Documentation ¶
Overview ¶
Copyright 2021 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Package auth implements a certificate signing authority and access control server. The Authority server is composed of several parts:

- the Authority server itself, which implements the signing and ACL logic
- an HTTP server wrapper for the Authority server
- an HTTP client wrapper
Package auth implements a certificate signing authority and access control server. The Authority server is composed of several parts:

- the Authority server itself, which implements the signing and ACL logic
- an HTTP server wrapper for the Authority server
- an HTTP client wrapper
Index ¶
- Constants
- Variables
- func BotResourceName(botName string) string
- func CertAuthorityInfo(ca types.CertAuthority) string
- func CertInfo(cert *x509.Certificate) string
- func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)
- func ClientImpersonator(ctx context.Context) string
- func ClientTimeout(timeout time.Duration) roundtrip.ClientParam
- func ClientUserMetadata(ctx context.Context) apievents.UserMetadata
- func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata
- func ClientUsername(ctx context.Context) string
- func ContainsSessionKind(s []string, e types.SessionKind) bool
- func CreateAccessPluginUser(ctx context.Context, clt clt, username string) (types.User, error)
- func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV5) (types.Role, error)
- func CreateUser(clt clt, username string, roles ...types.Role) (types.User, error)
- func CreateUserAndRole(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
- func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
- func CreateUserRoleAndRequestable(clt clt, username string, rolename string) (types.User, error)
- func DefaultClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, int64, error)
- func DefaultDNSNamesForRole(role types.SystemRole) []string
- func ExtractHostID(hostName string, clusterName string) (string, error)
- func GetClientUsername(ctx context.Context) (string, error)
- func HasBuiltinRole(authContext Context, name string) bool
- func HasRemoteBuiltinRole(authContext Context, name string) bool
- func HasV5Role(roles []types.Role) bool
- func HostFQDN(hostUUID, clusterName string) string
- func IsInvalidLocalCredentialError(err error) bool
- func NewAPIServer(config *APIConfig) (http.Handler, error)
- func ParseSAMLInResponseTo(response string) (string, error)
- func PrivateKeyToPublicKeyTLS(privateKey []byte) (tlsPublicKey []byte, err error)
- func Register(params RegisterParams) (*proto.Certs, error)
- func RoleSetForBuiltinRoles(clusterName string, recConfig types.SessionRecordingConfig, ...) (services.RoleSet, error)
- func SliceContainsMode(s []types.SessionParticipantMode, e types.SessionParticipantMode) bool
- func TLSCertInfo(cert *tls.Certificate) string
- func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error
- func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error
- func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, ...) func(*tls.ClientHelloInfo) (*tls.Config, error)
- type APIClient
- type APIConfig
- type APIServer
- type AccessCache
- type Announcer
- type AppTestCertRequest
- type AppsAccessPoint
- type AppsWrapper
- type AuthenticateSSHRequest
- type AuthenticateUserRequest
- type Authorizer
- type AuthorizerAccessPoint
- type BuiltinRole
- type Cache
- type CertAuthorityMap
- type Client
- func (c *Client) ActivateCertAuthority(id types.CertAuthID) error
- func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
- func (c *Client) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (c *Client) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (c *Client) ChangePassword(req services.ChangePasswordReq) error
- func (c *Client) CheckPassword(user string, password []byte, otpToken string) error
- func (c *Client) Close() error
- func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
- func (c *Client) CompareAndSwapUser(ctx context.Context, new, expected types.User) error
- func (c *Client) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
- func (c *Client) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
- func (c *Client) CreateCertAuthority(ca types.CertAuthority) error
- func (c *Client) CreateRemoteCluster(rc types.RemoteCluster) error
- func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (c *Client) CreateRole(ctx context.Context, role types.Role) error
- func (c *Client) CreateSession(ctx context.Context, sess session.Session) error
- func (c *Client) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error
- func (c *Client) Delete(ctx context.Context, u string) (*roundtrip.Response, error)
- func (c *Client) DeleteAllAuthServers() error
- func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error
- func (c *Client) DeleteAllLocks(context.Context) error
- func (c *Client) DeleteAllNamespaces() error
- func (c *Client) DeleteAllProxies() error
- func (c *Client) DeleteAllRemoteClusters() error
- func (c *Client) DeleteAllReverseTunnels() error
- func (c *Client) DeleteAllRoles() error
- func (c *Client) DeleteAllTokens() error
- func (c *Client) DeleteAllTunnelConnections() error
- func (c *Client) DeleteAllUsers() error
- func (c *Client) DeleteAuthPreference(context.Context) error
- func (c *Client) DeleteAuthServer(name string) error
- func (c *Client) DeleteBot(ctx context.Context, botName string) error
- func (c *Client) DeleteCertAuthority(id types.CertAuthID) error
- func (c *Client) DeleteClusterAuditConfig(ctx context.Context) error
- func (c *Client) DeleteClusterName() error
- func (c *Client) DeleteClusterNetworkingConfig(ctx context.Context) error
- func (c *Client) DeleteNamespace(name string) error
- func (c *Client) DeleteProxy(name string) error
- func (c *Client) DeleteRemoteCluster(clusterName string) error
- func (c *Client) DeleteReverseTunnel(domainName string) error
- func (c *Client) DeleteSession(ctx context.Context, namespace string, id session.ID) error
- func (c *Client) DeleteSessionRecordingConfig(ctx context.Context) error
- func (c *Client) DeleteStaticTokens() error
- func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error
- func (c *Client) DeleteTunnelConnections(clusterName string) error
- func (c *Client) DeleteWebSession(ctx context.Context, user string, sid string) error
- func (c *Client) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
- func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (c *Client) GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, ...) ([]byte, error)
- func (c *Client) Get(ctx context.Context, u string, params url.Values) (*roundtrip.Response, error)
- func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (c *Client) GetAuthServers() ([]types.Server, error)
- func (c *Client) GetBotUsers(ctx context.Context) ([]types.User, error)
- func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, ...) ([]types.CertAuthority, error)
- func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, ...) (types.CertAuthority, error)
- func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
- func (c *Client) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
- func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
- func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
- func (c *Client) GetNamespace(name string) (*types.Namespace, error)
- func (c *Client) GetNamespaces() ([]types.Namespace, error)
- func (c *Client) GetProxies() ([]types.Server, error)
- func (c *Client) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
- func (c *Client) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
- func (c *Client) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)
- func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)
- func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
- func (c *Client) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)
- func (c *Client) GetStaticTokens() (types.StaticTokens, error)
- func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
- func (c *Client) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (c *Client) KeepAliveNode(ctx context.Context, keepAlive types.KeepAlive) error
- func (c *Client) KeepAliveServer(ctx context.Context, keepAlive types.KeepAlive) error
- func (c *Client) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
- func (c *Client) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
- func (c *Client) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
- func (c *Client) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (c *Client) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
- func (c *Client) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (c *Client) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (c *Client) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, ...) ([]apievents.AuditEvent, string, error)
- func (c *Client) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, ...) ([]apievents.AuditEvent, string, error)
- func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
- func (c *Client) SetClusterName(cn types.ClusterName) error
- func (c *Client) SetStaticTokens(st types.StaticTokens) error
- func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
- func (c *Client) UpdatePresence(ctx context.Context, sessionID, user string) error
- func (c *Client) UpdateSession(ctx context.Context, req session.UpdateRequest) error
- func (c *Client) UpsertAppSession(ctx context.Context, session types.WebSession) error
- func (c *Client) UpsertAuthServer(s types.Server) error
- func (c *Client) UpsertCertAuthority(ca types.CertAuthority) error
- func (c *Client) UpsertClusterName(cn types.ClusterName) error
- func (c *Client) UpsertNamespace(ns types.Namespace) error
- func (c *Client) UpsertProxy(s types.Server) error
- func (c *Client) UpsertReverseTunnel(tunnel types.ReverseTunnel) error
- func (c *Client) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error
- func (c *Client) UpsertTunnelConnection(conn types.TunnelConnection) error
- func (c *Client) UpsertUser(user types.User) error
- func (c *Client) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (c *Client) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (c *Client) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
- func (c *Client) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- type ClientI
- type Context
- type CreateUserTokenRequest
- type DatabaseAccessPoint
- type DatabaseTestCertRequest
- type DatabaseWrapper
- type DiscoveryAccessPoint
- type DiscoveryWrapper
- func (w *DiscoveryWrapper) Close() error
- func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- type ForwardedClientMetadata
- type GRPCServer
- func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
- func (g *GRPCServer) AddMFADevice(stream proto.AuthService_AddMFADeviceServer) error
- func (g *GRPCServer) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
- func (g *GRPCServer) AppendDiagnosticTrace(ctx context.Context, in *proto.AppendDiagnosticTraceRequest) (*types.ConnectionDiagnosticV1, error)
- func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
- func (g *GRPCServer) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
- func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (g *GRPCServer) CreateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateAppSession(ctx context.Context, req *proto.CreateAppSessionRequest) (*proto.CreateAppSessionResponse, error)
- func (g *GRPCServer) CreateAuditStream(stream proto.AuthService_CreateAuditStreamServer) error
- func (g *GRPCServer) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
- func (g *GRPCServer) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
- func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
- func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *proto.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)
- func (g *GRPCServer) CreateSnowflakeSession(ctx context.Context, req *proto.CreateSnowflakeSessionRequest) (*proto.CreateSnowflakeSessionResponse, error)
- func (g *GRPCServer) CreateToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)
- func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAccessRequest(ctx context.Context, id *proto.RequestID) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *proto.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllApps(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *proto.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllKubeServices(ctx context.Context, req *proto.DeleteAllKubeServicesRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *proto.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllSnowflakeSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *proto.DeleteAppSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *proto.DeleteApplicationServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteBot(ctx context.Context, req *proto.DeleteBotRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *proto.DeleteDatabaseServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteKubeService(ctx context.Context, req *proto.DeleteKubeServiceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *proto.DeleteKubernetesServerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteLock(ctx context.Context, req *proto.DeleteLockRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteMFADevice(stream proto.AuthService_DeleteMFADeviceServer) error
- func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteRole(ctx context.Context, req *proto.DeleteRoleRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *proto.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUser(ctx context.Context, req *proto.DeleteUserRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *proto.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *proto.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)
- func (g *GRPCServer) Export(ctx context.Context, req *collectortracepb.ExportTraceServiceRequest) (*collectortracepb.ExportTraceServiceResponse, error)
- func (g *GRPCServer) GenerateAppToken(ctx context.Context, req *proto.GenerateAppTokenRequest) (*proto.GenerateAppTokenResponse, error)
- func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *proto.CertAuthorityRequest) (*proto.CRL, error)
- func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
- func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
- func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
- func (g *GRPCServer) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (*proto.GenerateTokenResponse, error)
- func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *proto.UserCertsRequest) (*proto.Certs, error)
- func (g *GRPCServer) GenerateUserSingleUseCerts(stream proto.AuthService_GenerateUserSingleUseCertsServer) error
- func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
- func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (g *GRPCServer) GetAccessRequests(ctx context.Context, f *types.AccessRequestFilter) (*proto.AccessRequests, error)
- func (g *GRPCServer) GetAccessRequestsV2(f *types.AccessRequestFilter, ...) error
- func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream proto.AuthService_GetActiveSessionTrackersServer) error
- func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, ...) error
- func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)
- func (g *GRPCServer) GetAppSession(ctx context.Context, req *proto.GetAppSessionRequest) (*proto.GetAppSessionResponse, error)
- func (g *GRPCServer) GetAppSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetAppSessionsResponse, error)
- func (g *GRPCServer) GetApps(ctx context.Context, _ *emptypb.Empty) (*types.AppV3List, error)
- func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)
- func (g *GRPCServer) GetBotUsers(_ *proto.GetBotUsersRequest, stream proto.AuthService_GetBotUsersServer) error
- func (g *GRPCServer) GetClusterAlerts(ctx context.Context, query *types.GetClusterAlertsRequest) (*proto.GetClusterAlertsResponse, error)
- func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)
- func (g *GRPCServer) GetClusterCACert(ctx context.Context, req *emptypb.Empty) (*proto.GetClusterCACertResponse, error)
- func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)
- func (g *GRPCServer) GetConnectionDiagnostic(ctx context.Context, req *proto.GetConnectionDiagnosticRequest) (*types.ConnectionDiagnosticV1, error)
- func (g *GRPCServer) GetCurrentUser(ctx context.Context, req *emptypb.Empty) (*types.UserV2, error)
- func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream proto.AuthService_GetCurrentUserRolesServer) error
- func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)
- func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)
- func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*proto.GetDomainNameResponse, error)
- func (g *GRPCServer) GetEvents(ctx context.Context, req *proto.GetEventsRequest) (*proto.Events, error)
- func (g *GRPCServer) GetGithubAuthRequest(ctx context.Context, req *proto.GetGithubAuthRequestRequest) (*types.GithubAuthRequest, error)
- func (g *GRPCServer) GetGithubConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.GithubConnectorV3, error)
- func (g *GRPCServer) GetGithubConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.GithubConnectorV3List, error)
- func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)
- func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)
- func (g *GRPCServer) GetInventoryStatus(ctx context.Context, req *proto.InventoryStatusRequest) (*proto.InventoryStatusSummary, error)
- func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)
- func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)
- func (g *GRPCServer) GetLock(ctx context.Context, req *proto.GetLockRequest) (*types.LockV2, error)
- func (g *GRPCServer) GetLocks(ctx context.Context, req *proto.GetLocksRequest) (*proto.GetLocksResponse, error)
- func (g *GRPCServer) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
- func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)
- func (g *GRPCServer) GetNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*types.ServerV2, error)
- func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *proto.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)
- func (g *GRPCServer) GetOIDCConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.OIDCConnectorV3, error)
- func (g *GRPCServer) GetOIDCConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.OIDCConnectorV3List, error)
- func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*proto.PluginDataSeq, error)
- func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *proto.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) GetRole(ctx context.Context, req *proto.GetRoleRequest) (*types.RoleV5, error)
- func (g *GRPCServer) GetRoles(ctx context.Context, _ *emptypb.Empty) (*proto.GetRolesResponse, error)
- func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *proto.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)
- func (g *GRPCServer) GetSAMLConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.SAMLConnectorV2, error)
- func (g *GRPCServer) GetSAMLConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.SAMLConnectorV2List, error)
- func (g *GRPCServer) GetSSODiagnosticInfo(ctx context.Context, req *proto.GetSSODiagnosticInfoRequest) (*types.SSODiagnosticInfo, error)
- func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*proto.Semaphores, error)
- func (g *GRPCServer) GetServer() (*grpc.Server, error)
- func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *proto.GetSessionEventsRequest) (*proto.Events, error)
- func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)
- func (g *GRPCServer) GetSessionTracker(ctx context.Context, req *proto.GetSessionTrackerRequest) (*types.SessionTrackerV1, error)
- func (g *GRPCServer) GetSnowflakeSession(ctx context.Context, req *proto.GetSnowflakeSessionRequest) (*proto.GetSnowflakeSessionResponse, error)
- func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*proto.GetSnowflakeSessionsResponse, error)
- func (g *GRPCServer) GetToken(ctx context.Context, req *types.ResourceRequest) (*types.ProvisionTokenV2, error)
- func (g *GRPCServer) GetTokens(ctx context.Context, _ *emptypb.Empty) (*types.ProvisionTokenV2List, error)
- func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)
- func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)
- func (g *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*types.UserV2, error)
- func (g *GRPCServer) GetUsers(req *proto.GetUsersRequest, stream proto.AuthService_GetUsersServer) error
- func (g *GRPCServer) GetWebSession(ctx context.Context, req *types.GetWebSessionRequest) (*proto.GetWebSessionResponse, error)
- func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebSessionsResponse, error)
- func (g *GRPCServer) GetWebToken(ctx context.Context, req *types.GetWebTokenRequest) (*proto.GetWebTokenResponse, error)
- func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebTokensResponse, error)
- func (g *GRPCServer) GetWindowsDesktopService(ctx context.Context, req *proto.GetWindowsDesktopServiceRequest) (*proto.GetWindowsDesktopServiceResponse, error)
- func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*proto.GetWindowsDesktopServicesResponse, error)
- func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, filter *types.WindowsDesktopFilter) (*proto.GetWindowsDesktopsResponse, error)
- func (g *GRPCServer) InventoryControlStream(stream proto.AuthService_InventoryControlStreamServer) error
- func (g *GRPCServer) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
- func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
- func (g *GRPCServer) ListResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error)
- func (g *GRPCServer) MaintainSessionPresence(stream proto.AuthService_MaintainSessionPresenceServer) error
- func (g *GRPCServer) Ping(ctx context.Context, req *proto.PingRequest) (*proto.PingResponse, error)
- func (g *GRPCServer) PingInventory(ctx context.Context, req *proto.InventoryPingRequest) (*proto.InventoryPingResponse, error)
- func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *proto.RemoveSessionTrackerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *proto.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
- func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error
- func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *proto.RequestStateSetter) (*emptypb.Empty, error)
- func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)
- func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)
- func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)
- func (g *GRPCServer) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
- func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) StreamSessionEvents(req *proto.StreamSessionEventsRequest, ...) error
- func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)
- func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UnstableAssertSystemRole(ctx context.Context, req *proto.UnstableSystemRoleAssertion) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *proto.UpsertApplicationServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *proto.UpsertClusterAlertRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *proto.UpsertDatabaseServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertKubeService(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertKubeServiceV2(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *proto.UpsertKubernetesServerRequest) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertLock(ctx context.Context, lock *types.LockV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)
- func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertRole(ctx context.Context, role *types.RoleV5) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)
- func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
- func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)
- func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)
- func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error
- type GRPCServerConfig
- type GithubAuthRequest
- type GithubAuthResponse
- type GithubConverter
- func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)
- func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
- func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
- type HTTPClient
- type HandlerWithAuthFunc
- type HostCredentials
- type Identity
- func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
- func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, ...) (*Identity, error)
- func NewServerIdentity(clt *Server, hostID string, role types.SystemRole) (*Identity, error)
- func ReRegister(params ReRegisterParams) (*Identity, error)
- func ReadIdentityFromKeyPair(privateKey []byte, certs *proto.Certs) (*Identity, error)
- func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
- func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)
- func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
- func (i *Identity) HasDNSNames(dnsNames []string) bool
- func (i *Identity) HasPrincipals(additionalPrincipals []string) bool
- func (i *Identity) HasTLSConfig() bool
- func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)
- func (i *Identity) String() string
- func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)
- type IdentityGetter
- type IdentityID
- type IdentityService
- type IdentitySpecV2
- type IdentityV2
- type InitConfig
- type KubeCSR
- type KubeCSRResponse
- type KubernetesAccessPoint
- type KubernetesWrapper
- type LocalUser
- type Metrics
- type Middleware
- func (a *Middleware) GetUser(connState tls.ConnectionState) (IdentityGetter, error)
- func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (a *Middleware) StreamInterceptor() grpc.StreamServerInterceptor
- func (a *Middleware) UnaryInterceptor() grpc.UnaryServerInterceptor
- func (a *Middleware) Wrap(h http.Handler)
- func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)
- type NewRemoteProxyCachingAccessPoint
- type NodeAccessPoint
- type NodeWrapper
- type OIDCAuthRequest
- type OIDCAuthResponse
- type OTPCreds
- type PassCreds
- type PolicyOptions
- type ProcessStorage
- func (p *ProcessStorage) Close() error
- func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error
- func (p *ProcessStorage) GetState(role types.SystemRole) (*StateV2, error)
- func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)
- func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
- func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error
- type ProvisioningService
- type ProxyAccessPoint
- type ProxyWrapper
- type ReRegisterParams
- type ReadAppsAccessPoint
- type ReadDatabaseAccessPoint
- type ReadDiscoveryAccessPoint
- type ReadKubernetesAccessPoint
- type ReadNodeAccessPoint
- type ReadProxyAccessPoint
- type ReadRemoteProxyAccessPoint
- type ReadWindowsDesktopAccessPoint
- type RegisterParams
- type RemoteBuiltinRole
- type RemoteProxyAccessPoint
- type RemoteProxyWrapper
- type RemoteUser
- type RotateRequest
- type SAMLAuthRequest
- type SAMLAuthResponse
- type SSHLoginResponse
- type Server
- func (a *Server) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
- func (s *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (s *Server) AuthenticateUser(req AuthenticateUserRequest) (string, error)
- func (s *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (s *Server) ChangePassword(req services.ChangePasswordReq) error
- func (s *Server) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
- func (a *Server) Close() error
- func (a *Server) CloseContext() context.Context
- func (s *Server) CompareAndSwapUser(ctx context.Context, new, existing types.User) error
- func (s *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
- func (a *Server) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
- func (s *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *Server) CreateApp(ctx context.Context, app types.Application) error
- func (s *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, user types.User, ...) (types.WebSession, error)
- func (a *Server) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
- func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
- func (a *Server) CreateDatabase(ctx context.Context, database types.Database) error
- func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (a *Server) CreateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error
- func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (s *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
- func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
- func (s *Server) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest, ...) (types.WebSession, error)
- func (s *Server) CreateUser(ctx context.Context, user types.User) error
- func (a *Server) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (a *Server) DeleteAccessRequest(ctx context.Context, name string) error
- func (a *Server) DeleteApp(ctx context.Context, name string) error
- func (a *Server) DeleteDatabase(ctx context.Context, name string) error
- func (a *Server) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (a *Server) DeleteLock(ctx context.Context, lockName string) error
- func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
- func (a *Server) DeleteNamespace(namespace string) error
- func (a *Server) DeleteOIDCConnector(ctx context.Context, connectorName string) error
- func (a *Server) DeleteRemoteCluster(clusterName string) error
- func (a *Server) DeleteRole(ctx context.Context, name string) error
- func (a *Server) DeleteSAMLConnector(ctx context.Context, connectorName string) error
- func (a *Server) DeleteToken(ctx context.Context, token string) (err error)
- func (a *Server) DeleteTrustedCluster(ctx context.Context, name string) error
- func (s *Server) DeleteUser(ctx context.Context, user string) error
- func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)
- func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (s *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
- func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)
- func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, ...) ([]byte, error)
- func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
- func (s *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
- func (a *Server) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)
- func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)
- func (a *Server) GenerateUserTestCerts(key []byte, username string, ttl time.Duration, ...) ([]byte, []byte, error)
- func (s *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
- func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (s *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (s *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
- func (a *Server) GetClock() clockwork.Clock
- func (a *Server) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)
- func (a *Server) GetDomainName() (string, error)
- func (a *Server) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) proto.InventoryStatusSummary
- func (a *Server) GetKeyStore() *keystore.Manager
- func (a *Server) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
- func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)
- func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, ...) error
- func (a *Server) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
- func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream
- func (a *Server) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
- func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
- func (a *Server) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
- func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)
- func (s *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error
- func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc, ...) (*proto.Certs, error)
- func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (s *Server) ResetPassword(username string) (string, error)
- func (a *Server) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
- func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (a *Server) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (a *Server) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
- func (a *Server) SetAuditLog(auditLog events.IAuditLog)
- func (a *Server) SetClock(clock clockwork.Clock)
- func (a *Server) SetEmitter(emitter apievents.Emitter)
- func (a *Server) SetEnforcer(enforcer services.Enforcer)
- func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)
- func (a *Server) SetUsageReporter(reporter services.UsageReporter)
- func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
- func (s *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
- func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
- func (a *Server) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
- func (a *Server) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error
- func (a *Server) UnstableGetSystemRoleAssertions(ctx context.Context, serverID string, assertionID string) (proto.UnstableSystemRoleAssertionSet, error)
- func (a *Server) UpdateApp(ctx context.Context, app types.Application) error
- func (a *Server) UpdateDatabase(ctx context.Context, database types.Database) error
- func (a *Server) UpdateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error
- func (s *Server) UpdateUser(ctx context.Context, user types.User) error
- func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error
- func (a *Server) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
- func (a *Server) UpsertRole(ctx context.Context, role types.Role) error
- func (a *Server) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
- func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)
- func (s *Server) UpsertUser(user types.User) error
- func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (a *Server) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse string, connectorID string) (*SAMLAuthResponse, error)
- func (a *Server) ValidateToken(ctx context.Context, token string) (types.ProvisionToken, error)
- func (s *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
- func (a *Server) WithUserLock(username string, authenticateFn func() error) error
- type ServerOption
- type ServerWithRoles
- func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
- func (a *ServerWithRoles) ActivateCertAuthority(id types.CertAuthID) error
- func (a *ServerWithRoles) AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
- func (a *ServerWithRoles) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
- func (a *ServerWithRoles) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
- func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
- func (a *ServerWithRoles) ChangePassword(req services.ChangePasswordReq) error
- func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
- func (a *ServerWithRoles) CheckPassword(user string, password []byte, otpToken string) error
- func (a *ServerWithRoles) Close() error
- func (a *ServerWithRoles) CloseContext() context.Context
- func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
- func (a *ServerWithRoles) CompareAndSwapUser(ctx context.Context, new, existing types.User) error
- func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
- func (a *ServerWithRoles) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
- func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error
- func (a *ServerWithRoles) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
- func (a *ServerWithRoles) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
- func (a *ServerWithRoles) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
- func (a *ServerWithRoles) CreateCertAuthority(ca types.CertAuthority) error
- func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
- func (a *ServerWithRoles) CreateDatabase(ctx context.Context, database types.Database) error
- func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
- func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
- func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
- func (a *ServerWithRoles) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
- func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error
- func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
- func (a *ServerWithRoles) CreateRole(ctx context.Context, role types.Role) error
- func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
- func (a *ServerWithRoles) CreateSession(ctx context.Context, s session.Session) error
- func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
- func (a *ServerWithRoles) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error
- func (a *ServerWithRoles) CreateUser(ctx context.Context, user types.User) error
- func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
- func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) DeactivateCertAuthority(id types.CertAuthID) error
- func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllAuthServers() error
- func (a *ServerWithRoles) DeleteAllCertAuthorities(caType types.CertAuthType) error
- func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllKubeServices(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllLocks(context.Context) error
- func (a *ServerWithRoles) DeleteAllNamespaces() error
- func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error
- func (a *ServerWithRoles) DeleteAllProxies() error
- func (a *ServerWithRoles) DeleteAllRemoteClusters() error
- func (a *ServerWithRoles) DeleteAllReverseTunnels() error
- func (a *ServerWithRoles) DeleteAllRoles() error
- func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllTokens() error
- func (a *ServerWithRoles) DeleteAllTunnelConnections() error
- func (a *ServerWithRoles) DeleteAllUsers() error
- func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error
- func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error
- func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error
- func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
- func (a *ServerWithRoles) DeleteAuthPreference(context.Context) error
- func (a *ServerWithRoles) DeleteAuthServer(name string) error
- func (a *ServerWithRoles) DeleteBot(ctx context.Context, botName string) error
- func (a *ServerWithRoles) DeleteCertAuthority(id types.CertAuthID) error
- func (a *ServerWithRoles) DeleteClusterAuditConfig(ctx context.Context) error
- func (a *ServerWithRoles) DeleteClusterName() error
- func (a *ServerWithRoles) DeleteClusterNetworkingConfig(ctx context.Context) error
- func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
- func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteKubeService(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error
- func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
- func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
- func (a *ServerWithRoles) DeleteNamespace(name string) error
- func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error
- func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error
- func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteProxy(name string) error
- func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error
- func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error
- func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error
- func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error
- func (a *ServerWithRoles) DeleteSession(ctx context.Context, namespace string, id session.ID) error
- func (a *ServerWithRoles) DeleteSessionRecordingConfig(ctx context.Context) error
- func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error
- func (a *ServerWithRoles) DeleteStaticTokens() error
- func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error
- func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error
- func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
- func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error
- func (a *ServerWithRoles) DeleteUser(ctx context.Context, user string) error
- func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
- func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
- func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error
- func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error
- func (a *ServerWithRoles) Export(ctx context.Context, req *collectortracev1.ExportTraceServiceRequest) (*collectortracev1.ExportTraceServiceResponse, error)
- func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
- func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)
- func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
- func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
- func (a *ServerWithRoles) GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, ...) ([]byte, error)
- func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
- func (a *ServerWithRoles) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)
- func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)
- func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
- func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
- func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
- func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
- func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
- func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)
- func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)
- func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)
- func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error)
- func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
- func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)
- func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
- func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)
- func (a *ServerWithRoles) GetBotUsers(ctx context.Context) ([]types.User, error)
- func (a *ServerWithRoles) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, ...) ([]types.CertAuthority, error)
- func (a *ServerWithRoles) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, ...) (types.CertAuthority, error)
- func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
- func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
- func (a *ServerWithRoles) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)
- func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
- func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
- func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)
- func (a *ServerWithRoles) GetCurrentUser(ctx context.Context) (types.User, error)
- func (a *ServerWithRoles) GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)
- func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.Database, error)
- func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
- func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error)
- func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)
- func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)
- func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
- func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
- func (a *ServerWithRoles) GetInstaller(ctx context.Context, name string) (types.Installer, error)
- func (a *ServerWithRoles) GetInstallers(ctx context.Context) ([]types.Installer, error)
- func (a *ServerWithRoles) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
- func (a *ServerWithRoles) GetKubeServices(ctx context.Context) ([]types.Server, error)
- func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
- func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)
- func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
- func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock, error)
- func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
- func (a *ServerWithRoles) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
- func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)
- func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)
- func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
- func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)
- func (a *ServerWithRoles) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
- func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
- func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
- func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
- func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
- func (a *ServerWithRoles) GetProxies() ([]types.Server, error)
- func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
- func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
- func (a *ServerWithRoles) GetResetPasswordToken(ctx context.Context, tokenID string) (types.UserToken, error)
- func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
- func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
- func (a *ServerWithRoles) GetRole(ctx context.Context, name string) (types.Role, error)
- func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error)
- func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)
- func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
- func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
- func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
- func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)
- func (a *ServerWithRoles) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)
- func (a *ServerWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)
- func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
- func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
- func (a *ServerWithRoles) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)
- func (a *ServerWithRoles) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)
- func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)
- func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
- func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
- func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)
- func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)
- func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
- func (a *ServerWithRoles) GetUser(name string, withSecrets bool) (types.User, error)
- func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error)
- func (a *ServerWithRoles) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
- func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
- func (a *ServerWithRoles) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
- func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
- func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
- func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
- func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
- func (a *ServerWithRoles) KeepAliveNode(ctx context.Context, handle types.KeepAlive) error
- func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
- func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.KeepAlive) error
- func (a *ServerWithRoles) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
- func (a *ServerWithRoles) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
- func (a *ServerWithRoles) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
- func (a *ServerWithRoles) MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)
- func (a *ServerWithRoles) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
- func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
- func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)
- func (a *ServerWithRoles) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
- func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)
- func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) error
- func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc) (*proto.Certs, error)
- func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
- func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error
- func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
- func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error
- func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error
- func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error
- func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
- func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error
- func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
- func (a *ServerWithRoles) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, ...) (events []apievents.AuditEvent, lastKey string, err error)
- func (a *ServerWithRoles) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, ...) (events []apievents.AuditEvent, lastKey string, err error)
- func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
- func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error
- func (a *ServerWithRoles) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
- func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error
- func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error
- func (a *ServerWithRoles) SetInstaller(ctx context.Context, inst types.Installer) error
- func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error
- func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error
- func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error
- func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
- func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
- func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
- func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
- func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
- func (a *ServerWithRoles) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error
- func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error
- func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
- func (a *ServerWithRoles) UpdateDatabase(ctx context.Context, database types.Database) error
- func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
- func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
- func (a *ServerWithRoles) UpdatePresence(ctx context.Context, sessionID, user string) error
- func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error
- func (a *ServerWithRoles) UpdateSession(ctx context.Context, req session.UpdateRequest) error
- func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error
- func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) error
- func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) UpsertAppSession(ctx context.Context, session types.WebSession) error
- func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error
- func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error
- func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
- func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error
- func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
- func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server) error
- func (a *ServerWithRoles) UpsertKubeServiceV2(ctx context.Context, s types.Server) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error
- func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error
- func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)
- func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
- func (a *ServerWithRoles) UpsertProxy(s types.Server) error
- func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error
- func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) error
- func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
- func (a *ServerWithRoles) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error
- func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error
- func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)
- func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error
- func (a *ServerWithRoles) UpsertUser(u types.User) error
- func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
- func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)
- func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
- func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
- func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
- func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
- func (a *ServerWithRoles) WebSessions() types.WebSessionInterface
- func (a *ServerWithRoles) WebTokens() types.WebTokenInterface
- type Services
- type SessionAccessContext
- type SessionAccessEvaluator
- func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.SessionParticipantMode
- func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)
- func (e *SessionAccessEvaluator) IsModerated() bool
- func (e *SessionAccessEvaluator) PrettyRequirementsList() string
- type SessionCreds
- type SnowflakeSessionWatcher
- type StateSpecV2
- type StateV2
- type TLSServer
- type TLSServerConfig
- type TestAuthServer
- func (a *TestAuthServer) Clock() clockwork.Clock
- func (a *TestAuthServer) Close() error
- func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
- func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
- func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
- func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)
- func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error
- type TestAuthServerConfig
- type TestDevice
- type TestDeviceOpt
- type TestIdentity
- func TestAdmin() TestIdentity
- func TestBuiltin(role types.SystemRole) TestIdentity
- func TestNop() TestIdentity
- func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity
- func TestRenewableUser(username string, generation uint64) TestIdentity
- func TestServerID(role types.SystemRole, serverID string) TestIdentity
- func TestUser(username string) TestIdentity
- type TestServer
- type TestServerConfig
- type TestTLSServer
- func (t *TestTLSServer) Addr() net.Addr
- func (t *TestTLSServer) Auth() *Server
- func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
- func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
- func (t *TestTLSServer) Clock() clockwork.Clock
- func (t *TestTLSServer) CloneClient(clt *Client) *Client
- func (t *TestTLSServer) Close() error
- func (t *TestTLSServer) ClusterName() string
- func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
- func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)
- func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client
- func (t *TestTLSServer) Shutdown(ctx context.Context) error
- func (t *TestTLSServer) Start() error
- func (t *TestTLSServer) Stop() error
- type TestTLSServerConfig
- type TrustedCerts
- type ValidateTrustedClusterRequest
- type ValidateTrustedClusterRequestRaw
- type ValidateTrustedClusterResponse
- type ValidateTrustedClusterResponseRaw
- type WebService
- type WebSessionReq
- type WindowsDesktopAccessPoint
- type WindowsDesktopWrapper
- type WrapIdentity
Constants ¶
const (
	// MaxFailedAttemptsFromStartRecoveryErrMsg is the user-facing message returned when
	// the recovery start flow has reached its attempt limit and the user should retry later.
	// It is a named constant so the root caller can recognise this outcome and decide
	// whether an email needs to be sent.
	MaxFailedAttemptsFromStartRecoveryErrMsg = "you have reached max attempts, please try again later"

