teleport/lib/auth/auth.go

// package auth implements certificate signing authority and access control server
// Authority server is composed of several parts:
//
// * Authority server itself that implements signing and acl logic
// * HTTP server wrapper for authority server
// * HTTP client wrapper
//
package auth

import (
	"fmt"
	"time"

	"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/gravitational/session"
	"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/mailgun/lemma/secret"
	"github.com/gravitational/teleport/lib/backend/encryptedbk"
	"github.com/gravitational/teleport/lib/services"
)

// Authority implements minimal key-management facility for generating OpenSSH
//compatible public/private key pairs and OpenSSH certificates
type Authority interface {
	GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)

	// GenerateHostCert generates host certificate, it takes pkey as a signing
	// private key (host certificate authority)
	GenerateHostCert(pkey, key []byte, id, hostname string, ttl time.Duration) ([]byte, error)

	// GenerateHostCert generates user certificate, it takes pkey as a signing
	// private key (user certificate authority)
	GenerateUserCert(pkey, key []byte, id, username string, ttl time.Duration) ([]byte, error)
}

type Session struct {
	SID session.SecureID
	PID session.PlainID
	WS  services.WebSession
}

func NewAuthServer(bk *encryptedbk.ReplicatedBackend, a Authority, scrt secret.SecretService) *AuthServer {
	as := AuthServer{}

	as.bk = bk
	as.Authority = a
	as.scrt = scrt

	as.CAService = services.NewCAService(as.bk)
	as.LockService = services.NewLockService(as.bk)
	as.PresenceService = services.NewPresenceService(as.bk)
	as.ProvisioningService = services.NewProvisioningService(as.bk)
	as.UserService = services.NewUserService(as.bk)
	as.WebService = services.NewWebService(as.bk)
	as.BkKeysService = services.NewBkKeysService(as.bk)

	return &as
}

// AuthServer implements key signing, generation and ACL functionality
// used by teleport
type AuthServer struct {
	bk *encryptedbk.ReplicatedBackend
	Authority
	scrt secret.SecretService

	*services.CAService
	*services.LockService
	*services.PresenceService
	*services.ProvisioningService
	*services.UserService
	*services.WebService
	*services.BkKeysService
}

// UpsertUserKey takes user's public key, generates certificate for it
// and adds it to the authorized keys database. It returns certificate signed
// by user CA in case of success, error otherwise. The certificate will be
// valid for the duration of the ttl passed in.
func (s *AuthServer) UpsertUserKey(
	user string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error) {

	cert, err := s.GenerateUserCert(key.Value, key.ID, user, ttl)
	if err != nil {
		return nil, err
	}
	key.Value = cert
	if err := s.UserService.UpsertUserKey(user, key, ttl); err != nil {
		return nil, err
	}
	return cert, nil
}

// ResetHostCA generates host certificate authority and updates the backend
func (s *AuthServer) ResetHostCA(pass string) error {
	priv, pub, err := s.Authority.GenerateKeyPair(pass)
	if err != nil {
		return err
	}
	return s.CAService.UpsertHostCA(services.CA{Pub: pub, Priv: priv})
}

// ResetHostCA generates user certificate authority and updates the backend
func (s *AuthServer) ResetUserCA(pass string) error {
	priv, pub, err := s.Authority.GenerateKeyPair(pass)
	if err != nil {
		return err
	}
	return s.CAService.UpsertUserCA(services.CA{Pub: pub, Priv: priv})
}

// GenerateHostCert generates host certificate, it takes pkey as a signing
// private key (host certificate authority)
func (s *AuthServer) GenerateHostCert(
	key []byte, id, hostname string, ttl time.Duration) ([]byte, error) {

	hk, err := s.CAService.GetHostCA()
	if err != nil {
		return nil, err
	}
	return s.Authority.GenerateHostCert(hk.Priv, key, id, hostname, ttl)
}

