Documentation ¶
Overview ¶
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
* Local services are implemented in local package * Package suite contains the set of acceptance tests for services
Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities
Index ¶
- Constants
- Variables
- func CertPool(ca CertAuthority) (*x509.CertPool, error)
- func CertPoolFromCertAuthorities(cas []CertAuthority) (*x509.CertPool, error)
- func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)
- func GetAttributeNames(attributes map[string]types.Attribute) []string
- func GetAuthPreferenceSchema(extensionSchema string) string
- func GetCertAuthoritySchema() string
- func GetClaimNames(claims jose.Claims) []string
- func GetClusterConfigSchema(extensionSchema string) string
- func GetClusterNameSchema(extensionSchema string) string
- func GetGithubConnectorSchema() string
- func GetNamespaceSchema() string
- func GetOIDCConnectorSchema() string
- func GetRemoteClusterSchema() string
- func GetReverseTunnelSchema() string
- func GetRoleSchema(version string, extensionSchema string) string
- func GetSAMLConnectorSchema() string
- func GetServerSchema() string
- func GetStaticTokensSchema(extensionSchema string) string
- func GetTrustedClusterSchema(extensionSchema string) string
- func GetTunnelConnectionSchema() string
- func GetUserSchema(extensionSchema string) string
- func GetWebSessionSchema() string
- func GetWebSessionSchemaWithExtensions(extension string) string
- func IsValidNamespace(s string) bool
- func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2
- func LastFailed(x int, attempts []LoginAttempt) bool
- func MarshalCertRoles(roles []string) (string, error)
- func MarshalLicense(license License, opts ...MarshalOption) ([]byte, error)
- func MarshalNamespace(ns Namespace) ([]byte, error)
- func MarshalRemoteCluster(c RemoteCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalTunnelConnection(rt TunnelConnection, opts ...MarshalOption) ([]byte, error)
- func MatchLabels(selector Labels, target map[string]string) (bool, string, error)
- func MatchLogin(selectors []string, login string) (bool, string)
- func MatchNamespace(selectors []string, namespace string) (bool, string)
- func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
- func NewLogActionFn(ctx RuleContext) interface{}
- func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
- func ParseShortcut(in string) (string, error)
- func ProcessNamespace(namespace string) string
- func RO() []string
- func RW() []string
- func ReadNoSecrets() []string
- func RoleNameForCertAuthority(name string) string
- func RoleNameForUser(name string) string
- func RuleSlicesEqual(a, b []Rule) bool
- func SetActionsParserFn(fn NewParserFn)
- func SetAuthPreferenceMarshaler(m AuthPreferenceMarshaler)
- func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)
- func SetClusterConfigMarshaler(m ClusterConfigMarshaler)
- func SetClusterNameMarshaler(m ClusterNameMarshaler)
- func SetGithubConnectorMarshaler(m GithubConnectorMarshaler)
- func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)
- func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)
- func SetRoleMarshaler(m RoleMarshaler)
- func SetSAMLConnectorMarshaler(m SAMLConnectorMarshaler)
- func SetServerMarshaler(m ServerMarshaler)
- func SetStaticTokensMarshaler(m StaticTokensMarshaler)
- func SetTrustedClusterMarshaler(m TrustedClusterMarshaler)
- func SetUserMarshaler(u UserMarshaler)
- func SetWebSessionMarshaler(u WebSessionMarshaler)
- func SetWhereParserFn(fn NewParserFn)
- func TLSCerts(ca CertAuthority) [][]byte
- func TunnelConnectionStatus(clock clockwork.Clock, conn TunnelConnection) string
- func UnmarshalCertRoles(data string) ([]string, error)
- func VerifyPassword(password []byte) error
- type Access
- type AccessChecker
- type AttributeMapping
- type AuditConfig
- type AuthPreference
- type AuthPreferenceMarshaler
- type AuthPreferenceSpecV2
- type AuthPreferenceV2
- func (c *AuthPreferenceV2) CheckAndSetDefaults() error
- func (c *AuthPreferenceV2) GetConnectorName() string
- func (c *AuthPreferenceV2) GetSecondFactor() string
- func (c *AuthPreferenceV2) GetType() string
- func (c *AuthPreferenceV2) GetU2F() (*U2F, error)
- func (c *AuthPreferenceV2) SetConnectorName(cn string)
- func (c *AuthPreferenceV2) SetSecondFactor(s string)
- func (c *AuthPreferenceV2) SetType(s string)
- func (c *AuthPreferenceV2) SetU2F(u2f *U2F)
- func (c *AuthPreferenceV2) String() string
- type Bool
- type CertAuthID
- type CertAuthType
- type CertAuthority
- type CertAuthorityMarshaler
- type CertAuthoritySpecV2
- type CertAuthorityV1
- type CertAuthorityV2
- func (ca *CertAuthorityV2) AddRole(name string)
- func (ca *CertAuthorityV2) Check() error
- func (ca *CertAuthorityV2) CheckAndSetDefaults() error
- func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)
- func (c *CertAuthorityV2) Clone() CertAuthority
- func (ca *CertAuthorityV2) CombinedMapping() RoleMap
- func (c *CertAuthorityV2) Expiry() time.Time
- func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)
- func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte
- func (ca *CertAuthorityV2) GetClusterName() string
- func (ca *CertAuthorityV2) GetID() CertAuthID
- func (c *CertAuthorityV2) GetMetadata() Metadata
- func (ca *CertAuthorityV2) GetName() string
- func (ca *CertAuthorityV2) GetRawObject() interface{}
- func (ca *CertAuthorityV2) GetRoleMap() RoleMap
- func (ca *CertAuthorityV2) GetRoles() []string
- func (c *CertAuthorityV2) GetRotation() Rotation
- func (ca *CertAuthorityV2) GetSigningKeys() [][]byte
- func (c *CertAuthorityV2) GetTLSKeyPairs() []TLSKeyPair
- func (ca *CertAuthorityV2) GetType() CertAuthType
- func (ca *CertAuthorityV2) ID() *CertAuthID
- func (ca *CertAuthorityV2) SetCheckingKeys(keys [][]byte) error
- func (c *CertAuthorityV2) SetExpiry(expires time.Time)
- func (ca *CertAuthorityV2) SetName(name string)
- func (c *CertAuthorityV2) SetRoleMap(m RoleMap)
- func (ca *CertAuthorityV2) SetRoles(roles []string)
- func (c *CertAuthorityV2) SetRotation(r Rotation)
- func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error
- func (c *CertAuthorityV2) SetTLSKeyPairs(pairs []TLSKeyPair)
- func (c *CertAuthorityV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)
- func (c *CertAuthorityV2) String() string
- func (c *CertAuthorityV2) TLSCA() (*tlsca.CertAuthority, error)
- func (c *CertAuthorityV2) V1() *CertAuthorityV1
- func (c *CertAuthorityV2) V2() *CertAuthorityV2
- type CertRoles
- type ChangePasswordReq
- type ClaimMapping
- type ClusterConfig
- type ClusterConfigMarshaler
- type ClusterConfigSpecV3
- type ClusterConfigV3
- func (c *ClusterConfigV3) CheckAndSetDefaults() error
- func (c *ClusterConfigV3) Copy() ClusterConfig
- func (c *ClusterConfigV3) Expiry() time.Time
- func (c *ClusterConfigV3) GetAuditConfig() AuditConfig
- func (c *ClusterConfigV3) GetClientIdleTimeout() time.Duration
- func (c *ClusterConfigV3) GetClusterID() string
- func (c *ClusterConfigV3) GetDisconnectExpiredCert() bool
- func (c *ClusterConfigV3) GetKeepAliveCountMax() int
- func (c *ClusterConfigV3) GetKeepAliveInterval() time.Duration
- func (c *ClusterConfigV3) GetMetadata() Metadata
- func (c *ClusterConfigV3) GetName() string
- func (c *ClusterConfigV3) GetProxyChecksHostKeys() string
- func (c *ClusterConfigV3) GetSessionRecording() string
- func (c *ClusterConfigV3) SetAuditConfig(cfg AuditConfig)
- func (c *ClusterConfigV3) SetClientIdleTimeout(d time.Duration)
- func (c *ClusterConfigV3) SetClusterID(id string)
- func (c *ClusterConfigV3) SetDisconnectExpiredCert(b bool)
- func (c *ClusterConfigV3) SetExpiry(expires time.Time)
- func (c *ClusterConfigV3) SetKeepAliveCountMax(m int)
- func (c *ClusterConfigV3) SetKeepAliveInterval(t time.Duration)
- func (c *ClusterConfigV3) SetName(e string)
- func (c *ClusterConfigV3) SetProxyChecksHostKeys(t string)
- func (c *ClusterConfigV3) SetSessionRecording(s string)
- func (c *ClusterConfigV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *ClusterConfigV3) String() string
- type ClusterConfiguration
- type ClusterName
- type ClusterNameMarshaler
- type ClusterNameSpecV2
- type ClusterNameV2
- func (c *ClusterNameV2) CheckAndSetDefaults() error
- func (c *ClusterNameV2) Expiry() time.Time
- func (c *ClusterNameV2) GetClusterName() string
- func (c *ClusterNameV2) GetMetadata() Metadata
- func (c *ClusterNameV2) GetName() string
- func (c *ClusterNameV2) SetClusterName(n string)
- func (c *ClusterNameV2) SetExpiry(expires time.Time)
- func (c *ClusterNameV2) SetName(e string)
- func (c *ClusterNameV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *ClusterNameV2) String() string
- type CommandLabel
- type CommandLabelV1
- type CommandLabelV2
- type CommandLabels
- type ConnectorRef
- type Context
- type CreatedBy
- type Duration
- type EmptyResource
- type ExternalIdentity
- type GithubAuthRequest
- type GithubClaims
- type GithubConnector
- type GithubConnectorMarshaler
- type GithubConnectorSpecV3
- type GithubConnectorV3
- func (c *GithubConnectorV3) CheckAndSetDefaults() error
- func (c *GithubConnectorV3) Expiry() time.Time
- func (c *GithubConnectorV3) GetClientID() string
- func (c *GithubConnectorV3) GetClientSecret() string
- func (c *GithubConnectorV3) GetDisplay() string
- func (c *GithubConnectorV3) GetMetadata() Metadata
- func (c *GithubConnectorV3) GetName() string
- func (c *GithubConnectorV3) GetRedirectURL() string
- func (c *GithubConnectorV3) GetTeamsToLogins() []TeamMapping
- func (c *GithubConnectorV3) MapClaims(claims GithubClaims) ([]string, []string)
- func (c *GithubConnectorV3) SetClientID(id string)
- func (c *GithubConnectorV3) SetClientSecret(secret string)
- func (c *GithubConnectorV3) SetDisplay(display string)
- func (c *GithubConnectorV3) SetExpiry(expires time.Time)
- func (c *GithubConnectorV3) SetName(name string)
- func (c *GithubConnectorV3) SetRedirectURL(redirectURL string)
- func (c *GithubConnectorV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *GithubConnectorV3) SetTeamsToLogins(teamsToLogins []TeamMapping)
- type HostCertParams
- type Identity
- type Labels
- type License
- type LicenseSpecV3
- type LicenseV3
- func (c *LicenseV3) CheckAndSetDefaults() error
- func (c *LicenseV3) Expiry() time.Time
- func (c *LicenseV3) GetAWSAccountID() string
- func (c *LicenseV3) GetAWSProductID() string
- func (c *LicenseV3) GetAccountID() string
- func (c *LicenseV3) GetLabels() map[string]string
- func (c *LicenseV3) GetMetadata() Metadata
- func (c *LicenseV3) GetName() string
- func (c *LicenseV3) GetReportsUsage() Bool
- func (c *LicenseV3) GetSupportsKubernetes() Bool
- func (c *LicenseV3) SetAWSAccountID(accountID string)
- func (c *LicenseV3) SetAWSProductID(pid string)
- func (c *LicenseV3) SetExpiry(t time.Time)
- func (c *LicenseV3) SetLabels(labels map[string]string)
- func (c *LicenseV3) SetName(name string)
- func (c *LicenseV3) SetReportsUsage(reports Bool)
- func (c *LicenseV3) SetSupportsKubernetes(supportsK8s Bool)
- func (c *LicenseV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *LicenseV3) String() string
- type LogAction
- type LoginAttempt
- type LoginStatus
- type MarshalConfig
- type MarshalOption
- type Metadata
- func (m *Metadata) CheckAndSetDefaults() error
- func (m *Metadata) Expiry() time.Time
- func (m *Metadata) GetMetadata() Metadata
- func (m *Metadata) GetName() string
- func (m *Metadata) SetExpiry(expires time.Time)
- func (m *Metadata) SetName(name string)
- func (m *Metadata) SetTTL(clock clockwork.Clock, ttl time.Duration)
- type Namespace
- type NamespaceSpec
- type NewParserFn
- type OIDCAuthRequest
- type OIDCConnector
- type OIDCConnectorMarshaler
- type OIDCConnectorSpecV2
- type OIDCConnectorV1
- type OIDCConnectorV2
- func (o *OIDCConnectorV2) Check() error
- func (o *OIDCConnectorV2) CheckAndSetDefaults() error
- func (o *OIDCConnectorV2) Expiry() time.Time
- func (o *OIDCConnectorV2) GetACR() string
- func (o *OIDCConnectorV2) GetClaims() []string
- func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping
- func (o *OIDCConnectorV2) GetClientID() string
- func (o *OIDCConnectorV2) GetClientSecret() string
- func (o *OIDCConnectorV2) GetDisplay() string
- func (o *OIDCConnectorV2) GetIssuerURL() string
- func (o *OIDCConnectorV2) GetMetadata() Metadata
- func (o *OIDCConnectorV2) GetName() string
- func (o *OIDCConnectorV2) GetProvider() string
- func (o *OIDCConnectorV2) GetRedirectURL() string
- func (o *OIDCConnectorV2) GetScope() []string
- func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string
- func (o *OIDCConnectorV2) SetACR(acrValue string)
- func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)
- func (o *OIDCConnectorV2) SetClientID(clintID string)
- func (o *OIDCConnectorV2) SetClientSecret(secret string)
- func (o *OIDCConnectorV2) SetDisplay(display string)
- func (o *OIDCConnectorV2) SetExpiry(expires time.Time)
- func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)
- func (o *OIDCConnectorV2) SetName(name string)
- func (o *OIDCConnectorV2) SetProvider(identityProvider string)
- func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)
- func (o *OIDCConnectorV2) SetScope(scope []string)
- func (o *OIDCConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (o *OIDCConnectorV2) V1() *OIDCConnectorV1
- func (o *OIDCConnectorV2) V2() *OIDCConnectorV2
- type Presence
- type ProvisionToken
- type Provisioner
- type Ref
- type RemoteCluster
- type RemoteClusterStatusV3
- type RemoteClusterV3
- func (c *RemoteClusterV3) CheckAndSetDefaults() error
- func (c *RemoteClusterV3) Expiry() time.Time
- func (c *RemoteClusterV3) GetConnectionStatus() string
- func (c *RemoteClusterV3) GetLastHeartbeat() time.Time
- func (c *RemoteClusterV3) GetMetadata() Metadata
- func (c *RemoteClusterV3) GetName() string
- func (c *RemoteClusterV3) SetConnectionStatus(status string)
- func (c *RemoteClusterV3) SetExpiry(expires time.Time)
- func (c *RemoteClusterV3) SetLastHeartbeat(t time.Time)
- func (c *RemoteClusterV3) SetName(e string)
- func (c *RemoteClusterV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (r *RemoteClusterV3) String() string
- type Resource
- type ResourceHeader
- type ReverseTunnel
- type ReverseTunnelMarshaler
- type ReverseTunnelSpecV2
- type ReverseTunnelV1
- type ReverseTunnelV2
- func (r *ReverseTunnelV2) Check() error
- func (r *ReverseTunnelV2) CheckAndSetDefaults() error
- func (r *ReverseTunnelV2) Expiry() time.Time
- func (r *ReverseTunnelV2) GetClusterName() string
- func (r *ReverseTunnelV2) GetDialAddrs() []string
- func (r *ReverseTunnelV2) GetMetadata() Metadata
- func (r *ReverseTunnelV2) GetName() string
- func (r *ReverseTunnelV2) SetClusterName(name string)
- func (r *ReverseTunnelV2) SetExpiry(expires time.Time)
- func (r *ReverseTunnelV2) SetName(e string)
- func (r *ReverseTunnelV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (r *ReverseTunnelV2) V1() *ReverseTunnelV1
- func (r *ReverseTunnelV2) V2() *ReverseTunnelV2
- type Role
- type RoleConditionType
- type RoleConditions
- type RoleGetter
- type RoleMap
- type RoleMapping
- type RoleMarshaler
- type RoleOptions
- type RoleSet
- func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration
- func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool
- func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration
- func (set RoleSet) CanForwardAgents() bool
- func (set RoleSet) CanPortForward() bool
- func (set RoleSet) CertificateFormat() string
- func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error
- func (set RoleSet) CheckAccessToServer(login string, s Server) error
- func (set RoleSet) CheckAgentForward(login string) error
- func (set RoleSet) CheckKubeGroups(ttl time.Duration) ([]string, error)
- func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)
- func (set RoleSet) HasRole(role string) bool
- func (set RoleSet) RoleNames() []string
- func (set RoleSet) String() string
- type RoleSpecV2
- type RoleSpecV3
- type RoleV2
- func (r *RoleV2) CanForwardAgent() bool
- func (r *RoleV2) CheckAndSetDefaults() error
- func (r *RoleV2) Equals(other Role) bool
- func (r *RoleV2) Expiry() time.Time
- func (r *RoleV2) GetLogins() []string
- func (r *RoleV2) GetMaxSessionTTL() Duration
- func (r *RoleV2) GetMetadata() Metadata
- func (r *RoleV2) GetName() string
- func (r *RoleV2) GetNamespaces() []string
- func (r *RoleV2) GetNodeLabels() map[string]string
- func (r *RoleV2) GetResources() map[string][]string
- func (r *RoleV2) RemoveResource(kind string)
- func (r *RoleV2) SetExpiry(expires time.Time)
- func (r *RoleV2) SetForwardAgent(forwardAgent bool)
- func (r *RoleV2) SetLogins(logins []string)
- func (r *RoleV2) SetMaxSessionTTL(duration time.Duration)
- func (r *RoleV2) SetName(s string)
- func (r *RoleV2) SetNamespaces(namespaces []string)
- func (r *RoleV2) SetNodeLabels(labels map[string]string)
- func (r *RoleV2) SetResource(kind string, actions []string)
- func (r *RoleV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (r *RoleV2) String() string
- func (r *RoleV2) V3() *RoleV3
- type RoleV3
- func (r *RoleV3) ApplyTraits(traits map[string][]string) Role
- func (r *RoleV3) CheckAndSetDefaults() error
- func (r *RoleV3) Equals(other Role) bool
- func (r *RoleV3) Expiry() time.Time
- func (r *RoleV3) GetKubeGroups(rct RoleConditionType) []string
- func (r *RoleV3) GetLogins(rct RoleConditionType) []string
- func (r *RoleV3) GetMetadata() Metadata
- func (r *RoleV3) GetName() string
- func (r *RoleV3) GetNamespaces(rct RoleConditionType) []string
- func (r *RoleV3) GetNodeLabels(rct RoleConditionType) Labels
- func (r *RoleV3) GetOptions() RoleOptions
- func (r *RoleV3) GetRawObject() interface{}
- func (r *RoleV3) GetRules(rct RoleConditionType) []Rule
- func (r *RoleV3) SetExpiry(expires time.Time)
- func (r *RoleV3) SetKubeGroups(rct RoleConditionType, groups []string)
- func (r *RoleV3) SetLogins(rct RoleConditionType, logins []string)
- func (r *RoleV3) SetName(s string)
- func (r *RoleV3) SetNamespaces(rct RoleConditionType, namespaces []string)
- func (r *RoleV3) SetNodeLabels(rct RoleConditionType, labels Labels)
- func (r *RoleV3) SetOptions(options RoleOptions)
- func (r *RoleV3) SetRawObject(raw interface{})
- func (r *RoleV3) SetRules(rct RoleConditionType, in []Rule)
- func (r *RoleV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (r *RoleV3) String() string
- type Rotation
- type RotationSchedule
- type Rule
- type RuleContext
- type RuleSet
- type SAMLAuthRequest
- type SAMLConnector
- type SAMLConnectorMarshaler
- type SAMLConnectorSpecV2
- type SAMLConnectorV2
- func (o *SAMLConnectorV2) CheckAndSetDefaults() error
- func (o *SAMLConnectorV2) Equals(other SAMLConnector) bool
- func (o *SAMLConnectorV2) Expiry() time.Time
- func (o *SAMLConnectorV2) GetAssertionConsumerService() string
- func (o *SAMLConnectorV2) GetAttributes() []string
- func (o *SAMLConnectorV2) GetAttributesToRoles() []AttributeMapping
- func (o *SAMLConnectorV2) GetAudience() string
- func (o *SAMLConnectorV2) GetCert() string
- func (o *SAMLConnectorV2) GetDisplay() string
- func (o *SAMLConnectorV2) GetEntityDescriptor() string
- func (o *SAMLConnectorV2) GetEntityDescriptorURL() string
- func (o *SAMLConnectorV2) GetIssuer() string
- func (o *SAMLConnectorV2) GetMetadata() Metadata
- func (o *SAMLConnectorV2) GetName() string
- func (o *SAMLConnectorV2) GetProvider() string
- func (o *SAMLConnectorV2) GetSSO() string
- func (o *SAMLConnectorV2) GetServiceProvider(clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
- func (o *SAMLConnectorV2) GetServiceProviderIssuer() string
- func (o *SAMLConnectorV2) GetSigningKeyPair() *SigningKeyPair
- func (o *SAMLConnectorV2) MapAttributes(assertionInfo saml2.AssertionInfo) []string
- func (o *SAMLConnectorV2) SetAssertionConsumerService(v string)
- func (o *SAMLConnectorV2) SetAttributesToRoles(mapping []AttributeMapping)
- func (o *SAMLConnectorV2) SetAudience(v string)
- func (o *SAMLConnectorV2) SetCert(cert string)
- func (o *SAMLConnectorV2) SetDisplay(display string)
- func (o *SAMLConnectorV2) SetEntityDescriptor(v string)
- func (o *SAMLConnectorV2) SetEntityDescriptorURL(v string)
- func (o *SAMLConnectorV2) SetExpiry(expires time.Time)
- func (o *SAMLConnectorV2) SetIssuer(issuer string)
- func (o *SAMLConnectorV2) SetName(name string)
- func (o *SAMLConnectorV2) SetProvider(identityProvider string)
- func (o *SAMLConnectorV2) SetSSO(sso string)
- func (o *SAMLConnectorV2) SetServiceProviderIssuer(v string)
- func (o *SAMLConnectorV2) SetSigningKeyPair(k *SigningKeyPair)
- func (o *SAMLConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (o *SAMLConnectorV2) V2() *SAMLConnectorV2
- type Server
- type ServerMarshaler
- type ServerSpecV2
- type ServerV1
- type ServerV2
- func (s *ServerV2) CheckAndSetDefaults() error
- func (s *ServerV2) Expiry() time.Time
- func (s *ServerV2) GetAddr() string
- func (s *ServerV2) GetAllLabels() map[string]string
- func (s *ServerV2) GetCmdLabels() map[string]CommandLabel
- func (s *ServerV2) GetHostname() string
- func (s *ServerV2) GetLabels() map[string]string
- func (s *ServerV2) GetMetadata() Metadata
- func (s *ServerV2) GetName() string
- func (s *ServerV2) GetNamespace() string
- func (s *ServerV2) GetPublicAddr() string
- func (s *ServerV2) GetRotation() Rotation
- func (s *ServerV2) LabelsString() string
- func (s *ServerV2) MatchAgainst(labels map[string]string) bool
- func (s *ServerV2) SetAddr(addr string)
- func (s *ServerV2) SetExpiry(expires time.Time)
- func (s *ServerV2) SetName(e string)
- func (s *ServerV2) SetNamespace(namespace string)
- func (s *ServerV2) SetPublicAddr(addr string)
- func (s *ServerV2) SetRotation(r Rotation)
- func (s *ServerV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (s *ServerV2) String() string
- func (s *ServerV2) V1() *ServerV1
- func (s *ServerV2) V2() *ServerV2
- type SigningKeyPair
- type SignupToken
- type Site
- type SortedLoginAttempts
- type SortedNamespaces
- type SortedReverseTunnels
- type SortedRoles
- type SortedServers
- type SortedTrustedCluster
- type StaticTokens
- type StaticTokensMarshaler
- type StaticTokensSpecV2
- type StaticTokensV2
- func (c *StaticTokensV2) CheckAndSetDefaults() error
- func (c *StaticTokensV2) Expiry() time.Time
- func (c *StaticTokensV2) GetMetadata() Metadata
- func (c *StaticTokensV2) GetName() string
- func (c *StaticTokensV2) GetStaticTokens() []ProvisionToken
- func (c *StaticTokensV2) SetExpiry(expires time.Time)
- func (c *StaticTokensV2) SetName(e string)
- func (c *StaticTokensV2) SetStaticTokens(s []ProvisionToken)
- func (c *StaticTokensV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *StaticTokensV2) String() string
- type TLSKeyPair
- type TeamMapping
- type TeleportAuthPreferenceMarshaler
- type TeleportCertAuthorityMarshaler
- func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)
- func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)
- func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (CertAuthority, error)
- type TeleportClusterConfigMarshaler
- type TeleportClusterNameMarshaler
- type TeleportGithubConnectorMarshaler
- type TeleportOIDCConnectorMarshaler
- type TeleportRoleMarshaler
- type TeleportSAMLConnectorMarshaler
- type TeleportServerMarshaler
- func (*TeleportServerMarshaler) MarshalServer(s Server, opts ...MarshalOption) ([]byte, error)
- func (*TeleportServerMarshaler) MarshalServers(s []Server) ([]byte, error)
- func (*TeleportServerMarshaler) UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (Server, error)
- func (*TeleportServerMarshaler) UnmarshalServers(bytes []byte) ([]Server, error)
- type TeleportStaticTokensMarshaler
- type TeleportTrustedClusterMarshaler
- type TeleportTunnelMarshaler
- type TeleportUserMarshaler
- type TeleportWebSessionMarshaler
- func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)
- func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)
- func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)
- func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)
- type Trust
- type TrustedCluster
- type TrustedClusterMarshaler
- type TrustedClusterSpecV2
- type TrustedClusterV2
- func (c *TrustedClusterV2) CanChangeStateTo(t TrustedCluster) error
- func (c *TrustedClusterV2) CheckAndSetDefaults() error
- func (c *TrustedClusterV2) CombinedMapping() RoleMap
- func (c *TrustedClusterV2) Expiry() time.Time
- func (c *TrustedClusterV2) GetEnabled() bool
- func (c *TrustedClusterV2) GetMetadata() Metadata
- func (c *TrustedClusterV2) GetName() string
- func (c *TrustedClusterV2) GetProxyAddress() string
- func (c *TrustedClusterV2) GetReverseTunnelAddress() string
- func (c *TrustedClusterV2) GetRoleMap() RoleMap
- func (c *TrustedClusterV2) GetRoles() []string
- func (c *TrustedClusterV2) GetToken() string
- func (c *TrustedClusterV2) SetEnabled(e bool)
- func (c *TrustedClusterV2) SetExpiry(expires time.Time)
- func (c *TrustedClusterV2) SetName(e string)
- func (c *TrustedClusterV2) SetProxyAddress(e string)
- func (c *TrustedClusterV2) SetReverseTunnelAddress(e string)
- func (c *TrustedClusterV2) SetRoleMap(m RoleMap)
- func (c *TrustedClusterV2) SetRoles(e []string)
