self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-22 02:03:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

some interface adjustments

Browse source
This commit is contained in:
klizhentas 2016-04-10 13:29:32 -07:00
parent 7931b6bd95
commit e1808b8579
7 changed files with 132 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
lib/auth/apiserver.go
View file

@ -295,7 +295,14 @@ func (s *APIServer) createWebSession(w http.ResponseWriter, r *http.Request, p h
return nil, trace.Wrap(err)
}
user := p[0].Value
sess, err := s.a.CreateWebSession(user, req.PrevSessionID)
if req.PrevSessionID != "" {
sess, err := s.a.ExtendWebSession(user, req.PrevSessionID)
if err != nil {
return nil, trace.Wrap(err)
}
return sess, nil
}
sess, err := s.a.CreateWebSession(user)
if err != nil {
return nil, trace.Wrap(err)
}

18
lib/auth/auth.go
View file

@ -224,9 +224,9 @@ func (s *AuthServer) SignIn(user string, password []byte) (*Session, error) {
return sess, nil
}
// CreateWebSession creates a new web session for a user based on a valid previous sessionID,
// ExtendWebSession creates a new web session for a user based on a valid previous sessionID,
// method is used to renew the web session for a user
func (s *AuthServer) CreateWebSession(user string, prevSessionID string) (*Session, error) {
func (s *AuthServer) ExtendWebSession(user string, prevSessionID string) (*Session, error) {
prevSession, err := s.GetWebSession(user, prevSessionID)
if err != nil {
return nil, trace.Wrap(err)
@ -253,6 +253,20 @@ func (s *AuthServer) CreateWebSession(user string, prevSessionID string) (*Sessi
return sess, nil
}
// CreateWebSession creates a new web session for user without any
// checks, is used by admins
func (s *AuthServer) CreateWebSession(user string) (*Session, error) {
sess, err := s.NewWebSession(user)
if err != nil {
return nil, trace.Wrap(err)
}
if err := s.UpsertWebSession(user, sess, WebSessionTTL); err != nil {
return nil, trace.Wrap(err)
}
sess.WS.Priv = nil
return sess, nil
}
func (s *AuthServer) GenerateToken(role teleport.Role, ttl time.Duration) (string, error) {
if err := role.Check(); err != nil {
return "", trace.Wrap(err)

