auth

package
v4.3.10+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2021 License: Apache-2.0 Imports: 80 Imported by: 345

Documentation

Overview

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source 
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute
	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16
)
View Source 
const (
	// CurrentVersion is a current API version
	CurrentVersion = services.V2

	// MissingNamespaceError is a _very_ common error this file generatets
	MissingNamespaceError = "missing required parameter: namespace"
)
View Source 
const (
	// GithubAuthURL is the Github authorization endpoint
	GithubAuthURL = "https://github.com/login/oauth/authorize"

	// GithubTokenURL is the Github token exchange endpoint
	GithubTokenURL = "https://github.com/login/oauth/access_token"

	// GithubAPIURL is the Github base API URL
	GithubAPIURL = "https://api.github.com"

	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
View Source 
const (
	// ResetPasswordTokenTypeInvite indicates invite UI flow
	ResetPasswordTokenTypeInvite = "invite"
	// ResetPasswordTokenTypePassword indicates set new password UI flow
	ResetPasswordTokenTypePassword = "password"
)
View Source 
const (
	// IdentityNameCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity crdentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
View Source 
const ContextUser contextUserKey = "teleport-user"

ContextUser is a user set in the context of the request

View Source 
const IdentitySpecV2Schema = `` /* 415-byte string literal not displayed */

IdentitySpecV2Schema is a schema for identity spec.

View Source 
const StateSpecV2Schema = `{
  "type": "object",
  "additionalProperties": false,
  "required": ["rotation"],
  "properties": {
    "rotation": %v
  }
}`

StateSpecV2Schema is a schema for local server state.

Variables

View Source 
var (
	// GithubScopes is a list of scopes requested during OAuth2 flow
	GithubScopes = []string{

		"read:org",
	}
)

Functions

func CertAuthorityInfo 

func CertAuthorityInfo(ca services.CertAuthority) string

CertAuthorityInfo returns debugging information about certificate authority

func CertInfo 

func CertInfo(cert *x509.Certificate) string

CertInfo returns diagnostic information about certificate

func ClientCertPool 

func ClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, error)

ClientCertPool returns trusted x509 cerificate authority pool

func ClientTimeout 

func ClientTimeout(timeout time.Duration) roundtrip.ClientParam

ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.

func CreateUploaderDir 

func CreateUploaderDir(dir string) error

CreateUploaderDir creates directory for file uploader service

func CreateUserAndRole 

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRole creates user and role and assignes role to a user, used in tests

func CreateUserAndRoleWithoutRoles 

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (services.User, services.Role, error)

CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests

func CreateUserRoleAndRequestable 

func CreateUserRoleAndRequestable(clt clt, username string, rolename string) (services.User, error)

CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.

func DecodeClusterName 

func DecodeClusterName(serverName string) (string, error)

DecodeClusterName decodes cluster name, returns NotFound if no cluster name is encoded (empty subdomain), so servers can detect cases when no server name passed returns BadParameter if encoding does not match

func EncodeClusterName 

func EncodeClusterName(clusterName string) string

EncodeClusterName encodes cluster name in the SNI hostname

func ExtractHostID 

func ExtractHostID(hostName string, clusterName string) (string, error)

ExtractHostID returns host id based on the hostname

func GetCheckerForBuiltinRole 

func GetCheckerForBuiltinRole(clusterName string, clusterConfig services.ClusterConfig, role teleport.Role) (services.RoleSet, error)

GetCheckerForBuiltinRole returns checkers for embedded builtin role

func GetIdentitySchema 

func GetIdentitySchema() string

GetIdentitySchema returns JSON Schema for cert authorities.

func GetStateSchema 

func GetStateSchema() string

GetStateSchema returns JSON Schema for cert authorities.

func HostFQDN 

func HostFQDN(hostUUID, clusterName string) string

HostFQDN consits of host UUID and cluster name joined via .

func NewAPIServer 

func NewAPIServer(config *APIConfig) http.Handler

NewAPIServer returns a new instance of APIServer HTTP handler

func NewGRPCServer 

func NewGRPCServer(cfg APIConfig) http.Handler

NewGRPCServer returns a new instance of GRPC server

func SetPlugin 

func SetPlugin(p Plugin)

SetPlugin sets plugin for the auth API server

func TLSCertInfo 

func TLSCertInfo(cert *tls.Certificate) string

TLSCertInfo returns diagnostic information about certificate

func WithDelegator 

func WithDelegator(ctx context.Context, delegator string) context.Context

WithDelegator creates a child context with the AccessRequestDelegator value set. Optionally used by AuthServer.SetAccessRequestState to log a delegating identity.

Types

type APIConfig added in v1.0.0 

type APIConfig struct {
	AuthServer     *AuthServer
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
}

type APIServer 

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements http API server for AuthServer interface

type AccessCache 

type AccessCache interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)
}

AccessCache is a subset of the interface working on the certificate authorities

type AccessPoint 

type AccessPoint interface {
	// ReadAccessPoint provides methods to read data
	ReadAccessPoint
	// Announcer adds methods used to announce presence
	Announcer

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(conn services.TunnelConnection) error

	// DeleteTunnelConnection deletes tunnel connection
	DeleteTunnelConnection(clusterName, connName string) error
}

AccessPoint is an API interface implemented by a certificate authority (CA)

func NewWrapper 

func NewWrapper(writer AccessPoint, cache ReadAccessPoint) AccessPoint

NewWrapper returns new access point wrapper

func NoCache 

func NoCache(clt ClientI, cacheName []string) (AccessPoint, error)

NoCache is a no cache used for access point

type Announcer 

type Announcer interface {
	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(s services.Server) (*services.KeepAlive, error)

	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s services.Server) error

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(s services.Server) error

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (services.KeepAliver, error)
}

Announcer specifies interface responsible for announcing presence

type AuthCache 

type AuthCache interface {
	ReadAccessPoint

	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() (services.StaticTokens, error)

	// GetTokens returns all active (non-expired) provisioning tokens
	GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

	// GetToken finds and returns token by ID
	GetToken(token string) (services.ProvisionToken, error)

	// NewWatcher returns a new event watcher
	NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)
}

AuthCache is a subset of the auth interface hanlding access to the discovery API and static tokens

type AuthContext 

type AuthContext struct {
	// User is the user name
	User services.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity holds the caller identity:
	// 1. If caller is a user
	//   a. local user identity
	//   b. remote user identity remapped to local identity based on trusted
	//      cluster role mapping.
	// 2. If caller is a teleport instance, Identity holds their identity as-is
	//    (because there's no role mapping for non-human roles)
	Identity IdentityGetter
	// UnmappedIdentity holds the original caller identity. If this is a remote
	// user, UnmappedIdentity holds the data before role mapping. Otherwise,
	// it's identical to Identity.
	UnmappedIdentity IdentityGetter
}

AuthContext is authorization context

func NewAdminContext 

func NewAdminContext() (*AuthContext, error)

NewAdminContext returns new admin auth context

type AuthMiddleware 

type AuthMiddleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessCache
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage,
	// if set, will accept certificates with non-limited usage,
	// and usage exactly matching the specified values.
	AcceptedUsage []string
}

AuthMiddleware is authentication middleware checking every request

func (*AuthMiddleware) GetUser 

func (a *AuthMiddleware) GetUser(r *http.Request) (IdentityGetter, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*AuthMiddleware) ServeHTTP 

func (a *AuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*AuthMiddleware) Wrap 

func (a *AuthMiddleware) Wrap(h http.Handler)

Wrap sets next handler in chain

type AuthServer 

type AuthServer struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// AuthServices encapsulate services - provisioner, trust, etc
	// used by the auth server in a separate structure
	AuthServices
	// contains filtered or unexported fields
}

AuthServer keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func Init 

func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error)

Init instantiates and configures an instance of AuthServer

func NewAuthServer 

func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, error)

NewAuthServer creates and configures a new AuthServer instance

func (*AuthServer) AuthenticateSSHUser 

func (s *AuthServer) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates an SSH user and returns SSH and TLS certificates for the public key in req.

func (*AuthServer) AuthenticateUser 

func (s *AuthServer) AuthenticateUser(req AuthenticateUserRequest) error

AuthenticateUser authenticates user based on the request type

func (*AuthServer) AuthenticateWebUser 

func (s *AuthServer) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful. In case if existing session id is used to authenticate, returns session associated with the existing session id instead of creating the new one

func (*AuthServer) ChangePassword 

func (s *AuthServer) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*AuthServer) ChangePasswordWithToken 

func (s *AuthServer) ChangePasswordWithToken(ctx context.Context, req ChangePasswordWithTokenRequest) (services.WebSession, error)

ChangePasswordWithToken changes password with token

func (*AuthServer) CheckOTP 

func (s *AuthServer) CheckOTP(user string, otpToken string) error

CheckOTP determines the type of OTP token used (for legacy HOTP support), fetches the appropriate type from the backend, and checks if the token is valid.

func (*AuthServer) CheckPassword 

func (s *AuthServer) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks the password and OTP token. Called by tsh or lib/web/*.

func (*AuthServer) CheckPasswordWOToken 

func (s *AuthServer) CheckPasswordWOToken(user string, password []byte) error

CheckPasswordWOToken checks just password without checking OTP tokens used in case of SSH authentication, when token has been validated.

func (*AuthServer) CheckU2FSignResponse added in v1.3.0 

func (s *AuthServer) CheckU2FSignResponse(user string, response *u2f.SignResponse) error

func (*AuthServer) Close added in v1.0.0 

func (a *AuthServer) Close() error

func (*AuthServer) CreateAccessRequest 

func (a *AuthServer) CreateAccessRequest(ctx context.Context, req services.AccessRequest) error

func (*AuthServer) CreateGithubAuthRequest 

func (s *AuthServer) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*AuthServer) CreateOIDCAuthRequest added in v1.0.0 

func (s *AuthServer) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthServer) CreateResetPasswordToken 

func (s *AuthServer) CreateResetPasswordToken(ctx context.Context, req CreateResetPasswordTokenRequest) (services.ResetPasswordToken, error)

CreateResetPasswordToken creates a reset password token

func (*AuthServer) CreateSAMLAuthRequest 

func (s *AuthServer) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthServer) CreateSignupU2FRegisterRequest added in v1.3.0 

func (s *AuthServer) CreateSignupU2FRegisterRequest(tokenID string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

CreateSignupU2FRegisterRequest creates U2F requests

func (*AuthServer) CreateUser 

func (s *AuthServer) CreateUser(ctx context.Context, user services.User) error

CreateUser inserts a new user entry in a backend.

func (*AuthServer) CreateWebSession added in v1.0.0 

func (s *AuthServer) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*AuthServer) DeleteNamespace 

func (s *AuthServer) DeleteNamespace(namespace string) error

func (*AuthServer) DeleteOIDCConnector 

func (s *AuthServer) DeleteOIDCConnector(ctx context.Context, connectorName string) error

DeleteOIDCConnector deletes an OIDC connector by name.

func (*AuthServer) DeleteRemoteCluster 

func (a *AuthServer) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it

func (*AuthServer) DeleteRole 

func (a *AuthServer) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes a role by name of the role.

func (*AuthServer) DeleteSAMLConnector 

func (s *AuthServer) DeleteSAMLConnector(ctx context.Context, connectorName string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*AuthServer) DeleteToken 

func (s *AuthServer) DeleteToken(token string) (err error)

func (*AuthServer) DeleteTrustedCluster 

func (a *AuthServer) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster removes services.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*AuthServer) DeleteUser 

func (s *AuthServer) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existng user in a backend by username.