- func (c *TrustedClusterV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (c *TrustedClusterV2) SetToken(e string)
- func (c *TrustedClusterV2) String() string
- type TunnelConnection
- func LatestTunnelConnection(conns []TunnelConnection) (TunnelConnection, error)
- func MustCreateTunnelConnection(name string, spec TunnelConnectionSpecV2) TunnelConnection
- func NewTunnelConnection(name string, spec TunnelConnectionSpecV2) (TunnelConnection, error)
- func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (TunnelConnection, error)
- type TunnelConnectionSpecV2
- type TunnelConnectionV2
- func (r *TunnelConnectionV2) Check() error
- func (r *TunnelConnectionV2) CheckAndSetDefaults() error
- func (r *TunnelConnectionV2) Clone() TunnelConnection
- func (r *TunnelConnectionV2) Expiry() time.Time
- func (r *TunnelConnectionV2) GetClusterName() string
- func (r *TunnelConnectionV2) GetLastHeartbeat() time.Time
- func (r *TunnelConnectionV2) GetMetadata() Metadata
- func (r *TunnelConnectionV2) GetName() string
- func (r *TunnelConnectionV2) GetProxyName() string
- func (r *TunnelConnectionV2) SetExpiry(expires time.Time)
- func (r *TunnelConnectionV2) SetLastHeartbeat(tm time.Time)
- func (r *TunnelConnectionV2) SetName(e string)
- func (r *TunnelConnectionV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (r *TunnelConnectionV2) String() string
- func (r *TunnelConnectionV2) V2() *TunnelConnectionV2
- type U2F
- type UnknownResource
- type User
- type UserCertParams
- type UserGetter
- type UserMarshaler
- type UserRef
- type UserSpecV2
- type UserV1
- type UserV2
- func (u *UserV2) AddRole(name string)
- func (u *UserV2) Check() error
- func (u *UserV2) CheckAndSetDefaults() error
- func (u *UserV2) Equals(other User) bool
- func (u *UserV2) Expiry() time.Time
- func (u *UserV2) GetCreatedBy() CreatedBy
- func (u *UserV2) GetGithubIdentities() []ExternalIdentity
- func (u *UserV2) GetMetadata() Metadata
- func (u *UserV2) GetName() string
- func (u *UserV2) GetOIDCIdentities() []ExternalIdentity
- func (u *UserV2) GetRawObject() interface{}
- func (u *UserV2) GetRoles() []string
- func (u *UserV2) GetSAMLIdentities() []ExternalIdentity
- func (u *UserV2) GetStatus() LoginStatus
- func (u *UserV2) GetTraits() map[string][]string
- func (u *UserV2) SetCreatedBy(b CreatedBy)
- func (u *UserV2) SetExpiry(expires time.Time)
- func (u *UserV2) SetLocked(until time.Time, reason string)
- func (u *UserV2) SetName(e string)
- func (u *UserV2) SetRoles(roles []string)
- func (u *UserV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
- func (u *UserV2) SetTraits(traits map[string][]string)
- func (u *UserV2) String() string
- func (u *UserV2) V1() *UserV1
- func (u *UserV2) V2() *UserV2
- func (u *UserV2) WebSessionInfo(allowedLogins []string) interface{}
- type Users
- type WebSession
- type WebSessionMarshaler
- type WebSessionSpecV2
- type WebSessionV1
- func (ws *WebSessionV1) GetBearerToken() string
- func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time
- func (ws *WebSessionV1) GetExpiryTime() time.Time
- func (ws *WebSessionV1) GetName() string
- func (ws *WebSessionV1) GetPriv() []byte
- func (ws *WebSessionV1) GetPub() []byte
- func (ws *WebSessionV1) GetShortName() string
- func (ws *WebSessionV1) GetUser() string
- func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)
- func (ws *WebSessionV1) SetExpiryTime(tm time.Time)
- func (ws *WebSessionV1) SetName(name string)
- func (ws *WebSessionV1) SetUser(u string)
- func (s *WebSessionV1) V1() *WebSessionV1
- func (s *WebSessionV1) V2() *WebSessionV2
- func (ws *WebSessionV1) WithoutSecrets() WebSession
- type WebSessionV2
- func (ws *WebSessionV2) CheckAndSetDefaults() error
- func (ws *WebSessionV2) GetBearerToken() string
- func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time
- func (ws *WebSessionV2) GetExpiryTime() time.Time
- func (ws *WebSessionV2) GetMetadata() Metadata
- func (ws *WebSessionV2) GetName() string
- func (ws *WebSessionV2) GetPriv() []byte
- func (ws *WebSessionV2) GetPub() []byte
- func (ws *WebSessionV2) GetShortName() string
- func (ws *WebSessionV2) GetTLSCert() []byte
- func (ws *WebSessionV2) GetUser() string
- func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)
- func (ws *WebSessionV2) SetExpiryTime(tm time.Time)
- func (ws *WebSessionV2) SetName(name string)
- func (ws *WebSessionV2) SetPriv(priv []byte)
- func (ws *WebSessionV2) SetUser(u string)
- func (ws *WebSessionV2) V1() *WebSessionV1
- func (ws *WebSessionV2) V2() *WebSessionV2
- func (ws *WebSessionV2) WithoutSecrets() WebSession
Constants ¶
const ( // RotationStateStandby is initial status of the rotation - // nothing is being rotated. RotationStateStandby = "standby" // RotationStateInProgress - that rotation is in progress. RotationStateInProgress = "in_progress" // RotationPhaseStandby is the initial phase of the rotation // it means no operations have started. RotationPhaseStandby = "standby" // RotationPhaseInit = is a phase of the rotation // when new certificate authoirty is issued, but not used // It is necessary for remote trusted clusters to fetch the // new certificate authority, otherwise the new clients // will reject it RotationPhaseInit = "init" // RotationPhaseUpdateClients is a phase of the rotation // when client credentials will have to be updated and reloaded // but servers will use and respond with old credentials // because clients have no idea about new credentials at first. RotationPhaseUpdateClients = "update_clients" // RotationPhaseUpdateServers is a phase of the rotation // when servers will have to reload and should start serving // TLS and SSH certificates signed by new CA. RotationPhaseUpdateServers = "update_servers" // RotationPhaseRollback means that rotation is rolling // back to the old certificate authority. RotationPhaseRollback = "rollback" // RotationModeManual is a manual rotation mode when all phases // are set by the operator. RotationModeManual = "manual" // RotationModeAuto is set to go through all phases by the schedule. RotationModeAuto = "auto" )
const ( // RecordAtNode is the default. Sessions are recorded at Teleport nodes. RecordAtNode string = "node" // RecordAtProxy enables the recording proxy which intercepts and records // all sessions. RecordAtProxy string = "proxy" // RecordOff is used to disable session recording completely. RecordOff string = "off" )
const ( // HostKeyCheckYes is the default. The proxy will check the host key of the // target node it connects to. HostKeyCheckYes string = "yes" // HostKeyCheckNo is used to disable host key checking. This is a insecure // settings which makes MITM possible with no indications, use with caution. HostKeyCheckNo string = "no" )
const ( // UserIdentifier represents user registered identifier in the rules UserIdentifier = "user" // ResourceIdentifier represents resource registered identifer in the rules ResourceIdentifier = "resource" )
const ( // DefaultAPIGroup is a default group of permissions API, // lets us to add different permission types DefaultAPIGroup = "gravitational.io/teleport" // ActionRead grants read access (get, list) ActionRead = "read" // ActionWrite allows to write (create, update, delete) ActionWrite = "write" // Wildcard is a special wildcard character matching everything Wildcard = "*" // KindNamespace is a namespace KindNamespace = "namespace" // KindUser is a user resource KindUser = "user" // KindKeyPair is a public/private key pair KindKeyPair = "key_pair" // KindHostCert is a host certificate KindHostCert = "host_cert" // KindLicense is a license resource KindLicense = "license" // KindRole is a role resource KindRole = "role" // KindOIDC is OIDC connector resource KindOIDC = "oidc" // KindSAML is SAML connector resource KindSAML = "saml" // KindGithub is Github connector resource KindGithub = "github" // KindOIDCRequest is OIDC auth request resource KindOIDCRequest = "oidc_request" // KindSAMLRequest is SAML auth request resource KindSAMLRequest = "saml_request" // KindGithubRequest is Github auth request resource KindGithubRequest = "github_request" // KindSession is a recorded SSH session. KindSession = "session" // KindSSHSession is an active SSH session. KindSSHSession = "ssh_session" // KindWebSession is a web session resource KindWebSession = "web_session" // KindEvent is structured audit logging event KindEvent = "event" // KindAuthServer is auth server resource KindAuthServer = "auth_server" // KindProxy is proxy resource KindProxy = "proxy" // KindNode is node resource KindNode = "node" // KindToken is a provisioning token resource KindToken = "token" // KindCertAuthority is a certificate authority resource KindCertAuthority = "cert_authority" // KindReverseTunnel is a reverse tunnel connection KindReverseTunnel = "tunnel" // KindOIDCConnector is a OIDC connector resource KindOIDCConnector = "oidc" // KindSAMLConnector is a SAML connector resource KindSAMLConnector = "saml" // KindGithubConnector is Github OAuth2 connector resource KindGithubConnector = "github" // KindConnectors is a shortcut for all authentication connector types. KindConnectors = "connectors" // KindAuthPreference is the type of authentication for this cluster. KindClusterAuthPreference = "cluster_auth_preference" // KindAuthPreference is the type of authentication for this cluster. MetaNameClusterAuthPreference = "cluster-auth-preference" // KindClusterConfig is the resource that holds cluster level configuration. KindClusterConfig = "cluster_config" // MetaNameClusterConfig is the exact name of the cluster config singleton resource. MetaNameClusterConfig = "cluster-config" // KindClusterName is a type of configuration resource that contains the cluster name. KindClusterName = "cluster_name" // MetaNameClusterName is the name of a configuration resource for cluster name. MetaNameClusterName = "cluster-name" // KindStaticTokens is a type of configuration resource that contains static tokens. KindStaticTokens = "static_tokens" // MetaNameStaticTokens is the name of a configuration resource for static tokens. MetaNameStaticTokens = "static-tokens" // KindTrustedCluster is a resource that contains trusted cluster configuration. KindTrustedCluster = "trusted_cluster" // KindAuthConnector allows access to OIDC and SAML connectors. KindAuthConnector = "auth_connector" // KindTunnelConection specifies connection of a reverse tunnel to proxy KindTunnelConnection = "tunnel_connection" // KindRemoteCluster represents remote cluster connected via reverse tunnel // to proxy KindRemoteCluster = "remote_cluster" // KindIdenity is local on disk identity resource KindIdentity = "identity" // KindState is local on disk process state KindState = "state" // V3 is the third version of resources. V3 = "v3" // V2 is the second version of resources. V2 = "v2" // V1 is the first version of resources. Note: The first version was // not explicitly versioned. V1 = "v1" )
const ( // VerbList is used to list all objects. Does not imply the ability to read a single object. VerbList = "list" // VerbCreate is used to create an object. VerbCreate = "create" // VerbRead is used to read a single object. VerbRead = "read" // VerbReadNoSecrets is used to read a single object without secrets. VerbReadNoSecrets = "readnosecrets" // VerbUpdate is used to update an object. VerbUpdate = "update" // VerbDelete is used to remove an object. VerbDelete = "delete" // VerbRotate is used to rotate certificate authorities // used only internally VerbRotate = "rotate" )
const AuthPreferenceSpecSchemaTemplate = `` /* 421-byte string literal not displayed */
const CertAuthoritySpecV2Schema = `` /* 800-byte string literal not displayed */
CertAuthoritySpecV2Schema is JSON schema for cert authority V2
const CertRolesSchema = `` /* 207-byte string literal not displayed */
CertRolesSchema defines cert roles schema
const ClusterConfigSpecSchemaTemplate = `` /* 1109-byte string literal not displayed */
ClusterConfigSpecSchemaTemplate is a template for ClusterConfig schema.
const ClusterNameSpecSchemaTemplate = `` /* 131-byte string literal not displayed */
ClusterNameSpecSchemaTemplate is a template for ClusterName schema.
const CreatedBySchema = `` /* 486-byte string literal not displayed */
const DefaultDefinitions = ``
DefaultDefinitions the default list of JSON schema definitions which is none.
const ExternalIdentitySchema = `` /* 156-byte string literal not displayed */
const GithubConnectorV3SchemaTemplate = `` /* 252-byte string literal not displayed */
GithubConnectorV3SchemaTemplate is the JSON schema for a Github connector
const LicenseSpecV3Template = `` /* 334-byte string literal not displayed */
LicenseSpecV3Template is a template for V3 License JSON schema
const LoginStatusSchema = `` /* 241-byte string literal not displayed */
const MetadataSchema = `` /* 458-byte string literal not displayed */
MetadataSchema is a schema for resource metadata
const NamespaceSchemaTemplate = `` /* 258-byte string literal not displayed */
const NamespaceSpecSchema = `{
"type": "object",
"additionalProperties": false,
"default": {}
}`
const OIDCConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */
OIDCConnectorV2SchemaTemplate is a template JSON Schema for user
const RemoteClusterV3SchemaTemplate = `` /* 246-byte string literal not displayed */
RemoteClusterSchemaTemplate is a template JSON Schema for V3 style objects
const RemoteClusterV3StatusSchema = `` /* 205-byte string literal not displayed */
RemoteClusterV3StatusSchema is a template for remote
const ReverseTunnelSpecV2Schema = `` /* 263-byte string literal not displayed */
ReverseTunnelSpecV2Schema is JSON schema for reverse tunnel spec
const RoleMapSchema = `` /* 265-byte string literal not displayed */
RoleMapSchema is a schema for role mappings of trusted clusters
const RoleSpecV2SchemaTemplate = `` /* 668-byte string literal not displayed */
const RoleSpecV3SchemaDefinitions = `` /* 1192-byte string literal not displayed */
const RoleSpecV3SchemaTemplate = `` /* 691-byte string literal not displayed */
const RotationSchema = `` /* 537-byte string literal not displayed */
RotationSchema is a JSON validation schema of the CA rotation state object.
const SAMLConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */
SAMLConnectorV2SchemaTemplate is a template JSON Schema for user
const ServerSpecV2Schema = `` /* 812-byte string literal not displayed */
ServerSpecV2Schema is JSON schema for server
const StaticTokensSpecSchemaTemplate = `` /* 397-byte string literal not displayed */
StaticTokensSpecSchemaTemplate is a template for StaticTokens schema.
const TrustedClusterSpecSchemaTemplate = `` /* 344-byte string literal not displayed */
TrustedClusterSpecSchemaTemplate is a template for trusted cluster schema
const TunnelConnectionSpecV2Schema = `` /* 261-byte string literal not displayed */
TunnelConnectionSpecV2Schema is JSON schema for reverse tunnel spec
const UserSpecV2SchemaTemplate = `` /* 733-byte string literal not displayed */
UserSpecV2SchemaTemplate is JSON schema for V2 user
const V2SchemaTemplate = `` /* 254-byte string literal not displayed */
V2SchemaTemplate is a template JSON Schema for V2 style objects
const WebSessionSpecV2Schema = `` /* 415-byte string literal not displayed */
WebSessionSpecV2Schema is JSON schema for cert authority V2
Variables ¶
var ( // ResourceNameExpr is the identifer that specifies resource name. ResourceNameExpr = builder.Identifier("resource.metadata.name") // CertAuthorityTypeExpr is a function call that returns // cert authority type. CertAuthorityTypeExpr = builder.Identifier(`system.catype()`) )
var AdminUserRules = []Rule{ NewRule(KindRole, RW()), NewRule(KindAuthConnector, RW()), NewRule(KindSession, RO()), NewRule(KindTrustedCluster, RW()), }
AdminUserRules provides access to the default set of rules assigned to all users.
var AttributeMappingSchema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["name", "value" ], "properties": { "name": {"type": "string"}, "value": {"type": "string"}, "roles": { "type": "array", "items": { "type": "string" } }, "role_template": %v } }`, GetRoleSchema(V2, ""))
AttribueMappingSchema is JSON schema for claim mapping
var ClaimMappingSchema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["claim", "value" ], "properties": { "claim": {"type": "string"}, "value": {"type": "string"}, "roles": { "type": "array", "items": { "type": "string" } }, "role_template": %v } }`, GetRoleSchema(V2, ""))
ClaimMappingSchema is JSON schema for claim mapping
var DefaultCertAuthorityRules = []Rule{ NewRule(KindSession, RO()), NewRule(KindNode, RO()), NewRule(KindAuthServer, RO()), NewRule(KindReverseTunnel, RO()), NewRule(KindCertAuthority, ReadNoSecrets()), }
DefaultCertAuthorityRules provides access the minimal set of resources needed for a certificate authority to function.
var DefaultImplicitRules = []Rule{ NewRule(KindNode, RO()), NewRule(KindAuthServer, RO()), NewRule(KindReverseTunnel, RO()), NewRule(KindCertAuthority, ReadNoSecrets()), NewRule(KindClusterAuthPreference, RO()), NewRule(KindClusterName, RO()), NewRule(KindSSHSession, RO()), }
DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.
var GithubConnectorSpecV3Schema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["client_id", "client_secret", "redirect_url"], "properties": { "client_id": {"type": "string"}, "client_secret": {"type": "string"}, "redirect_url": {"type": "string"}, "display": {"type": "string"}, "teams_to_logins": { "type": "array", "items": %v } } }`, TeamMappingSchema)
GithubConnectorSpecV3Schema is the JSON schema for Github connector spec
var OIDCConnectorSpecV2Schema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["issuer_url", "client_id", "client_secret", "redirect_url"], "properties": { "issuer_url": {"type": "string"}, "client_id": {"type": "string"}, "client_secret": {"type": "string"}, "redirect_url": {"type": "string"}, "acr_values": {"type": "string"}, "provider": {"type": "string"}, "display": {"type": "string"}, "scope": { "type": "array", "items": { "type": "string" } }, "claims_to_roles": { "type": "array", "items": %v } } }`, ClaimMappingSchema)
OIDCConnectorSpecV2Schema is a JSON Schema for OIDC Connector
var RotatePhases = []string{ RotationPhaseInit, RotationPhaseStandby, RotationPhaseUpdateClients, RotationPhaseUpdateServers, RotationPhaseRollback, }
RotatePhases lists all supported rotation phases
var SAMLConnectorSpecV2Schema = fmt.Sprintf(`{ "type": "object", "additionalProperties": false, "required": ["acs"], "properties": { "issuer": {"type": "string"}, "sso": {"type": "string"}, "cert": {"type": "string"}, "provider": {"type": "string"}, "display": {"type": "string"}, "acs": {"type": "string"}, "audience": {"type": "string"}, "service_provider_issuer": {"type": "string"}, "entity_descriptor": {"type": "string"}, "entity_descriptor_url": {"type": "string"}, "attributes_to_roles": { "type": "array", "items": %v }, "signing_key_pair": %v } }`, AttributeMappingSchema, SigningKeyPairSchema)
SAMLConnectorSpecV2Schema is a JSON Schema for SAML Connector
var SigningKeyPairSchema = `` /* 148-byte string literal not displayed */
SigningKeyPairSchema
var TeamMappingSchema = `` /* 392-byte string literal not displayed */
TeamMappingSchema is the JSON schema for team membership mapping
Functions ¶
func CertPool ¶
func CertPool(ca CertAuthority) (*x509.CertPool, error)
CertPool returns certificate pools from TLS certificates set up in the certificate authority
func CertPoolFromCertAuthorities ¶
func CertPoolFromCertAuthorities(cas []CertAuthority) (*x509.CertPool, error)
CertPoolFromCertAuthorities returns certificate pools from TLS certificates set up in the certificate authorities list
func ConvertV1CertAuthority ¶
func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)
ConvertV1CertAuthority converts V1 cert authority for new CA and Role
func GetAttributeNames ¶
GetAttributeNames returns a list of claim names from the claim values
func GetAuthPreferenceSchema ¶
GetAuthPreferenceSchema returns the schema with optionally injected schema for extensions.
func GetCertAuthoritySchema ¶
func GetCertAuthoritySchema() string
GetCertAuthoritySchema returns JSON Schema for cert authorities
func GetClaimNames ¶
GetClaimNames returns a list of claim names from the claim values
func GetClusterConfigSchema ¶
GetClusterConfigSchema returns the schema with optionally injected schema for extensions.
func GetClusterNameSchema ¶
GetClusterNameSchema returns the schema with optionally injected schema for extensions.
func GetGithubConnectorSchema ¶
func GetGithubConnectorSchema() string
GetGithubConnectorSchema returns schema for Github connector
func GetNamespaceSchema ¶
func GetNamespaceSchema() string
GetNamespaceSchema returns namespace schema
func GetOIDCConnectorSchema ¶
func GetOIDCConnectorSchema() string
GetOIDCConnectorSchema returns schema for OIDCConnector
func GetRemoteClusterSchema ¶
func GetRemoteClusterSchema() string
GetRemoteClusterSchema returns the schema for remote cluster
func GetReverseTunnelSchema ¶
func GetReverseTunnelSchema() string
GetReverseTunnelSchema returns role schema with optionally injected schema for extensions
func GetRoleSchema ¶
GetRoleSchema returns role schema for the version requested with optionally injected schema for extensions.
func GetSAMLConnectorSchema ¶
func GetSAMLConnectorSchema() string
GetSAMLConnectorSchema returns schema for SAMLConnector
func GetServerSchema ¶
func GetServerSchema() string
GetServerSchema returns role schema with optionally injected schema for extensions
func GetStaticTokensSchema ¶
GetStaticTokensSchema returns the schema with optionally injected schema for extensions.
func GetTrustedClusterSchema ¶
GetTrustedClusterSchema returns the schema with optionally injected schema for extensions.
func GetTunnelConnectionSchema ¶
func GetTunnelConnectionSchema() string
GetTunnelConnectionSchema returns role schema with optionally injected schema for extensions
func GetUserSchema ¶
GetRoleSchema returns role schema with optionally injected schema for extensions
func GetWebSessionSchema ¶
func GetWebSessionSchema() string
GetWebSessionSchema returns JSON Schema for web session
func GetWebSessionSchemaWithExtensions ¶
GetWebSessionSchemaWithExtensions returns JSON Schema for web session with user-supplied extensions
func IsValidNamespace ¶
func LabelsToV2 ¶
func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2
LabelsToV2 converts labels from interface to V2 spec
func LastFailed ¶
func LastFailed(x int, attempts []LoginAttempt) bool
LastFailed calculates last x successive attempts are failed
func MarshalCertRoles ¶
MarshalCertRoles marshal roles list to OpenSSH
func MarshalLicense ¶
func MarshalLicense(license License, opts ...MarshalOption) ([]byte, error)
MarshalLicense marshals role to JSON or YAML.
func MarshalNamespace ¶
MarshalNamespace marshals namespace to JSON
func MarshalRemoteCluster ¶
func MarshalRemoteCluster(c RemoteCluster, opts ...MarshalOption) ([]byte, error)
MarshalRemoteCluster marshals remote cluster to JSON.
func MarshalTunnelConnection ¶
func MarshalTunnelConnection(rt TunnelConnection, opts ...MarshalOption) ([]byte, error)
MarshalTunnelConnection marshals tunnel connection
func MatchLabels ¶
MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.
func MatchLogin ¶
MatchLogin returns true if attempted login matches any of the logins.
func MatchNamespace ¶
MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything.
func NewActionsParser ¶
func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
NewActionsParser returns standard parser for 'actions' section in access rules
func NewLogActionFn ¶
func NewLogActionFn(ctx RuleContext) interface{}
NewLogActionFn creates logger functions
func NewWhereParser ¶
func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
NewWhereParser returns standard parser for `where` section in access rules.
func ParseShortcut ¶
ParseShortcut parses resource shortcut
func ProcessNamespace ¶
ProcessNamespace sets default namespace in case if namespace is empty
func RO ¶
func RO() []string
RO is a shortcut that returns read only verbs that provide access to secrets.
func ReadNoSecrets ¶
func ReadNoSecrets() []string
ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.
func RoleNameForCertAuthority ¶
RoleNameForCertAuthority returns role name associated with a certificate authority.
func RoleNameForUser ¶
RoleNameForUser returns role name associated with a user.
func RuleSlicesEqual ¶
RuleSlicesEqual returns true if two rule slices are equal
func SetActionsParserFn ¶
func SetActionsParserFn(fn NewParserFn)
SetActionsParserFn sets global function that creates actions parsers this function is used in external tools to override and extend actions in rules
func SetAuthPreferenceMarshaler ¶
func SetAuthPreferenceMarshaler(m AuthPreferenceMarshaler)
func SetCertAuthorityMarshaler ¶
func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)
SetCertAuthorityMarshaler sets global user marshaler
func SetClusterConfigMarshaler ¶
func SetClusterConfigMarshaler(m ClusterConfigMarshaler)
SetClusterConfigMarshaler sets the marshaler.
func SetClusterNameMarshaler ¶
func SetClusterNameMarshaler(m ClusterNameMarshaler)
SetClusterNameMarshaler sets the marshaler.