	// MaxFailedAttemptsFromVerifyRecoveryErrMsg is the user-facing message returned when
	// recovery verification has reached its attempt limit and the user must start over
	// with a new recovery code. Named for the same reason as the constant above.
	MaxFailedAttemptsFromVerifyRecoveryErrMsg = "too many incorrect attempts, please start over with a new recovery code"
)
const (
	// ErrFieldKeyUserMaxedAttempts is the key "maxed-attempts"; by its name it is
	// presumably attached to errors as a field marker — confirm against callers.
	ErrFieldKeyUserMaxedAttempts = "maxed-attempts"

	// MaxFailedAttemptsErrMsg is the user-facing message telling a user that they
	// are locked out after too many incorrect attempts.
	MaxFailedAttemptsErrMsg = "too many incorrect attempts, please try again later"
)
const (
	// BearerTokenTTL is how long a standard bearer token lives before the
	// client has to renew it.
	BearerTokenTTL = 10 * time.Minute

	// TokenLenBytes is the length, in bytes, of an invite token.
	TokenLenBytes = 16

	// RecoveryTokenLenBytes is the length, in bytes, of a user recovery token.
	RecoveryTokenLenBytes = 32

	// SessionTokenBytes is the length, in bytes, of a web or application session token.
	SessionTokenBytes = 32
)
const (
	// CurrentVersion is the API version this package currently serves.
	CurrentVersion = types.V2

	// MissingNamespaceError is the message used when a client request omits
	// the required namespace parameter.
	MissingNamespaceError = "missing required parameter: namespace"
)
const (
	// GithubAuthPath is the path of GitHub's OAuth authorization endpoint.
	GithubAuthPath = "login/oauth/authorize"

	// GithubTokenPath is the path of GitHub's OAuth token exchange endpoint.
	GithubTokenPath = "login/oauth/access_token"

	// MaxPages caps how many pagination links will be followed.
	MaxPages = 99
)
const (
	// ContextUser is the context key under which the request's user is stored.
	ContextUser contextKey = "teleport-user"

	// ContextClientAddr is the context key under which the request's client
	// address is stored.
	ContextClientAddr contextKey = "client-addr"
)
const (
	// IdentityCurrent names the identity credentials the process is using right now.
	IdentityCurrent = "current"

	// IdentityReplacement names the identity credentials that take over from the
	// current ones during a CA rotation.
	IdentityReplacement = "replacement"
)
const (
	// UserTokenTypeResetPasswordInvite is the token type for the UI invite flow,
	// which lets a user set their password and a second factor (if enabled).
	UserTokenTypeResetPasswordInvite = "invite"

	// UserTokenTypeResetPassword is the token type for the UI flow in which a
	// user resets their password and second factor (if enabled).
	UserTokenTypeResetPassword = "password"

	// UserTokenTypeRecoveryStart is the recovery token issued to a user who has
	// successfully verified their recovery code.
	UserTokenTypeRecoveryStart = "recovery_start"

	// UserTokenTypeRecoveryApproved is the recovery token issued to a user who has
	// successfully verified their second auth credential (either password or a
	// second factor) and may now change their password or add a new second factor
	// device. It also lets the user delete existing second factor devices and
	// retrieve a new set of recovery codes as part of the recovery flow.
	UserTokenTypeRecoveryApproved = "recovery_approved"

	// UserTokenTypePrivilege grants access to a privileged action that requires a
	// logged-in user to re-authenticate with their second factor. It is issued to
	// users who have successfully re-authenticated.
	UserTokenTypePrivilege = "privilege"

	// UserTokenTypePrivilegeException allows a user to bypass the second factor
	// re-authentication that would otherwise be required, e.g. letting a user add
	// an MFA device when they have none registered.
	UserTokenTypePrivilegeException = "privilege_exception"
)
// LicenseExpiredNotification is the identifier of the license-expired notification.
const LicenseExpiredNotification = "licenseExpired"
LicenseExpiredNotification defines a license expired notification
// TokenExpiredOrNotFound is the message the auth server returns when a
// provisioning token is past its TTL or cannot be found.
const TokenExpiredOrNotFound = "token expired or not found"
TokenExpiredOrNotFound is a special message returned by the auth server when provisioning tokens are either past their TTL, or could not be found.
Variables ¶
// ErrDone signals that resource iteration is complete.
var ErrDone = errors.New("done iterating")
ErrDone indicates that resource iteration is complete
// ErrGithubNoTeams is returned when a GitHub user belongs to none of the teams
// configured in the connector.
var ErrGithubNoTeams = trace.BadParameter("user does not belong to any teams configured in connector; the configuration may have typos.")
ErrGithubNoTeams results from a github user not belonging to any teams.
// ErrOIDCNoRoles is returned when no roles could be mapped from OIDC claims.
var ErrOIDCNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")
ErrOIDCNoRoles results from not mapping any roles from OIDC claims.
// ErrRequiresEnterprise is services.ErrRequiresEnterprise re-exported from this package.
var ErrRequiresEnterprise = services.ErrRequiresEnterprise
// ErrSAMLNoRoles is returned when no roles could be mapped from SAML claims.
var ErrSAMLNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")
ErrSAMLNoRoles results from not mapping any roles from SAML claims.
// GithubScopes lists the OAuth2 scopes requested during the GitHub login flow.
var GithubScopes = []string{"read:org"}
GithubScopes is the list of scopes requested during the OAuth2 flow.
// MinSupportedModeratedSessionsVersion is derived from utils.VersionBeforeAlpha("9.0.0");
// by its name it is presumably the lowest version treated as supporting moderated
// sessions — confirm against callers.
var MinSupportedModeratedSessionsVersion = semver.New(utils.VersionBeforeAlpha("9.0.0"))
// UserLoginCount is the Prometheus counter that counts user logins.
var UserLoginCount = prometheus.NewCounter(prometheus.CounterOpts{
	Name: teleport.MetricUserLoginCount,
	Help: "Number of times there was a user login",
})
// WithDelegator is an alias of utils.WithDelegator kept for backwards compatibility.
var WithDelegator = utils.WithDelegator
WithDelegator is an alias kept for backwards compatibility.
Functions ¶
func BotResourceName ¶
BotResourceName returns the default name for resources associated with the given named bot.
func CertAuthorityInfo ¶
func CertAuthorityInfo(ca types.CertAuthority) string
CertAuthorityInfo returns debugging information about a certificate authority.
func CertInfo ¶
func CertInfo(cert *x509.Certificate) string
CertInfo returns diagnostic information about a certificate.
func ClientCertPool ¶
func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)
ClientCertPool returns a trusted x509 certificate authority pool built from the CAs of the given caTypes. In addition, it returns the total length of all subjects added to the pool, so the caller can check that the subject list still fits within the 2-byte length prefix TLS allows before using the pool.
func ClientImpersonator ¶
ClientImpersonator returns the impersonator username of the remote client making the call. If none is present, it returns an empty string.
func ClientTimeout ¶
func ClientTimeout(timeout time.Duration) roundtrip.ClientParam
ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.
func ClientUserMetadata ¶
func ClientUserMetadata(ctx context.Context) apievents.UserMetadata
ClientUserMetadata returns a UserMetadata suitable for events caused by a remote client making a call. If ctx didn't pass through auth middleware or did not come from an HTTP request, metadata for teleport.UserSystem is returned.
func ClientUserMetadataWithUser ¶
func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata
ClientUserMetadataWithUser returns a UserMetadata suitable for events caused by a remote client making a call, with the specified username overriding the one from the remote client.
func ClientUsername ¶
ClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, teleport.UserSystem is returned.
func ContainsSessionKind ¶
func ContainsSessionKind(s []string, e types.SessionKind) bool
func CreateAccessPluginUser ¶
CreateAccessPluginUser creates a user with list/read abilities for access requests, and list/read/update abilities for access plugin data.
func CreateRole ¶
func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV5) (types.Role, error)
CreateRole creates a role without assigning any users. Used in tests.
func CreateUser ¶
CreateUser creates a user and a role and assigns the role to the user; used in tests.
func CreateUserAndRole ¶
func CreateUserAndRole(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
CreateUserAndRole creates a user and a role and assigns the role to the user; used in tests.
func CreateUserAndRoleWithoutRoles ¶
func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)
CreateUserAndRoleWithoutRoles creates a user and a role but does not assign the role to the user; used in tests.
func CreateUserRoleAndRequestable ¶
CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.
func DefaultClientCertPool ¶
DefaultClientCertPool returns default trusted x509 certificate authority pool.
func DefaultDNSNamesForRole ¶
func DefaultDNSNamesForRole(role types.SystemRole) []string
DefaultDNSNamesForRole returns default DNS names for the specified role.
func ExtractHostID ¶
ExtractHostID returns host id based on the hostname
func GetClientUsername ¶
GetClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, returns an error.
func HasBuiltinRole ¶
HasBuiltinRole checks if the identity is a builtin role with the matching name.
func HasRemoteBuiltinRole ¶
HasRemoteBuiltinRole checks if the identity is a remote builtin role with the matching name.
func IsInvalidLocalCredentialError ¶
IsInvalidLocalCredentialError checks if an error resulted from an incorrect username, password, or second factor.
func NewAPIServer ¶
NewAPIServer returns a new instance of the APIServer HTTP handler.
func ParseSAMLInResponseTo ¶
func PrivateKeyToPublicKeyTLS ¶
PrivateKeyToPublicKeyTLS gets the TLS public key from a raw private key.
func Register ¶
func Register(params RegisterParams) (*proto.Certs, error)
Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.
func RoleSetForBuiltinRoles ¶
func RoleSetForBuiltinRoles(clusterName string, recConfig types.SessionRecordingConfig, roles ...types.SystemRole) (services.RoleSet, error)
RoleSetForBuiltinRoles returns the RoleSet for the given embedded builtin roles.
func SliceContainsMode ¶
func SliceContainsMode(s []types.SessionParticipantMode, e types.SessionParticipantMode) bool
func TLSCertInfo ¶
func TLSCertInfo(cert *tls.Certificate) string
TLSCertInfo returns diagnostic information about certificate
func WaitForAppSession ¶
func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error
WaitForAppSession will block until the requested application session shows up in the cache or a timeout occurs.
func WaitForSnowflakeSession ¶
func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error
WaitForSnowflakeSession waits until the requested Snowflake session shows up in the cache or a timeout occurs.
func WithClusterCAs ¶
func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, log logrus.FieldLogger) func(*tls.ClientHelloInfo) (*tls.Config, error)
WithClusterCAs returns a TLS hello callback that returns a copy of the provided TLS config with client CAs pool of the specified cluster.
Types ¶
type APIConfig ¶
type APIConfig struct { PluginRegistry plugin.Registry AuthServer *Server SessionService session.Service AuditLog events.IAuditLog Authorizer Authorizer Emitter apievents.Emitter // KeepAlivePeriod defines period between keep alives KeepAlivePeriod time.Duration // KeepAliveCount specifies amount of missed keep alives // to wait for until declaring connection as broken KeepAliveCount int // MetadataGetter retrieves additional metadata about session uploads. // Will be nil if audit logging is not enabled. MetadataGetter events.UploadMetadataGetter }
func (*APIConfig) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default values
type APIServer ¶
type APIServer struct { APIConfig httprouter.Router clockwork.Clock }
APIServer implements http API server for AuthServer interface
type AccessCache ¶
type AccessCache interface { // GetCertAuthority returns cert authority by id GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error) // GetClusterAuditConfig returns cluster audit configuration. GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error) // GetClusterNetworkingConfig returns cluster networking configuration. GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error) // GetSessionRecordingConfig returns session recording configuration. GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error) // GetClusterName gets the name of the cluster from the backend. GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error) }
AccessCache is a subset of the interface working on the certificate authorities
type Announcer ¶
type Announcer interface { // UpsertNode registers node presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error) // UpsertProxy registers proxy presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(s types.Server) error // UpsertAuthServer registers auth server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertAuthServer(s types.Server) error // UpsertKubeService registers kubernetes presence, permanently if ttl is 0 // or for the specified duration with second resolution if it's >= 1 second // DELETE IN 11.0. Deprecated, use UpsertKubeServiceV2 UpsertKubeService(context.Context, types.Server) error // UpsertKubeServiceV2 registers a kubernetes service // DELETE IN 13.0. Deprecated, use UpsertKubernetesServer UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error) // UpsertKubernetesServer registers a kubernetes server UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error) // NewKeepAliver returns a new instance of keep aliver NewKeepAliver(ctx context.Context) (types.KeepAliver, error) // UpsertApplicationServer registers an application server. UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error) // UpsertDatabaseServer registers a database proxy server. UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error) // UpsertWindowsDesktopService registers a Windows desktop service. UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error) // CreateWindowsDesktop registers a Windows desktop host. CreateWindowsDesktop(context.Context, types.WindowsDesktop) error // UpdateWindowsDesktop updates a Windows desktop host. 
UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error }
Announcer specifies interface responsible for announcing presence
type AppTestCertRequest ¶
type AppTestCertRequest struct { // PublicKey is the public key to sign. PublicKey []byte // Username is the Teleport user name to sign certificate for. Username string // TTL is the test certificate validity period. TTL time.Duration // PublicAddr is the application public address. Used for routing. PublicAddr string // ClusterName is the name of the cluster application resides in. Used for routing. ClusterName string // SessionID is the optional session ID to encode. Used for routing. SessionID string // AWSRoleARN is optional AWS role ARN a user wants to assume to encode. AWSRoleARN string }
AppTestCertRequest combines parameters for generating a test app access cert.
type AppsAccessPoint ¶
type AppsAccessPoint interface { // ReadAppsAccessPoint provides methods to read data ReadAppsAccessPoint // contains filtered or unexported methods }
AppsAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.
func NewAppsWrapper ¶
func NewAppsWrapper(base AppsAccessPoint, cache ReadAppsAccessPoint) AppsAccessPoint
type AppsWrapper ¶
type AppsWrapper struct { ReadAppsAccessPoint NoCache AppsAccessPoint // contains filtered or unexported fields }
func (*AppsWrapper) Close ¶
func (w *AppsWrapper) Close() error
Close closes all associated resources
type AuthenticateSSHRequest ¶
type AuthenticateSSHRequest struct { // AuthenticateUserRequest is a request with credentials AuthenticateUserRequest // PublicKey is a public key in ssh authorized_keys format PublicKey []byte `json:"public_key"` // TTL is the requested TTL for the certificates to be issued TTL time.Duration `json:"ttl"` // CompatibilityMode sets certificate compatibility mode with old SSH clients CompatibilityMode string `json:"compatibility_mode"` // RouteToCluster is the name of the cluster the issued certificate should be routed to RouteToCluster string `json:"route_to_cluster"` // KubernetesCluster sets the target kubernetes cluster for the TLS // certificate. This can be empty on older clients. KubernetesCluster string `json:"kubernetes_cluster"` // AttestationStatement is an attestation statement associated with the given public key. AttestationStatement *keys.AttestationStatement `json:"attestation_statement,omitempty"` }
AuthenticateSSHRequest is a request to authenticate an SSH client user via the CLI.
func (*AuthenticateSSHRequest) CheckAndSetDefaults ¶
func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default certificate values
type AuthenticateUserRequest ¶
type AuthenticateUserRequest struct { // Username is a username Username string `json:"username"` // Pass is a password used in local authentication schemes Pass *PassCreds `json:"pass,omitempty"` // Webauthn is a signed credential assertion, used in MFA authentication Webauthn *wanlib.CredentialAssertionResponse `json:"webauthn,omitempty"` // OTP is a password and second factor, used for MFA authentication OTP *OTPCreds `json:"otp,omitempty"` // Session is a web session credential used to authenticate web sessions Session *SessionCreds `json:"session,omitempty"` // ClientMetadata includes forwarded information about a client ClientMetadata *ForwardedClientMetadata `json:"client_metadata,omitempty"` }
AuthenticateUserRequest is a request to authenticate interactive user
func (*AuthenticateUserRequest) CheckAndSetDefaults ¶
func (a *AuthenticateUserRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type Authorizer ¶
type Authorizer interface { // Authorize authorizes user based on identity supplied via context Authorize(ctx context.Context) (*Context, error) }
Authorizer authorizes identity and returns auth context
func NewAuthorizer ¶
func NewAuthorizer(clusterName string, accessPoint AuthorizerAccessPoint, lockWatcher *services.LockWatcher) (Authorizer, error)
NewAuthorizer returns new authorizer using backends
type AuthorizerAccessPoint ¶
type AuthorizerAccessPoint interface { // GetAuthPreference returns the cluster authentication configuration. GetAuthPreference(ctx context.Context) (types.AuthPreference, error) // GetRole returns role by name GetRole(ctx context.Context, name string) (types.Role, error) // GetUser returns a services.User for this cluster. GetUser(name string, withSecrets bool) (types.User, error) // GetCertAuthority returns cert authority by id GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error) // GetClusterAuditConfig returns cluster audit configuration. GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error) // GetClusterNetworkingConfig returns cluster networking configuration. GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error) // GetSessionRecordingConfig returns session recording configuration. GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error) }
AuthorizerAccessPoint is the access point contract required by an Authorizer
type BuiltinRole ¶
type BuiltinRole struct { // Role is the primary builtin role this username is associated with Role types.SystemRole // AdditionalSystemRoles is a collection of additional system roles held by // this identity (only currently used by identities with RoleInstance as their // primary role). AdditionalSystemRoles types.SystemRoles // Username is for authentication tracking purposes Username string // ClusterName is the name of the local cluster ClusterName string // Identity is source x509 used to build this role Identity tlsca.Identity }
BuiltinRole is the role of the Teleport service.
func (BuiltinRole) GetIdentity ¶
func (r BuiltinRole) GetIdentity() tlsca.Identity
GetIdentity returns client identity
func (BuiltinRole) GetServerID ¶
func (r BuiltinRole) GetServerID() string
GetServerID extracts the identity from the full name. The username extracted from the node's identity (x.509 certificate) is expected to consist of "<server-id>.<cluster-name>" so strip the cluster name suffix to get the server id.
Note that as of right now Teleport expects server id to be a UUID4 but older Gravity clusters used to override it with strings like "192_168_1_1.<cluster-name>" so this code can't rely on it being UUID4 to account for clusters upgraded from older versions.
func (BuiltinRole) IsServer ¶
func (r BuiltinRole) IsServer() bool
IsServer returns true if the primary role is either RoleInstance, or one of the local service roles (e.g. proxy).
type Cache ¶
type Cache interface { // Closer closes all the resources io.Closer // NewWatcher returns a new event watcher. NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error) // GetReverseTunnels returns a list of reverse tunnels GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error) // GetClusterName returns cluster name GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error) // GetClusterAuditConfig returns cluster audit configuration. GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error) // GetClusterNetworkingConfig returns cluster networking configuration. GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error) // GetAuthPreference returns the cluster authentication configuration. GetAuthPreference(ctx context.Context) (types.AuthPreference, error) // GetSessionRecordingConfig returns session recording configuration. GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error) // GetNamespaces returns a list of namespaces GetNamespaces() ([]types.Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*types.Namespace, error) // GetNode returns a node by name and namespace. GetNode(ctx context.Context, namespace, name string) (types.Server, error) // GetNodes returns a list of registered servers for this cluster. 
GetNodes(ctx context.Context, namespace string) ([]types.Server, error) // GetProxies returns a list of proxy servers registered in the cluster GetProxies() ([]types.Server, error) // GetAuthServers returns a list of auth servers registered in the cluster GetAuthServers() ([]types.Server, error) // GetCertAuthority returns cert authority by id GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error) // GetUser returns a services.User for this cluster. GetUser(name string, withSecrets bool) (types.User, error) // GetUsers returns a list of local users registered with this domain GetUsers(withSecrets bool) ([]types.User, error) // GetRole returns role by name GetRole(ctx context.Context, name string) (types.Role, error) // GetRoles returns a list of roles GetRoles(ctx context.Context) ([]types.Role, error) // GetAllTunnelConnections returns all tunnel connections GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error) // GetTunnelConnections returns tunnel connections for a given cluster GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error) // GetApps returns all application resources. GetApps(ctx context.Context) ([]types.Application, error) // GetApp returns the specified application resource. GetApp(ctx context.Context, name string) (types.Application, error) // GetApplicationServers returns all registered application servers. GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error) // GetAppSession gets an application web session. GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error) // GetSnowflakeSession gets a Snowflake web session. 
GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error) // GetWebSession gets a web session for the given request GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error) // GetWebToken gets a web token for the given request GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error) // GetRemoteClusters returns a list of remote clusters GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error) // GetRemoteCluster returns a remote cluster by name GetRemoteCluster(clusterName string) (types.RemoteCluster, error) // GetKubeServices returns a list of kubernetes services registered in the cluster // DELETE IN 13.0. Deprecated, use GetKubernetesServers. GetKubeServices(context.Context) ([]types.Server, error) // GetKubernetesServers returns a list of kubernetes servers registered in the cluster GetKubernetesServers(context.Context) ([]types.KubeServer, error) // GetDatabaseServers returns all registered database proxy servers. GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error) // GetDatabases returns all database resources. GetDatabases(ctx context.Context) ([]types.Database, error) // GetDatabase returns the specified database resource. GetDatabase(ctx context.Context, name string) (types.Database, error) // GetNetworkRestrictions returns networking restrictions for restricted shell to enforce GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error) // GetWindowsDesktops returns windows desktop hosts. GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error) // GetWindowsDesktopServices returns windows desktop hosts. GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error) // GetWindowsDesktopService returns a windows desktop host by name. 
GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error) // GetStaticTokens gets the list of static tokens used to provision nodes. GetStaticTokens() (types.StaticTokens, error) // GetTokens returns all active (non-expired) provisioning tokens GetTokens(ctx context.Context) ([]types.ProvisionToken, error) // GetToken finds and returns token by ID GetToken(ctx context.Context, token string) (types.ProvisionToken, error) // GetLock gets a lock by name. // NOTE: This method is intentionally available only for the auth server // cache, the other Teleport components should make use of // services.LockWatcher that provides the necessary freshness guarantees. GetLock(ctx context.Context, name string) (types.Lock, error) // GetLocks gets all/in-force locks that match at least one of the targets // when specified. // NOTE: This method is intentionally available only for the auth server // cache, the other Teleport components should make use of // services.LockWatcher that provides the necessary freshness guarantees. GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error) // ListResources returns a paginated list of resources. ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error) // ListWindowsDesktops returns a paginated list of windows desktops. ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error) // ListWindowsDesktopServices returns a paginated list of windows desktops. ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error) // GetInstaller gets installer resource for this cluster GetInstaller(ctx context.Context, name string) (types.Installer, error) // GetInstallers gets all the installer resources. 
GetInstallers(ctx context.Context) ([]types.Installer, error) // GetKubernetesClusters returns all kubernetes cluster resources. GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error) // GetKubernetesCluster returns the specified kubernetes cluster resource. GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error) }
Cache is a subset of the auth interface handling access to the discovery API and static tokens
type CertAuthorityMap ¶
type CertAuthorityMap = map[types.CertAuthType]types.CertAuthority
type Client ¶
type Client struct { // APIClient is used to make gRPC requests to the server *APIClient // HTTPClient is used to make http requests to the server *HTTPClient }
Client is the Auth API client. It works by connecting to auth servers via gRPC and HTTP.
When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go
NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.
func NewClient ¶
NewClient creates a new API client with a connection to a Teleport server.
The client will use the first credentials and the given dialer. If no dialer is given, the first address will be used. This address must be an auth server address.
NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.
func (*Client) ActivateCertAuthority ¶
func (c *Client) ActivateCertAuthority(id types.CertAuthID) error
ActivateCertAuthority not implemented: can only be called locally.
func (*Client) AddUserLoginAttempt ¶
func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
AddUserLoginAttempt logs user login attempt
func (*Client) AuthenticateSSHUser ¶
func (c *Client) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed short-lived TLS and SSH certificates.
func (*Client) AuthenticateWebUser ¶
func (c *Client) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication is successful, creates and returns a web session.
func (*Client) ChangePassword ¶
func (c *Client) ChangePassword(req services.ChangePasswordReq) error
ChangePassword updates a user's password after verifying the old password.
func (*Client) CheckPassword ¶
CheckPassword checks if the supplied web access password is valid.
func (*Client) CompareAndSwapCertAuthority ¶
func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*Client) CompareAndSwapUser ¶
CompareAndSwapUser not implemented: can only be called locally
func (*Client) CreateAuditStream ¶
CreateAuditStream creates a new audit stream. This is a wrapper around the gRPC endpoint and is deprecated. DELETE IN 7.0.0
func (*Client) CreateBot ¶
func (c *Client) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
CreateBot creates a bot and associated resources.
func (*Client) CreateCertAuthority ¶
func (c *Client) CreateCertAuthority(ca types.CertAuthority) error
CreateCertAuthority not implemented: can only be called locally.
func (*Client) CreateRemoteCluster ¶
func (c *Client) CreateRemoteCluster(rc types.RemoteCluster) error
CreateRemoteCluster creates remote cluster resource
func (*Client) CreateResetPasswordToken ¶
func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
CreateResetPasswordToken creates reset password token
func (*Client) CreateRole ¶
CreateRole not implemented: can only be called locally.
func (*Client) CreateSession ¶
CreateSession creates a new session. DELETE IN 12.0.0
func (*Client) CreateWebSession ¶
CreateWebSession creates a new web session for a user
func (*Client) DeactivateCertAuthority ¶
func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error
DeactivateCertAuthority not implemented: can only be called locally.
func (*Client) DeleteAllAuthServers ¶
DeleteAllAuthServers not implemented: can only be called locally.
func (*Client) DeleteAllCertAuthorities ¶
func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error
DeleteAllCertAuthorities not implemented: can only be called locally.
func (*Client) DeleteAllLocks ¶
DeleteAllLocks not implemented: can only be called locally.
func (*Client) DeleteAllNamespaces ¶
DeleteAllNamespaces not implemented: can only be called locally.
func (*Client) DeleteAllProxies ¶
DeleteAllProxies deletes all proxies
func (*Client) DeleteAllRemoteClusters ¶
DeleteAllRemoteClusters deletes all remote clusters
func (*Client) DeleteAllReverseTunnels ¶
DeleteAllReverseTunnels not implemented: can only be called locally.
func (*Client) DeleteAllRoles ¶
DeleteAllRoles not implemented: can only be called locally.
func (*Client) DeleteAllTokens ¶
DeleteAllTokens not implemented: can only be called locally.
func (*Client) DeleteAllTunnelConnections ¶
DeleteAllTunnelConnections deletes all tunnel connections
func (*Client) DeleteAllUsers ¶
DeleteAllUsers not implemented: can only be called locally.
func (*Client) DeleteAuthPreference ¶
DeleteAuthPreference not implemented: can only be called locally.
func (*Client) DeleteAuthServer ¶
DeleteAuthServer not implemented: can only be called locally.
func (*Client) DeleteCertAuthority ¶
func (c *Client) DeleteCertAuthority(id types.CertAuthID) error
DeleteCertAuthority deletes cert authority by ID
func (*Client) DeleteClusterAuditConfig ¶
DeleteClusterAuditConfig not implemented: can only be called locally.
func (*Client) DeleteClusterName ¶
DeleteClusterName not implemented: can only be called locally.
func (*Client) DeleteClusterNetworkingConfig ¶
DeleteClusterNetworkingConfig not implemented: can only be called locally.
func (*Client) DeleteNamespace ¶
DeleteNamespace deletes namespace by name
func (*Client) DeleteProxy ¶
DeleteProxy deletes proxy by name
func (*Client) DeleteRemoteCluster ¶
DeleteRemoteCluster deletes remote cluster by name
func (*Client) DeleteReverseTunnel ¶
DeleteReverseTunnel deletes reverse tunnel by domain name
func (*Client) DeleteSession ¶
DeleteSession removes an active session from the backend. DELETE IN 12.0.0
func (*Client) DeleteSessionRecordingConfig ¶
DeleteSessionRecordingConfig not implemented: can only be called locally.
func (*Client) DeleteStaticTokens ¶
DeleteStaticTokens deletes static tokens
func (*Client) DeleteTunnelConnection ¶
DeleteTunnelConnection deletes tunnel connection by name
func (*Client) DeleteTunnelConnections ¶
DeleteTunnelConnections deletes all tunnel connections for cluster
func (*Client) DeleteWebSession ¶
DeleteWebSession deletes the web session specified with sid for the given user
func (*Client) ExtendWebSession ¶
func (c *Client) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on another valid web session
func (*Client) GenerateCertAuthorityCRL ¶
func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for a CA.
func (*Client) GenerateHostCert ¶
func (c *Client) GenerateHostCert( ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration, ) ([]byte, error)
GenerateHostCert takes the public key in the OpenSSH `authorized_keys` plain-text format, signs it using the Host Certificate Authority private key and returns the resulting certificate.
func (*Client) GetAllTunnelConnections ¶
func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
GetAllTunnelConnections returns all tunnel connections
func (*Client) GetAuthServers ¶
GetAuthServers returns the list of auth servers registered in the cluster.
func (*Client) GetBotUsers ¶
GetBotUsers fetches all bot users.
func (*Client) GetCertAuthorities ¶
func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
GetCertAuthorities returns a list of certificate authorities
func (*Client) GetCertAuthority ¶
func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
GetCertAuthority returns the certificate authority with the given id. The loadSigningKeys parameter controls whether signing keys are loaded.
func (*Client) GetClusterAuditConfig ¶
func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*Client) GetClusterName ¶
func (c *Client) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
GetClusterName returns a cluster name
func (*Client) GetClusterNetworkingConfig ¶
func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*Client) GetDatabaseServers ¶
func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
GetDatabaseServers returns all registered database proxy servers.
func (*Client) GetNamespace ¶
GetNamespace returns namespace by name
func (*Client) GetNamespaces ¶
GetNamespaces returns a list of namespaces
func (*Client) GetProxies ¶
GetProxies returns the list of proxy servers registered in the cluster.
func (*Client) GetRemoteCluster ¶
func (c *Client) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
GetRemoteCluster returns a remote cluster by name
func (*Client) GetRemoteClusters ¶
func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
GetRemoteClusters returns a list of remote clusters
func (*Client) GetReverseTunnel ¶
func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
GetReverseTunnel not implemented: can only be called locally.
func (*Client) GetReverseTunnels ¶
func (c *Client) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
GetReverseTunnels returns the list of created reverse tunnels
func (*Client) GetSession ¶
func (c *Client) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)
GetSession returns a session by ID. DELETE IN 12.0.0
func (*Client) GetSessionChunk ¶
func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting at offsetBytes and returning at most maxBytes bytes. The upper bound of maxBytes is events.MaxChunkBytes.
func (*Client) GetSessionEvents ¶
func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)
GetSessionEvents returns the events that happened during a session, sorted by time (oldest first).
afterN filters to events newer than N, where N is the cursor ID of the previously returned batch (useful when polling for the latest events).
This function is usually used in conjunction with GetSessionReader to replay recorded session streams.
func (*Client) GetSessionRecordingConfig ¶
func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
GetSessionRecordingConfig gets session recording configuration.
func (*Client) GetSessions ¶
GetSessions returns a list of active sessions in the cluster as reported by the auth server. DELETE IN 12.0.0
func (*Client) GetStaticTokens ¶
func (c *Client) GetStaticTokens() (types.StaticTokens, error)
GetStaticTokens returns a list of static register tokens
func (*Client) GetTunnelConnections ¶
func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
GetTunnelConnections returns tunnel connections for a given cluster
func (*Client) GetUserLoginAttempts ¶
func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
GetUserLoginAttempts returns user login attempts
func (*Client) GetWebSessionInfo ¶
func (c *Client) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo checks whether a web session is valid and returns it if it is, or an error otherwise.
func (*Client) KeepAliveNode ¶
DELETE IN: 5.1.0
This logic has been moved to KeepAliveServer.
KeepAliveNode updates node keep alive information.
func (*Client) KeepAliveServer ¶
KeepAliveServer not implemented: can only be called locally.
func (*Client) ListWindowsDesktopServices ¶
func (c *Client) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
ListWindowsDesktopServices not implemented: can only be called locally.
func (*Client) ListWindowsDesktops ¶
func (c *Client) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
ListWindowsDesktops not implemented: can only be called locally.
func (*Client) PostForm ¶
func (c *Client) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
PostForm is a generic method that issues http POST request to the server
func (*Client) PostJSON ¶
func (c *Client) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
PostJSON is a generic method that issues http POST request to the server
func (*Client) ProcessKubeCSR ¶
func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.
func (*Client) PutJSON ¶
func (c *Client) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)
PutJSON is a generic method that issues http PUT request to the server
func (*Client) RegisterUsingToken ¶
func (c *Client) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.
func (*Client) ResumeAuditStream ¶
func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
ResumeAuditStream resumes existing audit stream. This is a wrapper on the grpc endpoint and is deprecated. DELETE IN 7.0.0
func (*Client) RotateCertAuthority ¶
func (c *Client) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*Client) RotateExternalCertAuthority ¶
RotateExternalCertAuthority rotates an external certificate authority; this method is used to update only the public keys and certificates of the certificate authorities of trusted clusters.
func (*Client) SearchEvents ¶
func (c *Client) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]apievents.AuditEvent, string, error)
SearchEvents allows searching for audit events with pagination support.
func (*Client) SearchSessionEvents ¶
func (c *Client) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) ([]apievents.AuditEvent, string, error)
SearchSessionEvents returns session related events to find completed sessions.
func (*Client) SetClusterAuditConfig ¶
func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
SetClusterAuditConfig not implemented: can only be called locally.
func (*Client) SetClusterName ¶
func (c *Client) SetClusterName(cn types.ClusterName) error
SetClusterName sets the cluster name once; it returns an Already Exists error if the name is already set.
func (*Client) SetStaticTokens ¶
func (c *Client) SetStaticTokens(st types.StaticTokens) error
SetStaticTokens sets a list of static register tokens
func (*Client) StreamSessionEvents ¶
func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
StreamSessionEvents streams all events from a given session recording. If an error is encountered it is sent on the error channel. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error, to prevent race conditions in downstream select statements.
func (*Client) UpdatePresence ¶
func (*Client) UpdateSession ¶
UpdateSession updates existing session DELETE IN 12.0.0
func (*Client) UpsertAppSession ¶
UpsertAppSession not implemented: can only be called locally.
func (*Client) UpsertAuthServer ¶
UpsertAuthServer is used by auth servers to report their presence to other auth servers in the form of a heartbeat that expires after the ttl period.
func (*Client) UpsertCertAuthority ¶
func (c *Client) UpsertCertAuthority(ca types.CertAuthority) error
UpsertCertAuthority updates or inserts new cert authority
func (*Client) UpsertClusterName ¶
func (c *Client) UpsertClusterName(cn types.ClusterName) error
UpsertClusterName not implemented: can only be called locally.
func (*Client) UpsertNamespace ¶
UpsertNamespace upserts namespace
func (*Client) UpsertProxy ¶
UpsertProxy is used by proxies to report their presence to auth servers in the form of a heartbeat that expires after the ttl period.
func (*Client) UpsertReverseTunnel ¶
func (c *Client) UpsertReverseTunnel(tunnel types.ReverseTunnel) error
UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions
func (*Client) UpsertSnowflakeSession ¶
UpsertSnowflakeSession not implemented: can only be called locally.
func (*Client) UpsertTunnelConnection ¶
func (c *Client) UpsertTunnelConnection(conn types.TunnelConnection) error
UpsertTunnelConnection upserts tunnel connection
func (*Client) UpsertUser ¶
UpsertUser updates a user entry.
func (*Client) ValidateGithubAuthCallback ¶
func (c *Client) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback returned from redirect
func (*Client) ValidateOIDCAuthCallback ¶
func (c *Client) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
func (*Client) ValidateSAMLResponse ¶
func (c *Client) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates response returned by SAML identity provider
func (*Client) ValidateTrustedCluster ¶
func (c *Client) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
type ClientI ¶
// ClientI is a client to Auth service.
//
// It aggregates the narrower service interfaces below and adds the
// auth-specific operations that have no home in any of them. Most of the
// methods that mint credentials (GenerateHostCerts, AuthenticateSSHUser,
// GenerateDatabaseCert, GenerateWindowsDesktopCert) are the security-sensitive
// surface of this interface; the server side is expected to authorize each
// call against the caller's Context.
type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	events.Streamer
	apievents.Emitter
	services.Presence
	services.Access
	services.DynamicAccess
	services.DynamicAccessOracle
	services.Restrictions
	services.Apps
	services.Databases
	services.Kubernetes
	services.WindowsDesktops
	WebService
	services.Status
	session.Service
	services.ClusterConfiguration
	services.SessionTrackerService
	services.ConnectionsDiagnostic
	types.Events
	types.WebSessionsGetter
	types.WebTokensGetter

