forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cfg.go
467 lines (370 loc) · 14.7 KB
/
cfg.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
/*
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package service
import (
"fmt"
"io"
"os"
"path/filepath"
"time"
"golang.org/x/crypto/ssh"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/dir"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/pam"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/sshca"
"github.com/gravitational/teleport/lib/utils"
"github.com/ghodss/yaml"
"github.com/jonboulle/clockwork"
)
// Config structure is used to initialize _all_ services Teleporot can run.
// Some settings are global (like DataDir) while others are grouped into
// sections, like AuthConfig
type Config struct {
// DataDir provides directory where teleport stores it's permanent state
// (in case of auth server backed by BoltDB) or local state, e.g. keys
DataDir string
// Hostname is a node host name
Hostname string
// Token is used to register this Teleport instance with the auth server
Token string
// AuthServers is a list of auth servers nodes, proxies and peer auth servers
// connect to
AuthServers []utils.NetAddr
// Identities is an optional list of pre-generated key pairs
// for teleport roles, this is helpful when server is preconfigured
Identities []*auth.Identity
// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
// can be reached on, if running behind NAT
AdvertiseIP string
// CachePolicy sets caching policy for nodes and proxies
// in case if they loose connection to auth servers
CachePolicy CachePolicy
// SSH role an SSH endpoint server
SSH SSHConfig
// Auth server authentication and authorization server config
Auth AuthConfig
// Keygen points to a key generator implementation
Keygen sshca.Authority
// Proxy is SSH proxy that manages incoming and outbound connections
// via multiple reverse tunnels
Proxy ProxyConfig
// HostUUID is a unique UUID of this host (it will be known via this UUID within
// a teleport cluster). It's automatically generated on 1st start
HostUUID string
// Console writer to speak to a user
Console io.Writer
// ReverseTunnels is a list of reverse tunnels to create on the
// first cluster start
ReverseTunnels []services.ReverseTunnel
// OIDCConnectors is a list of trusted OpenID Connect identity providers
OIDCConnectors []services.OIDCConnector
// PidFile is a full path of the PID file for teleport daemon
PIDFile string
// Trust is a service that manages users and credentials
Trust services.Trust
// Presence service is a discovery and hearbeat tracker
Presence services.Presence
// Provisioner is a service that keeps track of provisioning tokens
Provisioner services.Provisioner
// Trust is a service that manages users and credentials
Identity services.Identity
// Access is a service that controls access
Access services.Access
// ClusterConfiguration is a service that provides cluster configuration
ClusterConfiguration services.ClusterConfiguration
// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
// omitted, a Teleport selected list of defaults will be used.
CipherSuites []uint16
// Ciphers is a list of SSH ciphers that the server supports. If omitted,
// the defaults will be used.
Ciphers []string
// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
// server supports. If omitted, the defaults will be used.
KEXAlgorithms []string
// MACAlgorithms is a list of SSH message authentication codes (MAC) that
// the server supports. If omitted the defaults will be used.
MACAlgorithms []string
// DiagnosticAddr is an address for diagnostic and healthz endpoint service
DiagnosticAddr utils.NetAddr
// Debug sets debugging mode, results in diagnostic address
// endpoint extended with additional /debug handlers
Debug bool
// UploadEventsC is a channel for upload events
// used in tests
UploadEventsC chan *events.UploadEvent `json:"-"`
// FileDescriptors is an optional list of file descriptors for the process
// to inherit and use for listeners, used for in-process updates.
FileDescriptors []FileDescriptor
// PollingPeriod is set to override default internal polling periods
// of sync agents, used to speed up integration tests.
PollingPeriod time.Duration
// ClientTimeout is set to override default client timeouts
// used by internal clients, used to speed up integration tests.
ClientTimeout time.Duration
// ShutdownTimeout is set to override default shutdown timeout.
ShutdownTimeout time.Duration
// CAPin is the SKPI hash of the CA used to verify the Auth Server.
CAPin string
// Clock is used to control time in tests.
Clock clockwork.Clock
}
// ApplyToken assigns a given token to all internal services but only if token
// is not an empty string.
