Documentation ¶
Overview ¶
Package auth implements certificate signing authority and access control server Authority server is composed of several parts:
* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
Package auth implements certificate signing authority and access control server Authority server is composed of several parts:
* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
Index ¶
- Constants
- Variables
- func ClientCertPool(client AccessPoint) (*x509.CertPool, error)
- func ClientTimeout(timeout time.Duration) roundtrip.ClientParam
- func CreateUploaderDir(dir string) error
- func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)
- func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)
- func DecodeClusterName(serverName string) (string, error)
- func EncodeClusterName(clusterName string) string
- func GenerateCertificate(authServer *AuthServer, identity TestIdentity) ([]byte, []byte, error)
- func GetCheckerForBuiltinRole(clusterName string, clusterConfig services.ClusterConfig, role teleport.Role) (services.RoleSet, error)
- func GetIdentitySchema() string
- func GetStateSchema() string
- func HostFQDN(hostUUID, clusterName string) string
- func NewAPIServer(config *APIConfig) http.Handler
- func SetPlugin(p Plugin)
- type APIConfig
- type APIServer
- type AccessPoint
- type AuthContext
- type AuthMiddleware
- type AuthServer
- func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error
- func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
- func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error
- func (s *AuthServer) CheckOTP(user string, otpToken string) error
- func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error
- func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error
- func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error
- func (s *AuthServer) ClientCertPool(clusterName string) (*x509.CertPool, error)
- func (a *AuthServer) Close() error
- func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
- func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (s *AuthServer) CreateSignupToken(userv1 services.UserV1, ttl time.Duration) (string, error)
- func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)
- func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)
- func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)
- func (s *AuthServer) DeleteNamespace(namespace string) error
- func (s *AuthServer) DeleteOIDCConnector(connectorName string) error
- func (a *AuthServer) DeleteRemoteCluster(clusterName string) error
- func (a *AuthServer) DeleteRole(name string) error
- func (s *AuthServer) DeleteSAMLConnector(connectorName string) error
- func (s *AuthServer) DeleteToken(token string) (err error)
- func (a *AuthServer) DeleteTrustedCluster(name string) error
- func (a *AuthServer) DeleteUser(user string) error
- func (s *AuthServer) DeleteWebSession(user string, id string) error
- func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
- func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, ...) ([]byte, error)
- func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
- func (s *AuthServer) GenerateToken(req GenerateTokenRequest) (string, error)
- func (a *AuthServer) GenerateUserCerts(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, []byte, error)
- func (a *AuthServer) GetClock() clockwork.Clock
- func (a *AuthServer) GetClusterCACert() (*LocalCAResponse, error)
- func (a *AuthServer) GetClusterName() (services.ClusterName, error)
- func (a *AuthServer) GetDomainName() (string, error)
- func (s *AuthServer) GetOTPData(user string) (string, []byte, error)
- func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
- func (a *AuthServer) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
- func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)
- func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)
- func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)
- func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)
- func (s *AuthServer) NewWebSession(username string) (services.WebSession, error)
- func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)
- func (s *AuthServer) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (s *AuthServer) RegisterNewAuthServer(token string) error
- func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
- func (a *AuthServer) RotateCertAuthority(req RotateRequest) error
- func (a *AuthServer) RotateExternalCertAuthority(ca services.CertAuthority) error
- func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)
- func (a *AuthServer) SetClock(clock clockwork.Clock)
- func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)
- func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error
- func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
- func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)
- func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)
- func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error
- type AuthServerOption
- type AuthWithRoles
- func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
- func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error
- func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error
- func (a *AuthWithRoles) Close() error
- func (a *AuthWithRoles) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error
- func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error
- func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
- func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error
- func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error
- func (a *AuthWithRoles) CreateRole(role services.Role, ttl time.Duration) error
- func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthWithRoles) CreateSession(s session.Session) error
- func (a *AuthWithRoles) CreateSignupToken(user services.UserV1, ttl time.Duration) (token string, e error)
- func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
- func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
- func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)
- func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error
- func (a *AuthWithRoles) DeleteAllNamespaces() error
- func (a *AuthWithRoles) DeleteAllNodes(namespace string) error
- func (a *AuthWithRoles) DeleteAllProxies() error
- func (a *AuthWithRoles) DeleteAllRemoteClusters() error
- func (a *AuthWithRoles) DeleteAllReverseTunnels() error
- func (a *AuthWithRoles) DeleteAllRoles() error
- func (a *AuthWithRoles) DeleteAllTunnelConnections() error
- func (a *AuthWithRoles) DeleteAllUsers() error
- func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
- func (a *AuthWithRoles) DeleteGithubConnector(id string) error
- func (a *AuthWithRoles) DeleteNamespace(name string) error
- func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
- func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error
- func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
- func (a *AuthWithRoles) DeleteRole(name string) error
- func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error
- func (a *AuthWithRoles) DeleteToken(token string) error
- func (a *AuthWithRoles) DeleteTrustedCluster(name string) error
- func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
- func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error
- func (a *AuthWithRoles) DeleteUser(user string) error
- func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
- func (a *AuthWithRoles) EmitAuditEvent(event events.Event, fields events.EventFields) error
- func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)
- func (a *AuthWithRoles) GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, ...) ([]byte, error)
- func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
- func (a *AuthWithRoles) GenerateToken(req GenerateTokenRequest) (string, error)
- func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
- func (a *AuthWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)
- func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)
- func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
- func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)
- func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)
- func (a *AuthWithRoles) GetClusterCACert() (*LocalCAResponse, error)
- func (a *AuthWithRoles) GetClusterConfig() (services.ClusterConfig, error)
- func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)
- func (a *AuthWithRoles) GetDomainName() (string, error)
- func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
- func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
- func (a *AuthWithRoles) GetLocalClusterName() (string, error)
- func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)
- func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)
- func (a *AuthWithRoles) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)
- func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
- func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)
- func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
- func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
- func (a *AuthWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
- func (a *AuthWithRoles) GetReverseTunnel(name string) (services.ReverseTunnel, error)
- func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (a *AuthWithRoles) GetRole(name string) (services.Role, error)
- func (a *AuthWithRoles) GetRoles() ([]services.Role, error)
- func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
- func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
- func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)
- func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)
- func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)
- func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)
- func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)
- func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)
- func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)
- func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)
- func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)
- func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)
- func (a *AuthWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
- func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (a *AuthWithRoles) GetUser(name string) (services.User, error)
- func (a *AuthWithRoles) GetUsers() ([]services.User, error)
- func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
- func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error
- func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)
- func (a *AuthWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
- func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
- func (a *AuthWithRoles) RotateCertAuthority(req RotateRequest) error
- func (a *AuthWithRoles) RotateExternalCertAuthority(ca services.CertAuthority) error
- func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)
- func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)
- func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error
- func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error
- func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error
- func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error
- func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
- func (a *AuthWithRoles) UploadSessionRecording(r events.SessionRecording) error
- func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error
- func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error
- func (a *AuthWithRoles) UpsertGithubConnector(connector services.GithubConnector) error
- func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error
- func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error
- func (a *AuthWithRoles) UpsertNode(s services.Server) error
- func (a *AuthWithRoles) UpsertNodes(namespace string, servers []services.Server) error
- func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error
- func (a *AuthWithRoles) UpsertProxy(s services.Server) error
- func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error
- func (a *AuthWithRoles) UpsertRole(role services.Role, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error
- func (a *AuthWithRoles) UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error
- func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) (services.TrustedCluster, error)
- func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error
- func (a *AuthWithRoles) UpsertUser(u services.User) error
- func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
- func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
- func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- func (a *AuthWithRoles) WaitForDelivery(context.Context) error
- type AuthenticateSSHRequest
- type AuthenticateUserRequest
- type Authorizer
- func NewAuthorizer(access services.Access, identity services.UserGetter, trust services.Trust) (Authorizer, error)
- func NewRoleAuthorizer(clusterName string, clusterConfig services.ClusterConfig, r teleport.Role) (Authorizer, error)
- func NewUserAuthorizer(username string, identity services.UserGetter, access services.Access) (Authorizer, error)
- type BuiltinRole
- type BuiltinRoleSet
- type Client
- func NewClient(addr string, dialer Dialer, params ...roundtrip.ClientParam) (*Client, error)
- func NewTLSClient(addrs []utils.NetAddr, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)
- func NewTLSClientWithDialer(dialContext DialContext, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)
- func (c *Client) ActivateCertAuthority(id services.CertAuthID) error
- func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
- func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
- func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
- func (c *Client) ChangePassword(req services.ChangePasswordReq) error
- func (c *Client) CheckPassword(user string, password []byte, otpToken string) error
- func (c *Client) Close() error
- func (c *Client) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error
- func (c *Client) CreateCertAuthority(ca services.CertAuthority) error
- func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
- func (c *Client) CreateGithubConnector(connector services.GithubConnector) error
- func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
- func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error
- func (c *Client) CreateRole(role services.Role, ttl time.Duration) error
- func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
- func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error
- func (c *Client) CreateSession(sess session.Session) error
- func (c *Client) CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error)
- func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
- func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
- func (c *Client) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
- func (c *Client) CreateWebSession(user string) (services.WebSession, error)
- func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error
- func (c *Client) Delete(u string) (*roundtrip.Response, error)
- func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error
- func (c *Client) DeleteAllNamespaces() error
- func (c *Client) DeleteAllNodes(namespace string) error
- func (c *Client) DeleteAllProxies() error
- func (c *Client) DeleteAllRemoteClusters() error
- func (c *Client) DeleteAllReverseTunnels() error
- func (c *Client) DeleteAllRoles() error
- func (c *Client) DeleteAllTunnelConnections() error
- func (c *Client) DeleteAllUsers() error
- func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
- func (c *Client) DeleteGithubConnector(id string) error
- func (c *Client) DeleteNamespace(name string) error
- func (c *Client) DeleteOIDCConnector(connectorID string) error
- func (c *Client) DeleteRemoteCluster(clusterName string) error
- func (c *Client) DeleteReverseTunnel(domainName string) error
- func (c *Client) DeleteRole(name string) error
- func (c *Client) DeleteSAMLConnector(connectorID string) error
- func (c *Client) DeleteSession(namespace, id string) error
- func (c *Client) DeleteToken(token string) error
- func (c *Client) DeleteTrustedCluster(name string) error
- func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error
- func (c *Client) DeleteTunnelConnections(clusterName string) error
- func (c *Client) DeleteUser(user string) error
- func (c *Client) DeleteWebSession(user string, sid string) error
- func (c *Client) EmitAuditEvent(event events.Event, fields events.EventFields) error
- func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
- func (c *Client) GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, ...) ([]byte, error)
- func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)
- func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
- func (c *Client) GenerateToken(req GenerateTokenRequest) (string, error)
- func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)
- func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)
- func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)
- func (c *Client) GetAuthPreference() (services.AuthPreference, error)
- func (c *Client) GetAuthServers() ([]services.Server, error)
- func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)
- func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)
- func (c *Client) GetClusterCACert() (*LocalCAResponse, error)
- func (c *Client) GetClusterConfig() (services.ClusterConfig, error)
- func (c *Client) GetClusterName() (services.ClusterName, error)
- func (c *Client) GetDomainName() (string, error)
- func (c *Client) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
