auth

package

Documentation

Overview

Package auth implements a certificate signing authority and access control server. The authority server is composed of several parts:

* the authority server itself, which implements the signing and ACL logic
* an HTTP server wrapper for the authority server
* an HTTP client wrapper

Package auth implements a certificate signing authority and access control server. The authority server is composed of several parts:

* the authority server itself, which implements the signing and ACL logic
* an HTTP server wrapper for the authority server
* an HTTP client wrapper

Index

Constants

const (
	// WebSessionTTL is the standard time-to-live of a web session.
	WebSessionTTL = 10 * time.Minute
	// TokenLenBytes is the length in bytes of an invite token.
	TokenLenBytes = 16
)
const (
	// DialerRetryAttempts is the number of attempts the dialer makes to
	// connect to the remote destination.
	DialerRetryAttempts = 3
	// DialerPeriodBetweenAttempts is the pause between retry attempts.
	DialerPeriodBetweenAttempts = time.Second
)
const (
	// Req* name SSH request / channel types used over the auth tunnel.
	// "direct-tcpip" is the standard RFC 4254 channel type; the "@teleport"
	// suffixed names are Teleport-specific — confirm against lib/auth/tun.go.
	ReqWebSessionAgent = "web-session-agent@teleport"
	ReqProvision       = "provision@teleport"
	ReqDirectTCPIP     = "direct-tcpip"
	ReqNewAuth         = "new-auth@teleport"

	// Ext* are extension keys; presumably they carry the credential material
	// (session, password, U2F data, provisioning token, host, role) through
	// the SSH authentication exchange — verify against the tunnel code.
	// NOTE(review): ExtToken has the same string value as ReqProvision.
	ExtWebSession  = "web-session@teleport"
	ExtWebPassword = "web-password@teleport"
	ExtWebU2F      = "web-u2f@teleport"
	ExtToken       = "provision@teleport"
	ExtHost        = "host@teleport"
	ExtRole        = "role@teleport"

	// Auth* identify the client authentication methods; they correspond to
	// the NewWeb*Auth / NewTokenAuth / NewSignupTokenAuth constructors in
	// this package (mapping inferred from the names — confirm).
	AuthWebPassword = "password"
	AuthWebU2FSign  = "u2f-sign"
	AuthWebU2F      = "u2f"
	AuthWebSession  = "session"
	AuthToken       = "provision-token"
	AuthSignupToken = "signup-token"
)
// CurrentVersion is the current API version.
const CurrentVersion = services.V2

CurrentVersion is the current API version.

Variables

This section is empty.

Functions

func GetCheckerForBuiltinRole

func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error)

GetCheckerForBuiltinRole returns the access checker for an embedded builtin role.

func HaveHostKeys added in v1.0.0

func HaveHostKeys(dataDir string, id IdentityID) (bool, error)

HaveHostKeys checks whether the host keys are in place.

func Init

func Init(cfg InitConfig, seedConfig bool) (*AuthServer, *Identity, error)

Init instantiates and configures an instance of AuthServer

func LocalRegister added in v1.0.0

func LocalRegister(dataDir string, id IdentityID, authServer *AuthServer) error

LocalRegister is used in standalone mode to register roles without connecting to remote clients and provisioning tokens

func NewAPIServer

func NewAPIServer(config *APIConfig) http.Handler

NewAPIServer returns a new instance of APIServer HTTP handler

func NewHostAuth

func NewHostAuth(key, cert []byte) ([]ssh.AuthMethod, error)

func NewSignupTokenAuth

func NewSignupTokenAuth(token string) ([]ssh.AuthMethod, error)

func NewTokenAuth

func NewTokenAuth(domainName, token string) ([]ssh.AuthMethod, error)

func NewWebPasswordAuth

func NewWebPasswordAuth(user string, password []byte, otpToken string) ([]ssh.AuthMethod, error)

func NewWebPasswordU2FSignAuth added in v1.3.0

func NewWebPasswordU2FSignAuth(user string, password []byte) ([]ssh.AuthMethod, error)

NewWebPasswordU2FSignAuth is for getting a U2F sign challenge

func NewWebSessionAuth

func NewWebSessionAuth(user string, session []byte) ([]ssh.AuthMethod, error)

func NewWebU2FSignResponseAuth added in v1.3.0

func NewWebU2FSignResponseAuth(user string, u2fSignResponse *u2f.SignResponse) ([]ssh.AuthMethod, error)

NewWebU2FSignResponseAuth is for signing in with a U2F sign response

func Register

func Register(dataDir, token string, id IdentityID, servers []utils.NetAddr) error

Register is used by auth service clients (other services, like proxy or SSH) when a new node joins the cluster

func RegisterNewAuth

func RegisterNewAuth(domainName, token string, servers []utils.NetAddr) error

func WriteIdentity added in v1.0.0

func WriteIdentity(dataDir string, identity *Identity) error

WriteIdentity writes identity keypair to disk

Types

type APIConfig added in v1.0.0

// APIConfig holds the dependencies of the API server (see NewAPIServer).
type APIConfig struct {
	// AuthServer is the auth server whose API is exposed.
	AuthServer     *AuthServer
	// SessionService is the session backend; presumably used by the session
	// handlers — confirm against the handler implementation.
	SessionService session.Service
	// AuditLog receives audit events emitted through the API.
	AuditLog       events.IAuditLog
	// Authorizer maps the caller's identity to an AuthContext (see Authorizer).
	Authorizer     Authorizer
}

type APIServer

// APIServer implements the HTTP API server for the AuthServer interface.
// It embeds its APIConfig and an httprouter.Router.
type APIServer struct {
	APIConfig
	httprouter.Router
}

