webclient


Documentation

Overview

Package webclient provides a client for the Teleport Proxy API endpoints.

Index

Constants

// Auth provider types and the web API URL templates used to start an SSO
// login for each of them. The `:providerName` and `:redirect` tokens are
// placeholders in the URL template; presumably they are substituted with the
// connector name and the post-login redirect URL by the caller — confirm
// against the web handler that builds these links.
const (
	// WebConfigAuthProviderOIDCType is OIDC provider type
	WebConfigAuthProviderOIDCType = "oidc"
	// WebConfigAuthProviderOIDCURL is OIDC webapi endpoint.
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	// (Likely because the redirect URL can itself carry `&`-separated query
	// parameters and is parsed as the remainder of the query string; the
	// ordering is therefore part of the contract, not cosmetic.)
	WebConfigAuthProviderOIDCURL = "/v1/webapi/oidc/login/web?connector_id=:providerName&redirect_url=:redirect"

	// WebConfigAuthProviderSAMLType is SAML provider type
	WebConfigAuthProviderSAMLType = "saml"
	// WebConfigAuthProviderSAMLURL is SAML webapi endpoint.
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	WebConfigAuthProviderSAMLURL = "/v1/webapi/saml/sso?connector_id=:providerName&redirect_url=:redirect"

	// WebConfigAuthProviderGitHubType is GitHub provider type
	WebConfigAuthProviderGitHubType = "github"
	// WebConfigAuthProviderGitHubURL is GitHub webapi endpoint
	// redirect_url MUST be the last query param, see the comment in parseSSORequestParams for an explanation.
	WebConfigAuthProviderGitHubURL = "/v1/webapi/github/login/web?connector_id=:providerName&redirect_url=:redirect"
)

Variables

This section is empty.

Functions

func ParseHostPort

func ParseHostPort(addr string, opts ...ParseHostPortOpt) (host, port string, err error)

ParseHostPort parses host and port from the given address.

Types

type AuthenticationSettings

// AuthenticationSettings contains information about server authentication
// settings as reported by the proxy in a PingResponse. Clients use it to
// decide which login flow and second factor to offer the user.
type AuthenticationSettings struct {
	// Type is the type of authentication, can be either local or oidc.
	Type string `json:"type"`
	// SecondFactor is the type of second factor to use in authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
	// when various options are available.
	// It is empty if there is nothing to suggest.
	PreferredLocalMFA constants.SecondFactorType `json:"preferred_local_mfa,omitempty"`
	// AllowPasswordless is true if passwordless logins are allowed.
	AllowPasswordless bool `json:"allow_passwordless,omitempty"`
	// AllowHeadless is true if headless logins are allowed.
	AllowHeadless bool `json:"allow_headless,omitempty"`
	// Local contains settings for local authentication.
	Local *LocalSettings `json:"local,omitempty"`
	// Webauthn contains MFA settings for Web Authentication.
	Webauthn *Webauthn `json:"webauthn,omitempty"`
	// U2F contains the Universal Second Factor settings needed for authentication.
	U2F *U2FSettings `json:"u2f,omitempty"`
	// OIDC contains OIDC connector settings needed for authentication.
	OIDC *OIDCSettings `json:"oidc,omitempty"`
	// SAML contains SAML connector settings needed for authentication.
	SAML *SAMLSettings `json:"saml,omitempty"`
	// Github contains Github connector settings needed for authentication.
	Github *GithubSettings `json:"github,omitempty"`
	// PrivateKeyPolicy contains the cluster-wide private key policy.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"private_key_policy"`
	// PIVSlot specifies a specific PIV slot to use with hardware key support.
	PIVSlot keys.PIVSlot `json:"piv_slot"`
	// DeviceTrust holds cluster-wide device trust settings.
	DeviceTrust DeviceTrustSettings `json:"device_trust,omitempty"`
	// HasMessageOfTheDay is a flag indicating that the cluster has MOTD
	// banner text that must be retrieved, displayed and acknowledged by
	// the user.
	HasMessageOfTheDay bool `json:"has_motd"`
	// LoadAllCAs tells tsh to load CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool `json:"load_all_cas,omitempty"`
	// DefaultSessionTTL is the TTL requested for user certs if
	// a TTL is not otherwise specified.
	DefaultSessionTTL types.Duration `json:"default_session_ttl"`
}

AuthenticationSettings contains information about server authentication settings.

