web

package
v3.2.17
Warning

This package is not in the latest version of its module.

Published: Feb 4, 2021 License: Apache-2.0 Imports: 55 Imported by: 0

Documentation

Overview

Package web implements the web proxy handler that provides a web interface to view and connect to Teleport nodes.

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClearSession

func ClearSession(w http.ResponseWriter) error

func ConstructSSHResponse

func ConstructSSHResponse(response AuthParams) (*url.URL, error)

ConstructSSHResponse creates a special SSH response for SSH login method that encodes everything using the client's secret key

func CreateSignupLink

func CreateSignupLink(client auth.ClientI, token string) (string, string)

CreateSignupLink generates and returns a URL that is given to a new user to complete registration with Teleport via the Web UI.

func EncodeCookie

func EncodeCookie(user, sid string) (string, error)

func NewStaticFileSystem

func NewStaticFileSystem(debugMode bool) (http.FileSystem, error)

NewStaticFileSystem returns an initialized http.FileSystem that can be used to serve the Teleport Proxy Web UI.

If 'debugMode' is true, it loads the web assets from the git repository directory the executable lives in; otherwise it loads them from the embedded zip archive.

func SetPlugin

func SetPlugin(p Plugin)

SetPlugin sets plugin for the web handler

func SetSession

func SetSession(w http.ResponseWriter, user, sid string) error

Types

type AuthParams

type AuthParams struct {
	// Username is authenticated teleport username
	Username string
	// Identity contains validated OIDC identity
	Identity services.ExternalIdentity
	// Web session will be generated by auth server if requested in OIDCAuthRequest
	Session services.WebSession
	// Cert will be generated by certificate authority
	Cert []byte
	// TLSCert is PEM encoded TLS certificate
	TLSCert []byte
	// HostSigners is a list of signing host public keys
	// trusted by proxy, used in console login
	HostSigners []services.CertAuthority
	// ClientRedirectURL is a URL to redirect client to
	ClientRedirectURL string
}

AuthParams are used to construct the redirect URL, containing auth information, that is sent back to tsh login.
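The redirect that ConstructSSHResponse builds from AuthParams, worked through as an added example in Go. This is not code from the Teleport project: the query parameter names (secret, response), the 32-byte key, the AES-256-GCM sealing and the JSON field names are this example's assumptions standing in for whatever the real implementation uses. What it demonstrates is the property the doc comment states: the login response is sealed with a key that only the client (tsh) holds, and that key is removed from the URL before the redirect is issued, so the browser, any intermediary and the proxy's own access logs see only ciphertext. The client side is included so the round trip and the failure on a wrong key can be checked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// AuthParams is the subset of the page's struct used here; ClientRedirectURL is tsh's local
// callback URL carrying its one-time secret and is never serialised into the response.
type AuthParams struct {
	Username          string `json:"username"`
	Cert              []byte `json:"cert"`
	TLSCert           []byte `json:"tls_cert"`
	ClientRedirectURL string `json:"-"`
}

const secretParam, responseParam = "secret", "response" // assumed query parameter names

// aeadFor returns AES-256-GCM for key; the cipher is this example's choice, not the project's.
func aeadFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("secret must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ConstructSSHResponse seals the login response with the client's secret, strips the secret
// from the URL so the redirect never echoes the key, and attaches the sealed blob.
func ConstructSSHResponse(p AuthParams) (*url.URL, error) {
	u, err := url.Parse(p.ClientRedirectURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	key, err := base64.RawURLEncoding.DecodeString(q.Get(secretParam))
	if err != nil {
		return nil, fmt.Errorf("client redirect URL carries no usable secret: %v", err)
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	q.Del(secretParam)
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	q.Set(responseParam, base64.RawURLEncoding.EncodeToString(sealed))
	u.RawQuery = q.Encode()
	return u, nil
}

// DecodeSSHResponse is tsh's side: open the blob with the key it generated for this login.
// A wrong key or any tampering with the URL fails GCM authentication.
func DecodeSSHResponse(key []byte, u *url.URL) (*AuthParams, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(u.Query().Get(responseParam))
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed response too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var r AuthParams
	return &r, json.Unmarshal(plain, &r)
}

func main() {
	key := make([]byte, 32) // tsh generates a fresh key per login
	rand.Read(key)
	cb := "http://127.0.0.1:3001/callback?" + secretParam + "=" + base64.RawURLEncoding.EncodeToString(key)
	u, err := ConstructSSHResponse(AuthParams{Username: "alice", Cert: []byte("ssh-cert"), ClientRedirectURL: cb})
	if err != nil {
		panic(err)
	}
	r, err := DecodeSSHResponse(key, u)
	fmt.Println(u.Query().Get(secretParam) == "", r.Username, err)
}
```

The check worth keeping from this example is the q.Del before the response is attached: a redirect that still carried the secret would hand the decryption key to anything that can read the URL.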

type AuthProvider

type AuthProvider interface {
	GetNodes(namespace string, opts ...services.MarshalOption) ([]services.Server, error)
	GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]events.EventFields, error)
}

AuthProvider is a subset of the full Auth API.

type ClusterHandler

type ClusterHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext, site reversetunnel.RemoteSite) (interface{}, error)

ClusterHandler is an authenticated handler that is called for an existing remote cluster.

type Config

type Config struct {
	// Proxy is a reverse tunnel proxy that handles connections
	// to various sites
	Proxy reversetunnel.Server
	// AuthServers is a list of auth servers this proxy talks to
	AuthServers utils.NetAddr
	// DomainName is a domain name served by web handler
	DomainName string
	// ProxyClient is a client that authenticated as proxy
	ProxyClient auth.ClientI
	// DisableUI allows to turn off serving web based UI
	DisableUI bool
	// ProxySSHAddr points to the SSH address of the proxy
	ProxySSHAddr utils.NetAddr
	// ProxyWebAddr points to the web (HTTPS) address of the proxy
	ProxyWebAddr utils.NetAddr

	// CipherSuites is the list of cipher suites Teleport supports.
	CipherSuites []uint16

	// ProxySettings are the settings communicated to the proxy
	ProxySettings client.ProxySettings
}

Config represents web handler configuration parameters

type ContextHandler

type ContextHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext) (interface{}, error)

ContextHandler is a handler called with the auth context, which means the request is authenticated and ready to work.

type CreateSessionResponse

type CreateSessionResponse struct {
	// Type is token type (bearer)
	Type string `json:"type"`
	// Token value
	Token string `json:"token"`
	// ExpiresIn sets seconds before this token is not valid
	ExpiresIn int `json:"expires_in"`
}

CreateSessionResponse returns OAuth-compatible data about the access token: https://tools.ietf.org/html/rfc6749

func NewSessionResponse

func NewSessionResponse(ctx *SessionContext) (*CreateSessionResponse, error)

type Envelope

type Envelope struct {
	// Version is the version of the protocol.
	Version string `protobuf:"bytes,1,opt,name=Version" json:"Version,omitempty"`
	// Type is the type of message. For version 1 of the protocol this must
	// not be longer than 1 character.
	Type string `protobuf:"bytes,2,opt,name=Type" json:"Type,omitempty"`
	// Payload is the actual data to send.
	Payload              string   `protobuf:"bytes,3,opt,name=Payload" json:"Payload,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Envelope is used to wrap messages sent and received between the web client and the proxy.

func (*Envelope) Descriptor

func (*Envelope) Descriptor() ([]byte, []int)

func (*Envelope) GetPayload

func (m *Envelope) GetPayload() string

func (*Envelope) GetType

func (m *Envelope) GetType() string

func (*Envelope) GetVersion

func (m *Envelope) GetVersion() string

func (*Envelope) ProtoMessage

func (*Envelope) ProtoMessage()

func (*Envelope) Reset

func (m *Envelope) Reset()

func (*Envelope) String

func (m *Envelope) String() string

func (*Envelope) XXX_DiscardUnknown

func (m *Envelope) XXX_DiscardUnknown()

func (*Envelope) XXX_Marshal

func (m *Envelope) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Envelope) XXX_Merge

func (dst *Envelope) XXX_Merge(src proto.Message)

func (*Envelope) XXX_Size

func (m *Envelope) XXX_Size() int

func (*Envelope) XXX_Unmarshal

func (m *Envelope) XXX_Unmarshal(b []byte) error
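An added example (not the project's code) of the framing Envelope describes, using the struct's JSON tags as the wire format so it runs without protobuf-generated code. The version string, the one-character type codes r and a, and the 64 KiB frame cap are this example's assumptions; the constraint that a version-1 Type is no longer than one character comes from the struct comment above. It shows the order a proxy should apply to a frame from a browser: bound its size, parse it, validate the envelope, and only then route the payload to the PTY or the audit stream.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope mirrors the page's struct; the JSON tags are the wire format used here.
type Envelope struct {
	Version string `json:"Version,omitempty"`
	Type    string `json:"Type,omitempty"`
	Payload string `json:"Payload,omitempty"`
}

// Protocol constants assumed for this example: one version, two one-character types.
const (
	protoVersion  = "1"
	typeRaw       = "r"       // raw terminal input/output
	typeAudit     = "a"       // audit log event for this session
	maxFrameBytes = 64 * 1024 // assumed cap on a single websocket frame
)

// Validate enforces what the page states: a known version, and for version 1 a Type
// no longer than one character (and not empty, since an empty type routes nowhere).
func (e *Envelope) Validate() error {
	if e.Version != protoVersion {
		return fmt.Errorf("unsupported envelope version %q", e.Version)
	}
	if e.Type == "" || len(e.Type) > 1 {
		return fmt.Errorf("version 1 type must be exactly one character, got %q", e.Type)
	}
	return nil
}

// Encode builds a version-1 frame, refusing to emit one the peer would reject.
func Encode(typ, payload string) ([]byte, error) {
	e := &Envelope{Version: protoVersion, Type: typ, Payload: payload}
	if err := e.Validate(); err != nil {
		return nil, err
	}
	b, err := json.Marshal(e)
	if err != nil {
		return nil, err
	}
	if len(b) > maxFrameBytes {
		return nil, errors.New("frame too large")
	}
	return b, nil
}

// Decode parses a frame from the peer, bounding its size and validating it before any
// handler sees the payload.
func Decode(frame []byte) (*Envelope, error) {
	if len(frame) > maxFrameBytes {
		return nil, errors.New("frame too large")
	}
	var e Envelope
	if err := json.Unmarshal(frame, &e); err != nil {
		return nil, err
	}
	if err := e.Validate(); err != nil {
		return nil, err
	}
	return &e, nil
}

// Dispatch routes a decoded frame: raw bytes go to the PTY, audit events to the event
// stream; a type Validate accepted but nobody handles is still an error.
func Dispatch(e *Envelope, pty, audit func(string)) error {
	switch e.Type {
	case typeRaw:
		pty(e.Payload)
	case typeAudit:
		audit(e.Payload)
	default:
		return fmt.Errorf("unhandled message type %q", e.Type)
	}
	return nil
}

func main() {
	frame, _ := Encode(typeRaw, "ls -la\r\n")
	e, err := Decode(frame)
	if err != nil {
		panic(err)
	}
	_ = Dispatch(e, func(s string) { fmt.Printf("pty <- %q\n", s) }, func(s string) { fmt.Println("audit:", s) })
	_, err = Decode([]byte(`{"Version":"1","Type":"ab","Payload":""}`))
	fmt.Println(err)
}
```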

type Handler

type Handler struct {
	sync.Mutex
	httprouter.Router
	// contains filtered or unexported fields
}

Handler is HTTP web proxy handler

func (*Handler) AuthenticateRequest

func (h *Handler) AuthenticateRequest(w http.ResponseWriter, r *http.Request, checkBearerToken bool) (*SessionContext, error)

AuthenticateRequest authenticates request using combination of a session cookie and bearer token

func (*Handler) Close

func (h *Handler) Close() error

Close closes associated session cache operations

func (*Handler) GetProxyClient

func (h *Handler) GetProxyClient() auth.ClientI

GetProxyClient returns authenticated auth server client

func (*Handler) ProxyHostPort

func (h *Handler) ProxyHostPort() string

ProxyHostPort returns the address of the proxy server using --proxy notation, i.e. "localhost:8030,8023"

func (*Handler) String

func (h *Handler) String() string

func (*Handler) WithAuth

func (h *Handler) WithAuth(fn ContextHandler) httprouter.Handle

WithAuth ensures that request is authenticated

func (*Handler) WithClusterAuth

func (h *Handler) WithClusterAuth(fn ClusterHandler) httprouter.Handle

WithClusterAuth ensures that request is authenticated and is issued for existing cluster

type HandlerOption

type HandlerOption func(h *Handler) error

HandlerOption is a functional argument - an option that can be passed to NewHandler function

func SetSessionStreamPollPeriod

func SetSessionStreamPollPeriod(period time.Duration) HandlerOption

SetSessionStreamPollPeriod sets polling period for session streams

type Plugin

type Plugin interface {
	// AddHandlers adds handlers to the web API handler
	AddHandlers(h *Handler)
}

Plugin is an API server extension; if set, it adds handler methods during web handler initialization.

func GetPlugin

func GetPlugin() Plugin

GetPlugin returns web API plugin that

type ResourceMap

type ResourceMap map[string]*zip.File

func (ResourceMap) Open

func (rm ResourceMap) Open(name string) (http.File, error)

type RewritingHandler

type RewritingHandler struct {
	http.Handler
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(cfg Config, opts ...HandlerOption) (*RewritingHandler, error)

NewHandler returns a new instance of web proxy handler

func (*RewritingHandler) Close

func (r *RewritingHandler) Close() error

func (*RewritingHandler) GetHandler

func (r *RewritingHandler) GetHandler() *Handler

type SessionContext

type SessionContext struct {
	sync.Mutex
	*log.Entry
	// contains filtered or unexported fields
}

SessionContext is the context associated with a user's web session. It stores a connected client that persists between requests, for example to avoid reconnecting to the auth server on every page hit.

func (*SessionContext) AddClosers

func (c *SessionContext) AddClosers(closers ...io.Closer)

func (*SessionContext) ClientTLSConfig

func (c *SessionContext) ClientTLSConfig(clusterName ...string) (*tls.Config, error)

ClientTLSConfig returns client TLS authentication associated with the web session context

func (*SessionContext) Close

func (c *SessionContext) Close() error

Close cleans up connections associated with requests

func (*SessionContext) ExtendWebSession

func (c *SessionContext) ExtendWebSession() (services.WebSession, error)

ExtendWebSession creates a new web session for this user based on the previous session

func (*SessionContext) GetAgent

func (c *SessionContext) GetAgent() (agent.Agent, *ssh.Certificate, error)

GetAgent returns an agent that can be used to answer challenges for the web-to-SSH connection, together with the certificate.

func (*SessionContext) GetCertificates added in v3.1.10

func (c *SessionContext) GetCertificates() (*ssh.Certificate, *x509.Certificate, error)

GetCertificates returns the *ssh.Certificate and *x509.Certificate associated with this session.

func (*SessionContext) GetClient

func (c *SessionContext) GetClient() (auth.ClientI, error)

GetClient returns the client connected to the auth server

func (*SessionContext) GetUser

func (c *SessionContext) GetUser() string

GetUser returns the authenticated teleport user

func (*SessionContext) GetUserClient

func (c *SessionContext) GetUserClient(site reversetunnel.RemoteSite) (auth.ClientI, error)

GetUserClient returns an auth.ClientI with the role of the user at the requested site. If the site is local, a client with the user's local role is returned; if the site is remote, a client with the user's remote role is returned.

func (*SessionContext) GetWebSession

func (c *SessionContext) GetWebSession() services.WebSession

GetWebSession returns a web session

func (*SessionContext) Invalidate

func (c *SessionContext) Invalidate() error

func (*SessionContext) RemoveCloser

func (c *SessionContext) RemoveCloser(closer io.Closer)

func (*SessionContext) TransferClosers

func (c *SessionContext) TransferClosers() []io.Closer

type SessionCookie

type SessionCookie struct {
	User string `json:"user"`
	SID  string `json:"sid"`
}

SessionCookie stores information about active user and session

func DecodeCookie

func DecodeCookie(b string) (*SessionCookie, error)
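The cookie and bearer-token scheme that SessionCookie, EncodeCookie/DecodeCookie, SetSession/ClearSession and Handler.AuthenticateRequest describe, as one added example in Go. It is not the project's implementation: the cookie name session, the hex-wrapped JSON encoding, the in-memory session store and the request path are assumptions. It shows why the two factors are checked together: the cookie identifies the session but is attached automatically by the browser, so state-changing API calls must also present the session's bearer token (the one CreateSessionResponse hands to the client), which a cross-site request cannot supply. The token comparison is constant-time and the session's expiry is enforced on every request.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

const sessionCookieName = "session" // assumed; the page does not name the cookie

// SessionCookie mirrors the page's type: the user and web session ID the cookie carries.
type SessionCookie struct {
	User string `json:"user"`
	SID  string `json:"sid"`
}

// EncodeCookie serialises the cookie as hex-encoded JSON (an assumed encoding).
func EncodeCookie(user, sid string) (string, error) {
	b, err := json.Marshal(SessionCookie{User: user, SID: sid})
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// DecodeCookie reverses EncodeCookie; anything that is not hex-wrapped JSON is rejected.
func DecodeCookie(s string) (*SessionCookie, error) {
	b, err := hex.DecodeString(s)
	if err != nil {
		return nil, err
	}
	var c SessionCookie
	if err := json.Unmarshal(b, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// SetSession writes the cookie with the attributes a session cookie must carry: Secure
// (HTTPS only), HttpOnly (no script access) and SameSite. ClearSession is the same call
// with an empty Value and MaxAge: -1.
func SetSession(w http.ResponseWriter, user, sid string) error {
	v, err := EncodeCookie(user, sid)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{Name: sessionCookieName, Value: v, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
	return nil
}

// webSession stands in for services.WebSession; sessionStore for the proxy's session cache.
type webSession struct {
	User, BearerToken string
	Expires           time.Time
}
type sessionStore map[string]webSession

// AuthenticateRequest combines the two factors the page describes: the cookie selects the
// session, and when checkBearerToken is set (API calls, as opposed to page loads) the
// Authorization header must carry that session's bearer token, compared in constant time.
func (s sessionStore) AuthenticateRequest(r *http.Request, checkBearerToken bool, now time.Time) (*SessionCookie, error) {
	ck, err := r.Cookie(sessionCookieName)
	if err != nil {
		return nil, errors.New("missing session cookie")
	}
	c, err := DecodeCookie(ck.Value)
	if err != nil {
		return nil, err
	}
	sess, ok := s[c.SID]
	if !ok || sess.User != c.User {
		return nil, errors.New("unknown session")
	}
	if !now.Before(sess.Expires) {
		return nil, errors.New("session expired")
	}
	want := []byte("Bearer " + sess.BearerToken)
	if checkBearerToken && subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
		return nil, errors.New("bearer token mismatch")
	}
	return c, nil
}

func main() {
	now := time.Now()
	store := sessionStore{"sid-1": {User: "alice", BearerToken: "bearer-1", Expires: now.Add(time.Hour)}}
	req, _ := http.NewRequest("POST", "https://proxy.example.com/v1/webapi/sessions/renew", nil)
	v, _ := EncodeCookie("alice", "sid-1")
	req.AddCookie(&http.Cookie{Name: sessionCookieName, Value: v})
	req.Header.Set("Authorization", "Bearer bearer-1")
	c, err := store.AuthenticateRequest(req, true, now)
	fmt.Println(c.User, err)
}
```

The user field in the cookie is compared against the session record rather than trusted on its own: the cookie is client-held data, so the server-side session is the source of truth and the cookie only names it.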

type TerminalHandler

type TerminalHandler struct {
	// contains filtered or unexported fields
}

TerminalHandler connects together an SSH session with a web-based terminal via a web socket.

func NewTerminal

func NewTerminal(req TerminalRequest, authProvider AuthProvider, ctx *SessionContext) (*TerminalHandler, error)

NewTerminal creates a web-based terminal based on WebSockets and returns a new TerminalHandler.

func (*TerminalHandler) Close

func (t *TerminalHandler) Close() error

Close the websocket stream.

func (*TerminalHandler) Serve

Serve builds a connection to the remote node and then pumps back two types of events: raw input/output events for what is happening on the terminal itself, and audit log events relevant to this session.

type TerminalRequest

type TerminalRequest struct {
	// Server describes a server to connect to (serverId|hostname[:port]).
	Server string `json:"server_id"`

	// Login is Linux username to connect as.
	Login string `json:"login"`

	// Term is the initial PTY size.
	Term session.TerminalParams `json:"term"`

	// SessionID is a Teleport session ID to join as.
	SessionID session.ID `json:"sid"`

	// Namespace is node namespace.
	Namespace string `json:"namespace"`

	// ProxyHostPort is the address of the server to connect to.
	ProxyHostPort string `json:"-"`

	// Cluster is the name of the remote cluster to connect to.
	Cluster string `json:"-"`

	// InteractiveCommand is a command to execute.
	InteractiveCommand []string `json:"-"`
}

TerminalRequest describes a request to create a web-based terminal to a remote SSH server.