APIServer implements the HTTP API server for the AuthServer interface.

type AccessPoint

// AccessPoint is the API interface implemented by a certificate authority (CA).
type AccessPoint interface {
	// GetDomainName returns domain name AKA ("cluster name") of the auth
	// server / certificate authority (CA)
	GetDomainName() (string, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNodes returns a list of servers registered in the given namespace
	GetNodes(namespace string) ([]services.Server, error)

	// UpsertNode registers server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server, ttl time.Duration) error

	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server, ttl time.Duration) error

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetCertAuthorities returns a list of cert authorities of the given type;
	// loadKeys controls whether private key material is included
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers() ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)
}

AccessPoint is an API interface implemented by a certificate authority (CA)

type AccessPointDialer

// AccessPointDialer dials the auth access point's remote HTTP API.
type AccessPointDialer func() (net.Conn, error)

AccessPointDialer dials the auth access point's remote HTTP API.

type AgentCloser added in v1.0.0

// AgentCloser is an SSH agent (agent.Agent) that can also be closed.
type AgentCloser interface {
	io.Closer
	agent.Agent
}

type AuthContext

// AuthContext is the authorization context produced by an Authorizer.
type AuthContext struct {
	// Username is the user name
	Username string
	// Checker is the access checker for that user
	Checker services.AccessChecker
}

AuthContext is the authorization context.

type AuthServer

// AuthServer keeps the cluster together. It acts as a certificate authority
// (CA) for a cluster and:
//   - generates the keypair for the node it's running on
//   - invites other SSH nodes to a cluster, by issuing invite tokens
//   - adds other SSH nodes to a cluster, by checking their token and signing their keys
//   - same for users and their sessions
//   - checks public keys to see if they're signed by it (can be trusted or not)
type AuthServer struct {
	// Authority provides key generation and certificate signing.
	Authority

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed.
	// A static token is a long-lived join credential that never expires and is not
	// consumed on use; where possible prefer tokens issued by GenerateToken, which
	// carry a TTL and are single-use.
	StaticTokens []services.ProvisionToken

	// U2F is the configuration of the U2F 2 factor authentication
	U2F services.U2F

	// Embedded backend services the auth server delegates to; the names suggest
	// CA/trust storage, presence, provisioning tokens, identities and access
	// rules respectively — confirm against the services package.
	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func NewAuthServer

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) *AuthServer

NewAuthServer creates and configures a new AuthServer instance.

func (*AuthServer) CheckOTP

func (s *AuthServer) CheckOTP(user string, otpToken string) error

CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.

func (*AuthServer) CheckPassword

func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.

func (*AuthServer) CheckPasswordWOToken

func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just the password, without checking OTP tokens. It is used in the case of SSH authentication, when the token has already been validated.

func (*AuthServer) CheckU2FEnabled added in v1.3.0

func (a *AuthServer) CheckU2FEnabled() error

func (*AuthServer) CheckU2FSignResponse added in v1.3.0

func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error

func (*AuthServer) Close added in v1.0.0

func (a *AuthServer) Close() error

func (*AuthServer) CreateOIDCAuthRequest added in v1.0.0

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateSignupToken

func (s *AuthServer) CreateSignupToken(userv1 services.UserV1) (string, error)

CreateSignupToken creates a one-time token for creating an account for the user. For each token it creates a username and an OTP generator.

func (*AuthServer) CreateSignupU2FRegisterRequest added in v1.3.0

func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthServer) CreateUserWithToken

func (s *AuthServer) CreateUserWithToken(token string, password string, otpToken string) (*Session, error)

CreateUserWithToken creates an account with the provided token and password. The account username and HOTP generator are taken from the token data. The token is deleted after account creation.

func (*AuthServer) CreateUserWithU2FToken added in v1.3.0

func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (*Session, error)

func (*AuthServer) CreateWebSession added in v1.0.0

func (s *AuthServer) CreateWebSession(user string) (*Session, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*AuthServer) DeleteNamespace

func (s *AuthServer) DeleteNamespace(namespace string) error

func (*AuthServer) DeleteOIDCConnector

func (s *AuthServer) DeleteOIDCConnector(connectorName string) error

func (*AuthServer) DeleteRole

func (a *AuthServer) DeleteRole(name string) error

func (*AuthServer) DeleteToken

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteUser

func (a *AuthServer) DeleteUser(user string) error

func (*AuthServer) DeleteWebSession

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExtendWebSession added in v1.0.0

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (*Session, error)

ExtendWebSession creates a new web session for a user based on a valid previous session ID; this method is used to renew the web session for a user.