func (*AuthServer) DeleteWebSession 

func (s *AuthServer) DeleteWebSession(user string, id string) error

func (*AuthServer) ExtendWebSession added in v1.0.0 

func (s *AuthServer) ExtendWebSession(user string, prevSessionID string, identity *tlsca.Identity) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous sessionID, method is used to renew the web session for a user

func (*AuthServer) GenerateHostCert 

func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*AuthServer) GenerateServerKeys added in v1.0.0 

func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthServer) GenerateToken 

func (a *AuthServer) GenerateToken(ctx context.Context, req GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token.

func (*AuthServer) GenerateUserTestCerts 

func (a *AuthServer) GenerateUserTestCerts(key []byte, username string, ttl time.Duration, compatibility, routeToCluster string) ([]byte, []byte, error)

GenerateUserTestCerts is used to generate user certificate, used internally for tests

func (*AuthServer) GetAllTunnelConnections 

func (a *AuthServer) GetAllTunnelConnections(opts ...services.MarshalOption) (conns []services.TunnelConnection, err error)

GetAllTunnelConnections is a part of auth.AccessPoint implementation GetAllTunnelConnections are not using recent cache, as they are designed to be called periodically and always return fresh data

func (*AuthServer) GetCache 

func (a *AuthServer) GetCache() AuthCache

GetCache returns cache used by auth server

func (*AuthServer) GetCertAuthorities 

func (a *AuthServer) GetCertAuthorities(caType services.CertAuthType, loadSigningKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of authorities of a given type loadSigningKeys controls whether signing keys should be loaded or not

func (*AuthServer) GetCertAuthority 

func (a *AuthServer) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*AuthServer) GetClock 

func (a *AuthServer) GetClock() clockwork.Clock

func (*AuthServer) GetClusterCACert 

func (a *AuthServer) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthServer) GetClusterConfig 

func (a *AuthServer) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig gets ClusterConfig from the backend.

func (*AuthServer) GetClusterName 

func (a *AuthServer) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetDomainName added in v1.2.6 

func (a *AuthServer) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*AuthServer) GetNamespace 

func (a *AuthServer) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace

func (*AuthServer) GetNamespaces 

func (a *AuthServer) GetNamespaces() ([]services.Namespace, error)

GetNamespaces is a part of auth.AccessPoint implementation

func (*AuthServer) GetNodes 

func (a *AuthServer) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

GetNodes is a part of auth.AccessPoint implementation

func (*AuthServer) GetProxies 

func (a *AuthServer) GetProxies() ([]services.Server, error)

GetProxies is a part of auth.AccessPoint implementation

func (*AuthServer) GetRemoteCluster 

func (a *AuthServer) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*AuthServer) GetRemoteClusters 

func (a *AuthServer) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns remote clusters with updated statuses

func (*AuthServer) GetReverseTunnels 

func (a *AuthServer) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

GetReverseTunnels is a part of auth.AccessPoint implementation

func (*AuthServer) GetRole 

func (a *AuthServer) GetRole(name string) (services.Role, error)

GetRole is a part of auth.AccessPoint implementation

func (*AuthServer) GetRoles 

func (a *AuthServer) GetRoles() ([]services.Role, error)

GetRoles is a part of auth.AccessPoint implementation

func (*AuthServer) GetStaticTokens 

func (a *AuthServer) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthServer) GetToken 

func (a *AuthServer) GetToken(token string) (services.ProvisionToken, error)

GetToken finds and returns token by ID

func (*AuthServer) GetTokens added in v1.0.0 

func (s *AuthServer) GetTokens(opts ...services.MarshalOption) (tokens []services.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user invitation tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*AuthServer) GetTunnelConnections 

func (a *AuthServer) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetTunnelConnections is a part of auth.AccessPoint implementation GetTunnelConnections are not using recent cache as they are designed to be called periodically and always return fresh data

func (*AuthServer) GetUser 

func (a *AuthServer) GetUser(name string, withSecrets bool) (user services.User, err error)

GetUser is a part of auth.AccessPoint implementation.

func (*AuthServer) GetUsers 

func (a *AuthServer) GetUsers(withSecrets bool) (users []services.User, err error)

GetUsers is a part of auth.AccessPoint implementation

func (*AuthServer) GetWebSession 

func (s *AuthServer) GetWebSession(userName string, id string) (services.WebSession, error)

func (*AuthServer) GetWebSessionInfo added in v1.0.0 

func (s *AuthServer) GetWebSessionInfo(userName string, id string) (services.WebSession, error)

func (*AuthServer) NewKeepAliver 

func (a *AuthServer) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*AuthServer) NewWatcher 

func (a *AuthServer) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher. In case of an auth server this watcher will return events as seen by the auth server's in memory cache, not the backend.

func (*AuthServer) NewWebSession 

func (s *AuthServer) NewWebSession(username string, roles []string, traits wrappers.Traits) (services.WebSession, error)

func (*AuthServer) PreAuthenticatedSignIn added in v1.3.0 

func (s *AuthServer) PreAuthenticatedSignIn(user string, identity *tlsca.Identity) (services.WebSession, error)

PreAuthenticatedSignIn is for 2-way authentication methods like U2F where the password is already checked before issuing the second factor challenge

func (*AuthServer) ProcessKubeCSR 

func (s *AuthServer) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*AuthServer) RegisterNewAuthServer 

func (s *AuthServer) RegisterNewAuthServer(token string) error

func (*AuthServer) RegisterUsingToken 

func (s *AuthServer) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken adds a new node to the Teleport cluster using previously issued token. A node must also request a specific role (and the role must match one of the roles the token was generated for).

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires) If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed after a successful registration.

func (*AuthServer) ResetPassword 

func (s *AuthServer) ResetPassword(username string) (string, error)

ResetPassword securely generates a new random password and assigns it to user. This method is used to invalidate existing user password during password reset process.

func (*AuthServer) RotateCertAuthority 

func (a *AuthServer) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

Rotation procedure is based on the state machine approach.

Here are the supported rotation states:

  • Standby - the cluster is in standby mode and ready to take action.
  • In-progress - cluster CA rotation is in progress.

In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.

Here are the supported phases:

* Standby - no action is taken.

* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.

This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.

* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".

* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.

* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will loose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.

Rotation modes

There are two rotation modes supported - manual or automatic.

* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.

* Automatic mode performs automatic transition between phases on a given schedule. Schedule is a time table that specifies exact date when the next phase should take place. If automatic transition between any phase fails, the rotation switches back to the manual mode and stops execution phases on the schedule. If schedule is not specified, it will be auto generated based on the "grace period" duration parameter, and time between all phases will be evenly split over the grace period duration.

It is possible to switch from automatic to manual by setting the phase to the rollback phase.

func (*AuthServer) RotateExternalCertAuthority 

func (a *AuthServer) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthServer) RotateResetPasswordTokenSecrets 

func (s *AuthServer) RotateResetPasswordTokenSecrets(ctx context.Context, tokenID string) (services.ResetPasswordTokenSecrets, error)

RotateResetPasswordTokenSecrets rotates secrets for a given tokenID. It gets called every time a user fetches 2nd-factor secrets during registration attempt. This ensures that an attacker that gains the ResetPasswordToken link can not view it, extract the OTP key from the QR code, then allow the user to signup with the same OTP token.

func (*AuthServer) SetAccessRequestState 

func (a *AuthServer) SetAccessRequestState(ctx context.Context, reqID string, state services.RequestState) error

func (*AuthServer) SetAuditLog 

func (a *AuthServer) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*AuthServer) SetCache 

func (a *AuthServer) SetCache(clt AuthCache)

SetCache sets cache used by auth server

func (*AuthServer) SetClock 

func (a *AuthServer) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*AuthServer) U2FSignRequest added in v1.3.0 

func (s *AuthServer) U2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthServer) UpdateUser 

func (s *AuthServer) UpdateUser(ctx context.Context, user services.User) error

UpdateUser updates an existing user in a backend.

func (*AuthServer) UpsertOIDCConnector 

func (s *AuthServer) UpsertOIDCConnector(ctx context.Context, connector services.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*AuthServer) UpsertSAMLConnector 

func (s *AuthServer) UpsertSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*AuthServer) UpsertTrustedCluster 

func (a *AuthServer) UpsertTrustedCluster(ctx context.Context, trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*AuthServer) UpsertUser 

func (s *AuthServer) UpsertUser(user services.User) error

UpsertUser updates a user.

func (*AuthServer) UpsertWebSession 

func (s *AuthServer) UpsertWebSession(user string, sess services.WebSession) error

func (*AuthServer) ValidateGithubAuthCallback 

func (a *AuthServer) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback redirect

func (*AuthServer) ValidateOIDCAuthCallback added in v1.0.0 

func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*AuthServer) ValidateSAMLResponse 

func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from SAML identity provider

func (*AuthServer) ValidateToken 

func (s *AuthServer) ValidateToken(token string) (roles teleport.Roles, e error)

ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume, or an error if the token cannot be found.

func (*AuthServer) WithUserLock 

func (s *AuthServer) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval

type AuthServerOption added in v1.0.0 

type AuthServerOption func(*AuthServer)

AuthServerOption allows setting options as functional arguments to AuthServer

type AuthServices 

type AuthServices struct {
	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	services.DynamicAccess
	services.ClusterConfiguration
	services.Events
	events.IAuditLog
}

type AuthWithRoles 

type AuthWithRoles struct {
	// contains filtered or unexported fields
}

AuthWithRoles is a wrapper around auth service methods that focuses on authorizing every request

func (*AuthWithRoles) ActivateCertAuthority 

func (a *AuthWithRoles) ActivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) AuthenticateSSHUser 

func (a *AuthWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*AuthWithRoles) AuthenticateWebUser 

func (a *AuthWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful

func (*AuthWithRoles) ChangePassword 

func (a *AuthWithRoles) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*AuthWithRoles) ChangePasswordWithToken 

func (a *AuthWithRoles) ChangePasswordWithToken(ctx context.Context, req ChangePasswordWithTokenRequest) (services.WebSession, error)

func (*AuthWithRoles) CheckPassword 

func (a *AuthWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*AuthWithRoles) Close 

func (a *AuthWithRoles) Close() error

func (*AuthWithRoles) CompareAndSwapCertAuthority 

func (a *AuthWithRoles) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*AuthWithRoles) CreateAccessRequest 

func (a *AuthWithRoles) CreateAccessRequest(ctx context.Context, req services.AccessRequest) error

func (*AuthWithRoles) CreateCertAuthority 

func (a *AuthWithRoles) CreateCertAuthority(ca services.CertAuthority) error

func (*AuthWithRoles) CreateGithubAuthRequest 

func (a *AuthWithRoles) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

func (*AuthWithRoles) CreateGithubConnector 

func (a *AuthWithRoles) CreateGithubConnector(connector services.GithubConnector) error

func (*AuthWithRoles) CreateOIDCAuthRequest added in v1.0.0 

func (a *AuthWithRoles) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

func (*AuthWithRoles) CreateRemoteCluster 

func (a *AuthWithRoles) CreateRemoteCluster(conn services.RemoteCluster) error

func (*AuthWithRoles) CreateResetPasswordToken 

func (a *AuthWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateResetPasswordTokenRequest) (services.ResetPasswordToken, error)

func (*AuthWithRoles) CreateRole 

func (a *AuthWithRoles) CreateRole(role services.Role) error

CreateRole creates a role.