func SetGithubConnectorMarshaler ¶
func SetGithubConnectorMarshaler(m GithubConnectorMarshaler)
SetGithubConnectorMarshaler sets Github connector marshaler
func SetOIDCConnectorMarshaler ¶
func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)
SetOIDCConnectorMarshaler sets global user marshaler
func SetReerseTunnelMarshaler ¶
func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)
func SetRoleMarshaler ¶
func SetRoleMarshaler(m RoleMarshaler)
func SetSAMLConnectorMarshaler ¶
func SetSAMLConnectorMarshaler(m SAMLConnectorMarshaler)
SetSAMLConnectorMarshaler sets global user marshaler
func SetServerMarshaler ¶
func SetServerMarshaler(m ServerMarshaler)
func SetStaticTokensMarshaler ¶
func SetStaticTokensMarshaler(m StaticTokensMarshaler)
SetStaticTokensMarshaler sets the marshaler.
func SetTrustedClusterMarshaler ¶
func SetTrustedClusterMarshaler(m TrustedClusterMarshaler)
func SetUserMarshaler ¶
func SetUserMarshaler(u UserMarshaler)
SetUserMarshaler sets global user marshaler
func SetWebSessionMarshaler ¶
func SetWebSessionMarshaler(u WebSessionMarshaler)
SetWebSessionMarshaler sets global user marshaler
func SetWhereParserFn ¶
func SetWhereParserFn(fn NewParserFn)
SetWhereParserFn sets global function that creates where parsers this function is used in external tools to override and extend 'where' in rules
func TunnelConnectionStatus ¶
func TunnelConnectionStatus(clock clockwork.Clock, conn TunnelConnection) string
IsTunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection
func UnmarshalCertRoles ¶
UnmarshalCertRoles marshals roles list to OpenSSH
func VerifyPassword ¶
VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in
Types ¶
type Access ¶
type Access interface { // GetRoles returns a list of roles GetRoles() ([]Role, error) // CreateRole creates a role CreateRole(role Role, ttl time.Duration) error // UpsertRole creates or updates role UpsertRole(role Role, ttl time.Duration) error // DeleteAllRoles deletes all roles DeleteAllRoles() error // GetRole returns role by name GetRole(name string) (Role, error) // DeleteRole deletes role by name DeleteRole(name string) error }
Access service manages roles and permissions
type AccessChecker ¶
type AccessChecker interface { // HasRole checks if the checker includes the role HasRole(role string) bool // RoleNames returns a list of role names RoleNames() []string // CheckAccessToServer checks access to server. CheckAccessToServer(login string, server Server) error // CheckAccessToRule checks access to a rule within a namespace. CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error // CheckLoginDuration checks if role set can login up to given duration and // returns a combined list of allowed logins. CheckLoginDuration(ttl time.Duration) ([]string, error) // CheckKubeGroups check if role can login into kubernetes // and returns a combined list of allowed groups CheckKubeGroups(ttl time.Duration) ([]string, error) // AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL // for this role set, otherwise it returns ttl unchanged AdjustSessionTTL(ttl time.Duration) time.Duration // AdjustClientIdleTimeout adjusts requested idle timeout // to the lowest max allowed timeout, the most restrictive // option will be picked AdjustClientIdleTimeout(ttl time.Duration) time.Duration // AdjustDisconnectExpiredCert adjusts the value based on the role set // the most restrictive option will be picked AdjustDisconnectExpiredCert(disconnect bool) bool // CheckAgentForward checks if the role can request agent forward for this // user. CheckAgentForward(login string) error // CanForwardAgents returns true if this role set offers capability to forward // agents. CanForwardAgents() bool // CanPortForward returns true if this RoleSet can forward ports. CanPortForward() bool // CertificateFormat returns the most permissive certificate format in a // RoleSet. CertificateFormat() string }
AccessChecker interface implements access checks for given role or role set
type AttributeMapping ¶
type AttributeMapping struct { // Name is attribute statement name Name string `json:"name"` // Value is attribute statement value to match Value string `json:"value"` // Roles is a list of teleport roles to map to Roles []string `json:"roles,omitempty"` // RoleTemplate is a template for a role that will be filled // with data from claims. RoleTemplate *RoleV2 `json:"role_template,omitempty"` }
AttributeMapping is SAML Attribute statement mapping from SAML attribute statements to roles
type AuditConfig ¶
type AuditConfig struct { // Type is audit backend type Type string `json:"type,omitempty"` // Region is a region setting for audit sessions used by cloud providers Region string `json:"region,omitempty"` // AuditSessionsURI is a parameter where to upload sessions AuditSessionsURI string `json:"audit_sessions_uri,omitempty"` // AuditEventsURI is a parameter with all supported outputs // for audit events AuditEventsURI utils.Strings `json:"audit_events_uri,omitempty"` // AuditTableName is a DB table name used for audits // Deprecated in favor of AuditEventsURI // DELETE IN (3.1.0) AuditTableName string `json:"audit_table_name,omitempty"` }
AuditConfig represents audit log settings in the cluster
func AuditConfigFromObject ¶
func AuditConfigFromObject(in interface{}) (*AuditConfig, error)
AuditConfigFromObject returns audit config from interface object
func (AuditConfig) ShouldUploadSessions ¶
func (a AuditConfig) ShouldUploadSessions() bool
ShouldUploadSessions returns whether audit config instructs server to upload sessions
type AuthPreference ¶
type AuthPreference interface { // GetType gets the type of authentication: local, saml, or oidc. GetType() string // SetType sets the type of authentication: local, saml, or oidc. SetType(string) // GetSecondFactor gets the type of second factor: off, otp or u2f. GetSecondFactor() string // SetSecondFactor sets the type of second factor: off, otp, or u2f. SetSecondFactor(string) // GetConnectorName gets the name of the OIDC or SAML connector to use. If // this value is empty, we fall back to the first connector in the backend. GetConnectorName() string // GetConnectorName sets the name of the OIDC or SAML connector to use. If // this value is empty, we fall back to the first connector in the backend. SetConnectorName(string) // GetU2F gets the U2F configuration settings. GetU2F() (*U2F, error) // SetU2F sets the U2F configuration settings. SetU2F(*U2F) // CheckAndSetDefaults sets and default values and then // verifies the constraints for AuthPreference. CheckAndSetDefaults() error // String represents a human readable version of authentication settings. String() string }
AuthPreference defines the authentication preferences for a specific cluster. It defines the type (local, oidc) and second factor (off, otp, oidc). AuthPreference is a configuration resource, never create more than one instance of it.
func NewAuthPreference ¶
func NewAuthPreference(spec AuthPreferenceSpecV2) (AuthPreference, error)
NewAuthPreference is a convenience method to to create AuthPreferenceV2.
type AuthPreferenceMarshaler ¶
type AuthPreferenceMarshaler interface { Marshal(c AuthPreference, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (AuthPreference, error) }
AuthPreferenceMarshaler implements marshal/unmarshal of AuthPreference implementations mostly adds support for extended versions.
func GetAuthPreferenceMarshaler ¶
func GetAuthPreferenceMarshaler() AuthPreferenceMarshaler
type AuthPreferenceSpecV2 ¶
type AuthPreferenceSpecV2 struct { // Type is the type of authentication. Type string `json:"type"` // SecondFactor is the type of second factor. SecondFactor string `json:"second_factor,omitempty"` // ConnectorName is the name of the OIDC or SAML connector. If this value is // not set the first connector in the backend will be used. ConnectorName string `json:"connector_name,omitempty"` // U2F are the settings for the U2F device. U2F *U2F `json:"u2f,omitempty"` }
AuthPreferenceSpecV2 is the actual data we care about for AuthPreferenceV2.
type AuthPreferenceV2 ¶
type AuthPreferenceV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec AuthPreferenceSpecV2 `json:"spec"` }
AuthPreferenceV2 implements AuthPreference.
func (*AuthPreferenceV2) CheckAndSetDefaults ¶
func (c *AuthPreferenceV2) CheckAndSetDefaults() error
CheckAndSetDefaults verifies the constraints for AuthPreference.
func (*AuthPreferenceV2) GetConnectorName ¶
func (c *AuthPreferenceV2) GetConnectorName() string
GetConnectorName gets the name of the OIDC or SAML connector to use. If this value is empty, we fall back to the first connector in the backend.
func (*AuthPreferenceV2) GetSecondFactor ¶
func (c *AuthPreferenceV2) GetSecondFactor() string
GetSecondFactor returns the type of second factor.
func (*AuthPreferenceV2) GetType ¶
func (c *AuthPreferenceV2) GetType() string
GetType returns the type of authentication.
func (*AuthPreferenceV2) GetU2F ¶
func (c *AuthPreferenceV2) GetU2F() (*U2F, error)
GetU2F gets the U2F configuration settings.
func (*AuthPreferenceV2) SetConnectorName ¶
func (c *AuthPreferenceV2) SetConnectorName(cn string)
GetConnectorName sets the name of the OIDC or SAML connector to use. If this value is empty, we fall back to the first connector in the backend.
func (*AuthPreferenceV2) SetSecondFactor ¶
func (c *AuthPreferenceV2) SetSecondFactor(s string)
SetSecondFactor sets the type of second factor.
func (*AuthPreferenceV2) SetType ¶
func (c *AuthPreferenceV2) SetType(s string)
SetType sets the type of authentication.
func (*AuthPreferenceV2) SetU2F ¶
func (c *AuthPreferenceV2) SetU2F(u2f *U2F)
SetU2F sets the U2F configuration settings.
func (*AuthPreferenceV2) String ¶
func (c *AuthPreferenceV2) String() string
String represents a human readable version of authentication settings.
type Bool ¶
type Bool struct {
// contains filtered or unexported fields
}
Bool is a wrapper around boolean values
func BoolOption ¶
BoolOption converts bool pointer to Bool value returns equivalent of false if not set
func NewBoolOption ¶
NewBoolOption returns Bool struct based on bool value
func (Bool) MarshalJSON ¶
MarshalJSON marshals boolean value.
func (Bool) MarshalYAML ¶
MarshalYAML marshals bool into yaml value
func (*Bool) UnmarshalJSON ¶
UnmarshalJSON unmarshals JSON from string or bool, in case if value is missing or not recognized, defaults to false
func (*Bool) UnmarshalYAML ¶
type CertAuthID ¶
type CertAuthID struct { Type CertAuthType `json:"type"` DomainName string `json:"domain_name"` }
CertAuthID - id of certificate authority (it's type and domain name)
func (*CertAuthID) Check ¶
func (c *CertAuthID) Check() error
Check returns error if any of the id parameters are bad, nil otherwise
func (*CertAuthID) String ¶
func (c *CertAuthID) String() string
type CertAuthType ¶
type CertAuthType string
CertAuthType specifies certificate authority type, user or host
const ( // HostCA identifies the key as a host certificate authority HostCA CertAuthType = "host" // UserCA identifies the key as a user certificate authority UserCA CertAuthType = "user" )
func (CertAuthType) Check ¶
func (c CertAuthType) Check() error
Check checks if certificate authority type value is correct
type CertAuthority ¶
type CertAuthority interface { // Resource sets common resource properties Resource // GetID returns certificate authority ID - // combined type and name GetID() CertAuthID // GetType returns user or host certificate authority GetType() CertAuthType // GetClusterName returns cluster name this cert authority // is associated with GetClusterName() string // GetCheckingKeys returns public keys to check signature GetCheckingKeys() [][]byte // GetSigning keys returns signing keys GetSigningKeys() [][]byte // CombinedMapping is used to specify combined mapping from legacy property Roles // and new property RoleMap CombinedMapping() RoleMap // GetRoleMap returns role map property GetRoleMap() RoleMap // SetRoleMap sets role map SetRoleMap(m RoleMap) // GetRoles returns a list of roles assumed by users signed by this CA GetRoles() []string // SetRoles sets assigned roles for this certificate authority SetRoles(roles []string) // FirstSigningKey returns first signing key or returns error if it's not here // The first key is returned because multiple keys can exist during key rotation. FirstSigningKey() ([]byte, error) // GetRawObject returns raw object data, used for migrations GetRawObject() interface{} // Check checks object for errors Check() error // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error // SetSigningKeys sets signing keys SetSigningKeys([][]byte) error // SetCheckingKeys sets signing keys SetCheckingKeys([][]byte) error // AddRole adds a role to ca role list AddRole(name string) // Checkers returns public keys that can be used to check cert authorities Checkers() ([]ssh.PublicKey, error) // Signers returns a list of signers that could be used to sign keys Signers() ([]ssh.Signer, error) // V1 returns V1 version of the resource V1() *CertAuthorityV1 // V2 returns V2 version of the resource V2() *CertAuthorityV2 // String returns human readable version of the CertAuthority String() string // TLSCA returns first TLS certificate authority from the list of key pairs TLSCA() (*tlsca.CertAuthority, error) // SetTLSKeyPairs sets TLS key pairs SetTLSKeyPairs(keyPairs []TLSKeyPair) // GetTLSKeyPairs returns first PEM encoded TLS cert GetTLSKeyPairs() []TLSKeyPair // GetRotation returns rotation state. GetRotation() Rotation // SetRotation sets rotation state. SetRotation(Rotation) // Clone returns a copy of the cert authority object. Clone() CertAuthority }
CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
func NewCertAuthority ¶
func NewCertAuthority(caType CertAuthType, clusterName string, signingKeys, checkingKeys [][]byte, roles []string) CertAuthority
NewCertAuthority returns new cert authority
type CertAuthorityMarshaler ¶
type CertAuthorityMarshaler interface { // UnmarshalCertAuthority unmarhsals cert authority from binary representation UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (CertAuthority, error) // MarshalCertAuthority to binary representation MarshalCertAuthority(c CertAuthority, opts ...MarshalOption) ([]byte, error) // GenerateCertAuthority is used to generate new cert authority // based on standard teleport one and is used to add custom // parameters and extend it in extensions of teleport GenerateCertAuthority(CertAuthority) (CertAuthority, error) }
CertAuthorityMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetCertAuthorityMarshaler ¶
func GetCertAuthorityMarshaler() CertAuthorityMarshaler
GetCertAuthorityMarshaler returns currently set user marshaler
type CertAuthoritySpecV2 ¶
type CertAuthoritySpecV2 struct { // Type is either user or host certificate authority Type CertAuthType `json:"type"` // DELETE IN(2.7.0) this field is deprecated, // as resource name matches cluster name after migrations. // and this property is enforced by the auth server code. // ClusterName identifies cluster name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name ClusterName string `json:"cluster_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures CheckingKeys [][]byte `json:"checking_keys"` // SigningKeys is a list of private keys used for signing SigningKeys [][]byte `json:"signing_keys,omitempty"` // Roles is a list of roles assumed by users signed by this CA Roles []string `json:"roles,omitempty"` // RoleMap specifies role mappings to remote roles RoleMap RoleMap `json:"role_map,omitempty"` // TLS is a list of TLS key pairs TLSKeyPairs []TLSKeyPair `json:"tls_key_pairs,omitempty"` // Rotation is a status of the certificate authority rotation Rotation *Rotation `json:"rotation,omitempty"` }
CertAuthoritySpecV2 is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type CertAuthorityV1 ¶
type CertAuthorityV1 struct { // Type is either user or host certificate authority Type CertAuthType `json:"type"` // DomainName identifies domain name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name DomainName string `json:"domain_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures CheckingKeys [][]byte `json:"checking_keys"` // SigningKeys is a list of private keys used for signing SigningKeys [][]byte `json:"signing_keys"` // AllowedLogins is a list of allowed logins for users within // this certificate authority AllowedLogins []string `json:"allowed_logins"` }
CertAuthorityV1 is a host or user certificate authority that can check and if it has private key stored as well, sign it too
func CertAuthoritiesToV1 ¶
func CertAuthoritiesToV1(in []CertAuthority) ([]CertAuthorityV1, error)
CertAuthoritiesToV1 converts list of cert authorities to V1 slice
func (*CertAuthorityV1) CombinedMapping ¶
func (ca *CertAuthorityV1) CombinedMapping() RoleMap
CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap
func (*CertAuthorityV1) GetRoleMap ¶
func (ca *CertAuthorityV1) GetRoleMap() RoleMap
GetRoleMap returns role map property
func (*CertAuthorityV1) SetRoleMap ¶
func (c *CertAuthorityV1) SetRoleMap(m RoleMap)
SetRoleMap sets role map
func (*CertAuthorityV1) String ¶
func (c *CertAuthorityV1) String() string
String returns human readable version of the CertAuthorityV1.
func (*CertAuthorityV1) V1 ¶
func (c *CertAuthorityV1) V1() *CertAuthorityV1
V1 returns V1 version of the resource
func (*CertAuthorityV1) V2 ¶
func (c *CertAuthorityV1) V2() *CertAuthorityV2
V2 returns V2 version of the resource
type CertAuthorityV2 ¶
type CertAuthorityV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains cert authority specification Spec CertAuthoritySpecV2 `json:"spec"` // contains filtered or unexported fields }
CertAuthorityV2 is version 2 resource spec for Cert Authority
func (*CertAuthorityV2) AddRole ¶
func (ca *CertAuthorityV2) AddRole(name string)
AddRole adds a role to ca role list
func (*CertAuthorityV2) Check ¶
func (ca *CertAuthorityV2) Check() error
Check checks if all passed parameters are valid
func (*CertAuthorityV2) CheckAndSetDefaults ¶
func (ca *CertAuthorityV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and set default values for any missing fields.
func (*CertAuthorityV2) Checkers ¶
func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)
Checkers returns public keys that can be used to check cert authorities
func (*CertAuthorityV2) Clone ¶
func (c *CertAuthorityV2) Clone() CertAuthority
Clone returns a copy of the cert authority object.
func (*CertAuthorityV2) CombinedMapping ¶
func (ca *CertAuthorityV2) CombinedMapping() RoleMap
CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap
func (*CertAuthorityV2) Expiry ¶
func (c *CertAuthorityV2) Expiry() time.Time
Expires returns object expiry setting
func (*CertAuthorityV2) FirstSigningKey ¶
func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)
FirstSigningKey returns first signing key or returns error if it's not here
func (*CertAuthorityV2) GetCheckingKeys ¶
func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte
GetCheckingKeys returns public keys to check signature
func (*CertAuthorityV2) GetClusterName ¶
func (ca *CertAuthorityV2) GetClusterName() string
GetClusterName returns cluster name this cert authority is associated with.
func (*CertAuthorityV2) GetID ¶
func (ca *CertAuthorityV2) GetID() CertAuthID
GetID returns certificate authority ID - combined type and name
func (*CertAuthorityV2) GetMetadata ¶
func (c *CertAuthorityV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*CertAuthorityV2) GetName ¶
func (ca *CertAuthorityV2) GetName() string
GetName returns cert authority name
func (*CertAuthorityV2) GetRawObject ¶
func (ca *CertAuthorityV2) GetRawObject() interface{}
GetRawObject returns raw object data, used for migrations
func (*CertAuthorityV2) GetRoleMap ¶
func (ca *CertAuthorityV2) GetRoleMap() RoleMap
GetRoleMap returns role map property
func (*CertAuthorityV2) GetRoles ¶
func (ca *CertAuthorityV2) GetRoles() []string
GetRoles returns a list of roles assumed by users signed by this CA
func (*CertAuthorityV2) GetRotation ¶
func (c *CertAuthorityV2) GetRotation() Rotation
GetRotation returns rotation state.
func (*CertAuthorityV2) GetSigningKeys ¶
func (ca *CertAuthorityV2) GetSigningKeys() [][]byte
GetSigning keys returns signing keys
func (*CertAuthorityV2) GetTLSKeyPairs ¶
func (c *CertAuthorityV2) GetTLSKeyPairs() []TLSKeyPair
GetTLSPrivateKey returns TLS key pairs
func (*CertAuthorityV2) GetType ¶
func (ca *CertAuthorityV2) GetType() CertAuthType
GetType returns user or host certificate authority
func (*CertAuthorityV2) ID ¶
func (ca *CertAuthorityV2) ID() *CertAuthID
ID returns id (consisting of domain name and type) that identifies the authority this key belongs to
func (*CertAuthorityV2) SetCheckingKeys ¶
func (ca *CertAuthorityV2) SetCheckingKeys(keys [][]byte) error
SetCheckingKeys sets SSH public keys
func (*CertAuthorityV2) SetExpiry ¶
func (c *CertAuthorityV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*CertAuthorityV2) SetName ¶
func (ca *CertAuthorityV2) SetName(name string)
SetName sets cert authority name
func (*CertAuthorityV2) SetRoleMap ¶
func (c *CertAuthorityV2) SetRoleMap(m RoleMap)
SetRoleMap sets role map
func (*CertAuthorityV2) SetRoles ¶
func (ca *CertAuthorityV2) SetRoles(roles []string)
SetRoles sets assigned roles for this certificate authority
func (*CertAuthorityV2) SetRotation ¶
func (c *CertAuthorityV2) SetRotation(r Rotation)
SetRotation sets rotation state.
func (*CertAuthorityV2) SetSigningKeys ¶
func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error
SetSigningKeys sets signing keys
func (*CertAuthorityV2) SetTLSKeyPairs ¶
func (c *CertAuthorityV2) SetTLSKeyPairs(pairs []TLSKeyPair)
SetTLSPrivateKey sets TLS key pairs
func (*CertAuthorityV2) SetTTL ¶
func (c *CertAuthorityV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*CertAuthorityV2) Signers ¶
func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)
Signers returns a list of signers that could be used to sign keys
func (*CertAuthorityV2) String ¶
func (c *CertAuthorityV2) String() string
String returns human readable version of the CertAuthorityV2.
func (*CertAuthorityV2) TLSCA ¶
func (c *CertAuthorityV2) TLSCA() (*tlsca.CertAuthority, error)
TLSCA returns TLS certificate authority
func (*CertAuthorityV2) V1 ¶
func (c *CertAuthorityV2) V1() *CertAuthorityV1
V1 returns V1 version of the object
func (*CertAuthorityV2) V2 ¶
func (c *CertAuthorityV2) V2() *CertAuthorityV2
V2 returns V2 version of the resouirce - itself
type CertRoles ¶
type CertRoles struct { // Version is current version of the roles Version string `json:"version"` // Roles is a list of roles Roles []string `json:"roles"` }
CertRoles defines certificate roles
type ChangePasswordReq ¶
type ChangePasswordReq struct { // User is user ID User string // OldPassword is user current password OldPassword []byte `json:"old_password"` // NewPassword is user new password NewPassword []byte `json:"new_password"` // SecondFactorToken is user 2nd factor token SecondFactorToken string `json:"second_factor_token"` // U2FSignResponse is U2F sign response U2FSignResponse *u2f.SignResponse `json:"u2f_sign_response"` }
ChangePasswordReq defines a request to change user password
type ClaimMapping ¶
type ClaimMapping struct { // Claim is OIDC claim name Claim string `json:"claim"` // Value is claim value to match Value string `json:"value"` // Roles is a list of static teleport roles to match. Roles []string `json:"roles,omitempty"` // RoleTemplate a template role that will be filled out with claims. RoleTemplate *RoleV2 `json:"role_template,omitempty"` }
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type ClusterConfig ¶
type ClusterConfig interface { // Resource provides common resource properties. Resource // GetSessionRecording gets where the session is being recorded. GetSessionRecording() string // SetSessionRecording sets where the session is recorded. SetSessionRecording(string) // GetClusterID returns the unique cluster ID GetClusterID() string // SetClusterID sets the cluster ID SetClusterID(string) // GetProxyChecksHostKeys sets if the proxy will check host keys. GetProxyChecksHostKeys() string // SetProxyChecksHostKeys gets if the proxy will check host keys. SetProxyChecksHostKeys(string) // CheckAndSetDefaults checks and set default values for missing fields. CheckAndSetDefaults() error // GetAuditConfig returns audit settings GetAuditConfig() AuditConfig // SetAuditConfig sets audit config SetAuditConfig(AuditConfig) // GetClientIdleTimeout returns client idle timeout setting GetClientIdleTimeout() time.Duration // SetClientIdleTimeout sets client idle timeout setting SetClientIdleTimeout(t time.Duration) // GetDisconnectExpiredCert returns disconnect expired certificate setting GetDisconnectExpiredCert() bool // SetDisconnectExpiredCert sets disconnect client with expired certificate setting SetDisconnectExpiredCert(bool) // GetKeepAliveInterval gets the keep-alive interval for server to client // connections. GetKeepAliveInterval() time.Duration // SetKeepAliveInterval sets the keep-alive interval for server to client // connections. SetKeepAliveInterval(t time.Duration) // GetKeepAliveCountMax gets the number of missed keep-alive messages before // the server disconnects the client. GetKeepAliveCountMax() int // SetKeepAliveCountMax sets the number of missed keep-alive messages before // the server disconnects the client. SetKeepAliveCountMax(c int) // Copy creates a copy of the resource and returns it. Copy() ClusterConfig }
ClusterConfig defines cluster level configuration. This is a configuration resource, never create more than one instance of it.
func DefaultClusterConfig ¶
func DefaultClusterConfig() ClusterConfig
DefaultClusterConfig is used as the default cluster configuration when one is not specified (record at node).
func NewClusterConfig ¶
func NewClusterConfig(spec ClusterConfigSpecV3) (ClusterConfig, error)
NewClusterConfig is a convenience wrapper to create a ClusterConfig resource.
type ClusterConfigMarshaler ¶
type ClusterConfigMarshaler interface { Marshal(c ClusterConfig, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (ClusterConfig, error) }
ClusterConfigMarshaler implements marshal/unmarshal of ClusterConfig implementations mostly adds support for extended versions.
func GetClusterConfigMarshaler ¶
func GetClusterConfigMarshaler() ClusterConfigMarshaler
GetClusterConfigMarshaler gets the marshaler.
type ClusterConfigSpecV3 ¶
type ClusterConfigSpecV3 struct { // SessionRecording controls where (or if) the session is recorded. SessionRecording string `json:"session_recording"` // ClusterID is the unique cluster ID that is set once during the first auth // server startup. ClusterID string `json:"cluster_id"` // ProxyChecksHostKeys is used to control if the proxy will check host keys // when in recording mode. ProxyChecksHostKeys string `json:"proxy_checks_host_keys"` // Audit is a section with audit config Audit AuditConfig `json:"audit"` // ClientIdleTimeout sets global cluster default setting for client idle timeouts ClientIdleTimeout Duration `json:"client_idle_timeout"` // DisconnectExpiredCert provides disconnect expired certificate setting - // if true, connections with expired client certificates will get disconnected DisconnectExpiredCert Bool `json:"disconnect_expired_cert"` // KeepAliveInterval is the interval the server sends keep-alive messsages // to the client at. KeepAliveInterval Duration `json:"keep_alive_interval"` // KeepAliveCountMax is the number of keep-alive messages that can be missed before // the server disconnects the connection to the client. KeepAliveCountMax int `json:"keep_alive_count_max"` }
ClusterConfigSpecV3 is the actual data we care about for ClusterConfig.
type ClusterConfigV3 ¶
type ClusterConfigV3 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec ClusterConfigSpecV3 `json:"spec"` }
ClusterConfigV3 implements the ClusterConfig interface.