// GenerateHostCert generates user certificate, it takes pkey as a signing
// private key (user certificate authority)
func (s *AuthServer) GenerateUserCert(
	key []byte, id, username string, ttl time.Duration) ([]byte, error) {

	hk, err := s.CAService.GetUserCA()
	if err != nil {
		return nil, err
	}
	return s.Authority.GenerateUserCert(hk.Priv, key, id, username, ttl)
}

func (s *AuthServer) SignIn(user string, password []byte) (*Session, error) {
	if err := s.CheckPasswordWOToken(user, password); err != nil {
		return nil, err
	}
	sess, err := s.NewWebSession(user)
	if err != nil {
		return nil, err
	}
	if err := s.UpsertWebSession(user, sess, WebSessionTTL); err != nil {
		return nil, err
	}
	return sess, nil
}

func (s *AuthServer) GenerateToken(fqdn string, ttl time.Duration) (string, error) {
	p, err := session.NewID(s.scrt)
	if err != nil {
		return "", err
	}
	if err := s.ProvisioningService.UpsertToken(string(p.PID), fqdn, ttl); err != nil {
		return "", err
	}
	return string(p.SID), nil
}

func (s *AuthServer) ValidateToken(token, fqdn string) error {
	pid, err := session.DecodeSID(session.SecureID(token), s.scrt)
	if err != nil {
		return err
	}
	out, err := s.ProvisioningService.GetToken(string(pid))
	if err != nil {
		return err
	}
	if out != fqdn {
		return fmt.Errorf("fqdn does not match")
	}
	return nil
}

func (s *AuthServer) DeleteToken(token string) error {
	pid, err := session.DecodeSID(session.SecureID(token), s.scrt)
	if err != nil {
		return err
	}
	return s.ProvisioningService.DeleteToken(string(pid))
}

func (s *AuthServer) NewWebSession(user string) (*Session, error) {
	p, err := session.NewID(s.scrt)
	if err != nil {
		return nil, err
	}
	priv, pub, err := s.GenerateKeyPair("")
	if err != nil {
		return nil, err
	}
	hk, err := s.CAService.GetUserCA()
	if err != nil {
		return nil, err
	}
	cert, err := s.Authority.GenerateUserCert(hk.Priv, pub, user, user, WebSessionTTL)
	if err != nil {
		return nil, err
	}
	sess := &Session{
		SID: p.SID,
		PID: p.PID,
		WS:  services.WebSession{Priv: priv, Pub: cert},
	}
	return sess, nil
}

func (s *AuthServer) UpsertWebSession(user string, sess *Session, ttl time.Duration) error {
	return s.WebService.UpsertWebSession(user, string(sess.PID), sess.WS, ttl)
}

func (s *AuthServer) GetWebSession(user string, sid session.SecureID) (*Session, error) {
	pid, err := session.DecodeSID(sid, s.scrt)
	if err != nil {
		return nil, err
	}
	ws, err := s.WebService.GetWebSession(user, string(pid))
	if err != nil {
		return nil, err
	}
	return &Session{
		SID: sid,
		PID: pid,
		WS:  *ws,
	}, nil
}

func (s *AuthServer) DeleteWebSession(user string, sid session.SecureID) error {
	pid, err := session.DecodeSID(sid, s.scrt)
	if err != nil {
		return err
	}
	return s.WebService.DeleteWebSession(user, string(pid))
}

const (
	Week          = time.Hour * 24 * 7
	WebSessionTTL = time.Hour * 10
)
Initial working prototype 2015-03-02 20:11:23 +00:00			`// package auth implements certificate signing authority and access control server`
			`// Authority server is composed of several parts:`
			`//`
			`// * Authority server itself that implements signing and acl logic`
			`// * HTTP server wrapper for authority server`
			`// * HTTP client wrapper`
			`//`
			`package auth`

			`import (`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`"fmt"`
Initial working prototype 2015-03-02 20:11:23 +00:00			`"time"`

Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/gravitational/session"`
			`"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/mailgun/lemma/secret"`
Fixed imports 2015-10-05 14:33:25 +00:00			`"github.com/gravitational/teleport/lib/backend/encryptedbk"`
More folders arrangments 2015-10-05 17:36:55 +00:00			`"github.com/gravitational/teleport/lib/services"`
Initial working prototype 2015-03-02 20:11:23 +00:00			`)`