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(ctx context.Context, req RotateRequest) error

	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successful, main cluster
	// adds remote cluster
	ValidateTrustedCluster(context.Context, *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName(ctx context.Context) (string, error)

	// GetClusterCACert returns the PEM-encoded TLS certs for the local cluster.
	// If the cluster has multiple TLS certs, they will all be concatenated.
	GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

	// GenerateHostCerts generates new host certificates (signed
	// by the host certificate authority) for a node
	GenerateHostCerts(context.Context, *proto.HostCertsRequest) (*proto.Certs, error)

	// AuthenticateWebUser authenticates web user, creates and returns web session
	// in case if authentication is successful
	AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

	// AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH
	// short-lived certificates as a result
	AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if successful.
	// NOTE(review): unlike its siblings this method takes no context, so
	// callers cannot bound or cancel the signing call — confirm whether the
	// implementation applies its own timeout.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

	// Ping gets basic info about the auth server.
	Ping(ctx context.Context) (proto.PingResponse, error)

	// CreateAppSession creates an application web session. Application web
	// sessions represent a browser session the client holds.
	CreateAppSession(context.Context, types.CreateAppSessionRequest) (types.WebSession, error)

	// CreateSnowflakeSession creates a Snowflake web session. Snowflake web
	// sessions represent Database Access Snowflake session the client holds.
	CreateSnowflakeSession(context.Context, types.CreateSnowflakeSessionRequest) (types.WebSession, error)

	// GenerateDatabaseCert generates client certificate used by a database
	// service to authenticate with the database instance.
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

	// GetWebSession queries the existing web session described with req.
	// Implements ReadAccessPoint.
	GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken queries the existing web token described with req.
	// Implements ReadAccessPoint.
	GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

	// ResetAuthPreference resets cluster auth preference to defaults.
	ResetAuthPreference(ctx context.Context) error

	// ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
	ResetClusterNetworkingConfig(ctx context.Context) error

	// ResetSessionRecordingConfig resets session recording configuration to defaults.
	ResetSessionRecordingConfig(ctx context.Context) error

	// GenerateWindowsDesktopCert generates client smartcard certificate used
	// by an RDP client to authenticate with Windows.
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

	// GenerateCertAuthorityCRL generates an empty CRL for a CA.
	// NOTE(review): because the CRL is documented as empty it carries no
	// revocation entries; relying parties should not treat it as a
	// revocation signal — confirm that revocation is enforced elsewhere.
	GenerateCertAuthorityCRL(context.Context, types.CertAuthType) ([]byte, error)

	// GetInventoryStatus gets basic status info about instance inventory.
	GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)

	// PingInventory attempts to trigger a downstream ping against a connected instance.
	PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)