func (*ClusterConfigV3) CheckAndSetDefaults ¶
func (c *ClusterConfigV3) CheckAndSetDefaults() error
CheckAndSetDefaults checks validity of all parameters and sets defaults.
func (*ClusterConfigV3) Copy ¶
func (c *ClusterConfigV3) Copy() ClusterConfig
Copy creates a copy of the resource and returns it.
func (*ClusterConfigV3) Expiry ¶
func (c *ClusterConfigV3) Expiry() time.Time
Expires returns object expiry setting
func (*ClusterConfigV3) GetAuditConfig ¶
func (c *ClusterConfigV3) GetAuditConfig() AuditConfig
GetAuditConfig returns audit settings
func (*ClusterConfigV3) GetClientIdleTimeout ¶
func (c *ClusterConfigV3) GetClientIdleTimeout() time.Duration
GetClientIdleTimeout returns client idle timeout setting
func (*ClusterConfigV3) GetClusterID ¶
func (c *ClusterConfigV3) GetClusterID() string
GetClusterID returns the unique cluster ID
func (*ClusterConfigV3) GetDisconnectExpiredCert ¶
func (c *ClusterConfigV3) GetDisconnectExpiredCert() bool
GetDisconnectExpiredCert returns disconnect expired certificate setting
func (*ClusterConfigV3) GetKeepAliveCountMax ¶ added in v3.1.0
func (c *ClusterConfigV3) GetKeepAliveCountMax() int
GetKeepAliveCountMax gets the number of missed keep-alive messages before the server disconnects the client.
func (*ClusterConfigV3) GetKeepAliveInterval ¶ added in v3.1.0
func (c *ClusterConfigV3) GetKeepAliveInterval() time.Duration
GetKeepAliveInterval gets the keep-alive interval.
func (*ClusterConfigV3) GetMetadata ¶
func (c *ClusterConfigV3) GetMetadata() Metadata
GetMetadata returns object metadata
func (*ClusterConfigV3) GetName ¶
func (c *ClusterConfigV3) GetName() string
GetName returns the name of the cluster.
func (*ClusterConfigV3) GetProxyChecksHostKeys ¶
func (c *ClusterConfigV3) GetProxyChecksHostKeys() string
GetProxyChecksHostKeys sets if the proxy will check host keys.
func (*ClusterConfigV3) GetSessionRecording ¶
func (c *ClusterConfigV3) GetSessionRecording() string
GetClusterConfig gets the name of the cluster.
func (*ClusterConfigV3) SetAuditConfig ¶
func (c *ClusterConfigV3) SetAuditConfig(cfg AuditConfig)
SetAuditConfig sets audit config
func (*ClusterConfigV3) SetClientIdleTimeout ¶
func (c *ClusterConfigV3) SetClientIdleTimeout(d time.Duration)
SetClientIdleTimeout sets client idle timeout setting
func (*ClusterConfigV3) SetClusterID ¶
func (c *ClusterConfigV3) SetClusterID(id string)
SetClusterID sets the cluster ID
func (*ClusterConfigV3) SetDisconnectExpiredCert ¶
func (c *ClusterConfigV3) SetDisconnectExpiredCert(b bool)
SetDisconnectExpiredCert sets disconnect client with expired certificate setting
func (*ClusterConfigV3) SetExpiry ¶
func (c *ClusterConfigV3) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*ClusterConfigV3) SetKeepAliveCountMax ¶ added in v3.1.0
func (c *ClusterConfigV3) SetKeepAliveCountMax(m int)
SetKeepAliveCountMax sets the number of missed keep-alive messages before the server disconnects the client.
func (*ClusterConfigV3) SetKeepAliveInterval ¶ added in v3.1.0
func (c *ClusterConfigV3) SetKeepAliveInterval(t time.Duration)
SetKeepAliveInterval sets the keep-alive interval.
func (*ClusterConfigV3) SetName ¶
func (c *ClusterConfigV3) SetName(e string)
SetName sets the name of the cluster.
func (*ClusterConfigV3) SetProxyChecksHostKeys ¶
func (c *ClusterConfigV3) SetProxyChecksHostKeys(t string)
SetProxyChecksHostKeys sets if the proxy will check host keys.
func (*ClusterConfigV3) SetSessionRecording ¶
func (c *ClusterConfigV3) SetSessionRecording(s string)
SetClusterConfig sets the name of the cluster.
func (*ClusterConfigV3) SetTTL ¶
func (c *ClusterConfigV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*ClusterConfigV3) String ¶
func (c *ClusterConfigV3) String() string
String represents a human readable version of the cluster name.
type ClusterConfiguration ¶
type ClusterConfiguration interface { // SetClusterName gets services.ClusterName from the backend. GetClusterName() (ClusterName, error) // SetClusterName sets services.ClusterName on the backend. SetClusterName(ClusterName) error // GetStaticTokens gets services.StaticTokens from the backend. GetStaticTokens() (StaticTokens, error) // SetStaticTokens sets services.StaticTokens on the backend. SetStaticTokens(StaticTokens) error // GetAuthPreference gets services.AuthPreference from the backend. GetAuthPreference() (AuthPreference, error) // SetAuthPreference sets services.AuthPreference from the backend. SetAuthPreference(AuthPreference) error // GetClusterConfig gets services.ClusterConfig from the backend. GetClusterConfig() (ClusterConfig, error) // SetClusterConfig sets services.ClusterConfig on the backend. SetClusterConfig(ClusterConfig) error }
ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.
type ClusterName ¶
type ClusterName interface { // Resource provides common resource properties. Resource // SetClusterName sets the name of the cluster. SetClusterName(string) // GetClusterName gets the name of the cluster. GetClusterName() string // CheckAndSetDefaults checks and set default values for missing fields. CheckAndSetDefaults() error }
ClusterName defines the name of the cluster. This is a configuration resource, never create more than one instance of it.
func NewClusterName ¶
func NewClusterName(spec ClusterNameSpecV2) (ClusterName, error)
NewClusterName is a convenience wrapper to create a ClusterName resource.
type ClusterNameMarshaler ¶
type ClusterNameMarshaler interface { Marshal(c ClusterName, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (ClusterName, error) }
ClusterNameMarshaler implements marshal/unmarshal of ClusterName implementations mostly adds support for extended versions.
func GetClusterNameMarshaler ¶
func GetClusterNameMarshaler() ClusterNameMarshaler
GetClusterNameMarshaler gets the marshaler.
type ClusterNameSpecV2 ¶
type ClusterNameSpecV2 struct { // ClusterName is the name of the cluster. Changing this value once the // cluster is setup can and will cause catastrophic problems. ClusterName string `json:"cluster_name"` }
ClusterNameSpecV2 is the actual data we care about for ClusterName.
type ClusterNameV2 ¶
type ClusterNameV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec ClusterNameSpecV2 `json:"spec"` }
ClusterNameV2 implements the ClusterName interface.
func (*ClusterNameV2) CheckAndSetDefaults ¶
func (c *ClusterNameV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks validity of all parameters and sets defaults.
func (*ClusterNameV2) Expiry ¶
func (c *ClusterNameV2) Expiry() time.Time
Expires returns object expiry setting
func (*ClusterNameV2) GetClusterName ¶
func (c *ClusterNameV2) GetClusterName() string
GetClusterName gets the name of the cluster.
func (*ClusterNameV2) GetMetadata ¶
func (c *ClusterNameV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*ClusterNameV2) GetName ¶
func (c *ClusterNameV2) GetName() string
GetName returns the name of the cluster.
func (*ClusterNameV2) SetClusterName ¶
func (c *ClusterNameV2) SetClusterName(n string)
SetClusterName sets the name of the cluster.
func (*ClusterNameV2) SetExpiry ¶
func (c *ClusterNameV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*ClusterNameV2) SetName ¶
func (c *ClusterNameV2) SetName(e string)
SetName sets the name of the cluster.
func (*ClusterNameV2) SetTTL ¶
func (c *ClusterNameV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*ClusterNameV2) String ¶
func (c *ClusterNameV2) String() string
String represents a human readable version of the cluster name.
type CommandLabel ¶
type CommandLabel interface { // GetPeriod returns label period GetPeriod() time.Duration // SetPeriod sets label period SetPeriod(time.Duration) // GetResult returns label result GetResult() string // SetResult sets label result SetResult(string) // GetCommand returns to execute and set as a label result GetCommand() []string // Clone returns label copy Clone() CommandLabel }
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname
type CommandLabelV1 ¶
type CommandLabelV1 struct { // Period is a time between command runs Period time.Duration `json:"period"` // Command is a command to run Command []string `json:"command"` //["/usr/bin/hostname", "--long"] // Result captures standard output Result string `json:"result"` }
CommandLabelV1 is a label that has a value as a result of the output generated by running command, e.g. hostname
type CommandLabelV2 ¶
type CommandLabelV2 struct { // Period is a time between command runs Period Duration `json:"period"` // Command is a command to run Command []string `json:"command"` //["/usr/bin/hostname", "--long"] // Result captures standard output Result string `json:"result"` }
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname
func (*CommandLabelV2) Clone ¶
func (c *CommandLabelV2) Clone() CommandLabel
Clone returns label copy
func (*CommandLabelV2) GetCommand ¶
func (c *CommandLabelV2) GetCommand() []string
GetCommand returns to execute and set as a label result
func (*CommandLabelV2) GetPeriod ¶
func (c *CommandLabelV2) GetPeriod() time.Duration
GetPeriod returns label period
func (*CommandLabelV2) GetResult ¶
func (c *CommandLabelV2) GetResult() string
GetResult returns label result
func (*CommandLabelV2) SetPeriod ¶
func (c *CommandLabelV2) SetPeriod(p time.Duration)
SetPeriod sets label period
func (*CommandLabelV2) SetResult ¶
func (c *CommandLabelV2) SetResult(r string)
SetResult sets label result
type CommandLabels ¶
type CommandLabels map[string]CommandLabel
CommandLabels is a set of command labels
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from environment variable
type ConnectorRef ¶
type ConnectorRef struct { // Type is connector type Type string `json:"type"` // ID is connector ID ID string `json:"id"` // Identity is external identity of the user Identity string `json:"identity"` }
ConnectorRef holds information about OIDC connector
func (*ConnectorRef) IsSameProvider ¶
func (r *ConnectorRef) IsSameProvider(other *ConnectorRef) bool
IsSameProvider returns true if the provided connector has the same ID/type as this one
type Context ¶
type Context struct { // User is currently authenticated user User User // Resource is an optional resource, in case if the rule // checks access to the resource Resource Resource }
Context is a default rule context used in teleport
func (*Context) GetIdentifier ¶
GetIdentifier returns identifier defined in a context
func (*Context) GetResource ¶
GetResource returns resource specified in the context, returns error if not specified.
type CreatedBy ¶
type CreatedBy struct { // Identity if present means that user was automatically created by identity Connector *ConnectorRef `json:"connector,omitempty"` // Time specifies when user was created Time time.Time `json:"time"` // User holds information about user User UserRef `json:"user"` }
CreatedBy holds information about the person or agent who created the user
type Duration ¶
Duration is a wrapper around duration to set up custom marshal/unmarshal
func MaxDuration ¶
func MaxDuration() Duration
MaxDuration returns maximum duration that is possible
func NewDuration ¶
NewDuration returns Duration struct based on time.Duration
func (Duration) MarshalJSON ¶
MarshalJSON marshals Duration to string
func (Duration) MarshalYAML ¶
MarshalYAML marshals duration into YAML value, encodes it as a string in format "1m"
func (*Duration) UnmarshalJSON ¶
UnmarshalJSON marshals Duration to string
func (*Duration) UnmarshalYAML ¶
type EmptyResource ¶
type EmptyResource struct { // Kind is a resource kind Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` }
EmptyResource is used to represent a use case when no resource is specified in the rules matcher
func (*EmptyResource) Expiry ¶
func (r *EmptyResource) Expiry() time.Time
Expiry returns the expiry time for the object.
func (*EmptyResource) GetMetadata ¶
func (r *EmptyResource) GetMetadata() Metadata
GetMetadata returns role metadata.
func (*EmptyResource) GetName ¶
func (r *EmptyResource) GetName() string
GetName gets the role name and is a shortcut for GetMetadata().Name.
func (*EmptyResource) SetExpiry ¶
func (r *EmptyResource) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object.
func (*EmptyResource) SetName ¶
func (r *EmptyResource) SetName(s string)
SetName sets the role name and is a shortcut for SetMetadata().Name.
type ExternalIdentity ¶
type ExternalIdentity struct { // ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' ConnectorID string `json:"connector_id"` // Username is username supplied by external identity provider Username string `json:"username"` }
OIDCIdentity is OpenID Connect identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google
func (*ExternalIdentity) Check ¶
func (i *ExternalIdentity) Check() error
Check returns nil if all parameters are great, err otherwise
func (*ExternalIdentity) Equals ¶
func (i *ExternalIdentity) Equals(other *ExternalIdentity) bool
Equals returns true if this identity equals to passed one
func (*ExternalIdentity) String ¶
func (i *ExternalIdentity) String() string
String returns debug friendly representation of this identity
type GithubAuthRequest ¶
type GithubAuthRequest struct { // ConnectorID is the name of the connector to use ConnectorID string `json:"connector_id"` // Type is opaque string that helps callbacks identify the request type Type string `json:"type"` // StateToken is used to validate the request StateToken string `json:"state_token"` // CSRFToken is used to protect against CSRF attacks CSRFToken string `json:"csrf_token"` // PublicKey is an optional public key to sign in case of successful auth PublicKey []byte `json:"public_key"` // CertTTL is TTL of the cert that's generated in case of successful auth CertTTL time.Duration `json:"cert_ttl"` // CreateWebSession indicates that a user wants to generate a web session // after successul authentication CreateWebSession bool `json:"create_web_session"` // RedirectURL will be used by browser RedirectURL string `json:"redirect_url"` // ClientRedirectURL is the URL where client will be redirected after // successful auth ClientRedirectURL string `json:"client_redirect_url"` // Compatibility specifies OpenSSH compatibility flags Compatibility string `json:"compatibility,omitempty"` // Expires is a global expiry time header can be set on any resource in the system. Expires *time.Time `json:"expires,omitempty"` }
GithubAuthRequest is the request to start Github OAuth2 flow
func (*GithubAuthRequest) Check ¶
func (r *GithubAuthRequest) Check() error
Check makes sure the request is valid
func (*GithubAuthRequest) Expiry ¶
func (r *GithubAuthRequest) Expiry() time.Time
Expires returns object expiry setting.
func (*GithubAuthRequest) SetExpiry ¶
func (r *GithubAuthRequest) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
type GithubClaims ¶
type GithubClaims struct { // Username is the user's username Username string // OrganizationToTeams is the user's organization and team membership OrganizationToTeams map[string][]string }
GithubClaims represents Github user information obtained during OAuth2 flow
type GithubConnector ¶
type GithubConnector interface { // Resource is a common interface for all resources Resource // CheckAndSetDefaults validates the connector and sets some defaults CheckAndSetDefaults() error // GetClientID returns the connector client ID GetClientID() string // SetClientID sets the connector client ID SetClientID(string) // GetClientSecret returns the connector client secret GetClientSecret() string // SetClientSecret sets the connector client secret SetClientSecret(string) // GetRedirectURL returns the connector redirect URL GetRedirectURL() string // SetRedirectURL sets the connector redirect URL SetRedirectURL(string) // GetTeamsToLogins returns the mapping of Github teams to allowed logins GetTeamsToLogins() []TeamMapping // SetTeamsToLogins sets the mapping of Github teams to allowed logins SetTeamsToLogins([]TeamMapping) // MapClaims returns the list of allows logins based on the retrieved claims // returns list of logins and kubernetes groups MapClaims(GithubClaims) ([]string, []string) // GetDisplay returns the connector display name GetDisplay() string // SetDisplay sets the connector display name SetDisplay(string) }
GithubConnector defines an interface for a Github OAuth2 connector
func NewGithubConnector ¶
func NewGithubConnector(name string, spec GithubConnectorSpecV3) GithubConnector
NewGithubConnector creates a new Github connector from name and spec
type GithubConnectorMarshaler ¶
type GithubConnectorMarshaler interface { // Unmarshal unmarshals connector from binary representation Unmarshal(bytes []byte) (GithubConnector, error) // Marshal marshals connector to binary representation Marshal(c GithubConnector, opts ...MarshalOption) ([]byte, error) }
GithubConnectorMarshaler defines interface for Github connector marshaler
func GetGithubConnectorMarshaler ¶
func GetGithubConnectorMarshaler() GithubConnectorMarshaler
GetGithubConnectorMarshaler returns currently set Github connector marshaler
type GithubConnectorSpecV3 ¶
type GithubConnectorSpecV3 struct { // ClientID is the Github OAuth app client ID ClientID string `json:"client_id"` // ClientSecret is the Github OAuth app client secret ClientSecret string `json:"client_secret"` // RedirectURL is the authorization callback URL RedirectURL string `json:"redirect_url"` // TeamsToLogins maps Github team memberships onto allowed logins/roles TeamsToLogins []TeamMapping `json:"teams_to_logins"` // Display is the connector display name Display string `json:"display"` }
GithubConnectorSpecV3 is the current Github connector spec
type GithubConnectorV3 ¶
type GithubConnectorV3 struct { // Kind is a resource kind, for Github connector it is "github" Kind string `json:"kind"` // Version is resource version Version string `json:"version"` // Metadata is resource metadata Metadata Metadata `json:"metadata"` // Spec contains connector specification Spec GithubConnectorSpecV3 `json:"spec"` }
GithubConnectorV3 represents a Github connector
func (*GithubConnectorV3) CheckAndSetDefaults ¶
func (c *GithubConnectorV3) CheckAndSetDefaults() error
CheckAndSetDefaults verifies the connector is valid and sets some defaults
func (*GithubConnectorV3) Expiry ¶
func (c *GithubConnectorV3) Expiry() time.Time
Expires returns the connector expiration time
func (*GithubConnectorV3) GetClientID ¶
func (c *GithubConnectorV3) GetClientID() string
GetClientID returns the connector client ID
func (*GithubConnectorV3) GetClientSecret ¶
func (c *GithubConnectorV3) GetClientSecret() string
GetClientSecret returns the connector client secret
func (*GithubConnectorV3) GetDisplay ¶
func (c *GithubConnectorV3) GetDisplay() string
GetDisplay returns the connector display name
func (*GithubConnectorV3) GetMetadata ¶
func (c *GithubConnectorV3) GetMetadata() Metadata
GetMetadata returns the connector metadata
func (*GithubConnectorV3) GetName ¶
func (c *GithubConnectorV3) GetName() string
GetName returns the name of the connector
func (*GithubConnectorV3) GetRedirectURL ¶
func (c *GithubConnectorV3) GetRedirectURL() string
GetRedirectURL returns the connector redirect URL
func (*GithubConnectorV3) GetTeamsToLogins ¶
func (c *GithubConnectorV3) GetTeamsToLogins() []TeamMapping
GetTeamsToLogins returns the connector team membership mappings
func (*GithubConnectorV3) MapClaims ¶
func (c *GithubConnectorV3) MapClaims(claims GithubClaims) ([]string, []string)
MapClaims returns a list of logins based on the provided claims, returns a list of logins and list of kubernetes groups
func (*GithubConnectorV3) SetClientID ¶
func (c *GithubConnectorV3) SetClientID(id string)
SetClientID sets the connector client ID
func (*GithubConnectorV3) SetClientSecret ¶
func (c *GithubConnectorV3) SetClientSecret(secret string)
SetClientSecret sets the connector client secret
func (*GithubConnectorV3) SetDisplay ¶
func (c *GithubConnectorV3) SetDisplay(display string)
SetDisplay sets the connector display name
func (*GithubConnectorV3) SetExpiry ¶
func (c *GithubConnectorV3) SetExpiry(expires time.Time)
SetExpiry sets the connector expiration time
func (*GithubConnectorV3) SetName ¶
func (c *GithubConnectorV3) SetName(name string)
SetName sets the connector name
func (*GithubConnectorV3) SetRedirectURL ¶
func (c *GithubConnectorV3) SetRedirectURL(redirectURL string)
SetRedirectURL sets the connector redirect URL
func (*GithubConnectorV3) SetTTL ¶
func (c *GithubConnectorV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets the connector TTL
func (*GithubConnectorV3) SetTeamsToLogins ¶
func (c *GithubConnectorV3) SetTeamsToLogins(teamsToLogins []TeamMapping)
SetTeamsToLogins sets the connector team membership mappings
type HostCertParams ¶
type HostCertParams struct { // PrivateCASigningKey is the private key of the CA that will sign the public key of the host PrivateCASigningKey []byte // PublicHostKey is the public key of the host PublicHostKey []byte // HostID is used by Teleport to uniquely identify a node within a cluster HostID string // Principals is a list of additional principals to add to the certificate. Principals []string // NodeName is the DNS name of the node NodeName string // ClusterName is the name of the cluster within which a node lives ClusterName string // Roles identifies the roles of a Teleport instance Roles teleport.Roles // TTL defines how long a certificate is valid for TTL time.Duration }
HostCertParams defines all parameters needed to generate a host certificate
func (*HostCertParams) Check ¶
func (c *HostCertParams) Check() error
type Identity ¶
type Identity interface { // GetUsers returns a list of users registered with the local auth server GetUsers() ([]User, error) // DeleteAllUsers deletes all users DeleteAllUsers() error // CreateUser creates user if it does not exist CreateUser(user User) error // UpsertUser updates parameters about user UpsertUser(user User) error UserGetter // DeleteUser deletes a user with all the keys from the backend DeleteUser(user string) error // AddUserLoginAttempt logs user login attempt AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error // GetUserLoginAttempts returns user login attempts GetUserLoginAttempts(user string) ([]LoginAttempt, error) // DeleteUserLoginAttempts removes all login attempts of a user. Should be // called after successful login. DeleteUserLoginAttempts(user string) error // GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first // user specified with this identity GetUserByOIDCIdentity(id ExternalIdentity) (User, error) // GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns first // user specified with this identity GetUserBySAMLIdentity(id ExternalIdentity) (User, error) // GetUserByGithubIdentity returns a user by its specified Github identity GetUserByGithubIdentity(id ExternalIdentity) (User, error) // UpsertPasswordHash upserts user password hash UpsertPasswordHash(user string, hash []byte) error // GetPasswordHash returns the password hash for a given user GetPasswordHash(user string) ([]byte, error) // UpsertHOTP upserts HOTP state for user // Deprecated: HOTP use is deprecated, use UpsertTOTP instead. UpsertHOTP(user string, otp *hotp.HOTP) error // GetHOTP gets HOTP token state for a user // Deprecated: HOTP use is deprecated, use GetTOTP instead. GetHOTP(user string) (*hotp.HOTP, error) // UpsertTOTP upserts TOTP secret key for a user that can be used to generate and validate tokens. UpsertTOTP(user string, secretKey string) error // GetTOTP returns the secret key used by the TOTP algorithm to validate tokens. GetTOTP(user string) (string, error) // UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again // during the 30 second window it's valid. UpsertUsedTOTPToken(user string, otpToken string) error // GetUsedTOTPToken returns the last successfully used TOTP token. GetUsedTOTPToken(user string) (string, error) // DeleteUsedTOTPToken removes the used token from the backend. This should only // be used during tests. DeleteUsedTOTPToken(user string) error // UpsertWebSession updates or inserts a web session for a user and session UpsertWebSession(user, sid string, session WebSession) error // GetWebSession returns a web session state for a given user and session id GetWebSession(user, sid string) (WebSession, error) // DeleteWebSession deletes web session from the storage DeleteWebSession(user, sid string) error // UpsertPassword upserts new password and OTP token UpsertPassword(user string, password []byte) error // UpsertSignupToken upserts signup token - one time token that lets user to create a user account UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error // GetSignupToken returns signup token data GetSignupToken(token string) (*SignupToken, error) // GetSignupTokens returns a list of signup tokens GetSignupTokens() ([]SignupToken, error) // DeleteSignupToken deletes signup token from the storage DeleteSignupToken(token string) error // UpsertU2FRegisterChallenge upserts a U2F challenge for a new user corresponding to the token UpsertU2FRegisterChallenge(token string, u2fChallenge *u2f.Challenge) error // GetU2FRegisterChallenge returns a U2F challenge for a new user corresponding to the token GetU2FRegisterChallenge(token string) (*u2f.Challenge, error) // UpsertU2FRegistration upserts a U2F registration from a valid register response UpsertU2FRegistration(user string, u2fReg *u2f.Registration) error // GetU2FRegistration returns a U2F registration from a valid register response GetU2FRegistration(user string) (*u2f.Registration, error) // UpsertU2FSignChallenge upserts a U2F sign (auth) challenge UpsertU2FSignChallenge(user string, u2fChallenge *u2f.Challenge) error // GetU2FSignChallenge returns a U2F sign (auth) challenge GetU2FSignChallenge(user string) (*u2f.Challenge, error) // UpsertU2FRegistrationCounter upserts a counter associated with a U2F registration UpsertU2FRegistrationCounter(user string, counter uint32) error // GetU2FRegistrationCounter returns a counter associated with a U2F registration GetU2FRegistrationCounter(user string) (uint32, error) // UpsertOIDCConnector upserts OIDC Connector UpsertOIDCConnector(connector OIDCConnector) error // DeleteOIDCConnector deletes OIDC Connector DeleteOIDCConnector(connectorID string) error // GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results GetOIDCConnector(id string, withSecrets bool) (OIDCConnector, error) // GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error) // CreateOIDCAuthRequest creates new auth request CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error // GetOIDCAuthRequest returns OIDC auth request if found GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error) // CreateSAMLConnector creates SAML Connector CreateSAMLConnector(connector SAMLConnector) error // UpsertSAMLConnector upserts SAML Connector UpsertSAMLConnector(connector SAMLConnector) error // DeleteSAMLConnector deletes OIDC Connector DeleteSAMLConnector(connectorID string) error // GetSAMLConnector returns OIDC connector data, withSecrets adds or removes secrets from return results GetSAMLConnector(id string, withSecrets bool) (SAMLConnector, error) // GetSAMLConnectors returns registered connectors, withSecrets adds or removes secret from return results GetSAMLConnectors(withSecrets bool) ([]SAMLConnector, error) // CreateSAMLAuthRequest creates new auth request CreateSAMLAuthRequest(req SAMLAuthRequest, ttl time.Duration) error // GetSAMLAuthRequest returns OSAML auth request if found GetSAMLAuthRequest(id string) (*SAMLAuthRequest, error) // CreateGithubConnector creates a new Github connector CreateGithubConnector(connector GithubConnector) error // UpsertGithubConnector creates or updates a new Github connector UpsertGithubConnector(connector GithubConnector) error // GetGithubConnectors returns all configured Github connectors GetGithubConnectors(withSecrets bool) ([]GithubConnector, error) // GetGithubConnector returns a Github connector by its name GetGithubConnector(name string, withSecrets bool) (GithubConnector, error) // DeleteGithubConnector deletes a Github connector by its name DeleteGithubConnector(name string) error // CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow CreateGithubAuthRequest(req GithubAuthRequest) error // GetGithubAuthRequest retrieves Github auth request by the token GetGithubAuthRequest(stateToken string) (*GithubAuthRequest, error) }
Identity is responsible for managing user entries and external identities
type Labels ¶
Labels is a wrapper around map that can marshal and unmarshal itself from scalar and list values
type License ¶
type License interface { Resource // GetReportsUsage returns true if teleport cluster reports usage // to control plane GetReportsUsage() Bool // SetReportsUsage sets usage report SetReportsUsage(Bool) // GetAWSProductID returns product id that limits usage to AWS instance // with a similar product ID GetAWSProductID() string // SetAWSProductID sets AWS product ID SetAWSProductID(string) // GetAWSAccountID limits usage to AWS instance within account ID GetAWSAccountID() string // SetAWSAccountID sets AWS account ID that will be limiting // usage to AWS instance SetAWSAccountID(accountID string) // GetSupportsKubernetes returns kubernetes support flag GetSupportsKubernetes() Bool // SetSupportsKubernetes sets kubernetes support flag SetSupportsKubernetes(Bool) // SetLabels sets metadata labels SetLabels(labels map[string]string) // GetAccountID returns Account ID GetAccountID() string // CheckAndSetDefaults sets and default values and then // verifies the constraints for License. CheckAndSetDefaults() error }
License defines teleport License Information
func NewLicense ¶
func NewLicense(name string, spec LicenseSpecV3) (License, error)
NewLicense is a convenience method to to create LicenseV3.
