auth

package
v11.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 13, 2022 License: Apache-2.0 Imports: 144 Imported by: 0

Documentation

Overview

*

  • Copyright 2021 Gravitational, Inc. *
  • Licensed under the Apache License, Version 2.0 (the "License");
  • you may not use this file except in compliance with the License.
  • You may obtain a copy of the License at *
  • http://www.apache.org/licenses/LICENSE-2.0 *
  • Unless required by applicable law or agreed to in writing, software
  • distributed under the License is distributed on an "AS IS" BASIS,
  • WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  • See the License for the specific language governing permissions and
  • limitations under the License.

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Package auth implements certificate signing authority and access control server Authority server is composed of several parts:

* Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper

Index

Constants

View Source 
const (

	// MaxFailedAttemptsFromStartRecoveryErrMsg is a user friendly error message to try again later.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromStartRecoveryErrMsg = "you have reached max attempts, please try again later"

	// MaxFailedAttemptsFromVerifyRecoveryErrMsg is a user friendly error message to start over.
	// This error is defined in a variable so that the root caller can determine if an email needs to be sent.
	MaxFailedAttemptsFromVerifyRecoveryErrMsg = "too many incorrect attempts, please start over with a new recovery code"
)
View Source 
const (
	ErrFieldKeyUserMaxedAttempts = "maxed-attempts"

	// MaxFailedAttemptsErrMsg is a user friendly error message that tells a user that they are locked.
	MaxFailedAttemptsErrMsg = "too many incorrect attempts, please try again later"
)
View Source 
const (
	// BearerTokenTTL specifies standard bearer token to exist before
	// it has to be renewed by the client
	BearerTokenTTL = 10 * time.Minute

	// TokenLenBytes is len in bytes of the invite token
	TokenLenBytes = 16

	// RecoveryTokenLenBytes is len in bytes of a user token for recovery.
	RecoveryTokenLenBytes = 32

	// SessionTokenBytes is the number of bytes of a web or application session.
	SessionTokenBytes = 32
)
View Source 
const (
	// CurrentVersion is a current API version
	CurrentVersion = types.V2

	// MissingNamespaceError indicates that the client failed to
	// provide the namespace in the request.
	MissingNamespaceError = "missing required parameter: namespace"
)
View Source 
const (
	// GithubAuthPath is the GitHub authorization endpoint
	GithubAuthPath = "login/oauth/authorize"

	// GithubTokenPath is the GitHub token exchange endpoint
	GithubTokenPath = "login/oauth/access_token"

	// MaxPages is the maximum number of pagination links that will be followed.
	MaxPages = 99
)
View Source 
const (
	// ContextUser is a user set in the context of the request
	ContextUser contextKey = "teleport-user"
	// ContextClientAddr is a client address set in the context of the request
	ContextClientAddr contextKey = "client-addr"
)
View Source 
const (
	// IdentityCurrent is a name for the identity credentials that are
	// currently used by the process.
	IdentityCurrent = "current"
	// IdentityReplacement is a name for the identity credentials that are
	// replacing current identity credentials during CA rotation.
	IdentityReplacement = "replacement"
)
View Source 
const (
	// UserTokenTypeResetPasswordInvite is a token type used for the UI invite flow that
	// allows users to change their password and set second factor (if enabled).
	UserTokenTypeResetPasswordInvite = "invite"
	// UserTokenTypeResetPassword is a token type used for the UI flow where user
	// re-sets their password and second factor (if enabled).
	UserTokenTypeResetPassword = "password"
	// UserTokenTypeRecoveryStart describes a recovery token issued to users who
	// successfully verified their recovery code.
	UserTokenTypeRecoveryStart = "recovery_start"
	// UserTokenTypeRecoveryApproved describes a recovery token issued to users who
	// successfully verified their second auth credential (either password or a second factor) and
	// can now start changing their password or add a new second factor device.
	// This token is also used to allow users to delete exisiting second factor devices
	// and retrieve their new set of recovery codes as part of the recovery flow.
	UserTokenTypeRecoveryApproved = "recovery_approved"
	// UserTokenTypePrivilege describes a token type that grants access to a privileged action
	// that requires users to re-authenticate with their second factor while looged in. This
	// token is issued to users who has successfully re-authenticated.
	UserTokenTypePrivilege = "privilege"
	// UserTokenTypePrivilegeException describes a token type that allowed a user to bypass
	// second factor re-authentication which in other cases would be required eg:
	// allowing user to add a mfa device if they don't have any registered.
	UserTokenTypePrivilegeException = "privilege_exception"
)
View Source 
const LicenseExpiredNotification = "licenseExpired"

LicenseExpiredNotification defines a license expired notification

View Source 
const TokenExpiredOrNotFound = "token expired or not found"

TokenExpiredOrNotFound is a special message returned by the auth server when provisioning tokens are either past their TTL, or could not be found.

Variables

View Source 
var ErrDone = errors.New("done iterating")

ErrDone indicates that resource iteration is complete

View Source 
var ErrGithubNoTeams = trace.BadParameter("user does not belong to any teams configured in connector; the configuration may have typos.")

ErrGithubNoTeams results from a github user not belonging to any teams.

View Source 
var ErrOIDCNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")

ErrOIDCNoRoles results from not mapping any roles from OIDC claims.

View Source 
var ErrRequiresEnterprise = services.ErrRequiresEnterprise
View Source 
var ErrSAMLNoRoles = trace.AccessDenied("No roles mapped from claims. The mappings may contain typos.")

ErrSAMLNoRoles results from not mapping any roles from SAML claims.

View Source 
var GithubScopes = []string{

	"read:org",
}

GithubScopes is a list of scopes requested during OAuth2 flow

View Source 
var MinSupportedModeratedSessionsVersion = semver.New(utils.VersionBeforeAlpha("9.0.0"))
View Source 
var (

	// UserLoginCount counts user logins
	UserLoginCount = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: teleport.MetricUserLoginCount,
			Help: "Number of times there was a user login",
		},
	)
)
View Source 
var WithDelegator = utils.WithDelegator

WithDelegator alias for backwards compatibility

Functions

func BotResourceName 

func BotResourceName(botName string) string

BotResourceName returns the default name for resources associated with the given named bot.

func CertAuthorityInfo 

func CertAuthorityInfo(ca types.CertAuthority) string

CertAuthorityInfo returns debugging information about certificate authority

func CertInfo 

func CertInfo(cert *x509.Certificate) string

CertInfo returns diagnostic information about certificate

func ClientCertPool 

func ClientCertPool(client AccessCache, clusterName string, caTypes ...types.CertAuthType) (*x509.CertPool, int64, error)

ClientCertPool returns trusted x509 certificate authority pool with CAs provided as caTypes. In addition, it returns the total length of all subjects added to the cert pool, allowing the caller to validate that the pool doesn't exceed the maximum 2-byte length prefix before using it.

func ClientImpersonator 

func ClientImpersonator(ctx context.Context) string

ClientImpersonator returns the impersonator username of a remote client making the call. If not present, returns an empty string

func ClientTimeout 

func ClientTimeout(timeout time.Duration) roundtrip.ClientParam

ClientTimeout sets idle and dial timeouts of the HTTP transport used by the client.

func ClientUserMetadata 

func ClientUserMetadata(ctx context.Context) apievents.UserMetadata

ClientUserMetadata returns a UserMetadata suitable for events caused by a remote client making a call. If ctx didn't pass through auth middleware or did not come from an HTTP request, metadata for teleport.UserSystem is returned.

func ClientUserMetadataWithUser 

func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata

ClientUserMetadataWithUser returns a UserMetadata suitable for events caused by a remote client making a call, with the specified username overriding the one from the remote client.

func ClientUsername 

func ClientUsername(ctx context.Context) string

ClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, teleport.UserSystem is returned.

func ContainsSessionKind 

func ContainsSessionKind(s []string, e types.SessionKind) bool

func CreateAccessPluginUser 

func CreateAccessPluginUser(ctx context.Context, clt clt, username string) (types.User, error)

CreateAccessPluginUser creates a user with list/read abilites for access requests, and list/read/update abilities for access plugin data.

func CreateRole 

func CreateRole(ctx context.Context, clt clt, name string, spec types.RoleSpecV5) (types.Role, error)

CreateRole creates a role without assigning any users. Used in tests.

func CreateUser 

func CreateUser(clt clt, username string, roles ...types.Role) (types.User, error)

CreateUser creates user and role and assigns role to a user, used in tests

func CreateUserAndRole 

func CreateUserAndRole(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)

CreateUserAndRole creates user and role and assigns role to a user, used in tests

func CreateUserAndRoleWithoutRoles 

func CreateUserAndRoleWithoutRoles(clt clt, username string, allowedLogins []string) (types.User, types.Role, error)

CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests

func CreateUserRoleAndRequestable 

func CreateUserRoleAndRequestable(clt clt, username string, rolename string) (types.User, error)

CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.

func DefaultClientCertPool 

func DefaultClientCertPool(client AccessCache, clusterName string) (*x509.CertPool, int64, error)

DefaultClientCertPool returns default trusted x509 certificate authority pool.

func DefaultDNSNamesForRole 

func DefaultDNSNamesForRole(role types.SystemRole) []string

DefaultDNSNamesForRole returns default DNS names for the specified role.

func ExtractHostID 

func ExtractHostID(hostName string, clusterName string) (string, error)

ExtractHostID returns host id based on the hostname

func GetClientUsername 

func GetClientUsername(ctx context.Context) (string, error)

GetClientUsername returns the username of a remote HTTP client making the call. If ctx didn't pass through auth middleware or did not come from an HTTP request, returns an error.

func HasBuiltinRole 

func HasBuiltinRole(authContext Context, name string) bool

HasBuiltinRole checks if the identity is a builtin role with the matching name.

func HasRemoteBuiltinRole 

func HasRemoteBuiltinRole(authContext Context, name string) bool

HasRemoteBuiltinRole checks if the identity is a remote builtin role with the matching name.

func HasV5Role 

func HasV5Role(roles []types.Role) bool

func HostFQDN 

func HostFQDN(hostUUID, clusterName string) string

HostFQDN consists of host UUID and cluster name joined via .

func IsInvalidLocalCredentialError 

func IsInvalidLocalCredentialError(err error) bool

IsInvalidLocalCredentialError checks if an error resulted from an incorrect username, password, or second factor.

func NewAPIServer 

func NewAPIServer(config *APIConfig) (http.Handler, error)

NewAPIServer returns a new instance of APIServer HTTP handler

func ParseSAMLInResponseTo 

func ParseSAMLInResponseTo(response string) (string, error)

func PrivateKeyToPublicKeyTLS 

func PrivateKeyToPublicKeyTLS(privateKey []byte) (tlsPublicKey []byte, err error)

PrivateKeyToPublicKeyTLS gets the TLS public key from a raw private key.

func Register 

func Register(params RegisterParams) (*proto.Certs, error)

Register is used to generate host keys when a node or proxy are running on different hosts than the auth server. This method requires provisioning tokens to prove a valid auth server was used to issue the joining request as well as a method for the node to validate the auth server.

func RoleSetForBuiltinRoles 

func RoleSetForBuiltinRoles(clusterName string, recConfig types.SessionRecordingConfig, roles ...types.SystemRole) (services.RoleSet, error)

RoleSetForBuiltinRole returns RoleSet for embedded builtin role

func SliceContainsMode 

func SliceContainsMode(s []types.SessionParticipantMode, e types.SessionParticipantMode) bool

func TLSCertInfo 

func TLSCertInfo(cert *tls.Certificate) string

TLSCertInfo returns diagnostic information about certificate

func WaitForAppSession 

func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error

WaitForAppSession will block until the requested application session shows up in the cache or a timeout occurs.

func WaitForSnowflakeSession 

func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error

WaitForSnowflakeSession waits until the requested Snowflake session shows up int the cache or a timeout occurs.

func WithClusterCAs 

func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName string, log logrus.FieldLogger) func(*tls.ClientHelloInfo) (*tls.Config, error)

WithClusterCAs returns a TLS hello callback that returns a copy of the provided TLS config with client CAs pool of the specified cluster.

Types

type APIClient 

type APIClient = client.Client

APIClient is aliased here so that it can be embedded in Client.

type APIConfig 

type APIConfig struct {
	PluginRegistry plugin.Registry
	AuthServer     *Server
	SessionService session.Service
	AuditLog       events.IAuditLog
	Authorizer     Authorizer
	Emitter        apievents.Emitter
	// KeepAlivePeriod defines period between keep alives
	KeepAlivePeriod time.Duration
	// KeepAliveCount specifies amount of missed keep alives
	// to wait for until declaring connection as broken
	KeepAliveCount int
	// MetadataGetter retrieves additional metadata about session uploads.
	// Will be nil if audit logging is not enabled.
	MetadataGetter events.UploadMetadataGetter
}

func (*APIConfig) CheckAndSetDefaults 

func (a *APIConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type APIServer 

type APIServer struct {
	APIConfig
	httprouter.Router
	clockwork.Clock
}

APIServer implements http API server for AuthServer interface

type AccessCache 

type AccessCache interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}

AccessCache is a subset of the interface working on the certificate authorities

type Announcer 

type Announcer interface {
	// UpsertNode registers node presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)

	// UpsertProxy registers proxy presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(s types.Server) error

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(s types.Server) error

	// UpsertKubeService registers kubernetes presence, permanently if ttl is 0
	// or for the specified duration with second resolution if it's >= 1 second
	// DELETE IN 11.0. Deprecated, use UpsertKubeServiceV2
	UpsertKubeService(context.Context, types.Server) error

	// UpsertKubeServiceV2 registers a kubernetes service
	// DELETE IN 13.0. Deprecated, use UpsertKubernetesServer
	UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error)

	// UpsertKubernetesServer registers a kubernetes server
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)

	// UpsertDatabaseServer registers a database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)

	// UpsertWindowsDesktopService registers a Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)

	// CreateWindowsDesktop registers a Windows desktop host.
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpdateWindowsDesktop updates a Windows desktop host.
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
}

Announcer specifies interface responsible for announcing presence

type AppTestCertRequest 

type AppTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Username is the Teleport user name to sign certificate for.
	Username string
	// TTL is the test certificate validity period.
	TTL time.Duration
	// PublicAddr is the application public address. Used for routing.
	PublicAddr string
	// ClusterName is the name of the cluster application resides in. Used for routing.
	ClusterName string
	// SessionID is the optional session ID to encode. Used for routing.
	SessionID string
	// AWSRoleARN is optional AWS role ARN a user wants to assume to encode.
	AWSRoleARN string
}

AppTestCertRequest combines parameters for generating a test app access cert.

type AppsAccessPoint 

type AppsAccessPoint interface {
	// ReadAppsAccessPoint provides methods to read data
	ReadAppsAccessPoint
	// contains filtered or unexported methods
}

AppsAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.

func NewAppsWrapper 

func NewAppsWrapper(base AppsAccessPoint, cache ReadAppsAccessPoint) AppsAccessPoint

type AppsWrapper 

type AppsWrapper struct {
	ReadAppsAccessPoint

	NoCache AppsAccessPoint
	// contains filtered or unexported fields
}

func (*AppsWrapper) Close 

func (w *AppsWrapper) Close() error

Close closes all associated resources

type AuthenticateSSHRequest 

type AuthenticateSSHRequest struct {
	// AuthenticateUserRequest is a request with credentials
	AuthenticateUserRequest
	// PublicKey is a public key in ssh authorized_keys format
	PublicKey []byte `json:"public_key"`
	// TTL is a requested TTL for certificates to be issues
	TTL time.Duration `json:"ttl"`
	// CompatibilityMode sets certificate compatibility mode with old SSH clients
	CompatibilityMode string `json:"compatibility_mode"`
	RouteToCluster    string `json:"route_to_cluster"`
	// KubernetesCluster sets the target kubernetes cluster for the TLS
	// certificate. This can be empty on older clients.
	KubernetesCluster string `json:"kubernetes_cluster"`
	// AttestationStatement is an attestation statement associated with the given public key.
	AttestationStatement *keys.AttestationStatement `json:"attestation_statement,omitempty"`
}

AuthenticateSSHRequest is a request to authenticate SSH client user via CLI

func (*AuthenticateSSHRequest) CheckAndSetDefaults 

func (a *AuthenticateSSHRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default certificate values

type AuthenticateUserRequest 

type AuthenticateUserRequest struct {
	// Username is a username
	Username string `json:"username"`
	// Pass is a password used in local authentication schemes
	Pass *PassCreds `json:"pass,omitempty"`
	// Webauthn is a signed credential assertion, used in MFA authentication
	Webauthn *wanlib.CredentialAssertionResponse `json:"webauthn,omitempty"`
	// OTP is a password and second factor, used for MFA authentication
	OTP *OTPCreds `json:"otp,omitempty"`
	// Session is a web session credential used to authenticate web sessions
	Session *SessionCreds `json:"session,omitempty"`
	// ClientMetadata includes forwarded information about a client
	ClientMetadata *ForwardedClientMetadata `json:"client_metadata,omitempty"`
}

AuthenticateUserRequest is a request to authenticate interactive user

func (*AuthenticateUserRequest) CheckAndSetDefaults 

func (a *AuthenticateUserRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Authorizer 

type Authorizer interface {
	// Authorize authorizes user based on identity supplied via context
	Authorize(ctx context.Context) (*Context, error)
}

Authorizer authorizes identity and returns auth context

func NewAuthorizer 

func NewAuthorizer(clusterName string, accessPoint AuthorizerAccessPoint, lockWatcher *services.LockWatcher) (Authorizer, error)

NewAuthorizer returns new authorizer using backends

type AuthorizerAccessPoint 

type AuthorizerAccessPoint interface {
	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)
}

AuthorizerAccessPoint is the access point contract required by an Authorizer

type BuiltinRole 

type BuiltinRole struct {
	// Role is the primary builtin role this username is associated with
	Role types.SystemRole

	// AdditionalSystemRoles is a collection of additional system roles held by
	// this identity (only currently used by identities with RoleInstance as their
	// primary role).
	AdditionalSystemRoles types.SystemRoles

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the local cluster
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

BuiltinRole is the role of the Teleport service.

func (BuiltinRole) GetIdentity 

func (r BuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

func (BuiltinRole) GetServerID 

func (r BuiltinRole) GetServerID() string

GetServerID extracts the identity from the full name. The username extracted from the node's identity (x.509 certificate) is expected to consist of "<server-id>.<cluster-name>" so strip the cluster name suffix to get the server id.

Note that as of right now Teleport expects server id to be a UUID4 but older Gravity clusters used to override it with strings like "192_168_1_1.<cluster-name>" so this code can't rely on it being UUID4 to account for clusters upgraded from older versions.

func (BuiltinRole) IsServer 

func (r BuiltinRole) IsServer() bool

IsServer returns true if the primary role is either RoleInstance, or one of the local service roles (e.g. proxy).

type Cache 

type Cache interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetUsers returns a list of local users registered with this domain
	GetUsers(withSecrets bool) ([]types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)

	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)

	// GetWebSession gets a web session for the given request
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken gets a web token for the given request
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns windows desktop hosts.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

	// GetWindowsDesktopService returns a windows desktop host by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() (types.StaticTokens, error)

	// GetTokens returns all active (non-expired) provisioning tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)

	// GetToken finds and returns token by ID
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// GetLock gets a lock by name.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLock(ctx context.Context, name string) (types.Lock, error)

	// GetLocks gets all/in-force locks that match at least one of the targets
	// when specified.
	// NOTE: This method is intentionally available only for the auth server
	// cache, the other Teleport components should make use of
	// services.LockWatcher that provides the necessary freshness guarantees.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)

	// ListResources returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
	// ListWindowsDesktops returns a paginated list of windows desktops.
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	// ListWindowsDesktopServices returns a paginated list of windows desktops.
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)

	// GetInstaller gets installer resource for this cluster
	GetInstaller(ctx context.Context, name string) (types.Installer, error)

	// GetInstallers gets all the installer resources.
	GetInstallers(ctx context.Context) ([]types.Installer, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

Cache is a subset of the auth interface handling access to the discovery API and static tokens

type CertAuthorityMap 

type CertAuthorityMap = map[types.CertAuthType]types.CertAuthority

type Client 

type Client struct {
	// APIClient is used to make gRPC requests to the server
	*APIClient
	// HTTPClient is used to make http requests to the server
	*HTTPClient
}

Client is the Auth API client. It works by connecting to auth servers via gRPC and HTTP.

When Teleport servers connect to auth API, they usually establish an SSH tunnel first, and then do HTTP-over-SSH. This client is wrapped by auth.TunClient in lib/auth/tun.go

NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.

func NewClient 

func NewClient(cfg client.Config, params ...roundtrip.ClientParam) (*Client, error)

NewClient creates a new API client with a connection to a Teleport server.

The client will use the first credentials and the given dialer. If no dialer is given, the first address will be used. This address must be an auth server address.

NOTE: This client is being deprecated in favor of the gRPC Client in teleport/api/client. This Client should only be used internally, or for functionality that hasn't been ported to the new client yet.

func (*Client) ActivateCertAuthority 

func (c *Client) ActivateCertAuthority(id types.CertAuthID) error

ActivateCertAuthority not implemented: can only be called locally.

func (*Client) AddUserLoginAttempt 

func (c *Client) AddUserLoginAttempt(user string, attempt services.LoginAttempt, ttl time.Duration) error

AddUserLoginAttempt logs user login attempt

func (*Client) AuthenticateSSHUser 

func (c *Client) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*Client) AuthenticateWebUser 

func (c *Client) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns web session in case if authentication is successful

func (*Client) ChangePassword 

func (c *Client) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*Client) CheckPassword 

func (c *Client) CheckPassword(user string, password []byte, otpToken string) error

CheckPassword checks if the suplied web access password is valid.

func (*Client) Close 

func (c *Client) Close() error

func (*Client) CompareAndSwapCertAuthority 

func (c *Client) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*Client) CompareAndSwapUser 

func (c *Client) CompareAndSwapUser(ctx context.Context, new, expected types.User) error

CompareAndSwapUser not implemented: can only be called locally

func (*Client) CreateAuditStream 

func (c *Client) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates new audit stream. This is a wrapper on the grpc endpoint and is deprecated. DELETE IN 7.0.0

func (*Client) CreateBot 

func (c *Client) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)

CreateBot creates a bot and associated resources.

func (*Client) CreateCertAuthority 

func (c *Client) CreateCertAuthority(ca types.CertAuthority) error

CreateCertAuthority not implemented: can only be called locally.

func (*Client) CreateRemoteCluster 

func (c *Client) CreateRemoteCluster(rc types.RemoteCluster) error

CreateRemoteCluster creates remote cluster resource

func (*Client) CreateResetPasswordToken 

func (c *Client) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

CreateResetPasswordToken creates reset password token

func (*Client) CreateRole 

func (c *Client) CreateRole(ctx context.Context, role types.Role) error

CreateRole not implemented: can only be called locally.

func (*Client) CreateSession 

func (c *Client) CreateSession(ctx context.Context, sess session.Session) error

CreateSession creates new session DELETE IN 12.0.0

func (*Client) CreateWebSession 

func (c *Client) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for a user

func (*Client) DeactivateCertAuthority 

func (c *Client) DeactivateCertAuthority(id types.CertAuthID) error

DeactivateCertAuthority not implemented: can only be called locally.

func (*Client) Delete 

func (c *Client) Delete(ctx context.Context, u string) (*roundtrip.Response, error)

Delete issues http Delete Request to the server

func (*Client) DeleteAllAuthServers 

func (c *Client) DeleteAllAuthServers() error

DeleteAllAuthServers not implemented: can only be called locally.

func (*Client) DeleteAllCertAuthorities 

func (c *Client) DeleteAllCertAuthorities(caType types.CertAuthType) error

DeleteAllCertAuthorities not implemented: can only be called locally.

func (*Client) DeleteAllLocks 

func (c *Client) DeleteAllLocks(context.Context) error

DeleteAllLocks not implemented: can only be called locally.

func (*Client) DeleteAllNamespaces 

func (c *Client) DeleteAllNamespaces() error

DeleteAllCertNamespaces not implemented: can only be called locally.

func (*Client) DeleteAllProxies 

func (c *Client) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*Client) DeleteAllRemoteClusters 

func (c *Client) DeleteAllRemoteClusters() error

DeleteAllRemoteClusters deletes all remote clusters

func (*Client) DeleteAllReverseTunnels 

func (c *Client) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels not implemented: can only be called locally.

func (*Client) DeleteAllRoles 

func (c *Client) DeleteAllRoles() error

DeleteAllRoles not implemented: can only be called locally.

func (*Client) DeleteAllTokens 

func (c *Client) DeleteAllTokens() error

DeleteAllTokens not implemented: can only be called locally.

func (*Client) DeleteAllTunnelConnections 

func (c *Client) DeleteAllTunnelConnections() error

DeleteAllTunnelConnections deletes all tunnel connections

func (*Client) DeleteAllUsers 

func (c *Client) DeleteAllUsers() error

DeleteAllUsers not implemented: can only be called locally.

func (*Client) DeleteAuthPreference 

func (c *Client) DeleteAuthPreference(context.Context) error

DeleteAuthPreference not implemented: can only be called locally.

func (*Client) DeleteAuthServer 

func (c *Client) DeleteAuthServer(name string) error

DeleteAuthServer not implemented: can only be called locally.

func (*Client) DeleteBot 

func (c *Client) DeleteBot(ctx context.Context, botName string) error

DeleteBot deletes a certificate renewal bot and associated resources.

func (*Client) DeleteCertAuthority 

func (c *Client) DeleteCertAuthority(id types.CertAuthID) error

DeleteCertAuthority deletes cert authority by ID

func (*Client) DeleteClusterAuditConfig 

func (c *Client) DeleteClusterAuditConfig(ctx context.Context) error

DeleteClusterAuditConfig not implemented: can only be called locally.

func (*Client) DeleteClusterName 

func (c *Client) DeleteClusterName() error

DeleteClusterName not implemented: can only be called locally.

func (*Client) DeleteClusterNetworkingConfig 

func (c *Client) DeleteClusterNetworkingConfig(ctx context.Context) error

DeleteClusterNetworkingConfig not implemented: can only be called locally.

func (*Client) DeleteNamespace 

func (c *Client) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*Client) DeleteProxy 

func (c *Client) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*Client) DeleteRemoteCluster 

func (c *Client) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster by name

func (*Client) DeleteReverseTunnel 

func (c *Client) DeleteReverseTunnel(domainName string) error

DeleteReverseTunnel deletes reverse tunnel by domain name

func (*Client) DeleteSession 

func (c *Client) DeleteSession(ctx context.Context, namespace string, id session.ID) error