func (*AuthServer) GenerateHostCert

func (s *AuthServer) GenerateHostCert(key []byte, hostID, authDomain string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert generates a host certificate signed with the host certificate authority's private key.

func (*AuthServer) GenerateServerKeys added in v1.0.0

func (s *AuthServer) GenerateServerKeys(hostID string, roles teleport.Roles) (*PackedKeys, error)

GenerateServerKeys generates a private key and a certificate signed by the host certificate authority, listing the roles of this server.

func (*AuthServer) GenerateToken

func (s *AuthServer) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

func (*AuthServer) GenerateUserCert

func (s *AuthServer) GenerateUserCert(key []byte, username string, allowedLogins []string, ttl time.Duration) ([]byte, error)

GenerateUserCert generates a user certificate signed with the user certificate authority's private key.

func (*AuthServer) GetDomainName added in v1.2.6

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetOTPData

func (s *AuthServer) GetOTPData(user string) (string, []byte, error)

GetOTPData returns the OTP Key, Key URL, and the QR code.

func (*AuthServer) GetSignupTokenData

func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)

GetSignupTokenData returns token data for a valid token

func (*AuthServer) GetTokens added in v1.0.0

func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning tokens and user invitation tokens). Machine tokens usually have "node roles" such as auth, proxy and node, while user invitation tokens have the 'signup' role.

func (*AuthServer) GetU2FAppID added in v1.3.0

func (a *AuthServer) GetU2FAppID() (string, error)

func (*AuthServer) GetWebSession

func (s *AuthServer) GetWebSession(userName string, id string) (*Session, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (*Session, error)

func (*AuthServer) NewWebSession

func (s *AuthServer) NewWebSession(userName string) (*Session, error)

func (*AuthServer) PreAuthenticatedSignIn added in v1.3.0

func (s *AuthServer) PreAuthenticatedSignIn(user string) (*Session, error)

PreAuthenticatedSignIn is for two-way authentication methods like U2F, where the password is already checked before issuing the second-factor challenge.

func (*AuthServer) RegisterNewAuthServer

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken

func (s *AuthServer) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using a previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (new nodes can't register after the TTL expires). If a token was generated with a TTL of 0, it is a single-use token and is destroyed after a successful registration.

func (*AuthServer) SignIn

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error)

func (*AuthServer) U2FSignRequest added in v1.3.0

func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthServer) UpsertOIDCConnector

func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

func (*AuthServer) UpsertWebSession

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error

func (*AuthServer) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check the OIDC query parameters returned by the OIDC provider. If everything checks out, the auth server responds with an OIDCAuthResponse; otherwise it returns an error.

func (*AuthServer) ValidateToken

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidateToken takes a provisioning token value and checks whether it is valid. It returns the list of roles this token allows its owner to assume, or an error if the token cannot be found.

type AuthServerOption added in v1.0.0

// AuthServerOption allows setting options as functional arguments to NewAuthServer.
type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthTunnel added in v1.0.0

// AuthTunnel listens on a TCP/IP socket and accepts SSH connections. It then
// establishes an SSH tunnel over which HTTP requests travel; in other words,
// the Auth Service API runs on HTTP-via-SSH-tunnel. It is created with
// NewTunnel; use auth.TunClient to connect to it.
type AuthTunnel struct {
	// contains filtered or unexported fields
}

AuthTunnel listens on a TCP/IP socket and accepts SSH connections. It then establishes an SSH tunnel over which HTTP requests travel. In other words, the Auth Service API runs on HTTP-via-SSH-tunnel.

Use auth.TunClient to connect to AuthTunnel

func NewTunnel added in v1.0.0

func NewTunnel(addr utils.NetAddr,
	hostSigner ssh.Signer,
	apiConf *APIConfig,
	opts ...ServerOption) (tunnel *AuthTunnel, err error)

NewTunnel creates a new SSH tunnel server which is not started yet. This is how the "site API" (aka "auth API") is served: by creating a "tunnel server" which serves HTTP via SSH.

func (*AuthTunnel) Addr added in v1.0.0

func (s *AuthTunnel) Addr() string

func (*AuthTunnel) Close added in v1.0.0

func (s *AuthTunnel) Close() error

func (*AuthTunnel) HandleNewChan added in v1.0.0

func (s *AuthTunnel) HandleNewChan(_ net.Conn, sconn *ssh.ServerConn, nch ssh.NewChannel)

HandleNewChan implements NewChanHandler interface: it gets called every time a new SSH connection is established

func (*AuthTunnel) Start added in v1.0.0

func (s *AuthTunnel) Start() error

type AuthWithRoles

// AuthWithRoles wraps an AuthServer with access control. It is built by
// NewAuthWithRoles from the auth server, an access checker, the user name,
// a session service and an audit log; how each method enforces the checker
// is not visible here — confirm in the implementation.
type AuthWithRoles struct {
	// contains filtered or unexported fields
}

func NewAuthWithRoles

func NewAuthWithRoles(authServer *AuthServer,
	checker services.AccessChecker,
	user string,
	sessions session.Service,
	alog events.IAuditLog) *AuthWithRoles

NewAuthWithRoles creates a new auth server with access control.