func UnmarshalLicense ¶
UnmarshalLicense unmarshals License from JSON or YAML and validates schema
type LicenseSpecV3 ¶
type LicenseSpecV3 struct { // AccountID is a customer account ID AccountID string `json:"account_id,omitempty"` // AWSProductID limits usage to AWS instance with a product ID AWSProductID string `json:"aws_pid,omitempty"` // AWSAccountID limits usage to AWS instance within account ID AWSAccountID string `json:"aws_account,omitempty"` // SupportsKubernetes turns kubernetes support on or off SupportsKubernetes Bool `json:"k8s"` // ReportsUsage is turned on when system reports usage ReportsUsage Bool `json:"usage,omitempty"` }
LicenseSpecV3 is the actual data we care about for LicenseV3.
type LicenseV3 ¶
type LicenseV3 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec LicenseSpecV3 `json:"spec"` }
LicenseV3 represents License resource version V3
func (*LicenseV3) CheckAndSetDefaults ¶
CheckAndSetDefaults verifies the constraints for License.
func (*LicenseV3) GetAWSAccountID ¶
GetAWSAccountID limits usage to AWS instance within account ID
func (*LicenseV3) GetAWSProductID ¶
GetAWSProductID returns product ID that limits usage to AWS instance with a similar product ID
func (*LicenseV3) GetAccountID ¶
GetAccountID sets AWS product ID
func (*LicenseV3) GetMetadata ¶
GetMetadata returns object metadata
func (*LicenseV3) GetReportsUsage ¶
GetReportsUsage returns true if teleport cluster reports usage to control plane
func (*LicenseV3) GetSupportsKubernetes ¶
GetSupportsKubernetes returns kubernetes support flag
func (*LicenseV3) SetAWSAccountID ¶
SetAWSAccountID sets AWS account ID that will be limiting usage to AWS instance
func (*LicenseV3) SetAWSProductID ¶
SetAWSProductID sets AWS product ID
func (*LicenseV3) SetReportsUsage ¶
SetReportsUsage sets usage report
func (*LicenseV3) SetSupportsKubernetes ¶
SetSupportsKubernetes sets kubernetes support flag
type LogAction ¶
type LogAction struct {
// contains filtered or unexported fields
}
LogAction represents action that will emit log entry when specified in the actions of a matched rule
type LoginAttempt ¶
type LoginAttempt struct { // Time is time of the attempt Time time.Time `json:"time"` // Success indicates whether attempt was successful Success bool `json:"bool"` }
LoginAttempt represents successful or unsuccessful attempt for user to login
type LoginStatus ¶
type LoginStatus struct { // IsLocked tells us if user is locked IsLocked bool `json:"is_locked"` // LockedMessage contains the message in case if user is locked LockedMessage string `json:"locked_message,omitempty"` // LockedTime contains time when user was locked LockedTime time.Time `json:"locked_time,omitempty"` // LockExpires contains time when this lock will expire LockExpires time.Time `json:"lock_expires,omitempty"` }
LoginStatus is a login status of the user
type MarshalConfig ¶
type MarshalConfig struct { // Version specifies particular version we should marshal resources with Version string // SkipValidation is used to skip schema validation. SkipValidation bool }
MarshalConfig specify marshalling options
func CollectOptions ¶
func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)
func (*MarshalConfig) GetVersion ¶
func (m *MarshalConfig) GetVersion() string
GetVersion returns explicitly provided version or sets latest as default
type MarshalOption ¶
type MarshalOption func(c *MarshalConfig) error
MarshalOption sets marshalling option
func SkipValidation ¶
func SkipValidation() MarshalOption
SkipValidation is used to disable schema validation.
type Metadata ¶
type Metadata struct { // Name is an object name Name string `json:"name"` // Namespace is object namespace. The field should be called "namespace" // when it returns in Teleport 2.4. Namespace string `json:"-"` // Description is object description Description string `json:"description,omitempty"` // Labels is a set of labels Labels map[string]string `json:"labels,omitempty"` // Expires is a global expiry time header can be set on any resource in the system. Expires *time.Time `json:"expires,omitempty"` }
Metadata is resource metadata
func (*Metadata) CheckAndSetDefaults ¶
CheckAndSetDefaults checks validity of all parameters and sets defaults
func (*Metadata) GetMetadata ¶
GetMetadata returns object metadata
type Namespace ¶
type Namespace struct { // Kind is a resource kind - always namespace Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains namespace specification Spec NamespaceSpec `json:"spec"` }
Namespace represents namespace resource specification
func UnmarshalNamespace ¶
UnmarshalNamespace unmarshals role from JSON or YAML, sets defaults and checks the schema
func (*Namespace) CheckAndSetDefaults ¶
Check checks validity of all parameters and sets defaults
type NewParserFn ¶
type NewParserFn func(ctx RuleContext) (predicate.Parser, error)
NewParserFn returns function that creates parser of 'where' section in access rules
func GetActionsParserFn ¶
func GetActionsParserFn() NewParserFn
GetActionsParserFn returns global function that creates where parsers this function is used in external tools to override and extend actions in rules
func GetWhereParserFn ¶
func GetWhereParserFn() NewParserFn
GetWhereParserFn returns global function that creates where parsers this function is used in external tools to override and extend 'where' in rules
type OIDCAuthRequest ¶
type OIDCAuthRequest struct { // ConnectorID is ID of OIDC connector this request uses ConnectorID string `json:"connector_id"` // Type is opaque string that helps callbacks identify the request type Type string `json:"type"` // CheckUser tells validator if it should expect and check user CheckUser bool `json:"check_user"` // StateToken is generated by service and is used to validate // reuqest coming from StateToken string `json:"state_token"` // CSRFToken is associated with user web session token CSRFToken string `json:"csrf_token"` // RedirectURL will be used by browser RedirectURL string `json:"redirect_url"` // PublicKey is an optional public key, users want these // keys to be signed by auth servers user CA in case // of successful auth PublicKey []byte `json:"public_key"` // CertTTL is the TTL of the certificate user wants to get CertTTL time.Duration `json:"cert_ttl"` // CreateWebSession indicates if user wants to generate a web // session after successful authentication CreateWebSession bool `json:"create_web_session"` // ClientRedirectURL is a URL client wants to be redirected // after successful authentication ClientRedirectURL string `json:"client_redirect_url"` // Compatibility specifies OpenSSH compatibility flags. Compatibility string `json:"compatibility,omitempty"` }
OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server
func (*OIDCAuthRequest) Check ¶
func (i *OIDCAuthRequest) Check() error
Check returns nil if all parameters are great, err otherwise
type OIDCConnector ¶
type OIDCConnector interface { // Resource provides common methods for objects Resource // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com GetIssuerURL() string // ClientID is id for authentication client (in our case it's our Auth server) GetClientID() string // ClientSecret is used to authenticate our client and should not // be visible to end user GetClientSecret() string // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successful authentication // Should match the URL on Provider's side GetRedirectURL() string // GetACR returns the Authentication Context Class Reference (ACR) value. GetACR() string // GetProvider returns the identity provider. GetProvider() string // Display - Friendly name for this provider. GetDisplay() string // Scope is additional scopes set by provder GetScope() []string // ClaimsToRoles specifies dynamic mapping from claims to roles GetClaimsToRoles() []ClaimMapping // GetClaims returns list of claims expected by mappings GetClaims() []string // MapClaims maps claims to roles MapClaims(claims jose.Claims) []string // Check checks OIDC connector for errors Check() error // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error // SetClientSecret sets client secret to some value SetClientSecret(secret string) // SetClientID sets id for authentication client (in our case it's our Auth server) SetClientID(string) // SetIssuerURL sets the endpoint of the provider SetIssuerURL(string) // SetRedirectURL sets RedirectURL SetRedirectURL(string) // SetACR sets the Authentication Context Class Reference (ACR) value. SetACR(string) // SetProvider sets the identity provider. SetProvider(string) // SetScope sets additional scopes set by provider SetScope([]string) // SetClaimsToRoles sets dynamic mapping from claims to roles SetClaimsToRoles([]ClaimMapping) // SetDisplay sets friendly name for this provider. SetDisplay(string) }
OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
func NewOIDCConnector ¶
func NewOIDCConnector(name string, spec OIDCConnectorSpecV2) OIDCConnector
NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV2.
type OIDCConnectorMarshaler ¶
type OIDCConnectorMarshaler interface { // UnmarshalOIDCConnector unmarshals connector from binary representation UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error) // MarshalOIDCConnector marshals connector to binary representation MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error) }
OIDCConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetOIDCConnectorMarshaler ¶
func GetOIDCConnectorMarshaler() OIDCConnectorMarshaler
GetOIDCConnectorMarshaler returns currently set user marshaler
type OIDCConnectorSpecV2 ¶
type OIDCConnectorSpecV2 struct { // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `json:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `json:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `json:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successful authentication // Should match the URL on Provider's side RedirectURL string `json:"redirect_url"` // ACR is an Authentication Context Class Reference value. The meaning of the ACR // value is context-specific and varies for identity providers. ACR string `json:"acr_values,omitempty"` // Provider is the external identity provider. Provider string `json:"provider,omitempty"` // Display - Friendly name for this provider. Display string `json:"display,omitempty"` // Scope is additional scopes set by provder Scope []string `json:"scope,omitempty"` // ClaimsToRoles specifies dynamic mapping from claims to roles ClaimsToRoles []ClaimMapping `json:"claims_to_roles,omitempty"` }
OIDCConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
type OIDCConnectorV1 ¶
type OIDCConnectorV1 struct { // ID is a provider id, 'e.g.' google, used internally ID string `json:"id"` // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `json:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `json:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `json:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successful authentication // Should match the URL on Provider's side RedirectURL string `json:"redirect_url"` // Display - Friendly name for this provider. Display string `json:"display"` // Scope is additional scopes set by provder Scope []string `json:"scope"` // ClaimsToRoles specifies dynamic mapping from claims to roles ClaimsToRoles []ClaimMapping `json:"claims_to_roles"` }
OIDCConnectorV1 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnectorV1) V1 ¶
func (o *OIDCConnectorV1) V1() *OIDCConnectorV1
V1 returns V1 version of the resource
func (*OIDCConnectorV1) V2 ¶
func (o *OIDCConnectorV1) V2() *OIDCConnectorV2
V2 returns V2 version of the connector
type OIDCConnectorV2 ¶
type OIDCConnectorV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains connector specification Spec OIDCConnectorSpecV2 `json:"spec"` }
OIDCConnectorV2 is version 1 resource spec for OIDC connector
func (*OIDCConnectorV2) Check ¶
func (o *OIDCConnectorV2) Check() error
Check returns nil if all parameters are great, err otherwise
func (*OIDCConnectorV2) CheckAndSetDefaults ¶
func (o *OIDCConnectorV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and set default values for any missing fields.
func (*OIDCConnectorV2) Expiry ¶
func (o *OIDCConnectorV2) Expiry() time.Time
Expires returns object expiry setting
func (*OIDCConnectorV2) GetACR ¶
func (o *OIDCConnectorV2) GetACR() string
GetACR returns the Authentication Context Class Reference (ACR) value.
func (*OIDCConnectorV2) GetClaims ¶
func (o *OIDCConnectorV2) GetClaims() []string
GetClaims returns list of claims expected by mappings
func (*OIDCConnectorV2) GetClaimsToRoles ¶
func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping
ClaimsToRoles specifies dynamic mapping from claims to roles
func (*OIDCConnectorV2) GetClientID ¶
func (o *OIDCConnectorV2) GetClientID() string
ClientID is id for authentication client (in our case it's our Auth server)
func (*OIDCConnectorV2) GetClientSecret ¶
func (o *OIDCConnectorV2) GetClientSecret() string
ClientSecret is used to authenticate our client and should not be visible to end user
func (*OIDCConnectorV2) GetDisplay ¶
func (o *OIDCConnectorV2) GetDisplay() string
Display - Friendly name for this provider.
func (*OIDCConnectorV2) GetIssuerURL ¶
func (o *OIDCConnectorV2) GetIssuerURL() string
Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
func (*OIDCConnectorV2) GetMetadata ¶
func (o *OIDCConnectorV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*OIDCConnectorV2) GetName ¶
func (o *OIDCConnectorV2) GetName() string
GetName returns the name of the connector
func (*OIDCConnectorV2) GetProvider ¶
func (o *OIDCConnectorV2) GetProvider() string
GetProvider returns the identity provider.
func (*OIDCConnectorV2) GetRedirectURL ¶
func (o *OIDCConnectorV2) GetRedirectURL() string
RedirectURL - Identity provider will use this URL to redirect client's browser back to it after successful authentication Should match the URL on Provider's side
func (*OIDCConnectorV2) GetScope ¶
func (o *OIDCConnectorV2) GetScope() []string
Scope is additional scopes set by provder
func (*OIDCConnectorV2) MapClaims ¶
func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string
MapClaims maps claims to roles
func (*OIDCConnectorV2) SetACR ¶
func (o *OIDCConnectorV2) SetACR(acrValue string)
SetACR sets the Authentication Context Class Reference (ACR) value.
func (*OIDCConnectorV2) SetClaimsToRoles ¶
func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)
SetClaimsToRoles sets dynamic mapping from claims to roles
func (*OIDCConnectorV2) SetClientID ¶
func (o *OIDCConnectorV2) SetClientID(clintID string)
SetClientID sets id for authentication client (in our case it's our Auth server)
func (*OIDCConnectorV2) SetClientSecret ¶
func (o *OIDCConnectorV2) SetClientSecret(secret string)
SetClientSecret sets client secret to some value
func (*OIDCConnectorV2) SetDisplay ¶
func (o *OIDCConnectorV2) SetDisplay(display string)
SetDisplay sets friendly name for this provider.
func (*OIDCConnectorV2) SetExpiry ¶
func (o *OIDCConnectorV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*OIDCConnectorV2) SetIssuerURL ¶
func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)
SetIssuerURL sets client secret to some value
func (*OIDCConnectorV2) SetName ¶
func (o *OIDCConnectorV2) SetName(name string)
SetName sets client secret to some value
func (*OIDCConnectorV2) SetProvider ¶
func (o *OIDCConnectorV2) SetProvider(identityProvider string)
SetProvider sets the identity provider.
func (*OIDCConnectorV2) SetRedirectURL ¶
func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)
SetRedirectURL sets client secret to some value
func (*OIDCConnectorV2) SetScope ¶
func (o *OIDCConnectorV2) SetScope(scope []string)
SetScope sets additional scopes set by provider
func (*OIDCConnectorV2) SetTTL ¶
func (o *OIDCConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*OIDCConnectorV2) V1 ¶
func (o *OIDCConnectorV2) V1() *OIDCConnectorV1
V1 converts OIDCConnectorV2 to OIDCConnectorV1 format
func (*OIDCConnectorV2) V2 ¶
func (o *OIDCConnectorV2) V2() *OIDCConnectorV2
V2 returns V2 version of the resource
type Presence ¶
type Presence interface { // UpsertLocalClusterName upserts local domain UpsertLocalClusterName(name string) error // GetLocalClusterName upserts local domain GetLocalClusterName() (string, error) // GetNodes returns a list of registered servers. Schema validation can be // skipped to improve performance. GetNodes(namespace string, opts ...MarshalOption) ([]Server, error) // DeleteAllNodes deletes all nodes in a namespace. DeleteAllNodes(namespace string) error // UpsertNode registers node presence, permanently if TTL is 0 or for the // specified duration with second resolution if it's >= 1 second. UpsertNode(server Server) error // UpsertNodes bulk inserts nodes. UpsertNodes(namespace string, servers []Server) error // GetAuthServers returns a list of registered servers GetAuthServers() ([]Server, error) // UpsertAuthServer registers auth server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertAuthServer(server Server) error // UpsertProxy registers proxy server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(server Server) error // GetProxies returns a list of registered proxies GetProxies() ([]Server, error) // DeleteAllProxies deletes all proxies DeleteAllProxies() error // UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently UpsertReverseTunnel(tunnel ReverseTunnel) error // GetReverseTunnel returns reverse tunnel by name GetReverseTunnel(name string) (ReverseTunnel, error) // GetReverseTunnels returns a list of registered servers GetReverseTunnels() ([]ReverseTunnel, error) // DeleteReverseTunnel deletes reverse tunnel by it's domain name DeleteReverseTunnel(domainName string) error // DeleteAllReverseTunnels deletes all reverse tunnels DeleteAllReverseTunnels() error // GetNamespaces returns a list of namespaces GetNamespaces() ([]Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*Namespace, error) // DeleteAllNamespaces deletes all namespaces DeleteAllNamespaces() error // UpsertNamespace upserts namespace UpsertNamespace(Namespace) error // DeleteNamespace deletes namespace by name DeleteNamespace(name string) error // UpsertTrustedCluster creates or updates a TrustedCluster in the backend. UpsertTrustedCluster(TrustedCluster) (TrustedCluster, error) // GetTrustedCluster returns a single TrustedCluster by name. GetTrustedCluster(string) (TrustedCluster, error) // GetTrustedClusters returns all TrustedClusters in the backend. GetTrustedClusters() ([]TrustedCluster, error) // DeleteTrustedCluster removes a TrustedCluster from the backend by name. DeleteTrustedCluster(string) error // UpsertTunnelConnection upserts tunnel connection UpsertTunnelConnection(TunnelConnection) error // GetTunnelConnections returns tunnel connections for a given cluster GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]TunnelConnection, error) // GetAllTunnelConnections returns all tunnel connections GetAllTunnelConnections(opts ...MarshalOption) ([]TunnelConnection, error) // DeleteTunnelConnection deletes tunnel connection by name DeleteTunnelConnection(clusterName string, connName string) error // DeleteTunnelConnections deletes all tunnel connections for cluster DeleteTunnelConnections(clusterName string) error // DeleteAllTunnelConnections deletes all tunnel connections for cluster DeleteAllTunnelConnections() error // CreateRemoteCluster creates a remote cluster CreateRemoteCluster(RemoteCluster) error // GetRemoteClusters returns a list of remote clusters GetRemoteClusters(opts ...MarshalOption) ([]RemoteCluster, error) // GetRemoteCluster returns a remote cluster by name GetRemoteCluster(clusterName string) (RemoteCluster, error) // DeleteRemoteCluster deletes remote cluster by name DeleteRemoteCluster(clusterName string) error // DeleteAllRemoteClusters deletes all remote clusters DeleteAllRemoteClusters() error }
Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes
type ProvisionToken ¶
type ProvisionToken struct { Roles teleport.Roles `json:"roles"` Expires time.Time `json:"expires"` Token string `json:"token"` }
ProvisionToken stores metadata about some provisioning token
func (ProvisionToken) String ¶
func (p ProvisionToken) String() string
String returns the human readable representation of a provisioning token.
type Provisioner ¶
type Provisioner interface { // UpsertToken adds provisioning tokens for the auth server UpsertToken(token string, roles teleport.Roles, ttl time.Duration) error // GetToken finds and returns token by id GetToken(token string) (*ProvisionToken, error) // DeleteToken deletes provisioning token DeleteToken(token string) error // GetTokens returns all non-expired tokens GetTokens() ([]ProvisionToken, error) }
Provisioner governs adding new nodes to the cluster
type Ref ¶
Ref is a resource reference
type RemoteCluster ¶
type RemoteCluster interface { // Resource provides common resource properties Resource // GetConnectionStatus returns connection status GetConnectionStatus() string // SetConnectionStatus sets connection status SetConnectionStatus(string) // GetLastHeartbeat returns last heartbeat of the cluster GetLastHeartbeat() time.Time // SetLastHeartbeat sets last heartbeat of the cluster SetLastHeartbeat(t time.Time) // CheckAndSetDefaults checks and sets default values CheckAndSetDefaults() error }
RemoteCluster represents a remote cluster that has connected via reverse tunnel to this lcuster
func NewRemoteCluster ¶
func NewRemoteCluster(name string) (RemoteCluster, error)
NewRemoteCluster is a convenience wa to create a RemoteCluster resource.
func UnmarshalRemoteCluster ¶
func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (RemoteCluster, error)
UnmarshalRemoteCluster unmarshals remote cluster from JSON or YAML.
type RemoteClusterStatusV3 ¶
type RemoteClusterStatusV3 struct { // Connection represents connection status, online or offline Connection string `json:"connection"` // LastHeartbeat records last heartbeat of the cluster LastHeartbeat time.Time `json:"last_heartbeat"` }
RemoteClusterSpecV3 represents status of the remote cluster
type RemoteClusterV3 ¶
type RemoteClusterV3 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Sstatus is read only status of the remote cluster Status RemoteClusterStatusV3 `json:"status"` }
RemoteClusterV3 implements RemoteCluster.
func (*RemoteClusterV3) CheckAndSetDefaults ¶
func (c *RemoteClusterV3) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
func (*RemoteClusterV3) Expiry ¶
func (c *RemoteClusterV3) Expiry() time.Time
Expires returns object expiry setting
func (*RemoteClusterV3) GetConnectionStatus ¶
func (c *RemoteClusterV3) GetConnectionStatus() string
GetConnectionStatus returns connection status
func (*RemoteClusterV3) GetLastHeartbeat ¶
func (c *RemoteClusterV3) GetLastHeartbeat() time.Time
GetLastHeartbeat returns last heartbeat of the cluster
func (*RemoteClusterV3) GetMetadata ¶
func (c *RemoteClusterV3) GetMetadata() Metadata
GetMetadata returns object metadata
func (*RemoteClusterV3) GetName ¶
func (c *RemoteClusterV3) GetName() string
GetName returns the name of the RemoteCluster.
func (*RemoteClusterV3) SetConnectionStatus ¶
func (c *RemoteClusterV3) SetConnectionStatus(status string)
SetConnectionStatus sets connection status
func (*RemoteClusterV3) SetExpiry ¶
func (c *RemoteClusterV3) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*RemoteClusterV3) SetLastHeartbeat ¶
func (c *RemoteClusterV3) SetLastHeartbeat(t time.Time)
SetLastHeartbeat sets last heartbeat of the cluster
func (*RemoteClusterV3) SetName ¶
func (c *RemoteClusterV3) SetName(e string)
SetName sets the name of the RemoteCluster.
func (*RemoteClusterV3) SetTTL ¶
func (c *RemoteClusterV3) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*RemoteClusterV3) String ¶
func (r *RemoteClusterV3) String() string
String represents a human readable version of remote cluster settings.