	// SubmitUsageEvent submits an external usage event.
	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
}
ClientI is a client to Auth service
func NewAdminAuthServer ¶
func NewAdminAuthServer(authServer *Server, sessions session.Service, alog events.IAuditLog) (ClientI, error)
NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access
func WithGithubConnectorConversions ¶
WithGithubConnectorConversions takes a ClientI and returns one that ensures returned or passed types.GithubConnector interfaces use the registered implementation for the following methods:
- ClientI.GetGithubConnector
- ClientI.GetGithubConnectors
- ClientI.UpsertGithubConnector
This function is necessary so that the github.com/gravitational/teleport/api module does not import github.com/gravitational/teleport/lib/services.
type Context ¶
// Context is authorization context.
//
// It is the per-caller view the auth server consults when deciding what a
// request may do. Identity is the role-mapped identity and, together with
// Checker, is the input to access decisions; UnmappedIdentity preserves the
// caller's original identity for cases where the pre-mapping data is needed.
type Context struct {
	// User is the username
	User types.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity holds the caller identity:
	// 1. If caller is a user
	//   a. local user identity
	//   b. remote user identity remapped to local identity based on trusted
	//      cluster role mapping.
	// 2. If caller is a teleport instance, Identity holds their identity as-is
	//    (because there's no role mapping for non-human roles)
	Identity IdentityGetter
	// UnmappedIdentity holds the original caller identity. If this is a remote
	// user, UnmappedIdentity holds the data before role mapping. Otherwise,
	// it's identical to Identity.
	// NOTE(review): for remote users UnmappedIdentity reflects roles granted
	// by the remote cluster, not this one; authorization should key off
	// Identity/Checker and use UnmappedIdentity for audit and diagnostics — confirm with callers.
	UnmappedIdentity IdentityGetter
}
Context is authorization context
func NewAdminContext ¶
NewAdminContext returns new admin auth context
func NewBuiltinRoleContext ¶
func NewBuiltinRoleContext(role types.SystemRole) (*Context, error)
NewBuiltinRoleContext creates an auth context for the provided builtin role.
func (*Context) LockTargets ¶
func (c *Context) LockTargets() []types.LockTarget
LockTargets returns a list of LockTargets inferred from the context's Identity and UnmappedIdentity.
func (*Context) MFAParams ¶
func (c *Context) MFAParams(authPrefMFARequirement types.RequireMFAType) services.AccessMFAParams
MFAParams returns MFA params for the given auth context and auth preference MFA requirement.
func (*Context) UseExtraRoles ¶
func (c *Context) UseExtraRoles(access services.RoleGetter, clusterName string, roles []string) error
UseExtraRoles extends the roles of the Checker on the current Context with the given extra roles.
type CreateUserTokenRequest ¶
// CreateUserTokenRequest is a request to create a new user token.
//
// Validation and defaulting of the fields below is performed by
// CheckAndSetDefaults; callers should invoke it before acting on the request.
type CreateUserTokenRequest struct {
	// Name is the user name for token.
	Name string `json:"name"`
	// TTL specifies how long the generated token is valid for.
	// NOTE(review): the upper bound (if any) on TTL is not visible here —
	// confirm it is enforced in CheckAndSetDefaults.
	TTL time.Duration `json:"ttl"`
	// Type is the token type.
	Type string `json:"type"`
}
CreateUserTokenRequest is a request to create a new user token.
func (*CreateUserTokenRequest) CheckAndSetDefaults ¶
func (r *CreateUserTokenRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets the defaults.
type DatabaseAccessPoint ¶
// DatabaseAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by a teleport.ComponentDatabase.
//
// The rendered declaration omits unexported methods; the full method set is
// only visible in the package source.
type DatabaseAccessPoint interface {
	// ReadDatabaseAccessPoint provides methods to read data
	ReadDatabaseAccessPoint
	// contains filtered or unexported methods
}
DatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.
func NewDatabaseWrapper ¶
func NewDatabaseWrapper(base DatabaseAccessPoint, cache ReadDatabaseAccessPoint) DatabaseAccessPoint
type DatabaseTestCertRequest ¶
// DatabaseTestCertRequest combines parameters for generating test database
// access certificate.
type DatabaseTestCertRequest struct {
	// PublicKey is the public key to sign.
	// NOTE(review): only the public half is expected here; the private key
	// should never be sent to the auth server — confirm callers honour this.
	PublicKey []byte
	// Cluster is the Teleport cluster name.
	Cluster string
	// Username is the Teleport username.
	Username string
	// RouteToDatabase contains database routing information.
	RouteToDatabase tlsca.RouteToDatabase
}
DatabaseTestCertRequest combines parameters for generating test database access certificate.
type DatabaseWrapper ¶
// DatabaseWrapper composes a cached read-only access point with an uncached
// DatabaseAccessPoint. Reads are served by the embedded
// ReadDatabaseAccessPoint; NoCache exposes the underlying access point for
// operations that must bypass the cache.
type DatabaseWrapper struct {
	ReadDatabaseAccessPoint
	// NoCache is the underlying access point that is not fronted by the cache.
	NoCache DatabaseAccessPoint
	// contains filtered or unexported fields
}
func (*DatabaseWrapper) Close ¶
func (w *DatabaseWrapper) Close() error
Close closes all associated resources
type DiscoveryAccessPoint ¶
// DiscoveryAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by a teleport.ComponentDiscovery.
//
// Besides reads it grants the discovery component write access to
// kubernetes cluster resources; the rendered declaration omits unexported
// methods.
type DiscoveryAccessPoint interface {
	// ReadDiscoveryAccessPoint provides methods to read data
	ReadDiscoveryAccessPoint
	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// UpdateKubernetesCluster updates existing kubernetes cluster resource.
	UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// DeleteKubernetesCluster deletes specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// contains filtered or unexported methods
}
DiscoveryAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDiscovery.
func NewDiscoveryWrapper ¶
func NewDiscoveryWrapper(base DiscoveryAccessPoint, cache ReadDiscoveryAccessPoint) DiscoveryAccessPoint
type DiscoveryWrapper ¶
// DiscoveryWrapper composes a cached read-only access point with an uncached
// DiscoveryAccessPoint. Reads are served by the embedded
// ReadDiscoveryAccessPoint; the kubernetes cluster write methods are
// forwarded to NoCache.
type DiscoveryWrapper struct {
	ReadDiscoveryAccessPoint
	// NoCache is the underlying access point that is not fronted by the cache.
	NoCache DiscoveryAccessPoint
	// contains filtered or unexported fields
}
func (*DiscoveryWrapper) Close ¶
func (w *DiscoveryWrapper) Close() error
Close closes all associated resources
func (*DiscoveryWrapper) CreateKubernetesCluster ¶
func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*DiscoveryWrapper) DeleteKubernetesCluster ¶
func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error
DeleteKubernetesCluster deletes specified kubernetes cluster resource.
func (*DiscoveryWrapper) UpdateKubernetesCluster ¶
func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
UpdateKubernetesCluster updates existing kubernetes cluster resource.
type ForwardedClientMetadata ¶
// ForwardedClientMetadata can be used by the proxy web API to forward
// information about the client to the auth service for logging purposes.
//
// NOTE(review): both fields describe the end client as observed (or relayed)
// by the proxy, so they are not authenticated by the auth service itself;
// treat them as informational in audit output rather than as an
// authorization input — confirm against the proxy-side code that fills them.
type ForwardedClientMetadata struct {
	// UserAgent is the client's user agent string as seen by the proxy.
	UserAgent string `json:"user_agent,omitempty"`
	// RemoteAddr is the client's remote address as seen by the proxy.
	RemoteAddr string `json:"remote_addr,omitempty"`
}
ForwardedClientMetadata can be used by the proxy web API to forward information about the client to the auth service for logging purposes.
type GRPCServer ¶
// GRPCServer is the gRPC Auth Server API.
//
// It embeds a logger entry and the APIConfig it was built from, and exposes
// the trace collector service so spans can be accepted and forwarded.
type GRPCServer struct {
	*logrus.Entry
	APIConfig
	// TraceServiceServer exposes the exporter server so that the auth server may
	// collect and forward spans
	collectortracepb.TraceServiceServer
	// contains filtered or unexported fields
}
GRPCServer is the gRPC Auth Server API.
func NewGRPCServer ¶
func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error)
NewGRPCServer returns a new instance of GRPC server
func (*GRPCServer) AcquireSemaphore ¶
func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
AcquireSemaphore acquires lease with requested resources from semaphore.
func (*GRPCServer) AddMFADevice ¶
func (g *GRPCServer) AddMFADevice(stream proto.AuthService_AddMFADeviceServer) error
func (*GRPCServer) AddMFADeviceSync ¶
func (g *GRPCServer) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.
func (*GRPCServer) AppendDiagnosticTrace ¶
func (g *GRPCServer) AppendDiagnosticTrace(ctx context.Context, in *proto.AppendDiagnosticTraceRequest) (*types.ConnectionDiagnosticV1, error)
AppendDiagnosticTrace updates a connection diagnostic
func (*GRPCServer) CancelSemaphoreLease ¶
func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
CancelSemaphoreLease cancels semaphore lease early.
func (*GRPCServer) ChangeUserAuthentication ¶
func (g *GRPCServer) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.
func (*GRPCServer) CompleteAccountRecovery ¶
func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)
CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.
func (*GRPCServer) CreateAccessRequest ¶
func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)
func (*GRPCServer) CreateAccountRecoveryCodes ¶
func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.
func (*GRPCServer) CreateAppSession ¶
func (g *GRPCServer) CreateAppSession(ctx context.Context, req *proto.CreateAppSessionRequest) (*proto.CreateAppSessionResponse, error)
CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.
func (*GRPCServer) CreateAuditStream ¶
func (g *GRPCServer) CreateAuditStream(stream proto.AuthService_CreateAuditStreamServer) error
CreateAuditStream creates or resumes audit event stream
func (*GRPCServer) CreateAuthenticateChallenge ¶
func (g *GRPCServer) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.
func (*GRPCServer) CreateBot ¶
func (g *GRPCServer) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
CreateBot creates a new bot and an optional join token.
func (*GRPCServer) CreateConnectionDiagnostic ¶
func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
CreateConnectionDiagnostic creates a connection diagnostic
func (*GRPCServer) CreateDatabase ¶
func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
CreateDatabase creates a new database resource.
func (*GRPCServer) CreateGithubAuthRequest ¶
func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)
CreateGithubAuthRequest creates GithubAuthRequest.
func (*GRPCServer) CreateKubernetesCluster ¶
func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*GRPCServer) CreateOIDCAuthRequest ¶
func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
CreateOIDCAuthRequest creates OIDCAuthRequest
func (*GRPCServer) CreatePrivilegeToken ¶
func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.
func (*GRPCServer) CreateRegisterChallenge ¶
func (g *GRPCServer) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.
func (*GRPCServer) CreateResetPasswordToken ¶
func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)
func (*GRPCServer) CreateSAMLAuthRequest ¶
func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
CreateSAMLAuthRequest creates SAMLAuthRequest.
func (*GRPCServer) CreateSessionTracker ¶
func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *proto.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*GRPCServer) CreateSnowflakeSession ¶
func (g *GRPCServer) CreateSnowflakeSession(ctx context.Context, req *proto.CreateSnowflakeSessionRequest) (*proto.CreateSnowflakeSessionResponse, error)
func (*GRPCServer) CreateToken ¶
func (g *GRPCServer) CreateToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)
CreateToken creates a token.
func (*GRPCServer) CreateUser ¶
CreateUser inserts a new user entry in a backend.
func (*GRPCServer) CreateWindowsDesktop ¶
func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
CreateWindowsDesktop registers a new Windows desktop host.
func (*GRPCServer) DeleteAccessRequest ¶
func (*GRPCServer) DeleteAllAppSessions ¶
func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllAppSessions removes all application web sessions.
func (*GRPCServer) DeleteAllApplicationServers ¶
func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *proto.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)
DeleteAllApplicationServers deletes all registered application servers.
func (*GRPCServer) DeleteAllApps ¶
DeleteAllApps removes all application resources.
func (*GRPCServer) DeleteAllDatabaseServers ¶
func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *proto.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)
DeleteAllDatabaseServers removes all registered database proxy servers.
func (*GRPCServer) DeleteAllDatabases ¶
func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllDatabases removes all databases.
func (*GRPCServer) DeleteAllInstallers ¶
func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllInstallers deletes all the installers.
func (*GRPCServer) DeleteAllKubeServices ¶
func (g *GRPCServer) DeleteAllKubeServices(ctx context.Context, req *proto.DeleteAllKubeServicesRequest) (*emptypb.Empty, error)
DeleteAllKubeServices removes all kubernetes services.
func (*GRPCServer) DeleteAllKubernetesClusters ¶
func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllKubernetesClusters removes all kubernetes clusters.
func (*GRPCServer) DeleteAllKubernetesServers ¶
func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *proto.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)
DeleteAllKubernetesServers deletes all registered kubernetes servers.
func (*GRPCServer) DeleteAllNodes ¶
func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)
DeleteAllNodes deletes all nodes in a given namespace.
func (*GRPCServer) DeleteAllSnowflakeSessions ¶
func (*GRPCServer) DeleteAllWebSessions ¶
func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWebSessions removes all web sessions.
func (*GRPCServer) DeleteAllWebTokens ¶
func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWebTokens removes all web tokens.
func (*GRPCServer) DeleteAllWindowsDesktopServices ¶
func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWindowsDesktopServices removes all registered Windows desktop services.
func (*GRPCServer) DeleteAllWindowsDesktops ¶
func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteAllWindowsDesktops removes all registered Windows desktop hosts.
func (*GRPCServer) DeleteApp ¶
func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteApp removes the specified application resource.
func (*GRPCServer) DeleteAppSession ¶
func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *proto.DeleteAppSessionRequest) (*emptypb.Empty, error)
DeleteAppSession removes an application web session.
func (*GRPCServer) DeleteApplicationServer ¶
func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *proto.DeleteApplicationServerRequest) (*emptypb.Empty, error)
DeleteApplicationServer deletes an application server.
func (*GRPCServer) DeleteBot ¶
func (g *GRPCServer) DeleteBot(ctx context.Context, req *proto.DeleteBotRequest) (*emptypb.Empty, error)
DeleteBot removes a bot and its associated resources.
func (*GRPCServer) DeleteDatabase ¶
func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteDatabase removes the specified database.
func (*GRPCServer) DeleteDatabaseServer ¶
func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *proto.DeleteDatabaseServerRequest) (*emptypb.Empty, error)
DeleteDatabaseServer removes the specified database proxy server.
func (*GRPCServer) DeleteGithubConnector ¶
func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteGithubConnector deletes a Github connector by name.
func (*GRPCServer) DeleteInstaller ¶
func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteInstaller sets the installer script resource to its default
func (*GRPCServer) DeleteKubeService ¶
func (g *GRPCServer) DeleteKubeService(ctx context.Context, req *proto.DeleteKubeServiceRequest) (*emptypb.Empty, error)
DeleteKubeService removes a kubernetes service.
func (*GRPCServer) DeleteKubernetesCluster ¶
func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteKubernetesCluster removes the specified kubernetes cluster.
func (*GRPCServer) DeleteKubernetesServer ¶
func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *proto.DeleteKubernetesServerRequest) (*emptypb.Empty, error)
DeleteKubernetesServer deletes a kubernetes server.
func (*GRPCServer) DeleteLock ¶
func (g *GRPCServer) DeleteLock(ctx context.Context, req *proto.DeleteLockRequest) (*emptypb.Empty, error)
DeleteLock deletes a lock.
func (*GRPCServer) DeleteMFADevice ¶
func (g *GRPCServer) DeleteMFADevice(stream proto.AuthService_DeleteMFADeviceServer) error
func (*GRPCServer) DeleteMFADeviceSync ¶
func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)
DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.
func (*GRPCServer) DeleteNetworkRestrictions ¶
func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
DeleteNetworkRestrictions deletes the network restrictions.
func (*GRPCServer) DeleteNode ¶
func (g *GRPCServer) DeleteNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*emptypb.Empty, error)
DeleteNode deletes a node by name.
func (*GRPCServer) DeleteOIDCConnector ¶
func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteOIDCConnector deletes an OIDC connector by name.
func (*GRPCServer) DeleteRole ¶
func (g *GRPCServer) DeleteRole(ctx context.Context, req *proto.DeleteRoleRequest) (*emptypb.Empty, error)
DeleteRole deletes a role by name.
func (*GRPCServer) DeleteSAMLConnector ¶
func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteSAMLConnector deletes a SAML connector by name.
func (*GRPCServer) DeleteSemaphore ¶
func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)
DeleteSemaphore deletes a semaphore matching the supplied filter.
func (*GRPCServer) DeleteSnowflakeSession ¶
func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *proto.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)
func (*GRPCServer) DeleteToken ¶
func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteToken deletes a token by name.
func (*GRPCServer) DeleteTrustedCluster ¶
func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)
DeleteTrustedCluster deletes a Trusted Cluster by name.
func (*GRPCServer) DeleteUser ¶
func (g *GRPCServer) DeleteUser(ctx context.Context, req *proto.DeleteUserRequest) (*emptypb.Empty, error)
DeleteUser deletes an existing user in the backend by username.
func (*GRPCServer) DeleteUserAppSessions ¶
func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)
DeleteUserAppSessions removes all of a user's application web sessions.
func (*GRPCServer) DeleteWebSession ¶
func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)
DeleteWebSession removes the web session given with req.
func (*GRPCServer) DeleteWebToken ¶
func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)
DeleteWebToken removes the web token given with req.
func (*GRPCServer) DeleteWindowsDesktop ¶
func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *proto.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)
DeleteWindowsDesktop removes the specified windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.
func (*GRPCServer) DeleteWindowsDesktopService ¶
func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *proto.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)
DeleteWindowsDesktopService removes the specified Windows desktop service.
func (*GRPCServer) EmitAuditEvent ¶
func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)
EmitAuditEvent emits an audit event.
func (*GRPCServer) Export ¶
func (g *GRPCServer) Export(ctx context.Context, req *collectortracepb.ExportTraceServiceRequest) (*collectortracepb.ExportTraceServiceResponse, error)
Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.
func (*GRPCServer) GenerateAppToken ¶
func (g *GRPCServer) GenerateAppToken(ctx context.Context, req *proto.GenerateAppTokenRequest) (*proto.GenerateAppTokenResponse, error)
GenerateAppToken creates a JWT token with application access.
func (*GRPCServer) GenerateCertAuthorityCRL ¶
func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *proto.CertAuthorityRequest) (*proto.CRL, error)
GenerateCertAuthorityCRL returns a CRL for a CA.
func (*GRPCServer) GenerateDatabaseCert ¶
func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.
func (*GRPCServer) GenerateHostCerts ¶
func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
func (*GRPCServer) GenerateSnowflakeJWT ¶
func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates JWT in the format required by Snowflake.
func (*GRPCServer) GenerateToken ¶
func (g *GRPCServer) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (*proto.GenerateTokenResponse, error)
GenerateToken generates a new auth token.
func (*GRPCServer) GenerateUserCerts ¶
func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *proto.UserCertsRequest) (*proto.Certs, error)
func (*GRPCServer) GenerateUserSingleUseCerts ¶
func (g *GRPCServer) GenerateUserSingleUseCerts(stream proto.AuthService_GenerateUserSingleUseCertsServer) error
func (*GRPCServer) GenerateWindowsDesktopCert ¶
func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.
func (*GRPCServer) GetAccessCapabilities ¶
func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*GRPCServer) GetAccessRequests ¶
func (g *GRPCServer) GetAccessRequests(ctx context.Context, f *types.AccessRequestFilter) (*proto.AccessRequests, error)
DEPRECATED, DELETE IN 11.0.0: Use GetAccessRequestsV2 instead.
func (*GRPCServer) GetAccessRequestsV2 ¶
func (g *GRPCServer) GetAccessRequestsV2(f *types.AccessRequestFilter, stream proto.AuthService_GetAccessRequestsV2Server) error
func (*GRPCServer) GetAccountRecoveryCodes ¶
func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.
func (*GRPCServer) GetAccountRecoveryToken ¶
func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)
GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.
func (*GRPCServer) GetActiveSessionTrackers ¶
func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream proto.AuthService_GetActiveSessionTrackersServer) error
GetActiveSessionTrackers returns a list of active session trackers.
func (*GRPCServer) GetActiveSessionTrackersWithFilter ¶
func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, stream proto.AuthService_GetActiveSessionTrackersWithFilterServer) error
GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
func (*GRPCServer) GetApp ¶
func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)
GetApp returns the specified application resource.
func (*GRPCServer) GetAppSession ¶
func (g *GRPCServer) GetAppSession(ctx context.Context, req *proto.GetAppSessionRequest) (*proto.GetAppSessionResponse, error)
GetAppSession gets an application web session.
func (*GRPCServer) GetAppSessions ¶
func (g *GRPCServer) GetAppSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetAppSessionsResponse, error)
GetAppSessions gets all application web sessions.
func (*GRPCServer) GetAuthPreference ¶
func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)
GetAuthPreference gets cluster auth preference.
func (*GRPCServer) GetBotUsers ¶
func (g *GRPCServer) GetBotUsers(_ *proto.GetBotUsersRequest, stream proto.AuthService_GetBotUsersServer) error
GetBotUsers lists all users with a bot label.
func (*GRPCServer) GetClusterAlerts ¶
func (g *GRPCServer) GetClusterAlerts(ctx context.Context, query *types.GetClusterAlertsRequest) (*proto.GetClusterAlertsResponse, error)
func (*GRPCServer) GetClusterAuditConfig ¶
func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*GRPCServer) GetClusterCACert ¶
func (g *GRPCServer) GetClusterCACert( ctx context.Context, req *emptypb.Empty, ) (*proto.GetClusterCACertResponse, error)
GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be appended.
func (*GRPCServer) GetClusterNetworkingConfig ¶
func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*GRPCServer) GetConnectionDiagnostic ¶
func (g *GRPCServer) GetConnectionDiagnostic(ctx context.Context, req *proto.GetConnectionDiagnosticRequest) (*types.ConnectionDiagnosticV1, error)
GetConnectionDiagnostic reads a connection diagnostic.
func (*GRPCServer) GetCurrentUser ¶
func (*GRPCServer) GetCurrentUserRoles ¶
func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream proto.AuthService_GetCurrentUserRolesServer) error
func (*GRPCServer) GetDatabase ¶
func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)
GetDatabase returns the specified database resource.
func (*GRPCServer) GetDatabases ¶
func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)
GetDatabases returns all database resources.
func (*GRPCServer) GetDomainName ¶
func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*proto.GetDomainNameResponse, error)
GetDomainName returns local auth domain of the current auth server.
func (*GRPCServer) GetEvents ¶
func (g *GRPCServer) GetEvents(ctx context.Context, req *proto.GetEventsRequest) (*proto.Events, error)
GetEvents searches for events on the backend and sends them back in a response.
func (*GRPCServer) GetGithubAuthRequest ¶
func (g *GRPCServer) GetGithubAuthRequest(ctx context.Context, req *proto.GetGithubAuthRequestRequest) (*types.GithubAuthRequest, error)
GetGithubAuthRequest gets a GithubAuthRequest by id.
func (*GRPCServer) GetGithubConnector ¶
func (g *GRPCServer) GetGithubConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.GithubConnectorV3, error)
GetGithubConnector retrieves a Github connector by name.
func (*GRPCServer) GetGithubConnectors ¶
func (g *GRPCServer) GetGithubConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.GithubConnectorV3List, error)
GetGithubConnectors retrieves all Github connectors.
func (*GRPCServer) GetInstaller ¶
func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)
GetInstaller retrieves the installer script resource.
func (*GRPCServer) GetInstallers ¶
func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)
GetInstallers returns all installer script resources registered in the cluster.
func (*GRPCServer) GetInventoryStatus ¶
func (g *GRPCServer) GetInventoryStatus(ctx context.Context, req *proto.InventoryStatusRequest) (*proto.InventoryStatusSummary, error)
func (*GRPCServer) GetKubernetesCluster ¶
func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)
GetKubernetesCluster returns the specified kubernetes cluster resource.
func (*GRPCServer) GetKubernetesClusters ¶
func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)
GetKubernetesClusters returns all kubernetes cluster resources.
func (*GRPCServer) GetLock ¶
func (g *GRPCServer) GetLock(ctx context.Context, req *proto.GetLockRequest) (*types.LockV2, error)
GetLock retrieves a lock by name.
func (*GRPCServer) GetLocks ¶
func (g *GRPCServer) GetLocks(ctx context.Context, req *proto.GetLocksRequest) (*proto.GetLocksResponse, error)
GetLocks gets all/in-force locks that match at least one of the targets when specified.
func (*GRPCServer) GetMFADevices ¶
func (g *GRPCServer) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
func (*GRPCServer) GetNetworkRestrictions ¶
func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)
GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).
func (*GRPCServer) GetNode ¶
func (g *GRPCServer) GetNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*types.ServerV2, error)
GetNode retrieves a node by name and namespace.
func (*GRPCServer) GetOIDCAuthRequest ¶
func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *proto.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)
GetOIDCAuthRequest gets an OIDC AuthnRequest.
func (*GRPCServer) GetOIDCConnector ¶
func (g *GRPCServer) GetOIDCConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.OIDCConnectorV3, error)
GetOIDCConnector retrieves an OIDC connector by name.
func (*GRPCServer) GetOIDCConnectors ¶
func (g *GRPCServer) GetOIDCConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.OIDCConnectorV3List, error)
GetOIDCConnectors retrieves all OIDC connectors.
func (*GRPCServer) GetPluginData ¶
func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*proto.PluginDataSeq, error)
GetPluginData loads all plugin data matching the supplied filter.
func (*GRPCServer) GetResetPasswordToken ¶
func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *proto.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)
func (*GRPCServer) GetRole ¶
func (g *GRPCServer) GetRole(ctx context.Context, req *proto.GetRoleRequest) (*types.RoleV5, error)
GetRole retrieves a role by name.
func (*GRPCServer) GetRoles ¶
func (g *GRPCServer) GetRoles(ctx context.Context, _ *emptypb.Empty) (*proto.GetRolesResponse, error)
GetRoles retrieves all roles.
func (*GRPCServer) GetSAMLAuthRequest ¶
func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *proto.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)
GetSAMLAuthRequest gets a SAMLAuthRequest by id.
func (*GRPCServer) GetSAMLConnector ¶
func (g *GRPCServer) GetSAMLConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.SAMLConnectorV2, error)
GetSAMLConnector retrieves a SAML connector by name.
func (*GRPCServer) GetSAMLConnectors ¶
func (g *GRPCServer) GetSAMLConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.SAMLConnectorV2List, error)
GetSAMLConnectors retrieves all SAML connectors.
func (*GRPCServer) GetSSODiagnosticInfo ¶
func (g *GRPCServer) GetSSODiagnosticInfo(ctx context.Context, req *proto.GetSSODiagnosticInfoRequest) (*types.SSODiagnosticInfo, error)
GetSSODiagnosticInfo gets a SSO diagnostic info for a specific SSO auth request.
func (*GRPCServer) GetSemaphores ¶
func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*proto.Semaphores, error)
GetSemaphores returns a list of all semaphores matching the supplied filter.
func (*GRPCServer) GetServer ¶
func (g *GRPCServer) GetServer() (*grpc.Server, error)
GetServer returns an instance of the gRPC server.
func (*GRPCServer) GetSessionEvents ¶
func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *proto.GetSessionEventsRequest) (*proto.Events, error)
GetSessionEvents searches for session events on the backend and sends them back in a response.
func (*GRPCServer) GetSessionRecordingConfig ¶
func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)
GetSessionRecordingConfig gets session recording configuration.
func (*GRPCServer) GetSessionTracker ¶
func (g *GRPCServer) GetSessionTracker(ctx context.Context, req *proto.GetSessionTrackerRequest) (*types.SessionTrackerV1, error)
GetSessionTracker returns the current state of a session tracker for an active session.
func (*GRPCServer) GetSnowflakeSession ¶
func (g *GRPCServer) GetSnowflakeSession(ctx context.Context, req *proto.GetSnowflakeSessionRequest) (*proto.GetSnowflakeSessionResponse, error)
func (*GRPCServer) GetSnowflakeSessions ¶
func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*proto.GetSnowflakeSessionsResponse, error)
func (*GRPCServer) GetToken ¶
func (g *GRPCServer) GetToken(ctx context.Context, req *types.ResourceRequest) (*types.ProvisionTokenV2, error)
GetToken retrieves a token by name.
func (*GRPCServer) GetTokens ¶
func (g *GRPCServer) GetTokens(ctx context.Context, _ *emptypb.Empty) (*types.ProvisionTokenV2List, error)
GetTokens retrieves all tokens.
func (*GRPCServer) GetTrustedCluster ¶
func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)
GetTrustedCluster retrieves a Trusted Cluster by name.
func (*GRPCServer) GetTrustedClusters ¶
func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)
GetTrustedClusters retrieves all Trusted Clusters.
func (*GRPCServer) GetUser ¶
func (g *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*types.UserV2, error)
func (*GRPCServer) GetUsers ¶
func (g *GRPCServer) GetUsers(req *proto.GetUsersRequest, stream proto.AuthService_GetUsersServer) error
func (*GRPCServer) GetWebSession ¶
func (g *GRPCServer) GetWebSession(ctx context.Context, req *types.GetWebSessionRequest) (*proto.GetWebSessionResponse, error)
GetWebSession gets a web session.
func (*GRPCServer) GetWebSessions ¶
func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebSessionsResponse, error)
GetWebSessions gets all web sessions.
func (*GRPCServer) GetWebToken ¶
func (g *GRPCServer) GetWebToken(ctx context.Context, req *types.GetWebTokenRequest) (*proto.GetWebTokenResponse, error)
GetWebToken gets a web token.
func (*GRPCServer) GetWebTokens ¶
func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebTokensResponse, error)
GetWebTokens gets all web tokens.
func (*GRPCServer) GetWindowsDesktopService ¶
func (g *GRPCServer) GetWindowsDesktopService(ctx context.Context, req *proto.GetWindowsDesktopServiceRequest) (*proto.GetWindowsDesktopServiceResponse, error)
GetWindowsDesktopService returns a registered Windows desktop service by name.
func (*GRPCServer) GetWindowsDesktopServices ¶
func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*proto.GetWindowsDesktopServicesResponse, error)
GetWindowsDesktopServices returns all registered Windows desktop services.
func (*GRPCServer) GetWindowsDesktops ¶
func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, filter *types.WindowsDesktopFilter) (*proto.GetWindowsDesktopsResponse, error)
GetWindowsDesktops returns all registered Windows desktop hosts.
func (*GRPCServer) InventoryControlStream ¶
func (g *GRPCServer) InventoryControlStream(stream proto.AuthService_InventoryControlStreamServer) error
func (*GRPCServer) IsMFARequired ¶
func (g *GRPCServer) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
func (*GRPCServer) KeepAliveSemaphoreLease ¶
func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)
KeepAliveSemaphoreLease updates semaphore lease.
func (*GRPCServer) ListResources ¶
func (g *GRPCServer) ListResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error)
ListResources retrieves a paginated list of resources.
func (*GRPCServer) MaintainSessionPresence ¶
func (g *GRPCServer) MaintainSessionPresence(stream proto.AuthService_MaintainSessionPresenceServer) error
MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
func (*GRPCServer) Ping ¶
func (g *GRPCServer) Ping(ctx context.Context, req *proto.PingRequest) (*proto.PingResponse, error)
func (*GRPCServer) PingInventory ¶
func (g *GRPCServer) PingInventory(ctx context.Context, req *proto.InventoryPingRequest) (*proto.InventoryPingResponse, error)
func (*GRPCServer) RemoveSessionTracker ¶
func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *proto.RemoveSessionTrackerRequest) (*emptypb.Empty, error)
RemoveSessionTracker removes a tracker resource for an active session.
func (*GRPCServer) ReplaceRemoteLocks ¶
func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *proto.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)
ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
func (*GRPCServer) ResetAuthPreference ¶