168
lib/auth/auth_with_roles.go
View file

@ -56,45 +56,42 @@ func NewAuthWithRoles(authServer *AuthServer, permChecker PermissionChecker,
func (a *AuthWithRoles) GetSessions() ([]session.Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetSessions); err != nil {
return nil, trace.Wrap(err)
} else {
return a.sessions.GetSessions()
}
return a.sessions.GetSessions()
}
func (a *AuthWithRoles) GetSession(id session.ID) (*session.Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetSession); err != nil {
return nil, trace.Wrap(err)
} else {
return a.sessions.GetSession(id)
}
return a.sessions.GetSession(id)
}
func (a *AuthWithRoles) CreateSession(s session.Session) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertSession); err != nil {
return trace.Wrap(err)
} else {
return a.sessions.CreateSession(s)
}
return a.sessions.CreateSession(s)
}
func (a *AuthWithRoles) UpdateSession(req session.UpdateRequest) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertSession); err != nil {
return trace.Wrap(err)
} else {
return a.sessions.UpdateSession(req)
}
return a.sessions.UpdateSession(req)
}
func (a *AuthWithRoles) UpsertParty(id session.ID, p session.Party, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertParty); err != nil {
return trace.Wrap(err)
} else {
return a.sessions.UpsertParty(id, p, ttl)
}
return a.sessions.UpsertParty(id, p, ttl)
}
func (a *AuthWithRoles) UpsertCertAuthority(ca services.CertAuthority, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertCertAuthority); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertCertAuthority(ca, ttl)
}
return a.authServer.UpsertCertAuthority(ca, ttl)
}
func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKeys bool) ([]*services.CertAuthority, error) {
if loadKeys {
@ -112,220 +109,217 @@ func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKey
func (a *AuthWithRoles) GetLocalDomain() (string, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetLocalDomain); err != nil {
return "", trace.Wrap(err)
} else {
return a.authServer.GetLocalDomain()
}
return a.authServer.GetLocalDomain()
}
func (a *AuthWithRoles) DeleteCertAuthority(id services.CertAuthID) error {
if err := a.permChecker.HasPermission(a.role, ActionDeleteCertAuthority); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.DeleteCertAuthority(id)
}
return a.authServer.DeleteCertAuthority(id)
}
func (a *AuthWithRoles) GenerateToken(role teleport.Role, ttl time.Duration) (string, error) {
if err := a.permChecker.HasPermission(a.role, ActionGenerateToken); err != nil {
return "", trace.Wrap(err)
} else {
return a.authServer.GenerateToken(role, ttl)
}
return a.authServer.GenerateToken(role, ttl)
}
func (a *AuthWithRoles) RegisterUsingToken(token, hostID string, role teleport.Role) (*PackedKeys, error) {
if err := a.permChecker.HasPermission(a.role, ActionRegisterUsingToken); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.RegisterUsingToken(token, hostID, role)
}
return a.authServer.RegisterUsingToken(token, hostID, role)
}
func (a *AuthWithRoles) RegisterNewAuthServer(token string) error {
if err := a.permChecker.HasPermission(a.role, ActionRegisterNewAuthServer); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.RegisterNewAuthServer(token)
}
return a.authServer.RegisterNewAuthServer(token)
}
func (a *AuthWithRoles) Log(id lunk.EventID, e lunk.Event) {
if err := a.permChecker.HasPermission(a.role, ActionLog); err != nil {
return
} else {
a.elog.Log(id, e)
}
a.elog.Log(id, e)
}
func (a *AuthWithRoles) LogEntry(en lunk.Entry) error {
if err := a.permChecker.HasPermission(a.role, ActionLogEntry); err != nil {
return trace.Wrap(err)
} else {
return a.elog.LogEntry(en)
}
return a.elog.LogEntry(en)
}
func (a *AuthWithRoles) GetEvents(filter events.Filter) ([]lunk.Entry, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetEvents); err != nil {
return nil, trace.Wrap(err)
} else {
return a.elog.GetEvents(filter)
}
return a.elog.GetEvents(filter)
}
func (a *AuthWithRoles) LogSession(sess session.Session) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertSession); err != nil {
return trace.Wrap(err)
} else {
return a.elog.LogSession(sess)
}
return a.elog.LogSession(sess)
}
func (a *AuthWithRoles) GetSessionEvents(filter events.Filter) ([]session.Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetSessions); err != nil {
return nil, trace.Wrap(err)
} else {
return a.elog.GetSessionEvents(filter)
}
return a.elog.GetSessionEvents(filter)
}
func (a *AuthWithRoles) GetChunkWriter(id string) (recorder.ChunkWriteCloser, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetChunkWriter); err != nil {
return nil, trace.Wrap(err)
} else {
return a.recorder.GetChunkWriter(id)
}
return a.recorder.GetChunkWriter(id)
}
func (a *AuthWithRoles) GetChunkReader(id string) (recorder.ChunkReadCloser, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetChunkReader); err != nil {
return nil, trace.Wrap(err)
} else {
return a.recorder.GetChunkReader(id)
}
return a.recorder.GetChunkReader(id)
}
func (a *AuthWithRoles) UpsertNode(s services.Server, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertServer); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertNode(s, ttl)
}
return a.authServer.UpsertNode(s, ttl)
}
func (a *AuthWithRoles) GetNodes() ([]services.Server, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetServers); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GetNodes()
}
return a.authServer.GetNodes()
}
func (a *AuthWithRoles) UpsertAuthServer(s services.Server, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertAuthServer); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertAuthServer(s, ttl)
}
return a.authServer.UpsertAuthServer(s, ttl)
}
func (a *AuthWithRoles) GetAuthServers() ([]services.Server, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetAuthServers); err != nil {
return nil, err
} else {
return a.authServer.GetAuthServers()
}
return a.authServer.GetAuthServers()
}
func (a *AuthWithRoles) UpsertProxy(s services.Server, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertProxy); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertProxy(s, ttl)
}
return a.authServer.UpsertProxy(s, ttl)
