package
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev

# Packages

Package accesspoint provides helpers for configuring caches in the context of setting up service-level auth access points.
Package authclient contains common code for creating an auth server client which may use SSH tunneling through a proxy.
Package keystore provides a generic client and associated helpers for handling private keys that may be backed by an HSM or KMS.
Package storage provides a mechanism for interacting with the persisted state of a Teleport process.
Package test contains the CA authority acceptance test suite.
Package testauthority implements a wrapper around native.Keygen that uses pre-computed keys.
Package webauthn implements server-side support for the Web Authentication specification.
Package webauthncli provides the client-side implementation for WebAuthn.
Package webauthntypes provides WebAuthn types and conversions for both client-side and server-side implementations.
Package webauthnwin is a wrapper around the Windows webauthn API.

# Functions

AuthorizeAccessReviewRequest checks if the current user is allowed to submit the given access review request.
CertAuthorityInfo returns debugging information about certificate authority.
CertInfo returns diagnostic information about certificate.
CreateAccessPluginUser creates a user with list/read abilities for access requests, and list/read/update abilities for access plugin data.
CreateRole creates a role without assigning any users.
CreateUser creates user and role and assigns role to a user, used in tests.
CreateUserAndRole creates user and role and assigns role to a user, used in tests. If allowRules is nil, the role has admin privileges.
CreateUserAndRoleWithoutRoles creates user and role, but does not assign user to a role, used in tests.
CreateUserRoleAndRequestable creates two roles for a user, one base role with allowed login matching username, and another role with a login matching rolename that can be requested.
DefaultDNSNamesForRole returns default DNS names for the specified role.
ExtractHostID returns host id based on the hostname.
GenerateIdentity generates identity for the auth server.
GetPresetRoles returns a list of all preset roles expected to be available on this cluster.
GithubAuthRequestFromProto converts the types.GithubAuthRequest to GithubAuthRequest.
HasBuiltinRole checks if the identity is a builtin role with the matching name.
HasRemoteBuiltinRole checks if the identity is a remote builtin role with the matching name.
HostFQDN consists of host UUID and cluster name joined via a dot (".").
IdentityForwardingHeaders returns a copy of the provided headers with the TeleportImpersonateUserHeader and TeleportImpersonateIPHeader headers set to the identity provided.
Init instantiates and configures an instance of AuthServer.
LocalRegister is used to generate host keys when a node or proxy is running within the same process as the Auth Server and as such, does not need to use provisioning tokens.
MFARequiredToBool translates a [proto.MFARequired] value to a simple "required bool".
NewAPIServer returns a new instance of APIServer HTTP handler.
NewClientTLSConfigGenerator sets up a new generator based on the supplied parameters.
NewFakeTeleportVersion creates fake version storage.
NewGRPCServer returns a new instance of gRPC server.
NewImpersonatorRoundTripper returns a new impersonator round tripper.
NewServer creates and configures a new Server instance.
NewServerIdentity generates new server identity, used in tests.
NewSessionAccessEvaluator creates a new session access evaluator for a given session kind and a set of roles attached to the host user.
NewSSODiagContext returns new ssoDiagContext referencing particular Server.
NewTestAuthServer returns new instances of Auth server.
NewTestServer creates a new test server configuration.
NewTestTLSServer returns new test TLS server that is started and is listening on 127.0.0.1 loopback on any available port.
NewTLSServer returns new unstarted TLS server.
NewTransportCredentials returns a new TransportCredentials.
PrivateKeyToPublicKeyTLS gets the TLS public key from a raw private key.
ReconcileServerInfos periodically reconciles the labels of ServerInfo resources with their corresponding Teleport SSH servers.
RegisterTestDevice creates and registers a TestDevice.
ReRegister renews the certificates based on the client's existing identity.
RoleSupportsModeratedSessions checks if the role version is higher or equal to V5 - V5 is the version where ModeratedSession support was introduced.
TestAdmin returns TestIdentity for admin user.
TestBuiltin returns TestIdentity for builtin user.
TestNop returns "Nop" - unauthenticated identity.
TestRemoteBuiltin returns TestIdentity for a remote builtin role.
TestRenewableUser returns a TestIdentity for a local user with renewable credentials.
TestServerID returns a TestIdentity for a node with the passed in serverID.
TestUser returns TestIdentity for local user.
TestUserWithDeviceExtensions returns a TestIdentity for a local user, including the supplied device extensions in the tlsca.Identity.
TLSCertInfo returns diagnostic information about certificate.
ValidateClientRedirect checks a desktop client redirect URL for SSO logins against some (potentially nil) settings from an auth connector; in the current implementation, that means either the "http" scheme with a hostname of "localhost", "127.0.0.1", or "::1" and a path of "/callback" (with any port), or the "https" scheme with a hostname that matches one in the https_hostname list, a path of "/callback" and either an empty port or explicitly 443.
WatchEvents watches for events and streams them to the provided stream.
WithAccessGraphConfig sets the access graph configuration.
WithClock is a functional server option that sets the server's clock.
WithGithubConnectorConversions takes a [authclient.ClientI] and returns one that ensures returned or passed [types.GithubConnector] interfaces use the registered implementation for the following methods: ClientI.GetGithubConnector, ClientI.GetGithubConnectors, and ClientI.UpsertGithubConnector. This function is necessary so that the [github.com/gravitational/teleport/api] module does not import [github.com/gravitational/teleport/lib/services].
WithLimiterConfig sets connection and request limiter configuration.
WithRoleMutator sets a function that will be called to mutate the role before it is created.
WithUserMutator sets a function that will be called to mutate the user before it is created.