func (*AuthWithRoles) CreateSAMLAuthRequest 

func (a *AuthWithRoles) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

func (*AuthWithRoles) CreateSAMLConnector 

func (a *AuthWithRoles) CreateSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

func (*AuthWithRoles) CreateSession added in v1.0.0 

func (a *AuthWithRoles) CreateSession(s session.Session) error

func (*AuthWithRoles) CreateUser 

func (a *AuthWithRoles) CreateUser(ctx context.Context, user services.User) error

CreateUser inserts a new user entry in a backend.

func (*AuthWithRoles) CreateWebSession added in v1.0.0 

func (a *AuthWithRoles) CreateWebSession(user string) (services.WebSession, error)

func (*AuthWithRoles) DeactivateCertAuthority 

func (a *AuthWithRoles) DeactivateCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteAccessRequest 

func (a *AuthWithRoles) DeleteAccessRequest(ctx context.Context, name string) error

func (*AuthWithRoles) DeleteAllAuthServers 

func (a *AuthWithRoles) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*AuthWithRoles) DeleteAllCertAuthorities 

func (a *AuthWithRoles) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*AuthWithRoles) DeleteAllNamespaces 

func (a *AuthWithRoles) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*AuthWithRoles) DeleteAllNodes 

func (a *AuthWithRoles) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*AuthWithRoles) DeleteAllProxies 

func (a *AuthWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*AuthWithRoles) DeleteAllRemoteClusters 

func (a *AuthWithRoles) DeleteAllRemoteClusters() error

func (*AuthWithRoles) DeleteAllReverseTunnels 

func (a *AuthWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*AuthWithRoles) DeleteAllRoles 

func (a *AuthWithRoles) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*AuthWithRoles) DeleteAllTokens 

func (a *AuthWithRoles) DeleteAllTokens() error

DeleteAllTokens deletes all tokens

func (*AuthWithRoles) DeleteAllTunnelConnections 

func (a *AuthWithRoles) DeleteAllTunnelConnections() error

func (*AuthWithRoles) DeleteAllUsers 

func (a *AuthWithRoles) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*AuthWithRoles) DeleteAuthServer 

func (a *AuthWithRoles) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*AuthWithRoles) DeleteCertAuthority added in v1.0.0 

func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error

func (*AuthWithRoles) DeleteClusterConfig 

func (a *AuthWithRoles) DeleteClusterConfig() error

DeleteClusterConfig deletes cluster config

func (*AuthWithRoles) DeleteClusterName 

func (a *AuthWithRoles) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*AuthWithRoles) DeleteGithubConnector 

func (a *AuthWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error

DeleteGithubConnector deletes a Github connector by name.

func (*AuthWithRoles) DeleteNamespace 

func (a *AuthWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*AuthWithRoles) DeleteNode 

func (a *AuthWithRoles) DeleteNode(namespace, node string) error

DeleteNode deletes node in the namespace

func (*AuthWithRoles) DeleteOIDCConnector added in v1.0.0 

func (a *AuthWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error

func (*AuthWithRoles) DeleteProxy 

func (a *AuthWithRoles) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*AuthWithRoles) DeleteRemoteCluster 

func (a *AuthWithRoles) DeleteRemoteCluster(clusterName string) error

func (*AuthWithRoles) DeleteReverseTunnel added in v1.0.0 

func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error

func (*AuthWithRoles) DeleteRole 

func (a *AuthWithRoles) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes role by name

func (*AuthWithRoles) DeleteSAMLConnector 

func (a *AuthWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*AuthWithRoles) DeleteSession 

func (a *AuthWithRoles) DeleteSession(namespace string, id session.ID) error

DeleteSession removes an active session from the backend.

func (*AuthWithRoles) DeleteStaticTokens 

func (a *AuthWithRoles) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*AuthWithRoles) DeleteToken added in v1.0.0 

func (a *AuthWithRoles) DeleteToken(token string) error

func (*AuthWithRoles) DeleteTrustedCluster 

func (a *AuthWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster deletes a trusted cluster by name.

func (*AuthWithRoles) DeleteTunnelConnection 

func (a *AuthWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*AuthWithRoles) DeleteTunnelConnections 

func (a *AuthWithRoles) DeleteTunnelConnections(clusterName string) error

func (*AuthWithRoles) DeleteUser 

func (a *AuthWithRoles) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existng user in a backend by username.

func (*AuthWithRoles) DeleteWebSession 

func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error

func (*AuthWithRoles) EmitAuditEvent added in v1.0.0 

func (a *AuthWithRoles) EmitAuditEvent(event events.Event, fields events.EventFields) error

func (*AuthWithRoles) ExtendWebSession added in v1.0.0 

func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (services.WebSession, error)

func (*AuthWithRoles) GenerateHostCert 

func (a *AuthWithRoles) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

func (*AuthWithRoles) GenerateKeyPair 

func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error)

func (*AuthWithRoles) GenerateServerKeys 

func (a *AuthWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

GenerateServerKeys generates new host private keys and certificates (signed by the host certificate authority) for a node.

func (*AuthWithRoles) GenerateToken 

func (a *AuthWithRoles) GenerateToken(ctx context.Context, req GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token.

func (*AuthWithRoles) GenerateUserCerts 

func (a *AuthWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

GenerateUserCerts generates users certificates

func (*AuthWithRoles) GetAccessRequests 

func (a *AuthWithRoles) GetAccessRequests(ctx context.Context, filter services.AccessRequestFilter) ([]services.AccessRequest, error)

func (*AuthWithRoles) GetAllTunnelConnections 

func (a *AuthWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetAuthPreference 

func (a *AuthWithRoles) GetAuthPreference() (services.AuthPreference, error)

func (*AuthWithRoles) GetAuthServers added in v1.0.0 

func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error)

func (*AuthWithRoles) GetCertAuthorities added in v1.0.0 

func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

func (*AuthWithRoles) GetCertAuthority 

func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

func (*AuthWithRoles) GetClusterCACert 

func (a *AuthWithRoles) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*AuthWithRoles) GetClusterConfig 

func (a *AuthWithRoles) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig gets cluster level configuration.

func (*AuthWithRoles) GetClusterName 

func (a *AuthWithRoles) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*AuthWithRoles) GetDomainName added in v1.2.6 

func (a *AuthWithRoles) GetDomainName() (string, error)

func (*AuthWithRoles) GetGithubConnector 

func (a *AuthWithRoles) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

func (*AuthWithRoles) GetGithubConnectors 

func (a *AuthWithRoles) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

func (*AuthWithRoles) GetLocalClusterName 

func (a *AuthWithRoles) GetLocalClusterName() (string, error)

func (*AuthWithRoles) GetNamespace 

func (a *AuthWithRoles) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*AuthWithRoles) GetNamespaces 

func (a *AuthWithRoles) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*AuthWithRoles) GetNodes added in v1.0.0 

func (a *AuthWithRoles) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

func (*AuthWithRoles) GetOIDCConnector added in v1.0.0 

func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

func (*AuthWithRoles) GetOIDCConnectors added in v1.0.0 

func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

func (*AuthWithRoles) GetPluginData 

func (a *AuthWithRoles) GetPluginData(ctx context.Context, filter services.PluginDataFilter) ([]services.PluginData, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*AuthWithRoles) GetProxies added in v1.0.0 

func (a *AuthWithRoles) GetProxies() ([]services.Server, error)

func (*AuthWithRoles) GetRemoteCluster 

func (a *AuthWithRoles) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

func (*AuthWithRoles) GetRemoteClusters 

func (a *AuthWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

func (*AuthWithRoles) GetResetPasswordToken 

func (a *AuthWithRoles) GetResetPasswordToken(ctx context.Context, tokenID string) (services.ResetPasswordToken, error)

func (*AuthWithRoles) GetReverseTunnel 

func (a *AuthWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (services.ReverseTunnel, error)

func (*AuthWithRoles) GetReverseTunnels added in v1.0.0 

func (a *AuthWithRoles) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

func (*AuthWithRoles) GetRole 

func (a *AuthWithRoles) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*AuthWithRoles) GetRoles 

func (a *AuthWithRoles) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*AuthWithRoles) GetSAMLConnector 

func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

func (*AuthWithRoles) GetSAMLConnectors 

func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

func (*AuthWithRoles) GetSession 

func (a *AuthWithRoles) GetSession(namespace string, id session.ID) (*session.Session, error)

func (*AuthWithRoles) GetSessionChunk added in v1.0.0 

func (a *AuthWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*AuthWithRoles) GetSessionEvents added in v1.0.0 

func (a *AuthWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)

func (*AuthWithRoles) GetSessions 

func (a *AuthWithRoles) GetSessions(namespace string) ([]session.Session, error)

func (*AuthWithRoles) GetSignupU2FRegisterRequest added in v1.3.0 

func (a *AuthWithRoles) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

func (*AuthWithRoles) GetStaticTokens 

func (a *AuthWithRoles) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*AuthWithRoles) GetToken 

func (a *AuthWithRoles) GetToken(token string) (services.ProvisionToken, error)

func (*AuthWithRoles) GetTokens added in v1.0.0 

func (a *AuthWithRoles) GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

func (*AuthWithRoles) GetTrustedCluster 

func (a *AuthWithRoles) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*AuthWithRoles) GetTrustedClusters 

func (a *AuthWithRoles) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*AuthWithRoles) GetTunnelConnections 

func (a *AuthWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

func (*AuthWithRoles) GetU2FSignRequest added in v1.3.0 

func (a *AuthWithRoles) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

func (*AuthWithRoles) GetUser added in v1.0.0 

func (a *AuthWithRoles) GetUser(name string, withSecrets bool) (services.User, error)

func (*AuthWithRoles) GetUsers 

func (a *AuthWithRoles) GetUsers(withSecrets bool) ([]services.User, error)

func (*AuthWithRoles) GetWebSessionInfo added in v1.0.0 

func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

func (*AuthWithRoles) KeepAliveNode 

func (a *AuthWithRoles) KeepAliveNode(ctx context.Context, handle services.KeepAlive) error

func (*AuthWithRoles) NewKeepAliver 

func (a *AuthWithRoles) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*AuthWithRoles) NewWatcher 

func (a *AuthWithRoles) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher

func (*AuthWithRoles) Ping 

func (a *AuthWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)

Ping gets basic info about the auth server.

func (*AuthWithRoles) PostSessionSlice 

func (a *AuthWithRoles) PostSessionSlice(slice events.SessionSlice) error

func (*AuthWithRoles) PreAuthenticatedSignIn added in v1.3.0 

func (a *AuthWithRoles) PreAuthenticatedSignIn(user string) (services.WebSession, error)

func (*AuthWithRoles) ProcessKubeCSR 

func (a *AuthWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*AuthWithRoles) RegisterNewAuthServer 

func (a *AuthWithRoles) RegisterNewAuthServer(token string) error

func (*AuthWithRoles) RegisterUsingToken 

func (a *AuthWithRoles) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

func (*AuthWithRoles) RotateCertAuthority 

func (a *AuthWithRoles) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*AuthWithRoles) RotateExternalCertAuthority 

func (a *AuthWithRoles) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*AuthWithRoles) RotateResetPasswordTokenSecrets 

func (a *AuthWithRoles) RotateResetPasswordTokenSecrets(ctx context.Context, tokenID string) (services.ResetPasswordTokenSecrets, error)

func (*AuthWithRoles) SearchEvents added in v1.0.0 

func (a *AuthWithRoles) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SearchSessionEvents 

func (a *AuthWithRoles) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

func (*AuthWithRoles) SetAccessRequestState 

func (a *AuthWithRoles) SetAccessRequestState(ctx context.Context, reqID string, state services.RequestState) error

func (*AuthWithRoles) SetAuthPreference 

func (a *AuthWithRoles) SetAuthPreference(cap services.AuthPreference) error

func (*AuthWithRoles) SetClusterConfig 

func (a *AuthWithRoles) SetClusterConfig(c services.ClusterConfig) error

SetClusterConfig sets cluster level configuration.

