func (*Client) GetTunnelConnections

func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetUserLoginAttempts

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetWebSessionInfo

func (c *Client) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo checks if a web session is valid and returns the session if it is, or an error otherwise.

func (*Client) KeepAliveNode

func (c *Client) KeepAliveNode(ctx context.Context, keepAlive types.KeepAlive) error

DELETE IN: 5.1.0

This logic has been moved to KeepAliveServer.

KeepAliveNode updates node keep alive information.

func (*Client) KeepAliveServer

func (c *Client) KeepAliveServer(ctx context.Context, keepAlive types.KeepAlive) error

KeepAliveServer not implemented: can only be called locally.

func (*Client) ListWindowsDesktopServices

ListWindowsDesktopServices not implemented: can only be called locally.

func (*Client) ListWindowsDesktops

ListWindowsDesktops not implemented: can only be called locally.

func (*Client) PostForm

func (c *Client) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON

func (c *Client) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) ProcessKubeCSR

func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*Client) PutJSON

func (c *Client) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) ResumeAuditStream

func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes existing audit stream. This is a wrapper on the grpc endpoint and is deprecated. DELETE IN 7.0.0

func (*Client) RotateCertAuthority

func (c *Client) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*Client) RotateExternalCertAuthority

func (c *Client) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates an external certificate authority. This method is used to update only the public keys and certificates of the certificate authorities of trusted clusters.

func (*Client) SearchEvents

func (c *Client) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]apievents.AuditEvent, string, error)

SearchEvents allows searching for audit events with pagination support.

func (*Client) SearchSessionEvents

func (c *Client) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) ([]apievents.AuditEvent, string, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetClusterAuditConfig

func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error

SetClusterAuditConfig not implemented: can only be called locally.

func (*Client) SetClusterName

func (c *Client) SetClusterName(cn types.ClusterName) error

SetClusterName sets the cluster name once; it returns an Already Exists error if the name is already set.

func (*Client) SetStaticTokens

func (c *Client) SetStaticTokens(st types.StaticTokens) error

SetStaticTokens sets a list of static register tokens

func (*Client) StreamSessionEvents

func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
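As an added illustration of the channel contract described above (example code, not Teleport's own), the following consumer terminates correctly in both cases: it stops when the event channel is closed (clean end) or when an error arrives, and never blocks on an event channel that will not be closed. SessionEvent and fakeSessionStream are constructed stand-ins for apievents.AuditEvent and for the real stream, which are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// SessionEvent is a constructed stand-in for apievents.AuditEvent; only the
// fields this example needs are modelled (assumption, not Teleport's type).
type SessionEvent struct {
	Index int64
	Type  string
}

// ErrStreamBroken is a constructed error used by the fake producer below.
var ErrStreamBroken = errors.New("recording stream broken")

// fakeSessionStream reproduces the channel contract documented for
// Client.StreamSessionEvents using a constructed in-memory recording:
// events are delivered on the first channel; on a clean end that channel is
// closed; on failure an error is sent on the second channel and the event
// channel is deliberately left open.
func fakeSessionStream(ctx context.Context, recording []SessionEvent, failAt int, failErr error) (chan SessionEvent, chan error) {
	evCh := make(chan SessionEvent)
	errCh := make(chan error, 1) // buffered so the producer never blocks on reporting
	go func() {
		for i, ev := range recording {
			if failErr != nil && i == failAt {
				errCh <- failErr
				return // no close(evCh): matches the documented behaviour
			}
			select {
			case evCh <- ev:
			case <-ctx.Done():
				errCh <- ctx.Err()
				return
			}
		}
		close(evCh)
	}()
	return evCh, errCh
}

// CollectSessionEvents drains an (events, errors) channel pair following that
// contract. A consumer that simply ranged over the event channel would hang
// forever after an error, because the channel is never closed in that case;
// selecting on the error channel and ctx.Done() is what guarantees termination.
// It returns every event received before the stream ended plus the first error.
func CollectSessionEvents(ctx context.Context, evCh <-chan SessionEvent, errCh <-chan error) ([]SessionEvent, error) {
	var got []SessionEvent
	for {
		select {
		case ev, ok := <-evCh:
			if !ok {
				return got, nil // channel closed: clean end of stream
			}
			got = append(got, ev)
		case err := <-errCh:
			return got, err // partial replay plus the failure cause
		case <-ctx.Done():
			return got, ctx.Err()
		}
	}
}

func main() {
	// Constructed recording: four events of a short session.
	recording := []SessionEvent{
		{Index: 0, Type: "session.start"},
		{Index: 1, Type: "print"},
		{Index: 2, Type: "print"},
		{Index: 3, Type: "session.end"},
	}
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()

	evCh, errCh := fakeSessionStream(ctx, recording, 0, nil)
	got, err := CollectSessionEvents(ctx, evCh, errCh)
	fmt.Printf("clean stream: %d events, err=%v\n", len(got), err)

	evCh, errCh = fakeSessionStream(ctx, recording, 2, ErrStreamBroken)
	got, err = CollectSessionEvents(ctx, evCh, errCh)
	fmt.Printf("broken stream: %d events, err=%v\n", len(got), err)
}
```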

func (*Client) UpdatePresence

func (c *Client) UpdatePresence(ctx context.Context, sessionID, user string) error

func (*Client) UpdateSession

func (c *Client) UpdateSession(ctx context.Context, req session.UpdateRequest) error

UpdateSession updates existing session DELETE IN 12.0.0

func (*Client) UpsertAppSession

func (c *Client) UpsertAppSession(ctx context.Context, session types.WebSession) error

UpsertAppSession not implemented: can only be called locally.

func (*Client) UpsertAuthServer

func (c *Client) UpsertAuthServer(s types.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in the form of a heartbeat that expires after the ttl period.

func (*Client) UpsertCertAuthority

func (c *Client) UpsertCertAuthority(ca types.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertClusterName

func (c *Client) UpsertClusterName(cn types.ClusterName) error

UpsertClusterName not implemented: can only be called locally.

func (*Client) UpsertNamespace

func (c *Client) UpsertNamespace(ns types.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertProxy

func (c *Client) UpsertProxy(s types.Server) error

UpsertProxy is used by proxies to report their presence to auth servers in the form of a heartbeat that expires after the ttl period.

func (*Client) UpsertReverseTunnel

func (c *Client) UpsertReverseTunnel(tunnel types.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to a remote proxy in order to traverse firewall restrictions.

func (*Client) UpsertSnowflakeSession

func (c *Client) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error

UpsertSnowflakeSession not implemented: can only be called locally.

func (*Client) UpsertTunnelConnection

func (c *Client) UpsertTunnelConnection(conn types.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser

func (c *Client) UpsertUser(user types.User) error

UpsertUser updates or inserts a user entry.

func (*Client) ValidateGithubAuthCallback

func (c *Client) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback

func (c *Client) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse

func (c *Client) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster

func (c *Client) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

type ClientI

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	events.Streamer
	apievents.Emitter
	services.Presence
	services.Access
	services.DynamicAccess
	services.DynamicAccessOracle
	services.Restrictions
	services.Apps
	services.Databases
	services.Kubernetes
	services.WindowsDesktops
	WebService
	services.Status
	session.Service
	services.ClusterConfiguration
	services.SessionTrackerService
	services.ConnectionsDiagnostic
	types.Events

	types.WebSessionsGetter
	types.WebTokensGetter

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(ctx context.Context, req RotateRequest) error

	// RotateExternalCertAuthority rotates an external certificate authority;
	// this method is used to update only the public keys and certificates of
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

	// ValidateTrustedCluster validates a trusted cluster token with the
	// main cluster; if validation succeeds, the main cluster adds the
	// remote cluster.
	ValidateTrustedCluster(context.Context, *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName(ctx context.Context) (string, error)

	// GetClusterCACert returns the PEM-encoded TLS certs for the local cluster.
	// If the cluster has multiple TLS certs, they will all be concatenated.
	GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

	// GenerateHostCerts generates new host certificates (signed
	// by the host certificate authority) for a node
	GenerateHostCerts(context.Context, *proto.HostCertsRequest) (*proto.Certs, error)
	// AuthenticateWebUser authenticates a web user and, if authentication
	// succeeds, creates and returns a web session.
	AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
	// AuthenticateSSHUser authenticates an SSH console user and, on success,
	// creates and returns a pair of signed short-lived TLS and SSH certificates.
	AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if successful.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

	// Ping gets basic info about the auth server.
	Ping(ctx context.Context) (proto.PingResponse, error)

	// CreateAppSession creates an application web session. Application web
	// sessions represent a browser session the client holds.
	CreateAppSession(context.Context, types.CreateAppSessionRequest) (types.WebSession, error)

	// CreateSnowflakeSession creates a Snowflake web session. Snowflake web
	// sessions represent Database Access Snowflake session the client holds.
	CreateSnowflakeSession(context.Context, types.CreateSnowflakeSessionRequest) (types.WebSession, error)

	// GenerateDatabaseCert generates client certificate used by a database
	// service to authenticate with the database instance.
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

	// GetWebSession queries the existing web session described with req.
	// Implements ReadAccessPoint.
	GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken queries the existing web token described with req.
	// Implements ReadAccessPoint.
	GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

	// ResetAuthPreference resets cluster auth preference to defaults.
	ResetAuthPreference(ctx context.Context) error

	// ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
	ResetClusterNetworkingConfig(ctx context.Context) error

	// ResetSessionRecordingConfig resets session recording configuration to defaults.
	ResetSessionRecordingConfig(ctx context.Context) error

	// GenerateWindowsDesktopCert generates client smartcard certificate used
	// by an RDP client to authenticate with Windows.
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
	// GenerateCertAuthorityCRL generates an empty CRL for a CA.
	GenerateCertAuthorityCRL(context.Context, types.CertAuthType) ([]byte, error)

	// GetInventoryStatus gets basic status info about instance inventory.
	GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)

	// PingInventory attempts to trigger a downstream ping against a connected instance.
	PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)

	// SubmitUsageEvent submits an external usage event.
	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
}

ClientI is a client to Auth service

func NewAdminAuthServer

func NewAdminAuthServer(authServer *Server, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns an auth server client authorized as admin, used for the auth server's cached access.

func WithGithubConnectorConversions

func WithGithubConnectorConversions(c ClientI) ClientI

WithGithubConnectorConversions takes a ClientI and returns one that ensures returned or passed types.GithubConnector interfaces use the registered implementation for the following methods:

  • ClientI.GetGithubConnector
  • ClientI.GetGithubConnectors
  • ClientI.UpsertGithubConnector

This function is necessary so that the github.com/gravitational/teleport/api module does not import github.com/gravitational/teleport/lib/services.

type Context

type Context struct {
	// User is the username
	User types.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity holds the caller identity:
	// 1. If caller is a user
	//   a. local user identity
	//   b. remote user identity remapped to local identity based on trusted
	//      cluster role mapping.
	// 2. If caller is a teleport instance, Identity holds their identity as-is
	//    (because there's no role mapping for non-human roles)
	Identity IdentityGetter
	// UnmappedIdentity holds the original caller identity. If this is a remote
	// user, UnmappedIdentity holds the data before role mapping. Otherwise,
	// it's identical to Identity.
	UnmappedIdentity IdentityGetter
}

Context is the authorization context of a caller.

func NewAdminContext

func NewAdminContext() (*Context, error)

NewAdminContext returns a new admin auth context.

func NewBuiltinRoleContext

func NewBuiltinRoleContext(role types.SystemRole) (*Context, error)

NewBuiltinRoleContext creates an auth context for the provided builtin role.

func (*Context) LockTargets

func (c *Context) LockTargets() []types.LockTarget

LockTargets returns a list of LockTargets inferred from the context's Identity and UnmappedIdentity.

func (*Context) MFAParams

func (c *Context) MFAParams(authPrefMFARequirement types.RequireMFAType) services.AccessMFAParams

MFAParams returns MFA params for the given auth context and auth preference MFA requirement.

func (*Context) UseExtraRoles

func (c *Context) UseExtraRoles(access services.RoleGetter, clusterName string, roles []string) error

UseExtraRoles extends the roles of the Checker on the current Context with the given extra roles.

type CreateUserTokenRequest

type CreateUserTokenRequest struct {
	// Name is the user name for token.
	Name string `json:"name"`
	// TTL specifies how long the generated token is valid for.
	TTL time.Duration `json:"ttl"`
	// Type is the token type.
	Type string `json:"type"`
}

CreateUserTokenRequest is a request to create a new user token.

func (*CreateUserTokenRequest) CheckAndSetDefaults

func (r *CreateUserTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets the defaults.

type DatabaseAccessPoint

type DatabaseAccessPoint interface {
	// ReadDatabaseAccessPoint provides methods to read data
	ReadDatabaseAccessPoint
	// contains filtered or unexported methods
}

DatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.

type DatabaseTestCertRequest

type DatabaseTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Cluster is the Teleport cluster name.
	Cluster string
	// Username is the Teleport username.
	Username string
	// RouteToDatabase contains database routing information.
	RouteToDatabase tlsca.RouteToDatabase
}

DatabaseTestCertRequest combines parameters for generating test database access certificate.

type DatabaseWrapper

type DatabaseWrapper struct {
	ReadDatabaseAccessPoint

	NoCache DatabaseAccessPoint
	// contains filtered or unexported fields
}

func (*DatabaseWrapper) Close

func (w *DatabaseWrapper) Close() error

Close closes all associated resources

type DiscoveryAccessPoint

type DiscoveryAccessPoint interface {
	// ReadDiscoveryAccessPoint provides methods to read data
	ReadDiscoveryAccessPoint

	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// UpdateKubernetesCluster updates existing kubernetes cluster resource.
	UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// DeleteKubernetesCluster deletes specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// contains filtered or unexported methods
}

DiscoveryAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDiscovery

type DiscoveryWrapper

type DiscoveryWrapper struct {
	ReadDiscoveryAccessPoint

	NoCache DiscoveryAccessPoint
	// contains filtered or unexported fields
}

func (*DiscoveryWrapper) Close

func (w *DiscoveryWrapper) Close() error

Close closes all associated resources

func (*DiscoveryWrapper) CreateKubernetesCluster

func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*DiscoveryWrapper) DeleteKubernetesCluster

func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster deletes specified kubernetes cluster resource.

func (*DiscoveryWrapper) UpdateKubernetesCluster

func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

UpdateKubernetesCluster updates existing kubernetes cluster resource.

type ForwardedClientMetadata

type ForwardedClientMetadata struct {
	UserAgent  string `json:"user_agent,omitempty"`
	RemoteAddr string `json:"remote_addr,omitempty"`
}

ForwardedClientMetadata can be used by the proxy web API to forward information about the client to the auth service for logging purposes.

type GRPCServer

type GRPCServer struct {
	*logrus.Entry
	APIConfig

	// TraceServiceServer exposes the exporter server so that the auth server may
	// collect and forward spans
	collectortracepb.TraceServiceServer
	// contains filtered or unexported fields
}

GRPCServer is the gRPC Auth Server API.

func NewGRPCServer

func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error)

NewGRPCServer returns a new instance of the gRPC server.

func (*GRPCServer) AcquireSemaphore

func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)

AcquireSemaphore acquires lease with requested resources from semaphore.

func (*GRPCServer) AddMFADevice

func (g *GRPCServer) AddMFADevice(stream proto.AuthService_AddMFADeviceServer) error

func (*GRPCServer) AddMFADeviceSync

AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.

func (*GRPCServer) AppendDiagnosticTrace

AppendDiagnosticTrace updates a connection diagnostic

func (*GRPCServer) CancelSemaphoreLease

func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)

CancelSemaphoreLease cancels semaphore lease early.

func (*GRPCServer) ChangeUserAuthentication

ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.

func (*GRPCServer) CompleteAccountRecovery

func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)

CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.

func (*GRPCServer) CreateAccessRequest

func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)

func (*GRPCServer) CreateAccountRecoveryCodes

func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.

func (*GRPCServer) CreateApp

func (g *GRPCServer) CreateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)

CreateApp creates a new application resource.

func (*GRPCServer) CreateAppSession

CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.

func (*GRPCServer) CreateAuditStream

func (g *GRPCServer) CreateAuditStream(stream proto.AuthService_CreateAuditStreamServer) error

CreateAuditStream creates or resumes audit event stream

func (*GRPCServer) CreateAuthenticateChallenge

CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.

func (*GRPCServer) CreateBot

CreateBot creates a new bot and an optional join token.

func (*GRPCServer) CreateConnectionDiagnostic

func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)

CreateConnectionDiagnostic creates a connection diagnostic

func (*GRPCServer) CreateDatabase

func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)

CreateDatabase creates a new database resource.

func (*GRPCServer) CreateGithubAuthRequest

func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)

CreateGithubAuthRequest creates GithubAuthRequest.

func (*GRPCServer) CreateKubernetesCluster

func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*GRPCServer) CreateOIDCAuthRequest

func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*GRPCServer) CreatePrivilegeToken

func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.

func (*GRPCServer) CreateRegisterChallenge

CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.

func (*GRPCServer) CreateResetPasswordToken

func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)

func (*GRPCServer) CreateSAMLAuthRequest

func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAMLAuthRequest.

func (*GRPCServer) CreateSessionTracker

func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *proto.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*GRPCServer) CreateToken

func (g *GRPCServer) CreateToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)

CreateToken creates a token.

func (*GRPCServer) CreateUser

func (g *GRPCServer) CreateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)

CreateUser inserts a new user entry in a backend.

func (*GRPCServer) CreateWindowsDesktop

func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

CreateWindowsDesktop registers a new Windows desktop host.

func (*GRPCServer) DeleteAccessRequest

func (g *GRPCServer) DeleteAccessRequest(ctx context.Context, id *proto.RequestID) (*emptypb.Empty, error)

func (*GRPCServer) DeleteAllAppSessions

func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllAppSessions removes all application web sessions.

func (*GRPCServer) DeleteAllApplicationServers

func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *proto.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)

DeleteAllApplicationServers deletes all registered application servers.

func (*GRPCServer) DeleteAllApps

func (g *GRPCServer) DeleteAllApps(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllApps removes all application resources.

func (*GRPCServer) DeleteAllDatabaseServers

func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *proto.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)

DeleteAllDatabaseServers removes all registered database proxy servers.

func (*GRPCServer) DeleteAllDatabases

func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllDatabases removes all databases.

func (*GRPCServer) DeleteAllInstallers

func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllInstallers deletes all the installers.

func (*GRPCServer) DeleteAllKubeServices

func (g *GRPCServer) DeleteAllKubeServices(ctx context.Context, req *proto.DeleteAllKubeServicesRequest) (*emptypb.Empty, error)

DeleteAllKubeServices removes all kubernetes services.

func (*GRPCServer) DeleteAllKubernetesClusters

func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllKubernetesClusters removes all kubernetes clusters.

func (*GRPCServer) DeleteAllKubernetesServers

func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *proto.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)

DeleteAllKubernetesServers deletes all registered kubernetes servers.

func (*GRPCServer) DeleteAllNodes

func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)

DeleteAllNodes deletes all nodes in a given namespace.

func (*GRPCServer) DeleteAllSnowflakeSessions

func (g *GRPCServer) DeleteAllSnowflakeSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

func (*GRPCServer) DeleteAllWebSessions

func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWebSessions removes all web sessions.

func (*GRPCServer) DeleteAllWebTokens

func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWebTokens removes all web tokens.

func (*GRPCServer) DeleteAllWindowsDesktopServices

func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWindowsDesktopServices removes all registered Windows desktop services.

func (*GRPCServer) DeleteAllWindowsDesktops

func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWindowsDesktops removes all registered Windows desktop hosts.

func (*GRPCServer) DeleteApp

func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteApp removes the specified application resource.

func (*GRPCServer) DeleteAppSession

func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *proto.DeleteAppSessionRequest) (*emptypb.Empty, error)

DeleteAppSession removes an application web session.

func (*GRPCServer) DeleteApplicationServer

func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *proto.DeleteApplicationServerRequest) (*emptypb.Empty, error)

DeleteApplicationServer deletes an application server.

func (*GRPCServer) DeleteBot

func (g *GRPCServer) DeleteBot(ctx context.Context, req *proto.DeleteBotRequest) (*emptypb.Empty, error)

DeleteBot removes a bot and its associated resources.

func (*GRPCServer) DeleteDatabase

func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteDatabase removes the specified database.

func (*GRPCServer) DeleteDatabaseServer

func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *proto.DeleteDatabaseServerRequest) (*emptypb.Empty, error)

DeleteDatabaseServer removes the specified database proxy server.

func (*GRPCServer) DeleteGithubConnector

func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteGithubConnector deletes a Github connector by name.

func (*GRPCServer) DeleteInstaller

func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteInstaller sets the installer script resource to its default

func (*GRPCServer) DeleteKubeService

func (g *GRPCServer) DeleteKubeService(ctx context.Context, req *proto.DeleteKubeServiceRequest) (*emptypb.Empty, error)

DeleteKubeService removes a kubernetes service.

func (*GRPCServer) DeleteKubernetesCluster

func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteKubernetesCluster removes the specified kubernetes cluster.

func (*GRPCServer) DeleteKubernetesServer

func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *proto.DeleteKubernetesServerRequest) (*emptypb.Empty, error)

DeleteKubernetesServer deletes a kubernetes server.

func (*GRPCServer) DeleteLock

func (g *GRPCServer) DeleteLock(ctx context.Context, req *proto.DeleteLockRequest) (*emptypb.Empty, error)

DeleteLock deletes a lock.

func (*GRPCServer) DeleteMFADevice

func (g *GRPCServer) DeleteMFADevice(stream proto.AuthService_DeleteMFADeviceServer) error

func (*GRPCServer) DeleteMFADeviceSync

func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)

DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.

func (*GRPCServer) DeleteNetworkRestrictions

func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteNetworkRestrictions deletes the network restrictions.

func (*GRPCServer) DeleteNode

DeleteNode deletes a node by name.

func (*GRPCServer) DeleteOIDCConnector

func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteOIDCConnector deletes an OIDC connector by name.

func (*GRPCServer) DeleteRole

func (g *GRPCServer) DeleteRole(ctx context.Context, req *proto.DeleteRoleRequest) (*emptypb.Empty, error)

DeleteRole deletes a role by name.

func (*GRPCServer) DeleteSAMLConnector

func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteSAMLConnector deletes a SAML connector by name.

func (*GRPCServer) DeleteSemaphore

func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)

DeleteSemaphore deletes a semaphore matching the supplied filter.

func (*GRPCServer) DeleteSnowflakeSession

func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *proto.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)

func (*GRPCServer) DeleteToken

func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteToken deletes a token by name.

func (*GRPCServer) DeleteTrustedCluster

func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteTrustedCluster deletes a Trusted Cluster by name.

func (*GRPCServer) DeleteUser

func (g *GRPCServer) DeleteUser(ctx context.Context, req *proto.DeleteUserRequest) (*emptypb.Empty, error)

DeleteUser deletes an existing user in a backend by username.

func (*GRPCServer) DeleteUserAppSessions

func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)

DeleteUserAppSessions removes all of a user's application web sessions.

func (*GRPCServer) DeleteWebSession

func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)

DeleteWebSession removes the web session given with req.

func (*GRPCServer) DeleteWebToken

func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)

DeleteWebToken removes the web token given with req.

func (*GRPCServer) DeleteWindowsDesktop

func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *proto.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)

DeleteWindowsDesktop removes the specified windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.

func (*GRPCServer) DeleteWindowsDesktopService

func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *proto.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)

DeleteWindowsDesktopService removes the specified Windows desktop service.

func (*GRPCServer) EmitAuditEvent

func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)

EmitAuditEvent emits audit event

func (*GRPCServer) Export

Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.

func (*GRPCServer) GenerateAppToken

GenerateAppToken creates a JWT token with application access.

func (*GRPCServer) GenerateCertAuthorityCRL

func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *proto.CertAuthorityRequest) (*proto.CRL, error)

GenerateCertAuthorityCRL returns a CRL for a CA.

func (*GRPCServer) GenerateDatabaseCert

func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates the client certificate used by a database service to authenticate with the database instance.

func (*GRPCServer) GenerateHostCerts

func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

func (*GRPCServer) GenerateSnowflakeJWT

func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)

GenerateSnowflakeJWT generates a JWT in the format required by Snowflake.

func (*GRPCServer) GenerateToken

GenerateToken generates a new auth token.

func (*GRPCServer) GenerateUserCerts

func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *proto.UserCertsRequest) (*proto.Certs, error)

func (*GRPCServer) GenerateUserSingleUseCerts

func (g *GRPCServer) GenerateUserSingleUseCerts(stream proto.AuthService_GenerateUserSingleUseCertsServer) error

func (*GRPCServer) GenerateWindowsDesktopCert

func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates a client certificate for Windows RDP authentication.

func (*GRPCServer) GetAccessCapabilities

func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

func (*GRPCServer) GetAccessRequests

func (g *GRPCServer) GetAccessRequests(ctx context.Context, f *types.AccessRequestFilter) (*proto.AccessRequests, error)

DEPRECATED, DELETE IN 11.0.0: Use GetAccessRequestsV2 instead.

func (*GRPCServer) GetAccessRequestsV2

func (*GRPCServer) GetAccountRecoveryCodes

func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.

func (*GRPCServer) GetAccountRecoveryToken

func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)

GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.

func (*GRPCServer) GetActiveSessionTrackers

func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream proto.AuthService_GetActiveSessionTrackersServer) error

GetActiveSessionTrackers returns a list of active session trackers.

func (*GRPCServer) GetActiveSessionTrackersWithFilter

func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, stream proto.AuthService_GetActiveSessionTrackersWithFilterServer) error

GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.

func (*GRPCServer) GetApp

func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)

GetApp returns the specified application resource.

func (*GRPCServer) GetAppSession

GetAppSession gets an application web session.

func (*GRPCServer) GetAppSessions

func (g *GRPCServer) GetAppSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetAppSessionsResponse, error)

GetAppSessions gets all application web sessions.

func (*GRPCServer) GetApps

func (g *GRPCServer) GetApps(ctx context.Context, _ *emptypb.Empty) (*types.AppV3List, error)

GetApps returns all application resources.

func (*GRPCServer) GetAuthPreference

func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)

GetAuthPreference gets cluster auth preference.

func (*GRPCServer) GetBotUsers

GetBotUsers lists all users with a bot label

func (*GRPCServer) GetClusterAlerts

func (*GRPCServer) GetClusterAuditConfig

func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*GRPCServer) GetClusterCACert

func (g *GRPCServer) GetClusterCACert(
	ctx context.Context, req *emptypb.Empty,
) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be appended.

func (*GRPCServer) GetClusterNetworkingConfig

func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*GRPCServer) GetConnectionDiagnostic

GetConnectionDiagnostic reads a connection diagnostic.

func (*GRPCServer) GetCurrentUser

func (g *GRPCServer) GetCurrentUser(ctx context.Context, req *emptypb.Empty) (*types.UserV2, error)

func (*GRPCServer) GetCurrentUserRoles

func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream proto.AuthService_GetCurrentUserRolesServer) error

func (*GRPCServer) GetDatabase

func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)

GetDatabase returns the specified database resource.

func (*GRPCServer) GetDatabases

func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)

GetDatabases returns all database resources.

func (*GRPCServer) GetDomainName

func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*proto.GetDomainNameResponse, error)

GetDomainName returns the local auth domain of the current auth server.

func (*GRPCServer) GetEvents

func (g *GRPCServer) GetEvents(ctx context.Context, req *proto.GetEventsRequest) (*proto.Events, error)

GetEvents searches for events on the backend and sends them back in a response.

func (*GRPCServer) GetGithubAuthRequest

GetGithubAuthRequest gets a GithubAuthRequest by id.

func (*GRPCServer) GetGithubConnector

GetGithubConnector retrieves a Github connector by name.

func (*GRPCServer) GetGithubConnectors

GetGithubConnectors retrieves all Github connectors.

func (*GRPCServer) GetInstaller

func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)

GetInstaller retrieves the installer script resource

func (*GRPCServer) GetInstallers

func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)

GetInstallers returns all installer script resources registered in the cluster.

func (*GRPCServer) GetInventoryStatus

func (*GRPCServer) GetKubernetesCluster

func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)

GetKubernetesCluster returns the specified kubernetes cluster resource.

func (*GRPCServer) GetKubernetesClusters

func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)

GetKubernetesClusters returns all kubernetes cluster resources.

func (*GRPCServer) GetLock

func (g *GRPCServer) GetLock(ctx context.Context, req *proto.GetLockRequest) (*types.LockV2, error)

GetLock retrieves a lock by name.

func (*GRPCServer) GetLocks

GetLocks gets all/in-force locks that match at least one of the targets when specified.

func (*GRPCServer) GetMFADevices

func (*GRPCServer) GetNetworkRestrictions

func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)

GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).

func (*GRPCServer) GetNode

GetNode retrieves a node by name and namespace.

func (*GRPCServer) GetOIDCAuthRequest

func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *proto.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)

GetOIDCAuthRequest gets an OIDC AuthnRequest.

func (*GRPCServer) GetOIDCConnector

GetOIDCConnector retrieves an OIDC connector by name.

func (*GRPCServer) GetOIDCConnectors

GetOIDCConnectors retrieves all OIDC connectors.

func (*GRPCServer) GetPluginData

func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*proto.PluginDataSeq, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*GRPCServer) GetResetPasswordToken

func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *proto.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)

func (*GRPCServer) GetRole

func (g *GRPCServer) GetRole(ctx context.Context, req *proto.GetRoleRequest) (*types.RoleV5, error)

GetRole retrieves a role by name.

func (*GRPCServer) GetRoles

GetRoles retrieves all roles.

func (*GRPCServer) GetSAMLAuthRequest

func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *proto.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)

GetSAMLAuthRequest gets a SAMLAuthRequest by id.

func (*GRPCServer) GetSAMLConnector

GetSAMLConnector retrieves a SAML connector by name.

func (*GRPCServer) GetSAMLConnectors

GetSAMLConnectors retrieves all SAML connectors.

func (*GRPCServer) GetSSODiagnosticInfo

GetSSODiagnosticInfo gets SSO diagnostic info for a specific SSO auth request.

func (*GRPCServer) GetSemaphores

func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*proto.Semaphores, error)

GetSemaphores returns a list of all semaphores matching the supplied filter.

func (*GRPCServer) GetServer

func (g *GRPCServer) GetServer() (*grpc.Server, error)

GetServer returns an instance of the gRPC server.

func (*GRPCServer) GetSessionEvents

func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *proto.GetSessionEventsRequest) (*proto.Events, error)

GetSessionEvents searches for session events on the backend and sends them back in a response.

func (*GRPCServer) GetSessionRecordingConfig

func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)

GetSessionRecordingConfig gets session recording configuration.

func (*GRPCServer) GetSessionTracker

GetSessionTracker returns the current state of a session tracker for an active session.

func (*GRPCServer) GetSnowflakeSessions

func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*proto.GetSnowflakeSessionsResponse, error)

func (*GRPCServer) GetToken

GetToken retrieves a token by name.

func (*GRPCServer) GetTokens

GetTokens retrieves all tokens.

func (*GRPCServer) GetTrustedCluster

func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)

GetTrustedCluster retrieves a Trusted Cluster by name.

func (*GRPCServer) GetTrustedClusters

func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)

GetTrustedClusters retrieves all Trusted Clusters.

func (*GRPCServer) GetUser

func (g *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*types.UserV2, error)

func (*GRPCServer) GetUsers

func (*GRPCServer) GetWebSession

GetWebSession gets a web session.

func (*GRPCServer) GetWebSessions

func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebSessionsResponse, error)

GetWebSessions gets all web sessions.

func (*GRPCServer) GetWebToken

GetWebToken gets a web token.

func (*GRPCServer) GetWebTokens

func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebTokensResponse, error)

GetWebTokens gets all web tokens.

func (*GRPCServer) GetWindowsDesktopService

GetWindowsDesktopService returns a registered Windows desktop service by name.

func (*GRPCServer) GetWindowsDesktopServices

func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*proto.GetWindowsDesktopServicesResponse, error)

GetWindowsDesktopServices returns all registered Windows desktop services.

func (*GRPCServer) GetWindowsDesktops

GetWindowsDesktops returns all registered Windows desktop hosts.

func (*GRPCServer) InventoryControlStream

func (g *GRPCServer) InventoryControlStream(stream proto.AuthService_InventoryControlStreamServer) error

func (*GRPCServer) IsMFARequired

func (*GRPCServer) KeepAliveSemaphoreLease

func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)

KeepAliveSemaphoreLease updates semaphore lease.

func (*GRPCServer) ListResources

ListResources retrieves a paginated list of resources.

func (*GRPCServer) MaintainSessionPresence

func (g *GRPCServer) MaintainSessionPresence(stream proto.AuthService_MaintainSessionPresenceServer) error

MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.

func (*GRPCServer) Ping

func (*GRPCServer) PingInventory

func (*GRPCServer) RemoveSessionTracker

func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *proto.RemoveSessionTrackerRequest) (*emptypb.Empty, error)

RemoveSessionTracker removes a tracker resource for an active session.

func (*GRPCServer) ReplaceRemoteLocks

func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *proto.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)

ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.

func (*GRPCServer) ResetAuthPreference

func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetAuthPreference resets cluster auth preference to defaults.

func (*GRPCServer) ResetClusterNetworkingConfig

func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetClusterNetworkingConfig resets cluster networking configuration to defaults.

func (*GRPCServer) ResetSessionRecordingConfig

func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetSessionRecordingConfig resets session recording configuration to defaults.

func (*GRPCServer) SendKeepAlives

func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error

SendKeepAlives allows a node to send a stream of keep-alive requests.

func (*GRPCServer) SetAccessRequestState

func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *proto.RequestStateSetter) (*emptypb.Empty, error)

func (*GRPCServer) SetAuthPreference

func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)

SetAuthPreference sets cluster auth preference.

func (*GRPCServer) SetClusterNetworkingConfig

func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)

SetClusterNetworkingConfig sets cluster networking configuration.

func (*GRPCServer) SetInstaller

func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)

SetInstaller sets the installer script resource.

func (*GRPCServer) SetNetworkRestrictions

func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)

SetNetworkRestrictions updates the network restrictions.

func (*GRPCServer) SetSessionRecordingConfig

func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)

SetSessionRecordingConfig sets session recording configuration.

func (*GRPCServer) SignDatabaseCSR

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*GRPCServer) StartAccountRecovery

func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (*types.UserTokenV3, error)

StartAccountRecovery is implemented by AuthService.StartAccountRecovery.

func (*GRPCServer) StreamSessionEvents

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.

func (*GRPCServer) SubmitAccessReview

func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)

func (*GRPCServer) SubmitUsageEvent

func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) (*emptypb.Empty, error)

SubmitUsageEvent submits an external usage event.

func (*GRPCServer) UnstableAssertSystemRole

func (g *GRPCServer) UnstableAssertSystemRole(ctx context.Context, req *proto.UnstableSystemRoleAssertion) (*emptypb.Empty, error)

DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)

func (*GRPCServer) UpdateApp

func (g *GRPCServer) UpdateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)

UpdateApp updates existing application resource.

func (*GRPCServer) UpdateConnectionDiagnostic

func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)

UpdateConnectionDiagnostic updates a connection diagnostic.

func (*GRPCServer) UpdateDatabase

func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)

UpdateDatabase updates existing database resource.

func (*GRPCServer) UpdateKubernetesCluster

func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)

UpdateKubernetesCluster updates an existing Kubernetes cluster resource.

func (*GRPCServer) UpdatePluginData

func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)

UpdatePluginData updates a per-resource PluginData entry.

func (*GRPCServer) UpdateRemoteCluster

func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)

UpdateRemoteCluster updates a remote cluster.

func (*GRPCServer) UpdateSessionTracker

func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) (*emptypb.Empty, error)

UpdateSessionTracker updates a tracker resource for an active session.

func (*GRPCServer) UpdateUser

func (g *GRPCServer) UpdateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)

UpdateUser updates an existing user in a backend.

func (*GRPCServer) UpdateWindowsDesktop

func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

UpdateWindowsDesktop updates an existing Windows desktop host.

func (*GRPCServer) UpsertApplicationServer

func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *proto.UpsertApplicationServerRequest) (*types.KeepAlive, error)

UpsertApplicationServer registers an application server.

func (*GRPCServer) UpsertClusterAlert

func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *proto.UpsertClusterAlertRequest) (*emptypb.Empty, error)

func (*GRPCServer) UpsertDatabaseServer

func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *proto.UpsertDatabaseServerRequest) (*types.KeepAlive, error)

UpsertDatabaseServer registers a new database proxy server.

func (*GRPCServer) UpsertGithubConnector

func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)

UpsertGithubConnector upserts a Github connector.

func (*GRPCServer) UpsertKubeService

func (g *GRPCServer) UpsertKubeService(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*emptypb.Empty, error)

UpsertKubeService adds a Kubernetes service.

func (*GRPCServer) UpsertKubeServiceV2

func (g *GRPCServer) UpsertKubeServiceV2(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*types.KeepAlive, error)

UpsertKubeServiceV2 adds a Kubernetes service.

func (*GRPCServer) UpsertKubernetesServer

func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *proto.UpsertKubernetesServerRequest) (*types.KeepAlive, error)

UpsertKubernetesServer registers a Kubernetes server.

func (*GRPCServer) UpsertLock

func (g *GRPCServer) UpsertLock(ctx context.Context, lock *types.LockV2) (*emptypb.Empty, error)

UpsertLock upserts a lock.

func (*GRPCServer) UpsertNode

func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)

UpsertNode upserts a node.

func (*GRPCServer) UpsertOIDCConnector

func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)

UpsertOIDCConnector upserts an OIDC connector.

func (*GRPCServer) UpsertRole

func (g *GRPCServer) UpsertRole(ctx context.Context, role *types.RoleV5) (*emptypb.Empty, error)

UpsertRole upserts a role.

func (*GRPCServer) UpsertSAMLConnector

func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)

UpsertSAMLConnector upserts a SAML connector.

func (*GRPCServer) UpsertToken

func (g *GRPCServer) UpsertToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)

UpsertToken upserts a token.

func (*GRPCServer) UpsertTrustedCluster

func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)

UpsertTrustedCluster upserts a Trusted Cluster.

func (*GRPCServer) UpsertWindowsDesktop

func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

UpsertWindowsDesktop updates a Windows desktop host, creating it if it doesn't exist.

func (*GRPCServer) UpsertWindowsDesktopService

func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)

UpsertWindowsDesktopService registers a new Windows desktop service.

func (*GRPCServer) VerifyAccountRecovery

func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)

VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.

func (*GRPCServer) WatchEvents

func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error

WatchEvents returns a new stream of cluster events.

type GRPCServerConfig

type GRPCServerConfig struct {
	// APIConfig is GRPC server API configuration
	APIConfig
	// TLS is GRPC server config
	TLS *tls.Config
	// UnaryInterceptor intercepts individual GRPC requests
	// for authentication and rate limiting
	UnaryInterceptor grpc.UnaryServerInterceptor
	// StreamInterceptor intercepts GRPC streams
	// for authentication and rate limiting
	StreamInterceptor grpc.StreamServerInterceptor
}

GRPCServerConfig specifies the GRPC server configuration.

func (*GRPCServerConfig) CheckAndSetDefaults

func (cfg *GRPCServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values.

type GithubAuthRequest

type GithubAuthRequest struct {
	// ConnectorID is the name of the connector to use.
	ConnectorID string `json:"connector_id"`
	// CSRFToken is used to protect against CSRF attacks.
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key to sign in case of successful auth.
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates that a user wants to generate a web session
	// after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is the URL where client will be redirected after
	// successful auth.
	ClientRedirectURL string `json:"client_redirect_url"`
}

GithubAuthRequest is a Github auth request that supports standard JSON marshaling.

func GithubAuthRequestFromProto

func GithubAuthRequestFromProto(req *types.GithubAuthRequest) GithubAuthRequest

GithubAuthRequestFromProto converts the types.GithubAuthRequest to GithubAuthRequest.

type GithubAuthResponse

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session types.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents a Github auth callback validation response.

type GithubConverter

type GithubConverter struct {
	ClientI
}

GithubConverter is a thin wrapper around the ClientI interface that ensures GitHub auth connectors use the registered implementation.

func (*GithubConverter) GetGithubConnector

func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

func (*GithubConverter) GetGithubConnectors

func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

func (*GithubConverter) UpsertGithubConnector

func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

type HTTPClient

type HTTPClient struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

HTTPClient is a teleport HTTP API client.

func NewHTTPClient

func NewHTTPClient(cfg client.Config, tls *tls.Config, params ...roundtrip.ClientParam) (*HTTPClient, error)

NewHTTPClient creates a new HTTP client with TLS authentication and the given dialer.

func (*HTTPClient) Close

func (c *HTTPClient) Close()

Close closes the HTTP client connection to the auth server.

func (*HTTPClient) GetTransport

func (c *HTTPClient) GetTransport() *http.Transport

GetTransport returns the HTTP client's transport.

func (*HTTPClient) TLSConfig

func (c *HTTPClient) TLSConfig() *tls.Config

TLSConfig returns the HTTP client's TLS config.

type HandlerWithAuthFunc

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is an HTTP handler that is passed the caller's auth client (ClientI) as context.

type HostCredentials

HostCredentials is an interface for a client that can be used to get host credentials. This interface is needed because lib/client cannot be imported in lib/auth due to circular imports.

type Identity

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertsBytes is a list of PEM encoded TLS x509 certificates of the certificate authorities
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// XCert is X509 client certificate
	XCert *x509.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is a collection of certificates and signers that represent a server identity.

func GenerateIdentity

func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)

GenerateIdentity generates an identity for the auth server.

func LocalRegister

func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, remoteAddr string, systemRoles []types.SystemRole) (*Identity, error)

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.

func NewServerIdentity

func NewServerIdentity(clt *Server, hostID string, role types.SystemRole) (*Identity, error)

NewServerIdentity generates a new server identity; used in tests.

func ReRegister

func ReRegister(params ReRegisterParams) (*Identity, error)

ReRegister renews the certificates and private keys based on the client's existing identity.

func ReadIdentityFromKeyPair

func ReadIdentityFromKeyPair(privateKey []byte, certs *proto.Certs) (*Identity, error)

ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.

func ReadLocalIdentity

func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)

ReadLocalIdentity reads, parses and returns the given public/private key pair and certificate from the key storage (dataDir).

func ReadSSHIdentityFromKeyPair

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads an SSH identity from an initialized key pair.

func ReadTLSIdentityFromKeyPair

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads a TLS identity from a key pair.

func (*Identity) HasDNSNames

func (i *Identity) HasDNSNames(dnsNames []string) bool

HasDNSNames returns true if the TLS certificate has all of the required DNS names.

func (*Identity) HasPrincipals

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether the identity's certificate has the given additional principals.

func (*Identity) HasTLSConfig

func (i *Identity) HasTLSConfig() bool

HasTLSConfig returns true if this identity has TLS certificate and private key.

func (*Identity) SSHClientConfig

func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)

SSHClientConfig returns an ssh.ClientConfig used by nodes to connect to the reverse tunnel server.

func (*Identity) String

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns a TLS config for mutual TLS authentication. It can return a NotFound error if there are no TLS credentials set up for the identity.
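The checks that the Identity methods above describe, as an added example that is not Teleport's code: reading PEM key material and verifying that the certificate chains to a cluster CA (ReadTLSIdentityFromKeyPair), deciding whether a certificate still covers the DNS names a host needs (HasDNSNames, where a false result is what drives re-registration), and building a mutual-TLS configuration from the identity (TLSConfig). HostIdentity, its CAPool field and newTestIdentity are assumptions of this example; it uses only the Go standard library, and the CA and host certificate it verifies are minted in-process as constructed sample material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HostIdentity is a reduced stand-in for auth.Identity (hypothetical type, not Teleport's own).
type HostIdentity struct {
	KeyBytes     []byte // PEM-encoded private key
	TLSCertBytes []byte // PEM-encoded x509 client certificate
	XCert        *x509.Certificate
	CAPool       *x509.CertPool // cluster CAs trusted for peer certificates
}

// ReadTLSIdentityFromKeyPair parses the PEM material and rejects a certificate that does not chain to a cluster CA.
func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*HostIdentity, error) {
	block, _ := pem.Decode(certBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("expected a PEM CERTIFICATE block")
	}
	xc, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, ca := range caCertsBytes {
		pool.AppendCertsFromPEM(ca) // malformed CA PEM is caught by the chain check below
	}
	// Host identities are presented as TLS clients, so verify the chain for client auth.
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := xc.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate does not chain to a cluster CA: %w", err)
	}
	return &HostIdentity{KeyBytes: keyBytes, TLSCertBytes: certBytes, XCert: xc, CAPool: pool}, nil
}

// HasDNSNames reports whether every required DNS name is in the certificate SANs; false means re-register.
func (i *HostIdentity) HasDNSNames(required []string) bool {
	if i.XCert == nil {
		return false
	}
	have := map[string]bool{}
	for _, n := range i.XCert.DNSNames {
		have[n] = true
	}
	for _, n := range required {
		if !have[n] {
			return false
		}
	}
	return true
}

// TLSConfig builds a mutual-TLS config: present the host certificate and require peers to
// present one signed by a cluster CA. It fails when the identity carries no TLS credentials.
func (i *HostIdentity) TLSConfig() (*tls.Config, error) {
	if len(i.TLSCertBytes) == 0 || len(i.KeyBytes) == 0 || i.CAPool == nil {
		return nil, errors.New("identity has no TLS credentials")
	}
	cert, err := tls.X509KeyPair(i.TLSCertBytes, i.KeyBytes)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert}, RootCAs: i.CAPool, ClientCAs: i.CAPool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12,
	}, nil
}

// newTestIdentity mints a throwaway CA and host certificate (constructed sample material only).
func newTestIdentity(dnsNames []string) (*HostIdentity, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hostKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	hostTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "host-uuid.example-cluster"},
		DNSNames: dnsNames, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	hostDER, _ := x509.CreateCertificate(rand.Reader, hostTmpl, caCert, &hostKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalECPrivateKey(hostKey)
	toPEM := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return ReadTLSIdentityFromKeyPair(toPEM("EC PRIVATE KEY", keyDER), toPEM("CERTIFICATE", hostDER),
		[][]byte{toPEM("CERTIFICATE", caDER)})
}

func main() {
	id, err := newTestIdentity([]string{"node1.example.com"})
	if err != nil {
		panic(err)
	}
	cfg, err := id.TLSConfig()
	fmt.Println(id.HasDNSNames([]string{"node1.example.com"}), id.HasDNSNames([]string{"node2.example.com"}),
		err == nil && cfg.ClientAuth == tls.RequireAndVerifyClientCert)
}
```

The chain check in ReadTLSIdentityFromKeyPair is the point worth copying: a certificate that parses but was not issued by a CA the cluster trusts is rejected before it can be used to build a TLS config, and both RootCAs and ClientCAs are pinned to that same pool so peers on either side of the connection are held to the cluster CA.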

type IdentityGetter

type IdentityGetter interface {
	// GetIdentity returns the x509-derived identity of the user
	GetIdentity() tlsca.Identity
}

IdentityGetter returns the unmapped client identity.

Unmapped means that if the client is a remote cluster user, the returned tlsca.Identity contains data from the remote cluster before role mapping is applied.

type IdentityID

type IdentityID struct {
	Role     types.SystemRole
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if the two identities are equal.

func (*IdentityID) HostID

func (id *IdentityID) HostID() string

HostID returns the host ID part of the host UUID, which also carries the cluster name.

func (*IdentityID) String

func (id *IdentityID) String() string

String returns a debug-friendly representation of this identity.

type IdentityService

type IdentityService interface {
	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
	// GetOIDCConnectors gets OIDC connectors list
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(ctx context.Context, connectorID string) error
	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
	// GetSAMLConnectors gets SAML connectors list
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(ctx context.Context, connectorID string) error
	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, authRequestID string) (*types.SAMLAuthRequest, error)

	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(ctx context.Context, id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
	// GetGithubAuthRequest returns Github auth request if found
	GetGithubAuthRequest(ctx context.Context, id string) (*types.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

	// GetUser returns user by name
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetCurrentUser returns current user as seen by the server.
	// Useful especially in the context of remote clusters which perform role and trait mapping.
	GetCurrentUser(ctx context.Context) (types.User, error)

	// GetCurrentUserRoles returns current user's roles.
	GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)

	// CreateUser inserts a new entry in a backend.
	CreateUser(ctx context.Context, user types.User) error

	// UpdateUser updates an existing user in a backend.
	UpdateUser(ctx context.Context, user types.User) error

	// UpsertUser updates or inserts a user entry
	UpsertUser(user types.User) error

	// CompareAndSwapUser updates an existing user in a backend, but fails if
	// the user in the backend does not match the expected value.
	CompareAndSwapUser(ctx context.Context, new, expected types.User) error

	// DeleteUser deletes an existing user in a backend by username.
	DeleteUser(ctx context.Context, user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers(withSecrets bool) ([]types.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the supplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

	// GenerateHostCert takes the public key in the OpenSSH `authorized_keys`
	// plain text format, signs it using the Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)

	// GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain
	// text format, signs it using User Certificate Authority signing key and
	// returns the resulting certificates.
	GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

	// GenerateUserSingleUseCerts is like GenerateUserCerts but issues a
	// certificate for a single session
	// (https://github.com/gravitational/teleport/blob/3a1cf9111c2698aede2056513337f32bfc16f1f1/rfd/0014-session-2FA.md#sessions).
	GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)

	// IsMFARequired is a request to check whether MFA is required to
	// access the Target.
	IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)

	// DeleteAllUsers deletes all users
	DeleteAllUsers() error

	// CreateResetPasswordToken creates a new user reset token
	CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

	// CreateBot creates a new certificate renewal bot and associated resources.
	CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
	// DeleteBot removes a certificate renewal bot and associated resources.
	DeleteBot(ctx context.Context, botName string) error
	// GetBotUsers gets all bot users.
	GetBotUsers(ctx context.Context) ([]types.User, error)

	// ChangeUserAuthentication allows a user with a reset or invite token to change their password and, if enabled, also add a new MFA device.
	// Upon success, creates a new web session and a new set of recovery codes (if the user meets the requirements).
	ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)

	// GetResetPasswordToken returns a reset password token.
	GetResetPasswordToken(ctx context.Context, username string) (types.UserToken, error)

	// GetMFADevices fetches all MFA devices registered for the calling user.
	GetMFADevices(ctx context.Context, in *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
	// AddMFADevice adds a new MFA device for the calling user.
	AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
	// DeleteMFADevice deletes a MFA device for the calling user.
	DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
	// AddMFADeviceSync adds a new MFA device (nonstream).
	AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
	// DeleteMFADeviceSync deletes a user's MFA device (nonstream).
	DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
	// CreateAuthenticateChallenge creates and returns MFA challenges for a user's registered MFA devices.
	CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
	// CreateRegisterChallenge creates and returns MFA register challenge for a new MFA device.
	CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

	// MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
	MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)

	// StartAccountRecovery creates a recovery start token for a user who successfully verified their username and their recovery code.
	// This token is used as part of a URL that will be emailed to the user (not done in this request).
	// Represents step 1 of the account recovery process.
	StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
	// VerifyAccountRecovery creates a recovery approved token after successful verification of the user's password or second factor
	// (which factor is verified depends on what the user needs to recover). This token will allow users to perform protected actions while not logged in.
	// Represents step 2 of the account recovery process after RPC StartAccountRecovery.
	VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
	// CompleteAccountRecovery sets a new password or adds a new mfa device,
	// allowing user to regain access to their account using the new credentials.
	// Represents the last step in the account recovery process after RPC's StartAccountRecovery and VerifyAccountRecovery.
	CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

	// CreateAccountRecoveryCodes creates a new set of recovery codes for a user, replacing and invalidating any previously owned codes.
	CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
	// GetAccountRecoveryToken returns a user token resource after verifying the token in
	// request is not expired and is of the correct recovery type.
	GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
	// GetAccountRecoveryCodes returns the recovery codes resource of the user in context, without any secrets.
	GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

	// CreatePrivilegeToken creates a privilege token for the logged in user who has successfully re-authenticated with their second factor.
	// A privilege token allows users to perform privileged actions, e.g. adding or deleting their MFA device.
	CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
}

IdentityService manages identities and users
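The three-step account recovery flow that the IdentityService comments describe (StartAccountRecovery as step 1, VerifyAccountRecovery as step 2, CompleteAccountRecovery as the last step, with GetAccountRecoveryToken checking that a token is unexpired and of the correct recovery type), as an added example that is not Teleport's code. The token kinds, the attempt limit, RecoveryService and its in-memory store are assumptions of this example, and the user, recovery codes and password it is seeded with are constructed sample data; it uses only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Token kinds for the recovery steps (hypothetical names; Teleport's own constants are not on the page).
const (
	KindRecoveryStart    = "recovery_start"    // issued by StartAccountRecovery (step 1)
	KindRecoveryApproved = "recovery_approved" // issued by VerifyAccountRecovery (step 2)
	maxVerifyAttempts    = 3                   // failed step-2 attempts before the start token is revoked
)

var (
	ErrBadCredential   = errors.New("invalid credential")
	ErrTokenNotFound   = errors.New("recovery token not found or expired")
	ErrWrongTokenKind  = errors.New("token is not of the expected recovery kind")
	ErrTooManyAttempts = errors.New("too many incorrect attempts, please start over with a new recovery code")
)

// UserToken is a reduced stand-in for types.UserToken (hypothetical).
type UserToken struct {
	ID, User, Kind string
	Expires        time.Time
	attempts       int
}

// RecoveryService drives the three-step flow over a constructed in-memory store.
type RecoveryService struct {
	tokens        map[string]*UserToken
	recoveryCodes map[string][]string // unused single-use codes per user
	passwords     map[string]string   // sample only: keep a KDF hash, never plaintext, in practice
}

func (s *RecoveryService) issue(user, kind string, ttl time.Duration) (*UserToken, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	t := &UserToken{ID: hex.EncodeToString(b), User: user, Kind: kind, Expires: time.Now().Add(ttl)}
	s.tokens[t.ID] = t
	return t, nil
}

// GetAccountRecoveryToken returns the token only if it is unexpired and of the expected kind.
func (s *RecoveryService) GetAccountRecoveryToken(id, kind string) (*UserToken, error) {
	t, ok := s.tokens[id]
	if !ok || !time.Now().Before(t.Expires) {
		delete(s.tokens, id)
		return nil, ErrTokenNotFound
	}
	if t.Kind != kind {
		return nil, ErrWrongTokenKind
	}
	return t, nil
}

// StartAccountRecovery (step 1): consume a valid recovery code and issue a short-lived start token.
func (s *RecoveryService) StartAccountRecovery(user, code string) (*UserToken, error) {
	codes := s.recoveryCodes[user]
	for i, c := range codes {
		if subtle.ConstantTimeCompare([]byte(c), []byte(code)) == 1 {
			s.recoveryCodes[user] = append(codes[:i:i], codes[i+1:]...) // single use
			return s.issue(user, KindRecoveryStart, 3*time.Minute)
		}
	}
	return nil, ErrBadCredential
}

// VerifyAccountRecovery (step 2): check the remaining factor; repeated failures revoke the start token.
func (s *RecoveryService) VerifyAccountRecovery(startTokenID, password string) (*UserToken, error) {
	t, err := s.GetAccountRecoveryToken(startTokenID, KindRecoveryStart)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare([]byte(s.passwords[t.User]), []byte(password)) != 1 {
		t.attempts++
		if t.attempts >= maxVerifyAttempts {
			delete(s.tokens, t.ID) // the user has to start over with a fresh recovery code
			return nil, ErrTooManyAttempts
		}
		return nil, ErrBadCredential
	}
	delete(s.tokens, t.ID) // a successful verification consumes the start token
	return s.issue(t.User, KindRecoveryApproved, 5*time.Minute)
}

// CompleteAccountRecovery (step 3): only an approved token may set the new credential.
func (s *RecoveryService) CompleteAccountRecovery(approvedTokenID, newPassword string) error {
	t, err := s.GetAccountRecoveryToken(approvedTokenID, KindRecoveryApproved)
	if err != nil {
		return err
	}
	s.passwords[t.User] = newPassword
	delete(s.tokens, t.ID)
	return nil
}

// newSampleRecoveryService seeds one user with two recovery codes (constructed sample data).
func newSampleRecoveryService() *RecoveryService {
	return &RecoveryService{tokens: map[string]*UserToken{},
		recoveryCodes: map[string][]string{"alice": {"code-one", "code-two"}},
		passwords:     map[string]string{"alice": "old-password"}}
}

func main() {
	svc := newSampleRecoveryService()
	start, _ := svc.StartAccountRecovery("alice", "code-one")
	fmt.Println(svc.CompleteAccountRecovery(start.ID, "new-password")) // refused: step 2 was skipped
}
```

The design choice to note is that each step's token is bound to a kind and consumed on use: a start token cannot be presented to CompleteAccountRecovery, a recovery code cannot be replayed, and a start token that absorbs too many wrong second-step attempts is revoked so the caller must obtain a new code rather than keep guessing against the same token.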

type IdentitySpecV2

type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACert is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}

IdentitySpecV2 specifies credentials used by local process.

type IdentityV2

type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}

IdentityV2 specifies local host identity.

func (*IdentityV2) CheckAndSetDefaults

func (s *IdentityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values.

type InitConfig

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// KeyStoreConfig is the config for the KeyStore which handles private CA
	// keys that may be held in an HSM.
	KeyStoreConfig keystore.Config

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName types.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []types.CertAuthority

	// Resources is a list of previously backed-up resources used to
	// bootstrap backend on first start.
	Resources []types.Resource

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []types.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers statically supplied
	// in configuration, so auth server will init the connectors on the first start
	OIDCConnectors []types.OIDCConnector

	// Trust is a service that manages certificate authorities
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// DynamicAccessExt is a service that manages dynamic RBAC.
	DynamicAccessExt services.DynamicAccessExt

	// Events is an event service
	Events types.Events

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Restrictions is a service to access network restrictions, etc
	Restrictions services.Restrictions

	// Apps is a service that manages application resources.
	Apps services.Apps

	// Databases is a service that manages database resources.
	Databases services.Databases

	// Status is a service that manages cluster status info.
	Status services.StatusInternal

	// Roles is a set of roles to create
	Roles []types.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens types.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor passed in from a configuration file.
	AuthPreference types.AuthPreference

	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog

	// ClusterAuditConfig holds cluster audit configuration.
	ClusterAuditConfig types.ClusterAuditConfig

	// ClusterNetworkingConfig holds cluster networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig

	// SessionRecordingConfig holds session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig

	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodic operations.
	SkipPeriodicOperations bool

	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16

	// Emitter is events emitter, used to submit discrete events
	Emitter apievents.Emitter

	// Streamer is events sessionstreamer, used to create continuous
	// session related streams
	Streamer events.Streamer

	// WindowsDesktops is a service that manages Windows desktop resources.
	WindowsDesktops services.WindowsDesktops

	// SessionTrackerService is a service that manages trackers for all active sessions.
	SessionTrackerService services.SessionTrackerService

	// Enforcer is used to enforce Teleport Enterprise license compliance.
	Enforcer services.Enforcer

	// ConnectionsDiagnostic is a service that manages Connection Diagnostics resources.
	ConnectionsDiagnostic services.ConnectionsDiagnostic

	// LoadAllCAs tells tsh to load the host CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool

	// TraceClient is used to forward spans to the upstream telemetry collector
	TraceClient otlptrace.Client

	// Kubernetes is a service that manages kubernetes cluster resources.
	Kubernetes services.Kubernetes

	// AssertionReplayService is a service that mitigates SSO assertion replay.
	*local.AssertionReplayService

	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// UsageReporter is a service that forwards cluster usage events.
	UsageReporter services.UsageReporter
}

InitConfig is auth server init config

type KubeCSR

type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}

KubeCSR is a kubernetes CSR request

func (*KubeCSR) CheckAndSetDefaults

func (a *KubeCSR) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type KubeCSRResponse

type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}

KubeCSRResponse is a response to kubernetes CSR request

type KubernetesAccessPoint

type KubernetesAccessPoint interface {
	// ReadKubernetesAccessPoint provides methods to read data
	ReadKubernetesAccessPoint
	// contains filtered or unexported methods
}

KubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.

type KubernetesWrapper

type KubernetesWrapper struct {
	ReadKubernetesAccessPoint

	NoCache KubernetesAccessPoint
	// contains filtered or unexported fields
}

func (*KubernetesWrapper) Close

func (w *KubernetesWrapper) Close() error

Close closes all associated resources

type LocalUser

type LocalUser struct {
	// Username is local username
	Username string
	// Identity is x509-derived identity used to build this user
	Identity tlsca.Identity
}

LocalUser is a local user

func (LocalUser) GetIdentity

func (l LocalUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type Metrics

type Metrics struct {
	GRPCServerLatency bool
}

Metrics handles optional metrics for TLSServerConfig

type Middleware

type Middleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessCache
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication to a subset of certificates
	// based on certificate metadata; for example, the middleware can reject
	// certificates whose usage does not match. If empty, only certificates
	// with non-limited usage are accepted; if set, certificates with
	// non-limited usage and certificates whose usage exactly matches the
	// specified values are accepted.
	AcceptedUsage []string
	// Limiter is a rate and connection limiter
	Limiter *limiter.Limiter
	// GRPCMetrics is the configured grpc metrics for the interceptors
	GRPCMetrics *om.ServerMetrics
}

Middleware is authentication middleware checking every request

func (*Middleware) GetUser

func (a *Middleware) GetUser(connState tls.ConnectionState) (IdentityGetter, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*Middleware) ServeHTTP

func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*Middleware) StreamInterceptor

func (a *Middleware) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns a gRPC stream interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.

func (*Middleware) UnaryInterceptor

func (a *Middleware) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns a gRPC unary interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.

func (*Middleware) Wrap

func (a *Middleware) Wrap(h http.Handler)

Wrap sets next handler in chain

func (*Middleware) WrapContextWithUser

func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)

WrapContextWithUser enriches the provided context with the identity information extracted from the provided TLS connection.
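The AcceptedUsage rule is the part of Middleware that is easy to get backwards, so here is an added example, written for this page and not Teleport's own Middleware code, that implements the documented rule and runs requests through it. It assumes an identity encoding of its own (username in the certificate Subject CN, usage restriction in the Subject OU; Teleport's tlsca.Identity uses a different layout) and a constructed usage label "usage:kube"; the leaf certificate is a bare struct standing in for the one the TLS layer would have verified.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Identity is what this example reads from the client certificate. The
// encoding (username in Subject CN, usage in Subject OU) is this example's
// assumption, not Teleport's tlsca.Identity layout.
type Identity struct {
	Username string
	Usage    []string
}

type identityKey struct{}

// Middleware mirrors auth.Middleware: every caller is authenticated from the
// TLS peer certificate and checked against AcceptedUsage before Handler runs.
type Middleware struct {
	AcceptedUsage []string
	Handler       http.Handler
}

// usageAllowed is the documented rule: a non-limited certificate always
// passes; a limited one passes only if its usage set equals AcceptedUsage,
// so a certificate scoped to one service cannot be used against another.
func usageAllowed(accepted, certUsage []string) bool {
	if len(certUsage) == 0 {
		return true
	}
	if len(accepted) != len(certUsage) {
		return false
	}
	want := map[string]bool{}
	for _, u := range accepted {
		want[u] = true
	}
	for _, u := range certUsage {
		if !want[u] {
			return false
		}
	}
	return true
}

// GetUser interprets the leaf of an already verified connection. Chain
// validation against the cluster CA is the TLS layer's job
// (tls.Config.ClientAuth = tls.RequireAndVerifyClientCert), not this code's.
func (m *Middleware) GetUser(cs *tls.ConnectionState) (Identity, error) {
	if cs == nil || len(cs.PeerCertificates) == 0 {
		return Identity{}, errors.New("no client certificate")
	}
	leaf := cs.PeerCertificates[0]
	id := Identity{Username: leaf.Subject.CommonName, Usage: leaf.Subject.OrganizationalUnit}
	if id.Username == "" {
		return Identity{}, errors.New("certificate carries no username")
	}
	if !usageAllowed(m.AcceptedUsage, id.Usage) {
		return Identity{}, fmt.Errorf("usage %v not accepted (endpoint wants %v)", id.Usage, m.AcceptedUsage)
	}
	return id, nil
}

// ServeHTTP answers 403 when authentication fails and otherwise forwards the
// request with the identity stored in its context.
func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, err := m.GetUser(r.TLS)
	if err != nil {
		http.Error(w, "access denied", http.StatusForbidden)
		return
	}
	m.Handler.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), identityKey{}, id)))
}

// statusFor drives one request through a middleware whose handler echoes the
// caller. The leaf is a bare certificate struct (constructed input) with only
// the Subject fields the middleware reads, and r.TLS is set by hand.
func statusFor(accepted []string, username string, usage []string) int {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello", r.Context().Value(identityKey{}).(Identity).Username)
	})
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: username, OrganizationalUnit: usage}}
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}}
	rec := httptest.NewRecorder()
	(&Middleware{AcceptedUsage: accepted, Handler: echo}).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	kubeOnly := []string{"usage:kube"} // illustrative usage label
	fmt.Println(statusFor(kubeOnly, "alice", nil))                  // non-limited cert
	fmt.Println(statusFor(kubeOnly, "bob", []string{"usage:kube"})) // exact match
	fmt.Println(statusFor(nil, "eve", []string{"usage:kube"}))      // endpoint takes only non-limited certs
}
```

The point worth checking in any deployment is the second half of the rule: an endpoint with an empty AcceptedUsage rejects every usage-limited certificate, so a certificate minted for one service cannot be pointed at the general API, while a non-limited certificate is accepted everywhere.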

type NewRemoteProxyCachingAccessPoint

type NewRemoteProxyCachingAccessPoint func(clt ClientI, cacheName []string) (RemoteProxyAccessPoint, error)

NewRemoteProxyCachingAccessPoint returns new caching access point using access point policy

type NodeAccessPoint

type NodeAccessPoint interface {
	// ReadNodeAccessPoint provides methods to read data
	ReadNodeAccessPoint
	// contains filtered or unexported methods
}

NodeAccessPoint is an API interface implemented by a certificate authority (CA) to be used by teleport.ComponentNode.

func NewNodeWrapper

func NewNodeWrapper(base NodeAccessPoint, cache ReadNodeAccessPoint) NodeAccessPoint

type NodeWrapper

type NodeWrapper struct {
	ReadNodeAccessPoint

	NoCache NodeAccessPoint
	// contains filtered or unexported fields
}

func (*NodeWrapper) Close

func (w *NodeWrapper) Close() error

Close closes all associated resources

type OIDCAuthRequest

type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`
	// CSRFToken is associated with user web session token
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key; the user wants this
	// key signed by the auth server's user CA in case
	// of successful auth
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication
	ClientRedirectURL string `json:"client_redirect_url"`
}

OIDCAuthRequest is an OIDC auth request that supports standard json marshaling.

func OIDCAuthRequestFromProto

func OIDCAuthRequestFromProto(req *types.OIDCAuthRequest) OIDCAuthRequest

OIDCAuthRequestFromProto converts the types.OIDCAuthRequest to OIDCAuthRequest.

type OIDCAuthResponse

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the web session, generated by the auth server if requested in OIDCAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a set of two-factor authentication credentials: a password and a second factor token

type PassCreds

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type PolicyOptions

type PolicyOptions struct {
	TerminateOnLeave bool
}

PolicyOptions is a set of settings for the session determined by the matched require policy.

type ProcessStorage

type ProcessStorage struct {
	// BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
	BackendStorage backend.Backend
	// contains filtered or unexported fields
}

ProcessStorage is a backend for local process state: it helps manage rotation for certificate authorities and keeps the local process credentials (x509 and SSH certificates and keys).

func NewProcessStorage

func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)

NewProcessStorage returns a new instance of the process storage.

func (*ProcessStorage) Close

func (p *ProcessStorage) Close() error

Close closes all resources used by process storage backend.

func (*ProcessStorage) CreateState

func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error

CreateState creates process state if it does not exist yet.

func (*ProcessStorage) GetState

func (p *ProcessStorage) GetState(role types.SystemRole) (*StateV2, error)

GetState reads rotation state from disk.

func (*ProcessStorage) ReadIdentity

func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)

ReadIdentity reads identity using identity name and role.

func (*ProcessStorage) WriteIdentity

func (p *ProcessStorage) WriteIdentity(name string, id Identity) error

WriteIdentity writes identity to the backend.

func (*ProcessStorage) WriteState

func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error

WriteState writes local cluster state to the backend.

type ProvisioningService

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens(ctx context.Context) (tokens []types.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a reset password token or a machine token
	DeleteToken(ctx context.Context, token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ctx context.Context, token types.ProvisionToken) error

	// CreateToken creates a new provision token for the auth server
	CreateToken(ctx context.Context, token types.ProvisionToken) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster
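RegisterUsingToken is where a join secret turns into cluster credentials, so the checks around it matter more than the rest of the interface. The following is an added example of those checks, written for this page rather than taken from Teleport: an in-memory store that hashes secrets at rest, expires them, and refuses to let a token issued for one system role join as another. The SystemRole strings, the 16-character minimum and the constructed secret are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// SystemRole is the role a joining process asks for. The strings used here
// are this example's own, not Teleport's types.SystemRole constants.
type SystemRole string

// ProvisionToken is the subset of a provisioning token this example needs:
// the roles it may grant and the moment it stops being valid.
type ProvisionToken struct {
	Roles  []SystemRole
	Expiry time.Time
}

// TokenStore is an in-memory stand-in for the backend behind
// ProvisioningService. Tokens are keyed by the SHA-256 of the join secret, so
// a backend dump does not hand out usable secrets and lookups compare digests
// rather than the secret itself.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[[32]byte]ProvisionToken
	now    func() time.Time // injectable clock for the expiry checks
}

func NewTokenStore() *TokenStore {
	return &TokenStore{tokens: map[[32]byte]ProvisionToken{}, now: time.Now}
}

func digest(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

// UpsertToken stores or replaces a token. It refuses secrets too short to
// resist online guessing, tokens that grant nothing, and tokens without
// an expiry (the assumed minimum length is this example's choice).
func (s *TokenStore) UpsertToken(secret string, tok ProvisionToken) error {
	if len(secret) < 16 {
		return errors.New("join token must be at least 16 characters")
	}
	if len(tok.Roles) == 0 {
		return errors.New("join token must grant at least one role")
	}
	if tok.Expiry.IsZero() {
		return errors.New("join token must carry an expiry")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[digest(secret)] = tok
	return nil
}

// DeleteToken revokes a token; deleting an unknown token is not an error.
func (s *TokenStore) DeleteToken(secret string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.tokens, digest(secret))
}

// RegisterUsingToken is the check a join request must pass: the token exists,
// has not expired, and grants the requested role. A token minted for a node
// must not let its holder join as a proxy or auth server, so the role check
// is exact rather than "any role the token lists".
func (s *TokenStore) RegisterUsingToken(secret string, role SystemRole) (ProvisionToken, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := digest(secret)
	tok, ok := s.tokens[key]
	if !ok {
		return ProvisionToken{}, errors.New("join token not found")
	}
	if !s.now().Before(tok.Expiry) {
		delete(s.tokens, key) // expired tokens are pruned on first use
		return ProvisionToken{}, errors.New("join token expired")
	}
	for _, r := range tok.Roles {
		if r == role {
			return tok, nil
		}
	}
	return ProvisionToken{}, fmt.Errorf("join token does not grant role %q", role)
}

func main() {
	s := NewTokenStore()
	secret := "3f9c1d2e7a8b4c5d6e7f8091a2b3c4d5" // constructed example secret
	_ = s.UpsertToken(secret, ProvisionToken{Roles: []SystemRole{"Node"}, Expiry: time.Now().Add(time.Hour)})
	_, err := s.RegisterUsingToken(secret, "Node")
	fmt.Println("join as Node: ", err)
	_, err = s.RegisterUsingToken(secret, "Proxy")
	fmt.Println("join as Proxy:", err)
}
```

The three distinct error strings are fine for the audit log but should not reach the joining host verbatim: telling an unauthenticated caller whether a token exists, has expired, or merely lacks a role turns RegisterUsingToken into an oracle for token guessing. Collapse them to one generic failure on the wire and keep the detail server-side.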

type ProxyAccessPoint

type ProxyAccessPoint interface {
	// ReadProxyAccessPoint provides methods to read data
	ReadProxyAccessPoint
	// contains filtered or unexported methods
}

ProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

type ProxyWrapper

type ProxyWrapper struct {
	ReadProxyAccessPoint

	NoCache ProxyAccessPoint
	// contains filtered or unexported fields
}

func (*ProxyWrapper) Close

func (w *ProxyWrapper) Close() error

Close closes all associated resources

type ReRegisterParams

type ReRegisterParams struct {
	// Client is an authenticated client using old credentials
	Client ClientI
	// ID is identity ID
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS Names to add to the x509 client certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority
	Rotation types.Rotation
	// SystemRoles is a set of additional system roles held by the instance.
	SystemRoles []types.SystemRole
	// Used by older instances to requisition a multi-role cert by individually
	// proving which system roles are held.
	UnstableSystemRoleAssertionID string
}

ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)

type ReadAppsAccessPoint

type ReadAppsAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}

ReadAppsAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.

NOTE: This interface must match the resources replicated in cache.ForApps.

type ReadDatabaseAccessPoint

type ReadDatabaseAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}

ReadDatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.

NOTE: This interface must match the resources replicated in cache.ForDatabases.

type ReadDiscoveryAccessPoint

type ReadDiscoveryAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetKubernetesCluster returns a kubernetes cluster resource identified by name.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
}

ReadDiscoveryAccessPoint is a read only API interface to be used by a teleport.ComponentDiscovery.

NOTE: This interface must match the resources replicated in cache.ForDiscovery.

type ReadKubernetesAccessPoint

type ReadKubernetesAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

ReadKubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.

NOTE: This interface must match the resources replicated in cache.ForKubernetes.

type ReadNodeAccessPoint

type ReadNodeAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
}

ReadNodeAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentNode.

NOTE: This interface must match the resources replicated in cache.ForNode.

type ReadProxyAccessPoint

type ReadProxyAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetReverseTunnels returns a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)

	// GetWebSession gets a web session for the given request
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken gets a web token for the given request
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns the registered windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a windows desktop host by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

ReadProxyAccessPoint is a read-only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

NOTE: This interface must match the resources replicated in cache.ForProxy.

type ReadRemoteProxyAccessPoint

type ReadRemoteProxyAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetReverseTunnels returns a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
}

ReadRemoteProxyAccessPoint is a read-only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

NOTE: This interface must match the resources replicated in cache.ForRemoteProxy.

type ReadWindowsDesktopAccessPoint

type ReadWindowsDesktopAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns the registered windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

	// GetWindowsDesktopService returns a windows desktop host by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
}

ReadWindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.

NOTE: This interface must match the resources replicated in cache.ForWindowsDesktop.

type RegisterParams

type RegisterParams struct {
	// Token is a secure token to join the cluster
	Token string
	// ID is identity ID
	ID IdentityID
	// AuthServers is a list of auth servers to dial
	AuthServers []utils.NetAddr
	// ProxyServer is a proxy server to dial
	ProxyServer utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to x509 certificate
	DNSNames []string
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for TLS client connection
	CipherSuites []uint16
	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// CAPath is the path to the CA file.
	CAPath string
	// GetHostCredentials is a client that can fetch host credentials.
	GetHostCredentials HostCredentials
	// Clock specifies the time provider. Will be used to override the time anchor
	// for TLS certificate verification.
	// Defaults to real clock if unspecified
	Clock clockwork.Clock
	// JoinMethod is the joining method used for this register request.
	JoinMethod types.JoinMethod

	// CircuitBreakerConfig defines how the circuit breaker should behave.
	CircuitBreakerConfig breaker.Config
	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool
	// IDToken is a token retrieved from a workload identity provider for
	// certain join types, e.g. GitHub, Google.
	IDToken string
	// Expires is an optional field for bots that specifies a time that the
	// certificates that are returned by registering should expire at.
	// It should not be specified for non-bot registrations.
	Expires *time.Time
	// contains filtered or unexported fields
}

RegisterParams specifies the parameters for the first-time registration operation with the auth server.

type RemoteBuiltinRole

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role types.SystemRole

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster.
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteBuiltinRole is the role of a remote Teleport service (one connecting via a trusted cluster link).

func (RemoteBuiltinRole) GetIdentity

func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteProxyAccessPoint

type RemoteProxyAccessPoint interface {
	// ReadRemoteProxyAccessPoint provides methods to read data
	ReadRemoteProxyAccessPoint
	// contains filtered or unexported methods
}

RemoteProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

type RemoteProxyWrapper

type RemoteProxyWrapper struct {
	ReadRemoteProxyAccessPoint

	NoCache RemoteProxyAccessPoint
	// contains filtered or unexported fields
}

func (*RemoteProxyWrapper) Close

func (w *RemoteProxyWrapper) Close() error

Close closes all associated resources

type RemoteUser

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`

	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`

	// KubernetesUsers is a list of Kubernetes users
	KubernetesUsers []string `json:"kubernetes_users"`

	// DatabaseNames is a list of database names a user can connect to.
	DatabaseNames []string `json:"database_names"`

	// DatabaseUsers is a list of database users a user can connect as.
	DatabaseUsers []string `json:"database_users"`

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteUser defines an encoded remote user.

func (RemoteUser) GetIdentity

func (r RemoteUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RotateRequest

type RotateRequest struct {
	// Type is the certificate authority type; if omitted, both the user and
	// host CAs are rotated.
	Type types.CertAuthType `json:"type"`
	// GracePeriod is used to generate the cert rotation schedule that defines
	// the times at which the different rotation phases are applied by the auth
	// server in auto mode. It is not used in manual rotation mode.
	// If omitted, a default value is set. If 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period:
	// all existing users and hosts will have to re-login and be re-added
	// to the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets the desired rotation phase to move to. If not set it
	// is chosen automatically; it is a required argument for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule, autogenerated from the
	// GracePeriod parameter if not set.
	Schedule *types.RotationSchedule `json:"schedule"`
}

RotateRequest is a request to start rotation of the certificate authority.

func (*RotateRequest) CheckAndSetDefaults

func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values.

func (*RotateRequest) Types

func (r *RotateRequest) Types() []types.CertAuthType

Types returns cert authority types requested to be rotated.

type SAMLAuthRequest

type SAMLAuthRequest struct {
	// ID is a unique request ID.
	ID string `json:"id"`
	// PublicKey is an optional public key that the user wants signed by the
	// auth server's user CA on successful authentication.
	PublicKey []byte `json:"public_key"`
	// CSRFToken is associated with user web session token.
	CSRFToken string `json:"csrf_token"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication.
	ClientRedirectURL string `json:"client_redirect_url"`
}

SAMLAuthRequest is a SAML auth request that supports standard json marshaling.

func SAMLAuthRequestFromProto

func SAMLAuthRequestFromProto(req *types.SAMLAuthRequest) SAMLAuthRequest

SAMLAuthRequestFromProto converts a types.SAMLAuthRequest to a SAMLAuthRequest.

type SAMLAuthResponse

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the web session generated by the auth server if requested in SAMLAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert is the certificate generated by the certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned once the auth server has validated the callback parameters returned from the SAML identity provider.

type SSHLoginResponse

type SSHLoginResponse struct {
	// Username contains the logged-in user's name
	Username string `json:"username"`
	// Cert is a PEM encoded signed certificate
	Cert []byte `json:"cert"`
	// TLSCert is a PEM encoded TLS certificate signed by the TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is the response returned by the web proxy. It preserves backwards compatibility on the wire, which is the primary reason for the non-matching JSON tags.

type Server

type Server struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs.
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// ServerID is the server ID of this auth server.
	ServerID string

	// Services encapsulate services - provisioner, trust, etc. used by the auth
	// server in a separate structure. Reads through Services hit the backend.
	*Services

	// Cache should either be the same as Services, or a caching layer over it.
	// As it's an interface (and thus directly implementing all of its methods)
	// its embedding takes priority over Services (which only indirectly
	// implements its methods), thus any implemented GetFoo method on both Cache
	// and Services will call the one from Cache. To bypass the cache, call the
	// method on Services instead.
	Cache
	// contains filtered or unexported fields
}

Server keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)
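The struct comment above relies on a Go selector rule: a method of the directly embedded Cache interface sits at depth 1, while a method that *Services only inherits from its own embedded fields sits at depth 2, so the shallower one wins and reads through the embedding always hit the cache. The following is an added illustration, not Teleport code; the types mirror the page's names but are toy stand-ins, and the lagging cache contents are constructed sample data.

```go
package main

import "fmt"

// Reader is a stand-in for the page's Cache interface: the read method set
// that both the cache and the backend services implement.
type Reader interface {
	GetWebSession(sessionID string) (string, bool)
}

// backend is a toy authoritative store (stands in for the inner services
// that *Services embeds). sessions maps sessionID -> username.
type backend struct {
	sessions map[string]string
}

func (b *backend) GetWebSession(id string) (string, bool) {
	user, ok := b.sessions[id]
	return user, ok
}

// Services embeds backend, so GetWebSession is only promoted through it:
// depth 1 inside Services, depth 2 once Services is embedded in Server.
type Services struct {
	*backend
}

// cache is a toy read cache whose copy may lag behind the backend.
type cache struct {
	sessions map[string]string
}

func (c *cache) GetWebSession(id string) (string, bool) {
	user, ok := c.sessions[id]
	return user, ok
}

// Server mirrors the page's layout: Reader is embedded directly (its
// methods sit at depth 1) while *Services provides the same method only
// indirectly (depth 2). Go picks the shallowest depth, so s.GetWebSession
// always resolves to the cache. Had Services declared GetWebSession
// itself, both would sit at depth 1 and the selector would not compile.
type Server struct {
	*Services
	Reader
}

// LookupCached reads through the embedded interface, i.e. the cache.
func (s *Server) LookupCached(id string) (string, bool) {
	return s.GetWebSession(id)
}

// LookupAuthoritative bypasses the cache by naming Services explicitly,
// which is what the page advises for reads that must not be stale.
func (s *Server) LookupAuthoritative(id string) (string, bool) {
	return s.Services.GetWebSession(id)
}

// newDemoServer builds a server whose cache still holds "sess-2" even
// though the backend no longer has it (constructed sample data).
func newDemoServer() *Server {
	be := &backend{sessions: map[string]string{"sess-1": "alice"}}
	c := &cache{sessions: map[string]string{"sess-1": "alice", "sess-2": "bob"}}
	return &Server{Services: &Services{backend: be}, Reader: c}
}

func main() {
	s := newDemoServer()
	for _, id := range []string{"sess-1", "sess-2"} {
		cu, cok := s.LookupCached(id)
		au, aok := s.LookupAuthoritative(id)
		fmt.Printf("%s: cache=(%q,%v) backend=(%q,%v)\n", id, cu, cok, au, aok)
	}
}
```

For a revocation check the authoritative read is the one that matters; the cached read would still accept "sess-2".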

func Init

func Init(cfg InitConfig, opts ...ServerOption) (*Server, error)

Init instantiates and configures an instance of AuthServer

func NewServer

func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error)

NewServer creates and configures a new Server instance

func (*Server) AddMFADeviceSync

AddMFADeviceSync implements AuthService.AddMFADeviceSync.

func (*Server) AuthenticateSSHUser

func (s *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates an SSH user and returns SSH and TLS certificates for the public key in req.

func (*Server) AuthenticateUser

func (s *Server) AuthenticateUser(req AuthenticateUserRequest) (string, error)

AuthenticateUser authenticates user based on the request type. Returns the username of the authenticated user.

func (*Server) AuthenticateWebUser

func (s *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session. If an existing session ID is used to authenticate, it returns that existing session instead of creating a new one.

func (*Server) ChangePassword

func (s *Server) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates a user's password based on the old password.

func (*Server) ChangeUserAuthentication

ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.

func (*Server) Close

func (a *Server) Close() error

func (*Server) CloseContext

func (a *Server) CloseContext() context.Context

func (*Server) CompareAndSwapUser

func (s *Server) CompareAndSwapUser(ctx context.Context, new, existing types.User) error

CompareAndSwapUser updates a user but fails if the value on the backend does not match the expected value.

func (*Server) CompleteAccountRecovery

func (s *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

CompleteAccountRecovery implements AuthService.CompleteAccountRecovery.

func (*Server) CreateAccessRequest

func (a *Server) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error

func (*Server) CreateAccountRecoveryCodes

func (s *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes implements AuthService.CreateAccountRecoveryCodes.

func (*Server) CreateApp

func (a *Server) CreateApp(ctx context.Context, app types.Application) error

CreateApp creates a new application resource.

func (*Server) CreateAppSession

func (s *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, user types.User, identity tlsca.Identity, checker services.AccessChecker) (types.WebSession, error)

CreateAppSession creates and inserts a services.WebSession into the backend with the identity of the caller used to generate the certificate. The certificate is used for all access requests, which is where access control is enforced.

func (*Server) CreateAuditStream

func (a *Server) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates audit event stream

func (*Server) CreateAuthenticateChallenge

func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)

CreateAuthenticateChallenge implements AuthService.CreateAuthenticateChallenge.

func (*Server) CreateDatabase

func (a *Server) CreateDatabase(ctx context.Context, database types.Database) error

CreateDatabase creates a new database resource.

func (*Server) CreateGithubAuthRequest

func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Server) CreateKubernetesCluster

func (a *Server) CreateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*Server) CreateOIDCAuthRequest

func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

func (*Server) CreatePrivilegeToken

func (s *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken implements AuthService.CreatePrivilegeToken.

func (*Server) CreateRegisterChallenge

func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

CreateRegisterChallenge implements AuthService.CreateRegisterChallenge.

func (*Server) CreateResetPasswordToken

func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

CreateResetPasswordToken creates a reset password token

func (*Server) CreateSAMLAuthRequest

func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

func (*Server) CreateSessionTracker

func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*Server) CreateSnowflakeSession

func (s *Server) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest,
	identity tlsca.Identity, checker services.AccessChecker,
) (types.WebSession, error)

func (*Server) CreateUser

func (s *Server) CreateUser(ctx context.Context, user types.User) error

CreateUser inserts a new user entry in a backend.

func (*Server) CreateWebSession

func (a *Server) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for the user without any checks; it is used by admins.

func (*Server) DeleteAccessRequest

func (a *Server) DeleteAccessRequest(ctx context.Context, name string) error

func (*Server) DeleteApp

func (a *Server) DeleteApp(ctx context.Context, name string) error

DeleteApp deletes an application resource.

func (*Server) DeleteDatabase

func (a *Server) DeleteDatabase(ctx context.Context, name string) error

DeleteDatabase deletes a database resource.

func (*Server) DeleteKubernetesCluster

func (a *Server) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster deletes a kubernetes cluster resource.

func (*Server) DeleteLock

func (a *Server) DeleteLock(ctx context.Context, lockName string) error

DeleteLock deletes a lock and emits a related audit event.

func (*Server) DeleteMFADeviceSync

func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error

DeleteMFADeviceSync implements AuthService.DeleteMFADeviceSync.

func (*Server) DeleteNamespace

func (a *Server) DeleteNamespace(namespace string) error

func (*Server) DeleteOIDCConnector

func (a *Server) DeleteOIDCConnector(ctx context.Context, connectorName string) error

DeleteOIDCConnector deletes an OIDC connector by name.

func (*Server) DeleteRemoteCluster

func (a *Server) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes the remote cluster resource and all certificate authorities associated with it.

func (*Server) DeleteRole

func (a *Server) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes a role and emits a related audit event.

func (*Server) DeleteSAMLConnector

func (a *Server) DeleteSAMLConnector(ctx context.Context, connectorName string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*Server) DeleteToken

func (a *Server) DeleteToken(ctx context.Context, token string) (err error)

func (*Server) DeleteTrustedCluster

func (a *Server) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster removes types.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*Server) DeleteUser

func (s *Server) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existing user in a backend by username.

func (*Server) ExtendWebSession

func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous (current) session.

If there is an approved access request, additional roles are appended to the roles that were extracted from identity. The new session expiration time will not exceed the expiration time of the previous session.

If there is a switchback request, the roles switch back to the user's default roles and the expiration time is derived from the user's most recent login time.

func (*Server) GenerateCertAuthorityCRL

func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for the local CA of a given type.

func (*Server) GenerateDatabaseCert

func (s *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.

func (*Server) GenerateDatabaseTestCert

func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)

GenerateDatabaseTestCert generates a database access certificate for the provided parameters. Used only internally in tests.

func (*Server) GenerateHostCert

func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with metadata like host ID, node name, roles, and TTL) to generate a host certificate.

func (*Server) GenerateHostCerts

func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.

func (*Server) GenerateSnowflakeJWT

func (s *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)

GenerateSnowflakeJWT generates JWT in the format required by Snowflake.

func (*Server) GenerateToken

func (a *Server) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token.

func (*Server) GenerateUserAppTestCert

func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)

GenerateUserAppTestCert generates an application specific certificate, used internally for tests.

func (*Server) GenerateUserTestCerts

func (a *Server) GenerateUserTestCerts(key []byte, username string, ttl time.Duration, compatibility, routeToCluster, sourceIP string) ([]byte, []byte, error)

GenerateUserTestCerts is used to generate user certificate, used internally for tests

func (*Server) GenerateWindowsDesktopCert

func (s *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.

func (*Server) GetAccessCapabilities

func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

func (*Server) GetAccountRecoveryCodes

func (s *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes implements AuthService.GetAccountRecoveryCodes.

func (*Server) GetAccountRecoveryToken

func (s *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)

GetAccountRecoveryToken implements AuthService.GetAccountRecoveryToken.

func (*Server) GetClock

func (a *Server) GetClock() clockwork.Clock

func (*Server) GetClusterCACert

func (a *Server) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster. If the cluster has multiple TLS certs, they will all be concatenated.

func (*Server) GetDomainName

func (a *Server) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server, also known as the "cluster name".

func (*Server) GetInventoryStatus

func (*Server) GetKeyStore

func (a *Server) GetKeyStore() *keystore.Manager

GetKeyStore returns the KeyStore used by the auth server

func (*Server) GetMFADevices

GetMFADevices returns all mfa devices for the user defined in the token or the user defined in context.

func (*Server) GetRemoteCluster

func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*Server) GetRemoteClusters

func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

GetRemoteClusters returns remote clusters with updated statuses

func (*Server) GetTokens

func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning tokens and user tokens). Machine tokens usually carry "node roles" such as auth, proxy and node, while user invitation tokens carry the 'signup' role.

func (*Server) GetWebSession

func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns existing web session described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.

func (*Server) GetWebSessionInfo

func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo returns the web session specified with sessionID for the given user. The session is stripped of any authentication details. Implements auth.WebUIService

func (*Server) GetWebToken

func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns existing web token described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.

func (*Server) IterateResources

func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, f func(resource types.ResourceWithLabels) error) error

IterateResources loads all resources matching the provided request and passes them one by one to the provided callback function. To stop iteration callers may return ErrDone from the callback function, which will result in a nil return from IterateResources. Any other errors returned from the callback function cause iteration to stop and the error to be returned.

func (*Server) ListResources

ListResources returns paginated resources depending on the resource type.

func (*Server) MakeLocalInventoryControlStream

func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream

MakeLocalInventoryControlStream sets up an in-memory control stream which automatically registers with this auth server upon hello exchange.

func (*Server) NewKeepAliver

func (a *Server) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Server) NewWebSession

func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)

NewWebSession creates and returns a new web session for the specified request

func (*Server) PingInventory

func (*Server) PreAuthenticatedSignIn

func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)

PreAuthenticatedSignIn is for MFA authentication methods where the password has already been checked before the second-factor challenge is issued.

func (*Server) ProcessKubeCSR

func (s *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes a CSR against the Kubernetes CA and returns the signed certificate on success.

func (*Server) RegisterInventoryControlStream

func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error

func (*Server) RegisterUsingIAMMethod

func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc, opts ...iamRegisterOption) (*proto.Certs, error)

RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.

The caller must provide a ChallengeResponseFunc which returns a *types.RegisterUsingTokenRequest with a signed sts:GetCallerIdentity request including the challenge as a signed header.

func (*Server) RegisterUsingToken

func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

RegisterUsingToken returns credentials for a new node to join the Teleport cluster using a previously issued token.

A node must also request a specific role (and the role must match one of the roles the token was generated for.)

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires.)

If the token includes a specific join method, the rules for that join method will be checked.
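The three rules above (role must be one the token was generated for, TTL is enforced, a token bound to a join method only accepts that method), written out as an added Go example. This is not Teleport's code: the ProvisionToken and RegisterRequest types, the Validate function and the sample token store are this example's own, and the join-method rule is reduced to a name comparison rather than the per-method checks the real server performs.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ProvisionToken is the slice of a join token this example needs. The type and
// field names are this example's own, not Teleport's types.ProvisionToken.
type ProvisionToken struct {
	Name       string    // identifier used in errors; the secret value is the map key
	Roles      []string  // roles the token was generated for, e.g. "node", "proxy"
	Expires    time.Time // zero value means the token has no TTL
	JoinMethod string    // "" means a plain token; otherwise requests must use this method
}

// RegisterRequest is the part of a join request these checks look at.
type RegisterRequest struct {
	Token      string
	Role       string
	JoinMethod string
}

var ErrTokenNotFound = errors.New("token not found")

// Validate applies the rules the RegisterUsingToken documentation lists: the
// token must exist, an expired token is refused, the requested role must be one
// the token was generated for, and a token bound to a join method only accepts
// requests made through that method. Errors name the token, never its value.
func Validate(tokens map[string]ProvisionToken, req RegisterRequest, now time.Time) (ProvisionToken, error) {
	tok, ok := tokens[req.Token]
	if !ok {
		return ProvisionToken{}, ErrTokenNotFound
	}
	if !tok.Expires.IsZero() && !now.Before(tok.Expires) {
		return ProvisionToken{}, fmt.Errorf("token %q expired at %s", tok.Name, tok.Expires.UTC().Format(time.RFC3339))
	}
	roleOK := false
	for _, r := range tok.Roles {
		roleOK = roleOK || r == req.Role
	}
	if !roleOK {
		return ProvisionToken{}, fmt.Errorf("token %q was not generated for role %q", tok.Name, req.Role)
	}
	if tok.JoinMethod != "" && tok.JoinMethod != req.JoinMethod {
		return ProvisionToken{}, fmt.Errorf("token %q requires join method %q, got %q", tok.Name, tok.JoinMethod, req.JoinMethod)
	}
	return tok, nil
}

// SampleTokens is a constructed token store (not real tokens) used by main.
func SampleTokens(now time.Time) map[string]ProvisionToken {
	return map[string]ProvisionToken{
		"node-token-secret": {Name: "node-join", Roles: []string{"node", "app"}, Expires: now.Add(time.Hour)},
		"iam-token-secret":  {Name: "iam-join", Roles: []string{"node"}, JoinMethod: "iam"},
		"stale-secret":      {Name: "stale", Roles: []string{"node"}, Expires: now.Add(-time.Minute)},
	}
}

func main() {
	now := time.Now()
	tokens := SampleTokens(now)
	for _, req := range []RegisterRequest{
		{Token: "node-token-secret", Role: "node", JoinMethod: "token"},
		{Token: "node-token-secret", Role: "proxy", JoinMethod: "token"},
		{Token: "stale-secret", Role: "node", JoinMethod: "token"},
		{Token: "iam-token-secret", Role: "node", JoinMethod: "token"},
	} {
		_, err := Validate(tokens, req, now)
		fmt.Printf("role=%-5s method=%-5s -> %v\n", req.Role, req.JoinMethod, err)
	}
}
```

The expiry check uses `!now.Before(tok.Expires)` so that a token is refused at exactly its expiry instant, and the store is keyed by the secret value while errors only ever mention the token's name.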

func (*Server) ResetPassword

func (s *Server) ResetPassword(username string) (string, error)

ResetPassword securely generates a new random password and assigns it to the user. This method is used to invalidate the existing user password during the password reset process.

func (*Server) ResumeAuditStream

func (a *Server) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes the stream that has been created

func (*Server) RotateCertAuthority

func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

Rotation procedure is based on the state machine approach.

Here are the supported rotation states:

  • Standby - the cluster is in standby mode and ready to take action.
  • In-progress - cluster CA rotation is in progress.

In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.

Here are the supported phases:

* Standby - no action is taken.

* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.

This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.

* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers (TLS, SSH and proxies) will still use the old credentials. Certs from both the old CA and the new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers; if this phase did not exist, old clients could not trust servers serving new credentials, because the old clients would not have received the new information yet. It is possible to transition from this phase to "Update Servers" or "Rollback".

* Update Servers - triggers all internal system components to reload and use the new credentials, in both internal clients and servers; credentials issued by the old CA are still trusted. This keeps old components trusted within the system so that rollback remains possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby", the rotation is considered complete: the old CA is removed from the system and components reload again, this time no longer trusting the old CA.

* Rollback - reverts any changes. When going to the rollback phase the newly issued CA is no longer used, but it remains trusted so that components can reload and receive credentials issued by the "old" CA again. This phase is useful when an administrator makes a mistake, or when there are offline components that would lose their connection if the rotation completed. It is only possible to transition from this phase to "Standby". When transitioning from "Rollback" to "Standby", all components reload again, the "new" CA is discarded and no longer trusted, and the cluster returns to its original state.

Rotation modes

Two rotation modes are supported: manual and automatic.

* Manual mode allows administrators to transition between phases by explicitly setting the phase on every request.

* Automatic mode transitions between phases on a given schedule. The schedule is a timetable that specifies the exact time at which each next phase should take place. If an automatic transition between any two phases fails, the rotation switches back to manual mode and stops executing phases on the schedule. If no schedule is specified, one is generated from the "grace period" duration parameter, with the time between phases split evenly over the grace period.

It is possible to switch from automatic to manual by setting the phase to the rollback phase.
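The rotation state machine described above, written out as an added Go example. This is not Teleport's code: the Phase constants, the "old"/"new" CA labels, the Rotation type and the Schedule function are this example's own. It refuses any transition the documentation does not list (so from init the only next phase is update_clients), tracks which CA each side presents credentials from and which CAs are trusted in every phase, drops back to manual mode on rollback, and derives the evenly split automatic schedule from a grace period.

```go
package main

import (
	"fmt"
	"time"
)

// Phase is a rotation phase from the RotateCertAuthority documentation. The
// names, and the "old"/"new" CA labels below, are this example's own.
type Phase string

const (
	PhaseStandby       Phase = "standby"
	PhaseInit          Phase = "init"
	PhaseUpdateClients Phase = "update_clients"
	PhaseUpdateServers Phase = "update_servers"
	PhaseRollback      Phase = "rollback"
)

// allowed lists only the transitions the documentation states; anything else
// (for example standby straight to update_servers) is refused.
var allowed = map[Phase][]Phase{
	PhaseStandby:       {PhaseInit},
	PhaseInit:          {PhaseUpdateClients},
	PhaseUpdateClients: {PhaseUpdateServers, PhaseRollback},
	PhaseUpdateServers: {PhaseRollback, PhaseStandby},
	PhaseRollback:      {PhaseStandby},
}

// Rotation tracks the phase plus the trust picture the documentation gives
// for each phase: which CA each side presents credentials from, and which
// CAs are accepted.
type Rotation struct {
	Phase     Phase
	Automatic bool     // automatic mode; cleared by a rollback
	Trusted   []string // CAs whose certificates are accepted: "old" and/or "new"
	Clients   string   // CA behind the credentials internal clients present
	Servers   string   // CA behind the credentials servers and proxies present
	Completed int      // rotations finished via update_servers -> standby
}

func NewRotation() *Rotation {
	return &Rotation{Phase: PhaseStandby, Trusted: []string{"old"}, Clients: "old", Servers: "old"}
}

// Transition applies one phase change, enforcing the documented transitions.
func (r *Rotation) Transition(to Phase) error {
	ok := false
	for _, p := range allowed[r.Phase] {
		ok = ok || p == to
	}
	if !ok {
		return fmt.Errorf("unsupported rotation transition %s -> %s", r.Phase, to)
	}
	switch to {
	case PhaseInit:
		r.Trusted = []string{"old", "new"} // new CA issued and trusted; nobody uses it yet
	case PhaseUpdateClients:
		r.Clients = "new" // clients reconnect with new credentials; servers still present old ones
	case PhaseUpdateServers:
		r.Servers = "new" // everything presents new credentials; old CA stays trusted for rollback
	case PhaseRollback:
		r.Clients, r.Servers = "old", "old" // new CA stays trusted only so components can reload
		r.Automatic = false                 // a rollback always ends automatic mode
	case PhaseStandby:
		if r.Phase == PhaseRollback {
			r.Trusted = []string{"old"} // new CA discarded, original state restored
		} else {
			// Rotation complete: the old CA is removed and the new CA is the only one.
			// It is relabelled "old" so the next rotation starts from the same shape.
			r.Trusted = []string{"old"}
			r.Clients, r.Servers = "old", "old"
			r.Completed++
		}
	}
	r.Phase = to
	return nil
}

// Schedule splits the grace period evenly between the transitions that follow
// init, as the documentation describes for automatic mode with no explicit schedule.
func Schedule(start time.Time, grace time.Duration) map[Phase]time.Time {
	steps := []Phase{PhaseUpdateClients, PhaseUpdateServers, PhaseStandby}
	out := make(map[Phase]time.Time, len(steps))
	for i, p := range steps {
		out[p] = start.Add(grace * time.Duration(i+1) / time.Duration(len(steps)))
	}
	return out
}

func main() {
	r := NewRotation()
	for _, p := range []Phase{PhaseInit, PhaseUpdateClients, PhaseUpdateServers, PhaseStandby} {
		if err := r.Transition(p); err != nil {
			fmt.Println("refused:", err)
			return
		}
		fmt.Printf("%-15s clients=%s servers=%s trusted=%v\n", r.Phase, r.Clients, r.Servers, r.Trusted)
	}
	fmt.Println("refused:", r.Transition(PhaseUpdateServers))
}
```

The trust picture is what matters operationally: in every in-progress phase both CAs are accepted, which is exactly what keeps components that have not yet reloaded, and remote clusters that have not yet fetched the new CA, from being locked out; only the two returns to standby narrow trust back to a single CA.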

func (*Server) RotateExternalCertAuthority

func (a *Server) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates an external certificate authority. It is called by a remote trusted cluster and updates only the public keys and certificates of the certificate authority.

func (*Server) SetAccessRequestState

func (a *Server) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error

func (*Server) SetAuditLog

func (a *Server) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*Server) SetClock

func (a *Server) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*Server) SetEmitter

func (a *Server) SetEmitter(emitter apievents.Emitter)

func (*Server) SetEnforcer

func (a *Server) SetEnforcer(enforcer services.Enforcer)

SetEnforcer sets the server's enforcer service.

func (*Server) SetLockWatcher

func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)

SetLockWatcher sets the lock watcher.

func (*Server) SetUsageReporter

func (a *Server) SetUsageReporter(reporter services.UsageReporter)

SetUsageReporter sets the server's usage reporter

func (*Server) SignDatabaseCSR

func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)

SignDatabaseCSR generates a client certificate used by the proxy when talking to a remote database service.

func (*Server) StartAccountRecovery

func (s *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)

StartAccountRecovery implements AuthService.StartAccountRecovery.

func (*Server) SubmitAccessReview

func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)

func (*Server) SubmitUsageEvent

func (a *Server) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

SubmitUsageEvent submits an external usage event.

func (*Server) UnstableAssertSystemRole

func (a *Server) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error

UnstableAssertSystemRole is not a stable part of the public API. Used by older instances to prove that they hold a given system role. DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)

func (*Server) UnstableGetSystemRoleAssertions

func (a *Server) UnstableGetSystemRoleAssertions(ctx context.Context, serverID string, assertionID string) (proto.UnstableSystemRoleAssertionSet, error)

func (*Server) UpdateApp

func (a *Server) UpdateApp(ctx context.Context, app types.Application) error

UpdateApp updates an existing application resource.

func (*Server) UpdateDatabase

func (a *Server) UpdateDatabase(ctx context.Context, database types.Database) error

UpdateDatabase updates an existing database resource.

func (*Server) UpdateKubernetesCluster

func (a *Server) UpdateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error

UpdateKubernetesCluster updates an existing kubernetes cluster resource.

func (*Server) UpdateUser

func (s *Server) UpdateUser(ctx context.Context, user types.User) error

UpdateUser updates an existing user in a backend.

func (*Server) UpsertLock

func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error

UpsertLock upserts a lock and emits a related audit event.

func (*Server) UpsertOIDCConnector

func (a *Server) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*Server) UpsertRole

func (a *Server) UpsertRole(ctx context.Context, role types.Role) error

UpsertRole creates or updates a role and emits a related audit event.

func (*Server) UpsertSAMLConnector

func (a *Server) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*Server) UpsertTrustedCluster

func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*Server) UpsertUser

func (s *Server) UpsertUser(user types.User) error

UpsertUser updates a user.

func (*Server) ValidateGithubAuthCallback

func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates the Github auth callback redirect.

func (*Server) ValidateOIDCAuthCallback

func (a *Server) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check the OIDC query parameters returned by the OIDC provider. If everything checks out, the auth server responds with an OIDCAuthResponse; otherwise it returns an error.

func (*Server) ValidateSAMLResponse

func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from the SAML identity provider.

func (*Server) ValidateToken

func (a *Server) ValidateToken(ctx context.Context, token string) (types.ProvisionToken, error)

ValidateToken takes a provisioning token value and checks whether it is valid. It returns the roles this token allows its owner to assume and the token's labels, or an error if the token cannot be found.

func (*Server) VerifyAccountRecovery

func (s *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)

VerifyAccountRecovery implements AuthService.VerifyAccountRecovery.

func (*Server) WithUserLock

func (a *Server) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes authenticateFn, which performs user authentication. If authenticateFn returns a non-nil error, the login attempt is recorded as failed. The only exception is ConnectionProblemError: in that case access is denied but the attempt is not recorded, so that backend failures cannot cause user lockouts. If the user exceeds defaults.MaxLoginAttempts, the user account is locked for defaults.AccountLockInterval.
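The lockout rule described above, written out as an added Go example. This is not Teleport's code: the Locker and Account types, the ErrConnectionProblem sentinel and the MaxLoginAttempts and AccountLockInterval values are this example's own stand-ins for the real defaults and ConnectionProblemError. The clock is injected so that lock expiry can be exercised without sleeping.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Stand-ins for defaults.MaxLoginAttempts and defaults.AccountLockInterval;
// the values are this example's own, not Teleport's.
const (
	MaxLoginAttempts    = 5
	AccountLockInterval = 20 * time.Minute
)

// ErrConnectionProblem stands in for ConnectionProblemError: the backend
// could not be reached, which says nothing about the credential presented.
var ErrConnectionProblem = errors.New("connection problem")

// Account is the per-user state the auth server would keep in its backend.
type Account struct {
	FailedAttempts int
	LockedUntil    time.Time
}

// Locker wraps authentication with failed-attempt counting and lockout.
type Locker struct {
	Now      func() time.Time // injectable clock
	accounts map[string]*Account
}

func NewLocker(now func() time.Time) *Locker {
	return &Locker{Now: now, accounts: map[string]*Account{}}
}

func (l *Locker) account(user string) *Account {
	acct, ok := l.accounts[user]
	if !ok {
		acct = &Account{}
		l.accounts[user] = acct
	}
	return acct
}

// IsLocked reports whether the user is currently inside a lock interval.
func (l *Locker) IsLocked(user string) bool {
	return l.Now().Before(l.account(user).LockedUntil)
}

// WithUserLock follows the documented rules: a locked account is denied before
// authenticateFn runs; a connection problem denies access but is not counted;
// any other error counts toward the threshold; success clears the counter.
func (l *Locker) WithUserLock(user string, authenticateFn func() error) error {
	acct := l.account(user)
	now := l.Now()
	if now.Before(acct.LockedUntil) {
		return fmt.Errorf("user %q is locked until %s", user, acct.LockedUntil.UTC().Format(time.RFC3339))
	}
	err := authenticateFn()
	if err == nil {
		acct.FailedAttempts = 0
		return nil
	}
	if errors.Is(err, ErrConnectionProblem) {
		// Deny, but do not record: a flaky backend must not lock users out.
		return err
	}
	acct.FailedAttempts++
	if acct.FailedAttempts >= MaxLoginAttempts {
		acct.LockedUntil = now.Add(AccountLockInterval)
		acct.FailedAttempts = 0 // counter starts fresh once the lock expires (this example's choice)
		return fmt.Errorf("%w: too many failed attempts, user %q locked for %s", err, user, AccountLockInterval)
	}
	return err
}

func main() {
	l := NewLocker(time.Now)
	wrong := errors.New("invalid password")
	for i := 1; i <= MaxLoginAttempts; i++ {
		fmt.Printf("attempt %d: %v\n", i, l.WithUserLock("alice", func() error { return wrong }))
	}
	fmt.Println("locked:", l.IsLocked("alice"))
}
```

Two details carry the security argument: the lock is checked before authenticateFn runs, so a locked account is denied even with the correct password, and a connection problem is returned to the caller as a denial without touching the counter, which is what separates a brute-force signal from a backend outage.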

type ServerOption

type ServerOption func(*Server) error

ServerOption allows setting options as functional arguments to Server

func WithClock

func WithClock(clock clockwork.Clock) ServerOption

WithClock is a functional server option that sets the server's clock

type ServerWithRoles

type ServerWithRoles struct {
	// contains filtered or unexported fields
}

ServerWithRoles is a wrapper around the auth service methods that focuses on authorizing every request.

func (*ServerWithRoles) AcquireSemaphore

AcquireSemaphore acquires lease with requested resources from semaphore.

func (*ServerWithRoles) ActivateCertAuthority

func (a *ServerWithRoles) ActivateCertAuthority(id types.CertAuthID) error

ActivateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) AddMFADevice

AddMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.AddMFADevice or client.Client.AddMFADevice instead.

func (*ServerWithRoles) AddMFADeviceSync

AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.

func (*ServerWithRoles) AppendDiagnosticTrace

AppendDiagnosticTrace adds a new trace for the given ConnectionDiagnostic.

func (*ServerWithRoles) AuthenticateSSHUser

func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed short-lived TLS and SSH certificates.

func (*ServerWithRoles) AuthenticateWebUser

func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session.

func (*ServerWithRoles) CancelSemaphoreLease

func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

CancelSemaphoreLease cancels semaphore lease early.

func (*ServerWithRoles) ChangePassword

func (a *ServerWithRoles) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates the user's password based on the old password.

func (*ServerWithRoles) ChangeUserAuthentication

ChangeUserAuthentication is implemented by AuthService.ChangeUserAuthentication.

func (*ServerWithRoles) CheckPassword

func (a *ServerWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*ServerWithRoles) Close

func (a *ServerWithRoles) Close() error

func (*ServerWithRoles) CloseContext

func (a *ServerWithRoles) CloseContext() context.Context

CloseContext returns a context that is closed when the auth server shuts down.

func (*ServerWithRoles) CompareAndSwapCertAuthority

func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*ServerWithRoles) CompareAndSwapUser

func (a *ServerWithRoles) CompareAndSwapUser(ctx context.Context, new, existing types.User) error

CompareAndSwapUser updates an existing user in a backend, but fails if the backend's value does not match the expected value. Captures the auth user who modified the user record.

func (*ServerWithRoles) CompleteAccountRecovery

func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.

func (*ServerWithRoles) CreateAccessRequest

func (a *ServerWithRoles) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error

func (*ServerWithRoles) CreateAccountRecoveryCodes

func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.

func (*ServerWithRoles) CreateApp

func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error

CreateApp creates a new application resource.

func (*ServerWithRoles) CreateAppSession

CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.

func (*ServerWithRoles) CreateAuditStream

func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates audit event stream

func (*ServerWithRoles) CreateAuthenticateChallenge

CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.

func (*ServerWithRoles) CreateBot

CreateBot creates a new certificate renewal bot and returns a join token.

func (*ServerWithRoles) CreateCertAuthority

func (a *ServerWithRoles) CreateCertAuthority(ca types.CertAuthority) error

CreateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) CreateConnectionDiagnostic

func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

CreateConnectionDiagnostic creates a new connection diagnostic.

func (*ServerWithRoles) CreateDatabase

func (a *ServerWithRoles) CreateDatabase(ctx context.Context, database types.Database) error

CreateDatabase creates a new database resource.

func (*ServerWithRoles) CreateGithubAuthRequest

func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)

func (*ServerWithRoles) CreateKubernetesCluster

func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*ServerWithRoles) CreateOIDCAuthRequest

func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

func (*ServerWithRoles) CreatePrivilegeToken

func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.

func (*ServerWithRoles) CreateRegisterChallenge

CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.

func (*ServerWithRoles) CreateRemoteCluster

func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error

func (*ServerWithRoles) CreateResetPasswordToken

func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

func (*ServerWithRoles) CreateRole

func (a *ServerWithRoles) CreateRole(ctx context.Context, role types.Role) error

CreateRole not implemented: can only be called locally.

func (*ServerWithRoles) CreateSAMLAuthRequest

func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

func (*ServerWithRoles) CreateSession

func (a *ServerWithRoles) CreateSession(ctx context.Context, s session.Session) error

DELETE IN 12.0.0

func (*ServerWithRoles) CreateSessionTracker

func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*ServerWithRoles) CreateSnowflakeSession

CreateSnowflakeSession creates a Snowflake web session.

func (*ServerWithRoles) CreateToken

func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error

func (*ServerWithRoles) CreateUser

func (a *ServerWithRoles) CreateUser(ctx context.Context, user types.User) error

CreateUser inserts a new user entry in a backend.

func (*ServerWithRoles) CreateWebSession

func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for the specified user

func (*ServerWithRoles) CreateWindowsDesktop

func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

CreateWindowsDesktop creates a new windows desktop host.

func (*ServerWithRoles) DeactivateCertAuthority

func (a *ServerWithRoles) DeactivateCertAuthority(id types.CertAuthID) error

DeactivateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAccessRequest

func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error

func (*ServerWithRoles) DeleteAllAppSessions

func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error

DeleteAllAppSessions removes all application web sessions.

func (*ServerWithRoles) DeleteAllApplicationServers

func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error

DeleteAllApplicationServers deletes all registered application servers.

func (*ServerWithRoles) DeleteAllApps

func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error

DeleteAllApps removes all application resources.

func (*ServerWithRoles) DeleteAllAuthServers

func (a *ServerWithRoles) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*ServerWithRoles) DeleteAllCertAuthorities

func (a *ServerWithRoles) DeleteAllCertAuthorities(caType types.CertAuthType) error

DeleteAllCertAuthorities not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllDatabaseServers

func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error

DeleteAllDatabaseServers removes all registered database proxy servers.

func (*ServerWithRoles) DeleteAllDatabases

func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error

DeleteAllDatabases removes all database resources.

func (*ServerWithRoles) DeleteAllInstallers

func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error

DeleteAllInstallers removes all installer script resources

func (*ServerWithRoles) DeleteAllKubeServices

func (a *ServerWithRoles) DeleteAllKubeServices(ctx context.Context) error

DeleteAllKubeServices deletes all registered kubernetes services.

func (*ServerWithRoles) DeleteAllKubernetesClusters

func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error

DeleteAllKubernetesClusters removes all kubernetes cluster resources.

func (*ServerWithRoles) DeleteAllKubernetesServers

func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error

DeleteAllKubernetesServers deletes all registered kubernetes servers.

func (*ServerWithRoles) DeleteAllLocks

func (a *ServerWithRoles) DeleteAllLocks(context.Context) error

DeleteAllLocks not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllNamespaces

func (a *ServerWithRoles) DeleteAllNamespaces() error

DeleteAllNamespaces not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllNodes

func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*ServerWithRoles) DeleteAllProxies

func (a *ServerWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*ServerWithRoles) DeleteAllRemoteClusters

func (a *ServerWithRoles) DeleteAllRemoteClusters() error

func (*ServerWithRoles) DeleteAllReverseTunnels

func (a *ServerWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllRoles

func (a *ServerWithRoles) DeleteAllRoles() error

DeleteAllRoles not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllSnowflakeSessions

func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error

DeleteAllSnowflakeSessions removes all Snowflake web sessions.

func (*ServerWithRoles) DeleteAllTokens

func (a *ServerWithRoles) DeleteAllTokens() error

DeleteAllTokens not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllTunnelConnections

func (a *ServerWithRoles) DeleteAllTunnelConnections() error

func (*ServerWithRoles) DeleteAllUsers

func (a *ServerWithRoles) DeleteAllUsers() error

DeleteAllUsers not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllWindowsDesktopServices

func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error

DeleteAllWindowsDesktopServices removes all registered windows desktop services.

func (*ServerWithRoles) DeleteAllWindowsDesktops

func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error

DeleteAllWindowsDesktops removes all registered windows desktop hosts.

func (*ServerWithRoles) DeleteApp

func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error

DeleteApp removes the specified application resource.

func (*ServerWithRoles) DeleteAppSession

func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error

DeleteAppSession removes an application web session.

func (*ServerWithRoles) DeleteApplicationServer

func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error

DeleteApplicationServer deletes specified application server.

func (*ServerWithRoles) DeleteAuthPreference

func (a *ServerWithRoles) DeleteAuthPreference(context.Context) error

DeleteAuthPreference not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAuthServer

func (a *ServerWithRoles) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*ServerWithRoles) DeleteBot

func (a *ServerWithRoles) DeleteBot(ctx context.Context, botName string) error

DeleteBot removes a certificate renewal bot by name.

func (*ServerWithRoles) DeleteCertAuthority

func (a *ServerWithRoles) DeleteCertAuthority(id types.CertAuthID) error

func (*ServerWithRoles) DeleteClusterAuditConfig

func (a *ServerWithRoles) DeleteClusterAuditConfig(ctx context.Context) error

DeleteClusterAuditConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteClusterName

func (a *ServerWithRoles) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*ServerWithRoles) DeleteClusterNetworkingConfig

func (a *ServerWithRoles) DeleteClusterNetworkingConfig(ctx context.Context) error

DeleteClusterNetworkingConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteDatabase

func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error

DeleteDatabase removes the specified database resource.

func (*ServerWithRoles) DeleteDatabaseServer

func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error

DeleteDatabaseServer removes the specified database proxy server.

func (*ServerWithRoles) DeleteGithubConnector

func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error

DeleteGithubConnector deletes a Github connector by name.

func (*ServerWithRoles) DeleteInstaller

func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error

DeleteInstaller removes an installer script resource

func (*ServerWithRoles) DeleteKubeService

func (a *ServerWithRoles) DeleteKubeService(ctx context.Context, name string) error

DeleteKubeService deletes a named kubernetes service.

func (*ServerWithRoles) DeleteKubernetesCluster

func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster removes the specified kubernetes cluster resource.

func (*ServerWithRoles) DeleteKubernetesServer

func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error

DeleteKubernetesServer deletes specified kubernetes server.

func (*ServerWithRoles) DeleteLock

func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error

DeleteLock deletes a lock.

func (*ServerWithRoles) DeleteMFADevice

DeleteMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.DeleteMFADevice or client.Client.DeleteMFADevice instead.

func (*ServerWithRoles) DeleteMFADeviceSync

func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error

DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.

func (*ServerWithRoles) DeleteNamespace

func (a *ServerWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*ServerWithRoles) DeleteNetworkRestrictions

func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error

DeleteNetworkRestrictions deletes the network restrictions.

func (*ServerWithRoles) DeleteNode

func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error

DeleteNode deletes node in the namespace

func (*ServerWithRoles) DeleteOIDCConnector

func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error

func (*ServerWithRoles) DeleteProxy

func (a *ServerWithRoles) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*ServerWithRoles) DeleteRemoteCluster

func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error

func (*ServerWithRoles) DeleteReverseTunnel

func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error

func (*ServerWithRoles) DeleteRole

func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes role by name

func (*ServerWithRoles) DeleteSAMLConnector

func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*ServerWithRoles) DeleteSemaphore

func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error

DeleteSemaphore deletes a semaphore matching the supplied filter.

func (*ServerWithRoles) DeleteSession

func (a *ServerWithRoles) DeleteSession(ctx context.Context, namespace string, id session.ID) error

DeleteSession removes an active session from the backend. DELETE IN 12.0.0

func (*ServerWithRoles) DeleteSessionRecordingConfig

func (a *ServerWithRoles) DeleteSessionRecordingConfig(ctx context.Context) error

DeleteSessionRecordingConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteSnowflakeSession

func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error

DeleteSnowflakeSession removes a Snowflake web session.

func (*ServerWithRoles) DeleteStaticTokens

func (a *ServerWithRoles) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*ServerWithRoles) DeleteToken

func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error

func (*ServerWithRoles) DeleteTrustedCluster

func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster deletes a trusted cluster by name.

func (*ServerWithRoles) DeleteTunnelConnection

func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*ServerWithRoles) DeleteTunnelConnections

func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error

func (*ServerWithRoles) DeleteUser

func (a *ServerWithRoles) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existing user in a backend by username.

func (*ServerWithRoles) DeleteUserAppSessions

func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error

DeleteUserAppSessions deletes all user’s application sessions.

func (*ServerWithRoles) DeleteWindowsDesktop

func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error

DeleteWindowsDesktop removes the specified Windows desktop host. Note: unlike GetWindowsDesktops, this deletes at most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.

func (*ServerWithRoles) DeleteWindowsDesktopService

func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error

DeleteWindowsDesktopService removes the specified windows desktop service.

func (*ServerWithRoles) EmitAuditEvent

func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error

EmitAuditEvent emits a single audit event

func (*ServerWithRoles) Export

Export forwards OTLP traces to the upstream collector configured in the tracing service. This lets tsh, tctl, etc. export traces without having to know how to connect to the cluster's upstream collector.

All spans received will have a `teleport.forwarded.for` attribute added to them with the value being one of two things depending on the role of the forwarder:

  1. User forwarded: `teleport.forwarded.for: alice`
  2. Instance forwarded: `teleport.forwarded.for: Proxy.clustername:Proxy,Node,Instance`

This allows upstream consumers of the spans to identify forwarded spans and act on them accordingly.

func (*ServerWithRoles) ExtendWebSession

func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous session. Additional roles are appended to initial roles if there is an approved access request. The new session expiration time will not exceed the expiration time of the old session.

func (*ServerWithRoles) GenerateAppToken

func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)

GenerateAppToken creates a JWT token with application access.

func (*ServerWithRoles) GenerateCertAuthorityCRL

func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for a CA.

func (*ServerWithRoles) GenerateDatabaseCert

GenerateDatabaseCert generates a certificate used by a database service to authenticate with the database instance.

This certificate can be requested by:

  • Cluster administrator using "tctl auth sign --format=db" command locally on the auth server to produce a certificate for configuring a self-hosted database.
  • Remote user using "tctl auth sign --format=db" command with a remote proxy (e.g. Teleport Cloud), as long as they can impersonate system role Db.
  • Database service when initiating connection to a database instance to produce a client certificate.
  • Proxy service when generating mTLS files to a database

func (*ServerWithRoles) GenerateHostCert

func (a *ServerWithRoles) GenerateHostCert(
	ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration,
) ([]byte, error)

func (*ServerWithRoles) GenerateHostCerts

func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.

func (*ServerWithRoles) GenerateSnowflakeJWT

GenerateSnowflakeJWT generates a JWT in the format Snowflake requires.

func (*ServerWithRoles) GenerateToken

func (a *ServerWithRoles) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

GenerateToken generates a multi-purpose authentication token.

func (*ServerWithRoles) GenerateUserCerts

func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

GenerateUserCerts generates user certificates.

func (*ServerWithRoles) GenerateUserSingleUseCerts

GenerateUserSingleUseCerts exists to satisfy auth.ClientI but is not implemented here.

Use auth.GRPCServer.GenerateUserSingleUseCerts or client.Client.GenerateUserSingleUseCerts instead.

func (*ServerWithRoles) GenerateWindowsDesktopCert

GenerateWindowsDesktopCert generates a certificate for Windows RDP authentication.

func (*ServerWithRoles) GetAccessCapabilities

func (*ServerWithRoles) GetAccessRequests

func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)

func (*ServerWithRoles) GetAccountRecoveryCodes

func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.

func (*ServerWithRoles) GetAccountRecoveryToken

func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)

GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.

func (*ServerWithRoles) GetActiveSessionTrackers

func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

GetActiveSessionTrackers returns a list of active session trackers.

func (*ServerWithRoles) GetActiveSessionTrackersWithFilter

func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

GetActiveSessionTrackersWithFilter returns a list of active session trackers matching the supplied filter.

func (*ServerWithRoles) GetAllTunnelConnections

func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

func (*ServerWithRoles) GetApp

func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)

GetApp returns specified application resource.

func (*ServerWithRoles) GetAppSession

GetAppSession gets an application web session.

func (*ServerWithRoles) GetAppSessions

func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error)

GetAppSessions gets all application web sessions.

func (*ServerWithRoles) GetApplicationServers

func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

GetApplicationServers returns all registered application servers.

func (*ServerWithRoles) GetApps

func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)

GetApps returns all application resources.

func (*ServerWithRoles) GetAuthPreference

func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

GetAuthPreference gets cluster auth preference.

func (*ServerWithRoles) GetAuthServers

func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)

func (*ServerWithRoles) GetBotUsers

func (a *ServerWithRoles) GetBotUsers(ctx context.Context) ([]types.User, error)

GetBotUsers fetches all users with bot labels. It does not fetch users with secrets.

func (*ServerWithRoles) GetCertAuthorities

func (a *ServerWithRoles) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

func (*ServerWithRoles) GetCertAuthority

func (a *ServerWithRoles) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

func (*ServerWithRoles) GetClusterAlerts

func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

func (*ServerWithRoles) GetClusterAuditConfig

func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*ServerWithRoles) GetClusterCACert

func (a *ServerWithRoles) GetClusterCACert(
	ctx context.Context,
) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be concatenated.

func (*ServerWithRoles) GetClusterName

func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*ServerWithRoles) GetClusterNetworkingConfig

func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*ServerWithRoles) GetConnectionDiagnostic

func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

GetConnectionDiagnostic returns the connection diagnostic with the matching name

func (*ServerWithRoles) GetCurrentUser

func (a *ServerWithRoles) GetCurrentUser(ctx context.Context) (types.User, error)

GetCurrentUser returns the current user as seen by the server. Especially useful in the context of remote clusters, which perform role and trait mapping.

func (*ServerWithRoles) GetCurrentUserRoles

func (a *ServerWithRoles) GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)

GetCurrentUserRoles returns current user's roles.

func (*ServerWithRoles) GetDatabase

func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.Database, error)

GetDatabase returns specified database resource.

func (*ServerWithRoles) GetDatabaseServers

func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

GetDatabaseServers returns all registered database servers.

func (*ServerWithRoles) GetDatabases

func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error)

GetDatabases returns all database resources.

func (*ServerWithRoles) GetDomainName

func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)

func (*ServerWithRoles) GetGithubAuthRequest

func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

GetGithubAuthRequest returns Github auth request if found.

func (*ServerWithRoles) GetGithubConnector

func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)

func (*ServerWithRoles) GetGithubConnectors

func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

func (*ServerWithRoles) GetInstaller

func (a *ServerWithRoles) GetInstaller(ctx context.Context, name string) (types.Installer, error)

GetInstaller retrieves an installer script resource

func (*ServerWithRoles) GetInstallers

func (a *ServerWithRoles) GetInstallers(ctx context.Context) ([]types.Installer, error)

GetInstallers gets all the installer resources.

func (*ServerWithRoles) GetInventoryStatus

func (*ServerWithRoles) GetKubeServices

func (a *ServerWithRoles) GetKubeServices(ctx context.Context) ([]types.Server, error)

GetKubeServices returns all Servers representing Teleport Kubernetes services. DELETE IN 12.0.0

func (*ServerWithRoles) GetKubernetesCluster

func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)

GetKubernetesCluster returns specified kubernetes cluster resource.

func (*ServerWithRoles) GetKubernetesClusters

func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)

GetKubernetesClusters returns all kubernetes cluster resources.

func (*ServerWithRoles) GetKubernetesServers

func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)

GetKubernetesServers returns all registered kubernetes servers.

func (*ServerWithRoles) GetLock

func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock, error)

GetLock gets a lock by name.

func (*ServerWithRoles) GetLocks

func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)

GetLocks gets all locks, or only in-force locks when inForceOnly is set, that match at least one of the targets when any are specified.

func (*ServerWithRoles) GetMFADevices

GetMFADevices returns a list of MFA devices.

func (*ServerWithRoles) GetNamespace

func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)

GetNamespace returns namespace by name

func (*ServerWithRoles) GetNamespaces

func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)

GetNamespaces returns a list of namespaces

func (*ServerWithRoles) GetNetworkRestrictions

func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).

func (*ServerWithRoles) GetNode

func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)

GetNode gets a node by name and namespace.

func (*ServerWithRoles) GetNodes

func (a *ServerWithRoles) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

func (*ServerWithRoles) GetOIDCAuthRequest

func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)

GetOIDCAuthRequest returns OIDC auth request if found.

func (*ServerWithRoles) GetOIDCConnector

func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)

func (*ServerWithRoles) GetOIDCConnectors

func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

func (*ServerWithRoles) GetPluginData

func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*ServerWithRoles) GetProxies

func (a *ServerWithRoles) GetProxies() ([]types.Server, error)

func (*ServerWithRoles) GetRemoteCluster

func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

func (*ServerWithRoles) GetRemoteClusters

func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

func (*ServerWithRoles) GetResetPasswordToken

func (a *ServerWithRoles) GetResetPasswordToken(ctx context.Context, tokenID string) (types.UserToken, error)

func (*ServerWithRoles) GetReverseTunnel

func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)

func (*ServerWithRoles) GetReverseTunnels

func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

func (*ServerWithRoles) GetRole

func (a *ServerWithRoles) GetRole(ctx context.Context, name string) (types.Role, error)

GetRole returns role by name

func (*ServerWithRoles) GetRoles

func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error)

GetRoles returns a list of roles

func (*ServerWithRoles) GetSAMLAuthRequest

func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

GetSAMLAuthRequest returns SAML auth request if found.

func (*ServerWithRoles) GetSAMLConnector

func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)

func (*ServerWithRoles) GetSAMLConnectors

func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

func (*ServerWithRoles) GetSSODiagnosticInfo

func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

GetSSODiagnosticInfo returns SSO diagnostic info records.

func (*ServerWithRoles) GetSemaphores

func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)

GetSemaphores returns a list of all semaphores matching the supplied filter.

func (*ServerWithRoles) GetSession

func (a *ServerWithRoles) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)

DELETE IN 12.0.0

func (*ServerWithRoles) GetSessionChunk

func (a *ServerWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*ServerWithRoles) GetSessionEvents

func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)

func (*ServerWithRoles) GetSessionRecordingConfig

func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

GetSessionRecordingConfig gets session recording configuration.

func (*ServerWithRoles) GetSessionTracker

func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

GetSessionTracker returns the current state of a session tracker for an active session.

func (*ServerWithRoles) GetSessions

func (a *ServerWithRoles) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)

DELETE IN 12.0.0

func (*ServerWithRoles) GetSnowflakeSession

GetSnowflakeSession gets a Snowflake web session.

func (*ServerWithRoles) GetSnowflakeSessions

func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)

GetSnowflakeSessions gets all Snowflake web sessions.

func (*ServerWithRoles) GetStaticTokens

func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*ServerWithRoles) GetToken

func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

func (*ServerWithRoles) GetTokens

func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)

func (*ServerWithRoles) GetTrustedCluster

func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

func (*ServerWithRoles) GetTrustedClusters

func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

func (*ServerWithRoles) GetTunnelConnections

func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

func (*ServerWithRoles) GetUser

func (a *ServerWithRoles) GetUser(name string, withSecrets bool) (types.User, error)

func (*ServerWithRoles) GetUsers

func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error)

func (*ServerWithRoles) GetWebSession

GetWebSession returns the web session specified with req. Implements auth.ReadAccessPoint.

func (*ServerWithRoles) GetWebSessionInfo

func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo returns the web session for the given user specified with sessionID. The session is stripped of any authentication details. Implements auth.WebUIService.

func (*ServerWithRoles) GetWebToken

GetWebToken returns the web token specified with req. Implements auth.ReadAccessPoint.

func (*ServerWithRoles) GetWindowsDesktopService

func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

GetWindowsDesktopService returns a registered windows desktop service by name.

func (*ServerWithRoles) GetWindowsDesktopServices

func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

GetWindowsDesktopServices returns all registered windows desktop services.

func (*ServerWithRoles) GetWindowsDesktops

func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

GetWindowsDesktops returns all registered windows desktop hosts.

func (*ServerWithRoles) IsMFARequired

func (*ServerWithRoles) KeepAliveNode

func (a *ServerWithRoles) KeepAliveNode(ctx context.Context, handle types.KeepAlive) error

DELETE IN: 5.1.0

This logic has moved to KeepAliveServer.

func (*ServerWithRoles) KeepAliveSemaphoreLease

func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

KeepAliveSemaphoreLease updates semaphore lease.

func (*ServerWithRoles) KeepAliveServer

func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.KeepAlive) error

KeepAliveServer updates expiry time of a server resource.

func (*ServerWithRoles) ListResources

ListResources returns a paginated list of resources filtered by user access.

func (*ServerWithRoles) ListWindowsDesktopServices

ListWindowsDesktopServices not implemented: can only be called locally.

func (*ServerWithRoles) ListWindowsDesktops

ListWindowsDesktops not implemented: can only be called locally.

func (*ServerWithRoles) MaintainSessionPresence

MaintainSessionPresence is coupled to the service layer and must exist here but is never actually called since it's handled by the session presence task. This is never valid to call.

func (*ServerWithRoles) NewKeepAliver

func (a *ServerWithRoles) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

NewKeepAliver not implemented: can only be called locally.

func (*ServerWithRoles) NewWatcher

func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher returns a new event watcher

func (*ServerWithRoles) Ping

Ping gets basic info about the auth server.

func (*ServerWithRoles) PingInventory

func (*ServerWithRoles) PreAuthenticatedSignIn

func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)

func (*ServerWithRoles) ProcessKubeCSR

func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes a CSR against the Kubernetes CA and returns the signed certificate on success.

func (*ServerWithRoles) RegisterInventoryControlStream

func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) error

func (*ServerWithRoles) RegisterUsingIAMMethod

func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc) (*proto.Certs, error)

RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.

See (*Server).RegisterUsingIAMMethod for further documentation.

This wrapper does not do any extra authz checks, as the register method has its own authz mechanism.

func (*ServerWithRoles) RegisterUsingToken

func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

func (*ServerWithRoles) RemoveSessionTracker

func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error

RemoveSessionTracker removes a tracker resource for an active session.

func (*ServerWithRoles) ReplaceRemoteLocks

func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error

ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.

func (*ServerWithRoles) ResetAuthPreference

func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error

ResetAuthPreference resets cluster auth preference to defaults.

func (*ServerWithRoles) ResetClusterNetworkingConfig

func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error

ResetClusterNetworkingConfig resets cluster networking configuration to defaults.

func (*ServerWithRoles) ResetSessionRecordingConfig

func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error

ResetSessionRecordingConfig resets session recording configuration to defaults.

func (*ServerWithRoles) ResumeAuditStream

func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes the stream that has been created

func (*ServerWithRoles) RotateCertAuthority

func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*ServerWithRoles) RotateExternalCertAuthority

func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates an external certificate authority. This method is called by a remote trusted cluster and updates only the public keys and certificates of the certificate authority.

func (*ServerWithRoles) SearchEvents

func (a *ServerWithRoles) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) (events []apievents.AuditEvent, lastKey string, err error)

SearchEvents allows searching audit events with pagination support.

func (*ServerWithRoles) SearchSessionEvents

func (a *ServerWithRoles) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) (events []apievents.AuditEvent, lastKey string, err error)

SearchSessionEvents allows searching session audit events with pagination support.

func (*ServerWithRoles) SetAccessRequestState

func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error

func (*ServerWithRoles) SetAuthPreference

func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error

SetAuthPreference sets cluster auth preference.

func (*ServerWithRoles) SetClusterAuditConfig

func (a *ServerWithRoles) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error

SetClusterAuditConfig not implemented: can only be called locally.

func (*ServerWithRoles) SetClusterName

func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*ServerWithRoles) SetClusterNetworkingConfig

func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error

SetClusterNetworkingConfig sets cluster networking configuration.

func (*ServerWithRoles) SetInstaller

func (a *ServerWithRoles) SetInstaller(ctx context.Context, inst types.Installer) error

SetInstaller sets an Installer script resource

func (*ServerWithRoles) SetNetworkRestrictions

func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error

SetNetworkRestrictions updates the network restrictions.

func (*ServerWithRoles) SetSessionRecordingConfig

func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error

SetSessionRecordingConfig sets session recording configuration.

func (*ServerWithRoles) SetStaticTokens

func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*ServerWithRoles) SignDatabaseCSR

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*ServerWithRoles) StartAccountRecovery

func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)

StartAccountRecovery is implemented by AuthService.StartAccountRecovery.

func (*ServerWithRoles) StreamSessionEvents

func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
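The contract above has a sharp edge for consumers: the event channel is closed on a clean end of stream but is deliberately left open after an error, so a caller that only ranges over the event channel will hang when the stream fails. The following is an added example, not code from the Teleport auth package, showing a consumer loop that honours that contract. The `sessionEvent` type and the `fakeStream` producer are constructed stand-ins for `apievents.AuditEvent` and for the real `StreamSessionEvents` call; they exist only so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// sessionEvent is a constructed stand-in for apievents.AuditEvent.
type sessionEvent struct {
	Index int64
	Type  string
}

// fakeStream is a constructed producer that mimics the documented
// StreamSessionEvents contract: events go on the first channel; if failAt >= 0
// an error is sent on the second channel after failAt events and the event
// channel is left open; otherwise the event channel is closed at the end.
func fakeStream(ctx context.Context, n int, failAt int) (chan sessionEvent, chan error) {
	events := make(chan sessionEvent)
	errs := make(chan error, 1)
	go func() {
		for i := 0; i < n; i++ {
			if i == failAt {
				errs <- errors.New("constructed upstream failure")
				return // event channel intentionally NOT closed, per the contract
			}
			select {
			case events <- sessionEvent{Index: int64(i), Type: "print"}:
			case <-ctx.Done():
				return
			}
		}
		close(events)
	}()
	return events, errs
}

// collectSessionEvents drains a stream with the documented semantics. It
// returns on the first error, when the event channel is closed, or when ctx
// ends. Selecting over both channels (plus ctx) is what prevents the hang
// that a plain `for ev := range events` would suffer after an error.
func collectSessionEvents(ctx context.Context, events <-chan sessionEvent, errs <-chan error) ([]sessionEvent, error) {
	var got []sessionEvent
	for {
		select {
		case ev, ok := <-events:
			if !ok {
				return got, nil // clean end of stream
			}
			got = append(got, ev)
		case err := <-errs:
			return got, err // partial results plus the failure
		case <-ctx.Done():
			return got, ctx.Err()
		}
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()

	events, errs := fakeStream(ctx, 5, -1)
	got, err := collectSessionEvents(ctx, events, errs)
	fmt.Printf("clean stream: %d events, err=%v\n", len(got), err)

	events, errs = fakeStream(ctx, 5, 2)
	got, err = collectSessionEvents(ctx, events, errs)
	fmt.Printf("failing stream: %d events before error, err=%v\n", len(got), err)
}
```

The context deadline in `main` is the second safety net: even a consumer that forgot the error channel would be released when `ctx` expires rather than blocking a goroutine forever.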

func (*ServerWithRoles) SubmitAccessReview

func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)

func (*ServerWithRoles) SubmitUsageEvent

func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

SubmitUsageEvent submits an external usage event.

func (*ServerWithRoles) UnstableAssertSystemRole

func (a *ServerWithRoles) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error

func (*ServerWithRoles) UpdateApp

func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error

UpdateApp updates existing application resource.

func (*ServerWithRoles) UpdateConnectionDiagnostic

func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

UpdateConnectionDiagnostic updates a connection diagnostic.

func (*ServerWithRoles) UpdateDatabase

func (a *ServerWithRoles) UpdateDatabase(ctx context.Context, database types.Database) error

UpdateDatabase updates existing database resource.

func (*ServerWithRoles) UpdateKubernetesCluster

func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

UpdateKubernetesCluster updates existing kubernetes cluster resource.

func (*ServerWithRoles) UpdatePluginData

func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error

UpdatePluginData updates a per-resource PluginData entry.

func (*ServerWithRoles) UpdatePresence

func (a *ServerWithRoles) UpdatePresence(ctx context.Context, sessionID, user string) error

UpdatePresence is coupled to the service layer and must exist here but is never actually called since it's handled by the session presence task. This is never valid to call.

func (*ServerWithRoles) UpdateRemoteCluster

func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error

func (*ServerWithRoles) UpdateSession

func (a *ServerWithRoles) UpdateSession(ctx context.Context, req session.UpdateRequest) error

DELETE IN 12.0.0

func (*ServerWithRoles) UpdateSessionTracker

func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

UpdateSessionTracker updates a tracker resource for an active session.

func (*ServerWithRoles) UpdateUser

func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) error

UpdateUser updates an existing user in a backend. Captures the auth user who modified the user record.

func (*ServerWithRoles) UpdateWindowsDesktop

func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

UpdateWindowsDesktop updates an existing windows desktop host.

func (*ServerWithRoles) UpsertAppSession

func (a *ServerWithRoles) UpsertAppSession(ctx context.Context, session types.WebSession) error

UpsertAppSession not implemented: can only be called locally.

func (*ServerWithRoles) UpsertApplicationServer

func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)

UpsertApplicationServer registers an application server.

func (*ServerWithRoles) UpsertAuthServer

func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error

func (*ServerWithRoles) UpsertCertAuthority

func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error

UpsertCertAuthority creates a new cert authority or updates the existing one.

func (*ServerWithRoles) UpsertClusterAlert

func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error

func (*ServerWithRoles) UpsertClusterName

func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error

UpsertClusterName sets the name of the cluster.

func (*ServerWithRoles) UpsertDatabaseServer

func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)

UpsertDatabaseServer creates a new database server resource or updates the existing one.

func (*ServerWithRoles) UpsertGithubConnector

func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector.

func (*ServerWithRoles) UpsertKubeService

func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server) error

UpsertKubeService creates or updates a Server representing a teleport kubernetes service.

func (*ServerWithRoles) UpsertKubeServiceV2

func (a *ServerWithRoles) UpsertKubeServiceV2(ctx context.Context, s types.Server) (*types.KeepAlive, error)

UpsertKubeServiceV2 creates or updates a Server representing a teleport kubernetes service.

func (*ServerWithRoles) UpsertKubernetesServer

func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)

UpsertKubernetesServer creates or updates a Server representing a teleport kubernetes server.

func (*ServerWithRoles) UpsertLock

func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error

UpsertLock upserts a lock.

func (*ServerWithRoles) UpsertNamespace

func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error

UpsertNamespace upserts namespace

func (*ServerWithRoles) UpsertNode

func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)

func (*ServerWithRoles) UpsertOIDCConnector

func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*ServerWithRoles) UpsertProxy

func (a *ServerWithRoles) UpsertProxy(s types.Server) error

func (*ServerWithRoles) UpsertReverseTunnel

func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error

func (*ServerWithRoles) UpsertRole

func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) error

UpsertRole creates or updates role.

func (*ServerWithRoles) UpsertSAMLConnector

func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*ServerWithRoles) UpsertSnowflakeSession

func (a *ServerWithRoles) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error

UpsertSnowflakeSession not implemented: can only be called locally.

func (*ServerWithRoles) UpsertToken

func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error

func (*ServerWithRoles) UpsertTrustedCluster

func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedCluster creates or updates a trusted cluster.

func (*ServerWithRoles) UpsertTunnelConnection

func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error

func (*ServerWithRoles) UpsertUser

func (a *ServerWithRoles) UpsertUser(u types.User) error

func (*ServerWithRoles) UpsertWindowsDesktop

func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

UpsertWindowsDesktop updates a windows desktop resource, creating it if it doesn't exist.

func (*ServerWithRoles) UpsertWindowsDesktopService

func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)

UpsertWindowsDesktopService creates a new windows desktop service or updates the existing one.

func (*ServerWithRoles) ValidateGithubAuthCallback

func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

func (*ServerWithRoles) ValidateOIDCAuthCallback

func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

func (*ServerWithRoles) ValidateSAMLResponse

func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates SAML auth response.

func (*ServerWithRoles) ValidateTrustedCluster

func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*ServerWithRoles) VerifyAccountRecovery

func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)

VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.

func (*ServerWithRoles) WebSessions

func (a *ServerWithRoles) WebSessions() types.WebSessionInterface

WebSessions returns the web session manager. Implements services.WebSessionsGetter.

func (*ServerWithRoles) WebTokens

func (a *ServerWithRoles) WebTokens() types.WebTokenInterface

WebTokens returns the web token manager. Implements services.WebTokensGetter.

type Services

func (*Services) GetWebSession

func (r *Services) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns existing web session described by req. Implements ReadAccessPoint

func (*Services) GetWebToken

func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns existing web token described by req. Implements ReadAccessPoint

type SessionAccessContext

type SessionAccessContext struct {
	Username string
	Roles    []types.Role
	Mode     types.SessionParticipantMode
}

SessionAccessContext is the context that must be provided per participant in the session.

func (*SessionAccessContext) GetIdentifier

func (ctx *SessionAccessContext) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier is used by the `predicate` library to evaluate variable expressions when evaluating policy filters. It deals with evaluating strings like `participant.name` to the appropriate value.

func (*SessionAccessContext) GetResource

func (ctx *SessionAccessContext) GetResource() (types.Resource, error)

type SessionAccessEvaluator

type SessionAccessEvaluator struct {
	// contains filtered or unexported fields
}

SessionAccessEvaluator takes a set of policies and uses rules to evaluate them to determine when a session may start and if a user can join a session.

The current implementation is deliberately simple and uses a brute-force algorithm. More efficient implementations that run in better than roughly O(n^2) time are possible, but they require complex code that is harder to debug when policies are misconfigured or other errors occur, and harder to follow intuitively. In practice the number of roles and sessions is small enough that this has no meaningful impact.

func NewSessionAccessEvaluator

func NewSessionAccessEvaluator(policySets []*types.SessionTrackerPolicySet, kind types.SessionKind, owner string) SessionAccessEvaluator

NewSessionAccessEvaluator creates a new session access evaluator for a given session kind and a set of roles attached to the host user.

func (*SessionAccessEvaluator) CanJoin

CanJoin returns the modes a user has access to join a session with. If the list is empty, the user doesn't have access to join the session at all.

func (*SessionAccessEvaluator) FulfilledFor

func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)

FulfilledFor checks if a given session may run with a list of participants.

func (*SessionAccessEvaluator) IsModerated

func (e *SessionAccessEvaluator) IsModerated() bool

IsModerated returns true if the session needs moderation.

func (*SessionAccessEvaluator) PrettyRequirementsList

func (e *SessionAccessEvaluator) PrettyRequirementsList() string

PrettyRequirementsList generates a pretty-printed string of the precise requirements for session start, suitable for display to the user.
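A simplified model of the brute-force evaluation described above, added here as an example rather than taken from Teleport: each require policy is checked against every participant, and a participant counts only when both its roles and its join mode satisfy the policy. The Mode constants, the RequirePolicy shape and the function-valued Filter (standing in for the predicate-language filter that GetIdentifier serves) are assumptions of this example, and FulfilledFor returns the name of the first unmet policy instead of Teleport's PolicyOptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Everything in this file is a simplified model of the evaluator described
// above, written for this example; it is not Teleport's policy grammar.

// Mode mirrors types.SessionParticipantMode.
type Mode string

const (
	ModePeer      Mode = "peer"
	ModeModerator Mode = "moderator"
	ModeObserver  Mode = "observer"
)

// Participant is a cut-down SessionAccessContext.
type Participant struct {
	Username string
	Roles    []string
	Mode     Mode
}

// RequirePolicy says that Count participants accepted by Filter, joined in
// one of Modes, must be present before the session may run. Filter stands
// in for the predicate-language filter evaluated through GetIdentifier.
type RequirePolicy struct {
	Name   string
	Filter func(Participant) bool
	Count  int
	Modes  []Mode
}

// Evaluator holds the require policies attached to the owner's roles for
// one session kind.
type Evaluator struct {
	kind    string
	require []RequirePolicy
}

func NewEvaluator(kind string, require []RequirePolicy) *Evaluator {
	return &Evaluator{kind: kind, require: require}
}

func contains[T comparable](xs []T, x T) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// hasRole builds a filter equivalent to `contains(participant.roles, role)`.
func hasRole(role string) func(Participant) bool {
	return func(p Participant) bool { return contains(p.Roles, role) }
}

// IsModerated reports whether the session needs anyone besides the owner.
func (e *Evaluator) IsModerated() bool { return len(e.require) > 0 }

// FulfilledFor brute-forces every policy against every participant
// (O(policies x participants)) and reports whether the session may run;
// when it may not, it names the first unmet policy. A participant counts
// only if both the filter and the mode match: an auditor watching as an
// observer does not satisfy a moderator requirement.
func (e *Evaluator) FulfilledFor(participants []Participant) (bool, string) {
	for _, p := range e.require {
		matched := 0
		for _, part := range participants {
			if p.Filter(part) && contains(p.Modes, part.Mode) {
				matched++
			}
		}
		if matched < p.Count {
			return false, p.Name
		}
	}
	return true, ""
}

// PrettyRequirementsList renders the start requirements for the owner.
func (e *Evaluator) PrettyRequirementsList() string {
	lines := []string{fmt.Sprintf("%s session requires:", e.kind)}
	for _, p := range e.require {
		lines = append(lines, fmt.Sprintf("  %s: %d participant(s) joined as one of %v", p.Name, p.Count, p.Modes))
	}
	return strings.Join(lines, "\n")
}

func main() {
	ev := NewEvaluator("ssh", []RequirePolicy{
		{Name: "one auditor", Filter: hasRole("auditor"), Count: 1, Modes: []Mode{ModeModerator}},
	})
	fmt.Println(ev.PrettyRequirementsList())
	owner := Participant{Username: "alice", Roles: []string{"dev"}, Mode: ModePeer}
	auditor := Participant{Username: "bob", Roles: []string{"auditor"}, Mode: ModeModerator}
	fmt.Println(ev.FulfilledFor([]Participant{owner}))          // false one auditor
	fmt.Println(ev.FulfilledFor([]Participant{owner, auditor})) // true
}
```

The mode check is the part worth keeping in mind when writing policies: a required moderator who joins in observer mode is counted as absent, which is the behaviour you want, since an observer cannot intervene in the session.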

type SessionCreds

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds holds web session credentials.

type SnowflakeSessionWatcher

type SnowflakeSessionWatcher interface {
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetSnowflakeSession gets a Snowflake web session for a given request.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
}

SnowflakeSessionWatcher is the watcher interface used by the Snowflake web session watcher.

type StateSpecV2

type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation types.Rotation `json:"rotation"`
}

StateSpecV2 is a state spec.

type StateV2

type StateV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}

StateV2 is a local process state.

func (*StateV2) CheckAndSetDefaults

func (s *StateV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type TLSServer

type TLSServer struct {
	// contains filtered or unexported fields
}

TLSServer is the TLS auth server.

func NewTLSServer

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns a new, unstarted TLS server.

func (*TLSServer) Close

func (t *TLSServer) Close() error

Close closes the TLS server non-gracefully: in-flight connections are terminated.

func (*TLSServer) GetConfigForClient

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is called by crypto/tls on every new connection; the server's implementation reloads the list of trusted local and remote certificate authorities on each call, so CAs added, removed or rotated since the server started are enforced without a restart.
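The per-connection reload mechanism described above, as an added example built on the standard library only (it is not Teleport's code): a mutual-TLS server whose GetConfigForClient rebuilds the client-CA pool from a mutable store on every handshake. The caStore type, the mint certificate helper, the loopback handshake function and the "auth"/"cluster-b" names are all assumptions of this example. The demo shows a client from a CA that is not yet trusted being rejected, then accepted by the very same config once its CA is added, with nothing rebuilt or restarted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

// caStore stands in for the auth server's cache of trusted certificate
// authorities. It and the helpers below are hypothetical, not Teleport code.
type caStore struct {
	mu  sync.RWMutex
	cas []*x509.Certificate
}

// Trust adds a CA; handshakes that start after this call will honour it.
func (s *caStore) Trust(ca *x509.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.cas = append(s.cas, ca)
}

// Pool builds a fresh client-CA pool from the current set.
func (s *caStore) Pool() *x509.CertPool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	pool := x509.NewCertPool()
	for _, ca := range s.cas {
		pool.AddCert(ca)
	}
	return pool
}

// serverConfig returns a config whose GetConfigForClient runs on every
// handshake and rebuilds ClientCAs from the store, so a CA trusted (or
// dropped) after the listener started is enforced without a restart.
func serverConfig(store *caStore, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	serverCert := tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
	return &tls.Config{
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			return &tls.Config{
				Certificates: []tls.Certificate{serverCert},
				ClientAuth:   tls.RequireAndVerifyClientCert,
				ClientCAs:    store.Pool(), // rebuilt for this connection
				MinVersion:   tls.VersionTLS12,
			}, nil
		},
	}
}

// mint issues a self-signed CA when parent is nil, otherwise a leaf for cn
// (also its DNS name) signed by parent, with the given extended key usage.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, usage x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one mutual-TLS handshake over loopback and returns the
// server-side result, which is where client-CA trust is enforced.
func handshake(srvCfg *tls.Config, serverCA, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(conn, srvCfg).Handshake()
		}
		errc <- err
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "auth", MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}},
	})
	if err == nil {
		cli.Close()
	}
	return <-errc
}

// demo runs the scenario: a node whose CA is not yet trusted is rejected;
// after Trust, the same config, never rebuilt, accepts it.
func demo() (beforeTrust, afterTrust error) {
	authCA, authKey := mint("auth-ca", nil, nil, x509.ExtKeyUsageAny)
	srvCert, srvKey := mint("auth", authCA, authKey, x509.ExtKeyUsageServerAuth)
	store := &caStore{}
	cfg := serverConfig(store, srvCert, srvKey)
	remoteCA, remoteKey := mint("cluster-b", nil, nil, x509.ExtKeyUsageAny)
	nodeCert, nodeKey := mint("node", remoteCA, remoteKey, x509.ExtKeyUsageClientAuth)
	beforeTrust = handshake(cfg, authCA, nodeCert, nodeKey)
	store.Trust(remoteCA)
	afterTrust = handshake(cfg, authCA, nodeCert, nodeKey)
	return beforeTrust, afterTrust
}

func main() {
	before, after := demo()
	fmt.Println("before trust:", before, "| after trust:", after)
}
```

Two details matter for a real deployment: the pool is rebuilt from the store rather than mutated in place, so a handshake already in progress keeps the pool it started with, and the store is read under a lock because GetConfigForClient runs concurrently for every accepted connection. The same hook is what lets a revoked or rotated CA stop being honoured immediately; with a static ClientCAs the old pool would live until the process restarted.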

func (*TLSServer) Serve

func (t *TLSServer) Serve() error

Serve starts the gRPC and HTTP/1.1 services on the mux listener.

func (*TLSServer) Shutdown

func (t *TLSServer) Shutdown(ctx context.Context) error

Shutdown shuts down the TLS server.

type TLSServerConfig

type TLSServerConfig struct {
	// Listener is a listener to bind to
	Listener net.Listener
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.Config
	// AccessPoint is a caching access point
	AccessPoint AccessCache
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
	// ID is an optional debugging ID
	ID string
	// Metrics are optional TLSServer metrics
	Metrics *Metrics
}

TLSServerConfig is the configuration for the TLS server.

func (*TLSServerConfig) CheckAndSetDefaults

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *Server
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionServer is a session service
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
	// LockWatcher is a lock watcher used in tests.
	LockWatcher *services.LockWatcher
}

TestAuthServer is an auth server backed by the local filesystem that uses a test certificate authority whose key generation is sped up by reusing the same private key (a shortcut that is acceptable only in tests).

func NewTestAuthServer

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns a new TestAuthServer instance.

func (*TestAuthServer) Clock

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns the clock used by the auth server.

func (*TestAuthServer) Close

func (a *TestAuthServer) Close() error

func (*TestAuthServer) GenerateUserCert

func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*TestAuthServer) NewCertificate

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by the test auth server.

func (*TestAuthServer) NewRemoteClient

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates a new client to the remote server, using an identity generated by this server's certificate authority.

func (*TestAuthServer) NewTestTLSServer

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns a new test TLS server.

func (*TestAuthServer) Trust

func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error

Trust adds the other server's host certificate authority as trusted, mapping its roles through roleMap.

type TestAuthServerConfig

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
	// ClusterNetworkingConfig allows a test to change the default
	// networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// Streamer allows a test to set its own audit events streamer.
	Streamer events.Streamer
	// AuditLog allows a test to configure its own audit log.
	AuditLog events.IAuditLog
	// TraceClient allows a test to configure the trace client
	TraceClient otlptrace.Client
	// AuthPreferenceSpec is custom initial AuthPreference spec for the test.
	AuthPreferenceSpec *types.AuthPreferenceSpecV2
}

TestAuthServerConfig is the configuration for the test auth server.

func (*TestAuthServerConfig) CheckAndSetDefaults

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestDevice

type TestDevice struct {
	MFA        *types.MFADevice
	TOTPSecret string
	Key        *mocku2f.Key
	// contains filtered or unexported fields
}

TestDevice is a test MFA device.

func RegisterTestDevice

func RegisterTestDevice(
	ctx context.Context, clt authClient, devName string, devType proto.DeviceType, authenticator *TestDevice, opts ...TestDeviceOpt) (*TestDevice, error)

RegisterTestDevice creates and registers a TestDevice. TOTP devices require a clock option.

func (*TestDevice) Origin

func (d *TestDevice) Origin() string

func (*TestDevice) SolveAuthn

type TestDeviceOpt

type TestDeviceOpt func(d *TestDevice)

TestDeviceOpt is a creation option for TestDevice.

func WithPasswordless

func WithPasswordless() TestDeviceOpt

func WithTestDeviceClock

func WithTestDeviceClock(clock clockwork.Clock) TestDeviceOpt

type TestIdentity

type TestIdentity struct {
	I              interface{}
	TTL            time.Duration
	AcceptedUsage  []string
	RouteToCluster string
	Renewable      bool
	Generation     uint64
}

TestIdentity is a test identity spec used to generate identities in tests.

func TestAdmin

func TestAdmin() TestIdentity

TestAdmin returns a TestIdentity for the admin user.

func TestBuiltin

func TestBuiltin(role types.SystemRole) TestIdentity

TestBuiltin returns a TestIdentity for a builtin system role.

func TestNop

func TestNop() TestIdentity

TestNop returns the "Nop" identity, i.e. an unauthenticated identity.

func TestRemoteBuiltin

func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity

TestRemoteBuiltin returns TestIdentity for a remote builtin role.

func TestRenewableUser

func TestRenewableUser(username string, generation uint64) TestIdentity

TestRenewableUser returns a TestIdentity for a local user with renewable credentials at the given generation.

func TestServerID

func TestServerID(role types.SystemRole, serverID string) TestIdentity

TestServerID returns a TestIdentity for a node with the passed in serverID.

func TestUser

func TestUser(username string) TestIdentity

TestUser returns a TestIdentity for a local user.

type TestServer

type TestServer struct {
	TLS        *TestTLSServer
	AuthServer *TestAuthServer
}

TestServer defines the set of server components for a test

func NewTestServer

func NewTestServer(cfg TestServerConfig) (*TestServer, error)

NewTestServer creates a new test server from the given configuration.

func (*TestServer) Auth

func (a *TestServer) Auth() *Server

Auth returns the underlying auth server instance

func (*TestServer) ClusterName

func (a *TestServer) ClusterName() string

func (*TestServer) NewClient

func (a *TestServer) NewClient(identity TestIdentity) (*Client, error)

func (*TestServer) Shutdown

func (a *TestServer) Shutdown(ctx context.Context) error

Shutdown stops this server instance gracefully

type TestServerConfig

type TestServerConfig struct {
	// Auth specifies the auth server configuration
	Auth TestAuthServerConfig
	// TLS optionally specifies the configuration for the TLS server.
	// If unspecified, will be generated automatically
	TLS *TestTLSServerConfig
}

TestServerConfig defines the configuration for all server components

type TestTLSServer

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns a new test TLS server that is already started and listening on the 127.0.0.1 loopback address on an available port.

func (*TestTLSServer) Addr

func (t *TestTLSServer) Addr() net.Addr

Addr returns the address of the TLS server.

func (*TestTLSServer) Auth

func (t *TestTLSServer) Auth() *Server

Auth returns the auth server used by this TLS server.

func (*TestTLSServer) CertPool

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns the certificate pool for the CA that this auth server represents.

func (*TestTLSServer) ClientTLSConfig

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns a client TLS config for the given identity.

func (*TestTLSServer) Clock

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns the clock used by the auth server.

func (*TestTLSServer) CloneClient

func (t *TestTLSServer) CloneClient(clt *Client) *Client

CloneClient uses the same credentials as the passed client but forces the client to be recreated

func (*TestTLSServer) Close

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName

func (t *TestTLSServer) ClusterName() string

ClusterName returns the name of the test TLS server's cluster.

func (*TestTLSServer) NewClient

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns a new client to the test server, authenticated with the given identity.

func (*TestTLSServer) NewClientFromWebSession

func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)

NewClientFromWebSession returns a new client authenticated with the given web session.

func (*TestTLSServer) NewClientWithCert

func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client

NewClientWithCert creates a new client using the given certificate and private key.

func (*TestTLSServer) Shutdown

func (t *TestTLSServer) Shutdown(ctx context.Context) error

Shutdown closes the listener and HTTP server gracefully

func (*TestTLSServer) Start

func (t *TestTLSServer) Start() error

Start starts the TLS server on the loopback address, on the first listening socket.

func (*TestTLSServer) Stop

func (t *TestTLSServer) Stop() error

Stop stops the listening server but does not close the auth backend.

type TestTLSServerConfig

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.Config
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}

TestTLSServerConfig is the configuration for the test TLS server.

func (*TestTLSServerConfig) CheckAndSetDefaults

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authority
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains the trusted host and TLS certificate authority keys of a cluster. It preserves backwards compatibility on the wire, which is the primary reason the JSON tags do not match the field names.

func AuthoritiesToTrustedCerts

func AuthoritiesToTrustedCerts(authorities []types.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes certificate authorities into the TrustedCerts data structure.

func (*TrustedCerts) SSHCertPublicKeys

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys
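The wire structure above, decoded and validated end to end, as an added example that is not Teleport's code. The TrustedCerts struct is copied from the page, tags included, so the JSON produced by encoding/json is the legacy format (`domain_name`, `checking_keys`, `tls_certs`, with each []byte base64-encoded). Teleport parses `checking_keys` with golang.org/x/crypto/ssh; this example substitutes a minimal parser that checks only the authorized_keys framing and that the declared key type matches the type inside the SSH wire blob, so it runs offline. It assumes `tls_certs` entries are PEM, and the sample document (one ed25519 host CA key, one self-signed TLS CA for "cluster-b") is constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustedCerts mirrors the wire structure above, legacy JSON tags included.
type TrustedCerts struct {
	ClusterName      string   `json:"domain_name"`
	HostCertificates [][]byte `json:"checking_keys"`
	TLSCertificates  [][]byte `json:"tls_certs"`
}

// SSHKey is one parsed authorized_keys entry: declared type and wire blob.
type SSHKey struct {
	Type string
	Blob []byte
}

// ParsedTrust is the validated content of one TrustedCerts document.
type ParsedTrust struct {
	ClusterName string
	HostKeys    []SSHKey
	TLSCAs      []*x509.Certificate
}

// parseAuthorizedKey parses "<type> <base64> [comment]" and, as
// golang.org/x/crypto/ssh.ParseAuthorizedKey does, rejects a line whose
// declared type differs from the type embedded in the blob. (Assumed
// minimal parser: it does not validate the key material itself.)
func parseAuthorizedKey(line []byte) (SSHKey, error) {
	fields := strings.Fields(string(line))
	if len(fields) < 2 {
		return SSHKey{}, errors.New("malformed authorized_keys line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return SSHKey{}, err
	}
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob))+4 > uint64(len(blob)) {
		return SSHKey{}, errors.New("truncated key blob")
	}
	if typ := string(blob[4 : 4+binary.BigEndian.Uint32(blob)]); typ != fields[0] {
		return SSHKey{}, fmt.Errorf("declared type %q but blob carries %q", fields[0], typ)
	}
	return SSHKey{Type: fields[0], Blob: blob}, nil
}

// parseTrustedCerts decodes the JSON form and validates both key sets. Every
// checking key must parse and every tls_certs entry (assumed PEM) must be a
// CA certificate; any failure rejects the whole document, since a
// half-imported trust set is worse than none.
func parseTrustedCerts(raw []byte) (ParsedTrust, error) {
	var tc TrustedCerts
	if err := json.Unmarshal(raw, &tc); err != nil {
		return ParsedTrust{}, err
	}
	out := ParsedTrust{ClusterName: tc.ClusterName}
	for _, k := range tc.HostCertificates {
		key, err := parseAuthorizedKey(k)
		if err != nil {
			return ParsedTrust{}, fmt.Errorf("%s: checking_keys: %w", tc.ClusterName, err)
		}
		out.HostKeys = append(out.HostKeys, key)
	}
	for _, p := range tc.TLSCertificates {
		block, _ := pem.Decode(p)
		if block == nil || block.Type != "CERTIFICATE" {
			return ParsedTrust{}, fmt.Errorf("%s: tls_certs entry is not a PEM certificate", tc.ClusterName)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return ParsedTrust{}, err
		}
		if !cert.IsCA {
			return ParsedTrust{}, fmt.Errorf("%s: %q is not a CA", tc.ClusterName, cert.Subject.CommonName)
		}
		out.TLSCAs = append(out.TLSCAs, cert)
	}
	return out, nil
}

// sampleTrustedCerts builds a constructed document for clusterName: one
// ed25519 host CA key and one self-signed TLS CA. With mismatch set, the SSH
// line declares a type its blob does not carry.
func sampleTrustedCerts(clusterName string, mismatch bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// SSH wire encoding of an ed25519 key: string "ssh-ed25519", string key.
	blob := append([]byte("\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"), pub...)
	declared := "ssh-ed25519"
	if mismatch {
		declared = "ssh-rsa"
	}
	line := declared + " " + base64.StdEncoding.EncodeToString(blob) + " " + clusterName
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: clusterName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	raw, _ := json.Marshal(TrustedCerts{
		ClusterName:      clusterName,
		HostCertificates: [][]byte{[]byte(line)},
		TLSCertificates:  [][]byte{pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})},
	})
	return raw
}
```

The CA check on `tls_certs` is the one a reviewer should insist on when this structure arrives from another cluster: a leaf certificate smuggled into the list would otherwise be added to a trust pool and silently ignored, or worse, honoured by a lenient verifier.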

type ValidateTrustedClusterRequest

type ValidateTrustedClusterRequest struct {
	Token           string                `json:"token"`
	CAs             []types.CertAuthority `json:"certificate_authorities"`
	TeleportVersion string                `json:"teleport_version"`
}

func (*ValidateTrustedClusterRequest) ToRaw

type ValidateTrustedClusterRequestRaw

type ValidateTrustedClusterRequestRaw struct {
	Token           string   `json:"token"`
	CAs             [][]byte `json:"certificate_authorities"`
	TeleportVersion string   `json:"teleport_version"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative

type ValidateTrustedClusterResponse

type ValidateTrustedClusterResponse struct {
	CAs []types.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw

type ValidateTrustedClusterResponseRaw

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative

type WebService

type WebService interface {
	// GetWebSessionInfo checks if a web session is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

	// AppSession defines application session features.
	services.AppSession
	// SnowflakeSession defines Snowflake session features.
	services.SnowflakeSession
}

WebService implements features used by Web UI clients

type WebSessionReq

type WebSessionReq struct {
	// User is the user name associated with the session id.
	User string `json:"user"`
	// PrevSessionID is the id of current session.
	PrevSessionID string `json:"prev_session_id"`
	// AccessRequestID is an optional field that holds the id of an approved access request.
	AccessRequestID string `json:"access_request_id"`
	// Switchback is a flag to indicate if user is wanting to switchback from an assumed role
	// back to their default role.
	Switchback bool `json:"switchback"`
	// ReloadUser is a flag to indicate if user needs to be refetched from the backend
	// to apply new user changes e.g. user traits were updated.
	ReloadUser bool `json:"reload_user"`
}

type WindowsDesktopAccessPoint

type WindowsDesktopAccessPoint interface {
	// ReadWindowsDesktopAccessPoint provides methods to read data
	ReadWindowsDesktopAccessPoint
	// contains filtered or unexported methods
}

WindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.

type WindowsDesktopWrapper

type WindowsDesktopWrapper struct {
	ReadWindowsDesktopAccessPoint

	NoCache WindowsDesktopAccessPoint
	// contains filtered or unexported fields
}

func (*WindowsDesktopWrapper) Close

func (w *WindowsDesktopWrapper) Close() error

Close closes all associated resources

type WrapIdentity

type WrapIdentity tlsca.Identity

WrapIdentity wraps a tlsca.Identity so that it satisfies an identity getter interface.

func (WrapIdentity) GetIdentity

func (i WrapIdentity) GetIdentity() tlsca.Identity

GetIdentity returns the wrapped identity.

Directories

Path Synopsis
Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
Package test contains the CA authority acceptance test suite.
Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
Package webauthn implements server-side support for the Web Authentication specification.
Package webauthncli provides the client-side implementation for WebAuthn.
Package webauthnwin is a wrapper around the Windows webauthn API.