type Config

// Config specifies the information used when building requests with the
// webclient.
type Config struct {
	// Context is a context for creating webclient requests.
	Context context.Context
	// ProxyAddr specifies the teleport proxy address for requests.
	ProxyAddr string
	// Insecure turns off TLS certificate verification when enabled.
	// With verification off the proxy's identity is not authenticated, so
	// anything it returns (authentication settings, SSO URLs, public
	// addresses) could have been supplied by an on-path party; keep it
	// false outside of tests and local development setups.
	Insecure bool
	// Pool defines the set of root CAs to use when verifying server
	// certificates.
	Pool *x509.CertPool
	// ConnectorName is the name of the OIDC or SAML connector.
	ConnectorName string
	// ExtraHeaders is a map of extra HTTP headers to be included in
	// requests.
	ExtraHeaders map[string]string
	// Timeout is a timeout for requests.
	Timeout time.Duration
	// TraceProvider is used to retrieve a Tracer for creating spans.
	TraceProvider oteltrace.TracerProvider
}

Config specifies the information used when building requests with the webclient.

func (*Config) CheckAndSetDefaults

func (c *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks the configuration and sets defaults.

type DBProxySettings

// DBProxySettings contains database access specific proxy settings: the
// listen and advertised (public) addresses for each supported database
// protocol.
type DBProxySettings struct {
	// PostgresListenAddr is Postgres proxy listen address.
	PostgresListenAddr string `json:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is advertised to Postgres clients.
	PostgresPublicAddr string `json:"postgres_public_addr,omitempty"`
	// MySQLListenAddr is MySQL proxy listen address.
	MySQLListenAddr string `json:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is advertised to MySQL clients.
	MySQLPublicAddr string `json:"mysql_public_addr,omitempty"`
	// MongoListenAddr is Mongo proxy listen address.
	MongoListenAddr string `json:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is advertised to Mongo clients.
	MongoPublicAddr string `json:"mongo_public_addr,omitempty"`
}

DBProxySettings contains database access specific proxy settings.

type DeviceTrustSettings

// DeviceTrustSettings holds cluster-wide device trust settings that are
// liable to change client behavior.
type DeviceTrustSettings struct {
	// Disabled indicates device trust is turned off cluster-wide — inferred
	// from the field name; confirm against the server-side definition.
	Disabled bool `json:"disabled,omitempty"`
	// AutoEnroll indicates clients should attempt automatic device
	// enrollment — inferred from the field name; confirm against the
	// server-side definition.
	AutoEnroll bool `json:"auto_enroll,omitempty"`
}

DeviceTrustSettings holds cluster-wide device trust settings that are liable to change client behavior.

type FeatureLimits

// FeatureLimits defines limits for features. It is typically used with
// feature teasers when a feature is not enabled for the product type.
type FeatureLimits struct {
	// AccessListCreateLimit is the limit for the number of access lists
	// creatable when the feature is not enabled.
	AccessListCreateLimit int `json:"accessListCreateLimit"`
	// AccessMonitoringMaxReportRangeLimit defines the max number of days to
	// include in an access report if the feature is not enabled.
	AccessMonitoringMaxReportRangeLimit int `json:"accessMonitoringMaxReportRangeLimit"`
	// AccessRequestMonthlyRequestLimit is the usage-based limit for the number of
	// access requests created in a calendar month.
	AccessRequestMonthlyRequestLimit int `json:"AccessRequestMonthlyRequestLimit"`
}

FeatureLimits defines limits for features. It is typically used with feature teasers when a feature is not enabled for the product type, e.g. the Team product contains teasers to upgrade to Enterprise.

type GithubSettings

// GithubSettings contains the Name and Display string for a Github
// connector.
type GithubSettings struct {
	// Name is the internal name of the connector.
	Name string `json:"name"`
	// Display is the connector display name.
	Display string `json:"display"`
}

GithubSettings contains the Name and Display string for Github connector.

type KubeProxySettings

// KubeProxySettings holds Kubernetes proxy settings.
type KubeProxySettings struct {
	// Enabled is true when the kubernetes proxy is enabled.
	Enabled bool `json:"enabled,omitempty"`
	// PublicAddr is the kubernetes proxy public address, if set.
	PublicAddr string `json:"public_addr,omitempty"`
	// ListenAddr is the address that the kubernetes proxy is listening for
	// connections on.
	ListenAddr string `json:"listen_addr,omitempty"`
}

KubeProxySettings holds Kubernetes proxy settings.

type LocalSettings

// LocalSettings holds settings for local authentication.
type LocalSettings struct {
	// Name is the name of the local connector.
	Name string `json:"name"`
}