func (*AuthWithRoles) SetClusterName 

func (a *AuthWithRoles) SetClusterName(c services.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*AuthWithRoles) SetStaticTokens 

func (a *AuthWithRoles) SetStaticTokens(s services.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*AuthWithRoles) UpdatePluginData 

func (a *AuthWithRoles) UpdatePluginData(ctx context.Context, params services.PluginDataUpdateParams) error

UpdatePluginData updates a per-resource PluginData entry.

func (*AuthWithRoles) UpdateSession added in v1.0.0 

func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error

func (*AuthWithRoles) UpdateUser 

func (a *AuthWithRoles) UpdateUser(ctx context.Context, user services.User) error

UpdateUser updates an existing user in a backend. Captures the auth user who modified the user record.

func (*AuthWithRoles) UploadSessionRecording 

func (a *AuthWithRoles) UploadSessionRecording(r events.SessionRecording) error

func (*AuthWithRoles) UpsertAuthServer added in v1.0.0 

func (a *AuthWithRoles) UpsertAuthServer(s services.Server) error

func (*AuthWithRoles) UpsertCertAuthority added in v1.0.0 

func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates existing cert authority or updates the existing one.

func (*AuthWithRoles) UpsertClusterName 

func (a *AuthWithRoles) UpsertClusterName(c services.ClusterName) error

UpsertClusterName sets the name of the cluster.

func (*AuthWithRoles) UpsertGithubConnector 

func (a *AuthWithRoles) UpsertGithubConnector(ctx context.Context, connector services.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector.

func (*AuthWithRoles) UpsertLocalClusterName 

func (a *AuthWithRoles) UpsertLocalClusterName(clusterName string) error

func (*AuthWithRoles) UpsertNamespace 

func (a *AuthWithRoles) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*AuthWithRoles) UpsertNode added in v1.0.0 

func (a *AuthWithRoles) UpsertNode(s services.Server) (*services.KeepAlive, error)

func (*AuthWithRoles) UpsertNodes 

func (a *AuthWithRoles) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk upserts nodes into the backend.

func (*AuthWithRoles) UpsertOIDCConnector added in v1.0.0 

func (a *AuthWithRoles) UpsertOIDCConnector(ctx context.Context, connector services.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*AuthWithRoles) UpsertPassword 

func (a *AuthWithRoles) UpsertPassword(user string, password []byte) error

func (*AuthWithRoles) UpsertProxy added in v1.0.0 

func (a *AuthWithRoles) UpsertProxy(s services.Server) error

func (*AuthWithRoles) UpsertReverseTunnel added in v1.0.0 

func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel) error

func (*AuthWithRoles) UpsertRole 

func (a *AuthWithRoles) UpsertRole(ctx context.Context, role services.Role) error

UpsertRole creates or updates role.

func (*AuthWithRoles) UpsertSAMLConnector 

func (a *AuthWithRoles) UpsertSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*AuthWithRoles) UpsertTOTP 

func (a *AuthWithRoles) UpsertTOTP(user string, otpSecret string) error

func (*AuthWithRoles) UpsertToken 

func (a *AuthWithRoles) UpsertToken(token services.ProvisionToken) error

func (*AuthWithRoles) UpsertTrustedCluster 

func (a *AuthWithRoles) UpsertTrustedCluster(ctx context.Context, tc services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or updates a trusted cluster.

func (*AuthWithRoles) UpsertTunnelConnection 

func (a *AuthWithRoles) UpsertTunnelConnection(conn services.TunnelConnection) error

func (*AuthWithRoles) UpsertUser added in v1.0.0 

func (a *AuthWithRoles) UpsertUser(u services.User) error

func (*AuthWithRoles) ValidateGithubAuthCallback 

func (a *AuthWithRoles) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

func (*AuthWithRoles) ValidateOIDCAuthCallback added in v1.0.0 

func (a *AuthWithRoles) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

func (*AuthWithRoles) ValidateSAMLResponse 

func (a *AuthWithRoles) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

func (*AuthWithRoles) ValidateTrustedCluster 

func (a *AuthWithRoles) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*AuthWithRoles) WaitForDelivery 

func (a *AuthWithRoles) WaitForDelivery(context.Context) error

type AuthenticateSSHRequest 

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issues
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
	RouteToCluster    string `json:"route_to_cluster"`
}

AuthenticateSSHRequest is a request to authenticate SSH client user via CLI

func (*AuthenticateSSHRequest) CheckAndSetDefaults 

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest 

type AuthenticateUserRequest struct {
	// Username is a user name
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// U2F is a sign response crdedentials used to authenticate via U2F
	U2F *U2FSignResponseCreds `json:"u2f,omitempty"`
	// OTP is a password and second factor, used in two factor authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
}

AuthenticateUserRequest is a request to authenticate interactive user

func (*AuthenticateUserRequest) CheckAndSetDefaults 

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer 

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*AuthContext, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer 

func NewAuthorizer(clusterName string, access services.Access, identity services.UserGetter, trust services.Trust) (Authorizer, error)

NewAuthorizer returns new authorizer using backends

type BuiltinRole 

type BuiltinRole struct {
	// GetClusterConfig fetches cluster configuration.
	GetClusterConfig GetClusterConfigFunc

	// Role is the builtin role this username is associated with
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

BuiltinRole is the role of the Teleport service.

func (BuiltinRole) GetIdentity 

func (r BuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type BuiltinRoleSet 

type BuiltinRoleSet struct {
	services.RoleSet
}

BuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is builtin or not.

type ChangePasswordWithTokenRequest 

type ChangePasswordWithTokenRequest struct {
	// SecondFactorToken is 2nd factor token value
	SecondFactorToken string `json:"second_factor_token"`
	// TokenID is this token ID
	TokenID string `json:"token"`
	// Password is user password
	Password []byte `json:"password"`
	// U2FRegisterResponse is U2F register response
	U2FRegisterResponse u2f.RegisterResponse `json:"u2f_register_response"`
}

ChangePasswordWithTokenRequest defines a request to change user password

type Client 

type Client struct {
	sync.Mutex
	ClientConfig
	roundtrip.Client
	// contains filtered or unexported fields
}

Client is HTTP Auth API client. It works by connecting to auth servers via HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

func NewTLSClient 

func NewTLSClient(cfg ClientConfig, params ...roundtrip.ClientParam) (*Client, error)

NewTLSClient returns a new TLS client that uses mutual TLS authentication and dials the remote server using dialer

func (*Client) ActivateCertAuthority 

func (c *Client) ActivateCertAuthority(id services.CertAuthID) error

ActivateCertAuthority moves a CertAuthority from the deactivated list to the normal list.

func (*Client) AddUserLoginAttempt 

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser 

func (c *Client) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*Client) AuthenticateWebUser 

func (c *Client) AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful

func (*Client) ChangePassword 

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*Client) ChangePasswordWithToken 

func (c *Client) ChangePasswordWithToken(ctx context.Context, req ChangePasswordWithTokenRequest) (services.WebSession, error)

ChangePasswordWithToken changes user password with ResetPasswordToken

func (*Client) CheckPassword 

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close added in v1.0.0 

func (c *Client) Close() error

func (*Client) CompareAndSwapCertAuthority 

func (c *Client) CompareAndSwapCertAuthority(new, existing services.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*Client) CreateAccessRequest 

func (c *Client) CreateAccessRequest(ctx context.Context, req services.AccessRequest) error

func (*Client) CreateCertAuthority 

func (c *Client) CreateCertAuthority(ca services.CertAuthority) error

CreateCertAuthority inserts new cert authority

func (*Client) CreateGithubAuthRequest 

func (c *Client) CreateGithubAuthRequest(req services.GithubAuthRequest) (*services.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Client) CreateGithubConnector 

func (c *Client) CreateGithubConnector(connector services.GithubConnector) error

CreateGithubConnector creates a new Github connector

func (*Client) CreateOIDCAuthRequest added in v1.0.0 

func (c *Client) CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*Client) CreateRemoteCluster 

func (c *Client) CreateRemoteCluster(rc services.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateResetPasswordToken 

func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateResetPasswordTokenRequest) (services.ResetPasswordToken, error)

CreateResetPasswordToken creates reset password token

func (*Client) CreateRole 

func (c *Client) CreateRole(role services.Role) error

CreateRole creates a role.

func (*Client) CreateSAMLAuthRequest 

func (c *Client) CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAML AuthnRequest

func (*Client) CreateSAMLConnector 

func (c *Client) CreateSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

CreateOIDCConnector creates SAML connector

func (*Client) CreateSession added in v1.0.0 

func (c *Client) CreateSession(sess session.Session) error

CreateSession creates new session

func (*Client) CreateUser 

func (c *Client) CreateUser(ctx context.Context, user services.User) error

CreateUser inserts a new user entry in a backend.

func (*Client) CreateWebSession added in v1.0.0 

func (c *Client) CreateWebSession(user string) (services.WebSession, error)

CreateWebSession creates a new web session for a user

func (*Client) DeactivateCertAuthority 

func (c *Client) DeactivateCertAuthority(id services.CertAuthID) error

DeactivateCertAuthority moves a CertAuthority from the normal list to the deactivated list.

func (*Client) Delete 

func (c *Client) Delete(u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAccessRequest 

func (c *Client) DeleteAccessRequest(ctx context.Context, reqID string) error

func (*Client) DeleteAllAuthServers 

func (c *Client) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*Client) DeleteAllCertAuthorities 

func (c *Client) DeleteAllCertAuthorities(caType services.CertAuthType) error

DeleteAllCertAuthorities deletes all certificate authorities of a certain type

func (*Client) DeleteAllNamespaces 

func (c *Client) DeleteAllNamespaces() error

DeleteAllCertNamespaces deletes all namespaces

func (*Client) DeleteAllNodes 

func (c *Client) DeleteAllNodes(namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*Client) DeleteAllProxies 

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters 

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels 

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels deletes all reverse tunnels

func (*Client) DeleteAllRoles 

func (c *Client) DeleteAllRoles() error

DeleteAllRoles deletes all roles

func (*Client) DeleteAllTokens 

func (c *Client) DeleteAllTokens() error

DeleteAllTokens deletes all tokens

func (*Client) DeleteAllTunnelConnections 

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers 

func (c *Client) DeleteAllUsers() error

DeleteAllUsers deletes all users

func (*Client) DeleteAuthServer 

func (c *Client) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*Client) DeleteCertAuthority added in v1.0.0 

func (c *Client) DeleteCertAuthority(id services.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteClusterConfig 

func (c *Client) DeleteClusterConfig() error

DeleteClusterConfig deletes cluster config

func (*Client) DeleteClusterName 

func (c *Client) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*Client) DeleteGithubConnector 

func (c *Client) DeleteGithubConnector(ctx context.Context, id string) error

DeleteGithubConnector deletes the specified Github connector

func (*Client) DeleteNamespace 

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteNode 

func (c *Client) DeleteNode(namespace string, name string) error

DeleteNode deletes node in the namespace by name

func (*Client) DeleteOIDCConnector added in v1.0.0 

func (c *Client) DeleteOIDCConnector(ctx context.Context, connectorID string) error