func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetAuthPreference resets cluster auth preference to defaults.
func (*GRPCServer) ResetClusterNetworkingConfig ¶
func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
func (*GRPCServer) ResetSessionRecordingConfig ¶
func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)
ResetSessionRecordingConfig resets session recording configuration to defaults.
func (*GRPCServer) SendKeepAlives ¶
func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error
SendKeepAlives allows a node to send a stream of keep-alive requests.
func (*GRPCServer) SetAccessRequestState ¶
func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *proto.RequestStateSetter) (*emptypb.Empty, error)
func (*GRPCServer) SetAuthPreference ¶
func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)
SetAuthPreference sets cluster auth preference.
func (*GRPCServer) SetClusterNetworkingConfig ¶
func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)
SetClusterNetworkingConfig sets cluster networking configuration.
func (*GRPCServer) SetInstaller ¶
func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)
SetInstaller sets the installer script resource.
func (*GRPCServer) SetNetworkRestrictions ¶
func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)
SetNetworkRestrictions updates the network restrictions.
func (*GRPCServer) SetSessionRecordingConfig ¶
func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)
SetSessionRecordingConfig sets session recording configuration.
func (*GRPCServer) SignDatabaseCSR ¶
func (g *GRPCServer) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.
func (*GRPCServer) StartAccountRecovery ¶
func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (*types.UserTokenV3, error)
StartAccountRecovery is implemented by AuthService.StartAccountRecovery.
func (*GRPCServer) StreamSessionEvents ¶
func (g *GRPCServer) StreamSessionEvents(req *proto.StreamSessionEventsRequest, stream proto.AuthService_StreamSessionEventsServer) error
StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
func (*GRPCServer) SubmitAccessReview ¶
func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)
func (*GRPCServer) SubmitUsageEvent ¶
func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) (*emptypb.Empty, error)
SubmitUsageEvent submits an external usage event.
func (*GRPCServer) UnstableAssertSystemRole ¶
func (g *GRPCServer) UnstableAssertSystemRole(ctx context.Context, req *proto.UnstableSystemRoleAssertion) (*emptypb.Empty, error)
DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)
func (*GRPCServer) UpdateConnectionDiagnostic ¶
func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)
UpdateConnectionDiagnostic updates a connection diagnostic.
func (*GRPCServer) UpdateDatabase ¶
func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)
UpdateDatabase updates existing database resource.
func (*GRPCServer) UpdateKubernetesCluster ¶
func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)
UpdateKubernetesCluster updates existing kubernetes cluster resource.
func (*GRPCServer) UpdatePluginData ¶
func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)
UpdatePluginData updates a per-resource PluginData entry.
func (*GRPCServer) UpdateRemoteCluster ¶
func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)
UpdateRemoteCluster updates a remote cluster.
func (*GRPCServer) UpdateSessionTracker ¶
func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) (*emptypb.Empty, error)
UpdateSessionTracker updates a tracker resource for an active session.
func (*GRPCServer) UpdateUser ¶
UpdateUser updates an existing user in a backend.
func (*GRPCServer) UpdateWindowsDesktop ¶
func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
UpdateWindowsDesktop updates an existing Windows desktop host.
func (*GRPCServer) UpsertApplicationServer ¶
func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *proto.UpsertApplicationServerRequest) (*types.KeepAlive, error)
UpsertApplicationServer registers an application server.
func (*GRPCServer) UpsertClusterAlert ¶
func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *proto.UpsertClusterAlertRequest) (*emptypb.Empty, error)
func (*GRPCServer) UpsertDatabaseServer ¶
func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *proto.UpsertDatabaseServerRequest) (*types.KeepAlive, error)
UpsertDatabaseServer registers a new database proxy server.
func (*GRPCServer) UpsertGithubConnector ¶
func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)
UpsertGithubConnector upserts a Github connector.
func (*GRPCServer) UpsertKubeService ¶
func (g *GRPCServer) UpsertKubeService(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*emptypb.Empty, error)
UpsertKubeService adds a kubernetes service.
func (*GRPCServer) UpsertKubeServiceV2 ¶
func (g *GRPCServer) UpsertKubeServiceV2(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*types.KeepAlive, error)
UpsertKubeServiceV2 adds a kubernetes service.
func (*GRPCServer) UpsertKubernetesServer ¶
func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *proto.UpsertKubernetesServerRequest) (*types.KeepAlive, error)
UpsertKubernetesServer registers a kubernetes server.
func (*GRPCServer) UpsertLock ¶
UpsertLock upserts a lock.
func (*GRPCServer) UpsertNode ¶
func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)
UpsertNode upserts a node.
func (*GRPCServer) UpsertOIDCConnector ¶
func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)
UpsertOIDCConnector upserts an OIDC connector.
func (*GRPCServer) UpsertRole ¶
UpsertRole upserts a role.
func (*GRPCServer) UpsertSAMLConnector ¶
func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)
UpsertSAMLConnector upserts a SAML connector.
func (*GRPCServer) UpsertToken ¶
func (g *GRPCServer) UpsertToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)
UpsertToken upserts a token.
func (*GRPCServer) UpsertTrustedCluster ¶
func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)
UpsertTrustedCluster upserts a Trusted Cluster.
func (*GRPCServer) UpsertWindowsDesktop ¶
func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)
UpsertWindowsDesktop updates a Windows desktop host, creating it if it doesn't exist.
func (*GRPCServer) UpsertWindowsDesktopService ¶
func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)
UpsertWindowsDesktopService registers a new Windows desktop service.
func (*GRPCServer) VerifyAccountRecovery ¶
func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)
VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.
func (*GRPCServer) WatchEvents ¶
func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error
WatchEvents returns a new stream of cluster events.
type GRPCServerConfig ¶
// GRPCServerConfig specifies GRPC server configuration.
// See CheckAndSetDefaults for validation and default values.
type GRPCServerConfig struct {
	// APIConfig is the embedded GRPC server API configuration.
	APIConfig
	// TLS is the GRPC server's TLS configuration.
	TLS *tls.Config
	// UnaryInterceptor intercepts individual GRPC requests
	// for authentication and rate limiting.
	UnaryInterceptor grpc.UnaryServerInterceptor
	// StreamInterceptor intercepts GRPC streams
	// for authentication and rate limiting.
	StreamInterceptor grpc.StreamServerInterceptor
}
GRPCServerConfig specifies GRPC server configuration.
func (*GRPCServerConfig) CheckAndSetDefaults ¶
func (cfg *GRPCServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks the configuration and sets default values.
type GithubAuthRequest ¶
// GithubAuthRequest is a GitHub auth request that supports standard JSON marshaling.
type GithubAuthRequest struct {
	// ConnectorID is the name of the connector to use.
	ConnectorID string `json:"connector_id"`
	// CSRFToken is used to protect against CSRF attacks.
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key to sign in case of successful auth.
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates that a user wants to generate a web session
	// after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is the URL where client will be redirected after
	// successful auth.
	// NOTE(review): as a request field this is client-supplied; confirm the
	// callback handler validates it before issuing the redirect.
	ClientRedirectURL string `json:"client_redirect_url"`
}
GithubAuthRequest is a GitHub auth request that supports standard JSON marshaling.
func GithubAuthRequestFromProto ¶
func GithubAuthRequestFromProto(req *types.GithubAuthRequest) GithubAuthRequest
GithubAuthRequestFromProto converts the types.GithubAuthRequest to GithubAuthRequest.
type GithubAuthResponse ¶
// GithubAuthResponse represents the GitHub auth callback validation response.
// Session, Cert and TLSCert carry issued credentials and should be treated as secrets.
type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session types.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}
GithubAuthResponse represents the GitHub auth callback validation response.
type GithubConverter ¶
// GithubConverter is a thin wrapper around the ClientI interface that ensures
// GitHub auth connectors use the registered implementation.
type GithubConverter struct {
	// ClientI is the embedded client; every method GithubConverter does not
	// override itself is promoted from it unchanged.
	ClientI
}
GithubConverter is a thin wrapper around the ClientI interface that ensures GitHub auth connectors use the registered implementation.
func (*GithubConverter) GetGithubConnector ¶
func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)
func (*GithubConverter) GetGithubConnectors ¶
func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
func (*GithubConverter) UpsertGithubConnector ¶
func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
type HTTPClient ¶
HTTPClient is a teleport HTTP API client.
func NewHTTPClient ¶
func NewHTTPClient(cfg client.Config, tls *tls.Config, params ...roundtrip.ClientParam) (*HTTPClient, error)
NewHTTPClient creates a new HTTP client with TLS authentication and the given dialer.
func (*HTTPClient) Close ¶
func (c *HTTPClient) Close()
Close closes the HTTP client connection to the auth server.
func (*HTTPClient) GetTransport ¶
func (c *HTTPClient) GetTransport() *http.Transport
GetTransport returns the HTTP client's transport.
func (*HTTPClient) TLSConfig ¶
func (c *HTTPClient) TLSConfig() *tls.Config
TLSConfig returns the HTTP client's TLS config.
type HandlerWithAuthFunc ¶
type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)
HandlerWithAuthFunc is http handler with passed auth context
type HostCredentials ¶
type HostCredentials func(context.Context, string, bool, types.RegisterUsingTokenRequest) (*proto.Certs, error)
HostCredentials is a function type for a client that can be used to get host credentials. This type is needed because lib/client cannot be imported in lib/auth due to circular imports.
type Identity ¶
// Identity is a collection of certificates and signers that represent a server identity.
type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key (secret material; keep it out of logs)
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertsBytes is a list of PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// XCert is X509 client certificate
	XCert *x509.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}
Identity is a collection of certificates and signers that represent a server identity.
func GenerateIdentity ¶
func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
GenerateIdentity generates identity for the auth server
func LocalRegister ¶
func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, remoteAddr string, systemRoles []types.SystemRole) (*Identity, error)
LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.
func NewServerIdentity ¶
NewServerIdentity generates new server identity, used in tests
func ReRegister ¶
func ReRegister(params ReRegisterParams) (*Identity, error)
ReRegister renews the certificates and private keys based on the client's existing identity.
func ReadIdentityFromKeyPair ¶
ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.
func ReadLocalIdentity ¶
func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
ReadLocalIdentity reads, parses and returns the given public/private key and certificate from the key storage (dataDir).
func ReadSSHIdentityFromKeyPair ¶
ReadSSHIdentityFromKeyPair reads identity from initialized keypair
func ReadTLSIdentityFromKeyPair ¶
func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
ReadTLSIdentityFromKeyPair reads TLS identity from key pair
func (*Identity) HasDNSNames ¶
HasDNSNames returns true if the TLS certificate has the required DNS names.
func (*Identity) HasPrincipals ¶
HasPrincipals returns whether identity has principals
func (*Identity) HasTLSConfig ¶
HasTLSConfig returns true if this identity has TLS certificate and private key.
func (*Identity) SSHClientConfig ¶
func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)
SSHClientConfig returns a ssh.ClientConfig used by nodes to connect to the reverse tunnel server.
type IdentityGetter ¶
// IdentityGetter returns the unmapped client identity.
//
// Unmapped means that if the client is a remote cluster user, the returned
// tlsca.Identity contains data from the remote cluster before role mapping
// is applied.
type IdentityGetter interface {
	// GetIdentity returns x509-derived identity of the user
	GetIdentity() tlsca.Identity
}
IdentityGetter returns the unmapped client identity.
Unmapped means that if the client is a remote cluster user, the returned tlsca.Identity contains data from the remote cluster before role mapping is applied.
type IdentityID ¶
// IdentityID is a combination of role, host UUID, and node name.
type IdentityID struct {
	// Role is the system role of the identity
	Role types.SystemRole
	// HostUUID is the host UUID of the identity
	HostUUID string
	// NodeName is the node name of the identity
	NodeName string
}
IdentityID is a combination of role, host UUID, and node name.
func (*IdentityID) Equals ¶
func (id *IdentityID) Equals(other IdentityID) bool
Equals returns true if two identities are equal
func (*IdentityID) HostID ¶
func (id *IdentityID) HostID() string
HostID returns the host ID part of the host UUID (the host UUID also includes the cluster name).
func (*IdentityID) String ¶
func (id *IdentityID) String() string
String returns debug friendly representation of this identity
type IdentityService ¶
// IdentityService manages identities and users.
type IdentityService interface {
	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
	// GetOIDCConnectors gets OIDC connectors list
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(ctx context.Context, connectorID string) error
	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
	// GetSAMLConnectors gets SAML connectors list
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(ctx context.Context, connectorID string) error
	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, authRequestID string) (*types.SAMLAuthRequest, error)
	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(ctx context.Context, id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
	// GetGithubAuthRequest returns Github auth request if found
	GetGithubAuthRequest(ctx context.Context, id string) (*types.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
	// GetUser returns user by name
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetCurrentUser returns current user as seen by the server.
	// Useful especially in the context of remote clusters which perform role and trait mapping.
	GetCurrentUser(ctx context.Context) (types.User, error)
	// GetCurrentUserRoles returns current user's roles.
	GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)
	// CreateUser inserts a new entry in a backend.
	CreateUser(ctx context.Context, user types.User) error
	// UpdateUser updates an existing user in a backend.
	UpdateUser(ctx context.Context, user types.User) error
	// UpsertUser updates or inserts a user entry
	UpsertUser(user types.User) error
	// CompareAndSwapUser updates an existing user in a backend, but fails if
	// the user in the backend does not match the expected value.
	CompareAndSwapUser(ctx context.Context, new, expected types.User) error
	// DeleteUser deletes an existing user in a backend by username.
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of usernames registered in the system
	GetUsers(withSecrets bool) ([]types.User, error)
	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error
	// CheckPassword checks if the supplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error
	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)
	// GenerateHostCert takes the public key in the Open SSH `authorized_keys`
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)
	// GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain
	// text format, signs it using User Certificate Authority signing key and
	// returns the resulting certificates.
	GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
	// GenerateUserSingleUseCerts is like GenerateUserCerts but issues a
	// certificate for a single session
	// (https://github.com/gravitational/teleport/blob/3a1cf9111c2698aede2056513337f32bfc16f1f1/rfd/0014-session-2FA.md#sessions).
	GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)
	// IsMFARequired is a request to check whether MFA is required to
	// access the Target.
	IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
	// DeleteAllUsers deletes all users
	DeleteAllUsers() error
	// CreateResetPasswordToken creates a new user reset token
	CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
	// CreateBot creates a new certificate renewal bot and associated resources.
	CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
	// DeleteBot removes a certificate renewal bot and associated resources.
	DeleteBot(ctx context.Context, botName string) error
	// GetBotUsers gets all bot users.
	GetBotUsers(ctx context.Context) ([]types.User, error)
	// ChangeUserAuthentication allows a user with a reset or invite token to change their password and if enabled also adds a new mfa device.
	// Upon success, creates new web session and creates new set of recovery codes (if user meets requirements).
	ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
	// GetResetPasswordToken returns a reset password token.
	GetResetPasswordToken(ctx context.Context, username string) (types.UserToken, error)
	// GetMFADevices fetches all MFA devices registered for the calling user.
	GetMFADevices(ctx context.Context, in *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
	// AddMFADevice adds a new MFA device for the calling user.
	AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
	// DeleteMFADevice deletes a MFA device for the calling user.
	DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
	// AddMFADeviceSync adds a new MFA device (nonstream).
	AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
	// DeleteMFADeviceSync deletes a users MFA device (nonstream).
	DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
	// CreateAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.
	CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
	// CreateRegisterChallenge creates and returns MFA register challenge for a new MFA device.
	CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
	// MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
	MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)
	// StartAccountRecovery creates a recovery start token for a user who successfully verified their username and their recovery code.
	// This token is used as part of a URL that will be emailed to the user (not done in this request).
	// Represents step 1 of the account recovery process.
	StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
	// VerifyAccountRecovery creates a recovery approved token after successful verification of users password or second factor
	// (authn depending on what user needed to recover). This token will allow users to perform protected actions while not logged in.
	// Represents step 2 of the account recovery process after RPC StartAccountRecovery.
	VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
	// CompleteAccountRecovery sets a new password or adds a new mfa device,
	// allowing user to regain access to their account using the new credentials.
	// Represents the last step in the account recovery process after RPC's StartAccountRecovery and VerifyAccountRecovery.
	CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
	// CreateAccountRecoveryCodes creates new set of recovery codes for a user, replacing and invalidating any previously owned codes.
	CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
	// GetAccountRecoveryToken returns a user token resource after verifying the token in
	// request is not expired and is of the correct recovery type.
	GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
	// GetAccountRecoveryCodes returns the user in context their recovery codes resource without any secrets.
	GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
	// CreatePrivilegeToken creates a privilege token for the logged in user who has successfully re-authenticated with their second factor.
	// A privilege token allows users to perform privileged action eg: add/delete their MFA device.
	CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
}
IdentityService manages identities and users
type IdentitySpecV2 ¶
// IdentitySpecV2 specifies credentials used by local process.
type IdentitySpecV2 struct {
	// Key is a PEM encoded private key (secret material; keep it out of logs).
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACerts is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}
IdentitySpecV2 specifies credentials used by local process.
type IdentityV2 ¶
// IdentityV2 specifies local host identity.
type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}
IdentityV2 specifies local host identity.
func (*IdentityV2) CheckAndSetDefaults ¶
func (s *IdentityV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults values.
type InitConfig ¶
// InitConfig is the auth server init config.
type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend
	// Authority is key generator that we use
	Authority sshca.Authority
	// KeyStoreConfig is the config for the KeyStore which handles private CA
	// keys that may be held in an HSM.
	KeyStoreConfig keystore.Config
	// HostUUID is a UUID of this host
	HostUUID string
	// NodeName is the DNS name of the node
	NodeName string
	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName types.ClusterName
	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []types.CertAuthority
	// Resources is a list of previously backed-up resources used to
	// bootstrap backend on first start.
	Resources []types.Resource
	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string
	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string
	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []types.ReverseTunnel
	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// statically supplied in configuration, so the auth server will init them on the first start
	OIDCConnectors []types.OIDCConnector
	// Trust is the services.Trust service.
	// NOTE(review): the original comment duplicated Identity's description
	// ("manages users and credentials"); confirm the intended wording against services.Trust.
	Trust services.Trust
	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence
	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner
	// Identity is a service that manages users and credentials
	Identity services.Identity
	// Access is service controlling access to resources
	Access services.Access
	// DynamicAccessExt is a service that manages dynamic RBAC.
	DynamicAccessExt services.DynamicAccessExt
	// Events is an event service
	Events types.Events
	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration
	// Restrictions is a service to access network restrictions, etc
	Restrictions services.Restrictions
	// Apps is a service that manages application resources.
	Apps services.Apps
	// Databases is a service that manages database resources.
	Databases services.Databases
	// Status is a service that manages cluster status info.
	Status services.StatusInternal
	// Roles is a set of roles to create
	Roles []types.Role
	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens types.StaticTokens
	// AuthPreference defines the authentication type (local, oidc) and second
	// factor passed in from a configuration file.
	AuthPreference types.AuthPreference
	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog
	// ClusterAuditConfig holds cluster audit configuration.
	ClusterAuditConfig types.ClusterAuditConfig
	// ClusterNetworkingConfig holds cluster networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// SessionRecordingConfig holds session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig
	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodic operations.
	SkipPeriodicOperations bool
	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16
	// Emitter is events emitter, used to submit discrete events
	Emitter apievents.Emitter
	// Streamer is events sessionstreamer, used to create continuous
	// session related streams
	Streamer events.Streamer
	// WindowsDesktops is a service that manages Windows desktop resources.
	WindowsDesktops services.WindowsDesktops
	// SessionTrackerService is a service that manages trackers for all active sessions.
	SessionTrackerService services.SessionTrackerService
	// Enforcer is used to enforce Teleport Enterprise license compliance.
	Enforcer services.Enforcer
	// ConnectionsDiagnostic is a service that manages Connection Diagnostics resources.
	ConnectionsDiagnostic services.ConnectionsDiagnostic
	// LoadAllCAs tells tsh to load the host CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool
	// TraceClient is used to forward spans to the upstream telemetry collector
	TraceClient otlptrace.Client
	// Kubernetes is a service that manages kubernetes cluster resources.
	Kubernetes services.Kubernetes
	// AssertionReplayService is a service that mitigates SSO assertion replay.
	*local.AssertionReplayService
	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool
	// UsageReporter is a service that forwards cluster usage events.
	UsageReporter services.UsageReporter
}
InitConfig is the auth server init config.
type KubeCSR ¶
// KubeCSR is a kubernetes CSR request.
type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}
KubeCSR is a kubernetes CSR request
func (*KubeCSR) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults
type KubeCSRResponse ¶
// KubeCSRResponse is a response to kubernetes CSR request.
type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}
KubeCSRResponse is a response to kubernetes CSR request
type KubernetesAccessPoint ¶
// KubernetesAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by a teleport.ComponentKube.
type KubernetesAccessPoint interface {
	// ReadKubernetesAccessPoint provides methods to read data
	ReadKubernetesAccessPoint
	// contains filtered or unexported methods
}
KubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.
func NewKubernetesWrapper ¶
func NewKubernetesWrapper(base KubernetesAccessPoint, cache ReadKubernetesAccessPoint) KubernetesAccessPoint
type KubernetesWrapper ¶
// KubernetesWrapper combines a read access point with an uncached base access point.
type KubernetesWrapper struct {
	// ReadKubernetesAccessPoint provides the read methods of the wrapper.
	ReadKubernetesAccessPoint
	// NoCache is the KubernetesAccessPoint that bypasses the cache — presumably
	// the base passed to NewKubernetesWrapper; confirm against the constructor.
	NoCache KubernetesAccessPoint
	// contains filtered or unexported fields
}
func (*KubernetesWrapper) Close ¶
func (w *KubernetesWrapper) Close() error
Close closes all associated resources
type LocalUser ¶
// LocalUser is a local user.
type LocalUser struct {
	// Username is local username
	Username string
	// Identity is x509-derived identity used to build this user
	Identity tlsca.Identity
}
LocalUser is a local user
func (LocalUser) GetIdentity ¶
GetIdentity returns client identity
type Metrics ¶
// Metrics handles optional metrics for TLSServerConfig.
type Metrics struct {
	// GRPCServerLatency presumably enables the gRPC server latency metric;
	// TODO confirm against the TLS server setup code.
	GRPCServerLatency bool
}
Metrics handles optional metrics for TLSServerConfig
type Middleware ¶
// Middleware is authentication middleware checking every request.
type Middleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessCache
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage,
	// if set, will accept certificates with non-limited usage,
	// and usage exactly matching the specified values.
	AcceptedUsage []string
	// Limiter is a rate and connection limiter
	Limiter *limiter.Limiter
	// GRPCMetrics is the configured grpc metrics for the interceptors
	GRPCMetrics *om.ServerMetrics
}
Middleware is authentication middleware checking every request
func (*Middleware) GetUser ¶
func (a *Middleware) GetUser(connState tls.ConnectionState) (IdentityGetter, error)
GetUser returns authenticated user based on request metadata set by HTTP server
func (*Middleware) ServeHTTP ¶
func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP serves HTTP requests
func (*Middleware) StreamInterceptor ¶
func (a *Middleware) StreamInterceptor() grpc.StreamServerInterceptor
StreamInterceptor returns a gRPC stream interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.
func (*Middleware) UnaryInterceptor ¶
func (a *Middleware) UnaryInterceptor() grpc.UnaryServerInterceptor
UnaryInterceptor returns a gRPC unary interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.
func (*Middleware) WrapContextWithUser ¶
func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)
WrapContextWithUser enriches the provided context with the identity information extracted from the provided TLS connection.
type NewRemoteProxyCachingAccessPoint ¶
type NewRemoteProxyCachingAccessPoint func(clt ClientI, cacheName []string) (RemoteProxyAccessPoint, error)
NewRemoteProxyCachingAccessPoint returns a new caching access point using the access point policy.
type NodeAccessPoint ¶
// NodeAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by teleport.ComponentNode.
type NodeAccessPoint interface {
	// ReadNodeAccessPoint provides methods to read data
	ReadNodeAccessPoint
	// contains filtered or unexported methods
}
NodeAccessPoint is an API interface implemented by a certificate authority (CA) to be used by teleport.ComponentNode.
func NewNodeWrapper ¶
func NewNodeWrapper(base NodeAccessPoint, cache ReadNodeAccessPoint) NodeAccessPoint
type NodeWrapper ¶
// NodeWrapper combines a read access point with an uncached base access point.
type NodeWrapper struct {
	// ReadNodeAccessPoint provides the read methods of the wrapper.
	ReadNodeAccessPoint
	// NoCache is the NodeAccessPoint that bypasses the cache — presumably
	// the base passed to NewNodeWrapper; confirm against the constructor.
	NoCache NodeAccessPoint
	// contains filtered or unexported fields
}
func (*NodeWrapper) Close ¶
func (w *NodeWrapper) Close() error
Close closes all associated resources
type OIDCAuthRequest ¶
// OIDCAuthRequest is an OIDC auth request that supports standard json marshaling.
type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`
	// CSRFToken is associated with user web session token
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication
	// NOTE(review): as a request field this is client-supplied; confirm the
	// callback handler validates it before issuing the redirect.
	ClientRedirectURL string `json:"client_redirect_url"`
}
OIDCAuthRequest is an OIDC auth request that supports standard json marshaling.
func OIDCAuthRequestFromProto ¶
func OIDCAuthRequestFromProto(req *types.OIDCAuthRequest) OIDCAuthRequest
OIDCAuthRequestFromProto converts the types.OIDCAuthRequest to OIDCAuthRequest.
type OIDCAuthResponse ¶
// OIDCAuthResponse is returned when the auth server has validated the callback
// parameters returned from the OIDC provider. Session, Cert and TLSCert carry
// issued credentials and should be treated as secrets.
type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the web session generated by the auth server if requested in OIDCAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}
OIDCAuthResponse is returned when the auth server has validated the callback parameters returned from the OIDC provider.
type OTPCreds ¶
// OTPCreds is a set of two-factor authentication credentials.
// Both fields are secrets and must not be logged.
type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}
OTPCreds is a set of two-factor authentication credentials.
type PassCreds ¶
// PassCreds is a password credential.
type PassCreds struct {
	// Password is a user password (secret; must not be logged)
	Password []byte `json:"password"`
}
PassCreds is a password credential
type PolicyOptions ¶
// PolicyOptions is a set of settings for the session determined by the
// matched require policy.
type PolicyOptions struct {
	// TerminateOnLeave presumably requests that the session be terminated
	// when a required participant leaves; TODO confirm against the
	// require-policy evaluation code.
	TerminateOnLeave bool
}
PolicyOptions is a set of settings for the session determined by the matched require policy.
type ProcessStorage ¶
// ProcessStorage is a backend for local process state. It helps manage
// rotation for certificate authorities and keeps local process
// credentials: x509 and SSH certs and keys.
type ProcessStorage struct {
	// BackendStorage is the SQLite backend used for operations unrelated
	// to storing/reading identities and states.
	BackendStorage backend.Backend
	// contains filtered or unexported fields
}
ProcessStorage is a backend for local process state. It helps manage rotation for certificate authorities and keeps local process credentials: x509 and SSH certs and keys.
func NewProcessStorage ¶
func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)
NewProcessStorage returns a new instance of the process storage.
func (*ProcessStorage) Close ¶
func (p *ProcessStorage) Close() error
Close closes all resources used by process storage backend.
func (*ProcessStorage) CreateState ¶
func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error
CreateState creates process state if it does not exist yet.
func (*ProcessStorage) GetState ¶
func (p *ProcessStorage) GetState(role types.SystemRole) (*StateV2, error)
GetState reads rotation state from disk.
func (*ProcessStorage) ReadIdentity ¶
func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)
ReadIdentity reads identity using identity name and role.
func (*ProcessStorage) WriteIdentity ¶
func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
WriteIdentity writes identity to the backend.
func (*ProcessStorage) WriteState ¶
func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error
WriteState writes local cluster state to the backend.
type ProvisioningService ¶
// ProvisioningService is the service in control of adding new nodes, auth
// servers and proxies to the cluster.
//
// NOTE(review): the token strings handled here are join secrets; treat
// them as sensitive in logs and error messages.
type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users.
	GetTokens(ctx context.Context) (tokens []types.ProvisionToken, err error)
	// GetToken returns the provisioning token identified by token.
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
	// DeleteToken deletes a given provisioning token on the auth server (CA).
	// It could be a reset password token or a machine token.
	DeleteToken(ctx context.Context, token string) error
	// DeleteAllTokens deletes all provisioning tokens.