LocalSettings holds settings for local authentication.

type MotD

// MotD holds data about the current message of the day.
type MotD struct {
	// Text is the message of the day banner text.
	Text string
}

MotD holds data about the current message of the day.

func GetMOTD

func GetMOTD(cfg *Config) (*MotD, error)

type OIDCSettings

// OIDCSettings contains the Name and Display string for an OIDC connector.
type OIDCSettings struct {
	// Name is the internal name of the connector.
	Name string `json:"name"`
	// Display is the display name for the connector.
	Display string `json:"display"`
}

OIDCSettings contains the Name and Display string for OIDC.

type ParseHostPortOpt

// ParseHostPortOpt adjusts the host and port produced by ParseHostPort
// before they are returned; see WithDefaultPort and WithOverridePort.
type ParseHostPortOpt func(host, port string) (hostR, portR string)

func WithDefaultPort

func WithDefaultPort(defaultPort int) ParseHostPortOpt

WithDefaultPort replaces the parsed port with the default port if it is empty.

func WithOverridePort

func WithOverridePort(overridePort int) ParseHostPortOpt

WithOverridePort replaces the parsed port with the override port.

type PingError

// PingError contains the string message from the PingErrorResponse.
type PingError struct {
	// Message is the error text returned by the server.
	Message string `json:"message"`
}

PingError contains the string message from the PingErrorResponse.

type PingErrorResponse

// PingErrorResponse contains the error message if the requested connector
// does not match one that has been registered.
type PingErrorResponse struct {
	// Error carries the server's error message.
	Error PingError `json:"error"`
}

PingErrorResponse contains the error message if the requested connector does not match one that has been registered.

type PingResponse

// PingResponse contains data about the Teleport server like supported
// authentication types, server version, etc. It is the decoded body
// returned by Ping and Find.
type PingResponse struct {
	// Auth contains the forms of authentication the auth server supports.
	Auth AuthenticationSettings `json:"auth"`
	// Proxy contains the proxy settings.
	Proxy ProxySettings `json:"proxy"`
	// ServerVersion is the version of Teleport that is running.
	ServerVersion string `json:"server_version"`
	// MinClientVersion is the minimum client version required by the server.
	MinClientVersion string `json:"min_client_version"`
	// ClusterName contains the name of the Teleport cluster.
	ClusterName string `json:"cluster_name"`

	// reserved: license_warnings ([]string)
	// AutomaticUpgrades describes whether agents should automatically upgrade.
	AutomaticUpgrades bool `json:"automatic_upgrades"`
}

PingResponse contains data about the Teleport server like supported authentication types, server version, etc.

func Find

func Find(cfg *Config) (*PingResponse, error)

Find fetches discovery data by connecting to the given web proxy address. It is designed to fetch proxy public addresses efficiently.

func Ping

func Ping(cfg *Config) (*PingResponse, error)

Ping serves two purposes. The first is to validate the HTTP endpoint of a Teleport proxy. This leads to better user experience: users get connection errors before being asked for passwords. The second is to return the form of authentication that the server supports. This also leads to better user experience: users only get prompted for the type of authentication the server supports.

type ProxySettings

// ProxySettings contains basic information about proxy settings.
type ProxySettings struct {
	// Kube is a kubernetes specific proxy section.
	Kube KubeProxySettings `json:"kube"`
	// SSH is SSH specific proxy settings.
	SSH SSHProxySettings `json:"ssh"`
	// DB contains database access specific proxy settings.
	DB DBProxySettings `json:"db"`
	// TLSRoutingEnabled indicates that proxy supports ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool `json:"tls_routing_enabled"`
	// AssistEnabled is true when Teleport Assist is enabled.
	AssistEnabled bool `json:"assist_enabled"`
}

ProxySettings contains basic information about proxy settings.

func (*ProxySettings) SSHProxyHostPort

func (ps *ProxySettings) SSHProxyHostPort() (host, port string, err error)

SSHProxyHostPort returns the ssh proxy host and port for the proxy settings.

func (*ProxySettings) TunnelAddr

func (ps *ProxySettings) TunnelAddr() (string, error)

type SAMLSettings

// SAMLSettings contains the Name and Display string for a SAML connector.
type SAMLSettings struct {
	// Name is the internal name of the connector.
	Name string `json:"name"`
	// Display is the display name for the connector.
	Display string `json:"display"`
}

SAMLSettings contains the Name and Display string for SAML.