- func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
- func (c *Client) GetLocalClusterName() (string, error)
- func (c *Client) GetNamespace(name string) (*services.Namespace, error)
- func (c *Client) GetNamespaces() ([]services.Namespace, error)
- func (c *Client) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)
- func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
- func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
- func (c *Client) GetProxies() ([]services.Server, error)
- func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
- func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
- func (c *Client) GetReverseTunnel(name string) (services.ReverseTunnel, error)
- func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
- func (c *Client) GetRole(name string) (services.Role, error)
- func (c *Client) GetRoles() ([]services.Role, error)
- func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
- func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
- func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)
- func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
- func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)
- func (c *Client) GetSessions(namespace string) ([]session.Session, error)
- func (c *Client) GetSignupTokenData(token string) (user string, otpQRCode []byte, e error)
- func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
- func (c *Client) GetStaticTokens() (services.StaticTokens, error)
- func (c *Client) GetToken(token string) (*services.ProvisionToken, error)
- func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)
- func (c *Client) GetTransport() *http.Transport
- func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)
- func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)
- func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
- func (c *Client) GetU2FAppID() (string, error)
- func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
- func (c *Client) GetUser(name string) (services.User, error)
- func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
- func (c *Client) GetUsers() ([]services.User, error)
- func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
- func (c *Client) PostForm(endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
- func (c *Client) PostJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) PostSessionSlice(slice events.SessionSlice) error
- func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
- func (c *Client) PutJSON(endpoint string, val interface{}) (*roundtrip.Response, error)
- func (c *Client) RegisterNewAuthServer(token string) error
- func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
- func (c *Client) RotateCertAuthority(req RotateRequest) error
- func (c *Client) RotateExternalCertAuthority(ca services.CertAuthority) error
- func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)
- func (c *Client) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)
- func (c *Client) SetAuthPreference(cap services.AuthPreference) error
- func (c *Client) SetClusterConfig(cc services.ClusterConfig) error
- func (c *Client) SetClusterName(cn services.ClusterName) error
- func (c *Client) SetStaticTokens(st services.StaticTokens) error
- func (c *Client) TLSConfig() *tls.Config
- func (c *Client) UpdateSession(req session.UpdateRequest) error
- func (c *Client) UploadSessionRecording(r events.SessionRecording) error
- func (c *Client) UpsertAuthServer(s services.Server) error
- func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error
- func (c *Client) UpsertGithubConnector(connector services.GithubConnector) error
- func (c *Client) UpsertLocalClusterName(string) error
- func (c *Client) UpsertNamespace(ns services.Namespace) error
- func (c *Client) UpsertNode(s services.Server) error
- func (c *Client) UpsertNodes(namespace string, servers []services.Server) error
- func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error
- func (c *Client) UpsertPassword(user string, password []byte) error
- func (c *Client) UpsertProxy(s services.Server) error
- func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error
- func (c *Client) UpsertRole(role services.Role, ttl time.Duration) error
- func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error
- func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)
- func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error
- func (c *Client) UpsertUser(user services.User) error
- func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
- func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
- func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
- func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
- func (c *Client) WaitForDelivery(context.Context) error
- type ClientI
- type DialContext
- type Dialer
- type FakeSSHConnection
- func (conn *FakeSSHConnection) Close() error
- func (conn *FakeSSHConnection) LocalAddr() net.Addr
- func (conn *FakeSSHConnection) Read(b []byte) (n int, err error)
- func (conn *FakeSSHConnection) RemoteAddr() net.Addr
- func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
- func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
- func (conn *FakeSSHConnection) Write(b []byte) (n int, err error)
- type GenerateServerKeysRequest
- type GenerateTokenRequest
- type GetClusterConfigFunc
- type GithubAuthResponse
- type HandlerWithAuthFunc
- type Identity
- func GenerateIdentity(a *AuthServer, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
- func LocalRegister(id IdentityID, authServer *AuthServer, additionalPrincipals, dnsNames []string) (*Identity, error)
- func NewServerIdentity(clt *AuthServer, hostID string, role teleport.Role) (*Identity, error)
- func ReRegister(params ReRegisterParams) (*Identity, error)
- func ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes []byte, tlsCACertsBytes [][]byte) (*Identity, error)
- func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
- func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)
- func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
- func Register(params RegisterParams) (*Identity, error)
- type IdentityID
- type IdentityService
- type IdentitySpecV2
- type IdentityV2
- type InitConfig
- type KubeCSR
- type KubeCSRResponse
- type LocalCAResponse
- type LocalUser
- type OIDCAuthResponse
- type OTPCreds
- type PackedKeys
- type PassCreds
- type Plugin
- type ProcessStorage
- func (p *ProcessStorage) Close() error
- func (p *ProcessStorage) CreateState(role teleport.Role, state StateV2) error
- func (p *ProcessStorage) GetState(role teleport.Role) (*StateV2, error)
- func (p *ProcessStorage) ReadIdentity(name string, role teleport.Role) (*Identity, error)
- func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
- func (p *ProcessStorage) WriteState(role teleport.Role, state StateV2) error
- type ProvisioningService
- type ReRegisterParams
- type RegisterParams
- type RegisterUsingTokenRequest
- type RemoteBuiltinRole
- type RemoteBuiltinRoleSet
- type RemoteUser
- type RotateRequest
- type SAMLAuthResponse
- type SSHLoginResponse
- type SessionCreds
- type StateSpecV2
- type StateV2
- type TLSServer
- type TLSServerConfig
- type TestAuthServer
- func (a *TestAuthServer) Clock() clockwork.Clock
- func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
- func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
- func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
- func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)
- func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error
- type TestAuthServerConfig
- type TestIdentity
- type TestTLSServer
- func (t *TestTLSServer) Addr() net.Addr
- func (t *TestTLSServer) Auth() *AuthServer
- func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
- func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
- func (t *TestTLSServer) Clock() clockwork.Clock
- func (t *TestTLSServer) CloneClient(clt *Client) *Client
- func (t *TestTLSServer) Close() error
- func (t *TestTLSServer) ClusterName() string
- func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
- func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)
- func (t *TestTLSServer) Start() error
- func (t *TestTLSServer) Stop() error
- type TestTLSServerConfig
- type TrustedCerts
- type U2FSignResponseCreds
- type ValidateTrustedClusterRequest
- type ValidateTrustedClusterRequestRaw
- type ValidateTrustedClusterResponse
- type ValidateTrustedClusterResponseRaw
- type WebService
Constants ¶
const ( // BearerTokenTTL specifies standard bearer token to exist before // it has to be renewed by the client BearerTokenTTL = 10 * time.Minute // TokenLenBytes is len in bytes of the invite token TokenLenBytes = 16 )
const ( // CurrentVersion is a current API version CurrentVersion = services.V2 // MissingNamespaceError is a _very_ common error this file generatets MissingNamespaceError = "missing required parameter: namespace" )
const ( // GithubAuthURL is the Github authorization endpoint GithubAuthURL = "https://github.com/login/oauth/authorize" // GithubTokenURL is the Github token exchange endpoint GithubTokenURL = "https://github.com/login/oauth/access_token" // GithubAPIURL is the Github base API URL GithubAPIURL = "https://api.github.com" // MaxPages is the maximum number of pagination links that will be followed. MaxPages = 99 )
const ( // IdentityNameCurrent is a name for the identity credentials that are // currently used by the process. IdentityCurrent = "current" // IdentityReplacement is a name for the identity crdentials that are // replacing current identity credentials during CA rotation. IdentityReplacement = "replacement" )
const ContextUser = "teleport-user"
ContextUser is a user set in the context of the request
const IdentitySpecV2Schema = `` /* 329-byte string literal not displayed */
IdentitySpecV2Schema is a schema for identity spec.
const StateSpecV2Schema = `{
"type": "object",
"additionalProperties": false,
"required": ["rotation"],
"properties": {
"rotation": %v
}
}`
StateSpecV2Schema is a schema for local server state.
Variables ¶
var ( // GithubScopes is a list of scopes requested during OAuth2 flow GithubScopes = []string{ "read:org", } )
Functions ¶
func ClientCertPool ¶
func ClientCertPool(client AccessPoint) (*x509.CertPool, error)
ClientCertPool returns trusted x509 cerificate authority pool
func ClientTimeout ¶
func ClientTimeout(timeout time.Duration) roundtrip.ClientParam
ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.
func CreateUploaderDir ¶
CreateUploaderDir creates directory for file uploader service
func CreateUserAndRole ¶
func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)
CreateUserAndRole creates user and role and assignes role to a user, used in tests
func CreateUserAndRoleWithoutRoles ¶
func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)
CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests
func DecodeClusterName ¶ added in v3.1.0
DecodeClusterName decodes cluster name, returns NotFound if no cluster name is encoded (empty subdomain), so servers can detect cases when no server name passed returns BadParameter if encoding does not match
func EncodeClusterName ¶ added in v3.1.0
EncodeClusterName encodes cluster name in the SNI hostname
func GenerateCertificate ¶
func GenerateCertificate(authServer *AuthServer, identity TestIdentity) ([]byte, []byte, error)
GenerateCertificate generates certificate for identity, returns private public key pair
func GetCheckerForBuiltinRole ¶
func GetCheckerForBuiltinRole(clusterName string, clusterConfig services.ClusterConfig, role teleport.Role) (services.RoleSet, error)
GetCheckerForBuiltinRole returns checkers for embedded builtin role
func GetIdentitySchema ¶
func GetIdentitySchema() string
GetIdentitySchema returns JSON Schema for cert authorities.
func GetStateSchema ¶
func GetStateSchema() string
GetStateSchema returns JSON Schema for cert authorities.
func NewAPIServer ¶
NewAPIServer returns a new instance of APIServer HTTP handler
Types ¶
type APIConfig ¶
type APIConfig struct { AuthServer *AuthServer SessionService session.Service AuditLog events.IAuditLog Authorizer Authorizer }
type APIServer ¶
type APIServer struct { APIConfig httprouter.Router clockwork.Clock }
APIServer implements http API server for AuthServer interface
type AccessPoint ¶
type AccessPoint interface { // GetReverseTunnels returns a list of reverse tunnels GetReverseTunnels() ([]services.ReverseTunnel, error) // GetDomainName returns domain name AKA ("cluster name") of the auth // server / certificate authority (CA) GetDomainName() (string, error) // GetClusterConfig returns cluster level configuration. GetClusterConfig() (services.ClusterConfig, error) // GetNamespaces returns a list of namespaces GetNamespaces() ([]services.Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*services.Namespace, error) // GetServers returns a list of registered servers GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error) // UpsertServer registers server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertNode(s services.Server) error // UpsertProxy registers server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(s services.Server) error // GetProxies returns a list of proxy servers registered in the cluster GetProxies() ([]services.Server, error) // GetCertAuthority returns cert authority by id GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error) // GetUser returns a services.User for this cluster. GetUser(string) (services.User, error) // GetUsers returns a list of local users registered with this domain GetUsers() ([]services.User, error) // GetRole returns role by name GetRole(name string) (services.Role, error) // GetRoles returns a list of roles GetRoles() ([]services.Role, error) // UpsertTunnelConnection upserts tunnel connection UpsertTunnelConnection(conn services.TunnelConnection) error // DeleteTunnelConnection deletes tunnel connection DeleteTunnelConnection(clusterName, connName string) error // GetTunnelConnections returns tunnel connections for a given cluster GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error) // GetAllTunnelConnections returns all tunnel connections GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error) }
AccessPoint is an API interface implemented by a certificate authority (CA)
type AuthContext ¶
type AuthContext struct { // User is the user name User services.User // Checker is access checker Checker services.AccessChecker }
AuthzContext is authorization context
func NewAdminContext ¶
func NewAdminContext() (*AuthContext, error)
NewAdminContext returns new admin auth context
type AuthMiddleware ¶
type AuthMiddleware struct { // AccessPoint is a caching access point for auth server AccessPoint AccessPoint // Handler is HTTP handler called after the middleware checks requests Handler http.Handler // AcceptedUsage restricts authentication // to a subset of certificates based on certificate metadata, // for example middleware can reject certificates with mismatching usage. // If empty, will only accept certificates with non-limited usage, // if set, will accept certificates with non-limited usage, // and usage exactly matching the specified values. AcceptedUsage []string }
AuthMiddleware is authentication middleware checking every request
func (*AuthMiddleware) GetUser ¶
func (a *AuthMiddleware) GetUser(r *http.Request) (interface{}, error)
GetUser returns authenticated user based on request metadata set by HTTP server
func (*AuthMiddleware) ServeHTTP ¶
func (a *AuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP serves HTTP requests
func (*AuthMiddleware) Wrap ¶
func (a *AuthMiddleware) Wrap(h http.Handler)
Wrap sets next handler in chain
type AuthServer ¶
type AuthServer struct { sshca.Authority // AuthServiceName is a human-readable name of this CA. If several Auth services are running // (managing multiple teleport clusters) this field is used to tell them apart in UIs // It usually defaults to the hostname of the machine the Auth service runs on. AuthServiceName string services.Trust services.Presence services.Provisioner services.Identity services.Access services.ClusterConfiguration events.IAuditLog // contains filtered or unexported fields }
AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:
- generates the keypair for the node it's running on
- invites other SSH nodes to a cluster, by issuing invite tokens
- adds other SSH nodes to a cluster, by checking their token and signing their keys
- same for users and their sessions
- checks public keys to see if they're signed by it (can be trusted or not)
func Init ¶
func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error)
Init instantiates and configures an instance of AuthServer
func NewAuthServer ¶
func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, error)
NewAuthServer creates and configures a new AuthServer instance
func (*AuthServer) AuthenticateSSHUser ¶
func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates web user, creates and returns web session in case if authentication is successful
func (*AuthServer) AuthenticateUser ¶
func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error
AuthenticateUser authenticates user based on the request type
func (*AuthServer) AuthenticateWebUser ¶
func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful. In case if existing session id is used to authenticate, returns session associated with the existing session id instead of creating the new one
func (*AuthServer) ChangePassword ¶
func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error
ChangePassword changes user passsword
func (*AuthServer) CheckOTP ¶
func (s *AuthServer) CheckOTP(user string, otpToken string) error
CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.