func (*AuthWithRoles) CheckPassword

func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*AuthWithRoles) CreateOIDCAuthRequest added in v1.0.0

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateSession added in v1.0.0

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateSignupToken

func (a *AuthWithRoles) CreateSignupToken(user services.UserV1) (token string, e error)

func (*AuthWithRoles) CreateUserWithToken

func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error)

func (*AuthWithRoles) CreateUserWithU2FToken added in v1.3.0

func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (*Session, error)

func (*AuthWithRoles) CreateWebSession added in v1.0.0

func (a *AuthWithRoles) CreateWebSession(user string) (*Session, error)

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteNamespace

func (a *AuthWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*AuthWithRoles) DeleteOIDCConnector added in v1.0.0

func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteRole

func (a *AuthWithRoles) DeleteRole(name string) error

DeleteRole deletes role by name

func (*AuthWithRoles) DeleteToken added in v1.0.0

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteUser

func (a *AuthWithRoles) DeleteUser(user string) error

func (*AuthWithRoles) DeleteWebSession

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent added in v1.0.0

func (a *AuthWithRoles) EmitAuditEvent(eventType string, fields events.EventFields) error

func (*AuthWithRoles) ExtendWebSession added in v1.0.0

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (*Session, error)

func (*AuthWithRoles) GenerateHostCert

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostname, authDomain string, roles teleport.Roles,
	ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateToken

func (a *AuthWithRoles) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

func (*AuthWithRoles) GenerateUserCert

func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

func (*AuthWithRoles) GetCertAuthority

func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error)

func (*AuthWithRoles) GetDomainName added in v1.2.6

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetNamespace

func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*AuthWithRoles) GetNamespaces

func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*AuthWithRoles) GetNodes added in v1.0.0

func (a *AuthWithRoles) GetNodes(namespace string) ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors added in v1.0.0

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetOTPData

func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)

func (*AuthWithRoles) GetProxies added in v1.0.0

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0

func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetRole

func (a *AuthWithRoles) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*AuthWithRoles) GetRoles

func (a *AuthWithRoles) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*AuthWithRoles) GetSession

func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk added in v1.0.0

func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0

func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions

func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)

func (*AuthWithRoles) GetSignupToken

func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)

func (*AuthWithRoles) GetSignupTokenData

func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)

func (*AuthWithRoles) GetSignupU2FRegisterRequest added in v1.3.0

func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthWithRoles) GetToken

func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)

func (*AuthWithRoles) GetTokens added in v1.0.0

func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetU2FAppID added in v1.3.0

func (a *AuthWithRoles) GetU2FAppID() (string, error)

func (*AuthWithRoles) GetU2FSignRequest added in v1.3.0

func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthWithRoles) GetUser added in v1.0.0

func (a *AuthWithRoles) GetUser(name string) (services.User, error)

func (*AuthWithRoles) GetUsers

func (a *AuthWithRoles) GetUsers() ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error)

func (*AuthWithRoles) PostSessionChunk added in v1.0.0

func (a *AuthWithRoles) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error

func (*AuthWithRoles) PreAuthenticatedSignIn added in v1.3.0

func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (*Session, error)

func (*AuthWithRoles) RegisterNewAuthServer

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken

func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

func (*AuthWithRoles) SearchEvents added in v1.0.0

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)

func (*AuthWithRoles) SignIn

func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error)

func (*AuthWithRoles) UpdateSession added in v1.0.0

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0

func (a *AuthWithRoles) UpsertAuthServer(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

func (*AuthWithRoles) UpsertNamespace

func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*AuthWithRoles) UpsertNode added in v1.0.0

func (a *AuthWithRoles) UpsertNode(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertOIDCConnector added in v1.0.0

func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

func (*AuthWithRoles) UpsertPassword

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error

func (*AuthWithRoles) UpsertProxy added in v1.0.0

func (a *AuthWithRoles) UpsertProxy(s services.Server, ttl time.Duration) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error

func (*AuthWithRoles) UpsertRole

func (a *AuthWithRoles) UpsertRole(role services.Role) error

UpsertRole creates or updates role

func (*AuthWithRoles) UpsertTOTP

func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error

func (*AuthWithRoles) UpsertToken

func (a *AuthWithRoles) UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error

func (*AuthWithRoles) UpsertUser added in v1.0.0

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateOIDCAuthCallback added in v1.0.0

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

type Authority

// Authority implements a minimal key-management facility for generating
// OpenSSH-compatible public/private key pairs and OpenSSH certificates.
type Authority interface {
	// GenerateKeyPair generates a new keypair, optionally protected by passphrase
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)

	// GetNewKeyPairFromPool returns a new keypair from the pre-generated in-memory pool
	GetNewKeyPairFromPool() (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert generates a host certificate for the public key `key`;
	// it takes pkey as the signing private key (host certificate authority)
	GenerateHostCert(pkey, key []byte, hostID, authDomain string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCert generates a user certificate for the public key `key`;
	// it takes pkey as the signing private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, teleportUsername string, allowedLogins []string, ttl time.Duration) ([]byte, error)
}