DeleteSession removes an active session from the backend. DELETE IN 12.0.0

func (*Client) DeleteSessionRecordingConfig 

func (c *Client) DeleteSessionRecordingConfig(ctx context.Context) error

DeleteSessionRecordingConfig not implemented: can only be called locally.

func (*Client) DeleteStaticTokens 

func (c *Client) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*Client) DeleteTunnelConnection 

func (c *Client) DeleteTunnelConnection(clusterName string, connName string) error

DeleteTunnelConnection deletes tunnel connection by name

func (*Client) DeleteTunnelConnections 

func (c *Client) DeleteTunnelConnections(clusterName string) error

DeleteTunnelConnections deletes all tunnel connections for cluster

func (*Client) DeleteWebSession 

func (c *Client) DeleteWebSession(ctx context.Context, user string, sid string) error

DeleteWebSession deletes the web session specified with sid for the given user

func (*Client) ExtendWebSession 

func (c *Client) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on another valid web session

func (*Client) GenerateCertAuthorityCRL 

func (c *Client) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for a CA.

func (*Client) GenerateHostCert 

func (c *Client) GenerateHostCert(
	ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration,
) ([]byte, error)

GenerateHostCert takes the public key in the Open SSH “authorized_keys“ plain text format, signs it using Host Certificate Authority private key and returns the resulting certificate.

func (*Client) Get 

func (c *Client) Get(ctx context.Context, u string, params url.Values) (*roundtrip.Response, error)

Get issues http GET request to the server

func (*Client) GetAllTunnelConnections 

func (c *Client) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

GetAllTunnelConnections returns all tunnel connections

func (*Client) GetAuthServers 

func (c *Client) GetAuthServers() ([]types.Server, error)

GetAuthServers returns the list of auth servers registered in the cluster.

func (*Client) GetBotUsers 

func (c *Client) GetBotUsers(ctx context.Context) ([]types.User, error)

GetBotUsers fetches all bot users.

func (*Client) GetCertAuthorities 

func (c *Client) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

GetCertAuthorities returns a list of certificate authorities

func (*Client) GetCertAuthority 

func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys controls if signing keys are loaded

func (*Client) GetClusterAuditConfig 

func (c *Client) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*Client) GetClusterName 

func (c *Client) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

GetClusterName returns a cluster name

func (*Client) GetClusterNetworkingConfig 

func (c *Client) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*Client) GetDatabaseServers 

func (c *Client) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

GetDatabaseServers returns all registered database proxy servers.

func (*Client) GetNamespace 

func (c *Client) GetNamespace(name string) (*types.Namespace, error)

GetNamespace returns namespace by name

func (*Client) GetNamespaces 

func (c *Client) GetNamespaces() ([]types.Namespace, error)

GetNamespaces returns a list of namespaces

func (*Client) GetProxies 

func (c *Client) GetProxies() ([]types.Server, error)

GetProxies returns the list of auth servers registered in the cluster.

func (*Client) GetRemoteCluster 

func (c *Client) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

GetRemoteCluster returns a remote cluster by name

func (*Client) GetRemoteClusters 

func (c *Client) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

GetRemoteClusters returns a list of remote clusters

func (*Client) GetReverseTunnel 

func (c *Client) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)

GetReverseTunnel not implemented: can only be called locally.

func (*Client) GetReverseTunnels 

func (c *Client) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

GetReverseTunnels returns the list of created reverse tunnels

func (*Client) GetSession 

func (c *Client) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)

GetSession returns a session by ID DELETE IN 12.0.0

func (*Client) GetSessionChunk 

func (c *Client) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk allows clients to receive a byte array (chunk) from a recorded session stream, starting from 'offset', up to 'max' in length. The upper bound of 'max' is set to events.MaxChunkBytes

func (*Client) GetSessionEvents 

func (c *Client) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) (retval []events.EventFields, err error)

Returns events that happen during a session sorted by time (oldest first).

afterN allows to filter by "newer than N" value where N is the cursor ID of previously returned bunch (good for polling for latest)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Client) GetSessionRecordingConfig 

func (c *Client) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

GetSessionRecordingConfig gets session recording configuration.

func (*Client) GetSessions 

func (c *Client) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)

GetSessions returns a list of active sessions in the cluster as reported by the auth server. DELETE IN 12.0.0

func (*Client) GetStaticTokens 

func (c *Client) GetStaticTokens() (types.StaticTokens, error)

GetStaticTokens returns a list of static register tokens

func (*Client) GetTunnelConnections 

func (c *Client) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

GetTunnelConnections returns tunnel connections for a given cluster

func (*Client) GetUserLoginAttempts 

func (c *Client) GetUserLoginAttempts(user string) ([]services.LoginAttempt, error)

GetUserLoginAttempts returns user login attempts

func (*Client) GetWebSessionInfo 

func (c *Client) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo checks if a web sesion is valid, returns session id in case if it is valid, or error otherwise.

func (*Client) KeepAliveNode 

func (c *Client) KeepAliveNode(ctx context.Context, keepAlive types.KeepAlive) error

DELETE IN: 5.1.0

This logic has been moved to KeepAliveServer.

KeepAliveNode updates node keep alive information.

func (*Client) KeepAliveServer 

func (c *Client) KeepAliveServer(ctx context.Context, keepAlive types.KeepAlive) error

KeepAliveServer not implemented: can only be called locally.

func (*Client) ListWindowsDesktopServices 

func (c *Client) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)

ListWindowsDesktopServices not implemented: can only be called locally.

func (*Client) ListWindowsDesktops 

func (c *Client) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)

ListWindowsDesktops not implemented: can only be called locally.

func (*Client) PostForm 

func (c *Client) PostForm(ctx context.Context, endpoint string, vals url.Values, files ...roundtrip.File) (*roundtrip.Response, error)

PostForm is a generic method that issues http POST request to the server

func (*Client) PostJSON 

func (c *Client) PostJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)

PostJSON is a generic method that issues http POST request to the server

func (*Client) ProcessKubeCSR 

func (c *Client) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*Client) PutJSON 

func (c *Client) PutJSON(ctx context.Context, endpoint string, val interface{}) (*roundtrip.Response, error)

PutJSON is a generic method that issues http PUT request to the server

func (*Client) RegisterUsingToken 

func (c *Client) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

RegisterUsingToken calls the auth service API to register a new node using a registration token which was previously issued via GenerateToken.

func (*Client) ResumeAuditStream 

func (c *Client) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes existing audit stream. This is a wrapper on the grpc endpoint and is deprecated. DELETE IN 7.0.0

func (*Client) RotateCertAuthority 

func (c *Client) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*Client) RotateExternalCertAuthority 

func (c *Client) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is used to update only public keys and certificates of the the certificate authorities of trusted clusters.

func (*Client) SearchEvents 

func (c *Client) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]apievents.AuditEvent, string, error)

SearchEvents allows searching for audit events with pagination support.

func (*Client) SearchSessionEvents 

func (c *Client) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) ([]apievents.AuditEvent, string, error)

SearchSessionEvents returns session related events to find completed sessions.

func (*Client) SetClusterAuditConfig 

func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error

SetClusterAuditConfig not implemented: can only be called locally.

func (*Client) SetClusterName 

func (c *Client) SetClusterName(cn types.ClusterName) error

SetClusterName sets cluster name once, will return Already Exists error if the name is already set

func (*Client) SetStaticTokens 

func (c *Client) SetStaticTokens(st types.StaticTokens) error

SetStaticTokens sets a list of static register tokens

func (*Client) StreamSessionEvents 

func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.

func (*Client) UpdatePresence 

func (c *Client) UpdatePresence(ctx context.Context, sessionID, user string) error

func (*Client) UpdateSession 

func (c *Client) UpdateSession(ctx context.Context, req session.UpdateRequest) error

UpdateSession updates existing session DELETE IN 12.0.0

func (*Client) UpsertAppSession 

func (c *Client) UpsertAppSession(ctx context.Context, session types.WebSession) error

UpsertAppSession not implemented: can only be called locally.

func (*Client) UpsertAuthServer 

func (c *Client) UpsertAuthServer(s types.Server) error

UpsertAuthServer is used by auth servers to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertCertAuthority 

func (c *Client) UpsertCertAuthority(ca types.CertAuthority) error

UpsertCertAuthority updates or inserts new cert authority

func (*Client) UpsertClusterName 

func (c *Client) UpsertClusterName(cn types.ClusterName) error

UpsertClusterName not implemented: can only be called locally.

func (*Client) UpsertNamespace 

func (c *Client) UpsertNamespace(ns types.Namespace) error

UpsertNamespace upserts namespace

func (*Client) UpsertProxy 

func (c *Client) UpsertProxy(s types.Server) error

UpsertProxy is used by proxies to report their presence to other auth servers in form of hearbeat expiring after ttl period.

func (*Client) UpsertReverseTunnel 

func (c *Client) UpsertReverseTunnel(tunnel types.ReverseTunnel) error

UpsertReverseTunnel is used by admins to create a new reverse tunnel to the remote proxy to bypass firewall restrictions

func (*Client) UpsertSnowflakeSession 

func (c *Client) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error

UpsertSnowflakeSession not implemented: can only be called locally.

func (*Client) UpsertTunnelConnection 

func (c *Client) UpsertTunnelConnection(conn types.TunnelConnection) error

UpsertTunnelConnection upserts tunnel connection

func (*Client) UpsertUser 

func (c *Client) UpsertUser(user types.User) error

UpsertUser user updates user entry.

func (*Client) ValidateGithubAuthCallback 

func (c *Client) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback returned from redirect

func (*Client) ValidateOIDCAuthCallback 

func (c *Client) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect

func (*Client) ValidateSAMLResponse 

func (c *Client) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates response returned by SAML identity provider

func (*Client) ValidateTrustedCluster 

func (c *Client) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

type ClientI 

type ClientI interface {
	IdentityService
	ProvisioningService
	services.Trust
	events.IAuditLog
	events.Streamer
	apievents.Emitter
	services.Presence
	services.Access
	services.DynamicAccess
	services.DynamicAccessOracle
	services.Restrictions
	services.Apps
	services.Databases
	services.Kubernetes
	services.WindowsDesktops
	WebService
	services.Status
	session.Service
	services.ClusterConfiguration
	services.SessionTrackerService
	services.ConnectionsDiagnostic
	types.Events

	types.WebSessionsGetter
	types.WebTokensGetter

	// NewKeepAliver returns a new instance of keep aliver
	NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

	// RotateCertAuthority starts or restarts certificate authority rotation process.
	RotateCertAuthority(ctx context.Context, req RotateRequest) error

	// RotateExternalCertAuthority rotates external certificate authority,
	// this method is used to update only public keys and certificates of the
	// the certificate authorities of trusted clusters.
	RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

	// ValidateTrustedCluster validates trusted cluster token with
	// main cluster, in case if validation is successful, main cluster
	// adds remote cluster
	ValidateTrustedCluster(context.Context, *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

	// GetDomainName returns auth server cluster name
	GetDomainName(ctx context.Context) (string, error)

	// GetClusterCACert returns the PEM-encoded TLS certs for the local cluster.
	// If the cluster has multiple TLS certs, they will all be concatenated.
	GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

	// GenerateHostCerts generates new host certificates (signed
	// by the host certificate authority) for a node
	GenerateHostCerts(context.Context, *proto.HostCertsRequest) (*proto.Certs, error)
	// AuthenticateWebUser authenticates web user, creates and  returns web session
	// in case if authentication is successful
	AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)
	// AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
	// short-lived certificates as a result
	AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

	// ProcessKubeCSR processes CSR request against Kubernetes CA, returns
	// signed certificate if successful.
	ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

	// Ping gets basic info about the auth server.
	Ping(ctx context.Context) (proto.PingResponse, error)

	// CreateAppSession creates an application web session. Application web
	// sessions represent a browser session the client holds.
	CreateAppSession(context.Context, types.CreateAppSessionRequest) (types.WebSession, error)

	// CreateSnowflakeSession creates a Snowflake web session. Snowflake web
	// sessions represent Database Access Snowflake session the client holds.
	CreateSnowflakeSession(context.Context, types.CreateSnowflakeSessionRequest) (types.WebSession, error)

	// GenerateDatabaseCert generates client certificate used by a database
	// service to authenticate with the database instance.
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

	// GetWebSession queries the existing web session described with req.
	// Implements ReadAccessPoint.
	GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken queries the existing web token described with req.
	// Implements ReadAccessPoint.
	GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

	// ResetAuthPreference resets cluster auth preference to defaults.
	ResetAuthPreference(ctx context.Context) error

	// ResetClusterNetworkingConfig resets cluster networking configuration to defaults.
	ResetClusterNetworkingConfig(ctx context.Context) error

	// ResetSessionRecordingConfig resets session recording configuration to defaults.
	ResetSessionRecordingConfig(ctx context.Context) error

	// GenerateWindowsDesktopCert generates client smartcard certificate used
	// by an RDP client to authenticate with Windows.
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
	// GenerateCertAuthorityCRL generates an empty CRL for a CA.
	GenerateCertAuthorityCRL(context.Context, types.CertAuthType) ([]byte, error)

	// GetInventoryStatus gets basic status info about instance inventory.
	GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)

	// PingInventory attempts to trigger a downstream ping against a connected instance.
	PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)

	// SubmitUsageEvent submits an external usage event.
	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
}

ClientI is a client to Auth service

func NewAdminAuthServer 

func NewAdminAuthServer(authServer *Server, sessions session.Service, alog events.IAuditLog) (ClientI, error)

NewAdminAuthServer returns auth server authorized as admin, used for auth server cached access

func WithGithubConnectorConversions 

func WithGithubConnectorConversions(c ClientI) ClientI

WithGithubConnectorConversions takes a ClientI and returns one that ensures returned or passed types.GithubConnector interfaces use the registered implementation for the following methods:

  • ClientI.GetGithubConnector
  • ClientI.GetGithubConnectors
  • ClientI.UpsertGithubConnector

This is function is necessary so that the github.com/gravitational/teleport/api module does not import github.com/gravitational/teleport/lib/services.

type Context 

type Context struct {
	// User is the username
	User types.User
	// Checker is access checker
	Checker services.AccessChecker
	// Identity holds the caller identity:
	// 1. If caller is a user
	//   a. local user identity
	//   b. remote user identity remapped to local identity based on trusted
	//      cluster role mapping.
	// 2. If caller is a teleport instance, Identity holds their identity as-is
	//    (because there's no role mapping for non-human roles)
	Identity IdentityGetter
	// UnmappedIdentity holds the original caller identity. If this is a remote
	// user, UnmappedIdentity holds the data before role mapping. Otherwise,
	// it's identical to Identity.
	UnmappedIdentity IdentityGetter
}

Context is authorization context

func NewAdminContext 

func NewAdminContext() (*Context, error)

NewAdminContext returns new admin auth context

func NewBuiltinRoleContext 

func NewBuiltinRoleContext(role types.SystemRole) (*Context, error)

NewBuiltinRoleContext create auth context for the provided builtin role.

func (*Context) LockTargets 

func (c *Context) LockTargets() []types.LockTarget

LockTargets returns a list of LockTargets inferred from the context's Identity and UnmappedIdentity.

func (*Context) MFAParams 

func (c *Context) MFAParams(authPrefMFARequirement types.RequireMFAType) services.AccessMFAParams

MFAParams returns MFA params for the given auth context and auth preference MFA requirement.

func (*Context) UseExtraRoles 

func (c *Context) UseExtraRoles(access services.RoleGetter, clusterName string, roles []string) error

UseExtraRoles extends the roles of the Checker on the current Context with the given extra roles.

type CreateUserTokenRequest 

type CreateUserTokenRequest struct {
	// Name is the user name for token.
	Name string `json:"name"`
	// TTL specifies how long the generated token is valid for.
	TTL time.Duration `json:"ttl"`
	// Type is the token type.
	Type string `json:"type"`
}

CreateUserTokenRequest is a request to create a new user token.

func (*CreateUserTokenRequest) CheckAndSetDefaults 

func (r *CreateUserTokenRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets the defaults.

type DatabaseAccessPoint 

type DatabaseAccessPoint interface {
	// ReadDatabaseAccessPoint provides methods to read data
	ReadDatabaseAccessPoint
	// contains filtered or unexported methods
}

DatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.

func NewDatabaseWrapper 

func NewDatabaseWrapper(base DatabaseAccessPoint, cache ReadDatabaseAccessPoint) DatabaseAccessPoint

type DatabaseTestCertRequest 

type DatabaseTestCertRequest struct {
	// PublicKey is the public key to sign.
	PublicKey []byte
	// Cluster is the Teleport cluster name.
	Cluster string
	// Username is the Teleport username.
	Username string
	// RouteToDatabase contains database routing information.
	RouteToDatabase tlsca.RouteToDatabase
}

DatabaseTestCertRequest combines parameters for generating test database access certificate.

type DatabaseWrapper 

type DatabaseWrapper struct {
	ReadDatabaseAccessPoint

	NoCache DatabaseAccessPoint
	// contains filtered or unexported fields
}

func (*DatabaseWrapper) Close 

func (w *DatabaseWrapper) Close() error

Close closes all associated resources

type DiscoveryAccessPoint 

type DiscoveryAccessPoint interface {
	// ReadDiscoveryAccessPoint provides methods to read data
	ReadDiscoveryAccessPoint

	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// UpdateKubernetesCluster updates existing kubernetes cluster resource.
	UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error
	// DeleteKubernetesCluster deletes specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// contains filtered or unexported methods
}

DiscoveryAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDiscovery

func NewDiscoveryWrapper 

func NewDiscoveryWrapper(base DiscoveryAccessPoint, cache ReadDiscoveryAccessPoint) DiscoveryAccessPoint

type DiscoveryWrapper 

type DiscoveryWrapper struct {
	ReadDiscoveryAccessPoint

	NoCache DiscoveryAccessPoint
	// contains filtered or unexported fields
}

func (*DiscoveryWrapper) Close 

func (w *DiscoveryWrapper) Close() error

Close closes all associated resources

func (*DiscoveryWrapper) CreateKubernetesCluster 

func (w *DiscoveryWrapper) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*DiscoveryWrapper) DeleteKubernetesCluster 

func (w *DiscoveryWrapper) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster deletes specified kubernetes cluster resource.

func (*DiscoveryWrapper) UpdateKubernetesCluster 

func (w *DiscoveryWrapper) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

UpdateKubernetesCluster updates existing kubernetes cluster resource.

type ForwardedClientMetadata 

type ForwardedClientMetadata struct {
	UserAgent  string `json:"user_agent,omitempty"`
	RemoteAddr string `json:"remote_addr,omitempty"`
}

ForwardedClientMetadata can be used by the proxy web API to forward information about the client to the auth service for logging purposes.

type GRPCServer 

type GRPCServer struct {
	*logrus.Entry
	APIConfig

	// TraceServiceServer exposes the exporter server so that the auth server may
	// collect and forward spans
	collectortracepb.TraceServiceServer
	// contains filtered or unexported fields
}

GRPCServer is GPRC Auth Server API

func NewGRPCServer 

func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error)

NewGRPCServer returns a new instance of GRPC server

func (*GRPCServer) AcquireSemaphore 

func (g *GRPCServer) AcquireSemaphore(ctx context.Context, params *types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)

AcquireSemaphore acquires lease with requested resources from semaphore.

func (*GRPCServer) AddMFADevice 

func (g *GRPCServer) AddMFADevice(stream proto.AuthService_AddMFADeviceServer) error

func (*GRPCServer) AddMFADeviceSync 

func (g *GRPCServer) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)

AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.

func (*GRPCServer) AppendDiagnosticTrace 

func (g *GRPCServer) AppendDiagnosticTrace(ctx context.Context, in *proto.AppendDiagnosticTraceRequest) (*types.ConnectionDiagnosticV1, error)

AppendDiagnosticTrace updates a connection diagnostic

func (*GRPCServer) CancelSemaphoreLease 

func (g *GRPCServer) CancelSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)

CancelSemaphoreLease cancels semaphore lease early.

func (*GRPCServer) ChangeUserAuthentication 

func (g *GRPCServer) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)

ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.

func (*GRPCServer) CompleteAccountRecovery 

func (g *GRPCServer) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) (*emptypb.Empty, error)

CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.

func (*GRPCServer) CreateAccessRequest 

func (g *GRPCServer) CreateAccessRequest(ctx context.Context, req *types.AccessRequestV3) (*emptypb.Empty, error)

func (*GRPCServer) CreateAccountRecoveryCodes 

func (g *GRPCServer) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.

func (*GRPCServer) CreateApp 

func (g *GRPCServer) CreateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)

CreateApp creates a new application resource.

func (*GRPCServer) CreateAppSession 

func (g *GRPCServer) CreateAppSession(ctx context.Context, req *proto.CreateAppSessionRequest) (*proto.CreateAppSessionResponse, error)

CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.

func (*GRPCServer) CreateAuditStream 

func (g *GRPCServer) CreateAuditStream(stream proto.AuthService_CreateAuditStreamServer) error

CreateAuditStream creates or resumes audit event stream

func (*GRPCServer) CreateAuthenticateChallenge 

func (g *GRPCServer) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)

CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.

func (*GRPCServer) CreateBot 

func (g *GRPCServer) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)

CreateBot creates a new bot and an optional join token.

func (*GRPCServer) CreateConnectionDiagnostic 

func (g *GRPCServer) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)

CreateConnectionDiagnostic creates a connection diagnostic

func (*GRPCServer) CreateDatabase 

func (g *GRPCServer) CreateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)

CreateDatabase creates a new database resource.

func (*GRPCServer) CreateGithubAuthRequest 

func (g *GRPCServer) CreateGithubAuthRequest(ctx context.Context, req *types.GithubAuthRequest) (*types.GithubAuthRequest, error)

CreateGithubAuthRequest creates GithubAuthRequest.

func (*GRPCServer) CreateKubernetesCluster 

func (g *GRPCServer) CreateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*GRPCServer) CreateOIDCAuthRequest 

func (g *GRPCServer) CreateOIDCAuthRequest(ctx context.Context, req *types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

CreateOIDCAuthRequest creates OIDCAuthRequest

func (*GRPCServer) CreatePrivilegeToken 

func (g *GRPCServer) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.

func (*GRPCServer) CreateRegisterChallenge 

func (g *GRPCServer) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.

func (*GRPCServer) CreateResetPasswordToken 

func (g *GRPCServer) CreateResetPasswordToken(ctx context.Context, req *proto.CreateResetPasswordTokenRequest) (*types.UserTokenV3, error)

func (*GRPCServer) CreateSAMLAuthRequest 

func (g *GRPCServer) CreateSAMLAuthRequest(ctx context.Context, req *types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

CreateSAMLAuthRequest creates SAMLAuthRequest.

func (*GRPCServer) CreateSessionTracker 

func (g *GRPCServer) CreateSessionTracker(ctx context.Context, req *proto.CreateSessionTrackerRequest) (*types.SessionTrackerV1, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*GRPCServer) CreateSnowflakeSession 

func (g *GRPCServer) CreateSnowflakeSession(ctx context.Context, req *proto.CreateSnowflakeSessionRequest) (*proto.CreateSnowflakeSessionResponse, error)

func (*GRPCServer) CreateToken 

func (g *GRPCServer) CreateToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)

CreateToken creates a token.

func (*GRPCServer) CreateUser 

func (g *GRPCServer) CreateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)

CreateUser inserts a new user entry in a backend.

func (*GRPCServer) CreateWindowsDesktop 

func (g *GRPCServer) CreateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

CreateWindowsDesktop registers a new Windows desktop host.

func (*GRPCServer) DeleteAccessRequest 

func (g *GRPCServer) DeleteAccessRequest(ctx context.Context, id *proto.RequestID) (*emptypb.Empty, error)

func (*GRPCServer) DeleteAllAppSessions 

func (g *GRPCServer) DeleteAllAppSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllAppSessions removes all application web sessions.

func (*GRPCServer) DeleteAllApplicationServers 

func (g *GRPCServer) DeleteAllApplicationServers(ctx context.Context, req *proto.DeleteAllApplicationServersRequest) (*emptypb.Empty, error)

DeleteAllApplicationServers deletes all registered application servers.

func (*GRPCServer) DeleteAllApps 

func (g *GRPCServer) DeleteAllApps(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllApps removes all application resources.

func (*GRPCServer) DeleteAllDatabaseServers 

func (g *GRPCServer) DeleteAllDatabaseServers(ctx context.Context, req *proto.DeleteAllDatabaseServersRequest) (*emptypb.Empty, error)

DeleteAllDatabaseServers removes all registered database proxy servers.

func (*GRPCServer) DeleteAllDatabases 

func (g *GRPCServer) DeleteAllDatabases(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllDatabases removes all databases.

func (*GRPCServer) DeleteAllInstallers 

func (g *GRPCServer) DeleteAllInstallers(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteALlInstallers deletes all the installers

func (*GRPCServer) DeleteAllKubeServices 

func (g *GRPCServer) DeleteAllKubeServices(ctx context.Context, req *proto.DeleteAllKubeServicesRequest) (*emptypb.Empty, error)

DeleteAllKubeServices removes all kubernetes services.

func (*GRPCServer) DeleteAllKubernetesClusters 

func (g *GRPCServer) DeleteAllKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllKubernetesClusters removes all kubernetes cluster.

func (*GRPCServer) DeleteAllKubernetesServers 

func (g *GRPCServer) DeleteAllKubernetesServers(ctx context.Context, req *proto.DeleteAllKubernetesServersRequest) (*emptypb.Empty, error)

DeleteAllKubernetesServers deletes all registered kubernetes servers.

func (*GRPCServer) DeleteAllNodes 

func (g *GRPCServer) DeleteAllNodes(ctx context.Context, req *types.ResourcesInNamespaceRequest) (*emptypb.Empty, error)

DeleteAllNodes deletes all nodes in a given namespace.

func (*GRPCServer) DeleteAllSnowflakeSessions 

func (g *GRPCServer) DeleteAllSnowflakeSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

func (*GRPCServer) DeleteAllWebSessions 

func (g *GRPCServer) DeleteAllWebSessions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWebSessions removes all web sessions.

func (*GRPCServer) DeleteAllWebTokens 

func (g *GRPCServer) DeleteAllWebTokens(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWebTokens removes all web tokens.

func (*GRPCServer) DeleteAllWindowsDesktopServices 

func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWindowsDesktopServices removes all registered Windows desktop services.

func (*GRPCServer) DeleteAllWindowsDesktops 

func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteAllWindowsDesktops removes all registered Windows desktop hosts.

func (*GRPCServer) DeleteApp 

func (g *GRPCServer) DeleteApp(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteApp removes the specified application resource.

func (*GRPCServer) DeleteAppSession 

func (g *GRPCServer) DeleteAppSession(ctx context.Context, req *proto.DeleteAppSessionRequest) (*emptypb.Empty, error)