func (*AuthServer) CheckPassword ¶
func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error
CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.
func (*AuthServer) CheckPasswordWOToken ¶
func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error
CheckPasswordWOToken checks just password without checking OTP tokens used in case of SSH authentication, when token has been validated.
func (*AuthServer) CheckU2FSignResponse ¶
func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error
func (*AuthServer) ClientCertPool ¶
func (s *AuthServer) ClientCertPool(clusterName string) (*x509.CertPool, error)
ClientCertPool returns trusted x509 cerificate authority pool
func (*AuthServer) Close ¶
func (a *AuthServer) Close() error
func (*AuthServer) CreateGithubAuthRequest ¶
func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
CreateGithubAuthRequest creates a new request for Github OAuth2 flow
func (*AuthServer) CreateOIDCAuthRequest ¶
func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthServer) CreateSAMLAuthRequest ¶
func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
func (*AuthServer) CreateSignupToken ¶
CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator
func (*AuthServer) CreateSignupU2FRegisterRequest ¶
func (s *AuthServer) CreateSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
func (*AuthServer) CreateUserWithOTP ¶
func (s *AuthServer) CreateUserWithOTP(token string, password string, otpToken string) (services.WebSession, error)
CreateUserWithOTP creates account with provided token and password. Account username and hotp generator are taken from token data. Deletes token after account creation.
func (*AuthServer) CreateUserWithU2FToken ¶
func (s *AuthServer) CreateUserWithU2FToken(token string, password string, response u2f.RegisterResponse) (services.WebSession, error)
func (*AuthServer) CreateUserWithoutOTP ¶
func (s *AuthServer) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
CreateUserWithoutOTP creates an account with the provided password and deletes the token afterwards.
func (*AuthServer) CreateWebSession ¶
func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)
CreateWebSession creates a new web session for user without any checks, is used by admins
func (*AuthServer) DeleteNamespace ¶
func (s *AuthServer) DeleteNamespace(namespace string) error
func (*AuthServer) DeleteOIDCConnector ¶
func (s *AuthServer) DeleteOIDCConnector(connectorName string) error
func (*AuthServer) DeleteRemoteCluster ¶
func (a *AuthServer) DeleteRemoteCluster(clusterName string) error
DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it
func (*AuthServer) DeleteRole ¶
func (a *AuthServer) DeleteRole(name string) error
func (*AuthServer) DeleteSAMLConnector ¶
func (s *AuthServer) DeleteSAMLConnector(connectorName string) error
func (*AuthServer) DeleteToken ¶
func (s *AuthServer) DeleteToken(token string) (err error)
func (*AuthServer) DeleteTrustedCluster ¶
func (a *AuthServer) DeleteTrustedCluster(name string) error
DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.
func (*AuthServer) DeleteUser ¶
func (a *AuthServer) DeleteUser(user string) error
func (*AuthServer) DeleteWebSession ¶
func (s *AuthServer) DeleteWebSession(user string, id string) error
func (*AuthServer) ExtendWebSession ¶
func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user
func (*AuthServer) GenerateHostCert ¶
func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)
GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.
func (*AuthServer) GenerateServerKeys ¶
func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.
func (*AuthServer) GenerateToken ¶
func (s *AuthServer) GenerateToken(req GenerateTokenRequest) (string, error)
GenerateToken generates multi-purpose authentication token
func (*AuthServer) GenerateUserCerts ¶
func (a *AuthServer) GenerateUserCerts(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, []byte, error)
GenerateUserCerts is used to generate user certificate, used internally for tests
func (*AuthServer) GetClock ¶
func (a *AuthServer) GetClock() clockwork.Clock
func (*AuthServer) GetClusterCACert ¶ added in v3.1.0
func (a *AuthServer) GetClusterCACert() (*LocalCAResponse, error)
GetClusterCACert returns the CAs for the local cluster without signing keys.
func (*AuthServer) GetClusterName ¶
func (a *AuthServer) GetClusterName() (services.ClusterName, error)
GetClusterName returns the domain name that identifies this authority server. Also known as "cluster name"
func (*AuthServer) GetDomainName ¶
func (a *AuthServer) GetDomainName() (string, error)
GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"
func (*AuthServer) GetOTPData ¶
func (s *AuthServer) GetOTPData(user string) (string, []byte, error)
GetOTPData returns the OTP Key, Key URL, and the QR code.
func (*AuthServer) GetRemoteCluster ¶
func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
GetRemoteCluster returns remote cluster by name
func (*AuthServer) GetRemoteClusters ¶
func (a *AuthServer) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
GetRemoteClusters returns remote clusters with updated statuses
func (*AuthServer) GetSignupTokenData ¶
func (s *AuthServer) GetSignupTokenData(token string) (user string, qrCode []byte, err error)
GetSignupTokenData returns token data (username and QR code bytes) for a valid signup token.
func (*AuthServer) GetTokens ¶
func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error)
GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role
func (*AuthServer) GetWebSession ¶
func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)
func (*AuthServer) GetWebSessionInfo ¶
func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)
func (*AuthServer) NewWebSession ¶
func (s *AuthServer) NewWebSession(username string) (services.WebSession, error)
func (*AuthServer) PreAuthenticatedSignIn ¶
func (s *AuthServer) PreAuthenticatedSignIn(user string) (services.WebSession, error)
PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge
func (*AuthServer) ProcessKubeCSR ¶
func (s *AuthServer) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.
func (*AuthServer) RegisterNewAuthServer ¶
func (s *AuthServer) RegisterNewAuthServer(token string) error
func (*AuthServer) RegisterUsingToken ¶
func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).
If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.
func (*AuthServer) RotateCertAuthority ¶
func (a *AuthServer) RotateCertAuthority(req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
Rotation procedure is based on the state machine approach.
Here are the supported rotation states:
- Standby - the cluster is in standby mode and ready to take action.
- In-progress - cluster CA rotation is in progress.
In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.
Here are the supported phases:
* Standby - no action is taken.
* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.
This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.
* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".
* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.
* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will loose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.
Rotation modes ¶
There are two rotation modes supported - manual or automatic.
* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.
* Automatic mode performs automatic transition between phases on a given schedule. Schedule is a time table that specifies exact date when the next phase should take place. If automatic transition between any phase fails, the rotation switches back to the manual mode and stops execution phases on the schedule. If schedule is not specified, it will be auto generated based on the "grace period" duration parameter, and time between all phases will be evenly split over the grace period duration.
It is possible to switch from automatic to manual by setting the phase to the rollback phase.
func (*AuthServer) RotateExternalCertAuthority ¶
func (a *AuthServer) RotateExternalCertAuthority(ca services.CertAuthority) error
RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.
func (*AuthServer) SetAuditLog ¶
func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)
SetAuditLog sets the server's audit log
func (*AuthServer) SetClock ¶
func (a *AuthServer) SetClock(clock clockwork.Clock)
SetClock sets clock, used in tests
func (*AuthServer) U2FSignRequest ¶
func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
func (*AuthServer) UpsertOIDCConnector ¶
func (s *AuthServer) UpsertOIDCConnector(connector services.OIDCConnector) error
func (*AuthServer) UpsertSAMLConnector ¶
func (s *AuthServer) UpsertSAMLConnector(connector services.SAMLConnector) error
func (*AuthServer) UpsertTrustedCluster ¶
func (a *AuthServer) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)
UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.
func (*AuthServer) UpsertWebSession ¶
func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error
func (*AuthServer) ValidateGithubAuthCallback ¶
func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback redirect
func (*AuthServer) ValidateOIDCAuthCallback ¶
func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error
func (*AuthServer) ValidateSAMLResponse ¶
func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)
ValidateSAMLResponse consumes attribute statements from SAML identity provider
func (*AuthServer) ValidateToken ¶
func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)
ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found.
func (*AuthServer) WithUserLock ¶
func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error
WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval
type AuthServerOption ¶
type AuthServerOption func(*AuthServer)
AuthServerOption allows setting options as functional arguments to AuthServer
type AuthWithRoles ¶
type AuthWithRoles struct {
// contains filtered or unexported fields
}
func NewAuthWithRoles ¶
func NewAuthWithRoles(authServer *AuthServer, checker services.AccessChecker, user services.User, sessions session.Service, alog events.IAuditLog) *AuthWithRoles
NewAuthWithRoles creates new auth server with access control
func (*AuthWithRoles) ActivateCertAuthority ¶
func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) AuthenticateSSHUser ¶
func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result
func (*AuthWithRoles) AuthenticateWebUser ¶
func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful
func (*AuthWithRoles) ChangePassword ¶
func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error
func (*AuthWithRoles) CheckPassword ¶
func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error
func (*AuthWithRoles) Close ¶
func (a *AuthWithRoles) Close() error
func (*AuthWithRoles) CompareAndSwapCertAuthority ¶
func (a *AuthWithRoles) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*AuthWithRoles) CreateCertAuthority ¶
func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error
func (*AuthWithRoles) CreateGithubAuthRequest ¶
func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
func (*AuthWithRoles) CreateGithubConnector ¶
func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error
func (*AuthWithRoles) CreateOIDCAuthRequest ¶
func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
func (*AuthWithRoles) CreateRemoteCluster ¶
func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error
func (*AuthWithRoles) CreateRole ¶
CreateRole creates a role.
func (*AuthWithRoles) CreateSAMLAuthRequest ¶
func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
func (*AuthWithRoles) CreateSAMLConnector ¶
func (a *AuthWithRoles) CreateSAMLConnector(connector services.SAMLConnector) error
func (*AuthWithRoles) CreateSession ¶
func (a *AuthWithRoles) CreateSession(s session.Session) error
func (*AuthWithRoles) CreateSignupToken ¶
func (*AuthWithRoles) CreateUserWithOTP ¶
func (a *AuthWithRoles) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
func (*AuthWithRoles) CreateUserWithU2FToken ¶
func (a *AuthWithRoles) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
func (*AuthWithRoles) CreateUserWithoutOTP ¶
func (a *AuthWithRoles) CreateUserWithoutOTP(token string, password string) (services.WebSession, error)
func (*AuthWithRoles) CreateWebSession ¶
func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)
func (*AuthWithRoles) DeactivateCertAuthority ¶
func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) DeleteAllCertAuthorities ¶
func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error
DeleteAllCertAuthorities deletes all certificate authorities of a certain type
func (*AuthWithRoles) DeleteAllNamespaces ¶
func (a *AuthWithRoles) DeleteAllNamespaces() error
DeleteAllCertNamespaces deletes all namespaces
func (*AuthWithRoles) DeleteAllNodes ¶
func (a *AuthWithRoles) DeleteAllNodes(namespace string) error
DeleteAllNodes deletes all nodes in a given namespace
func (*AuthWithRoles) DeleteAllProxies ¶
func (a *AuthWithRoles) DeleteAllProxies() error
DeleteAllProxies deletes all proxies
func (*AuthWithRoles) DeleteAllRemoteClusters ¶
func (a *AuthWithRoles) DeleteAllRemoteClusters() error
func (*AuthWithRoles) DeleteAllReverseTunnels ¶
func (a *AuthWithRoles) DeleteAllReverseTunnels() error
DeleteAllReverseTunnels deletes all reverse tunnels
func (*AuthWithRoles) DeleteAllRoles ¶
func (a *AuthWithRoles) DeleteAllRoles() error
DeleteAllRoles deletes all roles
func (*AuthWithRoles) DeleteAllTunnelConnections ¶
func (a *AuthWithRoles) DeleteAllTunnelConnections() error
func (*AuthWithRoles) DeleteAllUsers ¶
func (a *AuthWithRoles) DeleteAllUsers() error
DeleteAllUsers deletes all users
func (*AuthWithRoles) DeleteCertAuthority ¶
func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error
func (*AuthWithRoles) DeleteGithubConnector ¶
func (a *AuthWithRoles) DeleteGithubConnector(id string) error
func (*AuthWithRoles) DeleteNamespace ¶
func (a *AuthWithRoles) DeleteNamespace(name string) error
DeleteNamespace deletes namespace by name
func (*AuthWithRoles) DeleteOIDCConnector ¶
func (a *AuthWithRoles) DeleteOIDCConnector(connectorID string) error
func (*AuthWithRoles) DeleteRemoteCluster ¶
func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error
func (*AuthWithRoles) DeleteReverseTunnel ¶
func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error
func (*AuthWithRoles) DeleteRole ¶
func (a *AuthWithRoles) DeleteRole(name string) error
DeleteRole deletes role by name
func (*AuthWithRoles) DeleteSAMLConnector ¶
func (a *AuthWithRoles) DeleteSAMLConnector(connectorID string) error
func (*AuthWithRoles) DeleteToken ¶
func (a *AuthWithRoles) DeleteToken(token string) error
func (*AuthWithRoles) DeleteTrustedCluster ¶
func (a *AuthWithRoles) DeleteTrustedCluster(name string) error
func (*AuthWithRoles) DeleteTunnelConnection ¶
func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error
func (*AuthWithRoles) DeleteTunnelConnections ¶
func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error
func (*AuthWithRoles) DeleteUser ¶
func (a *AuthWithRoles) DeleteUser(user string) error
func (*AuthWithRoles) DeleteWebSession ¶
func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error
func (*AuthWithRoles) EmitAuditEvent ¶
func (a *AuthWithRoles) EmitAuditEvent(event events.Event, fields events.EventFields) error
func (*AuthWithRoles) ExtendWebSession ¶
func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)
func (*AuthWithRoles) GenerateHostCert ¶
func (*AuthWithRoles) GenerateKeyPair ¶
func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)
func (*AuthWithRoles) GenerateServerKeys ¶
func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.