Authority implements a minimal key-management facility for generating OpenSSH-compatible public/private key pairs and OpenSSH certificates.

type Authorizer

// Authorizer authorizes an identity and returns its auth context.
type Authorizer interface {
	// Authorize authorizes the user based on the identity supplied via ctx
	Authorize(ctx context.Context) (*AuthContext, error)
}

Authorizer authorizes an identity and returns its auth context.

func NewAuthorizer

func NewAuthorizer(access services.Access, identity services.Identity, trust services.Trust) (Authorizer, error)

NewAuthorizer returns a new authorizer backed by the given access, identity and trust services.

func NewRoleAuthorizer

func NewRoleAuthorizer(r teleport.Role) (Authorizer, error)

NewRoleAuthorizer returns an authorizer that authorizes everyone as the given predefined role.

func NewUserAuthorizer

func NewUserAuthorizer(username string, identity services.Identity, access services.Access) (Authorizer, error)

NewUserAuthorizer returns an authorizer that authorizes everyone as the given predefined local user.

type Client

// Client is the HTTP Auth API client. It works by connecting to auth servers
// via HTTP; Teleport servers usually establish an SSH tunnel first and do
// HTTP-over-SSH, which is why this client is wrapped by auth.TunClient
// (lib/auth/tun.go). Construct it with NewClient.
type Client struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is the HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewClient

func NewClient(addr string, dialer Dialer, params ...roundtrip.ClientParam) (*Client, error)

NewClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH.

func (*Client) CheckPassword

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks whether the supplied web access password is valid.

func (*Client) Close added in v1.0.0

func (c *Client) Close() error

func (*Client) CreateOIDCAuthRequest added in v1.0.0

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*Client) CreateSession added in v1.0.0

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateSignupToken

func (c *Client) CreateSignupToken(user services.UserV1) (string, error)

CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator

func (*Client) CreateUserWithToken

func (c *Client) CreateUserWithToken(token, password, otpToken string) (*Session, error)

CreateUserWithToken creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.

func (*Client) CreateUserWithU2FToken added in v1.3.0

func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (*Session, error)

CreateUserWithU2FToken creates user account with provided token and U2F sign response

func (*Client) CreateWebSession added in v1.0.0

func (c *Client) CreateWebSession(user string) (*Session, error)

CreateWebSession creates a new web session for a user

func (*Client) Delete

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteCertAuthority added in v1.0.0

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteNamespace

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteOIDCConnector added in v1.0.0

func (c *Client) DeleteOIDCConnector(connectorID string) error

DeleteOIDCConnector deletes OIDC connector by ID

func (*Client) DeleteReverseTunnel added in v1.0.0

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteRole

func (c *Client) DeleteRole(name string) error

DeleteRole deletes role by name

func (*Client) DeleteSession

func (c *Client) DeleteSession(namespace, id string) error

DeleteSession deletes a session by ID

func (*Client) DeleteToken added in v1.0.0

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token

func (*Client) DeleteUser

func (c *Client) DeleteUser(user string) error

DeleteUser deletes a user by username

func (*Client) DeleteWebSession

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent added in v1.0.0

func (c *Client) EmitAuditEvent(eventType string, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of the events.IAuditLog interface)

func (*Client) ExtendWebSession added in v1.0.0

func (c *Client) ExtendWebSession(user string, prevSessionID string) (*Session, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert

func (c *Client) GenerateHostCert(
	key []byte, hostname, authDomain string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateToken

func (c *Client) GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for the ttl period.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

The token can be used only once.

func (*Client) GenerateUserCert

func (c *Client) GenerateUserCert(
	key []byte, user string, ttl time.Duration) ([]byte, error)

GenerateUserCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*Client) Get

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAuthServers added in v1.0.0

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority

func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetDomainName added in v1.2.6

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetNamespace

func (c *Client) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces

func (c *Client) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetNodes added in v1.0.0

func (c *Client) GetNodes(namespace string) ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector added in v1.0.0

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

GetOIDCConnector returns OIDC connector information by id

func (*Client) GetOIDCConnectors added in v1.0.0

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

GetOIDCConnectors returns the list of OIDC connectors

func (*Client) GetProxies added in v1.0.0

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of proxies registered in the cluster.

func (*Client) GetReverseTunnels added in v1.0.0

func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetRole

func (c *Client) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*Client) GetRoles

func (c *Client) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*Client) GetSession

func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk added in v1.0.0

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting at offsetBytes and at most maxBytes in length. The upper bound of maxBytes is events.MaxChunkBytes.

func (*Client) GetSessionEvents added in v1.0.0

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int) (retval []events.EventFields, err error)

GetSessionEvents returns the events that happened during a session, sorted by time (oldest first).

afterN filters the result to events "newer than N", where N is the cursor ID of the previously returned batch (useful for polling for the latest events).