type Resource ¶
type Resource interface { // GetName returns the name of the resource GetName() string // SetName sets the name of the resource SetName(string) // Expiry returns object expiry setting Expiry() time.Time // SetExpiry sets object expiry SetExpiry(time.Time) // SetTTL sets Expires header using current clock SetTTL(clock clockwork.Clock, ttl time.Duration) // GetMetadata returns object metadata GetMetadata() Metadata }
Resource represents common properties for resources
type ResourceHeader ¶
type ResourceHeader struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` }
ResorceHeader is a shared resource header
type ReverseTunnel ¶
type ReverseTunnel interface { // Resource provides common methods for resource objects Resource // GetClusterName returns name of the cluster GetClusterName() string // SetClusterName sets cluster name SetClusterName(name string) // GetDialAddrs returns list of dial addresses for this cluster GetDialAddrs() []string // Check checks tunnel for errors Check() error // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error }
ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved
func NewReverseTunnel ¶
func NewReverseTunnel(clusterName string, dialAddrs []string) ReverseTunnel
NewReverseTunnel returns new version of reverse tunnel
func UnmarshalReverseTunnel ¶
func UnmarshalReverseTunnel(data []byte) (ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema
type ReverseTunnelMarshaler ¶
type ReverseTunnelMarshaler interface { // UnmarshalReverseTunnel unmarshals reverse tunnel from binary representation UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error) // MarshalReverseTunnel marshals reverse tunnel to binary representation MarshalReverseTunnel(ReverseTunnel, ...MarshalOption) ([]byte, error) }
ReverseTunnelMarshaler implements marshal/unmarshal of reverse tunnel implementations
func GetReverseTunnelMarshaler ¶
func GetReverseTunnelMarshaler() ReverseTunnelMarshaler
type ReverseTunnelSpecV2 ¶
type ReverseTunnelSpecV2 struct { // ClusterName is a domain name of remote cluster we are connecting to ClusterName string `json:"cluster_name"` // DialAddrs is a list of remote address to establish a connection to // it's always SSH over TCP DialAddrs []string `json:"dial_addrs,omitempty"` }
ReverseTunnelSpecV2 is a specification for V2 reverse tunnel
type ReverseTunnelV1 ¶
type ReverseTunnelV1 struct { // DomainName is a domain name of remote cluster we are connecting to DomainName string `json:"domain_name"` // DialAddrs is a list of remote address to establish a connection to // it's always SSH over TCP DialAddrs []string `json:"dial_addrs"` }
ReverseTunnelV1 is V1 version of reverse tunnel
func (*ReverseTunnelV1) V1 ¶
func (r *ReverseTunnelV1) V1() *ReverseTunnelV1
V1 returns V1 version of the resource
func (*ReverseTunnelV1) V2 ¶
func (r *ReverseTunnelV1) V2() *ReverseTunnelV2
V2 returns V2 version of reverse tunnel
type ReverseTunnelV2 ¶
type ReverseTunnelV2 struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec ReverseTunnelSpecV2 `json:"spec"` }
ReverseTunnelV2 is version 1 resource spec of the reverse tunnel
func (*ReverseTunnelV2) Check ¶
func (r *ReverseTunnelV2) Check() error
Check returns nil if all parameters are good, error otherwise
func (*ReverseTunnelV2) CheckAndSetDefaults ¶
func (r *ReverseTunnelV2) CheckAndSetDefaults() error
func (*ReverseTunnelV2) Expiry ¶
func (r *ReverseTunnelV2) Expiry() time.Time
Expires returns object expiry setting
func (*ReverseTunnelV2) GetClusterName ¶
func (r *ReverseTunnelV2) GetClusterName() string
GetClusterName returns name of the cluster
func (*ReverseTunnelV2) GetDialAddrs ¶
func (r *ReverseTunnelV2) GetDialAddrs() []string
GetDialAddrs returns list of dial addresses for this cluster
func (*ReverseTunnelV2) GetMetadata ¶
func (r *ReverseTunnelV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*ReverseTunnelV2) GetName ¶
func (r *ReverseTunnelV2) GetName() string
GetName returns the name of the User
func (*ReverseTunnelV2) SetClusterName ¶
func (r *ReverseTunnelV2) SetClusterName(name string)
SetClusterName sets name of a cluster
func (*ReverseTunnelV2) SetExpiry ¶
func (r *ReverseTunnelV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*ReverseTunnelV2) SetName ¶
func (r *ReverseTunnelV2) SetName(e string)
SetName sets the name of the User
func (*ReverseTunnelV2) SetTTL ¶
func (r *ReverseTunnelV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*ReverseTunnelV2) V1 ¶
func (r *ReverseTunnelV2) V1() *ReverseTunnelV1
V1 returns V1 version of the resource
func (*ReverseTunnelV2) V2 ¶
func (r *ReverseTunnelV2) V2() *ReverseTunnelV2
V2 returns V2 version of the resource
type Role ¶
type Role interface { // Resource provides common resource methods. Resource // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error // Equals returns true if the roles are equal. Roles are equal if options and // conditions match. Equals(other Role) bool // ApplyTraits applies the passed in traits to any variables within the role // and returns itself. ApplyTraits(map[string][]string) Role // GetRawObject returns the raw object stored in the backend without any // conversions applied, used in migrations. GetRawObject() interface{} // GetOptions gets role options. GetOptions() RoleOptions // SetOptions sets role options SetOptions(opt RoleOptions) // GetLogins gets *nix system logins for allow or deny condition. GetLogins(RoleConditionType) []string // SetLogins sets *nix system logins for allow or deny condition. SetLogins(RoleConditionType, []string) // GetNamespaces gets a list of namespaces this role is allowed or denied access to. GetNamespaces(RoleConditionType) []string // GetNamespaces sets a list of namespaces this role is allowed or denied access to. SetNamespaces(RoleConditionType, []string) // GetNodeLabels gets the map of node labels this role is allowed or denied access to. GetNodeLabels(RoleConditionType) Labels // SetNodeLabels sets the map of node labels this role is allowed or denied access to. SetNodeLabels(RoleConditionType, Labels) // GetRules gets all allow or deny rules. GetRules(rct RoleConditionType) []Rule // SetRules sets an allow or deny rule. SetRules(rct RoleConditionType, rules []Rule) // GetKubeGroups returns kubernetes groups GetKubeGroups(RoleConditionType) []string // SetKubeGroups sets kubernetes groups for allow or deny condition. SetKubeGroups(RoleConditionType, []string) }
Role contains a set of permissions or settings
func ApplyTraits ¶
ApplyTraits applies the passed in traits to any variables within the role and returns itself.
func NewAdminRole ¶
func NewAdminRole() Role
NewAdminRole is the default admin role for all local users if another role is not explicitly assigned (Enterprise only).
func NewImplicitRole ¶
func NewImplicitRole() Role
NewImplicitRole is the default implicit role that gets added to all RoleSets.
func NewRole ¶
func NewRole(name string, spec RoleSpecV3) (Role, error)
NewRole constructs new standard role
func RoleForCertAuthority ¶
func RoleForCertAuthority(ca CertAuthority) Role
RoleForCertauthority creates role using services.CertAuthority.
func RoleForUser ¶
RoleForUser creates an admin role for a services.User.
type RoleConditionType ¶
type RoleConditionType bool
RoleConditionType specifies if it's an allow rule (true) or deny rule (false).
const ( // Allow is the set of conditions that allow access. Allow RoleConditionType = true // Deny is the set of conditions that prevent access. Deny RoleConditionType = false )
type RoleConditions ¶
type RoleConditions struct { // Logins is a list of *nix system logins. Logins []string `json:"logins,omitempty"` // Namespaces is a list of namespaces (used to partition a cluster). The // field should be called "namespaces" when it returns in Teleport 2.4. Namespaces []string `json:"-"` // NodeLabels is a map of node labels (used to dynamically grant access to nodes). NodeLabels Labels `json:"node_labels,omitempty"` // Rules is a list of rules and their access levels. Rules are a high level // construct used for access control. Rules []Rule `json:"rules,omitempty"` // KubeGroups is a list of kubernetes groups KubeGroups []string `json:"kubernetes_groups,omitempty"` }
RoleConditions is a set of conditions that must all match to be allowed or denied access.
func (*RoleConditions) Equals ¶
func (r *RoleConditions) Equals(o RoleConditions) bool
Equals returns true if the role conditions (logins, namespaces, labels, and rules) are equal and false if they are not.
type RoleGetter ¶
RoleGetter is an interface that defines GetRole method
type RoleMap ¶
type RoleMap []RoleMapping
RoleMap is a list of mappings
type RoleMapping ¶
type RoleMapping struct { // Remote specifies remote role name to map from Remote string `json:"remote"` // Local specifies local roles to map to Local []string `json:"local"` }
RoleMappping provides mapping of remote roles to local roles for trusted clusters
func (RoleMapping) Equals ¶
func (r RoleMapping) Equals(o RoleMapping) bool
Equals checks if the two role mappings are equal.
type RoleMarshaler ¶
type RoleMarshaler interface { // UnmarshalRole from binary representation UnmarshalRole(bytes []byte) (Role, error) // MarshalRole to binary representation MarshalRole(u Role, opts ...MarshalOption) ([]byte, error) }
RoleMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions
func GetRoleMarshaler ¶
func GetRoleMarshaler() RoleMarshaler
type RoleOptions ¶
type RoleOptions struct { // ForwardAgent is SSH agent forwarding. ForwardAgent Bool `json:"forward_agent"` // MaxSessionTTL defines how long a SSH session can last for. MaxSessionTTL Duration `json:"max_session_ttl"` // PortForwarding defines if the certificate will have "permit-port-forwarding" // in the certificate. PortForwarding is "yes" if not set, // that's why this is a pointer PortForwarding *Bool `json:"port_forwarding,omitempty"` // CertificateFormat defines the format of the user certificate to allow // compatibility with older versions of OpenSSH. CertificateFormat string `json:"cert_format"` // ClientIdleTimeout sets disconnect clients on idle timeout behavior, // if set to 0 means do not disconnect, otherwise is set to the idle // duration. ClientIdleTimeout Duration `json:"client_idle_timeout"` // DisconnectExpiredCert sets disconnect clients on expired certificates. DisconnectExpiredCert Bool `json:"disconnect_expired_cert"` }
RoleOptions is a set of role options
func (RoleOptions) Equals ¶
func (o RoleOptions) Equals(other RoleOptions) bool
Equals checks if all the key/values in the RoleOptions map match.
type RoleSet ¶
type RoleSet []Role
RoleSet is a set of roles that implements access control functionality
func FetchRoles ¶
FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet.
func FromSpec ¶
func FromSpec(name string, spec RoleSpecV3) (RoleSet, error)
FromSpec returns new RoleSet created from spec
func NewRoleSet ¶
NewRoleSet returns new RoleSet based on the roles
func (RoleSet) AdjustClientIdleTimeout ¶
AdjustClientIdleTimeout adjusts requested idle timeout to the lowest max allowed timeout, the most restrictive option will be picked, negative values will be assumed as 0
func (RoleSet) AdjustDisconnectExpiredCert ¶
AdjustDisconnectExpiredCert adjusts the value based on the role set the most restrictive option will be picked
func (RoleSet) AdjustSessionTTL ¶
AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL for this role set, otherwise it returns ttl unchanged
func (RoleSet) CanForwardAgents ¶
CanForwardAgents returns true if role set allows forwarding agents.
func (RoleSet) CanPortForward ¶
CanPortForward returns true if a role in the RoleSet allows port forwarding.
func (RoleSet) CertificateFormat ¶
CertificateFormat returns the most permissive certificate format in a RoleSet.
func (RoleSet) CheckAccessToRule ¶
func (RoleSet) CheckAccessToServer ¶
CheckAccessToServer checks if a role has access to a node. Deny rules are checked first then allow rules. Access to a node is determined by namespaces, labels, and logins.
Note, logging in this function only happens in debug mode, this is because adding logging to this function (which is called on every server returned by GetNodes) can slow down this function by 50x for large clusters!
func (RoleSet) CheckAgentForward ¶
CheckAgentForward checks if the role can request to forward the SSH agent for this user.
func (RoleSet) CheckKubeGroups ¶
CheckKubeGroups check if role can login into kubernetes and returns a combined list of allowed groups
func (RoleSet) CheckLoginDuration ¶
CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.
type RoleSpecV2 ¶
type RoleSpecV2 struct { // MaxSessionTTL is a maximum SSH or Web session TTL MaxSessionTTL Duration `json:"max_session_ttl" yaml:"max_session_ttl"` // Logins is a list of linux logins allowed for this role Logins []string `json:"logins,omitempty" yaml:"logins,omitempty"` // NodeLabels is a set of matching labels that users of this role // will be allowed to access NodeLabels map[string]string `json:"node_labels,omitempty" yaml:"node_labels,omitempty"` // Namespaces is a list of namespaces, guarding access to resources Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` // Resources limits access to resources Resources map[string][]string `json:"resources,omitempty" yaml:"resources,omitempty"` // ForwardAgent permits SSH agent forwarding if requested by the client ForwardAgent bool `json:"forward_agent" yaml:"forward_agent"` }
RoleSpecV2 is role specification for RoleV2
type RoleSpecV3 ¶
type RoleSpecV3 struct { // Options is for OpenSSH options like agent forwarding. Options RoleOptions `json:"options,omitempty"` // Allow is the set of conditions evaluated to grant access. Allow RoleConditions `json:"allow,omitempty"` // Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. Deny RoleConditions `json:"deny,omitempty"` }
RoleSpecV3 is role specification for RoleV3.
type RoleV2 ¶
type RoleV2 struct { // Kind is a resource kind - always resource Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains role specification Spec RoleSpecV2 `json:"spec"` }
RoleV2 represents role resource specification
func (*RoleV2) CanForwardAgent ¶
CanForwardAgent returns true if this role is allowed to request agent forwarding
func (*RoleV2) CheckAndSetDefaults ¶
Check checks validity of all parameters and sets defaults
func (*RoleV2) Equals ¶
Equals test roles for equality. Roles are considered equal if all resources, logins, namespaces, labels, and options match.
func (*RoleV2) GetMaxSessionTTL ¶
GetMaxSessionTTL is a maximum SSH or Web session TTL
func (*RoleV2) GetMetadata ¶
GetMetadata returns role metadata
func (*RoleV2) GetNamespaces ¶
GetNamespaces returns a list of namespaces this role has access to
func (*RoleV2) GetNodeLabels ¶
GetNodeLabels returns a list of matchign nodes this role has access to
func (*RoleV2) GetResources ¶
GetResources returns access to resources
func (*RoleV2) RemoveResource ¶
RemoveResource deletes resource entry
func (*RoleV2) SetForwardAgent ¶
SetForwardAgent sets forward agent property
func (*RoleV2) SetMaxSessionTTL ¶
SetMaxSessionTTL sets a maximum TTL for SSH or Web session
func (*RoleV2) SetNamespaces ¶
SetNamespaces sets a list of namespaces this role has access to
func (*RoleV2) SetNodeLabels ¶
SetNodeLabels sets node labels for role
func (*RoleV2) SetResource ¶
SetResource sets resource rule
type RoleV3 ¶
type RoleV3 struct { // Kind is the type of resource. Kind string `json:"kind"` // Version is the resource version. Version string `json:"version"` // Metadata is resource metadata. Metadata Metadata `json:"metadata"` // Spec contains resource specification. Spec RoleSpecV3 `json:"spec"` // contains filtered or unexported fields }
RoleV3 represents role resource specification
func UnmarshalRole ¶
UnmarshalRole unmarshals role from JSON, sets defaults, and checks schema.
func (*RoleV3) ApplyTraits ¶
ApplyTraits applies the passed in traits to any variables within the role and returns itself.
func (*RoleV3) CheckAndSetDefaults ¶
Check checks validity of all parameters and sets defaults
func (*RoleV3) Equals ¶
Equals returns true if the roles are equal. Roles are equal if options, namespaces, logins, labels, and conditions match.
func (*RoleV3) GetKubeGroups ¶
func (r *RoleV3) GetKubeGroups(rct RoleConditionType) []string
GetKubeGroups returns kubernetes groups
func (*RoleV3) GetLogins ¶
func (r *RoleV3) GetLogins(rct RoleConditionType) []string
GetLogins gets system logins for allow or deny condition.
func (*RoleV3) GetMetadata ¶
GetMetadata returns role metadata.
func (*RoleV3) GetNamespaces ¶
func (r *RoleV3) GetNamespaces(rct RoleConditionType) []string
GetNamespaces gets a list of namespaces this role is allowed or denied access to.
func (*RoleV3) GetNodeLabels ¶
func (r *RoleV3) GetNodeLabels(rct RoleConditionType) Labels
GetNodeLabels gets the map of node labels this role is allowed or denied access to.
func (*RoleV3) GetRawObject ¶
func (r *RoleV3) GetRawObject() interface{}
GetRawObject returns the raw object stored in the backend without any conversions applied, used in migrations.
func (*RoleV3) GetRules ¶
func (r *RoleV3) GetRules(rct RoleConditionType) []Rule
GetRules gets all allow or deny rules.
func (*RoleV3) SetKubeGroups ¶
func (r *RoleV3) SetKubeGroups(rct RoleConditionType, groups []string)
SetKubeGroups sets kubernetes groups for allow or deny condition.
func (*RoleV3) SetLogins ¶
func (r *RoleV3) SetLogins(rct RoleConditionType, logins []string)
SetLogins sets system logins for allow or deny condition.
func (*RoleV3) SetNamespaces ¶
func (r *RoleV3) SetNamespaces(rct RoleConditionType, namespaces []string)
GetNamespaces sets a list of namespaces this role is allowed or denied access to.
func (*RoleV3) SetNodeLabels ¶
func (r *RoleV3) SetNodeLabels(rct RoleConditionType, labels Labels)
SetNodeLabels sets the map of node labels this role is allowed or denied access to.
func (*RoleV3) SetOptions ¶
func (r *RoleV3) SetOptions(options RoleOptions)
SetOptions sets role options.
func (*RoleV3) SetRawObject ¶
func (r *RoleV3) SetRawObject(raw interface{})
SetRawObject sets raw object as it was stored in the database used for migrations and should not be modifed
func (*RoleV3) SetRules ¶
func (r *RoleV3) SetRules(rct RoleConditionType, in []Rule)
SetRules sets an allow or deny rule.
type Rotation ¶
type Rotation struct { // State could be one of "init" or "in_progress". State string `json:"state,omitempty"` // Phase is the current rotation phase. Phase string `json:"phase,omitempty"` // Mode sets manual or automatic rotation mode. Mode string `json:"mode,omitempty"` // CurrentID is the ID of the rotation operation // to differentiate between rotation attempts. CurrentID string `json:"current_id"` // Started is set to the time when rotation has been started // in case if the state of the rotation is "in_progress". Started time.Time `json:"started,omitempty"` // GracePeriod is a period during which old and new CA // are valid for checking purposes, but only new CA is issuing certificates. GracePeriod Duration `json:"grace_period,omitempty"` // LastRotated specifies the last time of the completed rotation. LastRotated time.Time `json:"last_rotated,omitempty"` // Schedule is a rotation schedule - used in // automatic mode to switch beetween phases. Schedule RotationSchedule `json:"schedule,omitempty"` }
Rotation is a status of the rotation of the certificate authority
func (*Rotation) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default rotation parameters.
func (*Rotation) LastRotatedDescription ¶
LastRotatedDescription returns human friendly description.
func (*Rotation) Matches ¶
Matches returns true if this state rotation matches external rotation state, phase and rotation ID should match, notice that matches does not behave like Equals because it does not require all fields to be the same.
func (*Rotation) PhaseDescription ¶
PhaseDescription returns human friendly description of a current rotation phase.
type RotationSchedule ¶
type RotationSchedule struct { // UpdateClients specifies time to switch to the "Update clients" phase UpdateClients time.Time `json:"update_clients,omitempty"` // UpdateServers specifies time to switch to the "Update servers" phase. UpdateServers time.Time `json:"update_servers,omitempty"` // Standby specifies time to switch to the "Standby" phase. Standby time.Time `json:"standby,omitempty"` }
RotationSchedule is a rotation schedule setting time switches for different phases.
func GenerateSchedule ¶
GenerateSchedule generates schedule based on the time period, using even time periods between rotation phases.
func (*RotationSchedule) CheckAndSetDefaults ¶
func (s *RotationSchedule) CheckAndSetDefaults(clock clockwork.Clock) error
CheckAndSetDefaults checks and sets default values of the rotation schedule.
type Rule ¶
type Rule struct { // Resources is a list of resources Resources []string `json:"resources"` // Verbs is a list of verbs Verbs []string `json:"verbs"` // Where specifies optional advanced matcher Where string `json:"where,omitempty"` // Actions specifies optional actions taken when this rule matches Actions []string `json:"actions,omitempty"` }
Rule represents allow or deny rule that is executed to check if user or service have access to resource
func CopyRulesSlice ¶
CopyRulesSlice copies input slice of Rules and returns the copy
func (*Rule) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets defaults for this rule
func (*Rule) IsMoreSpecificThan ¶
IsMoreSpecificThan returns true if the rule is more specific than the other.
* nRule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.
func (*Rule) MatchesWhere ¶
MatchesWhere returns true if Where rule matches Empty Where block always matches
type RuleContext ¶
type RuleContext interface { // GetIdentifier returns identifier defined in a context GetIdentifier(fields []string) (interface{}, error) // String returns human friendly representation of a context String() string // GetResource returns resource if specified in the context, // if unpecified, returns error. GetResource() (Resource, error) }
RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user
type RuleSet ¶
RuleSet maps resource to a set of rules defined for it
func MakeRuleSet ¶
MakeRuleSet converts slice of rules to the set of rules
func (RuleSet) Match ¶
func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)
MatchRule tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.
Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.
type SAMLAuthRequest ¶
type SAMLAuthRequest struct { // ID is a unique request ID ID string `json:"id"` // ConnectorID is ID of OIDC connector this request uses ConnectorID string `json:"connector_id"` // Type is opaque string that helps callbacks identify the request type Type string `json:"type"` // CheckUser tells validator if it should expect and check user CheckUser bool `json:"check_user"` // RedirectURL will be used by browser RedirectURL string `json:"redirect_url"` // PublicKey is an optional public key, users want these // keys to be signed by auth servers user CA in case // of successful auth PublicKey []byte `json:"public_key"` // CertTTL is the TTL of the certificate user wants to get CertTTL time.Duration `json:"cert_ttl"` // CSRFToken is associated with user web session token CSRFToken string `json:"csrf_token"` // CreateWebSession indicates if user wants to generate a web // session after successful authentication CreateWebSession bool `json:"create_web_session"` // ClientRedirectURL is a URL client wants to be redirected // after successful authentication ClientRedirectURL string `json:"client_redirect_url"` // Compatibility specifies OpenSSH compatibility flags. Compatibility string `json:"compatibility,omitempty"` }
SAMLAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server
func (*SAMLAuthRequest) Check ¶
func (i *SAMLAuthRequest) Check() error
Check returns nil if all parameters are great, err otherwise
type SAMLConnector ¶
type SAMLConnector interface { // Resource provides common methods for objects Resource // GetDisplay returns display - friendly name for this provider. GetDisplay() string // SetDisplay sets friendly name for this provider. SetDisplay(string) // GetAttributesToRoles returns attributes to roles mapping GetAttributesToRoles() []AttributeMapping // SetAttributesToRoles sets attributes to roles mapping SetAttributesToRoles(mapping []AttributeMapping) // GetAttributes returns list of attributes expected by mappings GetAttributes() []string // MapAttributes maps attributes to roles MapAttributes(assertionInfo saml2.AssertionInfo) []string // Check checks SAML connector for errors CheckAndSetDefaults() error // SetIssuer sets issuer SetIssuer(issuer string) // GetIssuer returns issuer GetIssuer() string // GetSigningKeyPair returns signing key pair GetSigningKeyPair() *SigningKeyPair // GetSigningKeyPair sets signing key pair SetSigningKeyPair(k *SigningKeyPair) // Equals returns true if the connectors are identical Equals(other SAMLConnector) bool // GetSSO returns SSO service GetSSO() string // SetSSO sets SSO service SetSSO(string) // GetEntityDescriptor returns XML entity descriptor of the service GetEntityDescriptor() string // SetEntityDescriptor sets entity descritor of the service SetEntityDescriptor(v string) // GetEntityDescriptorURL returns the URL to obtain the entity descriptor. GetEntityDescriptorURL() string // SetEntityDescriptorURL sets the entity descriptor url. SetEntityDescriptorURL(string) // GetCert returns identity provider checking x509 certificate GetCert() string // SetCert sets identity provider checking certificate SetCert(string) // GetServiceProviderIssuer returns service provider issuer GetServiceProviderIssuer() string // SetServiceProviderIssuer sets service provider issuer SetServiceProviderIssuer(v string) // GetAudience returns audience GetAudience() string // SetAudience sets audience SetAudience(v string) // GetServiceProvider initialises service provider spec from settings GetServiceProvider(clock clockwork.Clock) (*saml2.SAMLServiceProvider, error) // GetAssertionConsumerService returns assertion consumer service URL GetAssertionConsumerService() string // SetAssertionConsumerService sets assertion consumer service URL SetAssertionConsumerService(v string) // GetProvider returns the identity provider. GetProvider() string // SetProvider sets the identity provider. SetProvider(string) }
SAMLConnector specifies configuration for SAML 2.0 dentity providers
func NewSAMLConnector ¶
func NewSAMLConnector(name string, spec SAMLConnectorSpecV2) SAMLConnector
NewSAMLConnector returns a new SAMLConnector based off a name and SAMLConnectorSpecV2.
type SAMLConnectorMarshaler ¶
type SAMLConnectorMarshaler interface { // UnmarshalSAMLConnector unmarshals connector from binary representation UnmarshalSAMLConnector(bytes []byte) (SAMLConnector, error) // MarshalSAMLConnector marshals connector to binary representation MarshalSAMLConnector(c SAMLConnector, opts ...MarshalOption) ([]byte, error) }
SAMLConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetSAMLConnectorMarshaler ¶
func GetSAMLConnectorMarshaler() SAMLConnectorMarshaler
GetSAMLConnectorMarshaler returns currently set user marshaler
type SAMLConnectorSpecV2 ¶
type SAMLConnectorSpecV2 struct { // Issuer is identity provider issuer Issuer string `json:"issuer"` // SSO is URL of the identity provider SSO service SSO string `json:"sso"` // Cert is identity provider certificate PEM // IDP signs <Response> responses using this certificate Cert string `json:"cert"` // Display controls how this connector is displayed Display string `json:"display"` // AssertionConsumerService is a URL for assertion consumer service // on the service provider (Teleport's side) AssertionConsumerService string `json:"acs"` // Audience uniquely identifies our service provider Audience string `json:"audience"` // SertviceProviderIssuer is the issuer of the service provider (Teleport) ServiceProviderIssuer string `json:"service_provider_issuer"` // EntityDescriptor is XML with descriptor, can be used to supply configuration // parameters in one XML files vs supplying them in the individual elelemtns EntityDescriptor string `json:"entity_descriptor"` // EntityDescriptor points to a URL that supplies a configuration XML. EntityDescriptorURL string `json:"entity_descriptor_url"` // AttriburesToRoles is a list of mappings of attribute statements to roles AttributesToRoles []AttributeMapping `json:"attributes_to_roles"` // SigningKeyPair is x509 key pair used to sign AuthnRequest SigningKeyPair *SigningKeyPair `json:"signing_key_pair,omitempty"` // Provider is the external identity provider. Provider string `json:"provider,omitempty"` }
SAMLConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation
type SAMLConnectorV2 ¶
type SAMLConnectorV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains connector specification Spec SAMLConnectorSpecV2 `json:"spec"` }
SAMLConnectorV2 is version 1 resource spec for SAML connector
func (*SAMLConnectorV2) CheckAndSetDefaults ¶
func (o *SAMLConnectorV2) CheckAndSetDefaults() error
func (*SAMLConnectorV2) Equals ¶
func (o *SAMLConnectorV2) Equals(other SAMLConnector) bool
Equals returns true if the connectors are identical
func (*SAMLConnectorV2) Expiry ¶
func (o *SAMLConnectorV2) Expiry() time.Time
Expires returns object expiry setting
func (*SAMLConnectorV2) GetAssertionConsumerService ¶
func (o *SAMLConnectorV2) GetAssertionConsumerService() string
GetAssertionConsumerService returns assertion consumer service URL
func (*SAMLConnectorV2) GetAttributes ¶
func (o *SAMLConnectorV2) GetAttributes() []string
GetAttributes returns list of attributes expected by mappings
func (*SAMLConnectorV2) GetAttributesToRoles ¶
func (o *SAMLConnectorV2) GetAttributesToRoles() []AttributeMapping
GetAttributesToRoles returns attributes to roles mapping
func (*SAMLConnectorV2) GetAudience ¶
func (o *SAMLConnectorV2) GetAudience() string
GetAudience returns audience
func (*SAMLConnectorV2) GetCert ¶
func (o *SAMLConnectorV2) GetCert() string
GetCert returns identity provider checking x509 certificate
func (*SAMLConnectorV2) GetDisplay ¶
func (o *SAMLConnectorV2) GetDisplay() string
Display - Friendly name for this provider.
