package web

v11.3.3

This package is not in the latest version of its module.

Published: Dec 13, 2022 License: Apache-2.0 Imports: 109 Imported by: 0

Documentation

Overview

Package web implements the web proxy handler that provides a web interface to view and connect to Teleport nodes.

Constants

const (
	// CookieName is the name of the session cookie.
	CookieName = "__Host-session"
)

Variables

var (
	ErrInvalidLengthEnvelope        = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowEnvelope          = fmt.Errorf("proto: integer overflow")
	ErrUnexpectedEndOfGroupEnvelope = fmt.Errorf("proto: unexpected end of group")
)

Functions

func CheckResourceUpsertableByError

func CheckResourceUpsertableByError(err error, httpMethod, resourceName string) error

CheckResourceUpsertableByError checks whether the resource can be upserted, based on the error returned and the HTTP method used for the request.

func ClearSession

func ClearSession(w http.ResponseWriter)

func ConstructSSHResponse

func ConstructSSHResponse(response AuthParams) (*url.URL, error)

ConstructSSHResponse creates a special SSH response for the SSH login method that encodes everything using the client's secret key.

func EncodeCookie

func EncodeCookie(user, sid string) (string, error)

func ExtractResourceAndValidate

func ExtractResourceAndValidate(yaml string) (*services.UnknownResource, error)

ExtractResourceAndValidate extracts resource information from given string and validates basic fields.

func NewDebugFileSystem

func NewDebugFileSystem(assetsPath string) (http.FileSystem, error)

NewDebugFileSystem returns the HTTP file system implementation rooted at the specified assetsPath.

func NewStaticFileSystem

func NewStaticFileSystem() (http.FileSystem, error)

NewStaticFileSystem is a no-op in this build mode.

func OK

func OK() interface{}

OK is a response that indicates request was successful.

func SetSessionCookie

func SetSessionCookie(w http.ResponseWriter, user, sid string) error

Types

type APIHandler

type APIHandler struct {
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error)

NewHandler returns a new instance of the web proxy handler.

func (*APIHandler) Close

func (h *APIHandler) Close() error

func (*APIHandler) HandleConnection

func (h *APIHandler) HandleConnection(ctx context.Context, conn net.Conn) error

HandleConnection handles connections from plain TCP applications.

func (*APIHandler) ServeHTTP

func (h *APIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP checks whether this request should be forwarded to an application handler or handled by the UI, and handles the request appropriately.

type AuthParams

type AuthParams struct {
	// Username is authenticated teleport username
	Username string
	// Identity contains validated OIDC identity
	Identity types.ExternalIdentity
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session types.WebSession
	// Cert will be generated by certificate authority
	Cert []byte
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []types.CertAuthority
	// ClientRedirectURL is a URL to redirect client to
	ClientRedirectURL string
	// FIPS mode means Teleport started in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool
}

AuthParams are used to construct the redirect URL that carries auth information back to tsh login.

type AuthProvider

type AuthProvider interface {
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
	GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]events.EventFields, error)
	GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
	IsMFARequired(ctx context.Context, req *authproto.IsMFARequiredRequest) (*authproto.IsMFARequiredResponse, error)
	GenerateUserSingleUseCerts(ctx context.Context) (authproto.AuthService_GenerateUserSingleUseCertsClient, error)
}

AuthProvider is a subset of the full Auth API.

type ClusterClientHandler

type ClusterClientHandler func(http.ResponseWriter, *http.Request, httprouter.Params, *SessionContext, ClusterClientProvider) (interface{}, error)

ClusterClientHandler is an authenticated handler which can get a client for any remote cluster.

type ClusterClientProvider

type ClusterClientProvider interface {
	// UserClientForCluster returns a client to the local or remote cluster
	// identified by clusterName and is authenticated with the identity of the
	// user.
	UserClientForCluster(ctx context.Context, clusterName string) (auth.ClientI, error)
}