func (*AuthWithRoles) GenerateToken ¶
func (a *AuthWithRoles) GenerateToken(req GenerateTokenRequest) (string, error)
func (*AuthWithRoles) GenerateUserCert ¶
func (*AuthWithRoles) GetAllTunnelConnections ¶
func (a *AuthWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)
func (*AuthWithRoles) GetAuthPreference ¶
func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)
func (*AuthWithRoles) GetAuthServers ¶
func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)
func (*AuthWithRoles) GetCertAuthorities ¶
func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)
func (*AuthWithRoles) GetCertAuthority ¶
func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)
func (*AuthWithRoles) GetClusterCACert ¶ added in v3.1.0
func (a *AuthWithRoles) GetClusterCACert() (*LocalCAResponse, error)
GetClusterCACert returns the CAs for the local cluster without signing keys.
func (*AuthWithRoles) GetClusterConfig ¶
func (a *AuthWithRoles) GetClusterConfig() (services.ClusterConfig, error)
GetClusterConfig gets cluster level configuration.
func (*AuthWithRoles) GetClusterName ¶
func (a *AuthWithRoles) GetClusterName() (services.ClusterName, error)
GetClusterName gets the name of the cluster.
func (*AuthWithRoles) GetDomainName ¶
func (a *AuthWithRoles) GetDomainName() (string, error)
func (*AuthWithRoles) GetGithubConnector ¶
func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
func (*AuthWithRoles) GetGithubConnectors ¶
func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
func (*AuthWithRoles) GetLocalClusterName ¶
func (a *AuthWithRoles) GetLocalClusterName() (string, error)
func (*AuthWithRoles) GetNamespace ¶
func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)
GetNamespace returns namespace by name
func (*AuthWithRoles) GetNamespaces ¶
func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)
GetNamespaces returns a list of namespaces
func (*AuthWithRoles) GetNodes ¶
func (a *AuthWithRoles) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)
func (*AuthWithRoles) GetOIDCConnector ¶
func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)
func (*AuthWithRoles) GetOIDCConnectors ¶
func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
func (*AuthWithRoles) GetOTPData ¶
func (a *AuthWithRoles) GetOTPData(user string) (string, []byte, error)
func (*AuthWithRoles) GetProxies ¶
func (a *AuthWithRoles) GetProxies() ([]services.Server, error)
func (*AuthWithRoles) GetRemoteCluster ¶
func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
func (*AuthWithRoles) GetRemoteClusters ¶
func (a *AuthWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
func (*AuthWithRoles) GetReverseTunnel ¶
func (a *AuthWithRoles) GetReverseTunnel(name string) (services.ReverseTunnel, error)
func (*AuthWithRoles) GetReverseTunnels ¶
func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error)
func (*AuthWithRoles) GetRole ¶
func (a *AuthWithRoles) GetRole(name string) (services.Role, error)
GetRole returns role by name
func (*AuthWithRoles) GetRoles ¶
func (a *AuthWithRoles) GetRoles() ([]services.Role, error)
GetRoles returns a list of roles
func (*AuthWithRoles) GetSAMLConnector ¶
func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)
func (*AuthWithRoles) GetSAMLConnectors ¶
func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
func (*AuthWithRoles) GetSession ¶
func (*AuthWithRoles) GetSessionChunk ¶
func (*AuthWithRoles) GetSessionEvents ¶
func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)
func (*AuthWithRoles) GetSessions ¶
func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)
func (*AuthWithRoles) GetSignupToken ¶
func (a *AuthWithRoles) GetSignupToken(token string) (*services.SignupToken, error)
func (*AuthWithRoles) GetSignupTokenData ¶
func (a *AuthWithRoles) GetSignupTokenData(token string) (user string, otpQRCode []byte, err error)
func (*AuthWithRoles) GetSignupU2FRegisterRequest ¶
func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
func (*AuthWithRoles) GetStaticTokens ¶
func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*AuthWithRoles) GetToken ¶
func (a *AuthWithRoles) GetToken(token string) (*services.ProvisionToken, error)
func (*AuthWithRoles) GetTokens ¶
func (a *AuthWithRoles) GetTokens() ([]services.ProvisionToken, error)
func (*AuthWithRoles) GetTrustedCluster ¶
func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)
func (*AuthWithRoles) GetTrustedClusters ¶
func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)
func (*AuthWithRoles) GetTunnelConnections ¶
func (a *AuthWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
func (*AuthWithRoles) GetU2FSignRequest ¶
func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)
func (*AuthWithRoles) GetWebSessionInfo ¶
func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)
func (*AuthWithRoles) PostSessionSlice ¶
func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error
func (*AuthWithRoles) PreAuthenticatedSignIn ¶
func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)
func (*AuthWithRoles) ProcessKubeCSR ¶
func (a *AuthWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.
func (*AuthWithRoles) RegisterNewAuthServer ¶
func (a *AuthWithRoles) RegisterNewAuthServer(token string) error
func (*AuthWithRoles) RegisterUsingToken ¶
func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
func (*AuthWithRoles) RotateCertAuthority ¶
func (a *AuthWithRoles) RotateCertAuthority(req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*AuthWithRoles) RotateExternalCertAuthority ¶
func (a *AuthWithRoles) RotateExternalCertAuthority(ca services.CertAuthority) error
RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.
func (*AuthWithRoles) SearchEvents ¶
func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)
func (*AuthWithRoles) SearchSessionEvents ¶
func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)
func (*AuthWithRoles) SetAuthPreference ¶
func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error
func (*AuthWithRoles) SetClusterConfig ¶
func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error
SetClusterConfig sets cluster level configuration.
func (*AuthWithRoles) SetClusterName ¶
func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error
SetClusterName sets the name of the cluster. SetClusterName can only be called once.
func (*AuthWithRoles) SetStaticTokens ¶
func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error
SetStaticTokens sets the list of static tokens used to provision nodes.
func (*AuthWithRoles) UpdateSession ¶
func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error
func (*AuthWithRoles) UploadSessionRecording ¶
func (a *AuthWithRoles) UploadSessionRecording(r events.SessionRecording) error
func (*AuthWithRoles) UpsertAuthServer ¶
func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error
func (*AuthWithRoles) UpsertCertAuthority ¶
func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error
UpsertCertAuthority updates existing cert authority or updates the existing one.
func (*AuthWithRoles) UpsertGithubConnector ¶
func (a *AuthWithRoles) UpsertGithubConnector(connector services.GithubConnector) error
func (*AuthWithRoles) UpsertLocalClusterName ¶
func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error
func (*AuthWithRoles) UpsertNamespace ¶
func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error
UpsertNamespace upserts namespace
func (*AuthWithRoles) UpsertNode ¶
func (a *AuthWithRoles) UpsertNode(s services.Server) error
func (*AuthWithRoles) UpsertNodes ¶
func (a *AuthWithRoles) UpsertNodes(namespace string, servers []services.Server) error
UpsertNodes bulk upserts nodes into the backend.
func (*AuthWithRoles) UpsertOIDCConnector ¶
func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) error
func (*AuthWithRoles) UpsertPassword ¶
func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error
func (*AuthWithRoles) UpsertProxy ¶
func (a *AuthWithRoles) UpsertProxy(s services.Server) error
func (*AuthWithRoles) UpsertReverseTunnel ¶
func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error
func (*AuthWithRoles) UpsertRole ¶
UpsertRole creates or updates role
func (*AuthWithRoles) UpsertSAMLConnector ¶
func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) error
func (*AuthWithRoles) UpsertTOTP ¶
func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error
func (*AuthWithRoles) UpsertToken ¶
func (*AuthWithRoles) UpsertTrustedCluster ¶
func (a *AuthWithRoles) UpsertTrustedCluster(tc services.TrustedCluster) (services.TrustedCluster, error)
func (*AuthWithRoles) UpsertTunnelConnection ¶
func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error
func (*AuthWithRoles) UpsertUser ¶
func (a *AuthWithRoles) UpsertUser(u services.User) error
func (*AuthWithRoles) ValidateGithubAuthCallback ¶
func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
func (*AuthWithRoles) ValidateOIDCAuthCallback ¶
func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
func (*AuthWithRoles) ValidateSAMLResponse ¶
func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
func (*AuthWithRoles) ValidateTrustedCluster ¶
func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
func (*AuthWithRoles) WaitForDelivery ¶
func (a *AuthWithRoles) WaitForDelivery(context.Context) error
type AuthenticateSSHRequest ¶
type AuthenticateSSHRequest struct { // AuthenticateUserRequest is a request with credentials AuthenticateUserRequest // PublicKey is a public key in ssh authorized_keys format PublicKey []byte `json:"public_key"` // TTL is a requested TTL for certificates to be issues TTL time.Duration `json:"ttl"` // CompatibilityMode sets certificate compatibility mode with old SSH clients CompatibilityMode string `json:"compatibility_mode"` }
AuthenticateSSHRequest is a request to authenticate SSH client user via CLI
func (*AuthenticateSSHRequest) CheckAndSetDefaults ¶
func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default certificate values
type AuthenticateUserRequest ¶
type AuthenticateUserRequest struct { // Username is a user name Username string `json:"username"` // Pass is a password used in local authentication schemes Pass *PassCreds `json:"pass,omitempty"` // U2F is a sign response crdedentials used to authenticate via U2F U2F *U2FSignResponseCreds `json:"u2f,omitempty"` // OTP is a password and second factor, used in two factor authentication OTP *OTPCreds `json:"otp,omitempty"` // Session is a web session credential used to authenticate web sessions Session *SessionCreds `json:"session,omitempty"` }
AuthenticateUserRequest is a request to authenticate interactive user
func (*AuthenticateUserRequest) CheckAndSetDefaults ¶
func (a *AuthenticateUserRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type Authorizer ¶
type Authorizer interface { // Authorize authorizes user based on identity supplied via context Authorize(ctx context.Context) (*AuthContext, error) }
Authorizer authorizes identity and returns auth context
func NewAuthorizer ¶
func NewAuthorizer(access services.Access, identity services.UserGetter, trust services.Trust) (Authorizer, error)
NewAuthorizer returns new authorizer using backends
func NewRoleAuthorizer ¶
func NewRoleAuthorizer(clusterName string, clusterConfig services.ClusterConfig, r teleport.Role) (Authorizer, error)
NewRoleAuthorizer authorizes everyone as predefined role, used in tests
func NewUserAuthorizer ¶
func NewUserAuthorizer(username string, identity services.UserGetter, access services.Access) (Authorizer, error)
NewUserAuthorizer authorizes everyone as predefined local user
type BuiltinRole ¶
type BuiltinRole struct { // GetClusterConfig fetches cluster configuration. GetClusterConfig GetClusterConfigFunc // Role is the builtin role this username is associated with Role teleport.Role // Username is for authentication tracking purposes Username string // ClusterName is the name of the local cluster ClusterName string }
BuiltinRole is the role of the Teleport service.
type BuiltinRoleSet ¶
BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is builtin or not.
type Client ¶
Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.