			`// Authority implements minimal key-management facility for generating OpenSSH`
			`//compatible public/private key pairs and OpenSSH certificates`
			`type Authority interface {`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`GenerateKeyPair(passphrase string) (privKey []byte, pubKey []byte, err error)`
Initial working prototype 2015-03-02 20:11:23 +00:00
ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// GenerateHostCert generates host certificate, it takes pkey as a signing`
			`// private key (host certificate authority)`
Initial working prototype 2015-03-02 20:11:23 +00:00			`GenerateHostCert(pkey, key []byte, id, hostname string, ttl time.Duration) ([]byte, error)`

ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// GenerateHostCert generates user certificate, it takes pkey as a signing`
			`// private key (user certificate authority)`
Initial working prototype 2015-03-02 20:11:23 +00:00			`GenerateUserCert(pkey, key []byte, id, username string, ttl time.Duration) ([]byte, error)`
			`}`

Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`type Session struct {`
			`SID session.SecureID`
			`PID session.PlainID`
Moved from backend to services 2015-08-25 17:54:16 +00:00			`WS services.WebSession`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`}`

Added replicated backend, but it needs more test 2015-09-12 01:19:20 +00:00			`func NewAuthServer(bk encryptedbk.ReplicatedBackend, a Authority, scrt secret.SecretService) AuthServer {`
Moved from backend to services 2015-08-25 17:54:16 +00:00			`as := AuthServer{}`

			`as.bk = bk`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`as.Authority = a`
Moved from backend to services 2015-08-25 17:54:16 +00:00			`as.scrt = scrt`

Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`as.CAService = services.NewCAService(as.bk)`
			`as.LockService = services.NewLockService(as.bk)`
			`as.PresenceService = services.NewPresenceService(as.bk)`
			`as.ProvisioningService = services.NewProvisioningService(as.bk)`
			`as.UserService = services.NewUserService(as.bk)`
			`as.WebService = services.NewWebService(as.bk)`
Added replicated backend, but it needs more test 2015-09-12 01:19:20 +00:00			`as.BkKeysService = services.NewBkKeysService(as.bk)`
Moved from backend to services 2015-08-25 17:54:16 +00:00
			`return &as`
Initial working prototype 2015-03-02 20:11:23 +00:00			`}`

ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// AuthServer implements key signing, generation and ACL functionality`
			`// used by teleport`
Initial working prototype 2015-03-02 20:11:23 +00:00			`type AuthServer struct {`
Added replicated backend, but it needs more test 2015-09-12 01:19:20 +00:00			`bk *encryptedbk.ReplicatedBackend`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`Authority`
Updated mailgun/lemma/secret and gravitational/session 2015-09-06 14:54:34 +00:00			`scrt secret.SecretService`
Moved from backend to services 2015-08-25 17:54:16 +00:00
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`*services.CAService`
			`*services.LockService`
			`*services.PresenceService`
			`*services.ProvisioningService`
			`*services.UserService`
			`*services.WebService`
Added replicated backend, but it needs more test 2015-09-12 01:19:20 +00:00			`*services.BkKeysService`
Initial working prototype 2015-03-02 20:11:23 +00:00			`}`

			`// UpsertUserKey takes user's public key, generates certificate for it`
ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// and adds it to the authorized keys database. It returns certificate signed`
			`// by user CA in case of success, error otherwise. The certificate will be`
			`// valid for the duration of the ttl passed in.`
			`func (s *AuthServer) UpsertUserKey(`
Moved from backend to services 2015-08-25 17:54:16 +00:00			`user string, key services.AuthorizedKey, ttl time.Duration) ([]byte, error) {`
ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00
Initial working prototype 2015-03-02 20:11:23 +00:00			`cert, err := s.GenerateUserCert(key.Value, key.ID, user, ttl)`
			`if err != nil {`
			`return nil, err`
			`}`
			`key.Value = cert`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`if err := s.UserService.UpsertUserKey(user, key, ttl); err != nil {`
Initial working prototype 2015-03-02 20:11:23 +00:00			`return nil, err`
			`}`
			`return cert, nil`
			`}`