DeleteAppSession removes an application web session.

func (*GRPCServer) DeleteApplicationServer 

func (g *GRPCServer) DeleteApplicationServer(ctx context.Context, req *proto.DeleteApplicationServerRequest) (*emptypb.Empty, error)

DeleteApplicationServer deletes an application server.

func (*GRPCServer) DeleteBot 

func (g *GRPCServer) DeleteBot(ctx context.Context, req *proto.DeleteBotRequest) (*emptypb.Empty, error)

DeleteBot removes a bot and its associated resources.

func (*GRPCServer) DeleteDatabase 

func (g *GRPCServer) DeleteDatabase(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteDatabase removes the specified database.

func (*GRPCServer) DeleteDatabaseServer 

func (g *GRPCServer) DeleteDatabaseServer(ctx context.Context, req *proto.DeleteDatabaseServerRequest) (*emptypb.Empty, error)

DeleteDatabaseServer removes the specified database proxy server.

func (*GRPCServer) DeleteGithubConnector 

func (g *GRPCServer) DeleteGithubConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteGithubConnector deletes a Github connector by name.

func (*GRPCServer) DeleteInstaller 

func (g *GRPCServer) DeleteInstaller(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteInstaller sets the installer script resource to its default

func (*GRPCServer) DeleteKubeService 

func (g *GRPCServer) DeleteKubeService(ctx context.Context, req *proto.DeleteKubeServiceRequest) (*emptypb.Empty, error)

DeleteKubeService removes a kubernetes service.

func (*GRPCServer) DeleteKubernetesCluster 

func (g *GRPCServer) DeleteKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteKubernetesCluster removes the specified kubernetes cluster.

func (*GRPCServer) DeleteKubernetesServer 

func (g *GRPCServer) DeleteKubernetesServer(ctx context.Context, req *proto.DeleteKubernetesServerRequest) (*emptypb.Empty, error)

DeleteKubernetesServer deletes a kubernetes server.

func (*GRPCServer) DeleteLock 

func (g *GRPCServer) DeleteLock(ctx context.Context, req *proto.DeleteLockRequest) (*emptypb.Empty, error)

DeleteLock deletes a lock.

func (*GRPCServer) DeleteMFADevice 

func (g *GRPCServer) DeleteMFADevice(stream proto.AuthService_DeleteMFADeviceServer) error

func (*GRPCServer) DeleteMFADeviceSync 

func (g *GRPCServer) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) (*emptypb.Empty, error)

DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.

func (*GRPCServer) DeleteNetworkRestrictions 

func (g *GRPCServer) DeleteNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

DeleteNetworkRestrictions deletes the network restrictions.

func (*GRPCServer) DeleteNode 

func (g *GRPCServer) DeleteNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*emptypb.Empty, error)

DeleteNode deletes a node by name.

func (*GRPCServer) DeleteOIDCConnector 

func (g *GRPCServer) DeleteOIDCConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteOIDCConnector deletes an OIDC connector by name.

func (*GRPCServer) DeleteRole 

func (g *GRPCServer) DeleteRole(ctx context.Context, req *proto.DeleteRoleRequest) (*emptypb.Empty, error)

DeleteRole deletes a role by name.

func (*GRPCServer) DeleteSAMLConnector 

func (g *GRPCServer) DeleteSAMLConnector(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteSAMLConnector deletes a SAML connector by name.

func (*GRPCServer) DeleteSemaphore 

func (g *GRPCServer) DeleteSemaphore(ctx context.Context, req *types.SemaphoreFilter) (*emptypb.Empty, error)

DeleteSemaphore deletes a semaphore matching the supplied filter.

func (*GRPCServer) DeleteSnowflakeSession 

func (g *GRPCServer) DeleteSnowflakeSession(ctx context.Context, req *proto.DeleteSnowflakeSessionRequest) (*emptypb.Empty, error)

func (*GRPCServer) DeleteToken 

func (g *GRPCServer) DeleteToken(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteToken deletes a token by name.

func (*GRPCServer) DeleteTrustedCluster 

func (g *GRPCServer) DeleteTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*emptypb.Empty, error)

DeleteTrustedCluster deletes a Trusted Cluster by name.

func (*GRPCServer) DeleteUser 

func (g *GRPCServer) DeleteUser(ctx context.Context, req *proto.DeleteUserRequest) (*emptypb.Empty, error)

DeleteUser deletes an existng user in a backend by username.

func (*GRPCServer) DeleteUserAppSessions 

func (g *GRPCServer) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) (*emptypb.Empty, error)

DeleteUserAppSessions removes user's all application web sessions.

func (*GRPCServer) DeleteWebSession 

func (g *GRPCServer) DeleteWebSession(ctx context.Context, req *types.DeleteWebSessionRequest) (*emptypb.Empty, error)

DeleteWebSession removes the web session given with req.

func (*GRPCServer) DeleteWebToken 

func (g *GRPCServer) DeleteWebToken(ctx context.Context, req *types.DeleteWebTokenRequest) (*emptypb.Empty, error)

DeleteWebToken removes the web token given with req.

func (*GRPCServer) DeleteWindowsDesktop 

func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *proto.DeleteWindowsDesktopRequest) (*emptypb.Empty, error)

DeleteWindowsDesktop removes the specified windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.

func (*GRPCServer) DeleteWindowsDesktopService 

func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *proto.DeleteWindowsDesktopServiceRequest) (*emptypb.Empty, error)

DeleteWindowsDesktopService removes the specified Windows desktop service.

func (*GRPCServer) EmitAuditEvent 

func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *apievents.OneOf) (*emptypb.Empty, error)

EmitAuditEvent emits audit event

func (*GRPCServer) Export 

func (g *GRPCServer) Export(ctx context.Context, req *collectortracepb.ExportTraceServiceRequest) (*collectortracepb.ExportTraceServiceResponse, error)

Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.

func (*GRPCServer) GenerateAppToken 

func (g *GRPCServer) GenerateAppToken(ctx context.Context, req *proto.GenerateAppTokenRequest) (*proto.GenerateAppTokenResponse, error)

GenerateAppToken creates a JWT token with application access.

func (*GRPCServer) GenerateCertAuthorityCRL 

func (g *GRPCServer) GenerateCertAuthorityCRL(ctx context.Context, req *proto.CertAuthorityRequest) (*proto.CRL, error)

GenerateCertAuthorityCRL returns a CRL for a CA.

func (*GRPCServer) GenerateDatabaseCert 

func (g *GRPCServer) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.

func (*GRPCServer) GenerateHostCerts 

func (g *GRPCServer) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

func (*GRPCServer) GenerateSnowflakeJWT 

func (g *GRPCServer) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)

GenerateSnowflakeJWT generates JWT in the format required by Snowflake.

func (*GRPCServer) GenerateToken 

func (g *GRPCServer) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (*proto.GenerateTokenResponse, error)

GenerateToken generates a new auth token.

func (*GRPCServer) GenerateUserCerts 

func (g *GRPCServer) GenerateUserCerts(ctx context.Context, req *proto.UserCertsRequest) (*proto.Certs, error)

func (*GRPCServer) GenerateUserSingleUseCerts 

func (g *GRPCServer) GenerateUserSingleUseCerts(stream proto.AuthService_GenerateUserSingleUseCertsServer) error

func (*GRPCServer) GenerateWindowsDesktopCert 

func (g *GRPCServer) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.

func (*GRPCServer) GetAccessCapabilities 

func (g *GRPCServer) GetAccessCapabilities(ctx context.Context, req *types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

func (*GRPCServer) GetAccessRequests 

func (g *GRPCServer) GetAccessRequests(ctx context.Context, f *types.AccessRequestFilter) (*proto.AccessRequests, error)

DEPRECATED, DELETE IN 11.0.0: Use GetAccessRequestsV2 instead.

func (*GRPCServer) GetAccessRequestsV2 

func (g *GRPCServer) GetAccessRequestsV2(f *types.AccessRequestFilter, stream proto.AuthService_GetAccessRequestsV2Server) error

func (*GRPCServer) GetAccountRecoveryCodes 

func (g *GRPCServer) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.

func (*GRPCServer) GetAccountRecoveryToken 

func (g *GRPCServer) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (*types.UserTokenV3, error)

GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.

func (*GRPCServer) GetActiveSessionTrackers 

func (g *GRPCServer) GetActiveSessionTrackers(_ *emptypb.Empty, stream proto.AuthService_GetActiveSessionTrackersServer) error

GetActiveSessionTrackers returns a list of active session trackers.

func (*GRPCServer) GetActiveSessionTrackersWithFilter 

func (g *GRPCServer) GetActiveSessionTrackersWithFilter(filter *types.SessionTrackerFilter, stream proto.AuthService_GetActiveSessionTrackersWithFilterServer) error

GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.

func (*GRPCServer) GetApp 

func (g *GRPCServer) GetApp(ctx context.Context, req *types.ResourceRequest) (*types.AppV3, error)

GetApp returns the specified application resource.

func (*GRPCServer) GetAppSession 

func (g *GRPCServer) GetAppSession(ctx context.Context, req *proto.GetAppSessionRequest) (*proto.GetAppSessionResponse, error)

GetAppSession gets an application web session.

func (*GRPCServer) GetAppSessions 

func (g *GRPCServer) GetAppSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetAppSessionsResponse, error)

GetAppSessions gets all application web sessions.

func (*GRPCServer) GetApps 

func (g *GRPCServer) GetApps(ctx context.Context, _ *emptypb.Empty) (*types.AppV3List, error)

GetApps returns all application resources.

func (*GRPCServer) GetAuthPreference 

func (g *GRPCServer) GetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*types.AuthPreferenceV2, error)

GetAuthPreference gets cluster auth preference.

func (*GRPCServer) GetBotUsers 

func (g *GRPCServer) GetBotUsers(_ *proto.GetBotUsersRequest, stream proto.AuthService_GetBotUsersServer) error

GetBotUsers lists all users with a bot label

func (*GRPCServer) GetClusterAlerts 

func (g *GRPCServer) GetClusterAlerts(ctx context.Context, query *types.GetClusterAlertsRequest) (*proto.GetClusterAlertsResponse, error)

func (*GRPCServer) GetClusterAuditConfig 

func (g *GRPCServer) GetClusterAuditConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterAuditConfigV2, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*GRPCServer) GetClusterCACert 

func (g *GRPCServer) GetClusterCACert(
	ctx context.Context, req *emptypb.Empty,
) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be appended.

func (*GRPCServer) GetClusterNetworkingConfig 

func (g *GRPCServer) GetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*types.ClusterNetworkingConfigV2, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*GRPCServer) GetConnectionDiagnostic 

func (g *GRPCServer) GetConnectionDiagnostic(ctx context.Context, req *proto.GetConnectionDiagnosticRequest) (*types.ConnectionDiagnosticV1, error)

GetConnectionDiagnostic reads a connection diagnostic.

func (*GRPCServer) GetCurrentUser 

func (g *GRPCServer) GetCurrentUser(ctx context.Context, req *emptypb.Empty) (*types.UserV2, error)

func (*GRPCServer) GetCurrentUserRoles 

func (g *GRPCServer) GetCurrentUserRoles(_ *emptypb.Empty, stream proto.AuthService_GetCurrentUserRolesServer) error

func (*GRPCServer) GetDatabase 

func (g *GRPCServer) GetDatabase(ctx context.Context, req *types.ResourceRequest) (*types.DatabaseV3, error)

GetDatabase returns the specified database resource.

func (*GRPCServer) GetDatabases 

func (g *GRPCServer) GetDatabases(ctx context.Context, _ *emptypb.Empty) (*types.DatabaseV3List, error)

GetDatabases returns all database resources.

func (*GRPCServer) GetDomainName 

func (g *GRPCServer) GetDomainName(ctx context.Context, req *emptypb.Empty) (*proto.GetDomainNameResponse, error)

GetDomainName returns local auth domain of the current auth server.

func (*GRPCServer) GetEvents 

func (g *GRPCServer) GetEvents(ctx context.Context, req *proto.GetEventsRequest) (*proto.Events, error)

GetEvents searches for events on the backend and sends them back in a response.

func (*GRPCServer) GetGithubAuthRequest 

func (g *GRPCServer) GetGithubAuthRequest(ctx context.Context, req *proto.GetGithubAuthRequestRequest) (*types.GithubAuthRequest, error)

GetGithubAuthRequest gets a GithubAuthRequest by id.

func (*GRPCServer) GetGithubConnector 

func (g *GRPCServer) GetGithubConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.GithubConnectorV3, error)

GetGithubConnector retrieves a Github connector by name.

func (*GRPCServer) GetGithubConnectors 

func (g *GRPCServer) GetGithubConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.GithubConnectorV3List, error)

GetGithubConnectors retrieves all Github connectors.

func (*GRPCServer) GetInstaller 

func (g *GRPCServer) GetInstaller(ctx context.Context, req *types.ResourceRequest) (*types.InstallerV1, error)

GetInstaller retrieves the installer script resource

func (*GRPCServer) GetInstallers 

func (g *GRPCServer) GetInstallers(ctx context.Context, _ *emptypb.Empty) (*types.InstallerV1List, error)

GetInstallers returns all installer script resources registered in the cluster.

func (*GRPCServer) GetInventoryStatus 

func (g *GRPCServer) GetInventoryStatus(ctx context.Context, req *proto.InventoryStatusRequest) (*proto.InventoryStatusSummary, error)

func (*GRPCServer) GetKubernetesCluster 

func (g *GRPCServer) GetKubernetesCluster(ctx context.Context, req *types.ResourceRequest) (*types.KubernetesClusterV3, error)

GetKubernetesCluster returns the specified kubernetes cluster resource.

func (*GRPCServer) GetKubernetesClusters 

func (g *GRPCServer) GetKubernetesClusters(ctx context.Context, _ *emptypb.Empty) (*types.KubernetesClusterV3List, error)

GetKubernetesClusters returns all kubernetes cluster resources.

func (*GRPCServer) GetLock 

func (g *GRPCServer) GetLock(ctx context.Context, req *proto.GetLockRequest) (*types.LockV2, error)

GetLock retrieves a lock by name.

func (*GRPCServer) GetLocks 

func (g *GRPCServer) GetLocks(ctx context.Context, req *proto.GetLocksRequest) (*proto.GetLocksResponse, error)

GetLocks gets all/in-force locks that match at least one of the targets when specified.

func (*GRPCServer) GetMFADevices 

func (g *GRPCServer) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)

func (*GRPCServer) GetNetworkRestrictions 

func (g *GRPCServer) GetNetworkRestrictions(ctx context.Context, _ *emptypb.Empty) (*types.NetworkRestrictionsV4, error)

GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).

func (*GRPCServer) GetNode 

func (g *GRPCServer) GetNode(ctx context.Context, req *types.ResourceInNamespaceRequest) (*types.ServerV2, error)

GetNode retrieves a node by name and namespace.

func (*GRPCServer) GetOIDCAuthRequest 

func (g *GRPCServer) GetOIDCAuthRequest(ctx context.Context, req *proto.GetOIDCAuthRequestRequest) (*types.OIDCAuthRequest, error)

GetOIDCAuthRequest gets OIDC AuthnRequest

func (*GRPCServer) GetOIDCConnector 

func (g *GRPCServer) GetOIDCConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.OIDCConnectorV3, error)

GetOIDCConnector retrieves an OIDC connector by name.

func (*GRPCServer) GetOIDCConnectors 

func (g *GRPCServer) GetOIDCConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.OIDCConnectorV3List, error)

GetOIDCConnectors retrieves all OIDC connectors.

func (*GRPCServer) GetPluginData 

func (g *GRPCServer) GetPluginData(ctx context.Context, filter *types.PluginDataFilter) (*proto.PluginDataSeq, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*GRPCServer) GetResetPasswordToken 

func (g *GRPCServer) GetResetPasswordToken(ctx context.Context, req *proto.GetResetPasswordTokenRequest) (*types.UserTokenV3, error)

func (*GRPCServer) GetRole 

func (g *GRPCServer) GetRole(ctx context.Context, req *proto.GetRoleRequest) (*types.RoleV5, error)

GetRole retrieves a role by name.

func (*GRPCServer) GetRoles 

func (g *GRPCServer) GetRoles(ctx context.Context, _ *emptypb.Empty) (*proto.GetRolesResponse, error)

GetRoles retrieves all roles.

func (*GRPCServer) GetSAMLAuthRequest 

func (g *GRPCServer) GetSAMLAuthRequest(ctx context.Context, req *proto.GetSAMLAuthRequestRequest) (*types.SAMLAuthRequest, error)

GetSAMLAuthRequest gets a SAMLAuthRequest by id.

func (*GRPCServer) GetSAMLConnector 

func (g *GRPCServer) GetSAMLConnector(ctx context.Context, req *types.ResourceWithSecretsRequest) (*types.SAMLConnectorV2, error)

GetSAMLConnector retrieves a SAML connector by name.

func (*GRPCServer) GetSAMLConnectors 

func (g *GRPCServer) GetSAMLConnectors(ctx context.Context, req *types.ResourcesWithSecretsRequest) (*types.SAMLConnectorV2List, error)

GetSAMLConnectors retrieves all SAML connectors.

func (*GRPCServer) GetSSODiagnosticInfo 

func (g *GRPCServer) GetSSODiagnosticInfo(ctx context.Context, req *proto.GetSSODiagnosticInfoRequest) (*types.SSODiagnosticInfo, error)

GetSSODiagnosticInfo gets a SSO diagnostic info for a specific SSO auth request.

func (*GRPCServer) GetSemaphores 

func (g *GRPCServer) GetSemaphores(ctx context.Context, req *types.SemaphoreFilter) (*proto.Semaphores, error)

GetSemaphores returns a list of all semaphores matching the supplied filter.

func (*GRPCServer) GetServer 

func (g *GRPCServer) GetServer() (*grpc.Server, error)

GetServer returns an instance of grpc server

func (*GRPCServer) GetSessionEvents 

func (g *GRPCServer) GetSessionEvents(ctx context.Context, req *proto.GetSessionEventsRequest) (*proto.Events, error)

GetSessionEvents searches for session events on the backend and sends them back in a response.

func (*GRPCServer) GetSessionRecordingConfig 

func (g *GRPCServer) GetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*types.SessionRecordingConfigV2, error)

GetSessionRecordingConfig gets session recording configuration.

func (*GRPCServer) GetSessionTracker 

func (g *GRPCServer) GetSessionTracker(ctx context.Context, req *proto.GetSessionTrackerRequest) (*types.SessionTrackerV1, error)

GetSessionTracker returns the current state of a session tracker for an active session.

func (*GRPCServer) GetSnowflakeSession 

func (g *GRPCServer) GetSnowflakeSession(ctx context.Context, req *proto.GetSnowflakeSessionRequest) (*proto.GetSnowflakeSessionResponse, error)

func (*GRPCServer) GetSnowflakeSessions 

func (g *GRPCServer) GetSnowflakeSessions(ctx context.Context, e *emptypb.Empty) (*proto.GetSnowflakeSessionsResponse, error)

func (*GRPCServer) GetToken 

func (g *GRPCServer) GetToken(ctx context.Context, req *types.ResourceRequest) (*types.ProvisionTokenV2, error)

GetToken retrieves a token by name.

func (*GRPCServer) GetTokens 

func (g *GRPCServer) GetTokens(ctx context.Context, _ *emptypb.Empty) (*types.ProvisionTokenV2List, error)

GetTokens retrieves all tokens.

func (*GRPCServer) GetTrustedCluster 

func (g *GRPCServer) GetTrustedCluster(ctx context.Context, req *types.ResourceRequest) (*types.TrustedClusterV2, error)

GetTrustedCluster retrieves a Trusted Cluster by name.

func (*GRPCServer) GetTrustedClusters 

func (g *GRPCServer) GetTrustedClusters(ctx context.Context, _ *emptypb.Empty) (*types.TrustedClusterV2List, error)

GetTrustedClusters retrieves all Trusted Clusters.

func (*GRPCServer) GetUser 

func (g *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*types.UserV2, error)

func (*GRPCServer) GetUsers 

func (g *GRPCServer) GetUsers(req *proto.GetUsersRequest, stream proto.AuthService_GetUsersServer) error

func (*GRPCServer) GetWebSession 

func (g *GRPCServer) GetWebSession(ctx context.Context, req *types.GetWebSessionRequest) (*proto.GetWebSessionResponse, error)

GetWebSession gets a web session.

func (*GRPCServer) GetWebSessions 

func (g *GRPCServer) GetWebSessions(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebSessionsResponse, error)

GetWebSessions gets all web sessions.

func (*GRPCServer) GetWebToken 

func (g *GRPCServer) GetWebToken(ctx context.Context, req *types.GetWebTokenRequest) (*proto.GetWebTokenResponse, error)

GetWebToken gets a web token.

func (*GRPCServer) GetWebTokens 

func (g *GRPCServer) GetWebTokens(ctx context.Context, _ *emptypb.Empty) (*proto.GetWebTokensResponse, error)

GetWebTokens gets all web tokens.

func (*GRPCServer) GetWindowsDesktopService 

func (g *GRPCServer) GetWindowsDesktopService(ctx context.Context, req *proto.GetWindowsDesktopServiceRequest) (*proto.GetWindowsDesktopServiceResponse, error)

GetWindowsDesktopService returns a registered Windows desktop service by name.

func (*GRPCServer) GetWindowsDesktopServices 

func (g *GRPCServer) GetWindowsDesktopServices(ctx context.Context, req *emptypb.Empty) (*proto.GetWindowsDesktopServicesResponse, error)

GetWindowsDesktopServices returns all registered Windows desktop services.

func (*GRPCServer) GetWindowsDesktops 

func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, filter *types.WindowsDesktopFilter) (*proto.GetWindowsDesktopsResponse, error)

GetWindowsDesktops returns all registered Windows desktop hosts.

func (*GRPCServer) InventoryControlStream 

func (g *GRPCServer) InventoryControlStream(stream proto.AuthService_InventoryControlStreamServer) error

func (*GRPCServer) IsMFARequired 

func (g *GRPCServer) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)

func (*GRPCServer) KeepAliveSemaphoreLease 

func (g *GRPCServer) KeepAliveSemaphoreLease(ctx context.Context, req *types.SemaphoreLease) (*emptypb.Empty, error)

KeepAliveSemaphoreLease updates semaphore lease.

func (*GRPCServer) ListResources 

func (g *GRPCServer) ListResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error)

ListResources retrieves a paginated list of resources.

func (*GRPCServer) MaintainSessionPresence 

func (g *GRPCServer) MaintainSessionPresence(stream proto.AuthService_MaintainSessionPresenceServer) error

MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.

func (*GRPCServer) Ping 

func (g *GRPCServer) Ping(ctx context.Context, req *proto.PingRequest) (*proto.PingResponse, error)

func (*GRPCServer) PingInventory 

func (g *GRPCServer) PingInventory(ctx context.Context, req *proto.InventoryPingRequest) (*proto.InventoryPingResponse, error)

func (*GRPCServer) RemoveSessionTracker 

func (g *GRPCServer) RemoveSessionTracker(ctx context.Context, req *proto.RemoveSessionTrackerRequest) (*emptypb.Empty, error)

RemoveSessionTracker removes a tracker resource for an active session.

func (*GRPCServer) ReplaceRemoteLocks 

func (g *GRPCServer) ReplaceRemoteLocks(ctx context.Context, req *proto.ReplaceRemoteLocksRequest) (*emptypb.Empty, error)

ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.

func (*GRPCServer) ResetAuthPreference 

func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetAuthPreference resets cluster auth preference to defaults.

func (*GRPCServer) ResetClusterNetworkingConfig 

func (g *GRPCServer) ResetClusterNetworkingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetClusterNetworkingConfig resets cluster networking configuration to defaults.

func (*GRPCServer) ResetSessionRecordingConfig 

func (g *GRPCServer) ResetSessionRecordingConfig(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error)

ResetSessionRecordingConfig resets session recording configuration to defaults.

func (*GRPCServer) SendKeepAlives 

func (g *GRPCServer) SendKeepAlives(stream proto.AuthService_SendKeepAlivesServer) error

SendKeepAlives allows node to send a stream of keep alive requests

func (*GRPCServer) SetAccessRequestState 

func (g *GRPCServer) SetAccessRequestState(ctx context.Context, req *proto.RequestStateSetter) (*emptypb.Empty, error)

func (*GRPCServer) SetAuthPreference 

func (g *GRPCServer) SetAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (*emptypb.Empty, error)

SetAuthPreference sets cluster auth preference.

func (*GRPCServer) SetClusterNetworkingConfig 

func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *types.ClusterNetworkingConfigV2) (*emptypb.Empty, error)

SetClusterNetworkingConfig sets cluster networking configuration.

func (*GRPCServer) SetInstaller 

func (g *GRPCServer) SetInstaller(ctx context.Context, req *types.InstallerV1) (*emptypb.Empty, error)

SetInstaller sets the installer script resource

func (*GRPCServer) SetNetworkRestrictions 

func (g *GRPCServer) SetNetworkRestrictions(ctx context.Context, nr *types.NetworkRestrictionsV4) (*emptypb.Empty, error)

SetNetworkRestrictions updates the network restrictions.

func (*GRPCServer) SetSessionRecordingConfig 

func (g *GRPCServer) SetSessionRecordingConfig(ctx context.Context, recConfig *types.SessionRecordingConfigV2) (*emptypb.Empty, error)

SetSessionRecordingConfig sets session recording configuration.

func (*GRPCServer) SignDatabaseCSR 

func (g *GRPCServer) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*GRPCServer) StartAccountRecovery 

func (g *GRPCServer) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (*types.UserTokenV3, error)

StartAccountRecovery is implemented by AuthService.StartAccountRecovery.

func (*GRPCServer) StreamSessionEvents 

func (g *GRPCServer) StreamSessionEvents(req *proto.StreamSessionEventsRequest, stream proto.AuthService_StreamSessionEventsServer) error

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.

func (*GRPCServer) SubmitAccessReview 

func (g *GRPCServer) SubmitAccessReview(ctx context.Context, review *types.AccessReviewSubmission) (*types.AccessRequestV3, error)

func (*GRPCServer) SubmitUsageEvent 

func (g *GRPCServer) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) (*emptypb.Empty, error)

SubmitUsageEvent submits an external usage event.

func (*GRPCServer) UnstableAssertSystemRole 

func (g *GRPCServer) UnstableAssertSystemRole(ctx context.Context, req *proto.UnstableSystemRoleAssertion) (*emptypb.Empty, error)

DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)

func (*GRPCServer) UpdateApp 

func (g *GRPCServer) UpdateApp(ctx context.Context, app *types.AppV3) (*emptypb.Empty, error)

UpdateApp updates existing application resource.