When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go
func NewClient ¶
NewAuthClient returns a new instance of the client which talks to an Auth server API (aka "site API") via HTTP-over-SSH
func NewTLSClient ¶
func NewTLSClient(addrs []utils.NetAddr, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)
NewTLSClient returns new client using TLS mutual authentication
func NewTLSClientWithDialer ¶
func NewTLSClientWithDialer(dialContext DialContext, cfg *tls.Config, params ...roundtrip.ClientParam) (*Client, error)
NewTLSClientWithDialer returns new TLS client that uses mutual TLS authenticate and dials the remote server using dialer
func (*Client) ActivateCertAuthority ¶
func (c *Client) ActivateCertAuthority(id services.CertAuthID) error
ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.
func (*Client) AddUserLoginAttempt ¶
func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error
AddUserLoginAttempt logs user login attempt
func (*Client) AuthenticateSSHUser ¶
func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)
AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result
func (*Client) AuthenticateWebUser ¶
func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful
func (*Client) ChangePassword ¶
func (c *Client) ChangePassword(req services.ChangePasswordReq) error
ChangePassword changes user password
func (*Client) CheckPassword ¶
CheckPassword checks if the suplied web access password is valid.
func (*Client) CompareAndSwapCertAuthority ¶
func (c *Client) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error
CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.
func (*Client) CreateCertAuthority ¶
func (c *Client) CreateCertAuthority(ca services.CertAuthority) error
CreateCertAuthority inserts new cert authority
func (*Client) CreateGithubAuthRequest ¶
func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)
CreateGithubAuthRequest creates a new request for Github OAuth2 flow
func (*Client) CreateGithubConnector ¶
func (c *Client) CreateGithubConnector(connector services.GithubConnector) error
CreateGithubConnector creates a new Github connector
func (*Client) CreateOIDCAuthRequest ¶
func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)
CreateOIDCAuthRequest creates OIDCAuthRequest
func (*Client) CreateRemoteCluster ¶
func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error
CreateRemoteCluster creates remote cluster resource
func (*Client) CreateRole ¶
CreateRole creates a role.
func (*Client) CreateSAMLAuthRequest ¶
func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)
CreateSAMLAuthRequest creates SAML AuthnRequest
func (*Client) CreateSAMLConnector ¶
func (c *Client) CreateSAMLConnector(connector services.SAMLConnector) error
CreateOIDCConnector creates SAML connector
func (*Client) CreateSession ¶
CreateSession creates new session
func (*Client) CreateSignupToken ¶
CreateSignupToken creates one time token for creating account for the user For each token it creates username and otp generator
func (*Client) CreateUserWithOTP ¶
func (c *Client) CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error)
CreateUserWithOTP creates account with provided token and password. Account username and OTP key are taken from token data. Deletes token after account creation.
func (*Client) CreateUserWithU2FToken ¶
func (c *Client) CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error)
CreateUserWithU2FToken creates user account with provided token and U2F sign response
func (*Client) CreateUserWithoutOTP ¶
CreateUserWithoutOTP validates a given token creates a user with the given password and deletes the token afterwards.
func (*Client) CreateWebSession ¶
func (c *Client) CreateWebSession(user string) (services.WebSession, error)
CreateWebSession creates a new web session for a user
func (*Client) DeactivateCertAuthority ¶
func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error
DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.
func (*Client) DeleteAllCertAuthorities ¶
func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error
DeleteAllCertAuthorities deletes all certificate authorities of a certain type
func (*Client) DeleteAllNamespaces ¶
DeleteAllCertNamespaces deletes all namespaces
func (*Client) DeleteAllNodes ¶
DeleteAllNodes deletes all nodes in a given namespace
func (*Client) DeleteAllProxies ¶
DeleteAllProxies deletes all proxies
func (*Client) DeleteAllRemoteClusters ¶
DeleteAllRemoteClusters deletes all remote clusters
func (*Client) DeleteAllReverseTunnels ¶
DeleteAllReverseTunnels deletes all reverse tunnels
func (*Client) DeleteAllRoles ¶
DeleteAllRoles deletes all roles
func (*Client) DeleteAllTunnelConnections ¶
DeleteAllTunnelConnections deletes all tunnel connections
func (*Client) DeleteAllUsers ¶
DeleteAllUsers deletes all users
func (*Client) DeleteCertAuthority ¶
func (c *Client) DeleteCertAuthority(id services.CertAuthID) error
DeleteCertAuthority deletes cert authority by ID
func (*Client) DeleteGithubConnector ¶
DeleteGithubConnector deletes the specified Github connector
func (*Client) DeleteNamespace ¶
DeleteNamespace deletes namespace by name
func (*Client) DeleteOIDCConnector ¶
DeleteOIDCConnector deletes OIDC connector by ID
func (*Client) DeleteRemoteCluster ¶
DeleteRemoteCluster deletes remote cluster by name
func (*Client) DeleteReverseTunnel ¶
DeleteReverseTunnel deletes reverse tunnel by domain name
func (*Client) DeleteRole ¶
DeleteRole deletes role by name
func (*Client) DeleteSAMLConnector ¶
DeleteSAMLConnector deletes SAML connector by ID
func (*Client) DeleteSession ¶
DeleteSession deletes a session by ID
func (*Client) DeleteToken ¶
DeleteToken deletes a given provisioning token on the auth server (CA). It could be a user token or a machine token
func (*Client) DeleteTrustedCluster ¶
func (*Client) DeleteTunnelConnection ¶
DeleteTunnelConnection deletes tunnel connection by name
func (*Client) DeleteTunnelConnections ¶
DeleteTunnelConnections deletes all tunnel connections for cluster
func (*Client) DeleteUser ¶
DeleteUser deletes a user by username
func (*Client) DeleteWebSession ¶
DeleteWebSession deletes a web session for this user by id
func (*Client) EmitAuditEvent ¶
EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)
func (*Client) ExtendWebSession ¶
ExtendWebSession creates a new web session for a user based on another valid web session
func (*Client) GenerateHostCert ¶
func (c *Client) GenerateHostCert( key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)
GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.
func (*Client) GenerateKeyPair ¶
GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.
func (*Client) GenerateServerKeys ¶
func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)
RenewCredentials returns a new set of credentials associated with the server with the same privileges
func (*Client) GenerateToken ¶
func (c *Client) GenerateToken(req GenerateTokenRequest) (string, error)
GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.
This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.
If token is not supplied, it will be auto generated and returned. If TTL is not supplied, token will be valid until removed.
func (*Client) GenerateUserCert ¶
func (c *Client) GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error)
GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*Client) GetAllTunnelConnections ¶
func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)
GetAllTunnelConnections returns all tunnel connections
func (*Client) GetAuthPreference ¶
func (c *Client) GetAuthPreference() (services.AuthPreference, error)
func (*Client) GetAuthServers ¶
GetAuthServers returns the list of auth servers registered in the cluster.
func (*Client) GetCertAuthorities ¶
func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)
GetCertAuthorities returns a list of certificate authorities
func (*Client) GetCertAuthority ¶
func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)
GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded
func (*Client) GetClusterCACert ¶ added in v3.1.0
func (c *Client) GetClusterCACert() (*LocalCAResponse, error)
GetClusterCACert returns the CAs for the local cluster without signing keys.
func (*Client) GetClusterConfig ¶
func (c *Client) GetClusterConfig() (services.ClusterConfig, error)
GetClusterConfig returns cluster level configuration information.
func (*Client) GetClusterName ¶
func (c *Client) GetClusterName() (services.ClusterName, error)
func (*Client) GetDomainName ¶
GetDomainName returns local auth domain of the current auth server
func (*Client) GetGithubConnector ¶
GetGithubConnector returns the specified Github connector
func (*Client) GetGithubConnectors ¶
func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
GetGithubConnectors returns all configured Github connectors
func (*Client) GetLocalClusterName ¶
GetLocalClusterName returns local cluster name
func (*Client) GetNamespace ¶
GetNamespace returns namespace by name
func (*Client) GetNamespaces ¶
GetNamespaces returns a list of namespaces
func (*Client) GetNodes ¶
func (c *Client) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)
GetNodes returns the list of servers registered in the cluster.
func (*Client) GetOIDCConnector ¶
GetOIDCConnector returns OIDC connector information by id
func (*Client) GetOIDCConnectors ¶
func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)
GetOIDCConnector gets OIDC connectors list
func (*Client) GetProxies ¶
GetProxies returns the list of auth servers registered in the cluster.
func (*Client) GetRemoteCluster ¶
func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)
GetRemoteCluster returns a remote cluster by name
func (*Client) GetRemoteClusters ¶
func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)
GetRemoteClusters returns a list of remote clusters
func (*Client) GetReverseTunnel ¶
func (c *Client) GetReverseTunnel(name string) (services.ReverseTunnel, error)
GetReverseTunnel returns reverse tunnel by name
func (*Client) GetReverseTunnels ¶
func (c *Client) GetReverseTunnels() ([]services.ReverseTunnel, error)
GetReverseTunnels returns the list of created reverse tunnels
func (*Client) GetSAMLConnector ¶
GetOIDCConnector returns SAML connector information by id
func (*Client) GetSAMLConnectors ¶
func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)
GetSAMLConnectors gets SAML connectors list
func (*Client) GetSession ¶
GetSession returns a session by ID
func (*Client) GetSessionChunk ¶
func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)
GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes
func (*Client) GetSessionEvents ¶
func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)
Returns events that happen during a session sorted by time (oldest first).
afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)
This function is usually used in conjunction with GetSessionReader to replay recorded session streams.
func (*Client) GetSessions ¶
GetSessions returns a list of active sessions in the cluster as reported by auth server
func (*Client) GetSignupTokenData ¶
GetSignupTokenData returns token data for a valid token
func (*Client) GetSignupU2FRegisterRequest ¶
func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)
GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite tokenx
func (*Client) GetStaticTokens ¶
func (c *Client) GetStaticTokens() (services.StaticTokens, error)
func (*Client) GetToken ¶
func (c *Client) GetToken(token string) (*services.ProvisionToken, error)
GetToken returns provisioning token
func (*Client) GetTokens ¶
func (c *Client) GetTokens() (tokens []services.ProvisionToken, err error)
GetTokens returns a list of active invitation tokens for nodes and users
func (*Client) GetTransport ¶
func (*Client) GetTrustedCluster ¶
func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)
func (*Client) GetTrustedClusters ¶
func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)
func (*Client) GetTunnelConnections ¶
func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
GetTunnelConnections returns tunnel connections for a given cluster
func (*Client) GetU2FAppID ¶
GetU2FAppID returns U2F settings, like App ID and Facets
func (*Client) GetU2FSignRequest ¶
GetU2FSignRequest generates request for user trying to authenticate with U2F token
func (*Client) GetUserLoginAttempts ¶
func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)
GetUserLoginAttempts returns user login attempts
func (*Client) GetWebSessionInfo ¶
GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.
func (*Client) PostForm ¶
func (c *Client) PostForm( endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)
PostForm is a generic method that issues http POST request to the server
func (*Client) PostSessionSlice ¶
func (c *Client) PostSessionSlice(slice events.SessionSlice) error
PostSessionSlice allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)
The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)
func (*Client) ProcessKubeCSR ¶
func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if sucessful.
func (*Client) RegisterNewAuthServer ¶
RegisterNewAuthServer is used to register new auth server with token
func (*Client) RegisterUsingToken ¶
func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)
RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.
func (*Client) RotateCertAuthority ¶
func (c *Client) RotateCertAuthority(req RotateRequest) error
RotateCertAuthority starts or restarts certificate authority rotation process.
func (*Client) RotateExternalCertAuthority ¶
func (c *Client) RotateExternalCertAuthority(ca services.CertAuthority) error
RotateExternalCertAuthority rotates external certificate authority, this method is used to update only public keys and certificates of the the certificate authorities of trusted clusters.