ClusterClientProvider is an interface for a type which can provide authenticated clients to remote clusters.

type ClusterHandler

type ClusterHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, sctx *SessionContext, site reversetunnel.RemoteSite) (interface{}, error)

ClusterHandler is an authenticated handler that is called for an existing remote cluster.

type Config

type Config struct {
	// PluginRegistry handles plugin registration
	PluginRegistry plugin.Registry
	// Proxy is a reverse tunnel proxy that handles connections
	// to local cluster or remote clusters using unified interface
	Proxy reversetunnel.Tunnel
	// AuthServers is a list of auth servers this proxy talks to
	AuthServers utils.NetAddr
	// DomainName is a domain name served by web handler
	DomainName string
	// ProxyClient is a client authenticated as the proxy
	ProxyClient auth.ClientI
	// ProxySSHAddr points to the SSH address of the proxy
	ProxySSHAddr utils.NetAddr
	// ProxyKubeAddr points to the Kube address of the proxy
	ProxyKubeAddr utils.NetAddr
	// ProxyWebAddr points to the web (HTTPS) address of the proxy
	ProxyWebAddr utils.NetAddr
	// ProxyPublicAddr contains web proxy public addresses.
	ProxyPublicAddrs []utils.NetAddr

	// CipherSuites is the list of cipher suites Teleport supports.
	CipherSuites []uint16

	// FIPS mode means Teleport started in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// AccessPoint holds a cache to the Auth Server.
	AccessPoint auth.ProxyAccessPoint

	// Emitter is event emitter
	Emitter events.StreamEmitter

	// HostUUID is the UUID of this process.
	HostUUID string

	// Context is used to signal process exit.
	Context context.Context

	// StaticFS optionally specifies the HTTP file system to use.
	// Enables web UI if set.
	StaticFS http.FileSystem

	// ClusterFeatures contains flags for supported/unsupported features.
	ClusterFeatures proto.Features

	// ProxySettings allows fetching the current proxy settings.
	ProxySettings proxySettingsGetter

	// MinimalReverseTunnelRoutesOnly mode handles only the endpoints required for
	// a reverse tunnel agent to establish a connection.
	MinimalReverseTunnelRoutesOnly bool

	// PublicProxyAddr is used to template the public proxy address
	// into the installer script responses
	PublicProxyAddr string

	// ALPNHandler is the ALPN connection handler for handling upgraded ALPN
	// connection through a HTTP upgrade call.
	ALPNHandler ConnectionHandler

	// TraceClient is used to forward spans to the upstream collector for the UI
	TraceClient otlptrace.Client

	// Router is used to route ssh sessions to hosts
	Router *proxy.Router

	// SessionControl is used to determine if users are
	// allowed to spawn new sessions
	SessionControl *srv.SessionController

	// TracerProvider generates tracers to create spans with
	TracerProvider oteltrace.TracerProvider
	// contains filtered or unexported fields
}

Config represents the web handler configuration parameters.

type ConnectionHandler

type ConnectionHandler func(ctx context.Context, conn net.Conn) error

ConnectionHandler defines a function for serving incoming connections.

type ContextHandler

type ContextHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext) (interface{}, error)

ContextHandler is a handler called with the auth context, which means the request is authenticated and ready to be processed.

type CreateAppSessionRequest

type CreateAppSessionRequest resolveAppParams

type CreateAppSessionResponse

type CreateAppSessionResponse struct {
	// CookieValue is the application session cookie value.
	CookieValue string `json:"value"`
	// FQDN is application FQDN.
	FQDN string `json:"fqdn"`
}

type CreateSessionReq

type CreateSessionReq struct {
	// User is the Teleport username.
	User string `json:"user"`
	// Pass is the password.
	Pass string `json:"pass"`
	// SecondFactorToken is the OTP.
	SecondFactorToken string `json:"second_factor_token"`
}