func (*SAMLConnectorV2) GetEntityDescriptor ¶
func (o *SAMLConnectorV2) GetEntityDescriptor() string
GetEntityDescriptor returns XML entity descriptor of the service
func (*SAMLConnectorV2) GetEntityDescriptorURL ¶
func (o *SAMLConnectorV2) GetEntityDescriptorURL() string
GetEntityDescriptorURL returns the URL to obtain the entity descriptor.
func (*SAMLConnectorV2) GetIssuer ¶
func (o *SAMLConnectorV2) GetIssuer() string
GetIssuer returns issuer
func (*SAMLConnectorV2) GetMetadata ¶
func (o *SAMLConnectorV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*SAMLConnectorV2) GetName ¶
func (o *SAMLConnectorV2) GetName() string
GetName returns the name of the connector
func (*SAMLConnectorV2) GetProvider ¶
func (o *SAMLConnectorV2) GetProvider() string
GetProvider returns the identity provider.
func (*SAMLConnectorV2) GetSSO ¶
func (o *SAMLConnectorV2) GetSSO() string
GetSSO returns SSO service
func (*SAMLConnectorV2) GetServiceProvider ¶
func (o *SAMLConnectorV2) GetServiceProvider(clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
GetServiceProvider initialises service provider spec from settings
func (*SAMLConnectorV2) GetServiceProviderIssuer ¶
func (o *SAMLConnectorV2) GetServiceProviderIssuer() string
GetServiceProviderIssuer returns service provider issuer
func (*SAMLConnectorV2) GetSigningKeyPair ¶
func (o *SAMLConnectorV2) GetSigningKeyPair() *SigningKeyPair
GetSigningKeyPair returns signing key pair
func (*SAMLConnectorV2) MapAttributes ¶
func (o *SAMLConnectorV2) MapAttributes(assertionInfo saml2.AssertionInfo) []string
MapClaims maps SAML attributes to roles
func (*SAMLConnectorV2) SetAssertionConsumerService ¶
func (o *SAMLConnectorV2) SetAssertionConsumerService(v string)
SetAssertionConsumerService sets assertion consumer service URL
func (*SAMLConnectorV2) SetAttributesToRoles ¶
func (o *SAMLConnectorV2) SetAttributesToRoles(mapping []AttributeMapping)
SetAttributesToRoles sets attributes to roles mapping
func (*SAMLConnectorV2) SetAudience ¶
func (o *SAMLConnectorV2) SetAudience(v string)
SetAudience sets audience
func (*SAMLConnectorV2) SetCert ¶
func (o *SAMLConnectorV2) SetCert(cert string)
SetCert sets identity provider checking certificate
func (*SAMLConnectorV2) SetDisplay ¶
func (o *SAMLConnectorV2) SetDisplay(display string)
SetDisplay sets friendly name for this provider.
func (*SAMLConnectorV2) SetEntityDescriptor ¶
func (o *SAMLConnectorV2) SetEntityDescriptor(v string)
SetEntityDescriptor sets entity descritor of the service
func (*SAMLConnectorV2) SetEntityDescriptorURL ¶
func (o *SAMLConnectorV2) SetEntityDescriptorURL(v string)
SetEntityDescriptorURL sets the entity descriptor url.
func (*SAMLConnectorV2) SetExpiry ¶
func (o *SAMLConnectorV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*SAMLConnectorV2) SetIssuer ¶
func (o *SAMLConnectorV2) SetIssuer(issuer string)
SetIssuer sets issuer
func (*SAMLConnectorV2) SetName ¶
func (o *SAMLConnectorV2) SetName(name string)
SetName sets client secret to some value
func (*SAMLConnectorV2) SetProvider ¶
func (o *SAMLConnectorV2) SetProvider(identityProvider string)
SetProvider sets the identity provider.
func (*SAMLConnectorV2) SetSSO ¶
func (o *SAMLConnectorV2) SetSSO(sso string)
SetSSO sets SSO service
func (*SAMLConnectorV2) SetServiceProviderIssuer ¶
func (o *SAMLConnectorV2) SetServiceProviderIssuer(v string)
SetServiceProviderIssuer sets service provider issuer
func (*SAMLConnectorV2) SetSigningKeyPair ¶
func (o *SAMLConnectorV2) SetSigningKeyPair(k *SigningKeyPair)
GetSigningKeyPair sets signing key pair
func (*SAMLConnectorV2) SetTTL ¶
func (o *SAMLConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*SAMLConnectorV2) V2 ¶
func (o *SAMLConnectorV2) V2() *SAMLConnectorV2
V2 returns V2 version of the resource
type Server ¶
type Server interface { // Resource provides common resource headers Resource // GetAddr return server address GetAddr() string // GetHostname returns server hostname GetHostname() string // GetNamespace returns server namespace GetNamespace() string // GetAllLabels returns server's static and dynamic label values merged together GetAllLabels() map[string]string // GetLabels returns server's static label key pairs GetLabels() map[string]string // GetCmdLabels returns command labels GetCmdLabels() map[string]CommandLabel // GetPublicAddr is an optional field that returns the public address this cluster can be reached at. GetPublicAddr() string // GetRotation gets the state of certificate authority rotation. GetRotation() Rotation // SetRotation sets the state of certificate authority rotation. SetRotation(Rotation) // String returns string representation of the server String() string // SetAddr sets server address SetAddr(addr string) // SetPublicAddr sets the public address this cluster can be reached at. SetPublicAddr(string) // SetNamespace sets server namespace SetNamespace(namespace string) // V1 returns V1 version for backwards compatibility V1() *ServerV1 // MatchAgainst takes a map of labels and returns True if this server // has ALL of them // // Any server matches against an empty label set MatchAgainst(labels map[string]string) bool // LabelsString returns a comma separated string with all node's labels LabelsString() string // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error }
Server represents a Node, Proxy or Auth server in a Teleport cluster
func UnmarshalServerResource ¶
func UnmarshalServerResource(data []byte, kind string, cfg *MarshalConfig) (Server, error)
UnmarshalServerResource unmarshals role from JSON or YAML, sets defaults and checks the schema
type ServerMarshaler ¶
type ServerMarshaler interface { // UnmarshalServer from binary representation. UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (Server, error) // MarshalServer to binary representation. MarshalServer(Server, ...MarshalOption) ([]byte, error) // UnmarshalServers is used to unmarshal multiple servers from their // binary representation. UnmarshalServers(bytes []byte) ([]Server, error) // MarshalServers is used to marshal multiple servers to their binary // representation. MarshalServers([]Server) ([]byte, error) }
ServerMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions
func GetServerMarshaler ¶
func GetServerMarshaler() ServerMarshaler
type ServerSpecV2 ¶
type ServerSpecV2 struct { // Addr is server host:port address Addr string `json:"addr"` // PublicAddr is the public address this cluster can be reached at. PublicAddr string `json:"public_addr,omitempty"` // Hostname is server hostname Hostname string `json:"hostname"` // CmdLabels is server dynamic labels CmdLabels map[string]CommandLabelV2 `json:"cmd_labels,omitempty"` // Rotation specifies server rotatoin status Rotation Rotation `json:"rotation,omitempty"` }
ServerSpecV2 is a specification for V2 Server
type ServerV1 ¶
type ServerV1 struct { Kind string `json:"kind"` ID string `json:"id"` Addr string `json:"addr"` Hostname string `json:"hostname"` Namespace string `json:"namespace"` Labels map[string]string `json:"labels"` CmdLabels map[string]CommandLabelV1 `json:"cmd_labels"` }
ServerV1 represents V1 spec of the server
func ServersToV1 ¶
ServersToV1 converts list of servers to slice of V1 style ones
type ServerV2 ¶
type ServerV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is User metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec ServerSpecV2 `json:"spec"` }
ServerV2 is version1 resource spec of the server
func (*ServerV2) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and set default values for any missing fields.
func (*ServerV2) GetAllLabels ¶
GetAllLabels returns the full key:value map of both static labels and "command labels"
func (*ServerV2) GetCmdLabels ¶
func (s *ServerV2) GetCmdLabels() map[string]CommandLabel
GetCmdLabels returns command labels
func (*ServerV2) GetHostname ¶
GetHostname returns server hostname
func (*ServerV2) GetMetadata ¶
GetMetadata returns metadata
func (*ServerV2) GetNamespace ¶
GetNamespace returns server namespace
func (*ServerV2) GetPublicAddr ¶
GetPublicAddr is an optional field that returns the public address this cluster can be reached at.
func (*ServerV2) GetRotation ¶
GetRotation gets the state of certificate authority rotation.
func (*ServerV2) LabelsString ¶
LabelsString returns a comma separated string with all node's labels
func (*ServerV2) MatchAgainst ¶
MatchAgainst takes a map of labels and returns True if this server has ALL of them
Any server matches against an empty label set
func (*ServerV2) SetNamespace ¶
SetNamespace sets server namespace
func (*ServerV2) SetPublicAddr ¶
SetPublicAddr sets the public address this cluster can be reached at.
func (*ServerV2) SetRotation ¶
SetRotation sets the state of certificate authority rotation.
type SigningKeyPair ¶
type SigningKeyPair struct { // PrivateKey is PEM encoded x509 private key PrivateKey string `json:"private_key"` // Cert is certificate in OpenSSH authorized keys format Cert string `json:"cert"` }
SigningKeyPair is a key pair used to sign SAML AuthnRequest
type SignupToken ¶
type SignupToken struct { Token string `json:"token"` User UserV1 `json:"user"` OTPKey string `json:"otp_key"` OTPQRCode []byte `json:"otp_qr_code"` Expires time.Time `json:"expires"` }
SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed
type Site ¶
type Site struct { Name string `json:"name"` LastConnected time.Time `json:"lastconnected"` Status string `json:"status"` }
Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.
The CA is represented by an auth server (or multiple auth servers, if running in HA mode)
type SortedLoginAttempts ¶
type SortedLoginAttempts []LoginAttempt
SortedLoginAttempts sorts login attempts by time
func (SortedLoginAttempts) Len ¶
func (s SortedLoginAttempts) Len() int
Len returns length of a role list
func (SortedLoginAttempts) Less ¶
func (s SortedLoginAttempts) Less(i, j int) bool
Less stacks latest attempts to the end of the list
func (SortedLoginAttempts) Swap ¶
func (s SortedLoginAttempts) Swap(i, j int)
Swap swaps two attempts
type SortedNamespaces ¶
type SortedNamespaces []Namespace
SortedNamespaces sorts namespaces
func (SortedNamespaces) Less ¶
func (s SortedNamespaces) Less(i, j int) bool
Less compares roles by name
func (SortedNamespaces) Swap ¶
func (s SortedNamespaces) Swap(i, j int)
Swap swaps two roles in a list
type SortedReverseTunnels ¶
type SortedReverseTunnels []ReverseTunnel
SortedReverseTunnels sorts reverse tunnels by cluster name
func (SortedReverseTunnels) Len ¶
func (s SortedReverseTunnels) Len() int
func (SortedReverseTunnels) Less ¶
func (s SortedReverseTunnels) Less(i, j int) bool
func (SortedReverseTunnels) Swap ¶
func (s SortedReverseTunnels) Swap(i, j int)
type SortedServers ¶
type SortedServers []Server
SortedServers is a sort wrapper that sorts servers by name
func (SortedServers) Len ¶
func (s SortedServers) Len() int
func (SortedServers) Less ¶
func (s SortedServers) Less(i, j int) bool
func (SortedServers) Swap ¶
func (s SortedServers) Swap(i, j int)
type SortedTrustedCluster ¶
type SortedTrustedCluster []TrustedCluster
SortedTrustedCluster sorts clusters by name
func (SortedTrustedCluster) Len ¶
func (s SortedTrustedCluster) Len() int
Len returns the length of a list.
func (SortedTrustedCluster) Less ¶
func (s SortedTrustedCluster) Less(i, j int) bool
Less compares items by name.
func (SortedTrustedCluster) Swap ¶
func (s SortedTrustedCluster) Swap(i, j int)
Swap swaps two items in a list.
type StaticTokens ¶
type StaticTokens interface { // Resource provides common resource properties. Resource // SetStaticTokens sets the list of static tokens used to provision nodes. SetStaticTokens([]ProvisionToken) // GetStaticTokens gets the list of static tokens used to provision nodes. GetStaticTokens() []ProvisionToken // CheckAndSetDefaults checks and set default values for missing fields. CheckAndSetDefaults() error }
StaticTokens define a list of static []ProvisionToken used to provision a node. StaticTokens is a configuration resource, never create more than one instance of it.
func DefaultStaticTokens ¶
func DefaultStaticTokens() StaticTokens
DefaultStaticTokens is used to get the default static tokens (empty list) when nothing is specified in file configuration.
func NewStaticTokens ¶
func NewStaticTokens(spec StaticTokensSpecV2) (StaticTokens, error)
NewStaticTokens is a convenience wrapper to create a StaticTokens resource.
type StaticTokensMarshaler ¶
type StaticTokensMarshaler interface { Marshal(c StaticTokens, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (StaticTokens, error) }
StaticTokensMarshaler implements marshal/unmarshal of StaticTokens implementations mostly adds support for extended versions.
func GetStaticTokensMarshaler ¶
func GetStaticTokensMarshaler() StaticTokensMarshaler
GetStaticTokensMarshaler gets the marshaler.
type StaticTokensSpecV2 ¶
type StaticTokensSpecV2 struct { // StaticTokens is a list of tokens that can be used to add nodes to the // cluster. StaticTokens []ProvisionToken `json:"static_tokens"` }
StaticTokensSpecV2 is the actual data we care about for StaticTokensSpecV2.
type StaticTokensV2 ¶
type StaticTokensV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec StaticTokensSpecV2 `json:"spec"` }
StaticTokensV2 implements the StaticTokens interface.
func (*StaticTokensV2) CheckAndSetDefaults ¶
func (c *StaticTokensV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks validity of all parameters and sets defaults.
func (*StaticTokensV2) Expiry ¶
func (c *StaticTokensV2) Expiry() time.Time
Expires returns object expiry setting
func (*StaticTokensV2) GetMetadata ¶
func (c *StaticTokensV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*StaticTokensV2) GetName ¶
func (c *StaticTokensV2) GetName() string
GetName returns the name of the StaticTokens resource.
func (*StaticTokensV2) GetStaticTokens ¶
func (c *StaticTokensV2) GetStaticTokens() []ProvisionToken
GetStaticTokens gets the list of static tokens used to provision nodes.
func (*StaticTokensV2) SetExpiry ¶
func (c *StaticTokensV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*StaticTokensV2) SetName ¶
func (c *StaticTokensV2) SetName(e string)
SetName sets the name of the StaticTokens resource.
func (*StaticTokensV2) SetStaticTokens ¶
func (c *StaticTokensV2) SetStaticTokens(s []ProvisionToken)
SetStaticTokens sets the list of static tokens used to provision nodes.
func (*StaticTokensV2) SetTTL ¶
func (c *StaticTokensV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*StaticTokensV2) String ¶
func (c *StaticTokensV2) String() string
String represents a human readable version of static provisioning tokens.
type TLSKeyPair ¶
type TLSKeyPair struct { // Cert is a PEM encoded TLS cert Cert []byte `json:"cert,omitempty"` // Key is a PEM encoded TLS key Key []byte `json:"key,omitempty"` }
TLSKeyPair is a TLS key pair
type TeamMapping ¶
type TeamMapping struct { // Organization is a Github organization a user belongs to Organization string `json:"organization"` // Team is a team within the organization a user belongs to Team string `json:"team"` // Logins is a list of allowed logins for this org/team Logins []string `json:"logins,omitempty"` // KubeGroups is a list of allowed kubernetes groups for this org/team KubeGroups []string `json:"kubernetes_groups,omitempty"` }
TeamMapping represents a single team membership mapping
type TeleportAuthPreferenceMarshaler ¶
type TeleportAuthPreferenceMarshaler struct{}
func (*TeleportAuthPreferenceMarshaler) Marshal ¶
func (t *TeleportAuthPreferenceMarshaler) Marshal(c AuthPreference, opts ...MarshalOption) ([]byte, error)
Marshal marshals role to JSON or YAML.
func (*TeleportAuthPreferenceMarshaler) Unmarshal ¶
func (t *TeleportAuthPreferenceMarshaler) Unmarshal(bytes []byte) (AuthPreference, error)
Unmarshal unmarshals role from JSON or YAML.
type TeleportCertAuthorityMarshaler ¶
type TeleportCertAuthorityMarshaler struct{}
func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)
GenerateCertAuthority is used to generate new cert authority based on standard teleport one and is used to add custom parameters and extend it in extensions of teleport
func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)
MarshalUser marshalls cert authority into JSON
func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority ¶
func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (CertAuthority, error)
UnmarshalUser unmarshals user from JSON
type TeleportClusterConfigMarshaler ¶
type TeleportClusterConfigMarshaler struct{}
TeleportClusterConfigMarshaler is used to marshal and unmarshal ClusterConfig.
func (*TeleportClusterConfigMarshaler) Marshal ¶
func (t *TeleportClusterConfigMarshaler) Marshal(c ClusterConfig, opts ...MarshalOption) ([]byte, error)
Marshal marshals ClusterConfig to JSON.
func (*TeleportClusterConfigMarshaler) Unmarshal ¶
func (t *TeleportClusterConfigMarshaler) Unmarshal(bytes []byte) (ClusterConfig, error)
Unmarshal unmarshals ClusterConfig from JSON.
type TeleportClusterNameMarshaler ¶
type TeleportClusterNameMarshaler struct{}
TeleportClusterNameMarshaler is used to marshal and unmarshal ClusterName.
func (*TeleportClusterNameMarshaler) Marshal ¶
func (t *TeleportClusterNameMarshaler) Marshal(c ClusterName, opts ...MarshalOption) ([]byte, error)
Marshal marshals ClusterName to JSON.
func (*TeleportClusterNameMarshaler) Unmarshal ¶
func (t *TeleportClusterNameMarshaler) Unmarshal(bytes []byte) (ClusterName, error)
Unmarshal unmarshals ClusterName from JSON.
type TeleportGithubConnectorMarshaler ¶
type TeleportGithubConnectorMarshaler struct{}
TeleportGithubConnectorMarshaler is the default Github connector marshaler
func (*TeleportGithubConnectorMarshaler) Marshal ¶
func (*TeleportGithubConnectorMarshaler) Marshal(c GithubConnector, opts ...MarshalOption) ([]byte, error)
MarshalGithubConnector marshals Github connector to JSON
func (*TeleportGithubConnectorMarshaler) Unmarshal ¶
func (*TeleportGithubConnectorMarshaler) Unmarshal(bytes []byte) (GithubConnector, error)
UnmarshalGithubConnector unmarshals Github connector from JSON
type TeleportOIDCConnectorMarshaler ¶
type TeleportOIDCConnectorMarshaler struct{}
func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector ¶
func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)
MarshalUser marshals OIDC connector into JSON
func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector ¶
func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector(bytes []byte) (OIDCConnector, error)
UnmarshalOIDCConnector unmarshals connector from
type TeleportRoleMarshaler ¶
type TeleportRoleMarshaler struct{}
func (*TeleportRoleMarshaler) MarshalRole ¶
func (*TeleportRoleMarshaler) MarshalRole(u Role, opts ...MarshalOption) ([]byte, error)
MarshalRole marshalls role into JSON.
func (*TeleportRoleMarshaler) UnmarshalRole ¶
func (*TeleportRoleMarshaler) UnmarshalRole(bytes []byte) (Role, error)
UnmarshalRole unmarshals role from JSON.
type TeleportSAMLConnectorMarshaler ¶
type TeleportSAMLConnectorMarshaler struct{}
func (*TeleportSAMLConnectorMarshaler) MarshalSAMLConnector ¶
func (*TeleportSAMLConnectorMarshaler) MarshalSAMLConnector(c SAMLConnector, opts ...MarshalOption) ([]byte, error)
MarshalUser marshals SAML connector into JSON
func (*TeleportSAMLConnectorMarshaler) UnmarshalSAMLConnector ¶
func (*TeleportSAMLConnectorMarshaler) UnmarshalSAMLConnector(bytes []byte) (SAMLConnector, error)
UnmarshalSAMLConnector unmarshals connector from
type TeleportServerMarshaler ¶
type TeleportServerMarshaler struct{}
func (*TeleportServerMarshaler) MarshalServer ¶
func (*TeleportServerMarshaler) MarshalServer(s Server, opts ...MarshalOption) ([]byte, error)
MarshalServer marshals server into JSON.
func (*TeleportServerMarshaler) MarshalServers ¶
func (*TeleportServerMarshaler) MarshalServers(s []Server) ([]byte, error)
MarshalServers is used to marshal multiple servers to their binary representation.
func (*TeleportServerMarshaler) UnmarshalServer ¶
func (*TeleportServerMarshaler) UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (Server, error)
UnmarshalServer unmarshals server from JSON
func (*TeleportServerMarshaler) UnmarshalServers ¶
func (*TeleportServerMarshaler) UnmarshalServers(bytes []byte) ([]Server, error)
UnmarshalServers is used to unmarshal multiple servers from their binary representation.
type TeleportStaticTokensMarshaler ¶
type TeleportStaticTokensMarshaler struct{}
TeleportStaticTokensMarshaler is used to marshal and unmarshal StaticTokens.
func (*TeleportStaticTokensMarshaler) Marshal ¶
func (t *TeleportStaticTokensMarshaler) Marshal(c StaticTokens, opts ...MarshalOption) ([]byte, error)
Marshal marshals StaticTokens to JSON.
func (*TeleportStaticTokensMarshaler) Unmarshal ¶
func (t *TeleportStaticTokensMarshaler) Unmarshal(bytes []byte) (StaticTokens, error)
Unmarshal unmarshals StaticTokens from JSON.
type TeleportTrustedClusterMarshaler ¶
type TeleportTrustedClusterMarshaler struct{}
func (*TeleportTrustedClusterMarshaler) Marshal ¶
func (t *TeleportTrustedClusterMarshaler) Marshal(c TrustedCluster, opts ...MarshalOption) ([]byte, error)
Marshal marshals role to JSON or YAML.
func (*TeleportTrustedClusterMarshaler) Unmarshal ¶
func (t *TeleportTrustedClusterMarshaler) Unmarshal(bytes []byte) (TrustedCluster, error)
Unmarshal unmarshals role from JSON or YAML.
type TeleportTunnelMarshaler ¶
type TeleportTunnelMarshaler struct{}
func (*TeleportTunnelMarshaler) MarshalReverseTunnel ¶
func (*TeleportTunnelMarshaler) MarshalReverseTunnel(rt ReverseTunnel, opts ...MarshalOption) ([]byte, error)
MarshalRole marshalls role into JSON
func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel ¶
func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel(bytes []byte) (ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML
type TeleportUserMarshaler ¶
type TeleportUserMarshaler struct{}
func (*TeleportUserMarshaler) GenerateUser ¶
func (*TeleportUserMarshaler) GenerateUser(in User) (User, error)
GenerateUser generates new user
func (*TeleportUserMarshaler) MarshalUser ¶
func (*TeleportUserMarshaler) MarshalUser(u User, opts ...MarshalOption) ([]byte, error)
MarshalUser marshalls user into JSON
func (*TeleportUserMarshaler) UnmarshalUser ¶
func (*TeleportUserMarshaler) UnmarshalUser(bytes []byte) (User, error)
UnmarshalUser unmarshals user from JSON
type TeleportWebSessionMarshaler ¶
type TeleportWebSessionMarshaler struct{}
func (*TeleportWebSessionMarshaler) ExtendWebSession ¶
func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)
ExtendWebSession renews web session and is used to inject additional data in extenstions when session is getting renewed
func (*TeleportWebSessionMarshaler) GenerateWebSession ¶
func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)
GenerateWebSession generates new web session and is used to inject additional data in extenstions
func (*TeleportWebSessionMarshaler) MarshalWebSession ¶
func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)
MarshalWebSession marshals web session into on-disk representation
func (*TeleportWebSessionMarshaler) UnmarshalWebSession ¶
func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)
UnmarshalWebSession unmarshals web session from on-disk byte format
type Trust ¶
type Trust interface { // CreateCertAuthority inserts a new certificate authority CreateCertAuthority(ca CertAuthority) error // UpsertCertAuthority updates or inserts a new certificate authority UpsertCertAuthority(ca CertAuthority) error // CompareAndSwapCertAuthority updates the cert authority value // if existing value matches existing parameter, // returns nil if succeeds, trace.CompareFailed otherwise CompareAndSwapCertAuthority(new, existing CertAuthority) error // DeleteCertAuthority deletes particular certificate authority DeleteCertAuthority(id CertAuthID) error // DeleteAllCertAuthorities deletes cert authorities of a certain type DeleteAllCertAuthorities(caType CertAuthType) error // GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys // controls if signing keys are loaded GetCertAuthority(id CertAuthID, loadSigningKeys bool, opts ...MarshalOption) (CertAuthority, error) // GetCertAuthorities returns a list of authorities of a given type // loadSigningKeys controls whether signing keys should be loaded or not GetCertAuthorities(caType CertAuthType, loadSigningKeys bool, opts ...MarshalOption) ([]CertAuthority, error) // ActivateCertAuthority moves a CertAuthority from the deactivated list to // the normal list. ActivateCertAuthority(id CertAuthID) error // DeactivateCertAuthority moves a CertAuthority from the normal list to // the deactivated list. DeactivateCertAuthority(id CertAuthID) error }
Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com
There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts
Remote authorities have only public keys available, so they can be only used to validate
type TrustedCluster ¶
type TrustedCluster interface { // Resource provides common resource properties Resource // GetEnabled returns the state of the TrustedCluster. GetEnabled() bool // SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster. SetEnabled(bool) // CombinedMapping is used to specify combined mapping from legacy property Roles // and new property RoleMap CombinedMapping() RoleMap // GetRoleMap returns role map property GetRoleMap() RoleMap // SetRoleMap sets role map SetRoleMap(m RoleMap) // GetRoles returns the roles for the certificate authority. GetRoles() []string // SetRoles sets the roles for the certificate authority. SetRoles([]string) // GetToken returns the authorization and authentication token. GetToken() string // SetToken sets the authorization and authentication. SetToken(string) // GetProxyAddress returns the address of the proxy server. GetProxyAddress() string // SetProxyAddress sets the address of the proxy server. SetProxyAddress(string) // GetReverseTunnelAddress returns the address of the reverse tunnel. GetReverseTunnelAddress() string // SetReverseTunnelAddress sets the address of the reverse tunnel. SetReverseTunnelAddress(string) // CheckAndSetDefaults checks and set default values for missing fields. CheckAndSetDefaults() error // CanChangeStateTo checks the TrustedCluster can transform into another. CanChangeStateTo(TrustedCluster) error }
TrustedCluster holds information needed for a cluster that can not be directly accessed (maybe be behind firewall without any open ports) to join a parent cluster.