func (*Client) SearchEvents ¶
func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)
SearchEvents returns events that fit the criteria
func (*Client) SearchSessionEvents ¶
SearchSessionEvents returns session related events to find completed sessions.
func (*Client) SetAuthPreference ¶
func (c *Client) SetAuthPreference(cap services.AuthPreference) error
func (*Client) SetClusterConfig ¶
func (c *Client) SetClusterConfig(cc services.ClusterConfig) error
SetClusterConfig sets cluster level configuration information.
func (*Client) SetClusterName ¶
func (c *Client) SetClusterName(cn services.ClusterName) error
func (*Client) SetStaticTokens ¶
func (c *Client) SetStaticTokens(st services.StaticTokens) error
func (*Client) TLSConfig ¶
TLSConfig returns TLS config used by the client, could return nil if the client is not using TLS
func (*Client) UpdateSession ¶
func (c *Client) UpdateSession(req session.UpdateRequest) error
UpdateSession updates existing session
func (*Client) UploadSessionRecording ¶
func (c *Client) UploadSessionRecording(r events.SessionRecording) error
UploadSessionRecording uploads session recording to the audit server
func (*Client) UpsertAuthServer ¶
UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertCertAuthority ¶
func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error
UpsertCertAuthority updates or inserts new cert authority
func (*Client) UpsertGithubConnector ¶
func (c *Client) UpsertGithubConnector(connector services.GithubConnector) error
UpsertGithubConnector creates or updates a Github connector
func (*Client) UpsertLocalClusterName ¶
UpsertLocalClusterName upserts local cluster name
func (*Client) UpsertNamespace ¶
UpsertNamespace upserts namespace
func (*Client) UpsertNode ¶
UpsertNode is used by SSH servers to reprt their presence to the auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertNodes ¶
UpsertNodes bulk inserts nodes.
func (*Client) UpsertOIDCConnector ¶
func (c *Client) UpsertOIDCConnector(connector services.OIDCConnector) error
UpsertOIDCConnector updates or creates OIDC connector
func (*Client) UpsertPassword ¶
UpsertPassword updates web access password for the user
func (*Client) UpsertProxy ¶
UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.
func (*Client) UpsertReverseTunnel ¶
func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error
UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions
func (*Client) UpsertRole ¶
UpsertRole creates or updates role
func (*Client) UpsertSAMLConnector ¶
func (c *Client) UpsertSAMLConnector(connector services.SAMLConnector) error
UpsertSAMLConnector updates or creates OIDC connector
func (*Client) UpsertTrustedCluster ¶
func (c *Client) UpsertTrustedCluster(trustedCluster services.TrustedCluster) (services.TrustedCluster, error)
func (*Client) UpsertTunnelConnection ¶
func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error
UpsertTunnelConnection upserts tunnel connection
func (*Client) UpsertUser ¶
UpsertUser user updates or inserts user entry
func (*Client) ValidateGithubAuthCallback ¶
func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)
ValidateGithubAuthCallback validates Github auth callback returned from redirect
func (*Client) ValidateOIDCAuthCallback ¶
func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)
ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
func (*Client) ValidateSAMLResponse ¶
func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)
ValidateSAMLResponse validates response returned by SAML identity provider
func (*Client) ValidateTrustedCluster ¶
func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)
type ClientI ¶
type ClientI interface { IdentityService ProvisioningService services.Trust events.IAuditLog services.Presence services.Access WebService session.Service services.ClusterConfiguration // RotateCertAuthority starts or restarts certificate authority rotation process. RotateCertAuthority(req RotateRequest) error // RotateExternalCertAuthority rotates external certificate authority, // this method is used to update only public keys and certificates of the // the certificate authorities of trusted clusters. RotateExternalCertAuthority(ca services.CertAuthority) error // ValidateTrustedCluster validates trusted cluster token with // main cluster, in case if validation is successful, main cluster // adds remote cluster ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error) // GetDomainName returns auth server cluster name GetDomainName() (string, error) // GetClusterCACert returns the CAs for the local cluster without signing keys. GetClusterCACert() (*LocalCAResponse, error) // GenerateServerKeys generates new host private keys and certificates (signed // by the host certificate authority) for a node GenerateServerKeys(GenerateServerKeysRequest) (*PackedKeys, error) // AuthenticateWebUser authenticates web user, creates and returns web session // in case if authentication is successful AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error) // AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH // short lived certificates as a result AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error) // ProcessKubeCSR processes CSR request against Kubernetes CA, returns // signed certificate if sucessful. ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error) }
ClientI is a client to Auth service
func NewAdminAuthServer ¶
func NewAdminAuthServer(authServer *AuthServer, sessions session.Service, alog events.IAuditLog) (ClientI, error)
NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access
type DialContext ¶
DialContext is a function that dials to the specified address
func NewAddrDialer ¶
func NewAddrDialer(addrs []utils.NetAddr) DialContext
NewAddrDialer returns new dialer from a list of addresses
type FakeSSHConnection ¶
type FakeSSHConnection struct {
// contains filtered or unexported fields
}
FakeSSHConnection implements net.Conn interface on top of the ssh.Cnahhel object. This allows us to run non-SSH servers (like HTTP) on top of an existing SSH connection
func (*FakeSSHConnection) Close ¶
func (conn *FakeSSHConnection) Close() error
func (*FakeSSHConnection) LocalAddr ¶
func (conn *FakeSSHConnection) LocalAddr() net.Addr
func (*FakeSSHConnection) RemoteAddr ¶
func (conn *FakeSSHConnection) RemoteAddr() net.Addr
func (*FakeSSHConnection) SetDeadline ¶
func (conn *FakeSSHConnection) SetDeadline(t time.Time) error
SetDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetReadDeadline ¶
func (conn *FakeSSHConnection) SetReadDeadline(t time.Time) error
SetReadDeadline is needed to implement net.Conn interface
func (*FakeSSHConnection) SetWriteDeadline ¶
func (conn *FakeSSHConnection) SetWriteDeadline(t time.Time) error
SetWriteDeadline is needed to implement net.Conn interface
type GenerateServerKeysRequest ¶
type GenerateServerKeysRequest struct { // HostID is a unique ID of the host HostID string `json:"host_id"` // NodeName is a user friendly host name NodeName string `json:"node_name"` // Roles is a list of roles assigned to node Roles teleport.Roles `json:"roles"` // AdditionalPrincipals is a list of additional principals // to include in OpenSSH and X509 certificates AdditionalPrincipals []string `json:"additional_principals"` // DNSNames is a list of DNS names // to include in the x509 client certificate DNSNames []string `json:"dns_names"` // PublicTLSKey is a PEM encoded public key // used for TLS setup PublicTLSKey []byte `json:"public_tls_key"` // PublicSSHKey is a SSH encoded public key, // if present will be signed as a return value // otherwise, new public/private key pair will be generated PublicSSHKey []byte `json:"public_ssh_key"` }
GenerateServerKeysRequest is a request to generate server keys
func (*GenerateServerKeysRequest) CheckAndSetDefaults ¶
func (req *GenerateServerKeysRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type GenerateTokenRequest ¶
type GenerateTokenRequest struct { // Token if provided sets the token value, otherwise will be auto generated Token string `json:"token"` // Roles is a list of roles this token authenticates as Roles teleport.Roles `json:"roles"` // TTL is a time to live for token TTL time.Duration `json:"ttl"` }
GenerateTokenRequest is a request to generate auth token
func (*GenerateTokenRequest) CheckAndSetDefaults ¶
func (req *GenerateTokenRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values of request
type GetClusterConfigFunc ¶
type GetClusterConfigFunc func() (services.ClusterConfig, error)
GetClusterConfigFunc returns a cached services.ClusterConfig.
type GithubAuthResponse ¶
type GithubAuthResponse struct { // Username is the name of authenticated user Username string `json:"username"` // Identity is the external identity Identity services.ExternalIdentity `json:"identity"` // Session is the created web session Session services.WebSession `json:"session,omitempty"` // Cert is the generated SSH client certificate Cert []byte `json:"cert,omitempty"` // TLSCert is PEM encoded TLS client certificate TLSCert []byte `json:"tls_cert,omitempty"` // Req is the original auth request Req services.GithubAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
GithubAuthResponse represents Github auth callback validation response
type HandlerWithAuthFunc ¶
type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)
HandlerWithAuthFunc is http handler with passed auth context
type Identity ¶
type Identity struct { // ID specifies server unique ID, name and role ID IdentityID // KeyBytes is a PEM encoded private key KeyBytes []byte // CertBytes is a PEM encoded SSH host cert CertBytes []byte // TLSCertBytes is a PEM encoded TLS x509 client certificate TLSCertBytes []byte // TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority // associated with auth server services TLSCACertsBytes [][]byte // KeySigner is an SSH host certificate signer KeySigner ssh.Signer // Cert is a parsed SSH certificate Cert *ssh.Certificate // XCert is X509 client certificate XCert *x509.Certificate // ClusterName is a name of host's cluster ClusterName string }
Identity is collection of certificates and signers that represent server identity
func GenerateIdentity ¶
func GenerateIdentity(a *AuthServer, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)
GenerateIdentity generates identity for the auth server
func LocalRegister ¶
func LocalRegister(id IdentityID, authServer *AuthServer, additionalPrincipals, dnsNames []string) (*Identity, error)
LocalRegister is used to generate host keys when a node or proxy is running within the same process as the auth server. This method does not need to use provisioning tokens.
func NewServerIdentity ¶
NewServerIdentity generates new server identity, used in tests
func ReRegister ¶
func ReRegister(params ReRegisterParams) (*Identity, error)
ReRegister renews the certificates and private keys based on the client's existing identity.
func ReadIdentityFromKeyPair ¶
func ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes []byte, tlsCACertsBytes [][]byte) (*Identity, error)
ReadIdentityFromKeyPair reads TLS identity from key pair
func ReadLocalIdentity ¶
func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)
ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).
func ReadSSHIdentityFromKeyPair ¶
ReadSSHIdentityFromKeyPair reads identity from initialized keypair
func ReadTLSIdentityFromKeyPair ¶
func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)
ReadTLSIdentityFromKeyPair reads TLS identity from key pair
func Register ¶
func Register(params RegisterParams) (*Identity, error)
Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.
func (*Identity) HasDNSNames ¶ added in v3.1.0
HasDNSNames returns true if TLS certificate has required DNS names
func (*Identity) HasPrincipals ¶
HasPrincipals returns whether identity has principals
func (*Identity) HasTLSConfig ¶
HasTSLConfig returns true if this identity has TLS certificate and private key
type IdentityID ¶
IdentityID is a combination of role, host UUID, and node name.