			`// ResetHostCA generates host certificate authority and updates the backend`
			`func (s *AuthServer) ResetHostCA(pass string) error {`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`priv, pub, err := s.Authority.GenerateKeyPair(pass)`
Initial working prototype 2015-03-02 20:11:23 +00:00			`if err != nil {`
			`return err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.CAService.UpsertHostCA(services.CA{Pub: pub, Priv: priv})`
Initial working prototype 2015-03-02 20:11:23 +00:00			`}`

			`// ResetHostCA generates user certificate authority and updates the backend`
			`func (s *AuthServer) ResetUserCA(pass string) error {`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`priv, pub, err := s.Authority.GenerateKeyPair(pass)`
Initial working prototype 2015-03-02 20:11:23 +00:00			`if err != nil {`
			`return err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.CAService.UpsertUserCA(services.CA{Pub: pub, Priv: priv})`
Initial working prototype 2015-03-02 20:11:23 +00:00			`}`

ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// GenerateHostCert generates host certificate, it takes pkey as a signing`
			`// private key (host certificate authority)`
			`func (s *AuthServer) GenerateHostCert(`
			`key []byte, id, hostname string, ttl time.Duration) ([]byte, error) {`

Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`hk, err := s.CAService.GetHostCA()`
Initial working prototype 2015-03-02 20:11:23 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.Authority.GenerateHostCert(hk.Priv, key, id, hostname, ttl)`
Initial working prototype 2015-03-02 20:11:23 +00:00			`}`

ship audit logs to auth server via SSH endpoint 2015-05-12 00:04:22 +00:00			`// GenerateHostCert generates user certificate, it takes pkey as a signing`
			`// private key (user certificate authority)`
			`func (s *AuthServer) GenerateUserCert(`
			`key []byte, id, username string, ttl time.Duration) ([]byte, error) {`

Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`hk, err := s.CAService.GetUserCA()`
Initial working prototype 2015-03-02 20:11:23 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.Authority.GenerateUserCert(hk.Priv, key, id, username, ttl)`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`}`

Added 2 factor hotp authentication, everyting works 2015-10-23 20:34:09 +00:00			`func (s AuthServer) SignIn(user string, password []byte) (Session, error) {`
			`if err := s.CheckPasswordWOToken(user, password); err != nil {`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`return nil, err`
			`}`
			`sess, err := s.NewWebSession(user)`
			`if err != nil {`
			`return nil, err`
			`}`
Added time limits for certificates 2015-10-27 23:30:16 +00:00			`if err := s.UpsertWebSession(user, sess, WebSessionTTL); err != nil {`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`return nil, err`
			`}`
			`return sess, nil`
			`}`

Provisioning and clear role separation Distinct roles separation: * Stateful auth server, it is stateful and exposes SSH authentication endpoint to the cluster * Stateless ssh node, it connects to the auth server to authenticate access requests * Stateless cp node, it provides web portal to access the cluster and update users keys Provisioning: * Auth server automatically sets itself up on the first start, no need to explicitly set encryption keys and authority certs * SSH node connects to the Auth server to provision host private keys and sertificates using special SSH provisioning key issued by the auth server 2015-05-07 03:10:44 +00:00			`func (s *AuthServer) GenerateToken(fqdn string, ttl time.Duration) (string, error) {`
			`p, err := session.NewID(s.scrt)`
			`if err != nil {`
			`return "", err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`if err := s.ProvisioningService.UpsertToken(string(p.PID), fqdn, ttl); err != nil {`
Provisioning and clear role separation Distinct roles separation: * Stateful auth server, it is stateful and exposes SSH authentication endpoint to the cluster * Stateless ssh node, it connects to the auth server to authenticate access requests * Stateless cp node, it provides web portal to access the cluster and update users keys Provisioning: * Auth server automatically sets itself up on the first start, no need to explicitly set encryption keys and authority certs * SSH node connects to the Auth server to provision host private keys and sertificates using special SSH provisioning key issued by the auth server 2015-05-07 03:10:44 +00:00			`return "", err`
			`}`
			`return string(p.SID), nil`
			`}`