func (*GRPCServer) UpdateConnectionDiagnostic 

func (g *GRPCServer) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic *types.ConnectionDiagnosticV1) (*emptypb.Empty, error)

UpdateConnectionDiagnostic updates a connection diagnostic

func (*GRPCServer) UpdateDatabase 

func (g *GRPCServer) UpdateDatabase(ctx context.Context, database *types.DatabaseV3) (*emptypb.Empty, error)

UpdateDatabase updates existing database resource.

func (*GRPCServer) UpdateKubernetesCluster 

func (g *GRPCServer) UpdateKubernetesCluster(ctx context.Context, cluster *types.KubernetesClusterV3) (*emptypb.Empty, error)

UpdateKubernetesCluster updates existing kubernetes cluster resource.

func (*GRPCServer) UpdatePluginData 

func (g *GRPCServer) UpdatePluginData(ctx context.Context, params *types.PluginDataUpdateParams) (*emptypb.Empty, error)

UpdatePluginData updates a per-resource PluginData entry.

func (*GRPCServer) UpdateRemoteCluster 

func (g *GRPCServer) UpdateRemoteCluster(ctx context.Context, req *types.RemoteClusterV3) (*emptypb.Empty, error)

UpdateRemoteCluster updates remote cluster

func (*GRPCServer) UpdateSessionTracker 

func (g *GRPCServer) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) (*emptypb.Empty, error)

UpdateSessionTracker updates a tracker resource for an active session.

func (*GRPCServer) UpdateUser 

func (g *GRPCServer) UpdateUser(ctx context.Context, req *types.UserV2) (*emptypb.Empty, error)

UpdateUser updates an existing user in a backend.

func (*GRPCServer) UpdateWindowsDesktop 

func (g *GRPCServer) UpdateWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

UpdateWindowsDesktop updates an existing Windows desktop host.

func (*GRPCServer) UpsertApplicationServer 

func (g *GRPCServer) UpsertApplicationServer(ctx context.Context, req *proto.UpsertApplicationServerRequest) (*types.KeepAlive, error)

UpsertApplicationServer registers an application server.

func (*GRPCServer) UpsertClusterAlert 

func (g *GRPCServer) UpsertClusterAlert(ctx context.Context, req *proto.UpsertClusterAlertRequest) (*emptypb.Empty, error)

func (*GRPCServer) UpsertDatabaseServer 

func (g *GRPCServer) UpsertDatabaseServer(ctx context.Context, req *proto.UpsertDatabaseServerRequest) (*types.KeepAlive, error)

UpsertDatabaseServer registers a new database proxy server.

func (*GRPCServer) UpsertGithubConnector 

func (g *GRPCServer) UpsertGithubConnector(ctx context.Context, connector *types.GithubConnectorV3) (*emptypb.Empty, error)

UpsertGithubConnector upserts a Github connector.

func (*GRPCServer) UpsertKubeService 

func (g *GRPCServer) UpsertKubeService(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*emptypb.Empty, error)

UpsertKubeService adds a kubernetes service.

func (*GRPCServer) UpsertKubeServiceV2 

func (g *GRPCServer) UpsertKubeServiceV2(ctx context.Context, req *proto.UpsertKubeServiceRequest) (*types.KeepAlive, error)

UpsertKubeServiceV2 adds a kubernetes service

func (*GRPCServer) UpsertKubernetesServer 

func (g *GRPCServer) UpsertKubernetesServer(ctx context.Context, req *proto.UpsertKubernetesServerRequest) (*types.KeepAlive, error)

UpsertKubernetesServer registers an kubernetes server.

func (*GRPCServer) UpsertLock 

func (g *GRPCServer) UpsertLock(ctx context.Context, lock *types.LockV2) (*emptypb.Empty, error)

UpsertLock upserts a lock.

func (*GRPCServer) UpsertNode 

func (g *GRPCServer) UpsertNode(ctx context.Context, node *types.ServerV2) (*types.KeepAlive, error)

UpsertNode upserts a node.

func (*GRPCServer) UpsertOIDCConnector 

func (g *GRPCServer) UpsertOIDCConnector(ctx context.Context, oidcConnector *types.OIDCConnectorV3) (*emptypb.Empty, error)

UpsertOIDCConnector upserts an OIDC connector.

func (*GRPCServer) UpsertRole 

func (g *GRPCServer) UpsertRole(ctx context.Context, role *types.RoleV5) (*emptypb.Empty, error)

UpsertRole upserts a role.

func (*GRPCServer) UpsertSAMLConnector 

func (g *GRPCServer) UpsertSAMLConnector(ctx context.Context, samlConnector *types.SAMLConnectorV2) (*emptypb.Empty, error)

UpsertSAMLConnector upserts a SAML connector.

func (*GRPCServer) UpsertToken 

func (g *GRPCServer) UpsertToken(ctx context.Context, token *types.ProvisionTokenV2) (*emptypb.Empty, error)

UpsertToken upserts a token.

func (*GRPCServer) UpsertTrustedCluster 

func (g *GRPCServer) UpsertTrustedCluster(ctx context.Context, cluster *types.TrustedClusterV2) (*types.TrustedClusterV2, error)

UpsertTrustedCluster upserts a Trusted Cluster.

func (*GRPCServer) UpsertWindowsDesktop 

func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.WindowsDesktopV3) (*emptypb.Empty, error)

UpsertWindowsDesktop updates a Windows desktop host, creating it if it doesn't exist.

func (*GRPCServer) UpsertWindowsDesktopService 

func (g *GRPCServer) UpsertWindowsDesktopService(ctx context.Context, service *types.WindowsDesktopServiceV3) (*types.KeepAlive, error)

UpsertWindowsDesktopService registers a new Windows desktop service.

func (*GRPCServer) VerifyAccountRecovery 

func (g *GRPCServer) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (*types.UserTokenV3, error)

VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.

func (*GRPCServer) WatchEvents 

func (g *GRPCServer) WatchEvents(watch *proto.Watch, stream proto.AuthService_WatchEventsServer) error

WatchEvents returns a new stream of cluster events

type GRPCServerConfig 

type GRPCServerConfig struct {
	// APIConfig is GRPC server API configuration
	APIConfig
	// TLS is GRPC server config
	TLS *tls.Config
	// UnaryInterceptor intercepts individual GRPC requests
	// for authentication and rate limiting
	UnaryInterceptor grpc.UnaryServerInterceptor
	// UnaryInterceptor intercepts GRPC streams
	// for authentication and rate limiting
	StreamInterceptor grpc.StreamServerInterceptor
}

GRPCServerConfig specifies GRPC server configuration

func (*GRPCServerConfig) CheckAndSetDefaults 

func (cfg *GRPCServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GithubAuthRequest 

type GithubAuthRequest struct {
	// ConnectorID is the name of the connector to use.
	ConnectorID string `json:"connector_id"`
	// CSRFToken is used to protect against CSRF attacks.
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key to sign in case of successful auth.
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates that a user wants to generate a web session
	// after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is the URL where client will be redirected after
	// successful auth.
	ClientRedirectURL string `json:"client_redirect_url"`
}

GithubAuthRequest is an Github auth request that supports standard json marshaling

func GithubAuthRequestFromProto 

func GithubAuthRequestFromProto(req *types.GithubAuthRequest) GithubAuthRequest

GithubAuthRequestFromProto converts the types.GithubAuthRequest to GithubAuthRequest.

type GithubAuthResponse 

type GithubAuthResponse struct {
	// Username is the name of authenticated user
	Username string `json:"username"`
	// Identity is the external identity
	Identity types.ExternalIdentity `json:"identity"`
	// Session is the created web session
	Session types.WebSession `json:"session,omitempty"`
	// Cert is the generated SSH client certificate
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS client certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is the original auth request
	Req GithubAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

GithubAuthResponse represents Github auth callback validation response

type GithubConverter 

type GithubConverter struct {
	ClientI
}

GithubConverter is a thin wrapper around the ClientI interface that ensures GitHub auth connectors use the registered implementation.

func (*GithubConverter) GetGithubConnector 

func (g *GithubConverter) GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

func (*GithubConverter) GetGithubConnectors 

func (g *GithubConverter) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

func (*GithubConverter) UpsertGithubConnector 

func (g *GithubConverter) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

type HTTPClient 

type HTTPClient struct {
	roundtrip.Client
	// contains filtered or unexported fields
}

HTTPClient is a teleport HTTP API client.

func NewHTTPClient 

func NewHTTPClient(cfg client.Config, tls *tls.Config, params ...roundtrip.ClientParam) (*HTTPClient, error)

NewHTTPClient creates a new HTTP client with TLS authentication and the given dialer.

func (*HTTPClient) Close 

func (c *HTTPClient) Close()

Close closes the HTTP client connection to the auth server.

func (*HTTPClient) GetTransport 

func (c *HTTPClient) GetTransport() *http.Transport

GetTransport returns the HTTP client's transport.

func (*HTTPClient) TLSConfig 

func (c *HTTPClient) TLSConfig() *tls.Config

TLSConfig returns the HTTP client's TLS config.

type HandlerWithAuthFunc 

type HandlerWithAuthFunc func(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error)

HandlerWithAuthFunc is http handler with passed auth context

type HostCredentials 

type HostCredentials func(context.Context, string, bool, types.RegisterUsingTokenRequest) (*proto.Certs, error)

CredGetter is an interface for a client that can be used to get host credentials. This interface is needed because lib/client can not be imported in lib/auth due to circular imports.

type Identity 

type Identity struct {
	// ID specifies server unique ID, name and role
	ID IdentityID
	// KeyBytes is a PEM encoded private key
	KeyBytes []byte
	// CertBytes is a PEM encoded SSH host cert
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertBytes is a list of PEM encoded TLS x509 certificate of certificate authority
	// associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH host certificate signer
	KeySigner ssh.Signer
	// Cert is a parsed SSH certificate
	Cert *ssh.Certificate
	// XCert is X509 client certificate
	XCert *x509.Certificate
	// ClusterName is a name of host's cluster
	ClusterName string
}

Identity is collection of certificates and signers that represent server identity

func GenerateIdentity 

func GenerateIdentity(a *Server, id IdentityID, additionalPrincipals, dnsNames []string) (*Identity, error)

GenerateIdentity generates identity for the auth server

func LocalRegister 

func LocalRegister(id IdentityID, authServer *Server, additionalPrincipals, dnsNames []string, remoteAddr string, systemRoles []types.SystemRole) (*Identity, error)

LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.

func NewServerIdentity 

func NewServerIdentity(clt *Server, hostID string, role types.SystemRole) (*Identity, error)

NewServerIdentity generates new server identity, used in tests

func ReRegister 

func ReRegister(params ReRegisterParams) (*Identity, error)

ReRegister renews the certificates and private keys based on the client's existing identity.

func ReadIdentityFromKeyPair 

func ReadIdentityFromKeyPair(privateKey []byte, certs *proto.Certs) (*Identity, error)

ReadIdentityFromKeyPair reads SSH and TLS identity from key pair.

func ReadLocalIdentity 

func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error)

ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the key storage (dataDir).

func ReadSSHIdentityFromKeyPair 

func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error)

ReadSSHIdentityFromKeyPair reads identity from initialized keypair

func ReadTLSIdentityFromKeyPair 

func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error)

ReadTLSIdentityFromKeyPair reads TLS identity from key pair

func (*Identity) HasDNSNames 

func (i *Identity) HasDNSNames(dnsNames []string) bool

HasDNSNames returns true if TLS certificate has required DNS names

func (*Identity) HasPrincipals 

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns whether identity has principals

func (*Identity) HasTLSConfig 

func (i *Identity) HasTLSConfig() bool

HasTLSConfig returns true if this identity has TLS certificate and private key.

func (*Identity) SSHClientConfig 

func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error)

SSHClientConfig returns a ssh.ClientConfig used by nodes to connect to the reverse tunnel server.

func (*Identity) String 

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig 

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns TLS config for mutual TLS authentication can return NotFound error if there are no TLS credentials setup for identity

type IdentityGetter 

type IdentityGetter interface {
	// GetIdentity  returns x509-derived identity of the user
	GetIdentity() tlsca.Identity
}

IdentityGetter returns the unmapped client identity.

Unmapped means that if the client is a remote cluster user, the returned tlsca.Identity contains data from the remote cluster before role mapping is applied.

type IdentityID 

type IdentityID struct {
	Role     types.SystemRole
	HostUUID string
	NodeName string
}

IdentityID is a combination of role, host UUID, and node name.

func (*IdentityID) Equals 

func (id *IdentityID) Equals(other IdentityID) bool

Equals returns true if two identities are equal

func (*IdentityID) HostID 

func (id *IdentityID) HostID() string

HostID is host ID part of the host UUID that consists cluster name

func (*IdentityID) String 

func (id *IdentityID) String() string

String returns debug friendly representation of this identity

type IdentityService 

type IdentityService interface {
	// UpsertOIDCConnector updates or creates OIDC connector
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
	// GetOIDCConnector returns OIDC connector information by id
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)
	// GetOIDCConnectors gets OIDC connectors list
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)
	// DeleteOIDCConnector deletes OIDC connector by ID
	DeleteOIDCConnector(ctx context.Context, connectorID string) error
	// CreateOIDCAuthRequest creates OIDCAuthRequest
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)
	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)
	// ValidateOIDCAuthCallback validates OIDC auth callback returned from redirect
	ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

	// UpsertSAMLConnector updates or creates SAML connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error
	// GetSAMLConnector returns SAML connector information by id
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)
	// GetSAMLConnectors gets SAML connectors list
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)
	// DeleteSAMLConnector deletes SAML connector by ID
	DeleteSAMLConnector(ctx context.Context, connectorID string) error
	// CreateSAMLAuthRequest creates SAML AuthnRequest
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)
	// ValidateSAMLResponse validates SAML auth response
	ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)
	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, authRequestID string) (*types.SAMLAuthRequest, error)

	// UpsertGithubConnector creates or updates a Github connector
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)
	// GetGithubConnector returns the specified Github connector
	GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)
	// DeleteGithubConnector deletes the specified Github connector
	DeleteGithubConnector(ctx context.Context, id string) error
	// CreateGithubAuthRequest creates a new request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)
	// GetGithubAuthRequest returns Github auth request if found
	GetGithubAuthRequest(ctx context.Context, id string) (*types.GithubAuthRequest, error)
	// ValidateGithubAuthCallback validates Github auth callback
	ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

	// GetUser returns user by name
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetCurrentUser returns current user as seen by the server.
	// Useful especially in the context of remote clusters which perform role and trait mapping.
	GetCurrentUser(ctx context.Context) (types.User, error)

	// GetCurrentUserRoles returns current user's roles.
	GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)

	// CreateUser inserts a new entry in a backend.
	CreateUser(ctx context.Context, user types.User) error

	// UpdateUser updates an existing user in a backend.
	UpdateUser(ctx context.Context, user types.User) error

	// UpsertUser user updates or inserts user entry
	UpsertUser(user types.User) error

	// CompareAndSwapUser updates an existing user in a backend, but fails if
	// the user in the backend does not match the expected value.
	CompareAndSwapUser(ctx context.Context, new, expected types.User) error

	// DeleteUser deletes an existng user in a backend by username.
	DeleteUser(ctx context.Context, user string) error

	// GetUsers returns a list of usernames registered in the system
	GetUsers(withSecrets bool) ([]types.User, error)

	// ChangePassword changes user password
	ChangePassword(req services.ChangePasswordReq) error

	// CheckPassword checks if the suplied web access password is valid.
	CheckPassword(user string, password []byte, otpToken string) error

	// GenerateToken creates a special provisioning token for a new SSH server
	// that is valid for ttl period seconds.
	//
	// This token is used by SSH server to authenticate with Auth server
	// and get signed certificate and private key from the auth server.
	//
	// If token is not supplied, it will be auto generated and returned.
	// If TTL is not supplied, token will be valid until removed.
	GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

	// GenerateHostCert takes the public key in the Open SSH “authorized_keys“
	// plain text format, signs it using Host Certificate Authority private key and returns the
	// resulting certificate.
	GenerateHostCert(ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)

	// GenerateUserCerts takes the public key in the OpenSSH `authorized_keys` plain
	// text format, signs it using User Certificate Authority signing key and
	// returns the resulting certificates.
	GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

	// GenerateUserSingleUseCerts is like GenerateUserCerts but issues a
	// certificate for a single session
	// (https://github.com/gravitational/teleport/blob/3a1cf9111c2698aede2056513337f32bfc16f1f1/rfd/0014-session-2FA.md#sessions).
	GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)

	// IsMFARequired is a request to check whether MFA is required to
	// access the Target.
	IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)

	// DeleteAllUsers deletes all users
	DeleteAllUsers() error

	// CreateResetPasswordToken creates a new user reset token
	CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

	// CreateBot creates a new certificate renewal bot and associated resources.
	CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)
	// DeleteBot removes a certificate renewal bot and associated resources.
	DeleteBot(ctx context.Context, botName string) error
	// GetBotUsers gets all bot users.
	GetBotUsers(ctx context.Context) ([]types.User, error)

	// ChangeUserAuthentication allows a user with a reset or invite token to change their password and if enabled also adds a new mfa device.
	// Upon success, creates new web session and creates new set of recovery codes (if user meets requirements).
	ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)

	// GetResetPasswordToken returns a reset password token.
	GetResetPasswordToken(ctx context.Context, username string) (types.UserToken, error)

	// GetMFADevices fetches all MFA devices registered for the calling user.
	GetMFADevices(ctx context.Context, in *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)
	// AddMFADevice adds a new MFA device for the calling user.
	AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)
	// DeleteMFADevice deletes a MFA device for the calling user.
	DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)
	// AddMFADeviceSync adds a new MFA device (nonstream).
	AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)
	// DeleteMFADeviceSync deletes a users MFA device (nonstream).
	DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error
	// CreateAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.
	CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
	// CreateRegisterChallenge creates and returns MFA register challenge for a new MFA device.
	CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

	// MaintainSessionPresence establishes a channel used to continuously verify the presence for a session.
	MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)

	// StartAccountRecovery creates a recovery start token for a user who successfully verified their username and their recovery code.
	// This token is used as part of a URL that will be emailed to the user (not done in this request).
	// Represents step 1 of the account recovery process.
	StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)
	// VerifyAccountRecovery creates a recovery approved token after successful verification of users password or second factor
	// (authn depending on what user needed to recover). This token will allow users to perform protected actions while not logged in.
	// Represents step 2 of the account recovery process after RPC StartAccountRecovery.
	VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)
	// CompleteAccountRecovery sets a new password or adds a new mfa device,
	// allowing user to regain access to their account using the new credentials.
	// Represents the last step in the account recovery process after RPC's StartAccountRecovery and VerifyAccountRecovery.
	CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

	// CreateAccountRecoveryCodes creates new set of recovery codes for a user, replacing and invalidating any previously owned codes.
	CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)
	// GetAccountRecoveryToken returns a user token resource after verifying the token in
	// request is not expired and is of the correct recovery type.
	GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)
	// GetAccountRecoveryCodes returns the user in context their recovery codes resource without any secrets.
	GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

	// CreatePrivilegeToken creates a privilege token for the logged in user who has successfully re-authenticated with their second factor.
	// A privilege token allows users to perform privileged action eg: add/delete their MFA device.
	CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)
}

IdentityService manages identities and users

type IdentitySpecV2 

type IdentitySpecV2 struct {
	// Key is a PEM encoded private key.
	Key []byte `json:"key,omitempty"`
	// SSHCert is a PEM encoded SSH host cert.
	SSHCert []byte `json:"ssh_cert,omitempty"`
	// TLSCert is a PEM encoded x509 client certificate.
	TLSCert []byte `json:"tls_cert,omitempty"`
	// TLSCACert is a list of PEM encoded x509 certificate of the
	// certificate authority of the cluster.
	TLSCACerts [][]byte `json:"tls_ca_certs,omitempty"`
	// SSHCACerts is a list of SSH certificate authorities encoded in the
	// authorized_keys format.
	SSHCACerts [][]byte `json:"ssh_ca_certs,omitempty"`
}

IdentitySpecV2 specifies credentials used by local process.

type IdentityV2 

type IdentityV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is the identity spec.
	Spec IdentitySpecV2 `json:"spec"`
}

IdentityV2 specifies local host identity.

func (*IdentityV2) CheckAndSetDefaults 

func (s *IdentityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type InitConfig 

type InitConfig struct {
	// Backend is auth backend to use
	Backend backend.Backend

	// Authority is key generator that we use
	Authority sshca.Authority

	// KeyStoreConfig is the config for the KeyStore which handles private CA
	// keys that may be held in an HSM.
	KeyStoreConfig keystore.Config

	// HostUUID is a UUID of this host
	HostUUID string

	// NodeName is the DNS name of the node
	NodeName string

	// ClusterName stores the FQDN of the signing CA (its certificate will have this
	// name embedded). It is usually set to the GUID of the host the Auth service runs on
	ClusterName types.ClusterName

	// Authorities is a list of pre-configured authorities to supply on first start
	Authorities []types.CertAuthority

	// Resources is a list of previously backed-up resources used to
	// bootstrap backend on first start.
	Resources []types.Resource

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// DataDir is the full path to the directory where keys, events and logs are kept
	DataDir string

	// ReverseTunnels is a list of reverse tunnels statically supplied
	// in configuration, so auth server will init the tunnels on the first start
	ReverseTunnels []types.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	// in configuration, so auth server will init the tunnels on the first start
	OIDCConnectors []types.OIDCConnector

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is service controlling access to resources
	Access services.Access

	// DynamicAccessExt is a service that manages dynamic RBAC.
	DynamicAccessExt services.DynamicAccessExt

	// Events is an event service
	Events types.Events

	// ClusterConfiguration is a services that holds cluster wide configuration.
	ClusterConfiguration services.ClusterConfiguration

	// Restrictions is a service to access network restrictions, etc
	Restrictions services.Restrictions

	// Apps is a service that manages application resources.
	Apps services.Apps

	// Databases is a service that manages database resources.
	Databases services.Databases

	// Status is a service that manages cluster status info.
	Status services.StatusInternal

	// Roles is a set of roles to create
	Roles []types.Role

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens types.StaticTokens

	// AuthPreference defines the authentication type (local, oidc) and second
	// factor passed in from a configuration file.
	AuthPreference types.AuthPreference

	// AuditLog is used for emitting events to audit log.
	AuditLog events.IAuditLog

	// ClusterAuditConfig holds cluster audit configuration.
	ClusterAuditConfig types.ClusterAuditConfig

	// ClusterNetworkingConfig holds cluster networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig

	// SessionRecordingConfig holds session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig

	// SkipPeriodicOperations turns off periodic operations
	// used in tests that don't need periodic operations.
	SkipPeriodicOperations bool

	// CipherSuites is a list of ciphersuites that the auth server supports.
	CipherSuites []uint16

	// Emitter is events emitter, used to submit discrete events
	Emitter apievents.Emitter

	// Streamer is events sessionstreamer, used to create continuous
	// session related streams
	Streamer events.Streamer

	// WindowsServices is a service that manages Windows desktop resources.
	WindowsDesktops services.WindowsDesktops

	// SessionTrackerService is a service that manages trackers for all active sessions.
	SessionTrackerService services.SessionTrackerService

	// Enforcer is used to enforce Teleport Enterprise license compliance.
	Enforcer services.Enforcer

	// ConnectionsDiagnostic is a service that manages Connection Diagnostics resources.
	ConnectionsDiagnostic services.ConnectionsDiagnostic

	// LoadAllCAs tells tsh to load the host CAs for all clusters when trying to ssh into a node.
	LoadAllCAs bool

	// TraceClient is used to forward spans to the upstream telemetry collector
	TraceClient otlptrace.Client

	// Kubernetes is a service that manages kubernetes cluster resources.
	Kubernetes services.Kubernetes

	// AssertionReplayService is a service that mitigatates SSO assertion replay.
	*local.AssertionReplayService

	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// UsageReporter is a service that forwards cluster usage events.
	UsageReporter services.UsageReporter
}

InitConfig is auth server init config

type KubeCSR 

type KubeCSR struct {
	// Username of user's certificate
	Username string `json:"username"`
	// ClusterName is a name of the target cluster to generate certificate for
	ClusterName string `json:"cluster_name"`
	// CSR is a kubernetes CSR
	CSR []byte `json:"csr"`
}

KubeCSR is a kubernetes CSR request

func (*KubeCSR) CheckAndSetDefaults 

func (a *KubeCSR) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type KubeCSRResponse 

type KubeCSRResponse struct {
	// Cert is a signed certificate PEM block
	Cert []byte `json:"cert"`
	// CertAuthorities is a list of PEM block with trusted cert authorities
	CertAuthorities [][]byte `json:"cert_authorities"`
	// TargetAddr is an optional target address
	// of the kubernetes API server that can be set
	// in the kubeconfig
	TargetAddr string `json:"target_addr"`
}

KubeCSRResponse is a response to kubernetes CSR request

type KubernetesAccessPoint 

type KubernetesAccessPoint interface {
	// ReadKubernetesAccessPoint provides methods to read data
	ReadKubernetesAccessPoint
	// contains filtered or unexported methods
}

KubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.

func NewKubernetesWrapper 

func NewKubernetesWrapper(base KubernetesAccessPoint, cache ReadKubernetesAccessPoint) KubernetesAccessPoint

type KubernetesWrapper 

type KubernetesWrapper struct {
	ReadKubernetesAccessPoint

	NoCache KubernetesAccessPoint
	// contains filtered or unexported fields
}

func (*KubernetesWrapper) Close 

func (w *KubernetesWrapper) Close() error

Close closes all associated resources

type LocalUser 

type LocalUser struct {
	// Username is local username
	Username string
	// Identity is x509-derived identity used to build this user
	Identity tlsca.Identity
}

LocalUser is a local user

func (LocalUser) GetIdentity 

func (l LocalUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type Metrics 

type Metrics struct {
	GRPCServerLatency bool
}

Metrics handles optional metrics for TLSServerConfig

type Middleware 

type Middleware struct {
	// AccessPoint is a caching access point for auth server
	AccessPoint AccessCache
	// Handler is HTTP handler called after the middleware checks requests
	Handler http.Handler
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on certificate metadata,
	// for example middleware can reject certificates with mismatching usage.
	// If empty, will only accept certificates with non-limited usage,
	// if set, will accept certificates with non-limited usage,
	// and usage exactly matching the specified values.
	AcceptedUsage []string
	// Limiter is a rate and connection limiter
	Limiter *limiter.Limiter
	// GRPCMetrics is the configured grpc metrics for the interceptors
	GRPCMetrics *om.ServerMetrics
}

Middleware is authentication middleware checking every request

func (*Middleware) GetUser 

func (a *Middleware) GetUser(connState tls.ConnectionState) (IdentityGetter, error)