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions

func (c *Client) GetSessions(namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupTokenData

func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

GetSignupTokenData returns token data for a valid token

func (*Client) GetSignupU2FRegisterRequest added in v1.3.0

func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

GetSignupU2FRegisterRequest generates a U2F registration request for a user signing up with an invite token

func (*Client) GetToken

func (c *Client) GetToken(token string) (*services.ProvisionToken, error)

GetToken returns provisioning token

func (*Client) GetTokens added in v1.0.0

func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport added in v1.0.0

func (c *Client) GetTransport() *http.Transport

func (*Client) GetU2FAppID added in v1.3.0

func (c *Client) GetU2FAppID() (string, error)

GetU2FAppID returns U2F settings, like App ID and Facets

func (*Client) GetU2FSignRequest added in v1.3.0

func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

GetU2FSignRequest generates request for user trying to authenticate with U2F token

func (*Client) GetUser added in v1.0.0

func (c *Client) GetUser(name string) (services.User, error)

GetUser returns the user registered under the given name

func (*Client) GetUsers

func (c *Client) GetUsers() ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0

func (c *Client) GetWebSessionInfo(user string, sid string) (*Session, error)

GetWebSessionInfo checks whether a web session is valid and returns the session if it is, or an error otherwise.

func (*Client) PostForm

func (c *Client) PostForm(
	endpoint string,
	vals url.Values,
	files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0

func (c *Client) PostJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionChunk added in v1.0.0

func (c *Client) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error

PostSessionChunk allows clients to submit session stream chunks to the audit log (part of the events.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) PreAuthenticatedSignIn added in v1.3.0

func (c *Client) PreAuthenticatedSignIn(user string) (*Session, error)

PreAuthenticatedSignIn is for two-step authentication methods like U2F, where the password has already been checked before the second-factor challenge is issued

func (*Client) PutJSON added in v1.0.0

func (c *Client) PutJSON(
	endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer

func (c *Client) RegisterNewAuthServer(token string) error

RegisterNewAuthServer is used to register new auth server with token

func (*Client) RegisterUsingToken

func (c *Client) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node via registration token which has been previously issued via GenerateToken

func (*Client) SearchEvents added in v1.0.0

func (c *Client) SearchEvents(from, to time.Time, query string) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SignIn

func (c *Client) SignIn(user string, password []byte) (*Session, error)

SignIn checks if the web access password is valid, and if it is valid returns a secure web session id.

func (*Client) UpdateSession added in v1.0.0

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UpsertAuthServer added in v1.0.0

func (c *Client) UpsertAuthServer(s services.Server, ttl time.Duration) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in the form of a heartbeat that expires after the ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0

func (c *Client) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertNamespace

func (c *Client) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertNode added in v1.0.0

func (c *Client) UpsertNode(s services.Server, ttl time.Duration) error

UpsertNode is used by SSH servers to report their presence to the auth servers in the form of a heartbeat that expires after the ttl period.

func (*Client) UpsertOIDCConnector added in v1.0.0

func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

UpsertOIDCConnector updates or creates OIDC connector

func (*Client) UpsertPassword

func (c *Client) UpsertPassword(user string, password []byte) error

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0

func (c *Client) UpsertProxy(s services.Server, ttl time.Duration) error

UpsertProxy is used by proxies to report their presence to the auth servers in the form of a heartbeat that expires after the ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel, ttl time.Duration) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertRole

func (c *Client) UpsertRole(role services.Role) error

UpsertRole creates or updates role

func (*Client) UpsertUser added in v1.0.0

func (c *Client) UpsertUser(user services.User) error

UpsertUser updates or inserts a user entry

func (*Client) ValidateOIDCAuthCallback added in v1.0.0

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

type ClientI

ClientI is a client to Auth service

type Dialer added in v1.0.0

// Dialer dials addr over the given network and returns the resulting connection
// (same signature as net.Dial).
type Dialer func(network, addr string) (net.Conn, error)

type FakeSSHConnection added in v1.0.0

// FakeSSHConnection implements the net.Conn interface on top of an ssh.Channel.
// This allows non-SSH servers (like HTTP) to run on top of an existing SSH connection.
type FakeSSHConnection struct {
	// contains filtered or unexported fields
}

FakeSSHConnection implements the net.Conn interface on top of an ssh.Channel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection

func (*FakeSSHConnection) Close added in v1.0.0

func (conn *FakeSSHConnection) Close() error

func (*FakeSSHConnection) LocalAddr added in v1.0.0

func (conn *FakeSSHConnection) LocalAddr() net.Addr

func (*FakeSSHConnection) Read added in v1.0.0

func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)

func (*FakeSSHConnection) RemoteAddr added in v1.0.0

func (conn *FakeSSHConnection) RemoteAddr() net.Addr

func (*FakeSSHConnection) SetDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetDeadline(t time.Time) error

SetDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetReadDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error

SetReadDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) SetWriteDeadline added in v1.0.0

func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error

SetWriteDeadline is needed to implement net.Conn interface

func (*FakeSSHConnection) Write added in v1.0.0

func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)

type HandlerWithAuthFunc

// HandlerWithAuthFunc is an http handler that, in addition to the usual request values,
// receives the caller's authenticated auth context (ClientI) and the requested API version.
// It returns a response value or an error.
type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type Identity added in v1.0.0