			`func (s *AuthServer) ValidateToken(token, fqdn string) error {`
			`pid, err := session.DecodeSID(session.SecureID(token), s.scrt)`
			`if err != nil {`
			`return err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`out, err := s.ProvisioningService.GetToken(string(pid))`
Provisioning and clear role separation Distinct roles separation: * Stateful auth server, it is stateful and exposes SSH authentication endpoint to the cluster * Stateless ssh node, it connects to the auth server to authenticate access requests * Stateless cp node, it provides web portal to access the cluster and update users keys Provisioning: * Auth server automatically sets itself up on the first start, no need to explicitly set encryption keys and authority certs * SSH node connects to the Auth server to provision host private keys and sertificates using special SSH provisioning key issued by the auth server 2015-05-07 03:10:44 +00:00			`if err != nil {`
			`return err`
			`}`
			`if out != fqdn {`
			`return fmt.Errorf("fqdn does not match")`
			`}`
			`return nil`
			`}`

			`func (s *AuthServer) DeleteToken(token string) error {`
			`pid, err := session.DecodeSID(session.SecureID(token), s.scrt)`
			`if err != nil {`
			`return err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.ProvisioningService.DeleteToken(string(pid))`
Provisioning and clear role separation Distinct roles separation: * Stateful auth server, it is stateful and exposes SSH authentication endpoint to the cluster * Stateless ssh node, it connects to the auth server to authenticate access requests * Stateless cp node, it provides web portal to access the cluster and update users keys Provisioning: * Auth server automatically sets itself up on the first start, no need to explicitly set encryption keys and authority certs * SSH node connects to the Auth server to provision host private keys and sertificates using special SSH provisioning key issued by the auth server 2015-05-07 03:10:44 +00:00			`}`

Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`func (s AuthServer) NewWebSession(user string) (Session, error) {`
			`p, err := session.NewID(s.scrt)`
			`if err != nil {`
			`return nil, err`
			`}`
			`priv, pub, err := s.GenerateKeyPair("")`
			`if err != nil {`
			`return nil, err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`hk, err := s.CAService.GetUserCA()`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Added time limits for certificates 2015-10-27 23:30:16 +00:00			`cert, err := s.Authority.GenerateUserCert(hk.Priv, pub, user, user, WebSessionTTL)`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`sess := &Session{`
			`SID: p.SID,`
			`PID: p.PID,`
Moved from backend to services 2015-08-25 17:54:16 +00:00			`WS: services.WebSession{Priv: priv, Pub: cert},`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`}`
			`return sess, nil`
			`}`

			`func (s AuthServer) UpsertWebSession(user string, sess Session, ttl time.Duration) error {`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.WebService.UpsertWebSession(user, string(sess.PID), sess.WS, ttl)`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`}`

			`func (s AuthServer) GetWebSession(user string, sid session.SecureID) (Session, error) {`
			`pid, err := session.DecodeSID(sid, s.scrt)`
			`if err != nil {`
			`return nil, err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`ws, err := s.WebService.GetWebSession(user, string(pid))`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return &Session{`
			`SID: sid,`
			`PID: pid,`
			`WS: *ws,`
			`}, nil`
			`}`

			`func (s *AuthServer) DeleteWebSession(user string, sid session.SecureID) error {`
			`pid, err := session.DecodeSID(sid, s.scrt)`
			`if err != nil {`
			`return err`
			`}`
Modified AuthServer: removed one-line functions, some functions moved to services 2015-08-27 14:39:33 +00:00			`return s.WebService.DeleteWebSession(user, string(pid))`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`}`

			`const (`
Added time limits for certificates 2015-10-27 23:30:16 +00:00			`Week = time.Hour * 24 * 7`
			`WebSessionTTL = time.Hour * 10`
Implement web proxying, and web SSH console proof of concept 2015-03-19 04:13:56 +00:00			`)`