CreateSessionReq is a request to create a session from a username, password and second factor token.

type CreateSessionResponse

type CreateSessionResponse struct {
	// TokenType is the token type (bearer)
	TokenType string `json:"type"`
	// Token is the token value
	Token string `json:"token"`
	// TokenExpiresIn is the number of seconds until this token is no longer valid
	TokenExpiresIn int `json:"expires_in"`
	// SessionExpires is when this session expires.
	SessionExpires time.Time `json:"sessionExpires,omitempty"`
	// SessionInactiveTimeoutMS specifies how long in milliseconds
	// a user WebUI session can be left idle before being logged out
	// by the server. A zero value means there is no idle timeout set.
	SessionInactiveTimeoutMS int `json:"sessionInactiveTimeout"`
}

CreateSessionResponse returns OAuth-compatible data about the access token: https://tools.ietf.org/html/rfc6749

func (*CreateSessionResponse) String

func (r *CreateSessionResponse) String() string

String returns a text description of this response.

type Envelope

type Envelope struct {
	// Version is the version of the protocol.
	Version string `protobuf:"bytes,1,opt,name=Version,proto3" json:"Version,omitempty"`
	// Type is the type of message. For version 1 of the protocol this must
	// not be longer than 1 character.
	Type string `protobuf:"bytes,2,opt,name=Type,proto3" json:"Type,omitempty"`
	// Payload is the actual data to send.
	Payload              string   `protobuf:"bytes,3,opt,name=Payload,proto3" json:"Payload,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Envelope is used to wrap, transmit and receive messages between the web client and the proxy.

func (*Envelope) Descriptor

func (*Envelope) Descriptor() ([]byte, []int)

func (*Envelope) GetPayload

func (m *Envelope) GetPayload() string

func (*Envelope) GetType

func (m *Envelope) GetType() string

func (*Envelope) GetVersion

func (m *Envelope) GetVersion() string

func (*Envelope) Marshal

func (m *Envelope) Marshal() (dAtA []byte, err error)

func (*Envelope) MarshalTo

func (m *Envelope) MarshalTo(dAtA []byte) (int, error)

func (*Envelope) MarshalToSizedBuffer

func (m *Envelope) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*Envelope) ProtoMessage

func (*Envelope) ProtoMessage()

func (*Envelope) Reset

func (m *Envelope) Reset()

func (*Envelope) Size

func (m *Envelope) Size() (n int)

func (*Envelope) String

func (m *Envelope) String() string

func (*Envelope) Unmarshal

func (m *Envelope) Unmarshal(dAtA []byte) error

func (*Envelope) XXX_DiscardUnknown

func (m *Envelope) XXX_DiscardUnknown()

func (*Envelope) XXX_Marshal

func (m *Envelope) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Envelope) XXX_Merge

func (m *Envelope) XXX_Merge(src proto.Message)

func (*Envelope) XXX_Size

func (m *Envelope) XXX_Size() int

func (*Envelope) XXX_Unmarshal

func (m *Envelope) XXX_Unmarshal(b []byte) error

type GetAppFQDNRequest

type GetAppFQDNRequest resolveAppParams

type GetAppFQDNResponse

type GetAppFQDNResponse struct {
	// FQDN is application FQDN.
	FQDN string `json:"fqdn"`
}

type Handler

type Handler struct {
	sync.Mutex
	httprouter.Router

	// ClusterFeatures contain flags for supported and unsupported features.
	ClusterFeatures proto.Features
	// contains filtered or unexported fields
}

Handler is the HTTP web proxy handler.

func (*Handler) AuthenticateRequest

func (h *Handler) AuthenticateRequest(w http.ResponseWriter, r *http.Request, checkBearerToken bool) (*SessionContext, error)

AuthenticateRequest authenticates a request using a combination of a session cookie and a bearer token.