DeleteOIDCConnector deletes OIDC connector by ID

func (*Client) DeleteProxy 

func (c *Client) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*Client) DeleteRemoteCluster 

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel added in v1.0.0 

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteRole 

func (c *Client) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes role by name

func (*Client) DeleteSAMLConnector 

func (c *Client) DeleteSAMLConnector(ctx context.Context, connectorID string) error

DeleteSAMLConnector deletes SAML connector by ID

func (*Client) DeleteSession 

func (c *Client) DeleteSession(namespace string, id session.ID) error

DeleteSession removes an active session from the backend.

func (*Client) DeleteStaticTokens 

func (c *Client) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*Client) DeleteToken added in v1.0.0 

func (c *Client) DeleteToken(token string) error

DeleteToken deletes a given provisioning token on the auth server (CA). It could be a reset password token or a machine token

func (*Client) DeleteTrustedCluster 

func (c *Client) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster deletes a trusted cluster by name.

func (*Client) DeleteTunnelConnection 

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections 

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteUser 

func (c *Client) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes a user by username.

func (*Client) DeleteWebSession 

func (c *Client) DeleteWebSession(user string, sid string) error

DeleteWebSession deletes a web session for this user by id

func (*Client) EmitAuditEvent added in v1.0.0 

func (c *Client) EmitAuditEvent(event events.Event, fields events.EventFields) error

EmitAuditEvent sends an auditable event to the auth server (part of evets.IAuditLog interface)

func (*Client) ExtendWebSession added in v1.0.0 

func (c *Client) ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateHostCert 

func (c *Client) GenerateHostCert(
	key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) GenerateKeyPair 

func (c *Client) GenerateKeyPair(pass string) ([]byte, []byte, error)

GenerateKeyPair generates SSH private/public key pair optionally protected by password. If the pass parameter is an empty string, the key pair is not password-protected.

func (*Client) GenerateServerKeys 

func (c *Client) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys, error)

RenewCredentials returns a new set of credentials associated with the server with the same privileges

func (*Client) GenerateToken 

func (c *Client) GenerateToken(ctx context.Context, req GenerateTokenRequest) (string, error)

GenerateToken creates a special provisioning token for a new SSH server that is valid for ttl period seconds.

This token is used by SSH server to authenticate with Auth server and get signed certificate and private key from the auth server.

If token is not supplied, it will be auto generated and returned. If TTL is not supplied, token will be valid until removed.

func (*Client) GenerateUserCerts 

func (c *Client) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificates.

func (*Client) Get 

func (c *Client) Get(u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAccessRequests 

func (c *Client) GetAccessRequests(ctx context.Context, filter services.AccessRequestFilter) ([]services.AccessRequest, error)

func (*Client) GetAllTunnelConnections 

func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAuthPreference 

func (c *Client) GetAuthPreference() (services.AuthPreference, error)

func (*Client) GetAuthServers added in v1.0.0 

func (c *Client) GetAuthServers() ([]services.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetCertAuthorities added in v1.0.0 

func (c *Client) GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority 

func (c *Client) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetClusterCACert 

func (c *Client) GetClusterCACert() (*LocalCAResponse, error)

GetClusterCACert returns the CAs for the local cluster without signing keys.

func (*Client) GetClusterConfig 

func (c *Client) GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfig returns cluster level configuration information.

func (*Client) GetClusterName 

func (c *Client) GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

GetClusterName returns a cluster name

func (*Client) GetDomainName added in v1.2.6 

func (c *Client) GetDomainName() (string, error)

GetDomainName returns local auth domain of the current auth server

func (*Client) GetGithubConnector 

func (c *Client) GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)

GetGithubConnector returns the specified Github connector

func (*Client) GetGithubConnectors 

func (c *Client) GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)

GetGithubConnectors returns all configured Github connectors

func (*Client) GetLocalClusterName 

func (c *Client) GetLocalClusterName() (string, error)

GetLocalClusterName returns local cluster name

func (*Client) GetNamespace 

func (c *Client) GetNamespace(name string) (*services.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces 

func (c *Client) GetNamespaces() ([]services.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetNodes added in v1.0.0 

func (c *Client) GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

GetNodes returns the list of servers registered in the cluster.

func (*Client) GetOIDCConnector added in v1.0.0 

func (c *Client) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

GetOIDCConnector returns OIDC connector information by id

func (*Client) GetOIDCConnectors added in v1.0.0 

func (c *Client) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

GetOIDCConnector gets OIDC connectors list

func (*Client) GetPluginData 

func (c *Client) GetPluginData(ctx context.Context, filter services.PluginDataFilter) ([]services.PluginData, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*Client) GetProxies added in v1.0.0 

func (c *Client) GetProxies() ([]services.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetRemoteCluster 

func (c *Client) GetRemoteCluster(clusterName string) (services.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters 

func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]services.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetResetPasswordToken 

func (c *Client) GetResetPasswordToken(ctx context.Context, tokenID string) (services.ResetPasswordToken, error)

func (*Client) GetReverseTunnel 

func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (services.ReverseTunnel, error)

GetReverseTunnel returns reverse tunnel by name

func (*Client) GetReverseTunnels added in v1.0.0 

func (c *Client) GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetRole 

func (c *Client) GetRole(name string) (services.Role, error)

GetRole returns role by name

func (*Client) GetRoles 

func (c *Client) GetRoles() ([]services.Role, error)

GetRoles returns a list of roles

func (*Client) GetSAMLConnector 

func (c *Client) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

GetOIDCConnector returns SAML connector information by id

func (*Client) GetSAMLConnectors 

func (c *Client) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

GetSAMLConnectors gets SAML connectors list

func (*Client) GetSession 

func (c *Client) GetSession(namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID

func (*Client) GetSessionChunk added in v1.0.0 

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents added in v1.0.0 

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessions 

func (c *Client) GetSessions(namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by auth server

func (*Client) GetSignupU2FRegisterRequest added in v1.3.0 

func (c *Client) GetSignupU2FRegisterRequest(token string) (u2fRegisterRequest *u2f.RegisterRequest, e error)

GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite tokenx

func (*Client) GetStaticTokens 

func (c *Client) GetStaticTokens() (services.StaticTokens, error)

GetStaticTokens returns a list of static register tokens

func (*Client) GetToken 

func (c *Client) GetToken(token string) (services.ProvisionToken, error)

GetToken returns provisioning token

func (*Client) GetTokens added in v1.0.0 

func (c *Client) GetTokens(opts ...services.MarshalOption) ([]services.ProvisionToken, error)

GetTokens returns a list of active invitation tokens for nodes and users

func (*Client) GetTransport added in v1.0.0 

func (c *Client) GetTransport() *http.Transport

func (*Client) GetTrustedCluster 

func (c *Client) GetTrustedCluster(name string) (services.TrustedCluster, error)

func (*Client) GetTrustedClusters 

func (c *Client) GetTrustedClusters() ([]services.TrustedCluster, error)

func (*Client) GetTunnelConnections 

func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetU2FAppID added in v1.3.0 

func (c *Client) GetU2FAppID() (string, error)

GetU2FAppID returns U2F settings, like App ID and Facets

func (*Client) GetU2FSignRequest added in v1.3.0 

func (c *Client) GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

GetU2FSignRequest generates request for user trying to authenticate with U2F token

func (*Client) GetUser added in v1.0.0 

func (c *Client) GetUser(name string, withSecrets bool) (services.User, error)

GetUser returns a list of usernames registered in the system

func (*Client) GetUserLoginAttempts 

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetUsers 

func (c *Client) GetUsers(withSecrets bool) ([]services.User, error)

GetUsers returns a list of usernames registered in the system

func (*Client) GetWebSessionInfo added in v1.0.0 

func (c *Client) GetWebSessionInfo(user string, sid string) (services.WebSession, error)

GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) KeepAliveNode 

func (c *Client) KeepAliveNode(ctx context.Context, keepAlive services.KeepAlive) error

KeepAliveNode updates node keep alive information

func (*Client) NewKeepAliver 

func (c *Client) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Client) NewWatcher 

func (c *Client) NewWatcher(ctx context.Context, watch services.Watch) (services.Watcher, error)

NewWatcher returns a new event watcher

func (*Client) Ping 

func (c *Client) Ping(ctx context.Context) (proto.PingResponse, error)

Ping gets basic info about the auth server.

func (*Client) PostForm 

func (c *Client) PostForm(endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON added in v1.0.0 

func (c *Client) PostJSON(endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) PostSessionSlice 

func (c *Client) PostSessionSlice(slice events.SessionSlice) error

PostSessionSlice allows clients to submit session stream chunks to the audit log (part of evets.IAuditLog interface)

The data is POSTed to HTTP server as a simple binary body (no encodings of any kind are needed)

func (*Client) ProcessKubeCSR 

func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*Client) PutJSON added in v1.0.0 

func (c *Client) PutJSON(endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterNewAuthServer 

func (c *Client) RegisterNewAuthServer(token string) error

RegisterNewAuthServer is used to register new auth server with token

func (*Client) RegisterUsingToken 

func (c *Client) RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) RotateCertAuthority 

func (c *Client) RotateCertAuthority(req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*Client) RotateExternalCertAuthority 

func (c *Client) RotateExternalCertAuthority(ca services.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is used to update only public keys and certificates of the the certificate authorities of trusted clusters.

func (*Client) RotateResetPasswordTokenSecrets 

func (c *Client) RotateResetPasswordTokenSecrets(ctx context.Context, tokenID string) (services.ResetPasswordTokenSecrets, error)

func (*Client) SearchEvents added in v1.0.0 

func (c *Client) SearchEvents(from, to time.Time, query string, limit int) ([]events.EventFields, error)

SearchEvents returns events that fit the criteria

func (*Client) SearchSessionEvents 

func (c *Client) SearchSessionEvents(from, to time.Time, limit int) ([]events.EventFields, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetAccessRequestState 

func (c *Client) SetAccessRequestState(ctx context.Context, reqID string, state services.RequestState) error

func (*Client) SetAuthPreference 

func (c *Client) SetAuthPreference(cap services.AuthPreference) error

func (*Client) SetClusterConfig 

func (c *Client) SetClusterConfig(cc services.ClusterConfig) error

SetClusterConfig sets cluster level configuration information.

func (*Client) SetClusterName 

func (c *Client) SetClusterName(cn services.ClusterName) error

SetClusterName sets cluster name once, will return Already Exists error if the name is already set

func (*Client) SetStaticTokens 

func (c *Client) SetStaticTokens(st services.StaticTokens) error

SetStaticTokens sets a list of static register tokens

func (*Client) TLSConfig 

func (c *Client) TLSConfig() *tls.Config

TLSConfig returns TLS config used by the client, could return nil if the client is not using TLS

func (*Client) UpdatePluginData 

func (c *Client) UpdatePluginData(ctx context.Context, params services.PluginDataUpdateParams) error

UpdatePluginData updates a per-resource PluginData entry.

func (*Client) UpdateSession added in v1.0.0 

func (c *Client) UpdateSession(req session.UpdateRequest) error

UpdateSession updates existing session

func (*Client) UpdateUser 

func (c *Client) UpdateUser(ctx context.Context, user services.User) error

UpdateUser updates an existing user in a backend.