	DeleteAllTokens() error
	// UpsertToken adds provisioning tokens for the auth server.
	UpsertToken(ctx context.Context, token types.ProvisionToken) error
	// CreateToken creates a new provision token for the auth server.
	CreateToken(ctx context.Context, token types.ProvisionToken) error
	// RegisterUsingToken calls the auth service API to register a new node
	// via a registration token which has been previously issued via
	// GenerateToken.
	RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
}
ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster
type ProxyAccessPoint ¶
// ProxyAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by a teleport.ComponentProxy.
type ProxyAccessPoint interface {
	// ReadProxyAccessPoint provides methods to read data.
	ReadProxyAccessPoint
	// contains filtered or unexported methods
}
ProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
func NewProxyWrapper ¶
func NewProxyWrapper(base ProxyAccessPoint, cache ReadProxyAccessPoint) ProxyAccessPoint
type ProxyWrapper ¶
// ProxyWrapper pairs a read-only access point with an uncached
// ProxyAccessPoint. Given NewProxyWrapper(base, cache), the embedded
// ReadProxyAccessPoint is presumably the cache and NoCache the base —
// confirm against the constructor.
type ProxyWrapper struct {
	ReadProxyAccessPoint
	// NoCache is the access point consulted without going through the cache.
	NoCache ProxyAccessPoint
	// contains filtered or unexported fields
}
func (*ProxyWrapper) Close ¶
func (w *ProxyWrapper) Close() error
Close closes all associated resources
type ReRegisterParams ¶
// ReRegisterParams specifies parameters for re-registering in the cluster
// (rotating certificates for existing members).
type ReRegisterParams struct {
	// Client is an authenticated client using the old credentials.
	Client ClientI
	// ID is the identity ID.
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial.
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to the x509 client certificate.
	DNSNames []string
	// PrivateKey is a PEM-encoded private key. It is not passed to auth
	// servers; only the public keys below are sent for signing.
	PrivateKey []byte
	// PublicTLSKey is the server's public key to sign.
	PublicTLSKey []byte
	// PublicSSHKey is the server's public SSH key to sign.
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority.
	Rotation types.Rotation
	// SystemRoles is a set of additional system roles held by the instance.
	SystemRoles []types.SystemRole
	// UnstableSystemRoleAssertionID is used by older instances to
	// requisition a multi-role cert by individually proving which system
	// roles are held.
	UnstableSystemRoleAssertionID string
}
ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)
type ReadAppsAccessPoint ¶
// ReadAppsAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentApp.
//
// NOTE: This interface must match the resources replicated in cache.ForApps.
type ReadAppsAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetProxies returns a list of proxy servers registered in the cluster.
	GetProxies() ([]types.Server, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}
ReadAppsAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.
NOTE: This interface must match the resources replicated in cache.ForApps.
type ReadDatabaseAccessPoint ¶
// ReadDatabaseAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentDatabase.
//
// NOTE: This interface must match the resources replicated in cache.ForDatabases.
type ReadDatabaseAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetProxies returns a list of proxy servers registered in the cluster.
	GetProxies() ([]types.Server, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}
ReadDatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.
NOTE: This interface must match the resources replicated in cache.ForDatabases.
type ReadDiscoveryAccessPoint ¶
// ReadDiscoveryAccessPoint is a read-only API interface to be used by a
// teleport.ComponentDiscovery.
//
// NOTE: This interface must match the resources replicated in cache.ForDiscovery.
type ReadDiscoveryAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetKubernetesCluster returns a kubernetes cluster resource identified by name.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
}
ReadDiscoveryAccessPoint is a read only API interface to be used by a teleport.ComponentDiscovery.
NOTE: This interface must match the resources replicated in cache.ForDiscovery.
type ReadKubernetesAccessPoint ¶
// ReadKubernetesAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentKube.
//
// NOTE: This interface must match the resources replicated in cache.ForKubernetes.
type ReadKubernetesAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetKubeServices returns a list of kubernetes services registered in the cluster.
	// DELETE IN 13.0.
	//
	// Deprecated: use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)
	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}
ReadKubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.
NOTE: This interface must match the resources replicated in cache.ForKubernetes.
type ReadNodeAccessPoint ¶
// ReadNodeAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentNode.
//
// NOTE: This interface must match the resources replicated in cache.ForNode.
type ReadNodeAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetNetworkRestrictions returns the networking restrictions for the
	// restricted shell to enforce.
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
}
ReadNodeAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentNode.
NOTE: This interface must match the resources replicated in cache.ForNode.
type ReadProxyAccessPoint ¶
// ReadProxyAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentProxy.
//
// NOTE: This interface must match the resources replicated in cache.ForProxy.
type ReadProxyAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)
	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetProxies returns a list of proxy servers registered in the cluster.
	GetProxies() ([]types.Server, error)
	// GetAuthServers returns a list of auth servers registered in the cluster.
	GetAuthServers() ([]types.Server, error)
	// GetReverseTunnels returns a list of reverse tunnels.
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
	// GetAllTunnelConnections returns all tunnel connections.
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetTunnelConnections returns tunnel connections for a given cluster.
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
	// GetNetworkRestrictions returns the networking restrictions for the
	// restricted shell to enforce.
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// GetWebSession gets a web session for the given request.
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)
	// GetWebToken gets a web token for the given request.
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)
	// GetRemoteClusters returns a list of remote clusters.
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
	// GetRemoteCluster returns a remote cluster by name.
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
	// GetKubeServices returns a list of kubernetes services registered in the cluster.
	// DELETE IN 13.0.
	//
	// Deprecated: use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)
	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)
	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
	// GetWindowsDesktops returns windows desktop hosts matching filter.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	// GetWindowsDesktopServices returns windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a windows desktop service by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}
ReadProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
NOTE: This interface must match the resources replicated in cache.ForProxy.
type ReadRemoteProxyAccessPoint ¶
// ReadRemoteProxyAccessPoint is a read-only API interface implemented by a
// certificate authority (CA) to be used by a teleport.ComponentProxy.
//
// NOTE: This interface must match the resources replicated in cache.ForRemoteProxy.
type ReadRemoteProxyAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)
	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetProxies returns a list of proxy servers registered in the cluster.
	GetProxies() ([]types.Server, error)
	// GetAuthServers returns a list of auth servers registered in the cluster.
	GetAuthServers() ([]types.Server, error)
	// GetReverseTunnels returns a list of reverse tunnels.
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
	// GetAllTunnelConnections returns all tunnel connections.
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetTunnelConnections returns tunnel connections for a given cluster.
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
	// GetRemoteClusters returns a list of remote clusters.
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
	// GetRemoteCluster returns a remote cluster by name.
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
	// GetKubeServices returns a list of kubernetes services registered in the cluster.
	// DELETE IN 13.0.
	//
	// Deprecated: use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)
	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)
	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
}
ReadRemoteProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
NOTE: This interface must match the resources replicated in cache.ForRemoteProxy.
type ReadWindowsDesktopAccessPoint ¶
// ReadWindowsDesktopAccessPoint is a read-only API interface implemented by
// a certificate authority (CA) to be used by a
// teleport.ComponentWindowsDesktop.
//
// NOTE: This interface must match the resources replicated in cache.ForWindowsDesktop.
type ReadWindowsDesktopAccessPoint interface {
	// Closer closes all the resources.
	io.Closer
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetCertAuthority returns the cert authority identified by id.
	// loadKeys presumably requests private key material in addition to the
	// public keys — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
	// GetClusterAuditConfig returns the cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
	// GetClusterNetworkingConfig returns the cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
	// GetSessionRecordingConfig returns the session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)
	// GetRole returns the role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// GetNamespaces returns a list of namespaces.
	GetNamespaces() ([]types.Namespace, error)
	// GetNamespace returns the namespace by name.
	GetNamespace(name string) (*types.Namespace, error)
	// GetWindowsDesktops returns windows desktop hosts matching filter.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	// GetWindowsDesktopServices returns windows desktop services.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a windows desktop service by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
}
ReadWindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.
NOTE: This interface must match the resources replicated in cache.ForWindowsDesktop.
type RegisterParams ¶
// RegisterParams specifies parameters for the first-time register operation
// with the auth server.
type RegisterParams struct {
	// Token is a secure token to join the cluster. It is a join secret;
	// keep it out of logs and error messages.
	Token string
	// ID is the identity ID.
	ID IdentityID
	// AuthServers is a list of auth servers to dial.
	AuthServers []utils.NetAddr
	// ProxyServer is a proxy server to dial.
	ProxyServer utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial.
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to the x509 certificate.
	DNSNames []string
	// PublicTLSKey is the server's public key to sign.
	PublicTLSKey []byte
	// PublicSSHKey is the server's public SSH key to sign.
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for the TLS client
	// connection.
	CipherSuites []uint16
	// CAPins are the SPKI hashes of the CAs used to verify the auth server.
	CAPins []string
	// CAPath is the path to the CA file.
	CAPath string
	// GetHostCredentials is a client that can fetch host credentials.
	GetHostCredentials HostCredentials
	// Clock specifies the time provider. It will be used to override the
	// time anchor for TLS certificate verification. Defaults to the real
	// clock if unspecified.
	Clock clockwork.Clock
	// JoinMethod is the joining method used for this register request.
	JoinMethod types.JoinMethod
	// CircuitBreakerConfig defines how the circuit breaker should behave.
	CircuitBreakerConfig breaker.Config
	// FIPS means a FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool
	// IDToken is a token retrieved from a workload identity provider for
	// certain join types, e.g. GitHub, Google.
	IDToken string
	// Expires is an optional field for bots that specifies a time at which
	// the certificates returned by registering should expire. It should not
	// be specified for non-bot registrations.
	Expires *time.Time
	// contains filtered or unexported fields
}
RegisterParams specifies parameters for the first-time register operation with the auth server.
type RemoteBuiltinRole ¶
// RemoteBuiltinRole is the role of the remote (service connecting via a
// trusted cluster link) Teleport service.
type RemoteBuiltinRole struct {
	// Role is the builtin role of the user.
	Role types.SystemRole
	// Username is for authentication tracking purposes.
	Username string
	// ClusterName is the name of the remote cluster.
	ClusterName string
	// Identity is the source x509 identity used to build this role.
	Identity tlsca.Identity
}
RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.
func (RemoteBuiltinRole) GetIdentity ¶
func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity
GetIdentity returns client identity
type RemoteProxyAccessPoint ¶
// RemoteProxyAccessPoint is an API interface implemented by a certificate
// authority (CA) to be used by a teleport.ComponentProxy.
type RemoteProxyAccessPoint interface {
	// ReadRemoteProxyAccessPoint provides methods to read data.
	ReadRemoteProxyAccessPoint
	// contains filtered or unexported methods
}
RemoteProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.
func NewRemoteProxyWrapper ¶
func NewRemoteProxyWrapper(base RemoteProxyAccessPoint, cache ReadRemoteProxyAccessPoint) RemoteProxyAccessPoint
type RemoteProxyWrapper ¶
// RemoteProxyWrapper pairs a read-only access point with an uncached
// RemoteProxyAccessPoint. Given NewRemoteProxyWrapper(base, cache), the
// embedded ReadRemoteProxyAccessPoint is presumably the cache and NoCache
// the base — confirm against the constructor.
type RemoteProxyWrapper struct {
	ReadRemoteProxyAccessPoint
	// NoCache is the access point consulted without going through the cache.
	NoCache RemoteProxyAccessPoint
	// contains filtered or unexported fields
}
func (*RemoteProxyWrapper) Close ¶
func (w *RemoteProxyWrapper) Close() error
Close closes all associated resources
type RemoteUser ¶
// RemoteUser defines encoded remote user.
type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`
	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`
	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`
	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`
	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`
	// KubernetesUsers is a list of Kubernetes users
	KubernetesUsers []string `json:"kubernetes_users"`
	// DatabaseNames is a list of database names a user can connect to.
	DatabaseNames []string `json:"database_names"`
	// DatabaseUsers is a list of database users a user can connect as.
	DatabaseUsers []string `json:"database_users"`
	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}
RemoteUser defines an encoded remote user.
func (RemoteUser) GetIdentity ¶
func (r RemoteUser) GetIdentity() tlsca.Identity
GetIdentity returns client identity
type RotateRequest ¶
// RotateRequest is a request to start rotation of the certificate authority.
type RotateRequest struct {
	// Type is a certificate authority type, if omitted, both user and host CA
	// will be rotated.
	Type types.CertAuthType `json:"type"`
	// GracePeriod is used to generate cert rotation schedule that defines
	// times at which different rotation phases will be applied by the auth server
	// in auto mode. It is not used in manual rotation mode.
	// If omitted, default value is set, if 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period,
	// all existing users and hosts will have to re-login and re-added
	// into the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets desired rotation phase to move to, if not set
	// will be set automatically, it is a required argument
	// for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule,
	// autogenerated based on GracePeriod parameter if not set.
	Schedule *types.RotationSchedule `json:"schedule"`
}
RotateRequest is a request to start rotation of the certificate authority.
func (*RotateRequest) CheckAndSetDefaults ¶
func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error
CheckAndSetDefaults checks and sets default values.
func (*RotateRequest) Types ¶
func (r *RotateRequest) Types() []types.CertAuthType
Types returns cert authority types requested to be rotated.
type SAMLAuthRequest ¶
// SAMLAuthRequest is a SAML auth request that supports standard json
// marshaling.
type SAMLAuthRequest struct {
	// ID is a unique request ID.
	ID string `json:"id"`
	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth.
	PublicKey []byte `json:"public_key"`
	// CSRFToken is associated with user web session token.
	CSRFToken string `json:"csrf_token"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication.
	ClientRedirectURL string `json:"client_redirect_url"`
}
SAMLAuthRequest is a SAML auth request that supports standard json marshaling.
func SAMLAuthRequestFromProto ¶
func SAMLAuthRequestFromProto(req *types.SAMLAuthRequest) SAMLAuthRequest
SAMLAuthRequestFromProto converts a types.SAMLAuthRequest to a SAMLAuthRequest.
type SAMLAuthResponse ¶
// SAMLAuthResponse is returned when auth server validated callback parameters
// returned from SAML identity provider.
type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is a web session generated by the auth server if requested in
	// SAMLAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}
SAMLAuthResponse is returned when the auth server has validated the callback parameters returned by the SAML identity provider.
type SSHLoginResponse ¶
// SSHLoginResponse is a response returned by web proxy, it preserves
// backwards compatibility on the wire, which is the primary reason for
// non-matching json tags.
type SSHLoginResponse struct {
	// Username contains the logged-in user's name
	Username string `json:"username"`
	// Cert is a PEM encoded signed certificate
	Cert []byte `json:"cert"`
	// TLSCert is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}
SSHLoginResponse is a response returned by the web proxy. It preserves backwards compatibility on the wire, which is the primary reason its field names and JSON tags do not match.
type Server ¶
// Server keeps the cluster together. It acts as a certificate authority (CA)
// for a cluster and:
//   - generates the keypair for the node it's running on
//   - invites other SSH nodes to a cluster, by issuing invite tokens
//   - adds other SSH nodes to a cluster, by checking their token and signing
//     their keys
//   - same for users and their sessions
//   - checks public keys to see if they're signed by it (can be trusted or not)
type Server struct {
	sshca.Authority
	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string
	// ServerID is the server ID of this auth server.
	ServerID string
	// Services encapsulate services - provisioner, trust, etc. used by the auth
	// server in a separate structure. Reads through Services hit the backend.
	*Services
	// Cache should either be the same as Services, or a caching layer over it.
	// As it's an interface (and thus directly implementing all of its methods)
	// its embedding takes priority over Services (which only indirectly
	// implements its methods), thus any implemented GetFoo method on both Cache
	// and Services will call the one from Cache. To bypass the cache, call the
	// method on Services instead.
	Cache
	// contains filtered or unexported fields
}
Server keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:
- generates the keypair for the node it's running on
- invites other SSH nodes to a cluster, by issuing invite tokens
- adds other SSH nodes to a cluster, by checking their token and signing their keys
- same for users and their sessions
- checks public keys to see if they're signed by it (can be trusted or not)
func Init ¶
func Init(cfg InitConfig, opts ...ServerOption) (*Server, error)
Init instantiates and configures an instance of AuthServer
func NewServer ¶
func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error)
NewServer creates and configures a new Server instance
func (*Server) AddMFADeviceSync ¶
func (a *Server) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
AddMFADeviceSync implements AuthService.AddMFADeviceSync.
func (*Server) AuthenticateSSHUser ¶
func (s *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH user and returns SSH and TLS certificates for the public key in req.
func (*Server) AuthenticateUser ¶
func (s *Server) AuthenticateUser(req AuthenticateUserRequest) (string, error)
AuthenticateUser authenticates a user based on the request type and returns the username of the authenticated user.
func (*Server) AuthenticateWebUser ¶
func (s *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session. If an existing session ID is used to authenticate, the existing session is returned instead of creating a new one.
func (*Server) ChangePassword ¶
func (s *Server) ChangePassword(req services.ChangePasswordReq) error
ChangePassword updates the user's password, based on the old password.
func (*Server) ChangeUserAuthentication ¶
func (s *Server) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.
func (*Server) CloseContext ¶
func (*Server) CompareAndSwapUser ¶
CompareAndSwapUser updates a user but fails if the value on the backend does not match the expected value.
func (*Server) CompleteAccountRecovery ¶
func (s *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
CompleteAccountRecovery implements AuthService.CompleteAccountRecovery.
func (*Server) CreateAccessRequest ¶
func (*Server) CreateAccountRecoveryCodes ¶
func (s *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
CreateAccountRecoveryCodes implements AuthService.CreateAccountRecoveryCodes.
func (*Server) CreateAppSession ¶
func (s *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, user types.User, identity tlsca.Identity, checker services.AccessChecker) (types.WebSession, error)
CreateAppSession creates and inserts a services.WebSession into the backend with the identity of the caller used to generate the certificate. The certificate is used for all access requests, which is where access control is enforced.
func (*Server) CreateAuditStream ¶
CreateAuditStream creates audit event stream
func (*Server) CreateAuthenticateChallenge ¶
func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge implements AuthService.CreateAuthenticateChallenge.
func (*Server) CreateDatabase ¶
CreateDatabase creates a new database resource.
func (*Server) CreateGithubAuthRequest ¶
func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
CreateGithubAuthRequest creates a new request for Github OAuth2 flow
func (*Server) CreateKubernetesCluster ¶
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*Server) CreateOIDCAuthRequest ¶
func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
func (*Server) CreatePrivilegeToken ¶
func (s *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken implements AuthService.CreatePrivilegeToken.
func (*Server) CreateRegisterChallenge ¶
func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
CreateRegisterChallenge implements AuthService.CreateRegisterChallenge.
func (*Server) CreateResetPasswordToken ¶
func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
CreateResetPasswordToken creates a reset password token
func (*Server) CreateSAMLAuthRequest ¶
func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
func (*Server) CreateSessionTracker ¶
func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*Server) CreateSnowflakeSession ¶
func (s *Server) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest, identity tlsca.Identity, checker services.AccessChecker, ) (types.WebSession, error)
func (*Server) CreateUser ¶
CreateUser inserts a new user entry in a backend.
func (*Server) CreateWebSession ¶
CreateWebSession creates a new web session for user without any checks, is used by admins
func (*Server) DeleteAccessRequest ¶
func (*Server) DeleteDatabase ¶
DeleteDatabase deletes a database resource.
func (*Server) DeleteKubernetesCluster ¶
DeleteKubernetesCluster deletes a kubernetes cluster resource.
func (*Server) DeleteLock ¶
DeleteLock deletes a lock and emits a related audit event.
func (*Server) DeleteMFADeviceSync ¶
func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
DeleteMFADeviceSync implements AuthService.DeleteMFADeviceSync.
func (*Server) DeleteNamespace ¶
func (*Server) DeleteOIDCConnector ¶
DeleteOIDCConnector deletes an OIDC connector by name.
func (*Server) DeleteRemoteCluster ¶
DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it
func (*Server) DeleteRole ¶
DeleteRole deletes a role and emits a related audit event.
func (*Server) DeleteSAMLConnector ¶
DeleteSAMLConnector deletes a SAML connector by name.
func (*Server) DeleteToken ¶
func (*Server) DeleteTrustedCluster ¶
DeleteTrustedCluster removes types.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.
func (*Server) DeleteUser ¶
DeleteUser deletes an existing user in a backend by username.
func (*Server) ExtendWebSession ¶
func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous (current) session.
If there is an approved access request, additional roles are appended to the roles extracted from the identity. The new session's expiration time will not exceed the expiration time of the previous session.
If there is a switchback request, the roles switch back to the user's default roles and the expiration time is derived from the user's most recent login time.
func (*Server) GenerateCertAuthorityCRL ¶
func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for the local CA of a given type.
func (*Server) GenerateDatabaseCert ¶
func (s *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.
func (*Server) GenerateDatabaseTestCert ¶
func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)
GenerateDatabaseTestCert generates a database access certificate for the provided parameters. Used only internally in tests.
func (*Server) GenerateHostCert ¶
func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)
GenerateHostCert uses the private key of the CA to sign the public key of the host (along with metadata like host ID, node name, roles, and ttl) to generate a host certificate.
func (*Server) GenerateHostCerts ¶
func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.
func (*Server) GenerateSnowflakeJWT ¶
func (s *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates JWT in the format required by Snowflake.
func (*Server) GenerateToken ¶
func (a *Server) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)
GenerateToken generates multi-purpose authentication token.
func (*Server) GenerateUserAppTestCert ¶
func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)
GenerateUserAppTestCert generates an application specific certificate, used internally for tests.
func (*Server) GenerateUserTestCerts ¶
func (a *Server) GenerateUserTestCerts(key []byte, username string, ttl time.Duration, compatibility, routeToCluster, sourceIP string) ([]byte, []byte, error)
GenerateUserTestCerts is used to generate user certificate, used internally for tests
func (*Server) GenerateWindowsDesktopCert ¶
func (s *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.
func (*Server) GetAccessCapabilities ¶
func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*Server) GetAccountRecoveryCodes ¶
func (s *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
GetAccountRecoveryCodes implements AuthService.GetAccountRecoveryCodes.
func (*Server) GetAccountRecoveryToken ¶
func (s *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
GetAccountRecoveryToken implements AuthService.GetAccountRecoveryToken.
func (*Server) GetClusterCACert ¶
GetClusterCACert returns the PEM-encoded TLS certs for the local cluster. If the cluster has multiple TLS certs, they will all be concatenated.
func (*Server) GetDomainName ¶
GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"
func (*Server) GetInventoryStatus ¶
func (a *Server) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) proto.InventoryStatusSummary
func (*Server) GetKeyStore ¶
GetKeyStore returns the KeyStore used by the auth server
func (*Server) GetMFADevices ¶
func (a *Server) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
GetMFADevices returns all mfa devices for the user defined in the token or the user defined in context.
func (*Server) GetRemoteCluster ¶
func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
GetRemoteCluster returns remote cluster by name
func (*Server) GetRemoteClusters ¶
func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
GetRemoteClusters returns remote clusters with updated statuses
func (*Server) GetTokens ¶
func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)
GetTokens returns all tokens (machine provisioning tokens and user tokens). Machine tokens usually have "node roles" such as auth, proxy and node, while user invitation tokens have the 'signup' role.
func (*Server) GetWebSession ¶
func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns existing web session described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.
func (*Server) GetWebSessionInfo ¶
func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo returns the web session specified with sessionID for the given user. The session is stripped of any authentication details. Implements auth.WebUIService
func (*Server) GetWebToken ¶
func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns existing web token described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.
func (*Server) IterateResources ¶
func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, f func(resource types.ResourceWithLabels) error) error
IterateResources loads all resources matching the provided request and passes them one by one to the provided callback function. To stop iteration callers may return ErrDone from the callback function, which will result in a nil return from IterateResources. Any other errors returned from the callback function cause iteration to stop and the error to be returned.
func (*Server) ListResources ¶
func (a *Server) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
ListResources returns paginated resources depending on the resource type.
func (*Server) MakeLocalInventoryControlStream ¶
func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream
MakeLocalInventoryControlStream sets up an in-memory control stream which automatically registers with this auth server upon hello exchange.
func (*Server) NewKeepAliver ¶
NewKeepAliver returns a new instance of keep aliver
func (*Server) NewWebSession ¶
func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)
NewWebSession creates and returns a new web session for the specified request
func (*Server) PingInventory ¶
func (a *Server) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
func (*Server) PreAuthenticatedSignIn ¶
func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)
PreAuthenticatedSignIn is for MFA authentication methods where the password has already been checked before the second-factor challenge is issued.
func (*Server) ProcessKubeCSR ¶
func (s *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.
func (*Server) RegisterInventoryControlStream ¶
func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error
func (*Server) RegisterUsingIAMMethod ¶
func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc, opts ...iamRegisterOption) (*proto.Certs, error)
RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.
The caller must provide a ChallengeResponseFunc which returns a *types.RegisterUsingTokenRequest with a signed sts:GetCallerIdentity request including the challenge as a signed header.
func (*Server) RegisterUsingToken ¶
func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
RegisterUsingToken returns credentials for a new node to join the Teleport cluster using a previously issued token.
A node must also request a specific role (and the role must match one of the roles the token was generated for.)
If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires.)
If the token includes a specific join method, the rules for that join method will be checked.
func (*Server) ResetPassword ¶
ResetPassword securely generates a new random password and assigns it to user. This method is used to invalidate existing user password during password reset process.
func (*Server) ResumeAuditStream ¶
func (a *Server) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
ResumeAuditStream resumes the stream that has been created
func (*Server) RotateCertAuthority ¶
func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
Rotation procedure is based on the state machine approach.
Here are the supported rotation states:
- Standby - the cluster is in standby mode and ready to take action.
- In-progress - cluster CA rotation is in progress.
In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.
Here are the supported phases:
* Standby - no action is taken.
* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.
This phase is necessary so that remote clusters can fetch the new certificate authorities; otherwise remote clusters would be locked out, because they would not have a chance to discover the newly issued certificate authorities.
* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".
* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.
* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will lose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.
Rotation modes ¶
There are two rotation modes supported - manual or automatic.
* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.
* Automatic mode performs automatic transitions between phases on a given schedule. The schedule is a timetable that specifies the exact time at which each next phase should take place. If an automatic transition between any two phases fails, the rotation switches back to manual mode and stops executing phases on the schedule. If a schedule is not specified, it is auto-generated from the "grace period" duration parameter, and the time between all phases is split evenly over the grace period.
It is possible to switch from automatic to manual by setting the phase to the rollback phase.
func (*Server) RotateExternalCertAuthority ¶
RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.
func (*Server) SetAccessRequestState ¶
func (*Server) SetAuditLog ¶
SetAuditLog sets the server's audit log
func (*Server) SetEmitter ¶
func (*Server) SetEnforcer ¶
SetEnforcer sets the server's enforce service
func (*Server) SetLockWatcher ¶
func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)
SetLockWatcher sets the lock watcher.
func (*Server) SetUsageReporter ¶
func (a *Server) SetUsageReporter(reporter services.UsageReporter)
SetUsageReporter sets the server's usage reporter
func (*Server) SignDatabaseCSR ¶
func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.
func (*Server) StartAccountRecovery ¶