GetUser returns authenticated user based on request metadata set by HTTP server

func (*Middleware) ServeHTTP 

func (a *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP serves HTTP requests

func (*Middleware) StreamInterceptor 

func (a *Middleware) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns a gPRC stream interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.

func (*Middleware) UnaryInterceptor 

func (a *Middleware) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns a gPRC unary interceptor which performs rate limiting, authenticates requests, and passes the user information as context metadata.

func (*Middleware) Wrap 

func (a *Middleware) Wrap(h http.Handler)

Wrap sets next handler in chain

func (*Middleware) WrapContextWithUser 

func (a *Middleware) WrapContextWithUser(ctx context.Context, conn utils.TLSConn) (context.Context, error)

WrapContextWithUser enriches the provided context with the identity information extracted from the provided TLS connection.

type NewRemoteProxyCachingAccessPoint 

type NewRemoteProxyCachingAccessPoint func(clt ClientI, cacheName []string) (RemoteProxyAccessPoint, error)

NewRemoteProxyCachingAccessPoint returns new caching access point using access point policy

type NodeAccessPoint 

type NodeAccessPoint interface {
	// ReadNodeAccessPoint provides methods to read data
	ReadNodeAccessPoint
	// contains filtered or unexported methods
}

NodeAccessPoint is an API interface implemented by a certificate authority (CA) to be used by teleport.ComponentNode.

func NewNodeWrapper 

func NewNodeWrapper(base NodeAccessPoint, cache ReadNodeAccessPoint) NodeAccessPoint

type NodeWrapper 

type NodeWrapper struct {
	ReadNodeAccessPoint

	NoCache NodeAccessPoint
	// contains filtered or unexported fields
}

func (*NodeWrapper) Close 

func (w *NodeWrapper) Close() error

Close closes all associated resources

type OIDCAuthRequest 

type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`
	// CSRFToken is associated with user web session token
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth
	PublicKey []byte `json:"public_key"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication
	ClientRedirectURL string `json:"client_redirect_url"`
}

OIDCAuthRequest is an OIDC auth request that supports standard json marshaling.

func OIDCAuthRequestFromProto 

func OIDCAuthRequestFromProto(req *types.OIDCAuthRequest) OIDCAuthRequest

OIDCAuthRequestFromProto converts the types.OIDCAuthRequest to OIDCAuthRequest.

type OIDCAuthResponse 

type OIDCAuthResponse struct {
	// Username is authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated OIDC identity
	Identity types.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is original oidc auth request
	Req OIDCAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

OIDCAuthResponse is returned when auth server validated callback parameters returned from OIDC provider

type OTPCreds 

type OTPCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
	// Token is a user second factor token
	Token string `json:"token"`
}

OTPCreds is a two-factor authentication credentials

type PassCreds 

type PassCreds struct {
	// Password is a user password
	Password []byte `json:"password"`
}

PassCreds is a password credential

type PolicyOptions 

type PolicyOptions struct {
	TerminateOnLeave bool
}

PolicyOptions is a set of settings for the session determined by the matched require policy.

type ProcessStorage 

type ProcessStorage struct {
	// BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
	BackendStorage backend.Backend
	// contains filtered or unexported fields
}

ProcessStorage is a backend for local process state, it helps to manage rotation for certificate authorities and keeps local process credentials - x509 and SSH certs and keys.

func NewProcessStorage 

func NewProcessStorage(ctx context.Context, path string) (*ProcessStorage, error)

NewProcessStorage returns a new instance of the process storage.

func (*ProcessStorage) Close 

func (p *ProcessStorage) Close() error

Close closes all resources used by process storage backend.

func (*ProcessStorage) CreateState 

func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error

CreateState creates process state if it does not exist yet.

func (*ProcessStorage) GetState 

func (p *ProcessStorage) GetState(role types.SystemRole) (*StateV2, error)

GetState reads rotation state from disk.

func (*ProcessStorage) ReadIdentity 

func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error)

ReadIdentity reads identity using identity name and role.

func (*ProcessStorage) WriteIdentity 

func (p *ProcessStorage) WriteIdentity(name string, id Identity) error

WriteIdentity writes identity to the backend.

func (*ProcessStorage) WriteState 

func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error

WriteState writes local cluster state to the backend.

type ProvisioningService 

type ProvisioningService interface {
	// GetTokens returns a list of active invitation tokens for nodes and users
	GetTokens(ctx context.Context) (tokens []types.ProvisionToken, err error)

	// GetToken returns provisioning token
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// DeleteToken deletes a given provisioning token on the auth server (CA). It
	// could be a reset password token or a machine token
	DeleteToken(ctx context.Context, token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ctx context.Context, token types.ProvisionToken) error

	// CreateToken creates a new provision token for the auth server
	CreateToken(ctx context.Context, token types.ProvisionToken) error

	// RegisterUsingToken calls the auth service API to register a new node via registration token
	// which has been previously issued via GenerateToken
	RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
}

ProvisioningService is a service in control of adding new nodes, auth servers and proxies to the cluster

type ProxyAccessPoint 

type ProxyAccessPoint interface {
	// ReadProxyAccessPoint provides methods to read data
	ReadProxyAccessPoint
	// contains filtered or unexported methods
}

ProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

func NewProxyWrapper 

func NewProxyWrapper(base ProxyAccessPoint, cache ReadProxyAccessPoint) ProxyAccessPoint

type ProxyWrapper 

type ProxyWrapper struct {
	ReadProxyAccessPoint

	NoCache ProxyAccessPoint
	// contains filtered or unexported fields
}

func (*ProxyWrapper) Close 

func (w *ProxyWrapper) Close() error

Close closes all associated resources

type ReRegisterParams 

type ReRegisterParams struct {
	// Client is an authenticated client using old credentials
	Client ClientI
	// ID is identity ID
	ID IdentityID
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS Names to add to the x509 client certificate
	DNSNames []string
	// PrivateKey is a PEM encoded private key (not passed to auth servers)
	PrivateKey []byte
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// Rotation is the rotation state of the certificate authority
	Rotation types.Rotation
	// SystemRoles is a set of additional system roles held by the instance.
	SystemRoles []types.SystemRole
	// Used by older instances to requisition a multi-role cert by individually
	// proving which system roles are held.
	UnstableSystemRoleAssertionID string
}

ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members)

type ReadAppsAccessPoint 

type ReadAppsAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}

ReadAppsAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentApp.

NOTE: This interface must match the resources replicated in cache.ForApps.

type ReadDatabaseAccessPoint 

type ReadDatabaseAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}

ReadDatabaseAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentDatabase.

NOTE: This interface must match the resources replicated in cache.ForDatabases.

type ReadDiscoveryAccessPoint 

type ReadDiscoveryAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	// GetKubernetesCluster returns a kubernetes cluster resource identified by name.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
}

ReadDiscoveryAccessPoint is a read only API interface to be used by a teleport.ComponentDiscovery.

NOTE: This interface must match the resources replicated in cache.ForDiscovery.

type ReadKubernetesAccessPoint 

type ReadKubernetesAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

ReadKubernetesAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentKube.

NOTE: This interface must match the resources replicated in cache.ForKubernetes.

type ReadNodeAccessPoint 

type ReadNodeAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)
}

ReadNodeAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentNode.

NOTE: This interface must match the resources replicated in cache.ForNode.

type ReadProxyAccessPoint 

type ReadProxyAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetApps returns all application resources.
	GetApps(ctx context.Context) ([]types.Application, error)

	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)

	// GetNetworkRestrictions returns networking restrictions for restricted shell to enforce
	GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)

	// GetWebSession gets a web session for the given request
	GetWebSession(context.Context, types.GetWebSessionRequest) (types.WebSession, error)

	// GetWebToken gets a web token for the given request
	GetWebToken(context.Context, types.GetWebTokenRequest) (types.WebToken, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

	// GetDatabases returns all database resources.
	GetDatabases(ctx context.Context) ([]types.Database, error)

	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns windows desktop hosts.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a windows desktop host by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(ctx context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

ReadProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

NOTE: This interface must match the resources replicated in cache.ForProxy.

type ReadRemoteProxyAccessPoint 

type ReadRemoteProxyAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// GetNodes returns a list of registered servers for this cluster.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

	// GetProxies returns a list of proxy servers registered in the cluster
	GetProxies() ([]types.Server, error)

	// GetAuthServers returns a list of auth servers registered in the cluster
	GetAuthServers() ([]types.Server, error)

	// GetReverseTunnels returns  a list of reverse tunnels
	GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// GetKubeServices returns a list of kubernetes services registered in the cluster
	// DELETE IN 13.0. Deprecated, use GetKubernetesServers.
	GetKubeServices(context.Context) ([]types.Server, error)

	// GetKubernetesServers returns a list of kubernetes servers registered in the cluster
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)
}

ReadRemoteProxyAccessPoint is a read only API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

NOTE: This interface must match the resources replicated in cache.ForRemoteProxy.

type ReadWindowsDesktopAccessPoint 

type ReadWindowsDesktopAccessPoint interface {
	// Closer closes all the resources
	io.Closer

	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

	// GetClusterName gets the name of the cluster from the backend.
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterAuditConfig returns cluster audit configuration.
	GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetUser returns a services.User for this cluster.
	GetUser(name string, withSecrets bool) (types.User, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetRoles returns a list of roles
	GetRoles(ctx context.Context) ([]types.Role, error)

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// GetWindowsDesktops returns windows desktop hosts.
	GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

	// GetWindowsDesktopServices returns windows desktop hosts.
	GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

	// GetWindowsDesktopService returns a windows desktop host by name.
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
}

ReadWindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.

NOTE: This interface must match the resources replicated in cache.ForWindowsDesktop.

type RegisterParams 

type RegisterParams struct {
	// Token is a secure token to join the cluster
	Token string
	// ID is identity ID
	ID IdentityID
	// AuthServers is a list of auth servers to dial
	AuthServers []utils.NetAddr
	// ProxyServer is a proxy server to dial
	ProxyServer utils.NetAddr
	// AdditionalPrincipals is a list of additional principals to dial
	AdditionalPrincipals []string
	// DNSNames is a list of DNS names to add to x509 certificate
	DNSNames []string
	// PublicTLSKey is a server's public key to sign
	PublicTLSKey []byte
	// PublicSSHKey is a server's public SSH key to sign
	PublicSSHKey []byte
	// CipherSuites is a list of cipher suites to use for TLS client connection
	CipherSuites []uint16
	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// CAPath is the path to the CA file.
	CAPath string
	// GetHostCredentials is a client that can fetch host credentials.
	GetHostCredentials HostCredentials
	// Clock specifies the time provider. Will be used to override the time anchor
	// for TLS certificate verification.
	// Defaults to real clock if unspecified
	Clock clockwork.Clock
	// JoinMethod is the joining method used for this register request.
	JoinMethod types.JoinMethod

	// CircuitBreakerConfig defines how the circuit breaker should behave.
	CircuitBreakerConfig breaker.Config
	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool
	// IDToken is a token retrieved from a workload identity provider for
	// certain join types e.g GitHub, Google.
	IDToken string
	// Expires is an optional field for bots that specifies a time that the
	// certificates that are returned by registering should expire at.
	// It should not be specified for non-bot registrations.
	Expires *time.Time
	// contains filtered or unexported fields
}

RegisterParams specifies parameters for first time register operation with auth server

type RemoteBuiltinRole 

type RemoteBuiltinRole struct {
	// Role is the builtin role of the user
	Role types.SystemRole

	// Username is for authentication tracking purposes
	Username string

	// ClusterName is the name of the remote cluster.
	ClusterName string

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteBuiltinRole is the role of the remote (service connecting via trusted cluster link) Teleport service.

func (RemoteBuiltinRole) GetIdentity 

func (r RemoteBuiltinRole) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RemoteProxyAccessPoint 

type RemoteProxyAccessPoint interface {
	// ReadRemoteProxyAccessPoint provides methods to read data
	ReadRemoteProxyAccessPoint
	// contains filtered or unexported methods
}

RemoteProxyAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentProxy.

func NewRemoteProxyWrapper 

func NewRemoteProxyWrapper(base RemoteProxyAccessPoint, cache ReadRemoteProxyAccessPoint) RemoteProxyAccessPoint

type RemoteProxyWrapper 

type RemoteProxyWrapper struct {
	ReadRemoteProxyAccessPoint

	NoCache RemoteProxyAccessPoint
	// contains filtered or unexported fields
}

func (*RemoteProxyWrapper) Close 

func (w *RemoteProxyWrapper) Close() error

Close closes all associated resources

type RemoteUser 

type RemoteUser struct {
	// Username is a name of the remote user
	Username string `json:"username"`

	// ClusterName is the name of the remote cluster
	// of the user.
	ClusterName string `json:"cluster_name"`

	// RemoteRoles is optional list of remote roles
	RemoteRoles []string `json:"remote_roles"`

	// Principals is a list of Unix logins.
	Principals []string `json:"principals"`

	// KubernetesGroups is a list of Kubernetes groups
	KubernetesGroups []string `json:"kubernetes_groups"`

	// KubernetesUsers is a list of Kubernetes users
	KubernetesUsers []string `json:"kubernetes_users"`

	// DatabaseNames is a list of database names a user can connect to.
	DatabaseNames []string `json:"database_names"`

	// DatabaseUsers is a list of database users a user can connect as.
	DatabaseUsers []string `json:"database_users"`

	// Identity is source x509 used to build this role
	Identity tlsca.Identity
}

RemoteUser defines encoded remote user.

func (RemoteUser) GetIdentity 

func (r RemoteUser) GetIdentity() tlsca.Identity

GetIdentity returns client identity

type RotateRequest 

type RotateRequest struct {
	// Type is a certificate authority type, if omitted, both user and host CA
	// will be rotated.
	Type types.CertAuthType `json:"type"`
	// GracePeriod is used to generate cert rotation schedule that defines
	// times at which different rotation phases will be applied by the auth server
	// in auto mode. It is not used in manual rotation mode.
	// If omitted, default value is set, if 0 is supplied, it is interpreted as
	// forcing rotation of all certificate authorities with no grace period,
	// all existing users and hosts will have to re-login and re-added
	// into the cluster.
	GracePeriod *time.Duration `json:"grace_period,omitempty"`
	// TargetPhase sets desired rotation phase to move to, if not set
	// will be set automatically, it is a required argument
	// for manual rotation.
	TargetPhase string `json:"target_phase,omitempty"`
	// Mode sets manual or auto rotation mode.
	Mode string `json:"mode"`
	// Schedule is an optional rotation schedule,
	// autogenerated based on GracePeriod parameter if not set.
	Schedule *types.RotationSchedule `json:"schedule"`
}

RotateRequest is a request to start rotation of the certificate authority.

func (*RotateRequest) CheckAndSetDefaults 

func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values.

func (*RotateRequest) Types 

func (r *RotateRequest) Types() []types.CertAuthType

Types returns cert authority types requested to be rotated.

type SAMLAuthRequest 

type SAMLAuthRequest struct {
	// ID is a unique request ID.
	ID string `json:"id"`
	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth.
	PublicKey []byte `json:"public_key"`
	// CSRFToken is associated with user web session token.
	CSRFToken string `json:"csrf_token"`
	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication.
	CreateWebSession bool `json:"create_web_session"`
	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication.
	ClientRedirectURL string `json:"client_redirect_url"`
}

SAMLAuthRequest is a SAML auth request that supports standard json marshaling.

func SAMLAuthRequestFromProto 

func SAMLAuthRequestFromProto(req *types.SAMLAuthRequest) SAMLAuthRequest

SAMLAuthRequestFromProto converts the types.SAMLAuthRequest to SAMLAuthRequestData.

type SAMLAuthResponse 

type SAMLAuthResponse struct {
	// Username is an authenticated teleport username
	Username string `json:"username"`
	// Identity contains validated SAML identity
	Identity types.ExternalIdentity `json:"identity"`
	// Web session will be generated by auth server if requested in SAMLAuthRequest
	Session types.WebSession `json:"session,omitempty"`
	// Cert will be generated by certificate authority
	Cert []byte `json:"cert,omitempty"`
	// TLSCert is a PEM encoded TLS certificate
	TLSCert []byte `json:"tls_cert,omitempty"`
	// Req is an original SAML auth request
	Req SAMLAuthRequest `json:"req"`
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority `json:"host_signers"`
}

SAMLAuthResponse is returned when auth server validated callback parameters returned from SAML identity provider

type SSHLoginResponse 

type SSHLoginResponse struct {
	// User contains a logged-in user information
	Username string `json:"username"`
	// Cert is a PEM encoded  signed certificate
	Cert []byte `json:"cert"`
	// TLSCertPEM is a PEM encoded TLS certificate signed by TLS certificate authority
	TLSCert []byte `json:"tls_cert"`
	// HostSigners is a list of signing host public keys trusted by proxy
	HostSigners []TrustedCerts `json:"host_signers"`
}

SSHLoginResponse is a response returned by web proxy, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

type Server 

type Server struct {
	sshca.Authority

	// AuthServiceName is a human-readable name of this CA. If several Auth services are running
	// (managing multiple teleport clusters) this field is used to tell them apart in UIs
	// It usually defaults to the hostname of the machine the Auth service runs on.
	AuthServiceName string

	// ServerID is the server ID of this auth server.
	ServerID string

	// Services encapsulate services - provisioner, trust, etc. used by the auth
	// server in a separate structure. Reads through Services hit the backend.
	*Services

	// Cache should either be the same as Services, or a caching layer over it.
	// As it's an interface (and thus directly implementing all of its methods)
	// its embedding takes priority over Services (which only indirectly
	// implements its methods), thus any implemented GetFoo method on both Cache
	// and Services will call the one from Cache. To bypass the cache, call the
	// method on Services instead.
	Cache
	// contains filtered or unexported fields
}

Server keeps the cluster together. It acts as a certificate authority (CA) for a cluster and:

  • generates the keypair for the node it's running on
  • invites other SSH nodes to a cluster, by issuing invite tokens
  • adds other SSH nodes to a cluster, by checking their token and signing their keys
  • same for users and their sessions
  • checks public keys to see if they're signed by it (can be trusted or not)

func Init 

func Init(cfg InitConfig, opts ...ServerOption) (*Server, error)

Init instantiates and configures an instance of AuthServer

func NewServer 

func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error)

NewServer creates and configures a new Server instance

func (*Server) AddMFADeviceSync 

func (a *Server) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)

AddMFADeviceSync implements AuthService.AddMFADeviceSync.

func (*Server) AuthenticateSSHUser 

func (s *Server) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates an SSH user and returns SSH and TLS certificates for the public key in req.

func (*Server) AuthenticateUser 

func (s *Server) AuthenticateUser(req AuthenticateUserRequest) (string, error)

AuthenticateUser authenticates user based on the request type. Returns the username of the authenticated user.

func (*Server) AuthenticateWebUser 

func (s *Server) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns a web session if authentication is successful. In case the existing session ID is used to authenticate, returns the existing session instead of creating a new one

func (*Server) ChangePassword 

func (s *Server) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*Server) ChangeUserAuthentication 

func (s *Server) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)

ChangeUserAuthentication implements AuthService.ChangeUserAuthentication.

func (*Server) Close 

func (a *Server) Close() error

func (*Server) CloseContext 

func (a *Server) CloseContext() context.Context

func (*Server) CompareAndSwapUser 

func (s *Server) CompareAndSwapUser(ctx context.Context, new, existing types.User) error

CompareAndSwapUser updates a user but fails if the value on the backend does not match the expected value.

func (*Server) CompleteAccountRecovery 

func (s *Server) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

CompleteAccountRecovery implements AuthService.CompleteAccountRecovery.

func (*Server) CreateAccessRequest 

func (a *Server) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error

func (*Server) CreateAccountRecoveryCodes 

func (s *Server) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes implements AuthService.CreateAccountRecoveryCodes.

func (*Server) CreateApp 

func (a *Server) CreateApp(ctx context.Context, app types.Application) error

CreateApp creates a new application resource.

func (*Server) CreateAppSession 

func (s *Server) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest, user types.User, identity tlsca.Identity, checker services.AccessChecker) (types.WebSession, error)

CreateAppSession creates and inserts a services.WebSession into the backend with the identity of the caller used to generate the certificate. The certificate is used for all access requests, which is where access control is enforced.

func (*Server) CreateAuditStream 

func (a *Server) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates audit event stream

func (*Server) CreateAuthenticateChallenge 

func (a *Server) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)

CreateAuthenticateChallenge implements AuthService.CreateAuthenticateChallenge.

func (*Server) CreateDatabase 

func (a *Server) CreateDatabase(ctx context.Context, database types.Database) error

CreateDatabase creates a new database resource.

func (*Server) CreateGithubAuthRequest 

func (a *Server) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)

CreateGithubAuthRequest creates a new request for Github OAuth2 flow

func (*Server) CreateKubernetesCluster 

func (a *Server) CreateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*Server) CreateOIDCAuthRequest 

func (a *Server) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

func (*Server) CreatePrivilegeToken 

func (s *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken implements AuthService.CreatePrivilegeToken.

func (*Server) CreateRegisterChallenge 

func (a *Server) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

CreateRegisterChallenge implements AuthService.CreateRegisterChallenge.

func (*Server) CreateResetPasswordToken 

func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

CreateResetPasswordToken creates a reset password token

func (*Server) CreateSAMLAuthRequest 

func (a *Server) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

func (*Server) CreateSessionTracker 

func (a *Server) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*Server) CreateSnowflakeSession 

func (s *Server) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest,
	identity tlsca.Identity, checker services.AccessChecker,
) (types.WebSession, error)

func (*Server) CreateUser 

func (s *Server) CreateUser(ctx context.Context, user types.User) error

CreateUser inserts a new user entry in a backend.

func (*Server) CreateWebSession 

func (a *Server) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for user without any checks, is used by admins

func (*Server) DeleteAccessRequest 

func (a *Server) DeleteAccessRequest(ctx context.Context, name string) error

func (*Server) DeleteApp 

func (a *Server) DeleteApp(ctx context.Context, name string) error

DeleteApp deletes an application resource.

func (*Server) DeleteDatabase 

func (a *Server) DeleteDatabase(ctx context.Context, name string) error

DeleteDatabase deletes a database resource.

func (*Server) DeleteKubernetesCluster 

func (a *Server) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster deletes a kubernetes cluster resource.

func (*Server) DeleteLock 

func (a *Server) DeleteLock(ctx context.Context, lockName string) error

DeleteLock deletes a lock and emits a related audit event.

func (*Server) DeleteMFADeviceSync 

func (a *Server) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error

DeleteMFADeviceSync implements AuthService.DeleteMFADeviceSync.

func (*Server) DeleteNamespace 

func (a *Server) DeleteNamespace(namespace string) error

func (*Server) DeleteOIDCConnector 

func (a *Server) DeleteOIDCConnector(ctx context.Context, connectorName string) error

DeleteOIDCConnector deletes an OIDC connector by name.

func (*Server) DeleteRemoteCluster 

func (a *Server) DeleteRemoteCluster(clusterName string) error

DeleteRemoteCluster deletes remote cluster resource, all certificate authorities associated with it

func (*Server) DeleteRole 

func (a *Server) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes a role and emits a related audit event.

func (*Server) DeleteSAMLConnector 

func (a *Server) DeleteSAMLConnector(ctx context.Context, connectorName string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*Server) DeleteToken 

func (a *Server) DeleteToken(ctx context.Context, token string) (err error)

func (*Server) DeleteTrustedCluster 

func (a *Server) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster removes types.CertAuthority, services.ReverseTunnel, and services.TrustedCluster resources.

func (*Server) DeleteUser 

func (s *Server) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existng user in a backend by username.

func (*Server) ExtendWebSession 

func (a *Server) ExtendWebSession(ctx context.Context, req WebSessionReq, identity tlsca.Identity) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous (current) session.

If there is an approved access request, additional roles are appended to the roles that were extracted from identity. The new session expiration time will not exceed the expiration time of the previous session.

If there is a switchback request, the roles will switchback to user's default roles and the expiration time is derived from users recently logged in time.

func (*Server) GenerateCertAuthorityCRL 

func (a *Server) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for the local CA of a given type.

func (*Server) GenerateDatabaseCert 

func (s *Server) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates client certificate used by a database service to authenticate with the database instance.

func (*Server) GenerateDatabaseTestCert 

func (a *Server) GenerateDatabaseTestCert(req DatabaseTestCertRequest) ([]byte, error)

GenerateDatabaseTestCert generates a database access certificate for the provided parameters. Used only internally in tests.

func (*Server) GenerateHostCert 

func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error)

GenerateHostCert uses the private key of the CA to sign the public key of the host (along with meta data like host ID, node name, roles, and ttl) to generate a host certificate.

func (*Server) GenerateHostCerts 

func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.

func (*Server) GenerateSnowflakeJWT 

func (s *Server) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)

GenerateSnowflakeJWT generates JWT in the format required by Snowflake.

func (*Server) GenerateToken 

func (a *Server) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token.

func (*Server) GenerateUserAppTestCert 

func (a *Server) GenerateUserAppTestCert(req AppTestCertRequest) ([]byte, error)

GenerateUserAppTestCert generates an application specific certificate, used internally for tests.

func (*Server) GenerateUserTestCerts 

func (a *Server) GenerateUserTestCerts(key []byte, username string, ttl time.Duration, compatibility, routeToCluster, sourceIP string) ([]byte, []byte, error)

GenerateUserTestCerts is used to generate user certificate, used internally for tests

func (*Server) GenerateWindowsDesktopCert 

func (s *Server) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates client certificate for Windows RDP authentication.

func (*Server) GetAccessCapabilities 

func (a *Server) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

func (*Server) GetAccountRecoveryCodes 

func (s *Server) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes implements AuthService.GetAccountRecoveryCodes.

func (*Server) GetAccountRecoveryToken 

func (s *Server) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)

GetAccountRecoveryToken implements AuthService.GetAccountRecoveryToken.

func (*Server) GetClock 

func (a *Server) GetClock() clockwork.Clock

func (*Server) GetClusterCACert 

func (a *Server) GetClusterCACert(ctx context.Context) (*proto.GetClusterCACertResponse, error)

GetClusterCACert returns the PEM-encoded TLS certs for the local cluster. If the cluster has multiple TLS certs, they will all be concatenated.

func (*Server) GetDomainName 

func (a *Server) GetDomainName() (string, error)

GetDomainName returns the domain name that identifies this authority server. Also known as "cluster name"

func (*Server) GetInventoryStatus 

func (a *Server) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) proto.InventoryStatusSummary

func (*Server) GetKeyStore 

func (a *Server) GetKeyStore() *keystore.Manager

GetKeyStore returns the KeyStore used by the auth server

func (*Server) GetMFADevices 

func (a *Server) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)

GetMFADevices returns all mfa devices for the user defined in the token or the user defined in context.

func (*Server) GetRemoteCluster 

func (a *Server) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

GetRemoteCluster returns remote cluster by name

func (*Server) GetRemoteClusters 

func (a *Server) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

GetRemoteClusters returns remote clusters with updated statuses

func (*Server) GetTokens 

func (a *Server) GetTokens(ctx context.Context, opts ...services.MarshalOption) (tokens []types.ProvisionToken, err error)

GetTokens returns all tokens (machine provisioning ones and user tokens). Machine tokens usually have "node roles", like auth,proxy,node and user invitation tokens have 'signup' role

func (*Server) GetWebSession 

func (a *Server) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns existing web session described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.

func (*Server) GetWebSessionInfo 

func (a *Server) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo returns the web session specified with sessionID for the given user. The session is stripped of any authentication details. Implements auth.WebUIService

func (*Server) GetWebToken 

func (a *Server) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns existing web token described by req. Explicitly delegating to Services as it's directly implemented by Cache as well.

func (*Server) IterateResources 

func (a *Server) IterateResources(ctx context.Context, req proto.ListResourcesRequest, f func(resource types.ResourceWithLabels) error) error

IterateResources loads all resources matching the provided request and passes them one by one to the provided callback function. To stop iteration callers may return ErrDone from the callback function, which will result in a nil return from IterateResources. Any other errors returned from the callback function cause iteration to stop and the error to be returned.

func (*Server) ListResources 

func (a *Server) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)

ListResources returns paginated resources depending on the resource type..

func (*Server) MakeLocalInventoryControlStream 

func (a *Server) MakeLocalInventoryControlStream(opts ...client.ICSPipeOption) client.DownstreamInventoryControlStream

MakeLocalInventoryControlStream sets up an in-memory control stream which automatically registers with this auth server upon hello exchange.

func (*Server) NewKeepAliver 

func (a *Server) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

NewKeepAliver returns a new instance of keep aliver

func (*Server) NewWebSession 

func (a *Server) NewWebSession(ctx context.Context, req types.NewWebSessionRequest) (types.WebSession, error)

NewWebSession creates and returns a new web session for the specified request

func (*Server) PingInventory 

func (a *Server) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)

func (*Server) PreAuthenticatedSignIn 

func (a *Server) PreAuthenticatedSignIn(ctx context.Context, user string, identity tlsca.Identity) (types.WebSession, error)

PreAuthenticatedSignIn is for MFA authentication methods where the password is already checked before issuing the second factor challenge

func (*Server) ProcessKubeCSR 

func (s *Server) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*Server) RegisterInventoryControlStream 

func (a *Server) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream, hello proto.UpstreamInventoryHello) error

func (*Server) RegisterUsingIAMMethod 

func (a *Server) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc, opts ...iamRegisterOption) (*proto.Certs, error)

RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.