//
// Returns 'true' if token was modified
func (cfg *Config) ApplyToken(token string) bool {
if token != "" {
cfg.Token = token
return true
}
return false
}
// RoleConfig is a config for particular Teleport role
func (cfg *Config) RoleConfig() RoleConfig {
return RoleConfig{
DataDir: cfg.DataDir,
HostUUID: cfg.HostUUID,
HostName: cfg.Hostname,
AuthServers: cfg.AuthServers,
Auth: cfg.Auth,
Console: cfg.Console,
}
}
// DebugDumpToYAML is useful for debugging: it dumps the Config structure into
// a string
func (cfg *Config) DebugDumpToYAML() string {
shallow := *cfg
// do not copy sensitive data to stdout
shallow.Identities = nil
shallow.Auth.Authorities = nil
out, err := yaml.Marshal(shallow)
if err != nil {
return err.Error()
}
return string(out)
}
// CachePolicy sets caching policy for proxies and nodes
type CachePolicy struct {
// Enabled enables or disables caching
Enabled bool
// TTL sets maximum TTL for the cached values
// without explicit TTL set
TTL time.Duration
// NeverExpires means that cache values without TTL
// set by the auth server won't expire
NeverExpires bool
// RecentTTL is the recently accessed items cache TTL
RecentTTL *time.Duration
}
// GetRecentTTL either returns TTL that was set,
// or default recent TTL value
func (c *CachePolicy) GetRecentTTL() time.Duration {
if c.RecentTTL == nil {
return defaults.RecentCacheTTL
}
return *c.RecentTTL
}
// String returns human-friendly representation of the policy
func (c CachePolicy) String() string {
if !c.Enabled {
return "no cache policy"
}
recentCachePolicy := ""
if c.GetRecentTTL() == 0 {
recentCachePolicy = "will not cache frequently accessed items"
} else {
recentCachePolicy = fmt.Sprintf("will cache frequently accessed items for %v", c.GetRecentTTL())
}
if c.NeverExpires {
return fmt.Sprintf("cache that will not expire in case if connection to database is lost, %v", recentCachePolicy)
}
if c.TTL == 0 {
return fmt.Sprintf("cache that will expire after connection to database is lost after %v, %v", defaults.CacheTTL, recentCachePolicy)
}
return fmt.Sprintf("cache that will expire after connection to database is lost after %v, %v", c.TTL, recentCachePolicy)
}
// ProxyConfig specifies configuration for proxy service
type ProxyConfig struct {
// Enabled turns proxy role on or off for this process
Enabled bool
//DisableTLS is enabled if we don't want self signed certs
DisableTLS bool
// DisableWebInterface allows to turn off serving the Web UI interface
DisableWebInterface bool
// DisableWebService turnes off serving web service completely, including web UI
DisableWebService bool
// DisableReverseTunnel disables reverse tunnel on the proxy
DisableReverseTunnel bool
// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
ReverseTunnelListenAddr utils.NetAddr
// EnableProxyProtocol enables proxy protocol support
EnableProxyProtocol bool
// WebAddr is address for web portal of the proxy
WebAddr utils.NetAddr
// SSHAddr is address of ssh proxy
SSHAddr utils.NetAddr
// TLSKey is a base64 encoded private key used by web portal
TLSKey string
// TLSCert is a base64 encoded certificate used by web portal
TLSCert string
Limiter limiter.LimiterConfig
// PublicAddrs is a list of the public addresses the proxy advertises
// for the HTTP endpoint. The hosts in in PublicAddr are included in the
// list of host principals on the TLS and SSH certificate.
PublicAddrs []utils.NetAddr
// SSHPublicAddrs is a list of the public addresses the proxy advertises
// for the SSH endpoint. The hosts in in PublicAddr are included in the
// list of host principals on the TLS and SSH certificate.
SSHPublicAddrs []utils.NetAddr
// Kube specifies kubernetes proxy configuration
Kube KubeProxyConfig
}
// KubeProxyConfig specifies configuration for proxy service
type KubeProxyConfig struct {
// Enabled turns kubernetes proxy role on or off for this process
Enabled bool
// ListenAddr is address where reverse tunnel dialers connect to
ListenAddr utils.NetAddr
// KubeAPIAddr is address of kubernetes API server
APIAddr utils.NetAddr
// ClusterOverride causes all traffic to go to a specific remote
// cluster, used only in tests
ClusterOverride string
// CACert is a PEM encoded kubernetes CA certificate
CACert []byte
// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
// it also affects the host principals and routing logic
PublicAddrs []utils.NetAddr
}
// AuthConfig is a configuration of the auth server
type AuthConfig struct {
// Enabled turns auth role on or off for this process
Enabled bool
// EnableProxyProtocol enables proxy protocol support
EnableProxyProtocol bool
// SSHAddr is the listening address of SSH tunnel to HTTP service
SSHAddr utils.NetAddr
// Authorities is a set of trusted certificate authorities
// that will be added by this auth server on the first start
Authorities []services.CertAuthority
// Roles is a set of roles to pre-provision for this cluster
Roles []services.Role
// ClusterName is a name that identifies this authority and all
// host nodes in the cluster that will share this authority domain name
// as a base name, e.g. if authority domain name is example.com,
// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
ClusterName services.ClusterName
// StaticTokens are pre-defined host provisioning tokens supplied via config file for
// environments where paranoid security is not needed
StaticTokens services.StaticTokens
// StorageConfig contains configuration settings for the storage backend.