type SSHProxySettings

// SSHProxySettings is SSH specific proxy settings: the listen addresses of
// the SSH proxy, reverse tunnel and web handler, and their public
// (advertised) counterparts.
type SSHProxySettings struct {
	// ListenAddr is the address that the SSH proxy is listening for
	// connections on.
	ListenAddr string `json:"listen_addr,omitempty"`

	// TunnelListenAddr is the address that the SSH reverse tunnel is
	// listening for connections on.
	TunnelListenAddr string `json:"tunnel_listen_addr,omitempty"`

	// WebListenAddr is the address where the proxy web handler is listening.
	WebListenAddr string `json:"web_listen_addr,omitempty"`

	// PublicAddr is the public address of the HTTP proxy.
	PublicAddr string `json:"public_addr,omitempty"`

	// SSHPublicAddr is the public address of the SSH proxy.
	SSHPublicAddr string `json:"ssh_public_addr,omitempty"`

	// TunnelPublicAddr is the public address of the SSH reverse tunnel.
	// Note the JSON key differs from the other public address fields.
	TunnelPublicAddr string `json:"ssh_tunnel_public_addr,omitempty"`
}

SSHProxySettings is SSH specific proxy settings.

type U2FSettings

// U2FSettings contains the AppID for Universal Second Factor.
type U2FSettings struct {
	// AppID is the U2F AppID.
	AppID string `json:"app_id"`
}

U2FSettings contains the AppID for Universal Second Factor.

type UIConfig

// UIConfig provides config options for the web UI served by the proxy
// service.
type UIConfig struct {
	// ScrollbackLines is the max number of lines the UI terminal can display in its history.
	ScrollbackLines int `json:"scrollbackLines,omitempty"`
	// ShowResources determines which resources are shown in the web UI. Default if unset is "requestable"
	// which means resources the user has access to and resources they can request will be shown in the
	// resources UI. If set to `accessible_only`, only resources the user already has access to will be shown.
	ShowResources constants.ShowResources `json:"showResources,omitempty"`
}

UIConfig provides config options for the web UI served by the proxy service.

type WebConfig

// WebConfig is web application configuration served by the backend to be
// used in frontend apps. Note that the JSON keys here are camelCase,
// unlike the snake_case keys used by PingResponse.
type WebConfig struct {
	// Auth contains Teleport auth. preferences.
	Auth WebConfigAuthSettings `json:"auth,omitempty"`
	// CanJoinSessions disables joining sessions.
	CanJoinSessions bool `json:"canJoinSessions"`
	// ProxyClusterName is the name of the local cluster.
	ProxyClusterName string `json:"proxyCluster,omitempty"`
	// IsCloud is a flag that determines if cloud features are enabled.
	IsCloud bool `json:"isCloud,omitempty"`
	// TunnelPublicAddress is the public ssh tunnel address.
	TunnelPublicAddress string `json:"tunnelPublicAddress,omitempty"`
	// RecoveryCodesEnabled is a flag that determines if recovery codes are enabled in the cluster.
	RecoveryCodesEnabled bool `json:"recoveryCodesEnabled,omitempty"`
	// UI is the configuration for the web UI.
	UI UIConfig `json:"ui,omitempty"`
	// IsDashboard is a flag that determines if the cluster is running as a "dashboard".
	// The web UI for dashboards provides functionality for downloading self-hosted licenses and
	// Teleport Enterprise binaries.
	IsDashboard bool `json:"isDashboard,omitempty"`
	// IsUsageBasedBilling determines if the cloud user subscription is usage-based (pay-as-you-go).
	IsUsageBasedBilling bool `json:"isUsageBasedBilling,omitempty"`
	// AutomaticUpgrades describes whether agents should automatically upgrade.
	AutomaticUpgrades bool `json:"automaticUpgrades"`
	// AutomaticUpgradesTargetVersion is the agents version (eg kube agent helm chart) that should be installed.
	// Eg, v13.4.3
	// Only present when AutomaticUpgrades are enabled.
	AutomaticUpgradesTargetVersion string `json:"automaticUpgradesTargetVersion,omitempty"`
	// AssistEnabled is true when Teleport Assist is enabled.
	AssistEnabled bool `json:"assistEnabled"`
	// HideInaccessibleFeatures is true when features should be undiscoverable to users without the necessary permissions.
	// Usually, in order to encourage discoverability of features, we show UI elements even if the user doesn't have permission to access them,
	// this flag disables that behavior.
	HideInaccessibleFeatures bool `json:"hideInaccessibleFeatures"`
	// CustomTheme is a string that represents the name of the custom theme that the WebUI should use.
	CustomTheme string `json:"customTheme"`
	// Deprecated: IsTeam is true if [Features.ProductType] = Team
	// Prefer checking the cluster features over this flag, as this will be removed.
	IsTeam bool `json:"isTeam"`
	// IsIGSEnabled is true if [Features.IdentityGovernance] = true.
	IsIGSEnabled bool `json:"isIgsEnabled"`
	// FeatureLimits define limits for features.
	// Typically used with feature teasers if feature is not enabled for the
	// product type eg: Team product contains teasers to upgrade to Enterprise.
	FeatureLimits FeatureLimits `json:"featureLimits"`
	// Questionnaire indicates whether cluster users should get an onboarding questionnaire.
	Questionnaire bool `json:"questionnaire"`
	// IsStripeManaged indicates if the cluster billing & lifecycle is managed via Stripe.
	IsStripeManaged bool `json:"isStripeManaged"`
	// ExternalAuditStorage indicates whether the EAS feature is enabled in the cluster.
	ExternalAuditStorage bool `json:"externalAuditStorage"`
	// PremiumSupport indicates whether the customer has premium support.
	PremiumSupport bool `json:"premiumSupport"`
	// JoinActiveSessions indicates whether joining active sessions via web UI is enabled.
	JoinActiveSessions bool `json:"joinActiveSessions"`
	// AccessRequests indicates whether access requests are enabled.
	AccessRequests bool `json:"accessRequests"`
	// TrustedDevices indicates whether trusted devices page is enabled.
	TrustedDevices bool `json:"trustedDevices"`
	// OIDC indicates whether the OIDC integration flow is enabled.
	OIDC bool `json:"oidc"`
	// SAML indicates whether the SAML integration flow is enabled.
	SAML bool `json:"saml"`
	// MobileDeviceManagement indicates whether adding Jamf plugin is enabled.
	MobileDeviceManagement bool `json:"mobileDeviceManagement"`
}

