Documentation
¶
Index ¶
- Constants
- Variables
- func GetAWSAssumedRole(r *http.Request) string
- func IsReservedHeader(header string) bool
- func MakeAWSRequestMetadata(req *http.Request, awsEndpoint *endpoints.ResolvedEndpoint) *apievents.AWSRequestMetadata
- func MakeAppMetadata(app types.Application) *apievents.AppMetadata
- func SetTeleportAPIErrorHeader(rw http.ResponseWriter, err error)
- func WithAWSAssumedRole(r *http.Request, assumedRole string) *http.Request
- func WithSessionContext(r *http.Request, sessionCtx *SessionContext) *http.Request
- type Audit
- type AuditConfig
- type HeaderRewriter
- type SessionContext
Constants ¶
const ( // XForwardedSSL is a non-standard X-Forwarded-* header that is set to "on" or "off" depending on // whether SSL is enabled. XForwardedSSL = "X-Forwarded-Ssl" // TeleportAPIErrorHeader is Teleport-specific error header, optionally holding background error information. TeleportAPIErrorHeader = "X-Teleport-Api-Error" // TeleportAPIInfoHeader is Teleport-specific info header, optionally holding background information. TeleportAPIInfoHeader = "X-Teleport-Api-Info" // TeleportAWSAssumedRole indicates that the incoming requests are signed // with real AWS credentials of the specified assumed role by the AWS client. TeleportAWSAssumedRole = "X-Teleport-Aws-Assumed-Role" // TeleportAWSAssumedRoleAuthorization contains the original authorization // header for requests signed by assumed roles. TeleportAWSAssumedRoleAuthorization = "X-Teleport-Aws-Assumed-Role-Authorization" )
Variables ¶
var ReservedHeaders = append([]string{ teleport.AppJWTHeader, XForwardedSSL, TeleportAPIErrorHeader, TeleportAPIInfoHeader, TeleportAWSAssumedRole, TeleportAWSAssumedRoleAuthorization, }, reverseproxy.XHeaders..., )
ReservedHeaders is a list of headers injected by Teleport.
Functions ¶
func GetAWSAssumedRole ¶
GetAWSAssumedRole gets AWS assumed role from a request.
func IsReservedHeader ¶
IsReservedHeader returns true if the provided header is one of headers injected by Teleport.
func MakeAWSRequestMetadata ¶
func MakeAWSRequestMetadata(req *http.Request, awsEndpoint *endpoints.ResolvedEndpoint) *apievents.AWSRequestMetadata
MakeAWSRequestMetadata is a helper to build AWSRequestMetadata from the provided request and endpoint. If the aws endpoint is nil, returns an empty request metadata.
func MakeAppMetadata ¶
func MakeAppMetadata(app types.Application) *apievents.AppMetadata
MakeAppMetadata returns common server metadata for database session.
func SetTeleportAPIErrorHeader ¶
func SetTeleportAPIErrorHeader(rw http.ResponseWriter, err error)
SetTeleportAPIErrorHeader saves the provided error in X-Teleport-API-Error header of response.
func WithAWSAssumedRole ¶
WithAWSAssumedRole adds AWS assumed role to the context of the provided request.
func WithSessionContext ¶
func WithSessionContext(r *http.Request, sessionCtx *SessionContext) *http.Request
WithSessionContext adds session context to provided request.
Types ¶
type Audit ¶
type Audit interface {
// OnSessionStart is called when new app session starts.
OnSessionStart(ctx context.Context, serverID string, identity *tlsca.Identity, app types.Application) error
// OnSessionEnd is called when an app session ends.
OnSessionEnd(ctx context.Context, serverID string, identity *tlsca.Identity, app types.Application) error
// OnSessionChunk is called when a new session chunk is created.
OnSessionChunk(ctx context.Context, serverID, chunkID string, identity *tlsca.Identity, app types.Application) error
// OnRequest is called when an app request is sent during the session and a response is received.
OnRequest(ctx context.Context, sessionCtx *SessionContext, req *http.Request, status uint32, re *endpoints.ResolvedEndpoint) error
// OnDynamoDBRequest is called when app request for a DynamoDB API is sent and a response is received.
OnDynamoDBRequest(ctx context.Context, sessionCtx *SessionContext, req *http.Request, status uint32, re *endpoints.ResolvedEndpoint) error
// EmitEvent emits the provided audit event.
EmitEvent(ctx context.Context, event apievents.AuditEvent) error
}
Audit defines an interface for app access audit events logger.
func NewAudit ¶
func NewAudit(config AuditConfig) (Audit, error)
NewAudit returns a new instance of the audit events emitter.
type AuditConfig ¶
type AuditConfig struct {
// Emitter is used to emit audit events.
Emitter apievents.Emitter
// Recorder is used to record session events.
Recorder events.SessionPreparerRecorder
}
AuditConfig is the audit events emitter configuration.
type HeaderRewriter ¶
type HeaderRewriter struct {
// contains filtered or unexported fields
}
HeaderRewriter delegates to rewriters and then appends its own headers.
func NewHeaderRewriter ¶
func NewHeaderRewriter(delegates ...reverseproxy.Rewriter) *HeaderRewriter
NewHeaderRewriter will create a new header rewriter with a number of delegates. The delegates will be executed in the order supplied
func (*HeaderRewriter) Rewrite ¶
func (hr *HeaderRewriter) Rewrite(req *http.Request)
Rewrite will delegate to the supplied delegates' rewrite functions and then inject its own headers.
type SessionContext ¶
type SessionContext struct {
// Identity is the requested identity.
Identity *tlsca.Identity
// App is the requested identity.
App types.Application
// ChunkID is the session chunk's uuid.
ChunkID string
// Audit is used to emit audit events for the session.
Audit Audit
}
SessionContext contains common context parameters for an App session.
func GetSessionContext ¶
func GetSessionContext(r *http.Request) (*SessionContext, error)
GetSessionContext retrieves the session context from a request.
Source Files