The caller must provide a ChallengeResponseFunc which returns a *types.RegisterUsingTokenRequest with a signed sts:GetCallerIdentity request including the challenge as a signed header.

func (*Server) RegisterUsingToken 

func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

RegisterUsingToken returns credentials for a new node to join the Teleport cluster using a previously issued token.

A node must also request a specific role (and the role must match one of the roles the token was generated for.)

If a token was generated with a TTL, it gets enforced (can't register new nodes after TTL expires.)

If the token includes a specific join method, the rules for that join method will be checked.

func (*Server) ResetPassword 

func (s *Server) ResetPassword(username string) (string, error)

ResetPassword securely generates a new random password and assigns it to user. This method is used to invalidate existing user password during password reset process.

func (*Server) ResumeAuditStream 

func (a *Server) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes the stream that has been created

func (*Server) RotateCertAuthority 

func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

Rotation procedure is based on the state machine approach.

Here are the supported rotation states:

  • Standby - the cluster is in standby mode and ready to take action.
  • In-progress - cluster CA rotation is in progress.

In-progress state is split into multiple phases and the cluster can traverse between phases using supported transitions.

Here are the supported phases:

* Standby - no action is taken.

* Init - New CAs are issued, but all internal system clients and servers are still using the old certificates. New CAs are trusted, but are not used. New components that are joining the cluster are issued certificates signed by "old" CAs.

This phase is necessary for remote clusters to fetch new certificate authorities, otherwise remote clusters will be locked out, because they won't have a chance to discover the new certificate authorities to be issued.

* Update Clients - All internal system clients have to reconnect and receive the new credentials, but all servers TLS, SSH and Proxies will still use old credentials. Certs from old CA and new CA are trusted within the system. This phase is necessary because old clients should receive new credentials from the auth servers. If this phase did not exist, old clients could not trust servers serving new credentials, because old clients did not receive new information yet. It is possible to transition from this phase to phase "Update servers" or "Rollback".

* Update Servers - triggers all internal system components to reload and use new credentials both in the internal clients and servers, however old CA issued credentials are still trusted. This is done to make it possible for old components to be trusted within the system, to make rollback possible. It is possible to transition from this phase to "Rollback" or "Standby". When transitioning to "Standby" phase, the rotation is considered completed, old CA is removed from the system and components reload again, but this time they don't trust old CA any more.

* Rollback phase is used to revert any changes. When going to rollback phase the newly issued CA is no longer used, but set up as trusted, so components can reload and receive credentials issued by "old" CA back. This phase is useful when administrator makes a mistake, or there are some offline components that will lose the connection in case if rotation completes. It is only possible to transition from this phase to "Standby". When transitioning to "Standby" phase from "Rollback" phase, all components reload again, but the "new" CA is discarded and is no longer trusted, cluster goes back to the original state.

Rotation modes

There are two rotation modes supported - manual or automatic.

* Manual mode allows administrators to transition between phases explicitly setting a phase on every request.

* Automatic mode performs automatic transition between phases on a given schedule. Schedule is a time table that specifies exact date when the next phase should take place. If automatic transition between any phase fails, the rotation switches back to the manual mode and stops execution phases on the schedule. If schedule is not specified, it will be auto generated based on the "grace period" duration parameter, and time between all phases will be evenly split over the grace period duration.

It is possible to switch from automatic to manual by setting the phase to the rollback phase.

func (*Server) RotateExternalCertAuthority 

func (a *Server) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*Server) SetAccessRequestState 

func (a *Server) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error

func (*Server) SetAuditLog 

func (a *Server) SetAuditLog(auditLog events.IAuditLog)

SetAuditLog sets the server's audit log

func (*Server) SetClock 

func (a *Server) SetClock(clock clockwork.Clock)

SetClock sets clock, used in tests

func (*Server) SetEmitter 

func (a *Server) SetEmitter(emitter apievents.Emitter)

func (*Server) SetEnforcer 

func (a *Server) SetEnforcer(enforcer services.Enforcer)

SetEnforcer sets the server's enforce service

func (*Server) SetLockWatcher 

func (a *Server) SetLockWatcher(lockWatcher *services.LockWatcher)

SetLockWatcher sets the lock watcher.

func (*Server) SetUsageReporter 

func (a *Server) SetUsageReporter(reporter services.UsageReporter)

SetUsageReporter sets the server's usage reporter

func (*Server) SignDatabaseCSR 

func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*Server) StartAccountRecovery 

func (s *Server) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)

StartAccountRecovery implements AuthService.StartAccountRecovery.

func (*Server) SubmitAccessReview 

func (a *Server) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)

func (*Server) SubmitUsageEvent 

func (a *Server) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

SubmitUsageEvent submits an external usage event.

func (*Server) UnstableAssertSystemRole 

func (a *Server) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error

UnstableAssertSystemRole is not a stable part of the public API. Used by older instances to prove that they hold a given system role. DELETE IN: 12.0 (deprecated in v11, but required for back-compat with v10 clients)

func (*Server) UnstableGetSystemRoleAssertions 

func (a *Server) UnstableGetSystemRoleAssertions(ctx context.Context, serverID string, assertionID string) (proto.UnstableSystemRoleAssertionSet, error)

func (*Server) UpdateApp 

func (a *Server) UpdateApp(ctx context.Context, app types.Application) error

UpdateApp updates an existing application resource.

func (*Server) UpdateDatabase 

func (a *Server) UpdateDatabase(ctx context.Context, database types.Database) error

UpdateDatabase updates an existing database resource.

func (*Server) UpdateKubernetesCluster 

func (a *Server) UpdateKubernetesCluster(ctx context.Context, kubeCluster types.KubeCluster) error

UpdateKubernetesCluster updates an existing kubernetes cluster resource.

func (*Server) UpdateUser 

func (s *Server) UpdateUser(ctx context.Context, user types.User) error

UpdateUser updates an existing user in a backend.

func (*Server) UpsertLock 

func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error

UpsertLock upserts a lock and emits a related audit event.

func (*Server) UpsertOIDCConnector 

func (a *Server) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*Server) UpsertRole 

func (a *Server) UpsertRole(ctx context.Context, role types.Role) error

UpsertRole creates or updates a role and emits a related audit event.

func (*Server) UpsertSAMLConnector 

func (a *Server) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*Server) UpsertTrustedCluster 

func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedCluster creates or toggles a Trusted Cluster relationship.

func (*Server) UpsertUser 

func (s *Server) UpsertUser(user types.User) error

UpsertUser updates a user.

func (*Server) ValidateGithubAuthCallback 

func (a *Server) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

ValidateGithubAuthCallback validates Github auth callback redirect

func (*Server) ValidateOIDCAuthCallback 

func (a *Server) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

ValidateOIDCAuthCallback is called by the proxy to check OIDC query parameters returned by OIDC Provider, if everything checks out, auth server will respond with OIDCAuthResponse, otherwise it will return error

func (*Server) ValidateSAMLResponse 

func (a *Server) ValidateSAMLResponse(ctx context.Context, samlResponse string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse consumes attribute statements from SAML identity provider

func (*Server) ValidateToken 

func (a *Server) ValidateToken(ctx context.Context, token string) (types.ProvisionToken, error)

ValidateToken takes a provisioning token value and finds if it's valid. Returns a list of roles this token allows its owner to assume and token labels, or an error if the token cannot be found.

func (*Server) VerifyAccountRecovery 

func (s *Server) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)

VerifyAccountRecovery implements AuthService.VerifyAccountRecovery.

func (*Server) WithUserLock 

func (a *Server) WithUserLock(username string, authenticateFn func() error) error

WithUserLock executes function authenticateFn that performs user authentication if authenticateFn returns non nil error, the login attempt will be logged in as failed. The only exception to this rule is ConnectionProblemError, in case if it occurs access will be denied, but login attempt will not be recorded this is done to avoid potential user lockouts due to backend failures In case if user exceeds defaults.MaxLoginAttempts the user account will be locked for defaults.AccountLockInterval

type ServerOption 

type ServerOption func(*Server) error

ServerOption allows setting options as functional arguments to Server

func WithClock 

func WithClock(clock clockwork.Clock) ServerOption

WithClock is a functional server option that sets the server's clock

type ServerWithRoles 

type ServerWithRoles struct {
	// contains filtered or unexported fields
}

ServerWithRoles is a wrapper around auth service methods that focuses on authorizing every request

func (*ServerWithRoles) AcquireSemaphore 

func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error)

AcquireSemaphore acquires lease with requested resources from semaphore.

func (*ServerWithRoles) ActivateCertAuthority 

func (a *ServerWithRoles) ActivateCertAuthority(id types.CertAuthID) error

ActivateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) AddMFADevice 

func (a *ServerWithRoles) AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADeviceClient, error)

AddMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.AddMFADevice or client.Client.AddMFADevice instead.

func (*ServerWithRoles) AddMFADeviceSync 

func (a *ServerWithRoles) AddMFADeviceSync(ctx context.Context, req *proto.AddMFADeviceSyncRequest) (*proto.AddMFADeviceSyncResponse, error)

AddMFADeviceSync is implemented by AuthService.AddMFADeviceSync.

func (*ServerWithRoles) AppendDiagnosticTrace 

func (a *ServerWithRoles) AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)

AppendDiagnosticTrace adds a new trace for the given ConnectionDiagnostic.

func (*ServerWithRoles) AuthenticateSSHUser 

func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req AuthenticateSSHRequest) (*SSHLoginResponse, error)

AuthenticateSSHUser authenticates SSH console user, creates and returns a pair of signed TLS and SSH short lived certificates as a result

func (*ServerWithRoles) AuthenticateWebUser 

func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req AuthenticateUserRequest) (types.WebSession, error)

AuthenticateWebUser authenticates web user, creates and returns a web session in case authentication is successful

func (*ServerWithRoles) CancelSemaphoreLease 

func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

CancelSemaphoreLease cancels semaphore lease early.

func (*ServerWithRoles) ChangePassword 

func (a *ServerWithRoles) ChangePassword(req services.ChangePasswordReq) error

ChangePassword updates users password based on the old password.

func (*ServerWithRoles) ChangeUserAuthentication 

func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error)

ChangeUserAuthentication is implemented by AuthService.ChangeUserAuthentication.

func (*ServerWithRoles) CheckPassword 

func (a *ServerWithRoles) CheckPassword(user string, password []byte, otpToken string) error

func (*ServerWithRoles) Close 

func (a *ServerWithRoles) Close() error

func (*ServerWithRoles) CloseContext 

func (a *ServerWithRoles) CloseContext() context.Context

CloseContext is closed when the auth server shuts down

func (*ServerWithRoles) CompareAndSwapCertAuthority 

func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority value matches the value stored in the backend.

func (*ServerWithRoles) CompareAndSwapUser 

func (a *ServerWithRoles) CompareAndSwapUser(ctx context.Context, new, existing types.User) error

CompareAndSwapUser updates an existing user in a backend, but fails if the backend's value does not match the expected value. Captures the auth user who modified the user record.

func (*ServerWithRoles) CompleteAccountRecovery 

func (a *ServerWithRoles) CompleteAccountRecovery(ctx context.Context, req *proto.CompleteAccountRecoveryRequest) error

CompleteAccountRecovery is implemented by AuthService.CompleteAccountRecovery.

func (*ServerWithRoles) CreateAccessRequest 

func (a *ServerWithRoles) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error

func (*ServerWithRoles) CreateAccountRecoveryCodes 

func (a *ServerWithRoles) CreateAccountRecoveryCodes(ctx context.Context, req *proto.CreateAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

CreateAccountRecoveryCodes is implemented by AuthService.CreateAccountRecoveryCodes.

func (*ServerWithRoles) CreateApp 

func (a *ServerWithRoles) CreateApp(ctx context.Context, app types.Application) error

CreateApp creates a new application resource.

func (*ServerWithRoles) CreateAppSession 

func (a *ServerWithRoles) CreateAppSession(ctx context.Context, req types.CreateAppSessionRequest) (types.WebSession, error)

CreateAppSession creates an application web session. Application web sessions represent a browser session the client holds.

func (*ServerWithRoles) CreateAuditStream 

func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error)

CreateAuditStream creates audit event stream

func (*ServerWithRoles) CreateAuthenticateChallenge 

func (a *ServerWithRoles) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)

CreateAuthenticateChallenge is implemented by AuthService.CreateAuthenticateChallenge.

func (*ServerWithRoles) CreateBot 

func (a *ServerWithRoles) CreateBot(ctx context.Context, req *proto.CreateBotRequest) (*proto.CreateBotResponse, error)

CreateBot creates a new certificate renewal bot and returns a join token.

func (*ServerWithRoles) CreateCertAuthority 

func (a *ServerWithRoles) CreateCertAuthority(ca types.CertAuthority) error

CreateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) CreateConnectionDiagnostic 

func (a *ServerWithRoles) CreateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

CreateConnectionDiagnostic creates a new connection diagnostic.

func (*ServerWithRoles) CreateDatabase 

func (a *ServerWithRoles) CreateDatabase(ctx context.Context, database types.Database) error

CreateDatabase creates a new database resource.

func (*ServerWithRoles) CreateGithubAuthRequest 

func (a *ServerWithRoles) CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) (*types.GithubAuthRequest, error)

func (*ServerWithRoles) CreateKubernetesCluster 

func (a *ServerWithRoles) CreateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

CreateKubernetesCluster creates a new kubernetes cluster resource.

func (*ServerWithRoles) CreateOIDCAuthRequest 

func (a *ServerWithRoles) CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest) (*types.OIDCAuthRequest, error)

func (*ServerWithRoles) CreatePrivilegeToken 

func (a *ServerWithRoles) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePrivilegeTokenRequest) (*types.UserTokenV3, error)

CreatePrivilegeToken is implemented by AuthService.CreatePrivilegeToken.

func (*ServerWithRoles) CreateRegisterChallenge 

func (a *ServerWithRoles) CreateRegisterChallenge(ctx context.Context, req *proto.CreateRegisterChallengeRequest) (*proto.MFARegisterChallenge, error)

CreateRegisterChallenge is implemented by AuthService.CreateRegisterChallenge.

func (*ServerWithRoles) CreateRemoteCluster 

func (a *ServerWithRoles) CreateRemoteCluster(conn types.RemoteCluster) error

func (*ServerWithRoles) CreateResetPasswordToken 

func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req CreateUserTokenRequest) (types.UserToken, error)

func (*ServerWithRoles) CreateRole 

func (a *ServerWithRoles) CreateRole(ctx context.Context, role types.Role) error

CreateRole not implemented: can only be called locally.

func (*ServerWithRoles) CreateSAMLAuthRequest 

func (a *ServerWithRoles) CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest) (*types.SAMLAuthRequest, error)

func (*ServerWithRoles) CreateSession 

func (a *ServerWithRoles) CreateSession(ctx context.Context, s session.Session) error

DELETE IN 12.0.0

func (*ServerWithRoles) CreateSessionTracker 

func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error)

CreateSessionTracker creates a tracker resource for an active session.

func (*ServerWithRoles) CreateSnowflakeSession 

func (a *ServerWithRoles) CreateSnowflakeSession(ctx context.Context, req types.CreateSnowflakeSessionRequest) (types.WebSession, error)

CreateSnowflakeSession creates a Snowflake web session.

func (*ServerWithRoles) CreateToken 

func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error

func (*ServerWithRoles) CreateUser 

func (a *ServerWithRoles) CreateUser(ctx context.Context, user types.User) error

CreateUser inserts a new user entry in a backend.

func (*ServerWithRoles) CreateWebSession 

func (a *ServerWithRoles) CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

CreateWebSession creates a new web session for the specified user

func (*ServerWithRoles) CreateWindowsDesktop 

func (a *ServerWithRoles) CreateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

CreateWindowsDesktop creates a new windows desktop host.

func (*ServerWithRoles) DeactivateCertAuthority 

func (a *ServerWithRoles) DeactivateCertAuthority(id types.CertAuthID) error

DeactivateCertAuthority not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAccessRequest 

func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error

func (*ServerWithRoles) DeleteAllAppSessions 

func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error

DeleteAllAppSessions removes all application web sessions.

func (*ServerWithRoles) DeleteAllApplicationServers 

func (a *ServerWithRoles) DeleteAllApplicationServers(ctx context.Context, namespace string) error

DeleteAllApplicationServers deletes all registered application servers.

func (*ServerWithRoles) DeleteAllApps 

func (a *ServerWithRoles) DeleteAllApps(ctx context.Context) error

DeleteAllApps removes all application resources.

func (*ServerWithRoles) DeleteAllAuthServers 

func (a *ServerWithRoles) DeleteAllAuthServers() error

DeleteAllAuthServers deletes all auth servers

func (*ServerWithRoles) DeleteAllCertAuthorities 

func (a *ServerWithRoles) DeleteAllCertAuthorities(caType types.CertAuthType) error

DeleteAllCertAuthorities not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllDatabaseServers 

func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error

DeleteAllDatabaseServers removes all registered database proxy servers.

func (*ServerWithRoles) DeleteAllDatabases 

func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error

DeleteAllDatabases removes all database resources.

func (*ServerWithRoles) DeleteAllInstallers 

func (a *ServerWithRoles) DeleteAllInstallers(ctx context.Context) error

DeleteAllInstallers removes all installer script resources

func (*ServerWithRoles) DeleteAllKubeServices 

func (a *ServerWithRoles) DeleteAllKubeServices(ctx context.Context) error

DeleteAllKubeService deletes all registered kubernetes services.

func (*ServerWithRoles) DeleteAllKubernetesClusters 

func (a *ServerWithRoles) DeleteAllKubernetesClusters(ctx context.Context) error

DeleteAllKubernetesClusters removes all kubernetes cluster resources.

func (*ServerWithRoles) DeleteAllKubernetesServers 

func (a *ServerWithRoles) DeleteAllKubernetesServers(ctx context.Context) error

DeleteAllKubernetesServers deletes all registered kubernetes servers.

func (*ServerWithRoles) DeleteAllLocks 

func (a *ServerWithRoles) DeleteAllLocks(context.Context) error

DeleteAllLocks not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllNamespaces 

func (a *ServerWithRoles) DeleteAllNamespaces() error

DeleteAllCertNamespaces not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllNodes 

func (a *ServerWithRoles) DeleteAllNodes(ctx context.Context, namespace string) error

DeleteAllNodes deletes all nodes in a given namespace

func (*ServerWithRoles) DeleteAllProxies 

func (a *ServerWithRoles) DeleteAllProxies() error

DeleteAllProxies deletes all proxies

func (*ServerWithRoles) DeleteAllRemoteClusters 

func (a *ServerWithRoles) DeleteAllRemoteClusters() error

func (*ServerWithRoles) DeleteAllReverseTunnels 

func (a *ServerWithRoles) DeleteAllReverseTunnels() error

DeleteAllReverseTunnels not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllRoles 

func (a *ServerWithRoles) DeleteAllRoles() error

DeleteAllRoles not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllSnowflakeSessions 

func (a *ServerWithRoles) DeleteAllSnowflakeSessions(ctx context.Context) error

DeleteAllSnowflakeSessions removes all Snowflake web sessions.

func (*ServerWithRoles) DeleteAllTokens 

func (a *ServerWithRoles) DeleteAllTokens() error

DeleteAllTokens not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllTunnelConnections 

func (a *ServerWithRoles) DeleteAllTunnelConnections() error

func (*ServerWithRoles) DeleteAllUsers 

func (a *ServerWithRoles) DeleteAllUsers() error

DeleteAllUsers not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAllWindowsDesktopServices 

func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error

DeleteAllWindowsDesktopServices removes all registered windows desktop services.

func (*ServerWithRoles) DeleteAllWindowsDesktops 

func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error

DeleteAllWindowsDesktops removes all registered windows desktop hosts.

func (*ServerWithRoles) DeleteApp 

func (a *ServerWithRoles) DeleteApp(ctx context.Context, name string) error

DeleteApp removes the specified application resource.

func (*ServerWithRoles) DeleteAppSession 

func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.DeleteAppSessionRequest) error

DeleteAppSession removes an application web session.

func (*ServerWithRoles) DeleteApplicationServer 

func (a *ServerWithRoles) DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error

DeleteApplicationServer deletes specified application server.

func (*ServerWithRoles) DeleteAuthPreference 

func (a *ServerWithRoles) DeleteAuthPreference(context.Context) error

DeleteAuthPreference not implemented: can only be called locally.

func (*ServerWithRoles) DeleteAuthServer 

func (a *ServerWithRoles) DeleteAuthServer(name string) error

DeleteAuthServer deletes auth server by name

func (*ServerWithRoles) DeleteBot 

func (a *ServerWithRoles) DeleteBot(ctx context.Context, botName string) error

DeleteBot removes a certificate renewal bot by name.

func (*ServerWithRoles) DeleteCertAuthority 

func (a *ServerWithRoles) DeleteCertAuthority(id types.CertAuthID) error

func (*ServerWithRoles) DeleteClusterAuditConfig 

func (a *ServerWithRoles) DeleteClusterAuditConfig(ctx context.Context) error

DeleteClusterAuditConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteClusterName 

func (a *ServerWithRoles) DeleteClusterName() error

DeleteClusterName deletes cluster name

func (*ServerWithRoles) DeleteClusterNetworkingConfig 

func (a *ServerWithRoles) DeleteClusterNetworkingConfig(ctx context.Context) error

DeleteClusterNetworkingConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteDatabase 

func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error

DeleteDatabase removes the specified database resource.

func (*ServerWithRoles) DeleteDatabaseServer 

func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error

DeleteDatabaseServer removes the specified database proxy server.

func (*ServerWithRoles) DeleteGithubConnector 

func (a *ServerWithRoles) DeleteGithubConnector(ctx context.Context, connectorID string) error

DeleteGithubConnector deletes a Github connector by name.

func (*ServerWithRoles) DeleteInstaller 

func (a *ServerWithRoles) DeleteInstaller(ctx context.Context, name string) error

DeleteInstaller removes an installer script resource

func (*ServerWithRoles) DeleteKubeService 

func (a *ServerWithRoles) DeleteKubeService(ctx context.Context, name string) error

DeleteKubeService deletes a named kubernetes service.

func (*ServerWithRoles) DeleteKubernetesCluster 

func (a *ServerWithRoles) DeleteKubernetesCluster(ctx context.Context, name string) error

DeleteKubernetesCluster removes the specified kubernetes cluster resource.

func (*ServerWithRoles) DeleteKubernetesServer 

func (a *ServerWithRoles) DeleteKubernetesServer(ctx context.Context, hostID, name string) error

DeleteKubernetesServer deletes specified kubernetes server.

func (*ServerWithRoles) DeleteLock 

func (a *ServerWithRoles) DeleteLock(ctx context.Context, name string) error

DeleteLock deletes a lock.

func (*ServerWithRoles) DeleteMFADevice 

func (a *ServerWithRoles) DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error)

DeleteMFADevice exists to satisfy auth.ClientI but is not implemented here. Use auth.GRPCServer.DeleteMFADevice or client.Client.DeleteMFADevice instead.

func (*ServerWithRoles) DeleteMFADeviceSync 

func (a *ServerWithRoles) DeleteMFADeviceSync(ctx context.Context, req *proto.DeleteMFADeviceSyncRequest) error

DeleteMFADeviceSync is implemented by AuthService.DeleteMFADeviceSync.

func (*ServerWithRoles) DeleteNamespace 

func (a *ServerWithRoles) DeleteNamespace(name string) error

DeleteNamespace deletes namespace by name

func (*ServerWithRoles) DeleteNetworkRestrictions 

func (a *ServerWithRoles) DeleteNetworkRestrictions(ctx context.Context) error

DeleteNetworkRestrictions deletes the network restrictions.

func (*ServerWithRoles) DeleteNode 

func (a *ServerWithRoles) DeleteNode(ctx context.Context, namespace, node string) error

DeleteNode deletes node in the namespace

func (*ServerWithRoles) DeleteOIDCConnector 

func (a *ServerWithRoles) DeleteOIDCConnector(ctx context.Context, connectorID string) error

func (*ServerWithRoles) DeleteProxy 

func (a *ServerWithRoles) DeleteProxy(name string) error

DeleteProxy deletes proxy by name

func (*ServerWithRoles) DeleteRemoteCluster 

func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error

func (*ServerWithRoles) DeleteReverseTunnel 

func (a *ServerWithRoles) DeleteReverseTunnel(domainName string) error

func (*ServerWithRoles) DeleteRole 

func (a *ServerWithRoles) DeleteRole(ctx context.Context, name string) error

DeleteRole deletes role by name

func (*ServerWithRoles) DeleteSAMLConnector 

func (a *ServerWithRoles) DeleteSAMLConnector(ctx context.Context, connectorID string) error

DeleteSAMLConnector deletes a SAML connector by name.

func (*ServerWithRoles) DeleteSemaphore 

func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.SemaphoreFilter) error

DeleteSemaphore deletes a semaphore matching the supplied filter.

func (*ServerWithRoles) DeleteSession 

func (a *ServerWithRoles) DeleteSession(ctx context.Context, namespace string, id session.ID) error

DeleteSession removes an active session from the backend. DELETE IN 12.0.0

func (*ServerWithRoles) DeleteSessionRecordingConfig 

func (a *ServerWithRoles) DeleteSessionRecordingConfig(ctx context.Context) error

DeleteSessionRecordingConfig not implemented: can only be called locally.

func (*ServerWithRoles) DeleteSnowflakeSession 

func (a *ServerWithRoles) DeleteSnowflakeSession(ctx context.Context, req types.DeleteSnowflakeSessionRequest) error

DeleteSnowflakeSession removes a Snowflake web session.

func (*ServerWithRoles) DeleteStaticTokens 

func (a *ServerWithRoles) DeleteStaticTokens() error

DeleteStaticTokens deletes static tokens

func (*ServerWithRoles) DeleteToken 

func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error

func (*ServerWithRoles) DeleteTrustedCluster 

func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) error

DeleteTrustedCluster deletes a trusted cluster by name.

func (*ServerWithRoles) DeleteTunnelConnection 

func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName string) error

func (*ServerWithRoles) DeleteTunnelConnections 

func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error

func (*ServerWithRoles) DeleteUser 

func (a *ServerWithRoles) DeleteUser(ctx context.Context, user string) error

DeleteUser deletes an existng user in a backend by username.

func (*ServerWithRoles) DeleteUserAppSessions 

func (a *ServerWithRoles) DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error

DeleteUserAppSessions deletes all user’s application sessions.

func (*ServerWithRoles) DeleteWindowsDesktop 

func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, hostID, name string) error

DeleteWindowsDesktop removes the specified Windows desktop host. Note: unlike GetWindowsDesktops, this will delete at-most one desktop. Passing an empty host ID will not trigger "delete all" behavior. To delete all desktops, use DeleteAllWindowsDesktops.

func (*ServerWithRoles) DeleteWindowsDesktopService 

func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name string) error

DeleteWindowsDesktopService removes the specified windows desktop service.

func (*ServerWithRoles) EmitAuditEvent 

func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.AuditEvent) error

EmitAuditEvent emits a single audit event

func (*ServerWithRoles) Export 

func (a *ServerWithRoles) Export(ctx context.Context, req *collectortracev1.ExportTraceServiceRequest) (*collectortracev1.ExportTraceServiceResponse, error)

Export forwards OTLP traces to the upstream collector configured in the tracing service. This allows for tsh, tctl, etc to be able to export traces without having to know how to connect to the upstream collector for the cluster.