WebConfig is web application configuration served by the backend to be used in frontend apps.

type WebConfigAuthProvider

// WebConfigAuthProvider describes an authentication provider offered to the
// web UI for SSO login.
type WebConfigAuthProvider struct {
	// Name is this provider ID.
	Name string `json:"name,omitempty"`
	// DisplayName is this provider display name.
	DisplayName string `json:"displayName,omitempty"`
	// Type is this provider type; see the WebConfigAuthProvider*Type
	// constants for the known values.
	Type string `json:"type,omitempty"`
	// WebAPIURL is this provider webapi URL; see the
	// WebConfigAuthProvider*URL constants for the URL templates, including
	// the requirement that redirect_url be the last query parameter.
	WebAPIURL string `json:"url,omitempty"`
}

WebConfigAuthProvider describes an authentication provider.

type WebConfigAuthSettings

// WebConfigAuthSettings describes the authentication configuration exposed
// to the web UI.
type WebConfigAuthSettings struct {
	// SecondFactor is the type of second factor to use in authentication.
	SecondFactor constants.SecondFactorType `json:"second_factor,omitempty"`
	// Providers contains a list of configured auth providers.
	Providers []WebConfigAuthProvider `json:"providers,omitempty"`
	// LocalAuthEnabled is a flag that enables local authentication.
	LocalAuthEnabled bool `json:"localAuthEnabled"`
	// AllowPasswordless is true if passwordless logins are allowed.
	AllowPasswordless bool `json:"allowPasswordless,omitempty"`
	// AuthType is the authentication type.
	AuthType string `json:"authType"`
	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
	// when various options are available.
	// It is empty if there is nothing to suggest.
	PreferredLocalMFA constants.SecondFactorType `json:"preferredLocalMfa,omitempty"`
	// LocalConnectorName is the name of the local connector.
	LocalConnectorName string `json:"localConnectorName,omitempty"`
	// PrivateKeyPolicy is the configured private key policy for the cluster.
	PrivateKeyPolicy keys.PrivateKeyPolicy `json:"privateKeyPolicy,omitempty"`
	// MOTD is message of the day. MOTD is displayed to users before login.
	MOTD string `json:"motd"`
}

WebConfigAuthSettings describes the authentication configuration.

type Webauthn

// Webauthn holds MFA settings for Web Authentication.
type Webauthn struct {
	// RPID is the Webauthn Relying Party ID used by the server.
	RPID string `json:"rp_id"`
}

Webauthn holds MFA settings for Web Authentication.