func (*Client) UploadSessionRecording 

func (c *Client) UploadSessionRecording(r events.SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*Client) UpsertAuthServer added in v1.0.0 

func (c *Client) UpsertAuthServer(s services.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority added in v1.0.0 

func (c *Client) UpsertCertAuthority(ca services.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertClusterName 

func (c *Client) UpsertClusterName(cn services.ClusterName) error

UpsertClusterName updates or creates cluster name once

func (*Client) UpsertGithubConnector 

func (c *Client) UpsertGithubConnector(ctx context.Context, connector services.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector

func (*Client) UpsertLocalClusterName 

func (c *Client) UpsertLocalClusterName(string) error

UpsertLocalClusterName upserts local cluster name

func (*Client) UpsertNamespace 

func (c *Client) UpsertNamespace(ns services.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertNode added in v1.0.0 

func (c *Client) UpsertNode(s services.Server) (*services.KeepAlive, error)

UpsertNode is used by SSH servers to reprt their presence to the auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertNodes 

func (c *Client) UpsertNodes(namespace string, servers []services.Server) error

UpsertNodes bulk inserts nodes.

func (*Client) UpsertOIDCConnector added in v1.0.0 

func (c *Client) UpsertOIDCConnector(ctx context.Context, connector services.OIDCConnector) error

UpsertOIDCConnector updates or creates OIDC connector

func (*Client) UpsertPassword 

func (c *Client) UpsertPassword(user string, password []byte) error

UpsertPassword updates web access password for the user

func (*Client) UpsertProxy added in v1.0.0 

func (c *Client) UpsertProxy(s services.Server) error

UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel added in v1.0.0 

func (c *Client) UpsertReverseTunnel(tunnel services.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertRole 

func (c *Client) UpsertRole(ctx context.Context, role services.Role) error

UpsertRole creates or updates role

func (*Client) UpsertSAMLConnector 

func (c *Client) UpsertSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

UpsertSAMLConnector updates or creates OIDC connector

func (*Client) UpsertToken 

func (c *Client) UpsertToken(tok services.ProvisionToken) error

UpsertToken adds provisioning tokens for the auth server

func (*Client) UpsertTrustedCluster 

func (c *Client) UpsertTrustedCluster(ctx context.Context, trustedCluster services.TrustedCluster) (services.TrustedCluster, error)

UpsertTrustedCluster creates or updates a trusted cluster.

func (*Client) UpsertTunnelConnection 

func (c *Client) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser added in v1.0.0 

func (c *Client) UpsertUser(user services.User) error

UpsertUser user updates user entry.

func (*Client) ValidateGithubAuthCallback 

func (c *Client) ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback added in v1.0.0 

func (c *Client) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse 

func (c *Client) ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster 

func (c *Client) ValidateTrustedCluster(validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*Client) WaitForDelivery 

func (c *Client) WaitForDelivery(context.Context) error

type ClientConfig 

type ClientConfig struct {
	// Addrs is a list of addresses to dial
	Addrs []utils.NetAddr
	// Dialer is a custom dialer, if provided
	// is used instead of the list of addresses
	Dialer ContextDialer
	// KeepAlivePeriod defines period between keep alives
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies amount of missed keep alives
	// to wait for until declaring connection as broken
	KeepAliveCount int
	// TLS is a TLS config
	TLS *tls.Config
}

ClientConfig contains configuration of the client

func (*ClientConfig) CheckAndSetDefaults 

func (c *ClientConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values

type ClientI 

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	services.Presence
	services.Access
	services.DynamicAccess
	WebService
	session.Service
	services.ClusterConfiguration
	services.Events

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(req RotateRequest) error

	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of the
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ca services.CertAuthority) error

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successful, main cluster
	// adds remote cluster
	ValidateTrustedCluster(*ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName() (string, error)

	// GetClusterCACert returns the CAs for the local cluster without signing keys.
	GetClusterCACert() (*LocalCAResponse, error)

	// GenerateServerKeys generates new host private keys and certificates (signed
	// by the host certificate authority) for a node
	GenerateServerKeys(GenerateServerKeysRequest) (*PackedKeys, error)
	// AuthenticateWebUser authenticates web user, creates and  returns web session
	// in case if authentication is successful
	AuthenticateWebUser(req AuthenticateUserRequest) (services.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
	// short lived certificates as a result
	AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if successful.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

	// Ping gets basic info about the auth server.
	Ping(ctx context.Context) (proto.PingResponse, error)
}

ClientI is a client to Auth service

func NewAdminAuthServer 

func NewAdminAuthServer(authServer *AuthServer, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access

type ContextDialer 

type ContextDialer interface {
	// DialContext is a function that dials to the specified address
	DialContext(in context.Context, network, addr string) (net.Conn, error)
}

ContextDialer represents network dialer interface that uses context

func NewAddrDialer 

func NewAddrDialer(addrs []utils.NetAddr, keepAliveInterval time.Duration) ContextDialer

NewAddrDialer returns new dialer from a list of addresses

type ContextDialerFunc 

type ContextDialerFunc func(in context.Context, network, addr string) (net.Conn, error)

ContextDialerFunc is a function wrapper that implements ContextDialer interface

func (ContextDialerFunc) DialContext 

func (f ContextDialerFunc) DialContext(in context.Context, network, addr string) (net.Conn, error)

DialContext is a function that dials to the specified address

type CreateResetPasswordTokenRequest 

type CreateResetPasswordTokenRequest struct {
	// Name is the user name to reset.
	Name string `json:"name"`
	// TTL specifies how long the generated reset token is valid for.
	TTL time.Duration `json:"ttl"`
	// Type is a token type.
	Type string `json:"type"`
}

CreateResetPasswordTokenRequest is a request to create a new reset password token

func (*CreateResetPasswordTokenRequest) CheckAndSetDefaults 

func (r *CreateResetPasswordTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets the defaults

type Dialer added in v1.0.0 

type Dialer func(network, addr string) (net.Conn, error)

Dialer defines dialer function

type GRPCServer 

type GRPCServer struct {
	*logrus.Entry
	APIConfig
	// contains filtered or unexported fields
}

GRPCServer is GPRC Auth Server API

func (*GRPCServer) CreateAccessRequest 

func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *services.AccessRequestV3) (*empty.Empty, error)

func (*GRPCServer) CreateResetPasswordToken 

func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (*services.ResetPasswordTokenV3, error)

func (*GRPCServer) CreateUser 

func (g *GRPCServer) CreateUser(ctx context.Context, req *services.UserV2) (*empty.Empty, error)

CreateUser inserts a new user entry in a backend.

func (*GRPCServer) DeleteAccessRequest 

func (g *GRPCServer) DeleteAccessRequest(ctx context.Context, id *proto.RequestID) (*empty.Empty, error)

func (*GRPCServer) DeleteUser 

func (g *GRPCServer) DeleteUser(ctx context.Context, req *proto.DeleteUserRequest) (*empty.Empty, error)

DeleteUser deletes an existng user in a backend by username.

func (*GRPCServer) GenerateUserCerts 

func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *proto.UserCertsRequest) (*proto.Certs, error)

func (*GRPCServer) GetAccessRequests 

func (g *GRPCServer) GetAccessRequests(ctx context.Context, f *services.AccessRequestFilter) (*proto.AccessRequests, error)

func (*GRPCServer) GetPluginData 

func (g *GRPCServer) GetPluginData(ctx context.Context, filter *services.PluginDataFilter) (*proto.PluginDataSeq, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*GRPCServer) GetResetPasswordToken 

func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *proto.GetResetPasswordTokenRequest) (*services.ResetPasswordTokenV3, error)

func (*GRPCServer) GetUser 

func (g *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*services.UserV2, error)

func (*GRPCServer) GetUsers 

func (g *GRPCServer) GetUsers(req *proto.GetUsersRequest, stream proto.AuthService_GetUsersServer) error

func (*GRPCServer) Ping 

func (g *GRPCServer) Ping(ctx context.Context, req *proto.PingRequest) (*proto.PingResponse, error)

func (*GRPCServer) RotateResetPasswordTokenSecrets 

func (g *GRPCServer) RotateResetPasswordTokenSecrets(ctx context.Context, req *proto.RotateResetPasswordTokenSecretsRequest) (*services.ResetPasswordTokenSecretsV3, error)

func (*GRPCServer) SendKeepAlives 

func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error

SendKeepAlives allows node to send a stream of keep alive requests

func (*GRPCServer) ServeHTTP 

func (g *GRPCServer) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP dispatches requests based on the request type

func (*GRPCServer) SetAccessRequestState 

func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *proto.RequestStateSetter) (*empty.Empty, error)

func (*GRPCServer) UpdatePluginData 

func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *services.PluginDataUpdateParams) (*empty.Empty, error)

UpdatePluginData updates a per-resource PluginData entry.

func (*GRPCServer) UpdateUser 

func (g *GRPCServer) UpdateUser(ctx context.Context, req *services.UserV2) (*empty.Empty, error)

UpdateUser updates an existing user in a backend.

func (*GRPCServer) UpsertNode 

func (g *GRPCServer) UpsertNode(ctx context.Context, server *services.ServerV2) (*services.KeepAlive, error)

UpsertNode upserts node

func (*GRPCServer) WatchEvents 

func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error

WatchEvents returns a new stream of cluster events

type GenerateServerKeysRequest 

type GenerateServerKeysRequest struct {
	// HostID is a unique ID of the host
	HostID string `json:"host_id"`
	// NodeName is a user friendly host name
	NodeName string `json:"node_name"`
	// Roles is a list of roles assigned to node
	Roles teleport.Roles `json:"roles"`
	// AdditionalPrincipals is a list of additional principals
	// to include in OpenSSH and X509 certificates
	AdditionalPrincipals []string `json:"additional_principals"`
	// DNSNames is a list of DNS names
	// to include in the x509 client certificate
	DNSNames []string `json:"dns_names"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
	// RemoteAddr is the IP address of the remote host requesting a host
	// certificate. RemoteAddr is used to replace 0.0.0.0 in the list of
	// additional principals.
	RemoteAddr string `json:"remote_addr"`
	// Rotation allows clients to send the certificate authority rotation state
	// expected by client of the certificate authority backends, so auth servers
	// can avoid situation when clients request certs assuming one
	// state, and auth servers issue another
	Rotation *services.Rotation `json:"rotation,omitempty"`
	// NoCache is argument that only local callers can supply to bypass cache
	NoCache bool `json:"-"`
}

GenerateServerKeysRequest is a request to generate server keys

func (*GenerateServerKeysRequest) CheckAndSetDefaults 

func (req *GenerateServerKeysRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GenerateTokenRequest 

type GenerateTokenRequest struct {
	// Token if provided sets the token value, otherwise will be auto generated
	Token string `json:"token"`
	// Roles is a list of roles this token authenticates as
	Roles teleport.Roles `json:"roles"`
	// TTL is a time to live for token
	TTL time.Duration `json:"ttl"`
}

GenerateTokenRequest is a request to generate auth token

func (*GenerateTokenRequest) CheckAndSetDefaults 

func (req *GenerateTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of request

type GetClusterConfigFunc 

type GetClusterConfigFunc func(opts ...services.MarshalOption) (services.ClusterConfig, error)

GetClusterConfigFunc returns a cached services.ClusterConfig.

type GithubAuthResponse 

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity services.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session services.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req services.GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents Github auth callback validation response

type HandlerWithAuthFunc 

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type HostCredentials 

type HostCredentials func(context.Context, string, bool, RegisterUsingTokenRequest) (*PackedKeys, error)

CredGetter is an interface for a client that can be used to get host credentials. This interface is needed because lib/client can not be imported in lib/auth due to circular imports.

type Identity added in v1.0.0 

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// XCert is X509 client certificate
	XCert *x509.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is collection of certificates and signers that represent server identity

func GenerateIdentity 

func GenerateIdentity(a *AuthServer, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)