}
func (a *AuthWithRoles) GetProxies() ([]services.Server, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetProxies); err != nil {
return nil, err
} else {
return a.authServer.GetProxies()
}
return a.authServer.GetProxies()
}
func (a *AuthWithRoles) UpsertReverseTunnel(r services.ReverseTunnel, ttl time.Duration) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertReverseTunnel); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertReverseTunnel(r, ttl)
}
return a.authServer.UpsertReverseTunnel(r, ttl)
}
func (a *AuthWithRoles) GetReverseTunnels() ([]services.ReverseTunnel, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetReverseTunnels); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GetReverseTunnels()
}
return a.authServer.GetReverseTunnels()
}
func (a *AuthWithRoles) DeleteReverseTunnel(domainName string) error {
if err := a.permChecker.HasPermission(a.role, ActionDeleteReverseTunnel); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.DeleteReverseTunnel(domainName)
}
return a.authServer.DeleteReverseTunnel(domainName)
}
func (a *AuthWithRoles) UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error) {
if err := a.permChecker.HasPermission(a.role, ActionUpsertPassword); err != nil {
return "", nil, err
} else {
return a.authServer.UpsertPassword(user, password)
}
return a.authServer.UpsertPassword(user, password)
}
func (a *AuthWithRoles) CheckPassword(user string, password []byte, hotpToken string) error {
if err := a.permChecker.HasPermission(a.role, ActionCheckPassword); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.CheckPassword(user, password, hotpToken)
}
return a.authServer.CheckPassword(user, password, hotpToken)
}
func (a *AuthWithRoles) SignIn(user string, password []byte) (*Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionSignIn); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.SignIn(user, password)
}
return a.authServer.SignIn(user, password)
}
func (a *AuthWithRoles) CreateWebSession(user string, prevSessionID string) (*Session, error) {
func (a *AuthWithRoles) CreateWebSession(user string) (*Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionCreateWebSession); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.CreateWebSession(user, prevSessionID)
}
return a.authServer.CreateWebSession(user)
}
func (a *AuthWithRoles) ExtendWebSession(user, prevSessionID string) (*Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionExtendWebSession); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.ExtendWebSession(user, prevSessionID)
}
func (a *AuthWithRoles) GetWebSessionInfo(user string, sid string) (*Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetWebSession); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GetWebSessionInfo(user, sid)
}
return a.authServer.GetWebSessionInfo(user, sid)
}
func (a *AuthWithRoles) DeleteWebSession(user string, sid string) error {
if err := a.permChecker.HasPermission(a.role, ActionDeleteWebSession); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.DeleteWebSession(user, sid)
}
return a.authServer.DeleteWebSession(user, sid)
}
func (a *AuthWithRoles) GetUsers() ([]services.User, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetUsers); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GetUsers()
}
return a.authServer.GetUsers()
}
func (a *AuthWithRoles) GetUser(name string) (services.User, error) {
if err := a.permChecker.HasPermission(a.role, ActionGetUser); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.Identity.GetUser(name)
}
return a.authServer.Identity.GetUser(name)
}
func (a *AuthWithRoles) DeleteUser(user string) error {
if err := a.permChecker.HasPermission(a.role, ActionDeleteUser); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.DeleteUser(user)
}
return a.authServer.DeleteUser(user)
}
func (a *AuthWithRoles) GenerateKeyPair(pass string) ([]byte, []byte, error) {
if err := a.permChecker.HasPermission(a.role, ActionGenerateKeyPair); err != nil {
return nil, nil, trace.Wrap(err)
} else {
return a.authServer.GenerateKeyPair(pass)
}
return a.authServer.GenerateKeyPair(pass)
}
func (a *AuthWithRoles) GenerateHostCert(
key []byte, hostname, authDomain string, role teleport.Role,
@ -333,48 +327,48 @@ func (a *AuthWithRoles) GenerateHostCert(
if err := a.permChecker.HasPermission(a.role, ActionGenerateHostCert); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GenerateHostCert(key, hostname, authDomain, role, ttl)
}
return a.authServer.GenerateHostCert(key, hostname, authDomain, role, ttl)
}
func (a *AuthWithRoles) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error) {
if err := a.permChecker.HasPermission(a.role, ActionGenerateUserCert); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.GenerateUserCert(key, user, ttl)
}
return a.authServer.GenerateUserCert(key, user, ttl)
}
func (a *AuthWithRoles) CreateSignupToken(user services.User) (token string, e error) {
if err := a.permChecker.HasPermission(a.role, ActionCreateSignupToken); err != nil {
return "", trace.Wrap(err)
} else {
return a.authServer.CreateSignupToken(user)
}
return a.authServer.CreateSignupToken(user)
}
func (a *AuthWithRoles) GetSignupTokenData(token string) (user string,
QRImg []byte, hotpFirstValues []string, e error) {
if err := a.permChecker.HasPermission(a.role, ActionGetSignupTokenData); err != nil {
return "", nil, nil, trace.Wrap(err)
} else {
return a.authServer.GetSignupTokenData(token)
}
return a.authServer.GetSignupTokenData(token)
}
func (a *AuthWithRoles) CreateUserWithToken(token, password, hotpToken string) (*Session, error) {
if err := a.permChecker.HasPermission(a.role, ActionCreateUserWithToken); err != nil {
return nil, trace.Wrap(err)
} else {
return a.authServer.CreateUserWithToken(token, password, hotpToken)
}
return a.authServer.CreateUserWithToken(token, password, hotpToken)
}
func (a *AuthWithRoles) UpsertUser(u services.User) error {
if err := a.permChecker.HasPermission(a.role, ActionUpsertUser); err != nil {
return trace.Wrap(err)
} else {
return a.authServer.UpsertUser(u)
}
return a.authServer.UpsertUser(u)
}
func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector, ttl time.Duration) error {