// Identity is a collection of certificates and signers that represent an identity
// (a role on a given host, see IdentityID). Instances are produced by ReadIdentity
// and ReadIdentityFromKeyPair.
type Identity struct {
	// ID is the role and host UUID this identity was issued for
	ID              IdentityID
	// KeyBytes is the raw key material the identity was read from
	// (presumably the private key — treat as secret; confirm against ReadIdentityFromKeyPair)
	KeyBytes        []byte
	// CertBytes is the raw certificate the identity was read from; Cert is its parsed form
	CertBytes       []byte
	// KeySigner is the SSH signer for this identity (presumably derived from KeyBytes — confirm)
	KeySigner       ssh.Signer
	// Cert is the parsed SSH certificate
	Cert            *ssh.Certificate
	// AuthorityDomain is the domain of the authority that issued the certificate
	// — NOTE(review): inferred from the name, confirm against ReadIdentity
	AuthorityDomain string
}

Identity is a collection of certificates and signers that represent identity

func ReadIdentity added in v1.0.0

func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error)

ReadIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadIdentityFromKeyPair added in v1.0.0

func ReadIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadIdentityFromKeyPair reads identity from initialized keypair

type IdentityID added in v1.0.0

// IdentityID is a combination of role and host UUID; together they identify
// which Identity is meant in the key storage (see ReadIdentity).
type IdentityID struct {
	// Role is the teleport role the identity was issued for
	Role     teleport.Role
	// HostUUID is the UUID of the host that holds the identity
	HostUUID string
}

IdentityID is a combination of role and host UUID

func (*IdentityID) Equals added in v1.0.0

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) String added in v1.0.0

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService

// IdentityService manages identities and users: web passwords, OIDC connectors and
// callbacks, U2F challenges, user records, signup tokens and the signing of host and
// user certificates.
type IdentityService interface {
	// UpsertPassword updates web access password for the user
	UpsertPassword(user string, password []byte) error

	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error

	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

	// GetOIDCConnectors returns the list of OIDC connectors
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(connectorID string) error

	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

	// GetU2FSignRequest generates request for user trying to authenticate with U2F token
	GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

	// GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token
	GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error)

	// CreateUserWithU2FToken creates user account with provided token and U2F sign response
	CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (*Session, error)

	// PreAuthenticatedSignIn is used to get a web session for a user that is already
	// authenticated (e.g. after a U2F challenge, where the password was checked earlier)
	PreAuthenticatedSignIn(user string) (*Session, error)

	// GetU2FAppID returns U2F settings, like App ID and Facets
	GetU2FAppID() (string, error)

	// GetUser returns user by name
	GetUser(name string) (services.User, error)

	// UpsertUser updates or inserts a user entry
	UpsertUser(user services.User) error

	// DeleteUser deletes a user by username
	DeleteUser(user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers() ([]services.User, error)

	// CheckPassword checks if the supplied web access password (and OTP token) is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// SignIn checks if the web access password is valid, and if it is valid
	// returns a secure web session id.
	SignIn(user string, password []byte) (*Session, error)

	// CreateUserWithToken creates account with provided token and password.
	// Account username and OTP key are taken from token data.
	// Deletes token after account creation.
	CreateUserWithToken(token, password, otpToken string) (*Session, error)

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for the ttl period.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// The token can be used only once.
	GenerateToken(roles teleport.Roles, ttl time.Duration) (string, error)

	// GenerateKeyPair generates SSH private/public key pair optionally protected
	// by password. If the pass parameter is an empty string, the key pair
	// is not password-protected.
	GenerateKeyPair(pass string) ([]byte, []byte, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(key []byte, hostname, authDomain string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using User Certificate Authority signing key and returns the
	// resulting certificate.
	GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error)

	// GetSignupTokenData returns token data for a valid token
	GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)

	// CreateSignupToken creates one time token for creating account for the user
	// For each token it creates username and OTP key
	CreateSignupToken(user services.UserV1) (string, error)
}

IdentityService manages identities and users

type InitConfig

// InitConfig is the auth server init config: the backend and services the server is
// built on, its own identity (HostUUID, DomainName), and the objects (authorities,
// tunnels, connectors, roles, tokens) to seed on first start.
type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// DomainName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	DomainName string

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers statically
	// supplied in configuration, so auth server will init the connectors on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is the trust service (services.Trust)
	// — NOTE(review): the original comment duplicated Identity's "manages users and
	// credentials"; confirm its exact scope (presumably certificate authorities)
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// Roles is a set of roles to create
	Roles []services.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed.
	// Unlike tokens from GenerateToken (single-use, bound to a ttl), these live as long as
	// the config does, so the config file holding them needs the same protection as a secret.
	StaticTokens []services.ProvisionToken

	// U2F is the configuration of the U2F 2 factor authentication
	U2F services.U2F
}

InitConfig is auth server init config

type OIDCAuthResponse added in v1.0.0

// OIDCAuthResponse is returned when the auth server has validated the callback
// parameters returned from the OIDC provider (see ValidateOIDCAuthCallback).
// Session and Cert are credentials and are only present when the original
// request asked for them.
type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.OIDCIdentity `json:"identity"`
	// Session is the web session, generated by the auth server if requested in OIDCAuthRequest
	Session *Session `json:"session,omitempty"`
	// Cert is the certificate generated by the certificate authority, if requested
	Cert []byte `json:"cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type PackedKeys