func (s *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
StartAccountRecovery implements AuthService.StartAccountRecovery.
func (*Server) SubmitAccessReview ¶
func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
func (*Server) SubmitUsageEvent ¶
SubmitUsageEvent submits an external usage event.
func (*Server) UnstableAssertSystemRole ¶
func (a *Server) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error
UnstableAssertSystemRole is not a stable part of the public API. Used by older instances to prove that they hold a given system role. DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)
func (*Server) UnstableGetSystemRoleAssertions ¶
func (*Server) UpdateDatabase ¶
UpdateDatabase updates an existing database resource.
func (*Server) UpdateKubernetesCluster ¶
UpdateKubernetesCluster updates an existing kubernetes cluster resource.
func (*Server) UpdateUser ¶
UpdateUser updates an existing user in a backend.
func (*Server) UpsertLock ¶
UpsertLock upserts a lock and emits a related audit event.
func (*Server) UpsertOIDCConnector ¶
UpsertOIDCConnector creates or updates an OIDC connector.
func (*Server) UpsertRole ¶
UpsertRole creates or updates a role and emits a related audit event.
func (*Server) UpsertSAMLConnector ¶
UpsertSAMLConnector creates or updates a SAML connector.
func (*Server) UpsertTrustedCluster ¶
func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)
UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.
func (*Server) UpsertUser ¶
UpsertUser updates a user.
func (*Server) ValidateGithubAuthCallback ¶
func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback redirect
func (*Server) ValidateOIDCAuthCallback ¶
func (a *Server) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback is called by the proxy to check the OIDC query parameters returned by the OIDC provider. If everything checks out, the auth server responds with an OIDCAuthResponse; otherwise it returns an error.
func (*Server) ValidateSAMLResponse ¶
func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse string, connectorID string) (*SAMLAuthResponse, error)
ValidateSAMLResponse consumes attribute statements from SAML identity provider
func (*Server) ValidateToken ¶
ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume and token labels, or an error if the token cannot be found.
func (*Server) VerifyAccountRecovery ¶
func (s *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
VerifyAccountRecovery implements AuthService.VerifyAccountRecovery.
func (*Server) WithUserLock ¶
WithUserLock executes the function authenticateFn, which performs user authentication. If authenticateFn returns a non-nil error, the login attempt is recorded as failed. The only exception to this rule is ConnectionProblemError: if it occurs, access is denied but the login attempt is not recorded; this is done to avoid potential user lockouts due to backend failures. If the user exceeds defaults.MaxLoginAttempts, the user account is locked for defaults.AccountLockInterval.
type ServerOption ¶
ServerOption allows setting options as functional arguments to Server
func WithClock ¶
func WithClock(clock clockwork.Clock) ServerOption
WithClock is a functional server option that sets the server's clock
type ServerWithRoles ¶
// ServerWithRoles is a wrapper around auth service methods that focuses on
// authorizing every request.
type ServerWithRoles struct {
	// contains filtered or unexported fields
}
ServerWithRoles is a wrapper around auth service methods that focuses on authorizing every request
func (*ServerWithRoles) AcquireSemaphore ¶
func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)
AcquireSemaphore acquires lease with requested resources from semaphore.
func (*ServerWithRoles) ActivateCertAuthority ¶
func (a *ServerWithRoles) ActivateCertAuthority(id types.CertAuthID) error
ActivateCertAuthority not implemented: can only be called locally.
func (*ServerWithRoles) AddMFADevice ¶
func (a *ServerWithRoles) AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
AddMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.AddMFADevice or client.Client.AddMFADevice instead.
func (*ServerWithRoles) AddMFADeviceSync ¶
func (a *ServerWithRoles) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.
func (*ServerWithRoles) AppendDiagnosticTrace ¶
func (a *ServerWithRoles) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
AppendDiagnosticTrace adds a new trace for the given ConnectionDiagnostic.
func (*ServerWithRoles) AuthenticateSSHUser ¶
func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates an SSH console user and, on success, creates and returns a pair of signed, short-lived TLS and SSH certificates.
func (*ServerWithRoles) AuthenticateWebUser ¶
func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
AuthenticateWebUser authenticates a web user and, if authentication succeeds, creates and returns a web session.
func (*ServerWithRoles) CancelSemaphoreLease ¶
func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
CancelSemaphoreLease cancels semaphore lease early.
func (*ServerWithRoles) ChangePassword ¶
func (a *ServerWithRoles) ChangePassword(req services.ChangePasswordReq) error
ChangePassword updates a user's password after verifying the supplied old password.
func (*ServerWithRoles) ChangeUserAuthentication ¶
func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)
ChangeUserAuthentication is implemented by AuthService.ChangeUserAuthentication.
func (*ServerWithRoles) CheckPassword ¶
func (a *ServerWithRoles) CheckPassword(user string, password []byte, otpToken string) error
func (*ServerWithRoles) Close ¶
func (a *ServerWithRoles) Close() error
func (*ServerWithRoles) CloseContext ¶
func (a *ServerWithRoles) CloseContext() context.Context
CloseContext is closed when the auth server shuts down
func (*ServerWithRoles) CompareAndSwapCertAuthority ¶
func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*ServerWithRoles) CompareAndSwapUser ¶
CompareAndSwapUser updates an existing user in a backend, but fails if the backend's value does not match the expected value. Captures the auth user who modified the user record.
func (*ServerWithRoles) CompleteAccountRecovery ¶
func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error
CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.
func (*ServerWithRoles) CreateAccessRequest ¶
func (a *ServerWithRoles) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
func (*ServerWithRoles) CreateAccountRecoveryCodes ¶
func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.
func (*ServerWithRoles) CreateApp ¶
func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error
CreateApp creates a new application resource.
func (*ServerWithRoles) CreateAppSession ¶
func (a *ServerWithRoles) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest) (types.WebSession, error)
CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.
func (*ServerWithRoles) CreateAuditStream ¶
func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)
CreateAuditStream creates audit event stream
func (*ServerWithRoles) CreateAuthenticateChallenge ¶
func (a *ServerWithRoles) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.
func (*ServerWithRoles) CreateBot ¶
func (a *ServerWithRoles) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
CreateBot creates a new certificate renewal bot and returns a join token.
func (*ServerWithRoles) CreateCertAuthority ¶
func (a *ServerWithRoles) CreateCertAuthority(ca types.CertAuthority) error
CreateCertAuthority not implemented: can only be called locally.
func (*ServerWithRoles) CreateConnectionDiagnostic ¶
func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
CreateConnectionDiagnostic creates a new connection diagnostic.
func (*ServerWithRoles) CreateDatabase ¶
CreateDatabase creates a new database resource.
func (*ServerWithRoles) CreateGithubAuthRequest ¶
func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
func (*ServerWithRoles) CreateKubernetesCluster ¶
func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
CreateKubernetesCluster creates a new kubernetes cluster resource.
func (*ServerWithRoles) CreateOIDCAuthRequest ¶
func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
func (*ServerWithRoles) CreatePrivilegeToken ¶
func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.
func (*ServerWithRoles) CreateRegisterChallenge ¶
func (a *ServerWithRoles) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)
CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.
func (*ServerWithRoles) CreateRemoteCluster ¶
func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error
func (*ServerWithRoles) CreateResetPasswordToken ¶
func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)
func (*ServerWithRoles) CreateRole ¶
CreateRole not implemented: can only be called locally.
func (*ServerWithRoles) CreateSAMLAuthRequest ¶
func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
func (*ServerWithRoles) CreateSession ¶
DELETE IN 12.0.0
func (*ServerWithRoles) CreateSessionTracker ¶
func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)
CreateSessionTracker creates a tracker resource for an active session.
func (*ServerWithRoles) CreateSnowflakeSession ¶
func (a *ServerWithRoles) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)
CreateSnowflakeSession creates a Snowflake web session.
func (*ServerWithRoles) CreateToken ¶
func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error
func (*ServerWithRoles) CreateUser ¶
CreateUser inserts a new user entry in a backend.
func (*ServerWithRoles) CreateWebSession ¶
func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
CreateWebSession creates a new web session for the specified user
func (*ServerWithRoles) CreateWindowsDesktop ¶
func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
CreateWindowsDesktop creates a new windows desktop host.
func (*ServerWithRoles) DeactivateCertAuthority ¶
func (a *ServerWithRoles) DeactivateCertAuthority(id types.CertAuthID) error
DeactivateCertAuthority not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAccessRequest ¶
func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error
func (*ServerWithRoles) DeleteAllAppSessions ¶
func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error
DeleteAllAppSessions removes all application web sessions.
func (*ServerWithRoles) DeleteAllApplicationServers ¶
func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error
DeleteAllApplicationServers deletes all registered application servers.
func (*ServerWithRoles) DeleteAllApps ¶
func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error
DeleteAllApps removes all application resources.
func (*ServerWithRoles) DeleteAllAuthServers ¶
func (a *ServerWithRoles) DeleteAllAuthServers() error
DeleteAllAuthServers deletes all auth servers
func (*ServerWithRoles) DeleteAllCertAuthorities ¶
func (a *ServerWithRoles) DeleteAllCertAuthorities(caType types.CertAuthType) error
DeleteAllCertAuthorities not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllDatabaseServers ¶
func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error
DeleteAllDatabaseServers removes all registered database proxy servers.
func (*ServerWithRoles) DeleteAllDatabases ¶
func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error
DeleteAllDatabases removes all database resources.
func (*ServerWithRoles) DeleteAllInstallers ¶
func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error
DeleteAllInstallers removes all installer script resources
func (*ServerWithRoles) DeleteAllKubeServices ¶
func (a *ServerWithRoles) DeleteAllKubeServices(ctx context.Context) error
DeleteAllKubeServices deletes all registered kubernetes services.
func (*ServerWithRoles) DeleteAllKubernetesClusters ¶
func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error
DeleteAllKubernetesClusters removes all kubernetes cluster resources.
func (*ServerWithRoles) DeleteAllKubernetesServers ¶
func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error
DeleteAllKubernetesServers deletes all registered kubernetes servers.
func (*ServerWithRoles) DeleteAllLocks ¶
func (a *ServerWithRoles) DeleteAllLocks(context.Context) error
DeleteAllLocks not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllNamespaces ¶
func (a *ServerWithRoles) DeleteAllNamespaces() error
DeleteAllNamespaces not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllNodes ¶
func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error
DeleteAllNodes deletes all nodes in a given namespace
func (*ServerWithRoles) DeleteAllProxies ¶
func (a *ServerWithRoles) DeleteAllProxies() error
DeleteAllProxies deletes all proxies
func (*ServerWithRoles) DeleteAllRemoteClusters ¶
func (a *ServerWithRoles) DeleteAllRemoteClusters() error
func (*ServerWithRoles) DeleteAllReverseTunnels ¶
func (a *ServerWithRoles) DeleteAllReverseTunnels() error
DeleteAllReverseTunnels not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllRoles ¶
func (a *ServerWithRoles) DeleteAllRoles() error
DeleteAllRoles not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllSnowflakeSessions ¶
func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error
DeleteAllSnowflakeSessions removes all Snowflake web sessions.
func (*ServerWithRoles) DeleteAllTokens ¶
func (a *ServerWithRoles) DeleteAllTokens() error
DeleteAllTokens not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllTunnelConnections ¶
func (a *ServerWithRoles) DeleteAllTunnelConnections() error
func (*ServerWithRoles) DeleteAllUsers ¶
func (a *ServerWithRoles) DeleteAllUsers() error
DeleteAllUsers not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAllWindowsDesktopServices ¶
func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error
DeleteAllWindowsDesktopServices removes all registered windows desktop services.
func (*ServerWithRoles) DeleteAllWindowsDesktops ¶
func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error
DeleteAllWindowsDesktops removes all registered windows desktop hosts.
func (*ServerWithRoles) DeleteApp ¶
func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error
DeleteApp removes the specified application resource.
func (*ServerWithRoles) DeleteAppSession ¶
func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error
DeleteAppSession removes an application web session.
func (*ServerWithRoles) DeleteApplicationServer ¶
func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
DeleteApplicationServer deletes specified application server.
func (*ServerWithRoles) DeleteAuthPreference ¶
func (a *ServerWithRoles) DeleteAuthPreference(context.Context) error
DeleteAuthPreference not implemented: can only be called locally.
func (*ServerWithRoles) DeleteAuthServer ¶
func (a *ServerWithRoles) DeleteAuthServer(name string) error
DeleteAuthServer deletes auth server by name
func (*ServerWithRoles) DeleteBot ¶
func (a *ServerWithRoles) DeleteBot(ctx context.Context, botName string) error
DeleteBot removes a certificate renewal bot by name.
func (*ServerWithRoles) DeleteCertAuthority ¶
func (a *ServerWithRoles) DeleteCertAuthority(id types.CertAuthID) error
func (*ServerWithRoles) DeleteClusterAuditConfig ¶
func (a *ServerWithRoles) DeleteClusterAuditConfig(ctx context.Context) error
DeleteClusterAuditConfig not implemented: can only be called locally.
func (*ServerWithRoles) DeleteClusterName ¶
func (a *ServerWithRoles) DeleteClusterName() error
DeleteClusterName deletes cluster name
func (*ServerWithRoles) DeleteClusterNetworkingConfig ¶
func (a *ServerWithRoles) DeleteClusterNetworkingConfig(ctx context.Context) error
DeleteClusterNetworkingConfig not implemented: can only be called locally.
func (*ServerWithRoles) DeleteDatabase ¶
func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
DeleteDatabase removes the specified database resource.
func (*ServerWithRoles) DeleteDatabaseServer ¶
func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
DeleteDatabaseServer removes the specified database proxy server.
func (*ServerWithRoles) DeleteGithubConnector ¶
func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error
DeleteGithubConnector deletes a Github connector by name.
func (*ServerWithRoles) DeleteInstaller ¶
func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error
DeleteInstaller removes an installer script resource
func (*ServerWithRoles) DeleteKubeService ¶
func (a *ServerWithRoles) DeleteKubeService(ctx context.Context, name string) error
DeleteKubeService deletes a named kubernetes service.
func (*ServerWithRoles) DeleteKubernetesCluster ¶
func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error
DeleteKubernetesCluster removes the specified kubernetes cluster resource.
func (*ServerWithRoles) DeleteKubernetesServer ¶
func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error
DeleteKubernetesServer deletes specified kubernetes server.
func (*ServerWithRoles) DeleteLock ¶
func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error
DeleteLock deletes a lock.
func (*ServerWithRoles) DeleteMFADevice ¶
func (a *ServerWithRoles) DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
DeleteMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.DeleteMFADevice or client.Client.DeleteMFADevice instead.
func (*ServerWithRoles) DeleteMFADeviceSync ¶
func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.
func (*ServerWithRoles) DeleteNamespace ¶
func (a *ServerWithRoles) DeleteNamespace(name string) error
DeleteNamespace deletes namespace by name
func (*ServerWithRoles) DeleteNetworkRestrictions ¶
func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error
DeleteNetworkRestrictions deletes the network restrictions.
func (*ServerWithRoles) DeleteNode ¶
func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error
DeleteNode deletes node in the namespace
func (*ServerWithRoles) DeleteOIDCConnector ¶
func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error
func (*ServerWithRoles) DeleteProxy ¶
func (a *ServerWithRoles) DeleteProxy(name string) error
DeleteProxy deletes proxy by name
func (*ServerWithRoles) DeleteRemoteCluster ¶
func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error
func (*ServerWithRoles) DeleteReverseTunnel ¶
func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error
func (*ServerWithRoles) DeleteRole ¶
func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error
DeleteRole deletes role by name
func (*ServerWithRoles) DeleteSAMLConnector ¶
func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error
DeleteSAMLConnector deletes a SAML connector by name.
func (*ServerWithRoles) DeleteSemaphore ¶
func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error
DeleteSemaphore deletes a semaphore matching the supplied filter.
func (*ServerWithRoles) DeleteSession ¶
DeleteSession removes an active session from the backend. DELETE IN 12.0.0
func (*ServerWithRoles) DeleteSessionRecordingConfig ¶
func (a *ServerWithRoles) DeleteSessionRecordingConfig(ctx context.Context) error
DeleteSessionRecordingConfig not implemented: can only be called locally.
func (*ServerWithRoles) DeleteSnowflakeSession ¶
func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error
DeleteSnowflakeSession removes a Snowflake web session.
func (*ServerWithRoles) DeleteStaticTokens ¶
func (a *ServerWithRoles) DeleteStaticTokens() error
DeleteStaticTokens deletes static tokens
func (*ServerWithRoles) DeleteToken ¶
func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error
func (*ServerWithRoles) DeleteTrustedCluster ¶
func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error
DeleteTrustedCluster deletes a trusted cluster by name.
func (*ServerWithRoles) DeleteTunnelConnection ¶
func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
func (*ServerWithRoles) DeleteTunnelConnections ¶
func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error
func (*ServerWithRoles) DeleteUser ¶
func (a *ServerWithRoles) DeleteUser(ctx context.Context, user string) error
DeleteUser deletes an existing user in a backend by username.
func (*ServerWithRoles) DeleteUserAppSessions ¶
func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
DeleteUserAppSessions deletes all of the given user's application sessions.
func (*ServerWithRoles) DeleteWindowsDesktop ¶
func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
DeleteWindowsDesktop removes the specified Windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.
func (*ServerWithRoles) DeleteWindowsDesktopService ¶
func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error
DeleteWindowsDesktopService removes the specified windows desktop service.
func (*ServerWithRoles) EmitAuditEvent ¶
func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error
EmitAuditEvent emits a single audit event
func (*ServerWithRoles) Export ¶
func (a *ServerWithRoles) Export(ctx context.Context, req *collectortracev1.ExportTraceServiceRequest) (*collectortracev1.ExportTraceServiceResponse, error)
Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.
All spans received will have a `teleport.forwarded.for` attribute added to them with the value being one of two things depending on the role of the forwarder:
- User forwarded: `teleport.forwarded.for: alice`
- Instance forwarded: `teleport.forwarded.for: Proxy.clustername:Proxy,Node,Instance`
This allows upstream consumers of the spans to be able to identify forwarded spans and act on them accordingly.
func (*ServerWithRoles) ExtendWebSession ¶
func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous session. Additional roles are appended to initial roles if there is an approved access request. The new session expiration time will not exceed the expiration time of the old session.
func (*ServerWithRoles) GenerateAppToken ¶
func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)
GenerateAppToken creates a JWT token with application access.
func (*ServerWithRoles) GenerateCertAuthorityCRL ¶
func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)
GenerateCertAuthorityCRL generates an empty CRL for a CA. Because the CRL is empty, it does not convey revocation of any certificate; it exists so that relying parties which require a CRL distribution point can validate against one.
func (*ServerWithRoles) GenerateDatabaseCert ¶
func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
GenerateDatabaseCert generates a certificate used by a database service to authenticate with the database instance.
This certificate can be requested by:
- Cluster administrator using "tctl auth sign --format=db" command locally on the auth server to produce a certificate for configuring a self-hosted database.
- Remote user using "tctl auth sign --format=db" command with a remote proxy (e.g. Teleport Cloud), as long as they can impersonate system role Db.
- Database service when initiating connection to a database instance to produce a client certificate.
- Proxy service when generating the mTLS files used to connect to a database.
func (*ServerWithRoles) GenerateHostCert ¶
func (*ServerWithRoles) GenerateHostCerts ¶
func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)
GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.
func (*ServerWithRoles) GenerateSnowflakeJWT ¶
func (a *ServerWithRoles) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)
GenerateSnowflakeJWT generates JWT in the Snowflake required format.
func (*ServerWithRoles) GenerateToken ¶
func (a *ServerWithRoles) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)
GenerateToken generates a multi-purpose authentication (provisioning) token.
func (*ServerWithRoles) GenerateUserCerts ¶
func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)
GenerateUserCerts generates user certificates.
func (*ServerWithRoles) GenerateUserSingleUseCerts ¶
func (a *ServerWithRoles) GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)
GenerateUserSingleUseCerts exists to satisfy auth.ClientI but is not implemented here.
Use auth.GRPCServer.GenerateUserSingleUseCerts or client.Client.GenerateUserSingleUseCerts instead.
func (*ServerWithRoles) GenerateWindowsDesktopCert ¶
func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
GenerateWindowsDesktopCert generates a certificate for Windows RDP authentication.
func (*ServerWithRoles) GetAccessCapabilities ¶
func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
func (*ServerWithRoles) GetAccessRequests ¶
func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
func (*ServerWithRoles) GetAccountRecoveryCodes ¶
func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.
func (*ServerWithRoles) GetAccountRecoveryToken ¶
func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.
func (*ServerWithRoles) GetActiveSessionTrackers ¶
func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)
GetActiveSessionTrackers returns a list of active session trackers.
func (*ServerWithRoles) GetActiveSessionTrackersWithFilter ¶
func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)
GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
func (*ServerWithRoles) GetAllTunnelConnections ¶
func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)
func (*ServerWithRoles) GetApp ¶
func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)
GetApp returns specified application resource.
func (*ServerWithRoles) GetAppSession ¶
func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)
GetAppSession gets an application web session.
func (*ServerWithRoles) GetAppSessions ¶
func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error)
GetAppSessions gets all application web sessions.
func (*ServerWithRoles) GetApplicationServers ¶
func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
GetApplicationServers returns all registered application servers.
func (*ServerWithRoles) GetApps ¶
func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)
GetApps returns all application resources.
func (*ServerWithRoles) GetAuthPreference ¶
func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)
GetAuthPreference gets cluster auth preference.
func (*ServerWithRoles) GetAuthServers ¶
func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)
func (*ServerWithRoles) GetBotUsers ¶
GetBotUsers fetches all users with bot labels. It does not fetch users with secrets.
func (*ServerWithRoles) GetCertAuthorities ¶
func (a *ServerWithRoles) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)
func (*ServerWithRoles) GetCertAuthority ¶
func (a *ServerWithRoles) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)
func (*ServerWithRoles) GetClusterAlerts ¶
func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
func (*ServerWithRoles) GetClusterAuditConfig ¶
func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)
GetClusterAuditConfig gets cluster audit configuration.
func (*ServerWithRoles) GetClusterCACert ¶
func (a *ServerWithRoles) GetClusterCACert( ctx context.Context, ) (*proto.GetClusterCACertResponse, error)
GetClusterCACert returns the PEM-encoded TLS certificates for the local cluster, without signing keys. If the cluster has multiple TLS certificates, they are all concatenated.
func (*ServerWithRoles) GetClusterName ¶
func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
GetClusterName gets the name of the cluster.
func (*ServerWithRoles) GetClusterNetworkingConfig ¶
func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)
GetClusterNetworkingConfig gets cluster networking configuration.
func (*ServerWithRoles) GetConnectionDiagnostic ¶
func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)
GetConnectionDiagnostic returns the connection diagnostic with the matching name
func (*ServerWithRoles) GetCurrentUser ¶
GetCurrentUser returns current user as seen by the server. Useful especially in the context of remote clusters which perform role and trait mapping.
func (*ServerWithRoles) GetCurrentUserRoles ¶
GetCurrentUserRoles returns current user's roles.
func (*ServerWithRoles) GetDatabase ¶
GetDatabase returns specified database resource.
func (*ServerWithRoles) GetDatabaseServers ¶
func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
GetDatabaseServers returns all registered database servers.
func (*ServerWithRoles) GetDatabases ¶
GetDatabases returns all database resources.
func (*ServerWithRoles) GetDomainName ¶
func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)
func (*ServerWithRoles) GetGithubAuthRequest ¶
func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)
GetGithubAuthRequest returns Github auth request if found.
func (*ServerWithRoles) GetGithubConnector ¶
func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
func (*ServerWithRoles) GetGithubConnectors ¶
func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
func (*ServerWithRoles) GetInstaller ¶
GetInstaller retrieves an installer script resource
func (*ServerWithRoles) GetInstallers ¶
GetInstallers gets all the installer resources.
func (*ServerWithRoles) GetInventoryStatus ¶
func (a *ServerWithRoles) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)
func (*ServerWithRoles) GetKubeServices ¶
GetKubeServices returns all Servers representing teleport kubernetes services. DELETE in 12.0.0
func (*ServerWithRoles) GetKubernetesCluster ¶
func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
GetKubernetesCluster returns specified kubernetes cluster resource.
func (*ServerWithRoles) GetKubernetesClusters ¶
func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)
GetKubernetesClusters returns all kubernetes cluster resources.
func (*ServerWithRoles) GetKubernetesServers ¶
func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)
GetKubernetesServers returns all registered kubernetes servers.
func (*ServerWithRoles) GetLocks ¶
func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
GetLocks returns all locks, or only the locks currently in force when inForceOnly is set. When one or more targets are supplied, only locks matching at least one of those targets are returned.
func (*ServerWithRoles) GetMFADevices ¶
func (a *ServerWithRoles) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
GetMFADevices returns a list of MFA devices.
func (*ServerWithRoles) GetNamespace ¶
func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)
GetNamespace returns namespace by name
func (*ServerWithRoles) GetNamespaces ¶
func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)
GetNamespaces returns a list of namespaces
func (*ServerWithRoles) GetNetworkRestrictions ¶
func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).
func (*ServerWithRoles) GetNode ¶
func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)
GetNode gets a node by name and namespace.
func (*ServerWithRoles) GetOIDCAuthRequest ¶
func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
GetOIDCAuthRequest returns OIDC auth request if found.
func (*ServerWithRoles) GetOIDCConnector ¶
func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
func (*ServerWithRoles) GetOIDCConnectors ¶
func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
func (*ServerWithRoles) GetPluginData ¶
func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
GetPluginData loads all plugin data matching the supplied filter.
func (*ServerWithRoles) GetProxies ¶
func (a *ServerWithRoles) GetProxies() ([]types.Server, error)
func (*ServerWithRoles) GetRemoteCluster ¶
func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
func (*ServerWithRoles) GetRemoteClusters ¶
func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)
func (*ServerWithRoles) GetResetPasswordToken ¶
func (*ServerWithRoles) GetReverseTunnel ¶
func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)
func (*ServerWithRoles) GetReverseTunnels ¶
func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)
func (*ServerWithRoles) GetSAMLAuthRequest ¶
func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)
GetSAMLAuthRequest returns SAML auth request if found.
func (*ServerWithRoles) GetSAMLConnector ¶
func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
func (*ServerWithRoles) GetSAMLConnectors ¶
func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
func (*ServerWithRoles) GetSSODiagnosticInfo ¶
func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)
GetSSODiagnosticInfo returns SSO diagnostic info records.
func (*ServerWithRoles) GetSemaphores ¶
func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)
GetSemaphores returns a list of all semaphores matching the supplied filter.
func (*ServerWithRoles) GetSession ¶
func (a *ServerWithRoles) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)
DELETE IN 12.0.0
func (*ServerWithRoles) GetSessionChunk ¶
func (*ServerWithRoles) GetSessionEvents ¶
func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)
func (*ServerWithRoles) GetSessionRecordingConfig ¶
func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
GetSessionRecordingConfig gets session recording configuration.
func (*ServerWithRoles) GetSessionTracker ¶
func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
GetSessionTracker returns the current state of a session tracker for an active session.
func (*ServerWithRoles) GetSessions ¶
func (a *ServerWithRoles) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)
DELETE IN 12.0.0
func (*ServerWithRoles) GetSnowflakeSession ¶
func (a *ServerWithRoles) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)
GetSnowflakeSession gets a Snowflake web session.
func (*ServerWithRoles) GetSnowflakeSessions ¶
func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)
GetSnowflakeSessions gets all Snowflake web sessions.
func (*ServerWithRoles) GetStaticTokens ¶
func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*ServerWithRoles) GetToken ¶
func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)
func (*ServerWithRoles) GetTokens ¶
func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
func (*ServerWithRoles) GetTrustedCluster ¶
func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)
func (*ServerWithRoles) GetTrustedClusters ¶
func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)
func (*ServerWithRoles) GetTunnelConnections ¶
func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)
func (*ServerWithRoles) GetUsers ¶
func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error)
func (*ServerWithRoles) GetWebSession ¶
func (a *ServerWithRoles) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns the web session specified with req. Implements auth.ReadAccessPoint.
func (*ServerWithRoles) GetWebSessionInfo ¶
func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
GetWebSessionInfo returns the web session for the given user identified by sessionID. The returned session is stripped of any authentication details (it carries no credentials). Implements auth.WebUIService.
func (*ServerWithRoles) GetWebToken ¶
func (a *ServerWithRoles) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns the web token specified with req. Implements auth.ReadAccessPoint.
func (*ServerWithRoles) GetWindowsDesktopService ¶
func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
GetWindowsDesktopService returns a registered windows desktop service by name.
func (*ServerWithRoles) GetWindowsDesktopServices ¶
func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
GetWindowsDesktopServices returns all registered windows desktop services.
func (*ServerWithRoles) GetWindowsDesktops ¶
func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
GetWindowsDesktops returns all registered windows desktop hosts.
func (*ServerWithRoles) IsMFARequired ¶
func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)
func (*ServerWithRoles) KeepAliveSemaphoreLease ¶
func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error
KeepAliveSemaphoreLease updates semaphore lease.
func (*ServerWithRoles) KeepAliveServer ¶
KeepAliveServer updates expiry time of a server resource.
func (*ServerWithRoles) ListResources ¶
func (a *ServerWithRoles) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
ListResources returns a paginated list of resources filtered by user access.
func (*ServerWithRoles) ListWindowsDesktopServices ¶