StorageConfig backend.Config
Limiter limiter.LimiterConfig
// NoAudit, when set to true, disables session recording and event audit
NoAudit bool
// Preference defines the authentication preference (type and second factor) for
// the auth server.
Preference services.AuthPreference
// ClusterConfig stores cluster level configuration.
ClusterConfig services.ClusterConfig
// LicenseFile is a full path to the license file
LicenseFile string
// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
PublicAddrs []utils.NetAddr
// KubeconfigPath is a path to kubeconfig
KubeconfigPath string
}
// SSHConfig configures SSH server node role
type SSHConfig struct {
Enabled bool
Addr utils.NetAddr
Namespace string
Shell string
Limiter limiter.LimiterConfig
Labels map[string]string
CmdLabels services.CommandLabels
PermitUserEnvironment bool
// PAM holds PAM configuration for Teleport.
PAM *pam.Config
// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
PublicAddrs []utils.NetAddr
}
// MakeDefaultConfig creates a new Config structure and populates it with defaults
func MakeDefaultConfig() (config *Config) {
config = &Config{}
ApplyDefaults(config)
return config
}
// ApplyDefaults applies default values to the existing config structure
func ApplyDefaults(cfg *Config) {
// Get defaults for Cipher, Kex algorithms, and MAC algorithms from
// golang.org/x/crypto/ssh default config.
var sc ssh.Config
sc.SetDefaults()
// Remove insecure and (borderline insecure) cryptographic primitives from
// default configuration. These can still be added back in file configuration by
// users, but not supported by default by Teleport. See #1856 for more
// details.
kex := utils.RemoveFromSlice(sc.KeyExchanges,
defaults.DiffieHellmanGroup1SHA1,
defaults.DiffieHellmanGroup14SHA1)
macs := utils.RemoveFromSlice(sc.MACs,
defaults.HMACSHA1,
defaults.HMACSHA196)
hostname, err := os.Hostname()
if err != nil {
hostname = "localhost"
log.Errorf("Failed to determine hostname: %v.", err)
}
// global defaults
cfg.Hostname = hostname
cfg.DataDir = defaults.DataDir
cfg.Console = os.Stdout
cfg.CipherSuites = utils.DefaultCipherSuites()
cfg.Ciphers = sc.Ciphers
cfg.KEXAlgorithms = kex
cfg.MACAlgorithms = macs
// defaults for the auth service:
cfg.Auth.Enabled = true
cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
cfg.Auth.StorageConfig.Type = dir.GetName()
cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
cfg.Auth.StaticTokens = services.DefaultStaticTokens()
cfg.Auth.ClusterConfig = services.DefaultClusterConfig()
defaults.ConfigureLimiter(&cfg.Auth.Limiter)
// set new style default auth preferences
ap := &services.AuthPreferenceV2{}
ap.CheckAndSetDefaults()
cfg.Auth.Preference = ap
cfg.Auth.LicenseFile = filepath.Join(cfg.DataDir, defaults.LicenseFile)
// defaults for the SSH proxy service:
cfg.Proxy.Enabled = true
cfg.Proxy.SSHAddr = *defaults.ProxyListenAddr()
cfg.Proxy.WebAddr = *defaults.ProxyWebListenAddr()
cfg.Proxy.ReverseTunnelListenAddr = *defaults.ReverseTunnellListenAddr()
defaults.ConfigureLimiter(&cfg.Proxy.Limiter)
// defaults for the Kubernetes proxy service
cfg.Proxy.Kube.Enabled = false
cfg.Proxy.Kube.ListenAddr = *defaults.KubeProxyListenAddr()
// defaults for the SSH service:
cfg.SSH.Enabled = true
cfg.SSH.Addr = *defaults.SSHServerListenAddr()
cfg.SSH.Shell = defaults.DefaultShell
defaults.ConfigureLimiter(&cfg.SSH.Limiter)
cfg.SSH.PAM = &pam.Config{Enabled: false}
}