All spans received will have a `teleport.forwarded.for` attribute added to them with the value being one of two things depending on the role of the forwarder:

  1. User forwarded: `teleport.forwarded.for: alice`
  2. Instance forwarded: `teleport.forwarded.for: Proxy.clustername:Proxy,Node,Instance`

This allows upstream consumers of the spans to be able to identify forwarded spans and act on them accordingly.

func (*ServerWithRoles) ExtendWebSession 

func (a *ServerWithRoles) ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)

ExtendWebSession creates a new web session for a user based on a valid previous session. Additional roles are appended to initial roles if there is an approved access request. The new session expiration time will not exceed the expiration time of the old session.

func (*ServerWithRoles) GenerateAppToken 

func (a *ServerWithRoles) GenerateAppToken(ctx context.Context, req types.GenerateAppTokenRequest) (string, error)

GenerateAppToken creates a JWT token with application access.

func (*ServerWithRoles) GenerateCertAuthorityCRL 

func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error)

GenerateCertAuthorityCRL generates an empty CRL for a CA.

func (*ServerWithRoles) GenerateDatabaseCert 

func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)

GenerateDatabaseCert generates a certificate used by a database service to authenticate with the database instance.

This certificate can be requested by:

  • Cluster administrator using "tctl auth sign --format=db" command locally on the auth server to produce a certificate for configuring a self-hosted database.
  • Remote user using "tctl auth sign --format=db" command with a remote proxy (e.g. Teleport Cloud), as long as they can impersonate system role Db.
  • Database service when initiating connection to a database instance to produce a client certificate.
  • Proxy service when generating mTLS files to a database

func (*ServerWithRoles) GenerateHostCert 

func (a *ServerWithRoles) GenerateHostCert(
	ctx context.Context, key []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration,
) ([]byte, error)

func (*ServerWithRoles) GenerateHostCerts 

func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error)

GenerateHostCerts generates new host certificates (signed by the host certificate authority) for a node.

func (*ServerWithRoles) GenerateSnowflakeJWT 

func (a *ServerWithRoles) GenerateSnowflakeJWT(ctx context.Context, req *proto.SnowflakeJWTRequest) (*proto.SnowflakeJWTResponse, error)

GenerateSnowflakeJWT generates JWT in the Snowflake required format.

func (*ServerWithRoles) GenerateToken 

func (a *ServerWithRoles) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequest) (string, error)

GenerateToken generates multi-purpose authentication token.

func (*ServerWithRoles) GenerateUserCerts 

func (a *ServerWithRoles) GenerateUserCerts(ctx context.Context, req proto.UserCertsRequest) (*proto.Certs, error)

GenerateUserCerts generates users certificates

func (*ServerWithRoles) GenerateUserSingleUseCerts 

func (a *ServerWithRoles) GenerateUserSingleUseCerts(ctx context.Context) (proto.AuthService_GenerateUserSingleUseCertsClient, error)

GenerateUserSingleUseCerts exists to satisfy auth.ClientI but is not implemented here.

Use auth.GRPCServer.GenerateUserSingleUseCerts or client.Client.GenerateUserSingleUseCerts instead.

func (*ServerWithRoles) GenerateWindowsDesktopCert 

func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)

GenerateWindowsDesktopCert generates a certificate for Windows RDP authentication.

func (*ServerWithRoles) GetAccessCapabilities 

func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)

func (*ServerWithRoles) GetAccessRequests 

func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)

func (*ServerWithRoles) GetAccountRecoveryCodes 

func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *proto.GetAccountRecoveryCodesRequest) (*proto.RecoveryCodes, error)

GetAccountRecoveryCodes is implemented by AuthService.GetAccountRecoveryCodes.

func (*ServerWithRoles) GetAccountRecoveryToken 

func (a *ServerWithRoles) GetAccountRecoveryToken(ctx context.Context, req *proto.GetAccountRecoveryTokenRequest) (types.UserToken, error)

GetAccountRecoveryToken is implemented by AuthService.GetAccountRecoveryToken.

func (*ServerWithRoles) GetActiveSessionTrackers 

func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

GetActiveSessionTrackers returns a list of active session trackers.

func (*ServerWithRoles) GetActiveSessionTrackersWithFilter 

func (a *ServerWithRoles) GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.

func (*ServerWithRoles) GetAllTunnelConnections 

func (a *ServerWithRoles) GetAllTunnelConnections(opts ...services.MarshalOption) ([]types.TunnelConnection, error)

func (*ServerWithRoles) GetApp 

func (a *ServerWithRoles) GetApp(ctx context.Context, name string) (types.Application, error)

GetApp returns specified application resource.

func (*ServerWithRoles) GetAppSession 

func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSessionRequest) (types.WebSession, error)

GetAppSession gets an application web session.

func (*ServerWithRoles) GetAppSessions 

func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error)

GetAppSessions gets all application web sessions.

func (*ServerWithRoles) GetApplicationServers 

func (a *ServerWithRoles) GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)

GetApplicationServers returns all registered application servers.

func (*ServerWithRoles) GetApps 

func (a *ServerWithRoles) GetApps(ctx context.Context) (result []types.Application, err error)

GetApps returns all application resources.

func (*ServerWithRoles) GetAuthPreference 

func (a *ServerWithRoles) GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

GetAuthPreference gets cluster auth preference.

func (*ServerWithRoles) GetAuthServers 

func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error)

func (*ServerWithRoles) GetBotUsers 

func (a *ServerWithRoles) GetBotUsers(ctx context.Context) ([]types.User, error)

GetBotUsers fetches all users with bot labels. It does not fetch users with secrets.

func (*ServerWithRoles) GetCertAuthorities 

func (a *ServerWithRoles) GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error)

func (*ServerWithRoles) GetCertAuthority 

func (a *ServerWithRoles) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...services.MarshalOption) (types.CertAuthority, error)

func (*ServerWithRoles) GetClusterAlerts 

func (a *ServerWithRoles) GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

func (*ServerWithRoles) GetClusterAuditConfig 

func (a *ServerWithRoles) GetClusterAuditConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterAuditConfig, error)

GetClusterAuditConfig gets cluster audit configuration.

func (*ServerWithRoles) GetClusterCACert 

func (a *ServerWithRoles) GetClusterCACert(
	ctx context.Context,
) (*proto.GetClusterCACertResponse, error)

getClusterCACert returns the PEM-encoded TLS certs for the local cluster without signing keys. If the cluster has multiple TLS certs, they will all be concatenated.

func (*ServerWithRoles) GetClusterName 

func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

GetClusterName gets the name of the cluster.

func (*ServerWithRoles) GetClusterNetworkingConfig 

func (a *ServerWithRoles) GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

GetClusterNetworkingConfig gets cluster networking configuration.

func (*ServerWithRoles) GetConnectionDiagnostic 

func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

GetConnectionDiagnostic returns the connection diagnostic with the matching name

func (*ServerWithRoles) GetCurrentUser 

func (a *ServerWithRoles) GetCurrentUser(ctx context.Context) (types.User, error)

GetCurrentUser returns current user as seen by the server. Useful especially in the context of remote clusters which perform role and trait mapping.

func (*ServerWithRoles) GetCurrentUserRoles 

func (a *ServerWithRoles) GetCurrentUserRoles(ctx context.Context) ([]types.Role, error)

GetCurrentUserRoles returns current user's roles.

func (*ServerWithRoles) GetDatabase 

func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.Database, error)

GetDatabase returns specified database resource.

func (*ServerWithRoles) GetDatabaseServers 

func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error)

GetDatabaseServers returns all registered database servers.

func (*ServerWithRoles) GetDatabases 

func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error)

GetDatabases returns all database resources.

func (*ServerWithRoles) GetDomainName 

func (a *ServerWithRoles) GetDomainName(ctx context.Context) (string, error)

func (*ServerWithRoles) GetGithubAuthRequest 

func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

GetGithubAuthRequest returns Github auth request if found.

func (*ServerWithRoles) GetGithubConnector 

func (a *ServerWithRoles) GetGithubConnector(ctx context.Context, id string, withSecrets bool) (types.GithubConnector, error)

func (*ServerWithRoles) GetGithubConnectors 

func (a *ServerWithRoles) GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

func (*ServerWithRoles) GetInstaller 

func (a *ServerWithRoles) GetInstaller(ctx context.Context, name string) (types.Installer, error)

GetInstaller retrieves an installer script resource

func (*ServerWithRoles) GetInstallers 

func (a *ServerWithRoles) GetInstallers(ctx context.Context) ([]types.Installer, error)

GetInstallers gets all the installer resources.

func (*ServerWithRoles) GetInventoryStatus 

func (a *ServerWithRoles) GetInventoryStatus(ctx context.Context, req proto.InventoryStatusRequest) (proto.InventoryStatusSummary, error)

func (*ServerWithRoles) GetKubeServices 

func (a *ServerWithRoles) GetKubeServices(ctx context.Context) ([]types.Server, error)

GetKubeServices returns all Servers representing teleport kubernetes services. DELETE in 12.0.0

func (*ServerWithRoles) GetKubernetesCluster 

func (a *ServerWithRoles) GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)

GetKubernetesCluster returns specified kubernetes cluster resource.

func (*ServerWithRoles) GetKubernetesClusters 

func (a *ServerWithRoles) GetKubernetesClusters(ctx context.Context) (result []types.KubeCluster, err error)

GetKubernetesClusters returns all kubernetes cluster resources.

func (*ServerWithRoles) GetKubernetesServers 

func (a *ServerWithRoles) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)

GetKubernetesServers returns all registered kubernetes servers.

func (*ServerWithRoles) GetLock 

func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock, error)

GetLock gets a lock by name.

func (*ServerWithRoles) GetLocks 

func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)

GetLocks gets all/in-force locks that match at least one of the targets when specified.

func (*ServerWithRoles) GetMFADevices 

func (a *ServerWithRoles) GetMFADevices(ctx context.Context, req *proto.GetMFADevicesRequest) (*proto.GetMFADevicesResponse, error)

GetMFADevices returns a list of MFA devices.

func (*ServerWithRoles) GetNamespace 

func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error)

GetNamespace returns namespace by name

func (*ServerWithRoles) GetNamespaces 

func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error)

GetNamespaces returns a list of namespaces

func (*ServerWithRoles) GetNetworkRestrictions 

func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.NetworkRestrictions, error)

GetNetworkRestrictions retrieves all the network restrictions (allow/deny lists).

func (*ServerWithRoles) GetNode 

func (a *ServerWithRoles) GetNode(ctx context.Context, namespace, name string) (types.Server, error)

GetNode gets a node by name and namespace.

func (*ServerWithRoles) GetNodes 

func (a *ServerWithRoles) GetNodes(ctx context.Context, namespace string) ([]types.Server, error)

func (*ServerWithRoles) GetOIDCAuthRequest 

func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*types.OIDCAuthRequest, error)

GetOIDCAuthRequest returns OIDC auth request if found.

func (*ServerWithRoles) GetOIDCConnector 

func (a *ServerWithRoles) GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)

func (*ServerWithRoles) GetOIDCConnectors 

func (a *ServerWithRoles) GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

func (*ServerWithRoles) GetPluginData 

func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)

GetPluginData loads all plugin data matching the supplied filter.

func (*ServerWithRoles) GetProxies 

func (a *ServerWithRoles) GetProxies() ([]types.Server, error)

func (*ServerWithRoles) GetRemoteCluster 

func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

func (*ServerWithRoles) GetRemoteClusters 

func (a *ServerWithRoles) GetRemoteClusters(opts ...services.MarshalOption) ([]types.RemoteCluster, error)

func (*ServerWithRoles) GetResetPasswordToken 

func (a *ServerWithRoles) GetResetPasswordToken(ctx context.Context, tokenID string) (types.UserToken, error)

func (*ServerWithRoles) GetReverseTunnel 

func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.MarshalOption) (types.ReverseTunnel, error)

func (*ServerWithRoles) GetReverseTunnels 

func (a *ServerWithRoles) GetReverseTunnels(ctx context.Context, opts ...services.MarshalOption) ([]types.ReverseTunnel, error)

func (*ServerWithRoles) GetRole 

func (a *ServerWithRoles) GetRole(ctx context.Context, name string) (types.Role, error)

GetRole returns role by name

func (*ServerWithRoles) GetRoles 

func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error)

GetRoles returns a list of roles

func (*ServerWithRoles) GetSAMLAuthRequest 

func (a *ServerWithRoles) GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

GetSAMLAuthRequest returns SAML auth request if found.

func (*ServerWithRoles) GetSAMLConnector 

func (a *ServerWithRoles) GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)

func (*ServerWithRoles) GetSAMLConnectors 

func (a *ServerWithRoles) GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

func (*ServerWithRoles) GetSSODiagnosticInfo 

func (a *ServerWithRoles) GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

GetSSODiagnosticInfo returns SSO diagnostic info records.

func (*ServerWithRoles) GetSemaphores 

func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error)

GetSemaphores returns a list of all semaphores matching the supplied filter.

func (*ServerWithRoles) GetSession 

func (a *ServerWithRoles) GetSession(ctx context.Context, namespace string, id session.ID) (*session.Session, error)

DELETE IN 12.0.0

func (*ServerWithRoles) GetSessionChunk 

func (a *ServerWithRoles) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*ServerWithRoles) GetSessionEvents 

func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]events.EventFields, error)

func (*ServerWithRoles) GetSessionRecordingConfig 

func (a *ServerWithRoles) GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

GetSessionRecordingConfig gets session recording configuration.

func (*ServerWithRoles) GetSessionTracker 

func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

GetSessionTracker returns the current state of a session tracker for an active session.

func (*ServerWithRoles) GetSessions 

func (a *ServerWithRoles) GetSessions(ctx context.Context, namespace string) ([]session.Session, error)

DELETE IN 12.0.0

func (*ServerWithRoles) GetSnowflakeSession 

func (a *ServerWithRoles) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeSessionRequest) (types.WebSession, error)

GetSnowflakeSession gets a Snowflake web session.

func (*ServerWithRoles) GetSnowflakeSessions 

func (a *ServerWithRoles) GetSnowflakeSessions(ctx context.Context) ([]types.WebSession, error)

GetSnowflakeSessions gets all Snowflake web sessions.

func (*ServerWithRoles) GetStaticTokens 

func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error)

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*ServerWithRoles) GetToken 

func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

func (*ServerWithRoles) GetTokens 

func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken, error)

func (*ServerWithRoles) GetTrustedCluster 

func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

func (*ServerWithRoles) GetTrustedClusters 

func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

func (*ServerWithRoles) GetTunnelConnections 

func (a *ServerWithRoles) GetTunnelConnections(clusterName string, opts ...services.MarshalOption) ([]types.TunnelConnection, error)

func (*ServerWithRoles) GetUser 

func (a *ServerWithRoles) GetUser(name string, withSecrets bool) (types.User, error)

func (*ServerWithRoles) GetUsers 

func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error)

func (*ServerWithRoles) GetWebSession 

func (a *ServerWithRoles) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns the web session specified with req. Implements auth.ReadAccessPoint.

func (*ServerWithRoles) GetWebSessionInfo 

func (a *ServerWithRoles) GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)

GetWebSessionInfo returns the web session for the given user specified with sid. The session is stripped of any authentication details. Implements auth.WebUIService

func (*ServerWithRoles) GetWebToken 

func (a *ServerWithRoles) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns the web token specified with req. Implements auth.ReadAccessPoint.

func (*ServerWithRoles) GetWindowsDesktopService 

func (a *ServerWithRoles) GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)

GetWindowsDesktopService returns a registered windows desktop service by name.

func (*ServerWithRoles) GetWindowsDesktopServices 

func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)

GetWindowsDesktopServices returns all registered windows desktop services.

func (*ServerWithRoles) GetWindowsDesktops 

func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)

GetWindowsDesktops returns all registered windows desktop hosts.

func (*ServerWithRoles) IsMFARequired 

func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFARequiredRequest) (*proto.IsMFARequiredResponse, error)

func (*ServerWithRoles) KeepAliveNode 

func (a *ServerWithRoles) KeepAliveNode(ctx context.Context, handle types.KeepAlive) error

DELETE IN: 5.1.0

This logic has moved to KeepAliveServer.

func (*ServerWithRoles) KeepAliveSemaphoreLease 

func (a *ServerWithRoles) KeepAliveSemaphoreLease(ctx context.Context, lease types.SemaphoreLease) error

KeepAliveSemaphoreLease updates semaphore lease.

func (*ServerWithRoles) KeepAliveServer 

func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.KeepAlive) error

KeepAliveServer updates expiry time of a server resource.

func (*ServerWithRoles) ListResources 

func (a *ServerWithRoles) ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)

ListResources returns a paginated list of resources filtered by user access.

func (*ServerWithRoles) ListWindowsDesktopServices 

func (a *ServerWithRoles) ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)

ListWindowsDesktopServices not implemented: can only be called locally.

func (*ServerWithRoles) ListWindowsDesktops 

func (a *ServerWithRoles) ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)

ListWindowsDesktops not implemented: can only be called locally.

func (*ServerWithRoles) MaintainSessionPresence 

func (a *ServerWithRoles) MaintainSessionPresence(ctx context.Context) (proto.AuthService_MaintainSessionPresenceClient, error)

UpdatePresence is coupled to the service layer and must exist here but is never actually called since it's handled by the session presence task. This is never valid to call.

func (*ServerWithRoles) NewKeepAliver 

func (a *ServerWithRoles) NewKeepAliver(ctx context.Context) (types.KeepAliver, error)

NewKeepAliver not implemented: can only be called locally.

func (*ServerWithRoles) NewWatcher 

func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher returns a new event watcher

func (*ServerWithRoles) Ping 

func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)

Ping gets basic info about the auth server.

func (*ServerWithRoles) PingInventory 

func (a *ServerWithRoles) PingInventory(ctx context.Context, req proto.InventoryPingRequest) (proto.InventoryPingResponse, error)

func (*ServerWithRoles) PreAuthenticatedSignIn 

func (a *ServerWithRoles) PreAuthenticatedSignIn(ctx context.Context, user string) (types.WebSession, error)

func (*ServerWithRoles) ProcessKubeCSR 

func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)

ProcessKubeCSR processes CSR request against Kubernetes CA, returns signed certificate if successful.

func (*ServerWithRoles) RegisterInventoryControlStream 

func (a *ServerWithRoles) RegisterInventoryControlStream(ics client.UpstreamInventoryControlStream) error

func (*ServerWithRoles) RegisterUsingIAMMethod 

func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterChallengeResponseFunc) (*proto.Certs, error)

RegisterUsingIAMMethod registers the caller using the IAM join method and returns signed certs to join the cluster.

See (*Server).RegisterUsingIAMMethod for further documentation.

This wrapper does not do any extra authz checks, as the register method has its own authz mechanism.

func (*ServerWithRoles) RegisterUsingToken 

func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)

func (*ServerWithRoles) RemoveSessionTracker 

func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error

RemoveSessionTracker removes a tracker resource for an active session.

func (*ServerWithRoles) ReplaceRemoteLocks 

func (a *ServerWithRoles) ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error

ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.

func (*ServerWithRoles) ResetAuthPreference 

func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error

ResetAuthPreference resets cluster auth preference to defaults.

func (*ServerWithRoles) ResetClusterNetworkingConfig 

func (a *ServerWithRoles) ResetClusterNetworkingConfig(ctx context.Context) error

ResetClusterNetworkingConfig resets cluster networking configuration to defaults.

func (*ServerWithRoles) ResetSessionRecordingConfig 

func (a *ServerWithRoles) ResetSessionRecordingConfig(ctx context.Context) error

ResetSessionRecordingConfig resets session recording configuration to defaults.

func (*ServerWithRoles) ResumeAuditStream 

func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error)

ResumeAuditStream resumes the stream that has been created

func (*ServerWithRoles) RotateCertAuthority 

func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error

RotateCertAuthority starts or restarts certificate authority rotation process.

func (*ServerWithRoles) RotateExternalCertAuthority 

func (a *ServerWithRoles) RotateExternalCertAuthority(ctx context.Context, ca types.CertAuthority) error

RotateExternalCertAuthority rotates external certificate authority, this method is called by a remote trusted cluster and is used to update only public keys and certificates of the certificate authority.

func (*ServerWithRoles) SearchEvents 

func (a *ServerWithRoles) SearchEvents(fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) (events []apievents.AuditEvent, lastKey string, err error)

SearchEvents allows searching audit events with pagination support.

func (*ServerWithRoles) SearchSessionEvents 

func (a *ServerWithRoles) SearchSessionEvents(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startKey string, cond *types.WhereExpr, sessionID string) (events []apievents.AuditEvent, lastKey string, err error)

SearchSessionEvents allows searching session audit events with pagination support.

func (*ServerWithRoles) SetAccessRequestState 

func (a *ServerWithRoles) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error

func (*ServerWithRoles) SetAuthPreference 

func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref types.AuthPreference) error

SetAuthPreference sets cluster auth preference.

func (*ServerWithRoles) SetClusterAuditConfig 

func (a *ServerWithRoles) SetClusterAuditConfig(ctx context.Context, auditConfig types.ClusterAuditConfig) error

SetClusterAuditConfig not implemented: can only be called locally.

func (*ServerWithRoles) SetClusterName 

func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error

SetClusterName sets the name of the cluster. SetClusterName can only be called once.

func (*ServerWithRoles) SetClusterNetworkingConfig 

func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNetConfig types.ClusterNetworkingConfig) error

SetClusterNetworkingConfig sets cluster networking configuration.

func (*ServerWithRoles) SetInstaller 

func (a *ServerWithRoles) SetInstaller(ctx context.Context, inst types.Installer) error

SetInstaller sets an Installer script resource

func (*ServerWithRoles) SetNetworkRestrictions 

func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error

SetNetworkRestrictions updates the network restrictions.

func (*ServerWithRoles) SetSessionRecordingConfig 

func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecConfig types.SessionRecordingConfig) error

SetSessionRecordingConfig sets session recording configuration.

func (*ServerWithRoles) SetStaticTokens 

func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*ServerWithRoles) SignDatabaseCSR 

func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error)

SignDatabaseCSR generates a client certificate used by proxy when talking to a remote database service.

func (*ServerWithRoles) StartAccountRecovery 

func (a *ServerWithRoles) StartAccountRecovery(ctx context.Context, req *proto.StartAccountRecoveryRequest) (types.UserToken, error)

StartAccountRecovery is implemented by AuthService.StartAccountRecovery.

func (*ServerWithRoles) StreamSessionEvents 

func (a *ServerWithRoles) StreamSessionEvents(ctx context.Context, sessionID session.ID, startIndex int64) (chan apievents.AuditEvent, chan error)

StreamSessionEvents streams all events from a given session recording. An error is returned on the first channel if one is encountered. Otherwise the event channel is closed when the stream ends. The event channel is not closed on error to prevent race conditions in downstream select statements.

func (*ServerWithRoles) SubmitAccessReview 

func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)

func (*ServerWithRoles) SubmitUsageEvent 

func (a *ServerWithRoles) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error

SubmitUsageEvent submits an external usage event.

func (*ServerWithRoles) UnstableAssertSystemRole 

func (a *ServerWithRoles) UnstableAssertSystemRole(ctx context.Context, req proto.UnstableSystemRoleAssertion) error

func (*ServerWithRoles) UpdateApp 

func (a *ServerWithRoles) UpdateApp(ctx context.Context, app types.Application) error