func (*Handler) Close

func (h *Handler) Close() error

Close closes associated session cache operations

func (*Handler) GetProxyClient

func (h *Handler) GetProxyClient() auth.ClientI

GetProxyClient returns the authenticated auth server client.

func (*Handler) ProxyHostPort

func (h *Handler) ProxyHostPort() string

ProxyHostPort returns the address of the proxy server using --proxy notation, i.e. "localhost:8030,8023"

func (*Handler) ProxyWithRoles

func (h *Handler) ProxyWithRoles(ctx *SessionContext) (reversetunnel.Tunnel, error)

ProxyWithRoles returns a reverse tunnel proxy verifying the permissions of the given user.

func (*Handler) String

func (h *Handler) String() string

func (*Handler) WithAuth

func (h *Handler) WithAuth(fn ContextHandler) httprouter.Handle

WithAuth ensures that a request is authenticated.

func (*Handler) WithClusterAuth

func (h *Handler) WithClusterAuth(fn ClusterHandler) httprouter.Handle

WithClusterAuth wraps a ClusterHandler to ensure that a request is authenticated to this proxy (the same as WithAuth), as well as to grab the RemoteSite (which can represent this local cluster or a remote trusted cluster) as specified by the ":site" url parameter.

func (*Handler) WithClusterClientProvider

func (h *Handler) WithClusterClientProvider(fn ClusterClientHandler) httprouter.Handle

WithClusterClientProvider wraps a ClusterClientHandler to ensure that a request is authenticated to this proxy (the same as WithAuth), and passes a ClusterClientProvider so that the handler can access remote clusters. Use this instead of WithClusterAuth when the remote cluster cannot be encoded in the path or multiple clusters may need to be accessed from a single handler.

func (*Handler) WithMetaRedirect

func (h *Handler) WithMetaRedirect(fn redirectHandlerFunc) httprouter.Handle

WithMetaRedirect is a handler that redirects to the path specified using HTML rather than HTTP. This is needed for redirects that can have a header size larger than 8kb, which some middlewares will drop. See https://github.com/gravitational/teleport/issues/7467.

func (*Handler) WithProvisionTokenAuth

func (h *Handler) WithProvisionTokenAuth(fn ProvisionTokenHandler) httprouter.Handle

WithProvisionTokenAuth ensures that a request is authenticated with a provision token. Provision tokens used this way are invalidated as soon as they are used, regardless of whether the underlying response was a success or an error.

func (*Handler) WithRedirect

func (h *Handler) WithRedirect(fn redirectHandlerFunc) httprouter.Handle

WithRedirect is a handler that redirects to the path specified in the returned value.

type HandlerOption

type HandlerOption func(h *Handler) error

HandlerOption is a functional argument: an option that can be passed to the NewHandler function.

func SetClock

func SetClock(clock clockwork.Clock) HandlerOption

SetClock sets the clock on a handler

func SetSessionStreamPollPeriod

func SetSessionStreamPollPeriod(period time.Duration) HandlerOption

SetSessionStreamPollPeriod sets polling period for session streams

type JWKSResponse

type JWKSResponse struct {
	// Keys is a list of public keys in JWK format.
	Keys []jwt.JWK `json:"keys"`
}

type ProvisionTokenHandler

type ProvisionTokenHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, site reversetunnel.RemoteSite, token types.ProvisionToken) (interface{}, error)

ProvisionTokenHandler is an authenticated handler that is called for an existing provision token.

type ResourceMap

type ResourceMap map[string]*zip.File

func (ResourceMap) Open

func (rm ResourceMap) Open(name string) (http.File, error)

type SessionContext

type SessionContext struct {
	// contains filtered or unexported fields
}

SessionContext is a context associated with a user's web session. An instance of the context is created for each web session generated for the user and provides a basic client cache for remote auth server connections.

func NewSessionContext

func NewSessionContext(cfg SessionContextConfig) (*SessionContext, error)

func (*SessionContext) AddClosers

func (c *SessionContext) AddClosers(closers ...io.Closer)