func NewTrustedCluster ¶
func NewTrustedCluster(name string, spec TrustedClusterSpecV2) (TrustedCluster, error)
NewTrustedCluster is a convenience wa to create a TrustedCluster resource.
type TrustedClusterMarshaler ¶
type TrustedClusterMarshaler interface { Marshal(c TrustedCluster, opts ...MarshalOption) ([]byte, error) Unmarshal(bytes []byte) (TrustedCluster, error) }
TrustedClusterMarshaler implements marshal/unmarshal of TrustedCluster implementations mostly adds support for extended versions.
func GetTrustedClusterMarshaler ¶
func GetTrustedClusterMarshaler() TrustedClusterMarshaler
type TrustedClusterSpecV2 ¶
type TrustedClusterSpecV2 struct { // Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. // Setting Enabled to false has a side effect of deleting the user and host // certificate authority (CA). Enabled bool `json:"enabled"` // Roles is a list of roles that users will be assuming when connecting to this cluster. Roles []string `json:"roles,omitempty"` // Token is the authorization token provided by another cluster needed by // this cluster to join. Token string `json:"token"` // ProxyAddress is the address of the web proxy server of the cluster to join. If not set, // it is derived from <metadata.name>:<default web proxy server port>. ProxyAddress string `json:"web_proxy_addr"` // ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If // not set, it is derived from <metadata.name>:<default reverse tunnel port>. ReverseTunnelAddress string `json:"tunnel_addr"` // RoleMap specifies role mappings to remote roles RoleMap RoleMap `json:"role_map,omitempty"` }
TrustedClusterSpecV2 is the actual data we care about for TrustedClusterSpecV2.
type TrustedClusterV2 ¶
type TrustedClusterV2 struct { // Kind is a resource kind - always resource. Kind string `json:"kind"` // Version is a resource version. Version string `json:"version"` // Metadata is metadata about the resource. Metadata Metadata `json:"metadata"` // Spec is the specification of the resource. Spec TrustedClusterSpecV2 `json:"spec"` }
TrustedClusterV2 implements TrustedCluster.
func (*TrustedClusterV2) CanChangeStateTo ¶
func (c *TrustedClusterV2) CanChangeStateTo(t TrustedCluster) error
CanChangeState checks if the state change is allowed or not. If not, returns an error explaining the reason.
func (*TrustedClusterV2) CheckAndSetDefaults ¶
func (c *TrustedClusterV2) CheckAndSetDefaults() error
Check checks validity of all parameters and sets defaults
func (*TrustedClusterV2) CombinedMapping ¶
func (c *TrustedClusterV2) CombinedMapping() RoleMap
CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap
func (*TrustedClusterV2) Expiry ¶
func (c *TrustedClusterV2) Expiry() time.Time
Expires returns object expiry setting
func (*TrustedClusterV2) GetEnabled ¶
func (c *TrustedClusterV2) GetEnabled() bool
GetEnabled returns the state of the TrustedCluster.
func (*TrustedClusterV2) GetMetadata ¶
func (c *TrustedClusterV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*TrustedClusterV2) GetName ¶
func (c *TrustedClusterV2) GetName() string
GetName returns the name of the TrustedCluster.
func (*TrustedClusterV2) GetProxyAddress ¶
func (c *TrustedClusterV2) GetProxyAddress() string
GetProxyAddress returns the address of the proxy server.
func (*TrustedClusterV2) GetReverseTunnelAddress ¶
func (c *TrustedClusterV2) GetReverseTunnelAddress() string
GetReverseTunnelAddress returns the address of the reverse tunnel.
func (*TrustedClusterV2) GetRoleMap ¶
func (c *TrustedClusterV2) GetRoleMap() RoleMap
GetRoleMap returns role map property
func (*TrustedClusterV2) GetRoles ¶
func (c *TrustedClusterV2) GetRoles() []string
GetRoles returns the roles for the certificate authority.
func (*TrustedClusterV2) GetToken ¶
func (c *TrustedClusterV2) GetToken() string
GetToken returns the authorization and authentication token.
func (*TrustedClusterV2) SetEnabled ¶
func (c *TrustedClusterV2) SetEnabled(e bool)
SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster.
func (*TrustedClusterV2) SetExpiry ¶
func (c *TrustedClusterV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*TrustedClusterV2) SetName ¶
func (c *TrustedClusterV2) SetName(e string)
SetName sets the name of the TrustedCluster.
func (*TrustedClusterV2) SetProxyAddress ¶
func (c *TrustedClusterV2) SetProxyAddress(e string)
SetProxyAddress sets the address of the proxy server.
func (*TrustedClusterV2) SetReverseTunnelAddress ¶
func (c *TrustedClusterV2) SetReverseTunnelAddress(e string)
SetReverseTunnelAddress sets the address of the reverse tunnel.
func (*TrustedClusterV2) SetRoleMap ¶
func (c *TrustedClusterV2) SetRoleMap(m RoleMap)
SetRoleMap sets role map
func (*TrustedClusterV2) SetRoles ¶
func (c *TrustedClusterV2) SetRoles(e []string)
SetRoles sets the roles for the certificate authority.
func (*TrustedClusterV2) SetTTL ¶
func (c *TrustedClusterV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*TrustedClusterV2) SetToken ¶
func (c *TrustedClusterV2) SetToken(e string)
SetToken sets the authorization and authentication.
func (*TrustedClusterV2) String ¶
func (c *TrustedClusterV2) String() string
String represents a human readable version of trusted cluster settings.
type TunnelConnection ¶
type TunnelConnection interface { // Resource provides common methods for resource objects Resource // GetClusterName returns name of the cluster // this connection is for GetClusterName() string // GetProxyName returns the proxy name this connection is established to GetProxyName() string // GetLastHeartbeat returns time of the last heartbeat received from // the tunnel over the connection GetLastHeartbeat() time.Time // SetLastHeartbeat sets last heartbeat time SetLastHeartbeat(time.Time) // Check checks tunnel for errors Check() error // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error // String returns user friendly representation of this connection String() string // Clone returns a copy of this tunnel connection Clone() TunnelConnection }
TunnelConnection is SSH reverse tunnel connection established to reverse tunnel proxy
func LatestTunnelConnection ¶
func LatestTunnelConnection(conns []TunnelConnection) (TunnelConnection, error)
LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error
func MustCreateTunnelConnection ¶
func MustCreateTunnelConnection(name string, spec TunnelConnectionSpecV2) TunnelConnection
MustCreateTunnelConnection returns new connection from V2 spec or panics if parameters are incorrect
func NewTunnelConnection ¶
func NewTunnelConnection(name string, spec TunnelConnectionSpecV2) (TunnelConnection, error)
NewTunnelConnection returns new connection from V2 spec
func UnmarshalTunnelConnection ¶
func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (TunnelConnection, error)
UnmarshalTunnelConnection unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema
type TunnelConnectionSpecV2 ¶
type TunnelConnectionSpecV2 struct { // ClusterName is a name of the cluster ClusterName string `json:"cluster_name"` // ProxyName is the name of the proxy server ProxyName string `json:"proxy_name"` // LastHeartbeat is a time of the last heartbeat LastHeartbeat time.Time `json:"last_heartbeat,omitempty"` }
TunnelConnectionSpecV2 is a specification for V2 tunnel connection
type TunnelConnectionV2 ¶
type TunnelConnectionV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec TunnelConnectionSpecV2 `json:"spec"` }
TunnelConnectionV2 is version 1 resource spec of the reverse tunnel
func (*TunnelConnectionV2) Check ¶
func (r *TunnelConnectionV2) Check() error
Check returns nil if all parameters are good, error otherwise
func (*TunnelConnectionV2) CheckAndSetDefaults ¶
func (r *TunnelConnectionV2) CheckAndSetDefaults() error
func (*TunnelConnectionV2) Clone ¶
func (r *TunnelConnectionV2) Clone() TunnelConnection
Clone returns a copy of this tunnel connection
func (*TunnelConnectionV2) Expiry ¶
func (r *TunnelConnectionV2) Expiry() time.Time
Expires returns object expiry setting
func (*TunnelConnectionV2) GetClusterName ¶
func (r *TunnelConnectionV2) GetClusterName() string
GetClusterName returns name of the cluster
func (*TunnelConnectionV2) GetLastHeartbeat ¶
func (r *TunnelConnectionV2) GetLastHeartbeat() time.Time
GetLastHeartbeat returns last heartbeat
func (*TunnelConnectionV2) GetMetadata ¶
func (r *TunnelConnectionV2) GetMetadata() Metadata
GetMetadata returns object metadata
func (*TunnelConnectionV2) GetName ¶
func (r *TunnelConnectionV2) GetName() string
GetName returns the name of the User
func (*TunnelConnectionV2) GetProxyName ¶
func (r *TunnelConnectionV2) GetProxyName() string
GetProxyName returns the name of the proxy
func (*TunnelConnectionV2) SetExpiry ¶
func (r *TunnelConnectionV2) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object
func (*TunnelConnectionV2) SetLastHeartbeat ¶
func (r *TunnelConnectionV2) SetLastHeartbeat(tm time.Time)
SetLastHeartbeat sets last heartbeat time
func (*TunnelConnectionV2) SetName ¶
func (r *TunnelConnectionV2) SetName(e string)
SetName sets the name of the User
func (*TunnelConnectionV2) SetTTL ¶
func (r *TunnelConnectionV2) SetTTL(clock clockwork.Clock, ttl time.Duration)
SetTTL sets Expires header using realtime clock
func (*TunnelConnectionV2) String ¶
func (r *TunnelConnectionV2) String() string
String returns user-friendly description of this connection
func (*TunnelConnectionV2) V2 ¶
func (r *TunnelConnectionV2) V2() *TunnelConnectionV2
V2 returns V2 version of the resource
type U2F ¶
type U2F struct { // AppID returns the application ID for universal second factor. AppID string `json:"app_id,omitempty"` // Facets returns the facets for universal second factor. Facets []string `json:"facets,omitempty"` }
U2F defines settings for U2F device.
type UnknownResource ¶
type UnknownResource struct { ResourceHeader // Raw is raw representation of the resource Raw []byte }
UnknownResource is used to detect resources
func (*UnknownResource) UnmarshalJSON ¶
func (u *UnknownResource) UnmarshalJSON(raw []byte) error
UnmarshalJSON unmarshals header and captures raw state
type User ¶
type User interface { // Resource provides common resource properties Resource // GetOIDCIdentities returns a list of connected OIDC identities GetOIDCIdentities() []ExternalIdentity // GetSAMLIdentities returns a list of connected SAML identities GetSAMLIdentities() []ExternalIdentity // GetGithubIdentities returns a list of connected Github identities GetGithubIdentities() []ExternalIdentity // GetRoles returns a list of roles assigned to user GetRoles() []string // String returns user String() string // Equals checks if user equals to another Equals(other User) bool // GetStatus return user login status GetStatus() LoginStatus // SetLocked sets login status to locked SetLocked(until time.Time, reason string) // SetRoles sets user roles SetRoles(roles []string) // AddRole adds role to the users' role list AddRole(name string) // GetCreatedBy returns information about user GetCreatedBy() CreatedBy // SetCreatedBy sets created by information SetCreatedBy(CreatedBy) // Check checks basic user parameters for errors Check() error // GetRawObject returns raw object data, used for migrations GetRawObject() interface{} // WebSessionInfo returns web session information about user WebSessionInfo(allowedLogins []string) interface{} // GetTraits gets the trait map for this user used to populate role variables. GetTraits() map[string][]string // GetTraits sets the trait map for this user used to populate role variables. SetTraits(map[string][]string) // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error }
User represents teleport embedded user or external user
type UserCertParams ¶
type UserCertParams struct { // PrivateCASigningKey is the private key of the CA that will sign the public key of the user PrivateCASigningKey []byte // PublicUserKey is the public key of the user PublicUserKey []byte // TTL defines how long a certificate is valid for TTL time.Duration // Username is teleport username Username string // AllowedLogins is a list of SSH principals AllowedLogins []string // PermitAgentForwarding permits agent forwarding for this cert PermitAgentForwarding bool // PermitPortForwarding permits port forwarding. PermitPortForwarding bool // Roles is a list of roles assigned to this user Roles []string // CertificateFormat is the format of the SSH certificate. CertificateFormat string }
UserCertParams defines OpenSSH user certificate parameters
type UserGetter ¶
UserGetter is responsible for getting users
type UserMarshaler ¶
type UserMarshaler interface { // UnmarshalUser from binary representation UnmarshalUser(bytes []byte) (User, error) // MarshalUser to binary representation MarshalUser(u User, opts ...MarshalOption) ([]byte, error) // GenerateUser generates new user based on standard teleport user // it gives external implementations to add more app-specific // data to the user GenerateUser(User) (User, error) }
UserMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetUserMarshaler ¶
func GetUserMarshaler() UserMarshaler
GetUserMarshaler returns currently set user marshaler
type UserRef ¶
type UserRef struct { // Name is name of the user Name string `json:"name"` }
UserRef holds references to user
type UserSpecV2 ¶
type UserSpecV2 struct { // OIDCIdentities lists associated OpenID Connect identities // that let user log in using externally verified identity OIDCIdentities []ExternalIdentity `json:"oidc_identities,omitempty"` // SAMLIdentities lists associated SAML identities // that let user log in using externally verified identity SAMLIdentities []ExternalIdentity `json:"saml_identities,omitempty"` // GithubIdentities list associated Github OAuth2 identities // that let user log in using externally verified identity GithubIdentities []ExternalIdentity `json:"github_identities,omitempty"` // Roles is a list of roles assigned to user Roles []string `json:"roles,omitempty"` // Traits are key/value pairs received from an identity provider (through // OIDC claims or SAML assertions) or from a system administrator for local // accounts. Traits are used to populate role variables. Traits map[string][]string `json:"traits,omitempty"` // Status is a login status of the user Status LoginStatus `json:"status"` // Expires if set sets TTL on the user Expires time.Time `json:"expires"` // CreatedBy holds information about agent or person created this usre CreatedBy CreatedBy `json:"created_by"` }
UserSpecV2 is a specification for V2 user
type UserV1 ¶
type UserV1 struct { // Name is a user name Name string `json:"name"` // AllowedLogins represents a list of OS users this teleport // user is allowed to login as AllowedLogins []string `json:"allowed_logins"` // KubeGroups represents a list of kubernetes groups // this teleport user is allowed to assume KubeGroups []string `json:"kubernetes_groups,omitempty"` // OIDCIdentities lists associated OpenID Connect identities // that let user log in using externally verified identity OIDCIdentities []ExternalIdentity `json:"oidc_identities"` // Status is a login status of the user Status LoginStatus `json:"status"` // Expires if set sets TTL on the user Expires time.Time `json:"expires"` // CreatedBy holds information about agent or person created this usre CreatedBy CreatedBy `json:"created_by"` // Roles is a list of roles Roles []string `json:"roles"` }
UserV1 is V1 version of the user
type UserV2 ¶
type UserV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is User metadata Metadata Metadata `json:"metadata"` // Spec contains user specification Spec UserSpecV2 `json:"spec"` // contains filtered or unexported fields }
UserV2 is version1 resource spec of the user
func (*UserV2) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and set default values for any missing fields.
func (*UserV2) Expiry ¶
Expiry returns expiry time for temporary users. Prefer expires from metadata, if it does not exist, fall back to expires in spec.
func (*UserV2) GetCreatedBy ¶
GetCreatedBy returns information about who created user
func (*UserV2) GetGithubIdentities ¶
func (u *UserV2) GetGithubIdentities() []ExternalIdentity
GetGithubIdentities returns a list of connected Github identities
func (*UserV2) GetMetadata ¶
GetMetadata returns object metadata
func (*UserV2) GetOIDCIdentities ¶
func (u *UserV2) GetOIDCIdentities() []ExternalIdentity
GetOIDCIdentities returns a list of connected OIDC identities
func (*UserV2) GetRawObject ¶
func (u *UserV2) GetRawObject() interface{}
GetObject returns raw object data, used for migrations
func (*UserV2) GetSAMLIdentities ¶
func (u *UserV2) GetSAMLIdentities() []ExternalIdentity
GetSAMLIdentities returns a list of connected SAML identities
func (*UserV2) GetStatus ¶
func (u *UserV2) GetStatus() LoginStatus
GetStatus returns login status of the user
func (*UserV2) GetTraits ¶
GetTraits gets the trait map for this user used to populate role variables.
func (*UserV2) SetCreatedBy ¶
SetCreatedBy sets created by information
func (*UserV2) SetTraits ¶
SetTraits sets the trait map for this user used to populate role variables.
func (*UserV2) WebSessionInfo ¶
WebSessionInfo returns web session information about user
type Users ¶
type Users []User
Users represents a slice of users, makes it sort compatible (sorts by username)
type WebSession ¶
type WebSession interface { GetMetadata() Metadata // GetShortName returns visible short name used in logging GetShortName() string // GetName returns session name GetName() string // GetUser returns the user this session is associated with GetUser() string // SetName sets session name SetName(string) // SetUser sets user associated with this session SetUser(string) // GetPub is returns public certificate signed by auth server GetPub() []byte // GetPriv returns private OpenSSH key used to auth with SSH nodes GetPriv() []byte // SetPriv sets private key SetPriv([]byte) // GetTLSCert returns PEM encoded TLS certificate associated with session GetTLSCert() []byte // BearerToken is a special bearer token used for additional // bearer authentication GetBearerToken() string // SetBearerTokenExpiryTime sets bearer token expiry time SetBearerTokenExpiryTime(time.Time) // SetExpiryTime sets session expiry time SetExpiryTime(time.Time) // GetBearerTokenExpiryTime - absolute time when token expires GetBearerTokenExpiryTime() time.Time // GetExpiryTime - absolute time when web session expires GetExpiryTime() time.Time // V1 returns V1 version of the resource V1() *WebSessionV1 // V2 returns V2 version of the resource V2() *WebSessionV2 // WithoutSecrets returns copy of the web session but without private keys WithoutSecrets() WebSession // CheckAndSetDefaults checks and set default values for any missing fields. CheckAndSetDefaults() error }
WebSession stores key and value used to authenticate with SSH notes on behalf of user
func NewWebSession ¶
func NewWebSession(name string, spec WebSessionSpecV2) WebSession
NewWebSession returns new instance of the web session based on the V2 spec
type WebSessionMarshaler ¶
type WebSessionMarshaler interface { // UnmarshalWebSession unmarhsals cert authority from binary representation UnmarshalWebSession(bytes []byte) (WebSession, error) // MarshalWebSession to binary representation MarshalWebSession(c WebSession, opts ...MarshalOption) ([]byte, error) // GenerateWebSession generates new web session and is used to // inject additional data in extenstions GenerateWebSession(WebSession) (WebSession, error) // ExtendWebSession extends web session and is used to // inject additional data in extenstions when session is getting renewed ExtendWebSession(WebSession) (WebSession, error) }
WebSessionMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions
func GetWebSessionMarshaler ¶
func GetWebSessionMarshaler() WebSessionMarshaler
GetWebSessionMarshaler returns currently set user marshaler
type WebSessionSpecV2 ¶
type WebSessionSpecV2 struct { // User is a user this web session belongs to User string `json:"user"` // Pub is a public certificate signed by auth server Pub []byte `json:"pub"` // Priv is a private OpenSSH key used to auth with SSH nodes Priv []byte `json:"priv,omitempty"` // TLSCert is a TLS certificate used to auth with auth server TLSCert []byte `json:"tls_cert,omitempty"` // BearerToken is a special bearer token used for additional // bearer authentication BearerToken string `json:"bearer_token"` // BearerTokenExpires - absolute time when token expires BearerTokenExpires time.Time `json:"bearer_token_expires"` // Expires - absolute time when session expires Expires time.Time `json:"expires"` }
WebSessionSpecV2 is a spec for V2 session
type WebSessionV1 ¶
type WebSessionV1 struct { // ID is session ID ID string `json:"id"` // User is a user this web session is associated with User string `json:"user"` // Pub is a public certificate signed by auth server Pub []byte `json:"pub"` // Priv is a private OpenSSH key used to auth with SSH nodes Priv []byte `json:"priv,omitempty"` // BearerToken is a special bearer token used for additional // bearer authentication BearerToken string `json:"bearer_token"` // Expires - absolute time when token expires Expires time.Time `json:"expires"` }
WebSession stores key and value used to authenticate with SSH nodes on behalf of user
func (*WebSessionV1) GetBearerToken ¶
func (ws *WebSessionV1) GetBearerToken() string
BearerToken is a special bearer token used for additional bearer authentication
func (*WebSessionV1) GetBearerTokenExpiryTime ¶
func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time
GetBearerRoken - absolute time when token expires
func (*WebSessionV1) GetExpiryTime ¶
func (ws *WebSessionV1) GetExpiryTime() time.Time
Expires - absolute time when token expires
func (*WebSessionV1) GetName ¶
func (ws *WebSessionV1) GetName() string
GetName returns session name
func (*WebSessionV1) GetPriv ¶
func (ws *WebSessionV1) GetPriv() []byte
GetPriv returns private OpenSSH key used to auth with SSH nodes
func (*WebSessionV1) GetPub ¶
func (ws *WebSessionV1) GetPub() []byte
GetPub is returns public certificate signed by auth server
func (*WebSessionV1) GetShortName ¶
func (ws *WebSessionV1) GetShortName() string
GetShortName returns visible short name used in logging
func (*WebSessionV1) GetUser ¶
func (ws *WebSessionV1) GetUser() string
GetUser returns the user this session is associated with
func (*WebSessionV1) SetBearerTokenExpiryTime ¶
func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)
SetBearerTokenExpiryTime sets session expiry time
func (*WebSessionV1) SetExpiryTime ¶
func (ws *WebSessionV1) SetExpiryTime(tm time.Time)
SetExpiryTime sets session expiry time
func (*WebSessionV1) SetName ¶
func (ws *WebSessionV1) SetName(name string)
SetName sets session name
func (*WebSessionV1) SetUser ¶
func (ws *WebSessionV1) SetUser(u string)
SetUser sets user associated with this session
func (*WebSessionV1) V1 ¶
func (s *WebSessionV1) V1() *WebSessionV1
V1 returns V1 version of the resource
func (*WebSessionV1) V2 ¶
func (s *WebSessionV1) V2() *WebSessionV2
V2 returns V2 version of the resource
func (*WebSessionV1) WithoutSecrets ¶
func (ws *WebSessionV1) WithoutSecrets() WebSession
WithoutSecrets returns copy of the web session but without private keys
type WebSessionV2 ¶
type WebSessionV2 struct { // Kind is a resource kind Kind string `json:"kind"` // Version is version Version string `json:"version"` // Metadata is connector metadata Metadata Metadata `json:"metadata"` // Spec contains cert authority specification Spec WebSessionSpecV2 `json:"spec"` }
WebSessionV2 is version 2 spec for session
func (*WebSessionV2) CheckAndSetDefaults ¶
func (ws *WebSessionV2) CheckAndSetDefaults() error
CheckAndSetDefaults checks and set default values for any missing fields.
func (*WebSessionV2) GetBearerToken ¶
func (ws *WebSessionV2) GetBearerToken() string
BearerToken is a special bearer token used for additional bearer authentication
func (*WebSessionV2) GetBearerTokenExpiryTime ¶
func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time
GetBearerTokenExpiryTime - absolute time when token expires
func (*WebSessionV2) GetExpiryTime ¶
func (ws *WebSessionV2) GetExpiryTime() time.Time
GetExpiryTime - absolute time when web session expires
func (*WebSessionV2) GetMetadata ¶
func (ws *WebSessionV2) GetMetadata() Metadata
GetMetadata returns metadata
func (*WebSessionV2) GetName ¶
func (ws *WebSessionV2) GetName() string
GetName returns session name
func (*WebSessionV2) GetPriv ¶
func (ws *WebSessionV2) GetPriv() []byte
GetPriv returns private OpenSSH key used to auth with SSH nodes
func (*WebSessionV2) GetPub ¶
func (ws *WebSessionV2) GetPub() []byte
GetPub is returns public certificate signed by auth server
func (*WebSessionV2) GetShortName ¶
func (ws *WebSessionV2) GetShortName() string
GetShortName returns visible short name used in logging
func (*WebSessionV2) GetTLSCert ¶
func (ws *WebSessionV2) GetTLSCert() []byte
GetTLSCert returns PEM encoded TLS certificate associated with session
func (*WebSessionV2) GetUser ¶
func (ws *WebSessionV2) GetUser() string
GetUser returns the user this session is associated with
func (*WebSessionV2) SetBearerTokenExpiryTime ¶
func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)
SetBearerTokenExpiryTime sets bearer token expiry time
func (*WebSessionV2) SetExpiryTime ¶
func (ws *WebSessionV2) SetExpiryTime(tm time.Time)
SetExpiryTime sets session expiry time
func (*WebSessionV2) SetName ¶
func (ws *WebSessionV2) SetName(name string)
SetName sets session name
func (*WebSessionV2) SetPriv ¶
func (ws *WebSessionV2) SetPriv(priv []byte)
SetPriv sets private key
func (*WebSessionV2) SetUser ¶
func (ws *WebSessionV2) SetUser(u string)
SetUser sets user associated with this session
func (*WebSessionV2) V1 ¶
func (ws *WebSessionV2) V1() *WebSessionV1
V1 returns V1 version of the object
func (*WebSessionV2) V2 ¶
func (ws *WebSessionV2) V2() *WebSessionV2
V2 returns V2 version of the resource
func (*WebSessionV2) WithoutSecrets ¶
func (ws *WebSessionV2) WithoutSecrets() WebSession
WithoutSecrets returns copy of the object but without secrets
Source Files ¶
- authentication.go
- authority.go
- clusterconfig.go
- clustername.go
- configuration.go
- doc.go
- github.go
- identity.go
- license.go
- namespace.go
- oidc.go
- parser.go
- presence.go
- provisioning.go
- remotecluster.go
- resource.go
- role.go
- saml.go
- server.go
- session.go
- statictokens.go
- trust.go
- trustedcluster.go
- tunnel.go
- tunnelconn.go
- user.go
Directories ¶
Path | Synopsis |
---|---|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd |