authz

package
Published: Jan 9, 2024 License: AGPL-3.0 Imports: 23 Imported by: 0


Constants

This section is empty.

Variables

var ErrIPPinningMismatch = trace.AccessDenied("pinned IP doesn't match observed client IP")

ErrIPPinningMismatch is returned when the user's pinned IP doesn't match the observed client IP.

var ErrIPPinningMissing = trace.AccessDenied("pinned IP is required for the user, but is not present on identity")

ErrIPPinningMissing is returned when the user's certificate should carry a pinned IP but doesn't.

var ErrIPPinningNotAllowed = trace.AccessDenied("IP pinning is not allowed for connections behind L4 load balancers with " +
	"PROXY protocol enabled without explicitly setting 'proxy_protocol: on' in the proxy_service and/or auth_service config.")

ErrIPPinningNotAllowed is returned when the identity requires IP pinning but the connection arrived through an L4 load balancer with PROXY protocol enabled while 'proxy_protocol: on' was not explicitly set in the proxy_service and/or auth_service config, so IP pinning cannot be performed.

var WithDelegator = utils.WithDelegator

WithDelegator is an alias for utils.WithDelegator, kept for backwards compatibility.

Functions

func AuthorizeAdminAction

func AuthorizeAdminAction(ctx context.Context, authCtx *Context) error

AuthorizeAdminAction will ensure that the user is authorized to perform admin actions.

func CheckIPPinning

func CheckIPPinning(ctx context.Context, identity tlsca.Identity, pinSourceIP bool, log logrus.FieldLogger) error

CheckIPPinning verifies IP pinning for the identity, using the client IP taken from context. Check is considered successful if no error is returned.

func ClientAddrsFromContext

func ClientAddrsFromContext(ctx context.Context) (src net.Addr, dst net.Addr)

ClientAddrsFromContext returns the client source and destination addresses from the context.

func ClientImpersonator

func ClientImpersonator(ctx context.Context) string

ClientImpersonator returns the impersonator username of a remote client making the call. If not present, it returns an empty string.

func ClientSrcAddrFromContext

func ClientSrcAddrFromContext(ctx context.Context) (net.Addr, error)

ClientSrcAddrFromContext returns the client source address from the context.

func ClientUserMetadata

func ClientUserMetadata(ctx context.Context) apievents.UserMetadata

ClientUserMetadata returns a UserMetadata suitable for events caused by a remote client making a call. If ctx didn't pass through auth middleware or did not come from an HTTP request, metadata for teleport.UserSystem is returned.

func ClientUserMetadataWithUser

func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata

ClientUserMetadataWithUser returns a UserMetadata suitable for events caused by a remote client making a call, with the specified username overriding the one from the remote client.

func ClientUsername

func ClientUsername(ctx context.Context) string

ClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, teleport.UserSystem is returned.

func ConnFromContext

func ConnFromContext(ctx context.Context) (net.Conn, error)

func ContextWithClientAddrs

func ContextWithClientAddrs(ctx context.Context, src, dst net.Addr) context.Context

ContextWithClientAddrs returns the context with the client source and destination addresses embedded.

func ContextWithClientSrcAddr

func ContextWithClientSrcAddr(ctx context.Context, addr net.Addr) context.Context

ContextWithClientSrcAddr returns the context with the address embedded.

func ContextWithConn

func ContextWithConn(ctx context.Context, conn net.Conn) context.Context

func ContextWithUser

func ContextWithUser(ctx context.Context, user IdentityGetter) context.Context

ContextWithUser returns the context with the user embedded.

func ContextWithUserCertificate

func ContextWithUserCertificate(ctx context.Context, cert *x509.Certificate) context.Context

ContextWithUserCertificate returns the context with the user certificate embedded.

func ConvertAuthorizerError

func ConvertAuthorizerError(ctx context.Context, log logrus.FieldLogger, err error) error

ConvertAuthorizerError will take an authorizer error and convert it into an error easily handled by gRPC services.

func GetClientUserIsSSO

func GetClientUserIsSSO(ctx context.Context) (bool, error)

GetClientUserIsSSO extracts the identity of a remote HTTP client and indicates whether that is an SSO user. If ctx didn't pass through auth middleware or did not come from an HTTP request, returns an error.

func GetClientUsername

func GetClientUsername(ctx context.Context) (string, error)

GetClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, returns an error.

func HasBuiltinRole

func HasBuiltinRole(authContext Context, name string) bool

HasBuiltinRole checks if the identity is a builtin role with the matching name.

func IsCurrentUser

func IsCurrentUser(authContext Context, username string) bool

IsCurrentUser checks if the identity is a local user matching the given username.

func IsLocalOrRemoteUser

func IsLocalOrRemoteUser(authContext Context) bool

IsLocalOrRemoteUser checks if the identity is either a local or remote user.

func IsLocalUser

func IsLocalUser(authContext Context) bool

IsLocalUser checks if the identity is a local user.

func IsRemoteUser

func IsRemoteUser(authContext Context) bool

IsRemoteUser checks if the identity is a remote user.

func RoleSetForBuiltinRoles

func RoleSetForBuiltinRoles(clusterName string, recConfig types.SessionRecordingConfig, roles ...types.SystemRole) (services.RoleSet, error)

RoleSetForBuiltinRoles returns the RoleSet for the given embedded builtin roles.

func UserCertificateFromContext

func UserCertificateFromContext(ctx context.Context) (*x509.Certificate, error)

UserCertificateFromContext returns the user certificate from the context.

Types

type Authorizer

type Authorizer interface {
	// Authorize authorizes the caller based on the identity supplied via ctx
	// (e.g. one embedded with ContextWithUser) and returns the resulting
	// authorization Context, or an error if authorization is denied.
	Authorize(ctx context.Context) (*Context, error)
}

Authorizer authorizes an identity and returns the resulting auth Context.

func NewAuthorizer

func NewAuthorizer(opts AuthorizerOpts) (Authorizer, error)

NewAuthorizer returns a new Authorizer using the backends supplied in opts.

type AuthorizerAccessPoint

type AuthorizerAccessPoint interface {
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetUser returns user by name.
	// withSecrets presumably controls whether the user's secrets are
	// included in the result — confirm against the implementation.
	GetUser(ctx context.Context, name string, withSecrets bool) (types.User, error)

	// GetCertAuthority returns cert authority by id.
	// loadKeys presumably controls whether private signing material is
	// loaded — confirm against the implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// ValidateMFAAuthResponse validates an MFA or passwordless challenge.
	// Returns the device used to solve the challenge (if applicable) and the username.
	// A non-nil error means the challenge response was NOT accepted.
	ValidateMFAAuthResponse(ctx context.Context, resp *proto.MFAAuthenticateResponse, user string, passwordless bool) (*types.MFADevice, string, error)
}

AuthorizerAccessPoint is the access point contract required by an Authorizer.

type AuthorizerFunc

// AuthorizerFunc adapts an ordinary func(ctx) (*Context, error) into an Authorizer;
// its Authorize method simply calls the function.
type AuthorizerFunc func(ctx context.Context) (*Context, error)

The AuthorizerFunc type is an adapter that allows ordinary functions to be used as an Authorizer. If f is a function with the appropriate signature, AuthorizerFunc(f) is an Authorizer that calls f.

func (AuthorizerFunc) Authorize

func (f AuthorizerFunc) Authorize(ctx context.Context) (*Context, error)

Authorize calls f(ctx).

type AuthorizerOpts

type AuthorizerOpts struct {
	// ClusterName is the name of the cluster the Authorizer serves.
	ClusterName string
	// AccessPoint supplies the backend reads (auth preference, roles, users,
	// cert authorities, cluster config, MFA validation) the Authorizer needs.
	AccessPoint AuthorizerAccessPoint
	// LockWatcher is the lock watcher consulted during authorization
	// (see Context.LockTargets for the targets it is checked against).
	LockWatcher *services.LockWatcher
	// Logger is the logger used by the Authorizer.
	Logger      logrus.FieldLogger

	// DeviceAuthorization holds Device Trust authorization options.
	//
	// Allows services that either do explicit device authorization or don't (yet)
	// support device trust to disable it.
	// Most services should not set this field.
	DeviceAuthorization DeviceAuthorizationOpts
}

AuthorizerOpts holds creation options for NewAuthorizer.

type BuiltinRole

type BuiltinRole struct {
	// Role is the primary builtin role this username is associated with
	Role types.SystemRole

	// AdditionalSystemRoles is a collection of additional system roles held by
	// this identity (only currently used by identities with RoleInstance as their
	// primary role).
	AdditionalSystemRoles types.SystemRoles

	// Username is for authentication tracking purposes. For service identities
	// it is expected to have the form "<server-id>.<cluster-name>"; see GetServerID.
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

BuiltinRole is the role of the Teleport service.

func (BuiltinRole) GetIdentity

func (r BuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

func (BuiltinRole) GetServerID

func (r BuiltinRole) GetServerID() string

GetServerID extracts the server ID from the full username. The username extracted from the node's identity (x.509 certificate) is expected to consist of "<server-id>.<cluster-name>", so the cluster name suffix is stripped to get the server ID.

Note that as of right now Teleport expects server id to be a UUID4 but older Gravity clusters used to override it with strings like "192_168_1_1.<cluster-name>" so this code can't rely on it being UUID4 to account for clusters upgraded from older versions.

func (BuiltinRole) IsServer

func (r BuiltinRole) IsServer() bool

IsServer returns true if the primary role is either RoleInstance, or one of the local service roles (e.g. proxy).

type Context

type Context struct {
	// User is the username
	User types.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity holds the caller identity:
	// 1. If caller is a user
	//   a. local user identity
	//   b. remote user identity remapped to local identity based on trusted
	//      cluster role mapping.
	// 2. If caller is a teleport instance, Identity holds their identity as-is
	//    (because there's no role mapping for non-human roles)
	Identity IdentityGetter
	// UnmappedIdentity holds the original caller identity. If this is a remote
	// user, UnmappedIdentity holds the data before role mapping. Otherwise,
	// it's identical to Identity.
	UnmappedIdentity IdentityGetter

	// AdminActionAuthorized is whether this auth request is verified for admin actions. This
	// either means that the request was MFA verified through the context or Hardware Key support,
	// or the identity does not require admin MFA (built in roles, bot impersonated user, etc).
	// AuthorizeAdminAction is the check that consumes this flag.
	AdminActionAuthorized bool
	// contains filtered or unexported fields
}

Context is the authorization context produced by an Authorizer.

func AuthorizeContextWithVerbs

func AuthorizeContextWithVerbs(ctx context.Context, log logrus.FieldLogger, authCtx *Context, quiet bool, ruleCtx *services.Context, kind string, verbs ...string) (*Context, error)

AuthorizeContextWithVerbs will ensure that the user has access to the given verbs for the given services.context.

func AuthorizeResourceWithVerbs

func AuthorizeResourceWithVerbs(ctx context.Context, log logrus.FieldLogger, authorizer Authorizer, quiet bool, resource types.Resource, verbs ...string) (*Context, error)

AuthorizeResourceWithVerbs will ensure that the user has access to the given verbs for the given kind.

func AuthorizeWithVerbs

func AuthorizeWithVerbs(ctx context.Context, log logrus.FieldLogger, authorizer Authorizer, quiet bool, kind string, verbs ...string) (*Context, error)

AuthorizeWithVerbs will ensure that the user has access to the given verbs for the given kind.

func ContextForBuiltinRole

func ContextForBuiltinRole(r BuiltinRole, recConfig types.SessionRecordingConfig) (*Context, error)

ContextForBuiltinRole returns a context with the builtin role information embedded.

func ContextForLocalUser

func ContextForLocalUser(ctx context.Context, u LocalUser, accessPoint AuthorizerAccessPoint, clusterName string, disableDeviceRoleMode bool) (*Context, error)

ContextForLocalUser returns a context with the local user info embedded.

func NewAdminContext

func NewAdminContext() (*Context, error)

NewAdminContext returns a new admin auth context.

func NewBuiltinRoleContext

func NewBuiltinRoleContext(role types.SystemRole) (*Context, error)

NewBuiltinRoleContext creates an auth context for the provided builtin role.