AddClosers adds the specified closers to this context

func (*SessionContext) ClientTLSConfig

func (c *SessionContext) ClientTLSConfig(ctx context.Context, clusterName ...string) (*tls.Config, error)

ClientTLSConfig returns client TLS authentication associated with the web session context

func (*SessionContext) Close

func (c *SessionContext) Close() error

Close cleans up resources associated with this context and removes it from the user context

func (*SessionContext) GetAgent

GetAgent returns the agent that can be used to answer challenges for the web-to-SSH connection, as well as the certificate.

func (*SessionContext) GetClient

func (c *SessionContext) GetClient() (auth.ClientI, error)

GetClient returns the client connected to the auth server

func (*SessionContext) GetClientConnection

func (c *SessionContext) GetClientConnection() *grpc.ClientConn

GetClientConnection returns a connection to Auth Service

func (*SessionContext) GetIdentity

func (c *SessionContext) GetIdentity() (*tlsca.Identity, error)

GetIdentity returns identity parsed from the session's TLS certificate.

func (*SessionContext) GetProxyListenerMode

func (c *SessionContext) GetProxyListenerMode(ctx context.Context) (types.ProxyListenerMode, error)

GetProxyListenerMode returns the cluster proxy listener mode from the cluster networking config.

func (*SessionContext) GetSSHCertificate

func (c *SessionContext) GetSSHCertificate() (*ssh.Certificate, error)

GetSSHCertificate returns the *ssh.Certificate associated with this session.

func (*SessionContext) GetSessionID

func (c *SessionContext) GetSessionID() string

GetSessionID returns the ID of the underlying user web session.

func (*SessionContext) GetUser

func (c *SessionContext) GetUser() string

GetUser returns the authenticated Teleport user.

func (*SessionContext) GetUserAccessChecker

func (c *SessionContext) GetUserAccessChecker() (services.AccessChecker, error)

GetUserAccessChecker returns AccessChecker derived from the SSH certificate associated with this session.

func (*SessionContext) GetUserClient

func (c *SessionContext) GetUserClient(ctx context.Context, site reversetunnel.RemoteSite) (auth.ClientI, error)

GetUserClient returns an auth.ClientI with the role of the user at the requested site. If the site is local, a client with the user's local role is returned. If the site is remote, a client with the user's remote role is returned.

func (*SessionContext) GetX509Certificate

func (c *SessionContext) GetX509Certificate() (*x509.Certificate, error)

GetX509Certificate returns the *x509.Certificate associated with this session.

func (*SessionContext) Invalidate

func (c *SessionContext) Invalidate(ctx context.Context) error

Invalidate invalidates this context by removing the underlying session and closing all underlying closers.

func (*SessionContext) RemoveCloser

func (c *SessionContext) RemoveCloser(closer io.Closer)

RemoveCloser removes the specified closer from this context

func (*SessionContext) String

func (c *SessionContext) String() string

String returns the text representation of this context

type SessionContextConfig

type SessionContextConfig struct {
	// Log is used to emit logs
	Log *logrus.Entry
	// User is the name of the current user
	User string

	// RootClusterName is the name of the root cluster
	RootClusterName string

	// RootClient holds a connection to the root auth. Note that requests made using this
	// client are made with the identity of the user and are NOT cached.
	RootClient *auth.Client

	// UnsafeCachedAuthClient holds a read-only cache to root auth. Note this access
	// point cache is authenticated with the identity of the node, not of the
	// user. This is why it's prefixed with "unsafe".
	//
	// This access point should only be used if the identity of the caller will
	// not affect the result of the RPC. For example, never use it to call
	// "GetNodes".
	UnsafeCachedAuthClient auth.ReadProxyAccessPoint