23
lib/auth/clt.go
View file

@ -472,9 +472,9 @@ func (c *Client) SignIn(user string, password []byte) (*Session, error) {
return sess, nil
}
// CreateWebSession creates a new web session for a user based on another
// ExtendWebSession creates a new web session for a user based on another
// valid web session
func (c *Client) CreateWebSession(user string, prevSessionID string) (*Session, error) {
func (c *Client) ExtendWebSession(user string, prevSessionID string) (*Session, error) {
out, err := c.PostJSON(
c.Endpoint("users", user, "web", "sessions"),
createWebSessionReq{
@ -491,6 +491,22 @@ func (c *Client) CreateWebSession(user string, prevSessionID string) (*Session,
return sess, nil
}
// CreateWebSession creates a new web session for a user
func (c *Client) CreateWebSession(user string) (*Session, error) {
out, err := c.PostJSON(
c.Endpoint("users", user, "web", "sessions"),
createWebSessionReq{},
)
if err != nil {
return nil, trace.Wrap(err)
}
var sess *Session
if err := json.Unmarshal(out.Bytes(), &sess); err != nil {
return nil, err
}
return sess, nil
}
// GetWebSessionInfo check if a web sesion is valid, returns session id in case if
// it is valid, or error otherwise.
func (c *Client) GetWebSessionInfo(user string, sid string) (*Session, error) {
@ -815,7 +831,8 @@ type ClientI interface {
UpsertPassword(user string, password []byte) (hotpURL string, hotpQR []byte, err error)
CheckPassword(user string, password []byte, hotpToken string) error
SignIn(user string, password []byte) (*Session, error)
CreateWebSession(user string, prevSessionID string) (*Session, error)
CreateWebSession(user string) (*Session, error)
ExtendWebSession(user string, prevSessionID string) (*Session, error)
GetWebSessionInfo(user string, sid string) (*Session, error)
DeleteWebSession(user string, sid string) error
GetUsers() ([]services.User, error)

5
lib/auth/permissions.go
View file

@ -46,7 +46,7 @@ func NewStandardPermissions() PermissionChecker {
sp.permissions[teleport.RoleUser] = map[string]bool{
ActionGetAuthServers: true,
ActionSignIn: true,
ActionCreateWebSession: true,
ActionExtendWebSession: true,
ActionGenerateUserCert: true,
ActionGetCertAuthorities: true,
ActionGetServers: true,
@ -103,7 +103,7 @@ func NewStandardPermissions() PermissionChecker {
ActionGetUser: true,
ActionGetAuthServers: true,
ActionUpsertSession: true,
ActionCreateWebSession: true,
ActionExtendWebSession: true,
ActionGetWebSession: true,
ActionDeleteWebSession: true,
ActionGetSession: true,
@ -197,6 +197,7 @@ const (
ActionUpsertPassword = "UpsertPassword"
ActionCheckPassword = "CheckPassword"
ActionSignIn = "SignIn"
ActionExtendWebSession = "ExtendWebSession"
ActionCreateWebSession = "CreateWebSession"
ActionGetWebSession = "GetWebSession"
ActionDeleteWebSession = "DeleteWebSession"

6
lib/web/sessions.go
View file

@ -105,10 +105,10 @@ func (c *SessionContext) GetWebSession() *auth.Session {
return c.sess
}
// CreateWebSession creates a new web session for this user
// ExtendWebSession creates a new web session for this user
// based on the previous session
func (c *SessionContext) CreateWebSession() (*auth.Session, error) {
sess, err := c.clt.CreateWebSession(c.user, c.sess.ID)
func (c *SessionContext) ExtendWebSession() (*auth.Session, error) {
sess, err := c.clt.ExtendWebSession(c.user, c.sess.ID)
if err != nil {
return nil, trace.Wrap(err)
}

2
lib/web/web.go
View file

@ -530,7 +530,7 @@ func (m *Handler) deleteSession(w http.ResponseWriter, r *http.Request, _ httpro
//
//
func (m *Handler) renewSession(w http.ResponseWriter, r *http.Request, _ httprouter.Params, ctx *SessionContext) (interface{}, error) {
newSess, err := ctx.CreateWebSession()
newSess, err := ctx.ExtendWebSession()
if err != nil {
return nil, trace.Wrap(err)
}