func (*IdentityID) Equals ¶
func (id *IdentityID) Equals(other IdentityID) bool
Equals returns true if two identities are equal
func (*IdentityID) HostID ¶
func (id *IdentityID) HostID() (string, error)
HostID is host ID part of the host UUID that consists cluster name
func (*IdentityID) String ¶
func (id *IdentityID) String() string
String returns debug friendly representation of this identity
type IdentityService ¶
type IdentityService interface { // UpsertPassword updates web access password for the user UpsertPassword(user string, password []byte) error // UpsertOIDCConnector updates or creates OIDC connector UpsertOIDCConnector(connector services.OIDCConnector) error // GetOIDCConnector returns OIDC connector information by id GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error) // GetOIDCConnector gets OIDC connectors list GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error) // DeleteOIDCConnector deletes OIDC connector by ID DeleteOIDCConnector(connectorID string) error // CreateOIDCAuthRequest creates OIDCAuthRequest CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error) // ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error) // CreateSAMLConnector creates SAML connector CreateSAMLConnector(connector services.SAMLConnector) error // UpsertSAMLConnector updates or creates SAML connector UpsertSAMLConnector(connector services.SAMLConnector) error // GetSAMLConnector returns SAML connector information by id GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error) // GetSAMLConnector gets SAML connectors list GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error) // DeleteSAMLConnector deletes SAML connector by ID DeleteSAMLConnector(connectorID string) error // CreateSAMLAuthRequest creates SAML AuthnRequest CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error) // ValidateSAMLResponse validates SAML auth response ValidateSAMLResponse(re string) (*SAMLAuthResponse, error) // CreateGithubConnector creates a new Github connector CreateGithubConnector(connector services.GithubConnector) error // UpsertGithubConnector creates or updates a Github connector UpsertGithubConnector(connector services.GithubConnector) error // GetGithubConnectors returns all configured Github connectors GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error) // GetGithubConnector returns the specified Github connector GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error) // DeleteGithubConnector deletes the specified Github connector DeleteGithubConnector(id string) error // CreateGithubAuthRequest creates a new request for Github OAuth2 flow CreateGithubAuthRequest(services.GithubAuthRequest) (*services.GithubAuthRequest, error) // ValidateGithubAuthCallback validates Github auth callback ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error) // GetU2FSignRequest generates request for user trying to authenticate with U2F token GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error) // GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error) // CreateUserWithU2FToken creates user account with provided token and U2F sign response CreateUserWithU2FToken(token string, password string, u2fRegisterResponse u2f.RegisterResponse) (services.WebSession, error) // GetUser returns user by name GetUser(name string) (services.User, error) // UpsertUser user updates or inserts user entry UpsertUser(user services.User) error // DeleteUser deletes a user by username DeleteUser(user string) error // GetUsers returns a list of usernames registered in the system GetUsers() ([]services.User, error) // ChangePassword changes user password ChangePassword(req services.ChangePasswordReq) error // CheckPassword checks if the suplied web access password is valid. CheckPassword(user string, password []byte, otpToken string) error // CreateUserWithOTP creates account with provided token and password. // Account username and OTP key are taken from token data. // Deletes token after account creation. CreateUserWithOTP(token, password, otpToken string) (services.WebSession, error) // CreateUserWithoutOTP validates a given token creates a user // with the given password and deletes the token afterwards. CreateUserWithoutOTP(token string, password string) (services.WebSession, error) // GenerateToken creates a special provisioning token for a new SSH server // that is valid for ttl period seconds. // // This token is used by SSH server to authenticate with Auth server // and get signed certificate and private key from the auth server. // // If token is not supplied, it will be auto generated and returned. // If TTL is not supplied, token will be valid until removed. GenerateToken(GenerateTokenRequest) (string, error) // GenerateKeyPair generates SSH private/public key pair optionally protected // by password. If the pass parameter is an empty string, the key pair // is not password-protected. GenerateKeyPair(pass string) ([]byte, []byte, error) // GenerateHostCert takes the public key in the Open SSH “authorized_keys“ // plain text format, signs it using Host Certificate Authority private key and returns the // resulting certificate. GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error) // GenerateUserCert takes the public key in the OpenSSH `authorized_keys` // plain text format, signs it using User Certificate Authority signing key and returns the // resulting certificate. GenerateUserCert(key []byte, user string, ttl time.Duration, compatibility string) ([]byte, error) // GetSignupTokenData returns token data for a valid token GetSignupTokenData(token string) (user string, otpQRCode []byte, e error) // CreateSignupToken creates one time token for creating account for the user // For each token it creates username and OTP key CreateSignupToken(user services.UserV1, ttl time.Duration) (string, error) }
IdentityService manages identities and users
type IdentitySpecV2 ¶
type IdentitySpecV2 struct { // Key is a PEM encoded private key. Key []byte `json:"key,omitempty"` // SSHCert is a PEM encoded SSH host cert. SSHCert []byte `json:"ssh_cert,omitempty"` // TLSCert is a PEM encoded x509 client certificate. TLSCert []byte `json:"tls_cert,omitempty"` // TLSCACert is a list of PEM encoded x509 certificate of the // certificate authority of the cluster. TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"` }
IdentitySpecV2 specifies credentials used by local process.
type IdentityV2 ¶
type IdentityV2 struct { // ResourceHeader is a common resource header. services.ResourceHeader // Spec is the identity spec. Spec IdentitySpecV2 `json:"spec"` }
IdentityV2 specifies local host identity.
func (*IdentityV2) CheckAndSetDefaults ¶
func (s *IdentityV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults values.
type InitConfig ¶
type InitConfig struct { // Backend is auth backend to use Backend backend.Backend // Authority is key generator that we use Authority sshca.Authority // HostUUID is a UUID of this host HostUUID string // NodeName is the DNS name of the node NodeName string // ClusterName stores the FQDN of the signing CA (its certificate will have this // name embedded). It is usually set to the GUID of the host the Auth service runs on ClusterName services.ClusterName // Authorities is a list of pre-configured authorities to supply on first start Authorities []services.CertAuthority // AuthServiceName is a human-readable name of this CA. If several Auth services are running // (managing multiple teleport clusters) this field is used to tell them apart in UIs // It usually defaults to the hostname of the machine the Auth service runs on. AuthServiceName string // DataDir is the full path to the directory where keys, events and logs are kept DataDir string // ReverseTunnels is a list of reverse tunnels statically supplied // in configuration, so auth server will init the tunnels on the first start ReverseTunnels []services.ReverseTunnel // OIDCConnectors is a list of trusted OpenID Connect identity providers // in configuration, so auth server will init the tunnels on the first start OIDCConnectors []services.OIDCConnector // Trust is a service that manages users and credentials Trust services.Trust // Presence service is a discovery and hearbeat tracker Presence services.Presence // Provisioner is a service that keeps track of provisioning tokens Provisioner services.Provisioner // Identity is a service that manages users and credentials Identity services.Identity // Access is service controlling access to resources Access services.Access // ClusterConfiguration is a services that holds cluster wide configuration. ClusterConfiguration services.ClusterConfiguration // Roles is a set of roles to create Roles []services.Role // StaticTokens are pre-defined host provisioning tokens supplied via config file for // environments where paranoid security is not needed //StaticTokens []services.ProvisionToken StaticTokens services.StaticTokens // AuthPreference defines the authentication type (local, oidc) and second // factor (off, otp, u2f) passed in from a configuration file. AuthPreference services.AuthPreference // AuditLog is used for emitting events to audit log. AuditLog events.IAuditLog // ClusterConfig holds cluster level configuration. ClusterConfig services.ClusterConfig // SkipPeriodicOperations turns off periodic operations // used in tests that don't need periodc operations. SkipPeriodicOperations bool // CipherSuites is a list of ciphersuites that the auth server supports. CipherSuites []uint16 }
InitConfig is auth server init config
type KubeCSR ¶
type KubeCSR struct { // Username of user's certificate Username string `json:"username"` // ClusterName is a name of the target cluster to generate certificate for ClusterName string `json:"cluster_name"` // CSR is a kubernetes CSR CSR []byte `json:"csr"` }
KubeCSR is a kubernetes CSR request
func (*KubeCSR) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults
type KubeCSRResponse ¶
type KubeCSRResponse struct { // Cert is a signed certificate PEM block Cert []byte `json:"cert"` // CertAuthorities is a list of PEM block with trusted cert authorities CertAuthorities [][]byte `json:"cert_authorities"` // TargetAddr is an optional target address // of the kubernetes API server that can be set // in the kubeconfig TargetAddr string `json:"target_addr"` }
KubeCSRResponse is a response to kubernetes CSR request
type LocalCAResponse ¶ added in v3.1.0
type LocalCAResponse struct { // TLSCA is the PEM-encoded TLS certificate authority. TLSCA []byte `json:"tls_ca"` }
LocalCAResponse contains PEM-encoded local CAs.
type LocalUser ¶
type LocalUser struct { // Username is local username Username string }
LocalUsername is a local username
type OIDCAuthResponse ¶
type OIDCAuthResponse struct { // Username is authenticated teleport username Username string `json:"username"` // Identity contains validated OIDC identity Identity services.ExternalIdentity `json:"identity"` // Web session will be generated by auth server if requested in OIDCAuthRequest Session services.WebSession `json:"session,omitempty"` // Cert will be generated by certificate authority Cert []byte `json:"cert,omitempty"` // TLSCert is PEM encoded TLS certificate TLSCert []byte `json:"tls_cert,omitempty"` // Req is original oidc auth request Req services.OIDCAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider
type OTPCreds ¶
type OTPCreds struct { // Password is a user password Password []byte `json:"password"` // Token is a user second factor token Token string `json:"token"` }
OTPCreds is a two factor authencication credentials
type PackedKeys ¶
type PackedKeys struct { // Key is a private key Key []byte `json:"key"` // Cert is an SSH host cert Cert []byte `json:"cert"` // TLSCert is an X509 certificate TLSCert []byte `json:"tls_cert"` // TLSCACerts is a list of certificate authorities TLSCACerts [][]byte `json:"tls_ca_certs"` }
PackedKeys is a collection of private key, SSH host certificate and TLS certificate and certificate authority issued the certificate
type PassCreds ¶
type PassCreds struct { // Password is a user password Password []byte `json:"password"` }
PassCreds is a password credential
type Plugin ¶
type Plugin interface { // AddHandlers adds handlers to the auth API server AddHandlers(srv *APIServer) }
Plugin is auth API server extension setter
type ProcessStorage ¶
type ProcessStorage struct {
// contains filtered or unexported fields
}
ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.
func NewProcessStorage ¶
func NewProcessStorage(path string) (*ProcessStorage, error)
NewProcessStorage returns a new instance of the process storage.
func (*ProcessStorage) Close ¶
func (p *ProcessStorage) Close() error
Close closes all resources used by process storage backend.
func (*ProcessStorage) CreateState ¶
func (p *ProcessStorage) CreateState(role teleport.Role, state StateV2) error
CreateState creates process state if it does not exist yet.
func (*ProcessStorage) GetState ¶
func (p *ProcessStorage) GetState(role teleport.Role) (*StateV2, error)
GetState reads rotation state from disk.
func (*ProcessStorage) ReadIdentity ¶
ReadIdentity reads identity using identity name and role.
func (*ProcessStorage) WriteIdentity ¶
func (p *ProcessStorage) WriteIdentity(name string, id Identity) error
WriteIdentity writes identity to the backend.
func (*ProcessStorage) WriteState ¶
func (p *ProcessStorage) WriteState(role teleport.Role, state StateV2) error
WriteState writes local cluster state to the backend.
type ProvisioningService ¶
type ProvisioningService interface { // GetTokens returns a list of active invitation tokens for nodes and users GetTokens() (tokens []services.ProvisionToken, err error) // GetToken returns provisioning token GetToken(token string) (*services.ProvisionToken, error) // DeleteToken deletes a given provisioning token on the auth server (CA). It // could be a user token or a machine token DeleteToken(token string) error // RegisterUsingToken calls the auth service API to register a new node via registration token // which has been previously issued via GenerateToken RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error) // RegisterNewAuthServer is used to register new auth server with token RegisterNewAuthServer(token string) error }
ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster
type ReRegisterParams ¶
type ReRegisterParams struct { // Client is an authenticated client using old credentials Client ClientI // ID is identity ID ID IdentityID // AdditionalPrincipals is a list of additional principals to dial AdditionalPrincipals []string // DNSNames is a list of DNS Names to add to the x509 client certificate DNSNames []string // PrivateKey is a PEM encoded private key (not passed to auth servers) PrivateKey []byte // PublicTLSKey is a server's public key to sign PublicTLSKey []byte // PublicSSHKey is a server's public SSH key to sign PublicSSHKey []byte }
ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)
type RegisterParams ¶
type RegisterParams struct { // DataDir is the data directory // storing CA certificate DataDir string // Token is a secure token to join the cluster Token string // ID is identity ID ID IdentityID // Servers is a list of auth servers to dial Servers []utils.NetAddr // AdditionalPrincipals is a list of additional principals to dial AdditionalPrincipals []string // DNSNames is a list of DNS names to add to x509 certificate DNSNames []string // PrivateKey is a PEM encoded private key (not passed to auth servers) PrivateKey []byte // PublicTLSKey is a server's public key to sign PublicTLSKey []byte // PublicSSHKey is a server's public SSH key to sign PublicSSHKey []byte // CipherSuites is a list of cipher suites to use for TLS client connection CipherSuites []uint16 // CAPin is the SKPI hash of the CA used to verify the Auth Server. CAPin string // CAPath is the path to the CA file. CAPath string }
RegisterParams specifies parameters for first time register operation with auth server
type RegisterUsingTokenRequest ¶
type RegisterUsingTokenRequest struct { // HostID is a unique host ID, usually a UUID HostID string `json:"hostID"` // NodeName is a node name NodeName string `json:"node_name"` // Role is a system role, e.g. Proxy Role teleport.Role `json:"role"` // Token is an authentication token Token string `json:"token"` // AdditionalPrincipals is a list of additional principals AdditionalPrincipals []string `json:"additional_principals"` // DNSNames is a list of DNS names to include in the x509 client certificate DNSNames []string `json:"dns_names"` // PublicTLSKey is a PEM encoded public key // used for TLS setup PublicTLSKey []byte `json:"public_tls_key"` // PublicSSHKey is a SSH encoded public key, // if present will be signed as a return value // otherwise, new public/private key pair will be generated PublicSSHKey []byte `json:"public_ssh_key"` }
RegisterUsingTokenRequest is a request to register with auth server using authentication token
func (*RegisterUsingTokenRequest) CheckAndSetDefaults ¶
func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks for errors and sets defaults
type RemoteBuiltinRole ¶
type RemoteBuiltinRole struct { // Role is the builtin role of the user Role teleport.Role // Username is for authentication tracking purposes Username string // ClusterName is the name of the remote cluster. ClusterName string }
RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.