UpdateApp updates existing application resource.

func (*ServerWithRoles) UpdateConnectionDiagnostic 

func (a *ServerWithRoles) UpdateConnectionDiagnostic(ctx context.Context, connectionDiagnostic types.ConnectionDiagnostic) error

UpdateConnectionDiagnostic updates a connection diagnostic.

func (*ServerWithRoles) UpdateDatabase 

func (a *ServerWithRoles) UpdateDatabase(ctx context.Context, database types.Database) error

UpdateDatabase updates existing database resource.

func (*ServerWithRoles) UpdateKubernetesCluster 

func (a *ServerWithRoles) UpdateKubernetesCluster(ctx context.Context, cluster types.KubeCluster) error

UpdateKubernetesCluster updates existing kubernetes cluster resource.

func (*ServerWithRoles) UpdatePluginData 

func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error

UpdatePluginData updates a per-resource PluginData entry.

func (*ServerWithRoles) UpdatePresence 

func (a *ServerWithRoles) UpdatePresence(ctx context.Context, sessionID, user string) error

UpdatePresence is coupled to the service layer and must exist here but is never actually called since it's handled by the session presence task. This is never valid to call.

func (*ServerWithRoles) UpdateRemoteCluster 

func (a *ServerWithRoles) UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error

func (*ServerWithRoles) UpdateSession 

func (a *ServerWithRoles) UpdateSession(ctx context.Context, req session.UpdateRequest) error

DELETE IN 12.0.0

func (*ServerWithRoles) UpdateSessionTracker 

func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

UpdateSessionTracker updates a tracker resource for an active session.

func (*ServerWithRoles) UpdateUser 

func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) error

UpdateUser updates an existing user in a backend. Captures the auth user who modified the user record.

func (*ServerWithRoles) UpdateWindowsDesktop 

func (a *ServerWithRoles) UpdateWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

UpdateWindowsDesktop updates an existing windows desktop host.

func (*ServerWithRoles) UpsertAppSession 

func (a *ServerWithRoles) UpsertAppSession(ctx context.Context, session types.WebSession) error

UpsertAppSession not implemented: can only be called locally.

func (*ServerWithRoles) UpsertApplicationServer 

func (a *ServerWithRoles) UpsertApplicationServer(ctx context.Context, server types.AppServer) (*types.KeepAlive, error)

UpsertApplicationServer registers an application server.

func (*ServerWithRoles) UpsertAuthServer 

func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error

func (*ServerWithRoles) UpsertCertAuthority 

func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error

UpsertCertAuthority updates existing cert authority or updates the existing one.

func (*ServerWithRoles) UpsertClusterAlert 

func (a *ServerWithRoles) UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error

func (*ServerWithRoles) UpsertClusterName 

func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error

UpsertClusterName sets the name of the cluster.

func (*ServerWithRoles) UpsertDatabaseServer 

func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error)

UpsertDatabaseServer creates or updates a new database proxy server.

func (*ServerWithRoles) UpsertGithubConnector 

func (a *ServerWithRoles) UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error

UpsertGithubConnector creates or updates a Github connector.

func (*ServerWithRoles) UpsertKubeService 

func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server) error

UpsertKubeService creates or updates a Server representing a teleport kubernetes service.

func (*ServerWithRoles) UpsertKubeServiceV2 

func (a *ServerWithRoles) UpsertKubeServiceV2(ctx context.Context, s types.Server) (*types.KeepAlive, error)

UpsertKubeServiceV2 creates or updates a Server representing a teleport kubernetes service.

func (*ServerWithRoles) UpsertKubernetesServer 

func (a *ServerWithRoles) UpsertKubernetesServer(ctx context.Context, s types.KubeServer) (*types.KeepAlive, error)

UpsertKubernetesServer creates or updates a Server representing a teleport kubernetes server.

func (*ServerWithRoles) UpsertLock 

func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error

UpsertLock upserts a lock.

func (*ServerWithRoles) UpsertNamespace 

func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error

UpsertNamespace upserts namespace

func (*ServerWithRoles) UpsertNode 

func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error)

func (*ServerWithRoles) UpsertOIDCConnector 

func (a *ServerWithRoles) UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error

UpsertOIDCConnector creates or updates an OIDC connector.

func (*ServerWithRoles) UpsertProxy 

func (a *ServerWithRoles) UpsertProxy(s types.Server) error

func (*ServerWithRoles) UpsertReverseTunnel 

func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error

func (*ServerWithRoles) UpsertRole 

func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) error

UpsertRole creates or updates role.

func (*ServerWithRoles) UpsertSAMLConnector 

func (a *ServerWithRoles) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error

UpsertSAMLConnector creates or updates a SAML connector.

func (*ServerWithRoles) UpsertSnowflakeSession 

func (a *ServerWithRoles) UpsertSnowflakeSession(_ context.Context, _ types.WebSession) error

UpsertSnowflakeSession not implemented: can only be called locally.

func (*ServerWithRoles) UpsertToken 

func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error

func (*ServerWithRoles) UpsertTrustedCluster 

func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)

UpsertTrustedCluster creates or updates a trusted cluster.

func (*ServerWithRoles) UpsertTunnelConnection 

func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error

func (*ServerWithRoles) UpsertUser 

func (a *ServerWithRoles) UpsertUser(u types.User) error

func (*ServerWithRoles) UpsertWindowsDesktop 

func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error

UpsertWindowsDesktop updates a windows desktop resource, creating it if it doesn't exist.

func (*ServerWithRoles) UpsertWindowsDesktopService 

func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error)

UpsertWindowsDesktopService creates or updates a new windows desktop service.

func (*ServerWithRoles) ValidateGithubAuthCallback 

func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*GithubAuthResponse, error)

func (*ServerWithRoles) ValidateOIDCAuthCallback 

func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*OIDCAuthResponse, error)

func (*ServerWithRoles) ValidateSAMLResponse 

func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, re string, connectorID string) (*SAMLAuthResponse, error)

ValidateSAMLResponse validates SAML auth response.

func (*ServerWithRoles) ValidateTrustedCluster 

func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error)

func (*ServerWithRoles) VerifyAccountRecovery 

func (a *ServerWithRoles) VerifyAccountRecovery(ctx context.Context, req *proto.VerifyAccountRecoveryRequest) (types.UserToken, error)

VerifyAccountRecovery is implemented by AuthService.VerifyAccountRecovery.

func (*ServerWithRoles) WebSessions 

func (a *ServerWithRoles) WebSessions() types.WebSessionInterface

WebSessions returns the web session manager. Implements services.WebSessionsGetter.

func (*ServerWithRoles) WebTokens 

func (a *ServerWithRoles) WebTokens() types.WebTokenInterface

WebTokens returns the web token manager. Implements services.WebTokensGetter.

type Services 

type Services struct {
	services.Trust
	services.Presence
	services.Provisioner
	services.Identity
	services.Access
	services.DynamicAccessExt
	services.ClusterConfiguration
	services.Restrictions
	services.Apps
	services.Kubernetes
	services.Databases
	services.WindowsDesktops
	services.SessionTrackerService
	services.Enforcer
	services.ConnectionsDiagnostic
	services.StatusInternal
	services.UsageReporter
	types.Events
	events.IAuditLog
}

func (*Services) GetWebSession 

func (r *Services) GetWebSession(ctx context.Context, req types.GetWebSessionRequest) (types.WebSession, error)

GetWebSession returns existing web session described by req. Implements ReadAccessPoint

func (*Services) GetWebToken 

func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

GetWebToken returns existing web token described by req. Implements ReadAccessPoint

type SessionAccessContext 

type SessionAccessContext struct {
	Username string
	Roles    []types.Role
	Mode     types.SessionParticipantMode
}

SessionAccessContext is the context that must be provided per participant in the session.

func (*SessionAccessContext) GetIdentifier 

func (ctx *SessionAccessContext) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier is used by the `predicate` library to evaluate variable expressions when evaluating policy filters. It deals with evaluating strings like `participant.name` to the appropriate value.

func (*SessionAccessContext) GetResource 

func (ctx *SessionAccessContext) GetResource() (types.Resource, error)

type SessionAccessEvaluator 

type SessionAccessEvaluator struct {
	// contains filtered or unexported fields
}

SessionAccessEvaluator takes a set of policies and uses rules to evaluate them to determine when a session may start and if a user can join a session.

The current implementation is very simple and uses a brute-force algorithm. More efficient implementations that run in non O(n^2)-ish time are possible but require complex code that is harder to debug in the case of misconfigured policies or other error and are harder to intuitively follow. In the real world, the number of roles and session are small enough that this doesn't have a meaningful impact.

func NewSessionAccessEvaluator 

func NewSessionAccessEvaluator(policySets []*types.SessionTrackerPolicySet, kind types.SessionKind, owner string) SessionAccessEvaluator

NewSessionAccessEvaluator creates a new session access evaluator for a given session kind and a set of roles attached to the host user.

func (*SessionAccessEvaluator) CanJoin 

func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.SessionParticipantMode

CanJoin returns the modes a user has access to join a session with. If the list is empty, the user doesn't have access to join the session at all.

func (*SessionAccessEvaluator) FulfilledFor 

func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error)

FulfilledFor checks if a given session may run with a list of participants.

func (*SessionAccessEvaluator) IsModerated 

func (e *SessionAccessEvaluator) IsModerated() bool

IsModerated returns true if the session needs moderation.

func (*SessionAccessEvaluator) PrettyRequirementsList 

func (e *SessionAccessEvaluator) PrettyRequirementsList() string

Generate a pretty-printed string of precise requirements for session start suitable for user display.

type SessionCreds 

type SessionCreds struct {
	// ID is a web session id
	ID string `json:"id"`
}

SessionCreds is a web session credentials

type SnowflakeSessionWatcher 

type SnowflakeSessionWatcher interface {
	// NewWatcher returns a new event watcher.
	NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)
	// GetSnowflakeSession gets a Snowflake web session for a given request.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
}

SnowflakeSessionWatcher is watcher interface used by Snowflake web session watcher.

type StateSpecV2 

type StateSpecV2 struct {
	// Rotation holds local process rotation state.
	Rotation types.Rotation `json:"rotation"`
}

StateSpecV2 is a state spec.

type StateV2 

type StateV2 struct {
	// ResourceHeader is a common resource header.
	types.ResourceHeader
	// Spec is a process spec.
	Spec StateSpecV2 `json:"spec"`
}

StateV2 is a local process state.

func (*StateV2) CheckAndSetDefaults 

func (s *StateV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults values.

type TLSServer 

type TLSServer struct {
	// contains filtered or unexported fields
}

TLSServer is TLS auth server

func NewTLSServer 

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) Close 

func (t *TLSServer) Close() error

Close closes TLS server non-gracefully - terminates in flight connections

func (*TLSServer) GetConfigForClient 

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve 

func (t *TLSServer) Serve() error

Serve starts GRPC and HTTP1.1 services on the mux listener

func (*TLSServer) Shutdown 

func (t *TLSServer) Shutdown(ctx context.Context) error

Shutdown shuts down TLS server

type TLSServerConfig 

type TLSServerConfig struct {
	// Listener is a listener to bind to
	Listener net.Listener
	// TLS is a base TLS configuration
	TLS *tls.Config
	// API is API server configuration
	APIConfig
	// LimiterConfig is limiter config
	LimiterConfig limiter.Config
	// AccessPoint is a caching access point
	AccessPoint AccessCache
	// Component is used for debugging purposes
	Component string
	// AcceptedUsage restricts authentication
	// to a subset of certificates based on the metadata
	AcceptedUsage []string
	// ID is an optional debugging ID
	ID string
	// Metrics are optional TLSServer metrics
	Metrics *Metrics
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults 

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type TestAuthServer 

type TestAuthServer struct {
	// TestAuthServer config is configuration used for auth server setup
	TestAuthServerConfig
	// AuthServer is an auth server
	AuthServer *Server
	// AuditLog is an event audit log
	AuditLog events.IAuditLog
	// SessionServer is a session service
	SessionServer session.Service
	// Backend is a backend for auth server
	Backend backend.Backend
	// Authorizer is an authorizer used in tests
	Authorizer Authorizer
	// LockWatcher is a lock watcher used in tests.
	LockWatcher *services.LockWatcher
}

TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key

func NewTestAuthServer 

func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error)

NewTestAuthServer returns new instances of Auth server

func (*TestAuthServer) Clock 

func (a *TestAuthServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestAuthServer) Close 

func (a *TestAuthServer) Close() error

func (*TestAuthServer) GenerateUserCert 

func (a *TestAuthServer) GenerateUserCert(key []byte, username string, ttl time.Duration, compatibility string) ([]byte, error)

GenerateUserCert takes the public key in the OpenSSH `authorized_keys` plain text format, signs it using User Certificate Authority signing key and returns the resulting certificate.

func (*TestAuthServer) NewCertificate 

func (a *TestAuthServer) NewCertificate(identity TestIdentity) (*tls.Certificate, error)

NewCertificate returns new TLS credentials generated by test auth server

func (*TestAuthServer) NewRemoteClient 

func (a *TestAuthServer) NewRemoteClient(identity TestIdentity, addr net.Addr, pool *x509.CertPool) (*Client, error)

NewRemoteClient creates new client to the remote server using identity generated for this certificate authority

func (*TestAuthServer) NewTestTLSServer 

func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server

func (*TestAuthServer) Trust 

func (a *TestAuthServer) Trust(ctx context.Context, remote *TestAuthServer, roleMap types.RoleMap) error

Trust adds other server host certificate authority as trusted

type TestAuthServerConfig 

type TestAuthServerConfig struct {
	// ClusterName is cluster name
	ClusterName string
	// Dir is directory for local backend
	Dir string
	// AcceptedUsage is an optional list of restricted
	// server usage
	AcceptedUsage []string
	// CipherSuites is the list of ciphers that the server supports.
	CipherSuites []uint16
	// Clock is used to control time in tests.
	Clock clockwork.FakeClock
	// ClusterNetworkingConfig allows a test to change the default
	// networking configuration.
	ClusterNetworkingConfig types.ClusterNetworkingConfig
	// Streamer allows a test to set its own audit events streamer.
	Streamer events.Streamer
	// AuditLog allows a test to configure its own audit log.
	AuditLog events.IAuditLog
	// TraceClient allows a test to configure the trace client
	TraceClient otlptrace.Client
	// AuthPreferenceSpec is custom initial AuthPreference spec for the test.
	AuthPreferenceSpec *types.AuthPreferenceSpecV2
}

TestAuthServerConfig is auth server test config

func (*TestAuthServerConfig) CheckAndSetDefaults 

func (cfg *TestAuthServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type TestDevice 

type TestDevice struct {
	MFA        *types.MFADevice
	TOTPSecret string
	Key        *mocku2f.Key
	// contains filtered or unexported fields
}

TestDevice is a test MFA device.

func NewTestDeviceFromChallenge 

func NewTestDeviceFromChallenge(c *proto.MFARegisterChallenge, opts ...TestDeviceOpt) (*TestDevice, *proto.MFARegisterResponse, error)

func RegisterTestDevice 

func RegisterTestDevice(
	ctx context.Context, clt authClient, devName string, devType proto.DeviceType, authenticator *TestDevice, opts ...TestDeviceOpt) (*TestDevice, error)

RegisterTestDevice creates and registers a TestDevice. TOTP devices require a clock option.

func (*TestDevice) Origin 

func (d *TestDevice) Origin() string

func (*TestDevice) SolveAuthn 

func (d *TestDevice) SolveAuthn(c *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)

type TestDeviceOpt 

type TestDeviceOpt func(d *TestDevice)

TestDeviceOpt is a creation option for TestDevice.

func WithPasswordless 

func WithPasswordless() TestDeviceOpt

func WithTestDeviceClock 

func WithTestDeviceClock(clock clockwork.Clock) TestDeviceOpt

type TestIdentity 

type TestIdentity struct {
	I              interface{}
	TTL            time.Duration
	AcceptedUsage  []string
	RouteToCluster string
	Renewable      bool
	Generation     uint64
}

TestIdentity is test identity spec used to generate identities in tests

func TestAdmin 

func TestAdmin() TestIdentity

TestAdmin returns TestIdentity for admin user

func TestBuiltin 

func TestBuiltin(role types.SystemRole) TestIdentity

TestBuiltin returns TestIdentity for builtin user

func TestNop 

func TestNop() TestIdentity

TestNop returns "Nop" - unauthenticated identity

func TestRemoteBuiltin 

func TestRemoteBuiltin(role types.SystemRole, remoteCluster string) TestIdentity

TestRemoteBuiltin returns TestIdentity for a remote builtin role.

func TestRenewableUser 

func TestRenewableUser(username string, generation uint64) TestIdentity

TestUser returns a TestIdentity for a local user with renewable credentials.

func TestServerID 

func TestServerID(role types.SystemRole, serverID string) TestIdentity

TestServerID returns a TestIdentity for a node with the passed in serverID.

func TestUser 

func TestUser(username string) TestIdentity

TestUser returns TestIdentity for local user

type TestServer 

type TestServer struct {
	TLS        *TestTLSServer
	AuthServer *TestAuthServer
}

TestServer defines the set of server components for a test

func NewTestServer 

func NewTestServer(cfg TestServerConfig) (*TestServer, error)

NewTestServer creates a new test server configuration

func (*TestServer) Auth 

func (a *TestServer) Auth() *Server

Auth returns the underlying auth server instance

func (*TestServer) ClusterName 

func (a *TestServer) ClusterName() string

func (*TestServer) NewClient 

func (a *TestServer) NewClient(identity TestIdentity) (*Client, error)

func (*TestServer) Shutdown 

func (a *TestServer) Shutdown(ctx context.Context) error

Shutdown stops this server instance gracefully

type TestServerConfig 

type TestServerConfig struct {
	// Auth specifies the auth server configuration
	Auth TestAuthServerConfig
	// TLS optionally specifies the configuration for the TLS server.
	// If unspecified, will be generated automatically
	TLS *TestTLSServerConfig
}

TestServerConfig defines the configuration for all server components

type TestTLSServer 

type TestTLSServer struct {
	// TestTLSServerConfig is a configuration for TLS server
	TestTLSServerConfig
	// Identity is a generated TLS/SSH identity used to answer in TLS
	Identity *Identity
	// TLSServer is a configured TLS server
	TLSServer *TLSServer
}

TestTLSServer is a test TLS server

func NewTestTLSServer 

func NewTestTLSServer(cfg TestTLSServerConfig) (*TestTLSServer, error)

NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port

func (*TestTLSServer) Addr 

func (t *TestTLSServer) Addr() net.Addr

Addr returns address of TLS server

func (*TestTLSServer) Auth 

func (t *TestTLSServer) Auth() *Server

Auth returns auth server used by this TLS server

func (*TestTLSServer) CertPool 

func (t *TestTLSServer) CertPool() (*x509.CertPool, error)

CertPool returns cert pool that auth server represents

func (*TestTLSServer) ClientTLSConfig 

func (t *TestTLSServer) ClientTLSConfig(identity TestIdentity) (*tls.Config, error)

ClientTLSConfig returns client TLS config based on the identity

func (*TestTLSServer) Clock 

func (t *TestTLSServer) Clock() clockwork.Clock

Clock returns clock used by auth server

func (*TestTLSServer) CloneClient 

func (t *TestTLSServer) CloneClient(clt *Client) *Client

CloneClient uses the same credentials as the passed client but forces the client to be recreated

func (*TestTLSServer) Close 

func (t *TestTLSServer) Close() error

Close closes the listener and HTTP server

func (*TestTLSServer) ClusterName 

func (t *TestTLSServer) ClusterName() string

ClusterName returns name of test TLS server cluster

func (*TestTLSServer) NewClient 

func (t *TestTLSServer) NewClient(identity TestIdentity) (*Client, error)

NewClient returns new client to test server authenticated with identity

func (*TestTLSServer) NewClientFromWebSession 

func (t *TestTLSServer) NewClientFromWebSession(sess types.WebSession) (*Client, error)

NewClientFromWebSession returns new authenticated client from web session

func (*TestTLSServer) NewClientWithCert 

func (t *TestTLSServer) NewClientWithCert(clientCert tls.Certificate) *Client

NewClientWithCert creates a new client using given cert and private key

func (*TestTLSServer) Shutdown 

func (t *TestTLSServer) Shutdown(ctx context.Context) error

Shutdown closes the listener and HTTP server gracefully

func (*TestTLSServer) Start 

func (t *TestTLSServer) Start() error

Start starts TLS server on loopback address on the first listening socket

func (*TestTLSServer) Stop 

func (t *TestTLSServer) Stop() error

Stop stops listening server, but does not close the auth backend

type TestTLSServerConfig 

type TestTLSServerConfig struct {
	// APIConfig is a configuration of API server
	APIConfig *APIConfig
	// AuthServer is a test auth server used to serve requests
	AuthServer *TestAuthServer
	// Limiter is a connection and request limiter
	Limiter *limiter.Config
	// Listener is a listener to serve requests on
	Listener net.Listener
	// AcceptedUsage is a list of accepted usage restrictions
	AcceptedUsage []string
}

TestTLSServerConfig is a configuration for test TLS server

func (*TestTLSServerConfig) CheckAndSetDefaults 

func (cfg *TestTLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets limiter defaults

type TrustedCerts 

type TrustedCerts struct {
	// ClusterName identifies teleport cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `json:"domain_name"`
	// HostCertificates is a list of SSH public keys that can be used to check
	// host certificate signatures
	HostCertificates [][]byte `json:"checking_keys"`
	// TLSCertificates  is a list of TLS certificates of the certificate authority
	// of the authentication server
	TLSCertificates [][]byte `json:"tls_certs"`
}

TrustedCerts contains host certificates, it preserves backwards compatibility on the wire, which is the primary reason for non-matching json tags

func AuthoritiesToTrustedCerts 

func AuthoritiesToTrustedCerts(authorities []types.CertAuthority) []TrustedCerts

AuthoritiesToTrustedCerts serializes authorities to TrustedCerts data structure

func (*TrustedCerts) SSHCertPublicKeys 

func (c *TrustedCerts) SSHCertPublicKeys() ([]ssh.PublicKey, error)

SSHCertPublicKeys returns a list of trusted host SSH certificate authority public keys

type ValidateTrustedClusterRequest 

type ValidateTrustedClusterRequest struct {
	Token           string                `json:"token"`
	CAs             []types.CertAuthority `json:"certificate_authorities"`
	TeleportVersion string                `json:"teleport_version"`
}

func (*ValidateTrustedClusterRequest) ToRaw 

func (v *ValidateTrustedClusterRequest) ToRaw() (*ValidateTrustedClusterRequestRaw, error)

type ValidateTrustedClusterRequestRaw 

type ValidateTrustedClusterRequestRaw struct {
	Token           string   `json:"token"`
	CAs             [][]byte `json:"certificate_authorities"`
	TeleportVersion string   `json:"teleport_version"`
}

func (*ValidateTrustedClusterRequestRaw) ToNative 

func (v *ValidateTrustedClusterRequestRaw) ToNative() (*ValidateTrustedClusterRequest, error)

type ValidateTrustedClusterResponse 

type ValidateTrustedClusterResponse struct {
	CAs []types.CertAuthority `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponse) ToRaw 

func (v *ValidateTrustedClusterResponse) ToRaw() (*ValidateTrustedClusterResponseRaw, error)

type ValidateTrustedClusterResponseRaw 

type ValidateTrustedClusterResponseRaw struct {
	CAs [][]byte `json:"certificate_authorities"`
}

func (*ValidateTrustedClusterResponseRaw) ToNative 

func (v *ValidateTrustedClusterResponseRaw) ToNative() (*ValidateTrustedClusterResponse, error)

type WebService 

type WebService interface {
	// GetWebSessionInfo checks if a web session is valid, returns session id in case if
	// it is valid, or error otherwise.
	GetWebSessionInfo(ctx context.Context, user, sessionID string) (types.WebSession, error)
	// ExtendWebSession creates a new web session for a user based on another
	// valid web session
	ExtendWebSession(ctx context.Context, req WebSessionReq) (types.WebSession, error)
	// CreateWebSession creates a new web session for a user
	CreateWebSession(ctx context.Context, user string) (types.WebSession, error)

	// AppSession defines application session features.
	services.AppSession
	// SnowflakeSession defines Snowflake session features.
	services.SnowflakeSession
}

WebService implements features used by Web UI clients

type WebSessionReq 

type WebSessionReq struct {
	// User is the user name associated with the session id.
	User string `json:"user"`
	// PrevSessionID is the id of current session.
	PrevSessionID string `json:"prev_session_id"`
	// AccessRequestID is an optional field that holds the id of an approved access request.
	AccessRequestID string `json:"access_request_id"`
	// Switchback is a flag to indicate if user is wanting to switchback from an assumed role
	// back to their default role.
	Switchback bool `json:"switchback"`
	// ReloadUser is a flag to indicate if user needs to be refetched from the backend
	// to apply new user changes e.g. user traits were updated.
	ReloadUser bool `json:"reload_user"`
}

type WindowsDesktopAccessPoint 

type WindowsDesktopAccessPoint interface {
	// ReadWindowsDesktopAccessPoint provides methods to read data
	ReadWindowsDesktopAccessPoint
	// contains filtered or unexported methods
}

WindowsDesktopAccessPoint is an API interface implemented by a certificate authority (CA) to be used by a teleport.ComponentWindowsDesktop.

func NewWindowsDesktopWrapper 

func NewWindowsDesktopWrapper(base WindowsDesktopAccessPoint, cache ReadWindowsDesktopAccessPoint) WindowsDesktopAccessPoint

type WindowsDesktopWrapper 

type WindowsDesktopWrapper struct {
	ReadWindowsDesktopAccessPoint

	NoCache WindowsDesktopAccessPoint
	// contains filtered or unexported fields
}

func (*WindowsDesktopWrapper) Close 

func (w *WindowsDesktopWrapper) Close() error

Close closes all associated resources

type WrapIdentity 

type WrapIdentity tlsca.Identity

WrapIdentity wraps identity to return identity getter function

func (WrapIdentity) GetIdentity 

func (i WrapIdentity) GetIdentity() tlsca.Identity

GetIdentity returns identity

Source Files

View all Source files

Directories

Path Synopsis
Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
 Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
 Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
internal/faketime
package test contains CA authority acceptance test suite.
 package test contains CA authority acceptance test suite.
Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
 Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
Package webauthn implements server-side support for the Web Authentication specification.
 Package webauthn implements server-side support for the Web Authentication specification.
httpserver
Package webauthncli provides the client-side implementation for WebAuthn.
 Package webauthncli provides the client-side implementation for WebAuthn.
Package webauthnwin is wrapper around Windows webauthn API.
 Package webauthnwin is wrapper around Windows webauthn API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.