func (a *ServerWithRoles) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
ListWindowsDesktopServices not implemented: can only be called locally.
func (*ServerWithRoles) ListWindowsDesktops ¶
func (a *ServerWithRoles) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
ListWindowsDesktops not implemented: can only be called locally.
func (*ServerWithRoles) MaintainSessionPresence ¶
func (a *ServerWithRoles) MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)
MaintainSessionPresence is coupled to the service layer and must exist here, but it is never actually called since presence is handled by the session presence task. It is never valid to call this method.
func (*ServerWithRoles) NewKeepAliver ¶
func (a *ServerWithRoles) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)
NewKeepAliver not implemented: can only be called locally.
func (*ServerWithRoles) NewWatcher ¶
NewWatcher returns a new event watcher
func (*ServerWithRoles) Ping ¶
func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)
Ping gets basic info about the auth server.
func (*ServerWithRoles) PingInventory ¶
func (a *ServerWithRoles) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)
func (*ServerWithRoles) PreAuthenticatedSignIn ¶
func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)
func (*ServerWithRoles) ProcessKubeCSR ¶
func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.
func (*ServerWithRoles) RegisterInventoryControlStream ¶
func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) error
func (*ServerWithRoles) RegisterUsingIAMMethod ¶
func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc) (*proto.Certs, error)
RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.
See (*Server).RegisterUsingIAMMethod for further documentation.
This wrapper deliberately performs no additional authz checks: the caller is a joining node that does not yet hold cluster credentials, and authorization is enforced entirely by the IAM join method itself via the join challenge (see (*Server).RegisterUsingIAMMethod). Do not rely on role-based checks at this layer.
func (*ServerWithRoles) RegisterUsingToken ¶
func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
func (*ServerWithRoles) RemoveSessionTracker ¶
func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error
RemoveSessionTracker removes a tracker resource for an active session.
func (*ServerWithRoles) ReplaceRemoteLocks ¶
func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
func (*ServerWithRoles) ResetAuthPreference ¶
func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error
ResetAuthPreference resets cluster auth preference to defaults.
func (*ServerWithRoles) ResetClusterNetworkingConfig ¶
func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error
ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
func (*ServerWithRoles) ResetSessionRecordingConfig ¶
func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error
ResetSessionRecordingConfig resets session recording configuration to defaults.
func (*ServerWithRoles) ResumeAuditStream ¶
func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)
ResumeAuditStream resumes a previously created audit stream for session sid, identified by uploadID.
func (*ServerWithRoles) RotateCertAuthority ¶
func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*ServerWithRoles) RotateExternalCertAuthority ¶
func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error
RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.
func (*ServerWithRoles) SearchEvents ¶
func (a *ServerWithRoles) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) (events []apievents.AuditEvent, lastKey string, err error)
SearchEvents allows searching audit events with pagination support.
func (*ServerWithRoles) SearchSessionEvents ¶
func (a *ServerWithRoles) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) (events []apievents.AuditEvent, lastKey string, err error)
SearchSessionEvents allows searching session audit events with pagination support.
func (*ServerWithRoles) SetAccessRequestState ¶
func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
func (*ServerWithRoles) SetAuthPreference ¶
func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error
SetAuthPreference sets cluster auth preference.
func (*ServerWithRoles) SetClusterAuditConfig ¶
func (a *ServerWithRoles) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error
SetClusterAuditConfig not implemented: can only be called locally.
func (*ServerWithRoles) SetClusterName ¶
func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error
SetClusterName sets the name of the cluster. SetClusterName can only be called once.
func (*ServerWithRoles) SetClusterNetworkingConfig ¶
func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error
SetClusterNetworkingConfig sets cluster networking configuration.
func (*ServerWithRoles) SetInstaller ¶
SetInstaller sets an Installer script resource
func (*ServerWithRoles) SetNetworkRestrictions ¶
func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error
SetNetworkRestrictions updates the network restrictions.
func (*ServerWithRoles) SetSessionRecordingConfig ¶
func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error
SetSessionRecordingConfig sets session recording configuration.
func (*ServerWithRoles) SetStaticTokens ¶
func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error
SetStaticTokens sets the list of static tokens used to provision nodes.
func (*ServerWithRoles) SignDatabaseCSR ¶
func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)
SignDatabaseCSR generates the client certificate used by the proxy when talking to a remote database service.
func (*ServerWithRoles) StartAccountRecovery ¶
func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
StartAccountRecovery is implemented by AuthService.StartAccountRecovery.
func (*ServerWithRoles) StreamSessionEvents ¶
func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)
StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.
func (*ServerWithRoles) SubmitAccessReview ¶
func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
func (*ServerWithRoles) SubmitUsageEvent ¶
func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
SubmitUsageEvent submits an external usage event.
func (*ServerWithRoles) UnstableAssertSystemRole ¶
func (a *ServerWithRoles) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error
func (*ServerWithRoles) UpdateApp ¶
func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error
UpdateApp updates existing application resource.
func (*ServerWithRoles) UpdateConnectionDiagnostic ¶
func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error
UpdateConnectionDiagnostic updates a connection diagnostic.
func (*ServerWithRoles) UpdateDatabase ¶
UpdateDatabase updates existing database resource.
func (*ServerWithRoles) UpdateKubernetesCluster ¶
func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
UpdateKubernetesCluster updates existing kubernetes cluster resource.
func (*ServerWithRoles) UpdatePluginData ¶
func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
UpdatePluginData updates a per-resource PluginData entry.
func (*ServerWithRoles) UpdatePresence ¶
func (a *ServerWithRoles) UpdatePresence(ctx context.Context, sessionID, user string) error
UpdatePresence is coupled to the service layer and must exist here but is never actually called since it's handled by the session presence task. This is never valid to call.
func (*ServerWithRoles) UpdateRemoteCluster ¶
func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error
func (*ServerWithRoles) UpdateSession ¶
func (a *ServerWithRoles) UpdateSession(ctx context.Context, req session.UpdateRequest) error
DELETE IN 12.0.0
func (*ServerWithRoles) UpdateSessionTracker ¶
func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error
UpdateSessionTracker updates a tracker resource for an active session.
func (*ServerWithRoles) UpdateUser ¶
UpdateUser updates an existing user in a backend. Captures the auth user who modified the user record.
func (*ServerWithRoles) UpdateWindowsDesktop ¶
func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
UpdateWindowsDesktop updates an existing windows desktop host.
func (*ServerWithRoles) UpsertAppSession ¶
func (a *ServerWithRoles) UpsertAppSession(ctx context.Context, session types.WebSession) error
UpsertAppSession not implemented: can only be called locally.
func (*ServerWithRoles) UpsertApplicationServer ¶
func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)
UpsertApplicationServer registers an application server.
func (*ServerWithRoles) UpsertAuthServer ¶
func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error
func (*ServerWithRoles) UpsertCertAuthority ¶
func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error
UpsertCertAuthority creates a new cert authority or updates the existing one.
func (*ServerWithRoles) UpsertClusterAlert ¶
func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
func (*ServerWithRoles) UpsertClusterName ¶
func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error
UpsertClusterName sets the name of the cluster.
func (*ServerWithRoles) UpsertDatabaseServer ¶
func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)
UpsertDatabaseServer creates a new database server resource or updates an existing one.
func (*ServerWithRoles) UpsertGithubConnector ¶
func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
UpsertGithubConnector creates or updates a Github connector.
func (*ServerWithRoles) UpsertKubeService ¶
UpsertKubeService creates or updates a Server representing a teleport kubernetes service.
func (*ServerWithRoles) UpsertKubeServiceV2 ¶
func (a *ServerWithRoles) UpsertKubeServiceV2(ctx context.Context, s types.Server) (*types.KeepAlive, error)
UpsertKubeServiceV2 creates or updates a Server representing a teleport kubernetes service.
func (*ServerWithRoles) UpsertKubernetesServer ¶
func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)
UpsertKubernetesServer creates or updates a KubeServer resource representing a teleport kubernetes server.
func (*ServerWithRoles) UpsertLock ¶
UpsertLock upserts a lock.
func (*ServerWithRoles) UpsertNamespace ¶
func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error
UpsertNamespace upserts namespace
func (*ServerWithRoles) UpsertNode ¶
func (*ServerWithRoles) UpsertOIDCConnector ¶
func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
UpsertOIDCConnector creates or updates an OIDC connector.
func (*ServerWithRoles) UpsertProxy ¶
func (a *ServerWithRoles) UpsertProxy(s types.Server) error
func (*ServerWithRoles) UpsertReverseTunnel ¶
func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error
func (*ServerWithRoles) UpsertRole ¶
UpsertRole creates or updates role.
func (*ServerWithRoles) UpsertSAMLConnector ¶
func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
UpsertSAMLConnector creates or updates a SAML connector.
func (*ServerWithRoles) UpsertSnowflakeSession ¶
func (a *ServerWithRoles) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error
UpsertSnowflakeSession not implemented: can only be called locally.
func (*ServerWithRoles) UpsertToken ¶
func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error
func (*ServerWithRoles) UpsertTrustedCluster ¶
func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)
UpsertTrustedCluster creates or updates a trusted cluster.
func (*ServerWithRoles) UpsertTunnelConnection ¶
func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error
func (*ServerWithRoles) UpsertUser ¶
func (a *ServerWithRoles) UpsertUser(u types.User) error
func (*ServerWithRoles) UpsertWindowsDesktop ¶
func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error
UpsertWindowsDesktop updates a windows desktop resource, creating it if it doesn't exist.
func (*ServerWithRoles) UpsertWindowsDesktopService ¶
func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)
UpsertWindowsDesktopService creates a new windows desktop service resource or updates an existing one.
func (*ServerWithRoles) ValidateGithubAuthCallback ¶
func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)
func (*ServerWithRoles) ValidateOIDCAuthCallback ¶
func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)
func (*ServerWithRoles) ValidateSAMLResponse ¶
func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates SAML auth response.
func (*ServerWithRoles) ValidateTrustedCluster ¶
func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
func (*ServerWithRoles) VerifyAccountRecovery ¶
func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.
func (*ServerWithRoles) WebSessions ¶
func (a *ServerWithRoles) WebSessions() types.WebSessionInterface
WebSessions returns the web session manager. Implements services.WebSessionsGetter.
func (*ServerWithRoles) WebTokens ¶
func (a *ServerWithRoles) WebTokens() types.WebTokenInterface
WebTokens returns the web token manager. Implements services.WebTokensGetter.
type Services ¶
type Services struct { services.Trust services.Presence services.Provisioner services.Identity services.Access services.DynamicAccessExt services.ClusterConfiguration services.Restrictions services.Apps services.Kubernetes services.Databases services.WindowsDesktops services.SessionTrackerService services.Enforcer services.ConnectionsDiagnostic services.StatusInternal services.UsageReporter types.Events events.IAuditLog }
func (*Services) GetWebSession ¶
func (r *Services) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)
GetWebSession returns existing web session described by req. Implements ReadAccessPoint
func (*Services) GetWebToken ¶
func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
GetWebToken returns existing web token described by req. Implements ReadAccessPoint
type SessionAccessContext ¶
type SessionAccessContext struct { Username string Roles []types.Role Mode types.SessionParticipantMode }
SessionAccessContext is the context that must be provided per participant in the session.
func (*SessionAccessContext) GetIdentifier ¶
func (ctx *SessionAccessContext) GetIdentifier(fields []string) (interface{}, error)
GetIdentifier is used by the `predicate` library to evaluate variable expressions when evaluating policy filters. It deals with evaluating strings like `participant.name` to the appropriate value.
func (*SessionAccessContext) GetResource ¶
func (ctx *SessionAccessContext) GetResource() (types.Resource, error)
type SessionAccessEvaluator ¶
type SessionAccessEvaluator struct {
// contains filtered or unexported fields
}
SessionAccessEvaluator takes a set of policies and uses rules to evaluate them to determine when a session may start and if a user can join a session.
The current implementation is deliberately simple and uses a brute-force algorithm. More efficient implementations that run in better than roughly O(n^2) time are possible, but they require complex code that is harder to debug in the case of misconfigured policies or other errors and harder to follow intuitively. In practice the number of roles and sessions is small enough that this has no meaningful impact.
func NewSessionAccessEvaluator ¶
func NewSessionAccessEvaluator(policySets []*types.SessionTrackerPolicySet, kind types.SessionKind, owner string) SessionAccessEvaluator
NewSessionAccessEvaluator creates a new session access evaluator for the given session kind and owner, using the session tracker policy sets derived from the roles attached to the host user.
func (*SessionAccessEvaluator) CanJoin ¶
func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.SessionParticipantMode
CanJoin returns the modes a user has access to join a session with. If the list is empty, the user doesn't have access to join the session at all.
func (*SessionAccessEvaluator) FulfilledFor ¶
func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)
FulfilledFor checks if a given session may run with a list of participants.
func (*SessionAccessEvaluator) IsModerated ¶
func (e *SessionAccessEvaluator) IsModerated() bool
IsModerated returns true if the session needs moderation.
func (*SessionAccessEvaluator) PrettyRequirementsList ¶
func (e *SessionAccessEvaluator) PrettyRequirementsList() string
PrettyRequirementsList generates a pretty-printed string of the precise requirements for the session to start, suitable for displaying to users.
type SessionCreds ¶
type SessionCreds struct { // ID is a web session id ID string `json:"id"` }
SessionCreds holds web session credentials.
type SnowflakeSessionWatcher ¶
type SnowflakeSessionWatcher interface { // NewWatcher returns a new event watcher. NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error) // GetSnowflakeSession gets a Snowflake web session for a given request. GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error) }
SnowflakeSessionWatcher is watcher interface used by Snowflake web session watcher.
type StateSpecV2 ¶
type StateSpecV2 struct { // Rotation holds local process rotation state. Rotation types.Rotation `json:"rotation"` }
StateSpecV2 is a state spec.
type StateV2 ¶
type StateV2 struct { // ResourceHeader is a common resource header. types.ResourceHeader // Spec is a process spec. Spec StateSpecV2 `json:"spec"` }
StateV2 is a local process state.
func (*StateV2) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults values.
type TLSServer ¶
type TLSServer struct {
// contains filtered or unexported fields
}
TLSServer is TLS auth server
func NewTLSServer ¶
func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)
NewTLSServer returns a new, unstarted TLS server.
func (*TLSServer) GetConfigForClient ¶
GetConfigForClient is called on every connection; the server's GetConfigForClient reloads the list of trusted local and remote certificate authorities so that client certificates are verified against the current set of CAs rather than one captured at startup.
type TLSServerConfig ¶
type TLSServerConfig struct { // Listener is a listener to bind to Listener net.Listener // TLS is a base TLS configuration TLS *tls.Config // API is API server configuration APIConfig // LimiterConfig is limiter config LimiterConfig limiter.Config // AccessPoint is a caching access point AccessPoint AccessCache // Component is used for debugging purposes Component string // AcceptedUsage restricts authentication // to a subset of certificates based on the metadata AcceptedUsage []string // ID is an optional debugging ID ID string // Metrics are optional TLSServer metrics Metrics *Metrics }
TLSServerConfig is a configuration for TLS server
func (*TLSServerConfig) CheckAndSetDefaults ¶
func (c *TLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type TestAuthServer ¶
type TestAuthServer struct { // TestAuthServer config is configuration used for auth server setup TestAuthServerConfig // AuthServer is an auth server AuthServer *Server // AuditLog is an event audit log AuditLog events.IAuditLog // SessionServer is a session service SessionServer session.Service // Backend is a backend for auth server Backend backend.Backend // Authorizer is an authorizer used in tests Authorizer Authorizer // LockWatcher is a lock watcher used in tests. LockWatcher *services.LockWatcher }
TestAuthServer is an auth server for tests that uses a local filesystem backend and a test certificate authority whose key generation is sped up by reusing the same private key. Because of that key reuse it is insecure by design and must only be used in tests.
func NewTestAuthServer ¶
func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)
NewTestAuthServer returns a new TestAuthServer instance.
func (*TestAuthServer) Clock ¶
func (a *TestAuthServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestAuthServer) Close ¶
func (a *TestAuthServer) Close() error
func (*TestAuthServer) GenerateUserCert ¶
func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*TestAuthServer) NewCertificate ¶
func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
NewCertificate returns new TLS credentials generated by test auth server
func (*TestAuthServer) NewRemoteClient ¶
func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
NewRemoteClient creates a new client to the remote server using an identity generated by this certificate authority.
func (*TestAuthServer) NewTestTLSServer ¶
func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)
NewTestTLSServer returns new test TLS server
func (*TestAuthServer) Trust ¶
func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error
Trust adds the other server's host certificate authority as trusted.
type TestAuthServerConfig ¶
// TestAuthServerConfig is the test configuration for the auth server.
type TestAuthServerConfig struct {
	// ClusterName is the cluster name.
	ClusterName string
	// Dir is the directory for the local backend.
	Dir string
	// AcceptedUsage is an optional list of restricted server usage.
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
	// ClusterNetworkingConfig allows a test to change the default
	// networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// Streamer allows a test to set its own audit events streamer.
	Streamer events.Streamer
	// AuditLog allows a test to configure its own audit log.
	AuditLog events.IAuditLog
	// TraceClient allows a test to configure the trace client.
	TraceClient otlptrace.Client
	// AuthPreferenceSpec is a custom initial AuthPreference spec for the test.
	AuthPreferenceSpec *types.AuthPreferenceSpecV2
}
func (*TestAuthServerConfig) CheckAndSetDefaults ¶
func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type TestDevice ¶
type TestDevice struct { MFA *types.MFADevice TOTPSecret string Key *mocku2f.Key // contains filtered or unexported fields }
TestDevice is a test MFA device.
func NewTestDeviceFromChallenge ¶
func NewTestDeviceFromChallenge(c *proto.MFARegisterChallenge, opts ...TestDeviceOpt) (*TestDevice, *proto.MFARegisterResponse, error)
func RegisterTestDevice ¶
func RegisterTestDevice( ctx context.Context, clt authClient, devName string, devType proto.DeviceType, authenticator *TestDevice, opts ...TestDeviceOpt) (*TestDevice, error)
RegisterTestDevice creates and registers a TestDevice. TOTP devices require a clock option.
func (*TestDevice) Origin ¶
func (d *TestDevice) Origin() string
func (*TestDevice) SolveAuthn ¶
func (d *TestDevice) SolveAuthn(c *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
type TestDeviceOpt ¶
// TestDeviceOpt is a creation option for TestDevice; it is applied to the
// device being constructed (see WithPasswordless and WithTestDeviceClock).
type TestDeviceOpt func(d *TestDevice)
func WithPasswordless ¶
func WithPasswordless() TestDeviceOpt
func WithTestDeviceClock ¶
func WithTestDeviceClock(clock clockwork.Clock) TestDeviceOpt
type TestIdentity ¶
// TestIdentity is a test identity spec used to generate identities in tests.
// The TestUser, TestBuiltin, TestRemoteBuiltin, TestRenewableUser and
// TestServerID helpers build instances of it.
type TestIdentity struct {
	// I is the identity payload.
	// NOTE(review): the accepted concrete types of I are not visible here —
	// confirm against the helpers that populate it.
	I interface{}
	// TTL is the lifetime requested for the generated credentials.
	TTL time.Duration
	// AcceptedUsage is an optional list of usage restrictions.
	AcceptedUsage []string
	// RouteToCluster names the cluster the identity is routed to.
	RouteToCluster string
	// Renewable marks the identity's credentials as renewable.
	Renewable bool
	// Generation is the credential generation (see TestRenewableUser).
	Generation uint64
}
func TestBuiltin ¶
func TestBuiltin(role types.SystemRole) TestIdentity
TestBuiltin returns TestIdentity for builtin user
func TestRemoteBuiltin ¶
func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity
TestRemoteBuiltin returns TestIdentity for a remote builtin role.
func TestRenewableUser ¶
func TestRenewableUser(username string, generation uint64) TestIdentity
TestRenewableUser returns a TestIdentity for a local user with renewable credentials.
func TestServerID ¶
func TestServerID(role types.SystemRole, serverID string) TestIdentity
TestServerID returns a TestIdentity for a node with the passed in serverID.
func TestUser ¶
func TestUser(username string) TestIdentity
TestUser returns TestIdentity for local user
type TestServer ¶
// TestServer defines the set of server components for a test.
type TestServer struct {
	// TLS is the test TLS server.
	TLS *TestTLSServer
	// AuthServer is the test auth server.
	AuthServer *TestAuthServer
}
func NewTestServer ¶
func NewTestServer(cfg TestServerConfig) (*TestServer, error)
NewTestServer creates a new test server from the given configuration.
func (*TestServer) Auth ¶
func (a *TestServer) Auth() *Server
Auth returns the underlying auth server instance
func (*TestServer) ClusterName ¶
func (a *TestServer) ClusterName() string
func (*TestServer) NewClient ¶
func (a *TestServer) NewClient(identity TestIdentity) (*Client, error)
type TestServerConfig ¶
// TestServerConfig defines the configuration for all server components.
type TestServerConfig struct {
	// Auth specifies the auth server configuration.
	Auth TestAuthServerConfig
	// TLS optionally specifies the configuration for the TLS server.
	// If unspecified, it will be generated automatically.
	TLS *TestTLSServerConfig
}
type TestTLSServer ¶
// TestTLSServer is a test TLS server.
type TestTLSServer struct {
	// TestTLSServerConfig is the configuration for the TLS server.
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS.
	Identity *Identity
	// TLSServer is the configured TLS server.
	TLSServer *TLSServer
}
func NewTestTLSServer ¶
func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)
NewTestTLSServer returns a new test TLS server that is started and listening on the 127.0.0.1 loopback address on any available port.
func (*TestTLSServer) Addr ¶
func (t *TestTLSServer) Addr() net.Addr
Addr returns address of TLS server
func (*TestTLSServer) Auth ¶
func (t *TestTLSServer) Auth() *Server
Auth returns auth server used by this TLS server
func (*TestTLSServer) CertPool ¶
func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
CertPool returns the cert pool that the auth server represents.
func (*TestTLSServer) ClientTLSConfig ¶
func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
ClientTLSConfig returns client TLS config based on the identity
func (*TestTLSServer) Clock ¶
func (t *TestTLSServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestTLSServer) CloneClient ¶
func (t *TestTLSServer) CloneClient(clt *Client) *Client
CloneClient uses the same credentials as the passed client but forces the client to be recreated.
func (*TestTLSServer) Close ¶
func (t *TestTLSServer) Close() error
Close closes the listener and HTTP server
func (*TestTLSServer) ClusterName ¶
func (t *TestTLSServer) ClusterName() string
ClusterName returns name of test TLS server cluster
func (*TestTLSServer) NewClient ¶
func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
NewClient returns new client to test server authenticated with identity
func (*TestTLSServer) NewClientFromWebSession ¶
func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)
NewClientFromWebSession returns new authenticated client from web session
func (*TestTLSServer) NewClientWithCert ¶
func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client
NewClientWithCert creates a new client using given cert and private key
func (*TestTLSServer) Shutdown ¶
func (t *TestTLSServer) Shutdown(ctx context.Context) error
Shutdown closes the listener and HTTP server gracefully
func (*TestTLSServer) Start ¶
func (t *TestTLSServer) Start() error
Start starts the TLS server on the loopback address on the first listening socket.
func (*TestTLSServer) Stop ¶
func (t *TestTLSServer) Stop() error
Stop stops the listening server but does not close the auth backend.
type TestTLSServerConfig ¶
// TestTLSServerConfig is the configuration for the test TLS server.
type TestTLSServerConfig struct {
	// APIConfig is the configuration of the API server.
	APIConfig *APIConfig
	// AuthServer is the test auth server used to serve requests.
	AuthServer *TestAuthServer
	// Limiter is the connection and request limiter.
	Limiter *limiter.Config
	// Listener is the listener to serve requests on.
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions.
	AcceptedUsage []string
}
func (*TestTLSServerConfig) CheckAndSetDefaults ¶
func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets limiter defaults
type TrustedCerts ¶
// TrustedCerts contains host certificates. It preserves backwards
// compatibility on the wire, which is the primary reason for the
// non-matching JSON tags.
type TrustedCerts struct {
	// ClusterName identifies the teleport cluster name this authority serves;
	// for host authorities that means the base hostname of all servers,
	// for user authorities that means the organization name.
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures. They are parsed by SSHCertPublicKeys.
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates is a list of TLS certificates of the certificate
	// authority of the authentication server.
	TLSCertificates [][]byte `json:"tls_certs"`
}
func AuthoritiesToTrustedCerts ¶
func AuthoritiesToTrustedCerts(authorities []types.CertAuthority) []TrustedCerts
AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure
func (*TrustedCerts) SSHCertPublicKeys ¶
func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)
SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys
type ValidateTrustedClusterRequest ¶
// ValidateTrustedClusterRequest is the native form of a trusted-cluster
// validation request; ToRaw converts it to ValidateTrustedClusterRequestRaw.
type ValidateTrustedClusterRequest struct {
	// Token is the token presented with the request (wire name "token").
	// NOTE(review): presumably the trusted-cluster join token, i.e. a
	// credential that should not be logged — confirm against the handler.
	Token string `json:"token"`
	// CAs are the certificate authorities carried by the request.
	CAs []types.CertAuthority `json:"certificate_authorities"`
	// TeleportVersion is the Teleport version reported by the requester.
	TeleportVersion string `json:"teleport_version"`
}
func (*ValidateTrustedClusterRequest) ToRaw ¶
func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)
type ValidateTrustedClusterRequestRaw ¶
// ValidateTrustedClusterRequestRaw is the wire form of
// ValidateTrustedClusterRequest: certificate authorities are carried as raw
// bytes and decoded by ToNative.
type ValidateTrustedClusterRequestRaw struct {
	// Token is the token presented with the request (wire name "token").
	Token string `json:"token"`
	// CAs holds the serialized certificate authorities.
	CAs [][]byte `json:"certificate_authorities"`
	// TeleportVersion is the Teleport version reported by the requester.
	TeleportVersion string `json:"teleport_version"`
}
func (*ValidateTrustedClusterRequestRaw) ToNative ¶
func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)
type ValidateTrustedClusterResponse ¶
// ValidateTrustedClusterResponse is the native form of a trusted-cluster
// validation response; ToRaw converts it to ValidateTrustedClusterResponseRaw.
type ValidateTrustedClusterResponse struct {
	// CAs are the certificate authorities returned to the requester.
	CAs []types.CertAuthority `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponse) ToRaw ¶
func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)
type ValidateTrustedClusterResponseRaw ¶
// ValidateTrustedClusterResponseRaw is the wire form of
// ValidateTrustedClusterResponse: certificate authorities are carried as raw
// bytes and decoded by ToNative.
type ValidateTrustedClusterResponseRaw struct {
	// CAs holds the serialized certificate authorities.
	CAs [][]byte `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponseRaw) ToNative ¶
func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)
type WebService ¶
// WebService implements features used by Web UI clients.
type WebService interface {
	// GetWebSessionInfo checks if a web session is valid and returns the
	// session if it is, or an error otherwise.
	GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session described by req.
	ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
	// CreateWebSession creates a new web session for a user.
	CreateWebSession(ctx context.Context, user string) (types.WebSession, error)
	// AppSession defines application session features.
	services.AppSession
	// SnowflakeSession defines Snowflake session features.
	services.SnowflakeSession
}
type WebSessionReq ¶
// WebSessionReq describes a request to extend a web session (see
// WebService.ExtendWebSession).
type WebSessionReq struct {
	// User is the user name associated with the session id.
	User string `json:"user"`
	// PrevSessionID is the id of the current session.
	PrevSessionID string `json:"prev_session_id"`
	// AccessRequestID is an optional field that holds the id of an approved
	// access request.
	AccessRequestID string `json:"access_request_id"`
	// Switchback is a flag to indicate that the user wants to switch back from
	// an assumed role to their default role.
	Switchback bool `json:"switchback"`
	// ReloadUser is a flag to indicate that the user needs to be refetched
	// from the backend to apply new user changes, e.g. updated user traits.
	ReloadUser bool `json:"reload_user"`
}
type WindowsDesktopAccessPoint ¶
type WindowsDesktopAccessPoint interface { // ReadWindowsDesktopAccessPoint provides methods to read data ReadWindowsDesktopAccessPoint // contains filtered or unexported methods }
WindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.
func NewWindowsDesktopWrapper ¶
func NewWindowsDesktopWrapper(base WindowsDesktopAccessPoint, cache ReadWindowsDesktopAccessPoint) WindowsDesktopAccessPoint
type WindowsDesktopWrapper ¶
type WindowsDesktopWrapper struct { ReadWindowsDesktopAccessPoint NoCache WindowsDesktopAccessPoint // contains filtered or unexported fields }
func (*WindowsDesktopWrapper) Close ¶
func (w *WindowsDesktopWrapper) Close() error
Close closes all associated resources
type WrapIdentity ¶
WrapIdentity wraps an identity to provide an identity getter function.
func (WrapIdentity) GetIdentity ¶
func (i WrapIdentity) GetIdentity() tlsca.Identity
GetIdentity returns identity
Source Files ¶
- access.go
- accountrecovery.go
- api.go
- apiserver.go
- auth.go
- auth_with_roles.go
- aws_certs.go
- bot.go
- clt.go
- db.go
- desktop.go
- github.go
- grpcserver.go
- helpers.go
- helpers_mfa.go
- httpfallback.go
- init.go
- join.go
- join_circleci.go
- join_ec2.go
- join_github.go
- join_iam.go
- kube.go
- methods.go
- middleware.go
- oidc.go
- oidc_google.go
- password.go
- permissions.go
- register.go
- rotate.go
- saml.go
- session_access.go
- sessions.go
- sso_diag_context.go
- state.go
- state_unix.go
- sts_endpoints.go
- trustedcluster.go
- user.go
- usertoken.go
Directories ¶
Path | Synopsis |
---|---|
Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
|
Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy. |
Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
|
Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS. |
package test contains CA authority acceptance test suite.
|
package test contains CA authority acceptance test suite. |
Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
|
Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys. |
Package webauthn implements server-side support for the Web Authentication specification.
|
Package webauthn implements server-side support for the Web Authentication specification. |
Package webauthncli provides the client-side implementation for WebAuthn.
|
Package webauthncli provides the client-side implementation for WebAuthn. |
Package webauthnwin is a wrapper around the Windows webauthn API.
|
Package webauthnwin is a wrapper around the Windows webauthn API. |