type RemoteBuiltinRoleSet ¶
BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is a remote builtin or not.
type RemoteUser ¶
type RemoteUser struct { // Username is a name of the remote user Username string `json:"username"` // ClusterName is the name of the remote cluster // of the user. ClusterName string `json:"cluster_name"` // RemoteRoles is optional list of remote roles RemoteRoles []string `json:"remote_roles"` // Principals is a list of Unix logins. Principals []string `json:"principals"` // KubernetesGroups is a list of Kubernetes groups KubernetesGroups []string `json:"kubernetes_groups"` }
RemoteUser defines encoded remote user.
type RotateRequest ¶
type RotateRequest struct { // Type is a certificate authority type, if omitted, both user and host CA // will be rotated. Type services.CertAuthType `json:"type"` // GracePeriod is used to generate cert rotation schedule that defines // times at which different rotation phases will be applied by the auth server // in auto mode. It is not used in manual rotation mode. // If omitted, default value is set, if 0 is supplied, it is interpreted as // forcing rotation of all certificate authorities with no grace period, // all existing users and hosts will have to re-login and re-added // into the cluster. GracePeriod *time.Duration `json:"grace_period,omitempty"` // TargetPhase sets desired rotation phase to move to, if not set // will be set automatically, it is a required argument // for manual rotation. TargetPhase string `json:"target_phase,omitempty"` // Mode sets manual or auto rotation mode. Mode string `json:"mode"` // Schedule is an optional rotation schedule, // autogenerated based on GracePeriod parameter if not set. Schedule *services.RotationSchedule `json:"schedule"` }
RotateRequest is a request to start rotation of the certificate authority.
func (*RotateRequest) CheckAndSetDefaults ¶
func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error
CheckAndSetDefaults checks and sets default values.
func (*RotateRequest) Types ¶
func (r *RotateRequest) Types() []services.CertAuthType
Types returns cert authority types requested to be rotated.
type SAMLAuthResponse ¶
type SAMLAuthResponse struct { // Username is an authenticated teleport username Username string `json:"username"` // Identity contains validated SAML identity Identity services.ExternalIdentity `json:"identity"` // Web session will be generated by auth server if requested in SAMLAuthRequest Session services.WebSession `json:"session,omitempty"` // Cert will be generated by certificate authority Cert []byte `json:"cert,omitempty"` // TLSCert is a PEM encoded TLS certificate TLSCert []byte `json:"tls_cert,omitempty"` // Req is an original SAML auth request Req services.SAMLAuthRequest `json:"req"` // HostSigners is a list of signing host public keys // trusted by proxy, used in console login HostSigners []services.CertAuthority `json:"host_signers"` }
SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider
type SSHLoginResponse ¶
type SSHLoginResponse struct { // User contains a logged in user informationn Username string `json:"username"` // Cert is a PEM encoded signed certificate Cert []byte `json:"cert"` // TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority TLSCert []byte `json:"tls_cert"` // HostSigners is a list of signing host public keys trusted by proxy HostSigners []TrustedCerts `json:"host_signers"` }
SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags
type SessionCreds ¶
type SessionCreds struct { // ID is a web session id ID string `json:"id"` }
SessionCreds is a web session credentials
type StateSpecV2 ¶
type StateSpecV2 struct { // Rotation holds local process rotation state. Rotation services.Rotation `json:"rotation"` }
StateSpecV2 is a state spec.
type StateV2 ¶
type StateV2 struct { // ResourceHeader is a common resource header. services.ResourceHeader // Spec is a process spec. Spec StateSpecV2 `json:"spec"` }
StateV2 is a local process state.
func (*StateV2) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults values.
type TLSServer ¶
type TLSServer struct { *http.Server // TLSServerConfig is TLS server configuration used for auth server TLSServerConfig }
TLSServer is TLS auth server
func NewTLSServer ¶
func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)
NewTLSServer returns new unstarted TLS server
func (*TLSServer) GetConfigForClient ¶
GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities
type TLSServerConfig ¶
type TLSServerConfig struct { // TLS is a base TLS configuration TLS *tls.Config // API is API server configuration APIConfig // LimiterConfig is limiter config LimiterConfig limiter.LimiterConfig // AccessPoint is caching access point AccessPoint AccessPoint // Component is used for debugging purposes Component string // AcceptedUsage restricts authentication // to a subset of certificates based on the metadata AcceptedUsage []string }
TLSServerConfig is a configuration for TLS server
func (*TLSServerConfig) CheckAndSetDefaults ¶
func (c *TLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type TestAuthServer ¶
type TestAuthServer struct { // TestAuthServer config is configuration used for auth server setup TestAuthServerConfig // AuthServer is an auth server AuthServer *AuthServer // AuditLog is an event audit log AuditLog events.IAuditLog // SessionLogger is a session logger SessionServer session.Service // Backend is a backend for auth server Backend backend.Backend // Authorizer is an authorizer used in tests Authorizer Authorizer }
TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key
func NewTestAuthServer ¶
func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)
NewTestAuthServer returns new instances of Auth server
func (*TestAuthServer) Clock ¶
func (a *TestAuthServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestAuthServer) GenerateUserCert ¶
func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)
GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.
func (*TestAuthServer) NewCertificate ¶
func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)
NewCertificate returns new TLS credentials generated by test auth server
func (*TestAuthServer) NewRemoteClient ¶
func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)
NewRemoteClient creates new client to the remote server using identity generated for this certificate authority
func (*TestAuthServer) NewTestTLSServer ¶
func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)
NewTestTLSServer returns new test TLS server
func (*TestAuthServer) Trust ¶
func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error
Trust adds other server host certificate authority as trusted
type TestAuthServerConfig ¶
type TestAuthServerConfig struct { // ClusterName is cluster name ClusterName string // Dir is directory for local backend Dir string // AcceptedUsage is an optional list of restricted // server usage AcceptedUsage []string // CipherSuites is the list of ciphers that the server supports. CipherSuites []uint16 // Clock is used to control time in tests. Clock clockwork.FakeClock }
TestAuthServerConfig is auth server test config
func (*TestAuthServerConfig) CheckAndSetDefaults ¶
func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type TestIdentity ¶
TestIdentity is test identity spec used to generate identities in tests
func TestBuiltin ¶
func TestBuiltin(role teleport.Role) TestIdentity
TestBuiltin returns TestIdentity for builtin user
func TestUser ¶
func TestUser(username string) TestIdentity
TestUser returns TestIdentity for local user
type TestTLSServer ¶
type TestTLSServer struct { // TestTLSServerConfig is a configuration for TLS server TestTLSServerConfig // Identity is a generated TLS/SSH identity used to answer in TLS Identity *Identity // TLSServer is a configured TLS server TLSServer *TLSServer }
TestTLSServer is a test TLS server
func NewTestTLSServer ¶
func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)
NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port
func (*TestTLSServer) Addr ¶
func (t *TestTLSServer) Addr() net.Addr
Addr returns address of TLS server
func (*TestTLSServer) Auth ¶
func (t *TestTLSServer) Auth() *AuthServer
Auth returns auth server used by this TLS server
func (*TestTLSServer) CertPool ¶
func (t *TestTLSServer) CertPool() (*x509.CertPool, error)
CertPool returns cert pool that auth server represents
func (*TestTLSServer) ClientTLSConfig ¶
func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)
ClientTLSConfig returns client TLS config based on the identity
func (*TestTLSServer) Clock ¶
func (t *TestTLSServer) Clock() clockwork.Clock
Clock returns clock used by auth server
func (*TestTLSServer) CloneClient ¶
func (t *TestTLSServer) CloneClient(clt *Client) *Client
CloneClient uses the same credentials as the passed client but forces the client to be recreated
func (*TestTLSServer) Close ¶
func (t *TestTLSServer) Close() error
Close closes the listener and HTTP server
func (*TestTLSServer) ClusterName ¶
func (t *TestTLSServer) ClusterName() string
ClusterName returns name of test TLS server cluster
func (*TestTLSServer) NewClient ¶
func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)
NewClient returns new client to test server authenticated with identity
func (*TestTLSServer) NewClientFromWebSession ¶
func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)
NewClientFromWebSession returns new authenticated client from web session
func (*TestTLSServer) Start ¶
func (t *TestTLSServer) Start() error
Start starts TLS server on loopback address on the first lisenting socket
func (*TestTLSServer) Stop ¶
func (t *TestTLSServer) Stop() error
Stop stops listening server, but does not close the auth backend
type TestTLSServerConfig ¶
type TestTLSServerConfig struct { // APIConfig is a configuration of API server APIConfig *APIConfig // AuthServer is a test auth server used to serve requests AuthServer *TestAuthServer // Limiter is a connection and request limiter Limiter *limiter.LimiterConfig // Listener is a listener to serve requests on Listener net.Listener // AcceptedUsage is a list of accepted usage restrictions AcceptedUsage []string }
TestTLSServerConfig is a configuration for test TLS server
func (*TestTLSServerConfig) CheckAndSetDefaults ¶
func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets limiter defaults
type TrustedCerts ¶
type TrustedCerts struct { // ClusterName identifies teleport cluster name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name ClusterName string `json:"domain_name"` // HostCertificates is a list of SSH public keys that can be used to check // host certificate signatures HostCertificates [][]byte `json:"checking_keys"` // TLSCertificates is a list of TLS certificates of the certificate authoritiy // of the authentication server TLSCertificates [][]byte `json:"tls_certs"` }
TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags
func AuthoritiesToTrustedCerts ¶
func AuthoritiesToTrustedCerts(authorities []services.CertAuthority) []TrustedCerts
AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure
func (*TrustedCerts) SSHCertPublicKeys ¶
func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)
SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys
type U2FSignResponseCreds ¶
type U2FSignResponseCreds struct { // SignResponse is a U2F sign resposne SignResponse u2f.SignResponse `json:"sign_response"` }
U2FSignResponseCreds is a U2F signature sent by U2F device
type ValidateTrustedClusterRequest ¶
type ValidateTrustedClusterRequest struct { Token string `json:"token"` CAs []services.CertAuthority `json:"certificate_authorities"` }
func (*ValidateTrustedClusterRequest) ToRaw ¶
func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)
type ValidateTrustedClusterRequestRaw ¶
type ValidateTrustedClusterRequestRaw struct { Token string `json:"token"` CAs [][]byte `json:"certificate_authorities"` }
func (*ValidateTrustedClusterRequestRaw) ToNative ¶
func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)
type ValidateTrustedClusterResponse ¶
type ValidateTrustedClusterResponse struct {
CAs []services.CertAuthority `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponse) ToRaw ¶
func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)
type ValidateTrustedClusterResponseRaw ¶
type ValidateTrustedClusterResponseRaw struct {
CAs [][]byte `json:"certificate_authorities"`
}
func (*ValidateTrustedClusterResponseRaw) ToNative ¶
func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)
type WebService ¶
type WebService interface { // GetWebSessionInfo checks if a web sesion is valid, returns session id in case if // it is valid, or error otherwise. GetWebSessionInfo(user string, sid string) (services.WebSession, error) // ExtendWebSession creates a new web session for a user based on another // valid web session ExtendWebSession(user string, prevSessionID string) (services.WebSession, error) // CreateWebSession creates a new web session for a user CreateWebSession(user string) (services.WebSession, error) // DeleteWebSession deletes a web session for this user by id DeleteWebSession(user string, sid string) error }
WebService implements features used by Web UI clients