// PackedKeys is the credential bundle returned by RegisterUsingToken to a newly
// registered node: the key and the certificate signed for it by the auth server
// (per GenerateToken, the node obtains "signed certificate and private key").
type PackedKeys struct {
	// Key is the key material issued to the node (presumably the private key — treat as secret)
	Key  []byte `json:"key"`
	// Cert is the SSH certificate signed for the node
	Cert []byte `json:"cert"`
}

type ProvisioningService

// ProvisioningService is the service in control of adding new nodes, auth servers
// and proxies to the cluster by way of provisioning tokens.
type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens() (tokens []services.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(token string) (*services.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a user token or a machine token
	DeleteToken(token string) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken; the returned PackedKeys hold
	// the node's new key and certificate
	RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error)

	// RegisterNewAuthServer is used to register new auth server with token
	RegisterNewAuthServer(token string) error
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type ServerOption

// ServerOption is the functional argument passed to the server; it may configure
// the AuthTunnel in place and returns an error if the option cannot be applied.
type ServerOption func(s *AuthTunnel) error

ServerOption is the functional argument passed to the server

func SetLimiter added in v1.0.0

func SetLimiter(limiter *limiter.Limiter) ServerOption

SetLimiter sets rate and connection limiter for auth tunnel server

type Session

// Session is a web session context; it stores the session id, the owning user,
// an optional expiry and the session's signing keypair. It is the value returned
// by SignIn, CreateWebSession, ExtendWebSession and the token-based user creation calls.
type Session struct {
	// ID is a session ID
	ID string `json:"id"`
	// Username is a user this session belongs to
	Username string `json:"username"`
	// ExpiresAt is an optional expiry time, if set
	// that means this web session and all derived web sessions
	// can not continue after this time, used in OIDC use case
	// when expiry is set by external identity provider, so user
	// has to relogin (or later on we'd need to refresh the token)
	ExpiresAt time.Time `json:"expires_at"`
	// WS is a private keypair used for signing requests. Note that it is
	// serialized (json tag "web"), so any Session sent over the wire carries this secret.
	WS services.WebSession `json:"web"`
}

Session is a web session context, stores temporary key-value pair and session id

type TunClient

// TunClient is an HTTP client that works over an SSH tunnel. This is done in order
// to authenticate the various teleport roles using the existing SSH certificate
// infrastructure. Create it with NewTunClient; it contains a mutex and must be
// passed by pointer.
type TunClient struct {
	// Mutex presumably guards the unexported tunnel state — confirm against the methods
	sync.Mutex

	// embed auth API HTTP client
	Client
	// contains filtered or unexported fields
}

TunClient is an HTTP client that works over an SSH tunnel. This is done in order to authenticate various teleport roles using the existing SSH certificate infrastructure

func NewTunClient

func NewTunClient(purpose string,
	authServers []utils.NetAddr,
	user string,
	authMethods []ssh.AuthMethod,
	opts ...TunClientOption) (*TunClient, error)

NewTunClient returns an instance of new HTTP client to Auth server API exposed over SSH tunnel, so client uses SSH credentials to dial and authenticate

  • purpose is mostly for debugging, like "web client" or "reverse tunnel client"
  • authServers: list of auth servers in this cluster (they are supposed to be in sync)
  • authMethods: how to authenticate (via cert, web password, etc)
  • opts : functional arguments for further extending

func (*TunClient) Close

func (c *TunClient) Close() error

Close releases all the resources allocated for this client

func (*TunClient) Dial added in v1.0.0

func (c *TunClient) Dial(network, address string) (net.Conn, error)

Dial dials to Auth server's HTTP API over SSH tunnel.

func (*TunClient) GetAgent

func (c *TunClient) GetAgent() (AgentCloser, error)

GetAgent creates an SSH key agent (similar to the object the CLI uses); this key agent fetches user keys directly from the auth server using a custom channel created via a "ReqWebSessionAgent" request

func (*TunClient) GetDialer

func (c *TunClient) GetDialer() AccessPointDialer

GetDialer returns dialer that will connect to auth server API

type TunClientOption added in v1.0.0

// TunClientOption is a functional option for the tunnel client, applied by
// NewTunClient to the client being constructed (see TunClientStorage).
type TunClientOption func(t *TunClient)

TunClientOption is functional option for tunnel client

func TunClientStorage added in v1.0.0

func TunClientStorage(storage utils.AddrStorage) TunClientOption

TunClientStorage allows tun client to set local presence service that it will use to sync up the latest information about auth servers

type WebService

// WebService implements the web session features used by Web UI clients:
// validating, creating, extending and deleting a user's web sessions.
type WebService interface {
	// GetWebSessionInfo checks if a web session is valid, returns the session in case
	// it is valid, or error otherwise.
	GetWebSessionInfo(user string, sid string) (*Session, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(user string, prevSessionID string) (*Session, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(user string) (*Session, error)
	// DeleteWebSession deletes a web session for this user by id
	DeleteWebSession(user string, sid string) error
}

WebService implements features used by Web UI clients