func (*Context) GetAccessState

func (c *Context) GetAccessState(authPref types.AuthPreference) services.AccessState

GetAccessState returns the AccessState based on the underlying services.AccessChecker and tlsca.Identity.

func (*Context) GetUserMetadata

func (c *Context) GetUserMetadata() apievents.UserMetadata

GetUserMetadata returns information about the authenticated identity to be included in audit events.

func (*Context) LockTargets

func (c *Context) LockTargets() []types.LockTarget

LockTargets returns a list of LockTargets inferred from the context's Identity and UnmappedIdentity.

func (*Context) WithExtraRoles

func (c *Context) WithExtraRoles(access services.RoleGetter, clusterName string, roles []string) (*Context, error)

WithExtraRoles returns a shallow copy of [c] where the user's roles have been extended with [roles]. It may return [c] unmodified.

type DeviceAuthorizationOpts

type DeviceAuthorizationOpts struct {
	// DisableGlobalMode disables the global device_trust.mode toggle.
	// See [types.DeviceTrust.Mode].
	// Setting this turns off cluster-wide device trust enforcement for the
	// Authorizer; most services should leave it unset.
	DisableGlobalMode bool

	// DisableRoleMode disables the role-based device trust toggle.
	// See [types.RoleOption.DeviceTrustMode].
	// Setting this turns off per-role device trust enforcement for the
	// Authorizer; most services should leave it unset.
	DisableRoleMode bool
}

DeviceAuthorizationOpts captures Device Trust options for AuthorizerOpts.

type IdentityGetter

type IdentityGetter interface {
	// GetIdentity returns the x509-derived identity of the client. For a
	// remote cluster user this is the unmapped identity, i.e. the data from
	// the remote cluster before role mapping is applied.
	GetIdentity() tlsca.Identity
}

IdentityGetter returns the unmapped client identity.

Unmapped means that if the client is a remote cluster user, the returned tlsca.Identity contains data from the remote cluster before role mapping is applied.

func UserFromContext

func UserFromContext(ctx context.Context) (IdentityGetter, error)

UserFromContext returns the user from the context.

type LocalUser

type LocalUser struct {
	// Username is the local username
	Username string
	// Identity is the x509-derived identity used to build this user;
	// GetIdentity returns it unchanged.
	Identity tlsca.Identity
}

LocalUser is a local user of this cluster.

func (LocalUser) GetIdentity

func (l LocalUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteBuiltinRole

type RemoteBuiltinRole struct {
	// Role is the builtin role of the remote Teleport service
	Role types.SystemRole

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster the service belongs to.
	ClusterName string

	// Identity is source x509 used to build this role; GetIdentity returns it.
	Identity tlsca.Identity
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

func (RemoteBuiltinRole) GetIdentity

func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

func (RemoteBuiltinRole) IsRemoteServer

func (r RemoteBuiltinRole) IsRemoteServer() bool

IsRemoteServer returns true if the primary role is either RoleRemoteProxy, or one of the local service roles (e.g. proxy) from the remote cluster.

type RemoteUser

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`

	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`

	// KubernetesUsers is a list of Kubernetes users
	KubernetesUsers []string `json:"kubernetes_users"`

	// DatabaseNames is a list of database names a user can connect to.
	DatabaseNames []string `json:"database_names"`

	// DatabaseUsers is a list of database users a user can connect as.
	DatabaseUsers []string `json:"database_users"`

	// Identity is the source x509 identity used to build this user;
	// GetIdentity returns it. Note it carries no json tag, unlike the
	// fields above.
	Identity tlsca.Identity
}

RemoteUser defines an encoded remote (trusted cluster) user.

func (RemoteUser) GetIdentity

func (r RemoteUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type WrapIdentity

// WrapIdentity is a tlsca.Identity that satisfies IdentityGetter; its
// GetIdentity method returns the wrapped identity.
type WrapIdentity tlsca.Identity

WrapIdentity wraps a tlsca.Identity so that it satisfies the IdentityGetter interface.

func (WrapIdentity) GetIdentity

func (i WrapIdentity) GetIdentity() tlsca.Identity

GetIdentity returns identity