GenerateIdentity generates identity for the auth server

func LocalRegister added in v1.0.0 

func LocalRegister(id IdentityID, authServer *AuthServer, additionalPrincipals, dnsNames []string, remoteAddr string) (*Identity, error)

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.

func NewServerIdentity 

func NewServerIdentity(clt *AuthServer, hostID string, role teleport.Role) (*Identity, error)

NewServerIdentity generates new server identity, used in tests

func ReRegister 

func ReRegister(params ReRegisterParams) (*Identity, error)

ReRegister renews the certificates and private keys based on the client's existing identity.

func ReadIdentityFromKeyPair added in v1.0.0 

func ReadIdentityFromKeyPair(keys *PackedKeys) (*Identity, error)

ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.

func ReadLocalIdentity 

func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)

ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadSSHIdentityFromKeyPair 

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads identity from initialized keypair

func ReadTLSIdentityFromKeyPair 

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads TLS identity from key pair

func Register 

func Register(params RegisterParams) (*Identity, error)

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.

func (*Identity) HasDNSNames 

func (i *Identity) HasDNSNames(dnsNames []string) bool

HasDNSNames returns true if TLS certificate has required DNS names

func (*Identity) HasPrincipals 

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether identity has principals

func (*Identity) HasTLSConfig 

func (i *Identity) HasTLSConfig() bool

HasTSLConfig returns true if this identity has TLS certificate and private key

func (*Identity) SSHClientConfig 

func (i *Identity) SSHClientConfig() *ssh.ClientConfig

SSHClientConfig returns a ssh.ClientConfig used by nodes to connect to the reverse tunnel server.

func (*Identity) String 

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig 

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns TLS config for mutual TLS authentication can return NotFound error if there are no TLS credentials setup for identity

type IdentityGetter 

type IdentityGetter interface {
	// GetIdentity  returns x509-derived identity of the user
	GetIdentity() tlsca.Identity
}

IdentityGetter returns the unmapped client identity.

Unmapped means that if the client is a remote cluster user, the returned tlsca.Identity contains data from the remote cluster before role mapping is applied.

type IdentityID added in v1.0.0 

type IdentityID struct {
	Role     teleport.Role
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals added in v1.0.0 

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) HostID 

func (id *IdentityID) HostID() (string, error)

HostID is host ID part of the host UUID that consists cluster name

func (*IdentityID) String added in v1.0.0 

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService 

type IdentityService interface {
	// UpsertPassword updates web access password for the user
	UpsertPassword(user string, password []byte) error

	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(ctx context.Context, connector services.OIDCConnector) error

	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error)

	// GetOIDCConnector gets OIDC connectors list
	GetOIDCConnectors(withSecrets bool) ([]services.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(ctx context.Context, connectorID string) error

	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(req services.OIDCAuthRequest) (*services.OIDCAuthRequest, error)

	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse, error)

	// CreateSAMLConnector creates SAML connector
	CreateSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(ctx context.Context, connector services.SAMLConnector) error

	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error)

	// GetSAMLConnector gets SAML connectors list
	GetSAMLConnectors(withSecrets bool) ([]services.SAMLConnector, error)

	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(ctx context.Context, connectorID string) error

	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(req services.SAMLAuthRequest) (*services.SAMLAuthRequest, error)

	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(re string) (*SAMLAuthResponse, error)

	// CreateGithubConnector creates a new Github connector
	CreateGithubConnector(connector services.GithubConnector) error
	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(ctx context.Context, connector services.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(withSecrets bool) ([]services.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(id string, withSecrets bool) (services.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(ctx context.Context, id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(services.GithubAuthRequest) (*services.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(q url.Values) (*GithubAuthResponse, error)

	// GetU2FSignRequest generates request for user trying to authenticate with U2F token
	GetU2FSignRequest(user string, password []byte) (*u2f.SignRequest, error)

	// GetSignupU2FRegisterRequest generates sign request for user trying to sign up with invite token
	GetSignupU2FRegisterRequest(token string) (*u2f.RegisterRequest, error)

	// GetUser returns user by name
	GetUser(name string, withSecrets bool) (services.User, error)

	// CreateUser inserts a new entry in a backend.
	CreateUser(ctx context.Context, user services.User) error

	// UpdateUser updates an existing user in a backend.
	UpdateUser(ctx context.Context, user services.User) error

	// UpsertUser user updates or inserts user entry
	UpsertUser(user services.User) error

	// DeleteUser deletes an existng user in a backend by username.
	DeleteUser(ctx context.Context, user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers(withSecrets bool) ([]services.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the suplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(ctx context.Context, req GenerateTokenRequest) (string, error)

	// GenerateKeyPair generates SSH private/public key pair optionally protected
	// by password. If the pass parameter is an empty string, the key pair
	// is not password-protected.
	GenerateKeyPair(pass string) ([]byte, []byte, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(key []byte, hostID, nodeName string, principals []string, clusterName string, roles teleport.Roles, ttl time.Duration) ([]byte, error)

	// GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain
	// text format, signs it using User Certificate Authority signing key and
	// returns the resulting certificates.
	GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

	// DeleteAllUsers deletes all users
	DeleteAllUsers() error

	// CreateResetPasswordToken creates a new user reset token
	CreateResetPasswordToken(ctx context.Context, req CreateResetPasswordTokenRequest) (services.ResetPasswordToken, error)

	// ChangePasswordWithToken changes password with token
	ChangePasswordWithToken(ctx context.Context, req ChangePasswordWithTokenRequest) (services.WebSession, error)

	// GetResetPasswordToken returns token
	GetResetPasswordToken(ctx context.Context, username string) (services.ResetPasswordToken, error)

	// RotateResetPasswordTokenSecrets rotates token secrets for a given tokenID
	RotateResetPasswordTokenSecrets(ctx context.Context, tokenID string) (services.ResetPasswordTokenSecrets, error)
}

IdentityService manages identities and users

type IdentitySpecV2 

type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACert is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}

IdentitySpecV2 specifies credentials used by local process.

type IdentityV2 

type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}

IdentityV2 specifies local host identity.

func (*IdentityV2) CheckAndSetDefaults 

func (s *IdentityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type InitConfig 

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName services.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []services.CertAuthority

	// Resources is a list of previously backed-up resources used to
	// bootstrap backend on first start.
	Resources []services.Resource

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []services.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and hearbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// DynamicAccess is a service that manages dynamic RBAC.
	DynamicAccess services.DynamicAccess

	// Events is an event service
	Events services.Events

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Roles is a set of roles to create
	Roles []services.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//StaticTokens []services.ProvisionToken
	StaticTokens services.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor (off, otp, u2f) passed in from a configuration file.
	AuthPreference services.AuthPreference

	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog

	// ClusterConfig holds cluster level configuration.
	ClusterConfig services.ClusterConfig

	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodc operations.
	SkipPeriodicOperations bool

	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16

	// CASigningAlg is a signing algorithm used for SSH (certificate and
	// handshake) signatures for both host and user CAs. This option only
	// affects newly-created CAs.
	CASigningAlg *string
}

InitConfig is auth server init config

type KubeCSR 

type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}

KubeCSR is a kubernetes CSR request

func (*KubeCSR) CheckAndSetDefaults 

func (a *KubeCSR) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type KubeCSRResponse 

type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}

KubeCSRResponse is a response to kubernetes CSR request

type LocalCAResponse 

type LocalCAResponse struct {
	// TLSCA is the PEM-encoded TLS certificate authority.
	TLSCA []byte `json:"tls_ca"`
}

LocalCAResponse contains PEM-encoded local CAs.

type LocalUser 

type LocalUser struct {
	// Username is local username
	Username string
	// Identity is x509-derived identity used to build this user
	Identity tlsca.Identity
}

LocalUser is a local user

func (LocalUser) GetIdentity 

func (l LocalUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type LocalUserRoleSet 

type LocalUserRoleSet struct {
	services.RoleSet
}

LocalUserRoleSet wraps a services.RoleSet. This type is used to determine if the role is a local user or not.

type NewCachingAccessPoint 

type NewCachingAccessPoint func(clt ClientI, cacheName []string) (AccessPoint, error)

NewCachingAcessPoint returns new caching access point using access point policy

type OIDCAuthResponse added in v1.0.0 

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req services.OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds 

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a two factor authencication credentials

type PackedKeys 

type PackedKeys struct {
	// Key is a private key
	Key []byte `json:"key"`
	// Cert is an SSH host cert
	Cert []byte `json:"cert"`
	// TLSCert is an X509 certificate
	TLSCert []byte `json:"tls_cert"`
	// TLSCACerts is a list of TLS certificate authorities.
	TLSCACerts [][]byte `json:"tls_ca_certs"`
	// SSHCACerts is a list of SSH certificate authorities.
	SSHCACerts [][]byte `json:"ssh_ca_certs"`
}

PackedKeys is a collection of private key, SSH host certificate and TLS certificate and certificate authority issued the certificate

type PassCreds 

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type Plugin 

type Plugin interface {
	// AddHandlers adds handlers to the auth API server
	AddHandlers(srv *APIServer)
}

Plugin is auth API server extension setter

func GetPlugin 

func GetPlugin() Plugin

GetPlugin returns auth API server plugin that allows injecting handlers

type ProcessStorage 

type ProcessStorage struct {
	backend.Backend
}

ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.

func NewProcessStorage 

func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)

NewProcessStorage returns a new instance of the process storage.

func (*ProcessStorage) Close 

func (p *ProcessStorage) Close() error

Close closes all resources used by process storage backend.

func (*ProcessStorage) CreateState 

func (p *ProcessStorage) CreateState(role teleport.Role, state StateV2) error

CreateState creates process state if it does not exist yet.

func (*ProcessStorage) GetState 

func (p *ProcessStorage) GetState(role teleport.Role) (*StateV2, error)

GetState reads rotation state from disk.

func (*ProcessStorage) ReadIdentity 

func (p *ProcessStorage) ReadIdentity(name string, role teleport.Role) (*Identity, error)

ReadIdentity reads identity using identity name and role.

func (*ProcessStorage) WriteIdentity 

func (p *ProcessStorage) WriteIdentity(name string, id Identity) error

WriteIdentity writes identity to the backend.

func (*ProcessStorage) WriteState 

func (p *ProcessStorage) WriteState(role teleport.Role, state StateV2) error

WriteState writes local cluster state to the backend.

type ProvisioningService 

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens(opts ...services.MarshalOption) (tokens []services.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(token string) (services.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a reset password token or a machine token
	DeleteToken(token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(services.ProvisionToken) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(req RegisterUsingTokenRequest) (*PackedKeys, error)

	// RegisterNewAuthServer is used to register new auth server with token
	RegisterNewAuthServer(token string) error
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type ReRegisterParams 

type ReRegisterParams struct {
	// Client is an authenticated client using old credentials
	Client ClientI
	// ID is identity ID
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS Names to add to the x509 client certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority
	Rotation services.Rotation
}

ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)

type ReadAccessPoint 

type ReadAccessPoint interface {
	// Closer closes all the resources
	io.Closer
	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels(opts ...services.MarshalOption) ([]services.ReverseTunnel, error)

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (services.ClusterName, error)

	// GetClusterConfig returns cluster level configuration.
	GetClusterConfig(opts ...services.MarshalOption) (services.ClusterConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]services.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*services.Namespace, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]services.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]services.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(id services.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(caType services.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]services.CertAuthority, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (services.User, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers(withSecrets bool) ([]services.User, error)