	Parent *sessionCache
	// Resources is a persistent resource store this context is bound to.
	// The store maintains a list of resources between session renewals
	Resources *sessionResources
	// Session refers the web session created for the user.
	Session types.WebSession
	// contains filtered or unexported fields
}

func (*SessionContextConfig) CheckAndSetDefaults

func (c *SessionContextConfig) CheckAndSetDefaults() error

type SessionCookie

type SessionCookie struct {
	User string `json:"user"`
	SID  string `json:"sid"`
}

SessionCookie stores information about the active user and session.

func DecodeCookie

func DecodeCookie(b string) (*SessionCookie, error)

type TerminalHandler

type TerminalHandler struct {
	// contains filtered or unexported fields
}

TerminalHandler connects together an SSH session with a web-based terminal via a web socket.

func NewTerminal

func NewTerminal(ctx context.Context, cfg TerminalHandlerConfig) (*TerminalHandler, error)

NewTerminal creates a web-based terminal based on WebSockets and returns a new TerminalHandler.

func (*TerminalHandler) Close

func (t *TerminalHandler) Close() error

Close the websocket stream.

func (*TerminalHandler) ServeHTTP

func (t *TerminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP builds a connection to the remote node and then pumps back two types of events: raw input/output events for what's happening on the terminal itself and audit log events relevant to this session.

type TerminalHandlerConfig

type TerminalHandlerConfig struct {
	// Term is the initial PTY size.
	Term session.TerminalParams
	// SessionCtx is the context for the user's web session.
	SessionCtx *SessionContext
	// AuthProvider is used to fetch nodes and sessions from the backend.
	AuthProvider AuthProvider
	// DisplayLogin is the login name to display in the UI.
	DisplayLogin string
	// SessionData is the data to send to the client on the initial session creation.
	SessionData session.Session
	// KeepAliveInterval is the interval for sending ping frames to the web client.
	// This value is pulled from the cluster network config and
	// guaranteed to be set to a nonzero value as it's enforced by the configuration.
	KeepAliveInterval time.Duration
	// ProxyHostPort is the address of the server to connect to.
	ProxyHostPort string
	// InteractiveCommand is a command to execute.
	InteractiveCommand []string
	// Router determines how connections to nodes are created
	Router *proxy.Router
	// TracerProvider is used to create the tracer
	TracerProvider oteltrace.TracerProvider
	// contains filtered or unexported fields
}

TerminalHandlerConfig contains the configuration options necessary to correctly set up the TerminalHandler.

func (*TerminalHandlerConfig) CheckAndSetDefaults

func (t *TerminalHandlerConfig) CheckAndSetDefaults() error

type TerminalRequest

type TerminalRequest struct {
	// Server describes a server to connect to (serverId|hostname[:port]).
	Server string `json:"server_id"`

	// Login is the Linux username to connect as.
	Login string `json:"login"`

	// Term is the initial PTY size.
	Term session.TerminalParams `json:"term"`

	// SessionID is a Teleport session ID to join as.
	SessionID session.ID `json:"sid"`

	// ProxyHostPort is the address of the server to connect to.
	ProxyHostPort string `json:"-"`

	// InteractiveCommand is a command to execute
	InteractiveCommand []string `json:"-"`

	// KeepAliveInterval is the interval for sending ping frames to web client.
	// This value is pulled from the cluster network config and
	// guaranteed to be set to a nonzero value as it's enforced by the configuration.
	KeepAliveInterval time.Duration
}

TerminalRequest describes a request to create a web-based terminal to a remote SSH server.

type WebsocketIO

type WebsocketIO struct {
	Conn *websocket.Conn
	// contains filtered or unexported fields
}

func (*WebsocketIO) Close

func (ws *WebsocketIO) Close() error

func (*WebsocketIO) Read

func (ws *WebsocketIO) Read(p []byte) (int, error)

func (*WebsocketIO) Write

func (ws *WebsocketIO) Write(p []byte) (int, error)

Directories

Path Synopsis
Package app connects to applications over a reverse tunnel and forwards HTTP requests to them.