	// GetRole returns role by name
	GetRole(name string) (services.Role, error)

	// GetRoles returns a list of roles
	GetRoles() ([]services.Role, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]services.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]services.TunnelConnection, error)
}

ReadAccessPoint is an API interface implemented by a certificate authority (CA)

type RegisterParams 

type RegisterParams struct {
	// DataDir is the data directory
	// storing CA certificate
	DataDir string
	// Token is a secure token to join the cluster
	Token string
	// ID is identity ID
	ID IdentityID
	// Servers is a list of auth servers to dial
	Servers []utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to x509 certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for TLS client connection
	CipherSuites []uint16
	// CAPin is the SKPI hash of the CA used to verify the Auth Server.
	CAPin string
	// CAPath is the path to the CA file.
	CAPath string
	// GetHostCredentials is a client that can fetch host credentials.
	GetHostCredentials HostCredentials
	// Clock specifies the time provider. Will be used to override the time anchor
	// for TLS certificate verification.
	// Defaults to real clock if unspecified
	Clock clockwork.Clock
}

RegisterParams specifies parameters for first time register operation with auth server

type RegisterUsingTokenRequest 

type RegisterUsingTokenRequest struct {
	// HostID is a unique host ID, usually a UUID
	HostID string `json:"hostID"`
	// NodeName is a node name
	NodeName string `json:"node_name"`
	// Role is a system role, e.g. Proxy
	Role teleport.Role `json:"role"`
	// Token is an authentication token
	Token string `json:"token"`
	// AdditionalPrincipals is a list of additional principals
	AdditionalPrincipals []string `json:"additional_principals"`
	// DNSNames is a list of DNS names to include in the x509 client certificate
	DNSNames []string `json:"dns_names"`
	// PublicTLSKey is a PEM encoded public key
	// used for TLS setup
	PublicTLSKey []byte `json:"public_tls_key"`
	// PublicSSHKey is a SSH encoded public key,
	// if present will be signed as a return value
	// otherwise, new public/private key pair will be generated
	PublicSSHKey []byte `json:"public_ssh_key"`
	// RemoteAddr is the remote address of the host requesting a host certificate.
	// It is used to replace 0.0.0.0 in the list of additional principals.
	RemoteAddr string `json:"remote_addr"`
}

RegisterUsingTokenRequest is a request to register with auth server using authentication token

func (*RegisterUsingTokenRequest) CheckAndSetDefaults 

func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks for errors and sets defaults

type RemoteBuiltinRole 

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role teleport.Role

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster.
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

func (RemoteBuiltinRole) GetIdentity 

func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteBuiltinRoleSet 

type RemoteBuiltinRoleSet struct {
	services.RoleSet
}

RemoteBuiltinRoleSet wraps a services.RoleSet. The type is used to determine if the role is a remote builtin or not.

type RemoteUser 

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`

	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`

	// KubernetesUsers is a list of Kubernetes users
	KubernetesUsers []string `json:"kubernetes_users"`

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteUser defines encoded remote user.

func (RemoteUser) GetIdentity 

func (r RemoteUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteUserRoleSet 

type RemoteUserRoleSet struct {
	services.RoleSet
}

RemoteUserRoleSet wraps a services.RoleSet. This type is used to determine if the role is a remote user or not.

type RotateRequest 

type RotateRequest struct {
	// Type is a certificate authority type, if omitted, both user and host CA
	// will be rotated.
	Type services.CertAuthType `json:"type"`
	// GracePeriod is used to generate cert rotation schedule that defines
	// times at which different rotation phases will be applied by the auth server
	// in auto mode. It is not used in manual rotation mode.
	// If omitted, default value is set, if 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period,
	// all existing users and hosts will have to re-login and re-added
	// into the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets desired rotation phase to move to, if not set
	// will be set automatically, it is a required argument
	// for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule,
	// autogenerated based on GracePeriod parameter if not set.
	Schedule *services.RotationSchedule `json:"schedule"`
}

RotateRequest is a request to start rotation of the certificate authority.

func (*RotateRequest) CheckAndSetDefaults 

func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values.

func (*RotateRequest) Types 

func (r *RotateRequest) Types() []services.CertAuthType

Types returns cert authority types requested to be rotated.

type SAMLAuthResponse 

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity services.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in SAMLAuthRequest
	Session services.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req services.SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider

type SSHLoginResponse 

type SSHLoginResponse struct {
	// User contains a logged in user informationn
	Username string `json:"username"`
	// Cert is a PEM encoded  signed certificate
	Cert []byte `json:"cert"`
	// TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

type SessionCreds 

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds is a web session credentials

type StateSpecV2 

type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation services.Rotation `json:"rotation"`
}

StateSpecV2 is a state spec.

type StateV2 

type StateV2 struct {
	// ResourceHeader is a common resource header.
	services.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}

StateV2 is a local process state.

func (*StateV2) CheckAndSetDefaults 

func (s *StateV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type TLSServer 

type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
	// Entry is TLS server logging entry
	*logrus.Entry
}

TLSServer is TLS auth server

func NewTLSServer 

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) GetConfigForClient 

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve 

func (t *TLSServer) Serve(listener net.Listener) error

Serve takes TCP listener, upgrades to TLS using config and starts serving

type TLSServerConfig 

type TLSServerConfig struct {
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is a caching access point
	AccessPoint AccessCache
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults 

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer 

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *AuthServer
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionLogger is a session logger
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
}

TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key

func NewTestAuthServer 

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns new instances of Auth server

func (*TestAuthServer) Clock 

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestAuthServer) GenerateUserCert 

func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*TestAuthServer) NewCertificate 

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by test auth server

func (*TestAuthServer) NewRemoteClient 

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates new client to the remote server using identity generated for this certificate authority

func (*TestAuthServer) NewTestTLSServer 

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server

func (*TestAuthServer) Trust 

func (a *TestAuthServer) Trust(remote *TestAuthServer, roleMap services.RoleMap) error

Trust adds other server host certificate authority as trusted

type TestAuthServerConfig 

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
}

TestAuthServerConfig is auth server test config

func (*TestAuthServerConfig) CheckAndSetDefaults 

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestIdentity 

type TestIdentity struct {
	I              interface{}
	TTL            time.Duration
	AcceptedUsage  []string
	RouteToCluster string
}

TestIdentity is test identity spec used to generate identities in tests

func TestAdmin 

func TestAdmin() TestIdentity

TestAdmin returns TestIdentity for admin user

func TestBuiltin 

func TestBuiltin(role teleport.Role) TestIdentity

TestBuiltin returns TestIdentity for builtin user

func TestNop 

func TestNop() TestIdentity

TestNop returns "Nop" - unauthenticated identity

func TestServerID 

func TestServerID(serverID string) TestIdentity

TestServerID returns a TestIdentity for a node with the passed in serverID.

func TestUser 

func TestUser(username string) TestIdentity

TestUser returns TestIdentity for local user

type TestTLSServer 

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer 

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port

func (*TestTLSServer) Addr 

func (t *TestTLSServer) Addr() net.Addr

Addr returns address of TLS server

func (*TestTLSServer) Auth 

func (t *TestTLSServer) Auth() *AuthServer

Auth returns auth server used by this TLS server

func (*TestTLSServer) CertPool 

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns cert pool that auth server represents

func (*TestTLSServer) ClientTLSConfig 

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns client TLS config based on the identity

func (*TestTLSServer) Clock 

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestTLSServer) CloneClient 

func (t *TestTLSServer) CloneClient(clt *Client) *Client

CloneClient uses the same credentials as the passed client but forces the client to be recreated

func (*TestTLSServer) Close 

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName 

func (t *TestTLSServer) ClusterName() string

ClusterName returns name of test TLS server cluster

func (*TestTLSServer) NewClient 

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns new client to test server authenticated with identity

func (*TestTLSServer) NewClientFromWebSession 

func (t *TestTLSServer) NewClientFromWebSession(sess services.WebSession) (*Client, error)

NewClientFromWebSession returns new authenticated client from web session

func (*TestTLSServer) Start 

func (t *TestTLSServer) Start() error

Start starts TLS server on loopback address on the first lisenting socket

func (*TestTLSServer) Stop 

func (t *TestTLSServer) Stop() error

Stop stops listening server, but does not close the auth backend

type TestTLSServerConfig 

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.LimiterConfig
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}

TestTLSServerConfig is a configuration for test TLS server

func (*TestTLSServerConfig) CheckAndSetDefaults 

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts 

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authoritiy
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

func AuthoritiesToTrustedCerts 

func AuthoritiesToTrustedCerts(authorities []services.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure

func (*TrustedCerts) SSHCertPublicKeys 

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys

type U2FSignResponseCreds 

type U2FSignResponseCreds struct {
	// SignResponse is a U2F sign resposne
	SignResponse u2f.SignResponse `json:"sign_response"`
}

U2FSignResponseCreds is a U2F signature sent by U2F device

type ValidateTrustedClusterRequest 

type ValidateTrustedClusterRequest struct {
	Token string                   `json:"token"`
	CAs   []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequest) ToRaw 

func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)

type ValidateTrustedClusterRequestRaw 

type ValidateTrustedClusterRequestRaw struct {
	Token string   `json:"token"`
	CAs   [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative 

func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)

type ValidateTrustedClusterResponse 

type ValidateTrustedClusterResponse struct {
	CAs []services.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw 

func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)

type ValidateTrustedClusterResponseRaw 

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative 

func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)

type WebService 

type WebService interface {
	// GetWebSessionInfo checks if a web sesion is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(user string, sid string) (services.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(user string, prevSessionID string) (services.WebSession, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(user string) (services.WebSession, error)
	// DeleteWebSession deletes a web session for this user by id
	DeleteWebSession(user string, sid string) error
}

WebService implements features used by Web UI clients

type WrapIdentity 

type WrapIdentity tlsca.Identity

WrapIdentity wraps identity to return identity getter function

func (WrapIdentity) GetIdentity 

func (i WrapIdentity) GetIdentity() tlsca.Identity

GetIdentity returns identity

type Wrapper 

type Wrapper struct {
	ReadAccessPoint
	Write AccessPoint
}

Wrapper wraps access point and auth cache in one client so that update operations are going through access point and read operations are going though cache

func (*Wrapper) Close 

func (w *Wrapper) Close() error

Close closes all associated resources

func (*Wrapper) DeleteTunnelConnection 

func (w *Wrapper) DeleteTunnelConnection(clusterName, connName string) error

DeleteTunnelConnection is a part of auth.AccessPoint implementation

func (*Wrapper) NewKeepAliver 

func (w *Wrapper) NewKeepAliver(ctx context.Context) (services.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Wrapper) UpsertAuthServer 

func (w *Wrapper) UpsertAuthServer(s services.Server) error

UpsertAuthServer is part of auth.AccessPoint implementation

func (*Wrapper) UpsertNode 

func (w *Wrapper) UpsertNode(s services.Server) (*services.KeepAlive, error)

UpsertNode is part of auth.AccessPoint implementation

func (*Wrapper) UpsertProxy 

func (w *Wrapper) UpsertProxy(s services.Server) error

UpsertProxy is part of auth.AccessPoint implementation

func (*Wrapper) UpsertTunnelConnection 

func (w *Wrapper) UpsertTunnelConnection(conn services.TunnelConnection) error

UpsertTunnelConnection is a part of auth.AccessPoint implementation

Source Files

View all Source files

Directories

Path Synopsis
package test contains CA authority acceptance test suite.
 package test contains CA authority acceptance test suite.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.