# Constants

GithubAuthPath is the GitHub authorization endpoint.
GithubTokenPath is the GitHub token exchange endpoint.
InvalidClientRedirectErrorMessage is a string added to SSO login errors caused by an invalid client redirect URL; the presence of this string is checked by the proxy to provide a more useful error message to the user when logging in.
MaxFailedAttemptsErrMsg is a user-friendly error message that tells a user that they are locked.
MaxPages is the maximum number of pagination links that will be followed.
TeleportImpersonateIPHeader is a header that specifies the real user IP address.
TeleportImpersonateUserHeader is a header that specifies the Teleport user identity that the proxy is impersonating.
TokenExpiredOrNotFound is a special message returned by the auth server when provisioning tokens are either past their TTL, or could not be found.

# Variables

ErrDone indicates that resource iteration is complete.
ErrGithubNoTeams results from a GitHub user not belonging to any teams.
ErrSAMLRequiresEnterprise is the error returned by the SAML methods when not using the Enterprise edition of Teleport.
GithubScopes is a list of scopes requested during OAuth2 flow.
ResourceApplyPriority specifies in which order the resources must be applied to avoid consistency issues.
UserLoginCount counts user logins.

# Structs

AccessGraphConfig contains the configuration about the access graph service and whether it is enabled or not.
APIServer implements http API server for AuthServer interface.
AppTestCertRequest combines parameters for generating a test app access cert.
AugmentUserCertificateOpts aggregates options for extending user certificates.
AugmentWebSessionCertificatesOpts aggregates arguments for [AugmentWebSessionCertificates].
ClientTLSConfigGenerator is a helper type used to implement fast & efficient client tls config specialization based upon the target cluster specified in the client TLS hello.
ClientTLSConfigGeneratorConfig holds parameters for ClientTLSConfigGenerator setup.
ConnectionIdentity contains the identifying properties of a client connection required to enforce connection limits.
CreateUserParams is a set of parameters used to create a user for an external identity provider.
DatabaseTestCertRequest combines parameters for generating test database access certificate.
FakeTeleportVersion is a fake version storage implementation that always returns the current version.
GenerateUserTestCertsRequest is a request to generate test certificates.
GithubConverter is a thin wrapper around the [authclient.ClientI] interface that ensures GitHub auth connectors use the registered implementation.
GithubOrgResponse represents a GitHub organization.
GithubTeamResponse represents a single team entry in the "teams" API response.
GithubUserResponse represents response from "user" API call.
GRPCServer is gRPC Auth Server API.
GRPCServerConfig specifies gRPC server configuration.
HostAndUserCAPoolInfo bundles a CA pool with a map of CA raw subjects to the registered types of that CA.
IdentityInfo contains the auth information and identity for an authenticated TLS connection.
ImpersonatorRoundTripper is a round tripper that impersonates a user with the identity provided.
InitConfig is auth server init config.
Metrics handles optional metrics for TLSServerConfig.
Middleware is authentication middleware checking every request.
NewAppSessionRequest defines a request to create a new user app session.
NewWebSessionRequest defines a request to create a new user web session.
PolicyOptions is a set of settings for the session determined by the matched required policy.
ReRegisterParams specifies parameters for re-registering in the cluster (rotating certificates for existing members).
Server keeps the cluster together.
ServerWithRoles is a wrapper around auth service methods that focuses on authorizing every request.
Services is a collection of services that are used by the auth server.
SessionAccessContext is the context that must be provided per participant in the session.
SessionAccessEvaluator takes a set of policies and uses rules to evaluate them to determine when a session may start and if a user can join a session.
SessionCertsRequest is a request for new user session certs.
SSODiagContext is a helper type for accumulating the SSO diagnostic info prior to writing it to the backend.
TestAuthServer is auth server using local filesystem backend and test certificate authority key generation that speeds up keygen by using the same private key.
TestAuthServerConfig is auth server test config.
TestDevice is a test MFA device.
TestIdentity is test identity spec used to generate identities in tests.
TestServer defines the set of server components for a test.
TestServerConfig defines the configuration for all server components.
TestTLSServer is a test TLS server.
TestTLSServerConfig is a configuration for test TLS server.
TLSServer is TLS auth server.
TLSServerConfig is a configuration for TLS server.
TransportCredentials is a [credentials.TransportCredentials] that enforces mTLS and retrieves the [IdentityGetter] for use by middleware to perform authorization.
TransportCredentialsConfig configures the behavior that occurs during the server handshake by the TransportCredentials.

# Interfaces

AccessCacheWithEvents extends the [authclient.AccessCache] interface with [types.Events].
ConnectionEnforcer limits incoming connections based on max connection settings.
PresetRoleManager contains the required Role Management methods to create a Preset Role.
PresetUsers contains the required User Management methods to create a preset User.
ReRegisterClient abstracts over local auth servers and remote clients when performing a re-registration.
SAMLService contains the methods that the auth server delegates to a plugin for implementing the SAML connector.
ServerInfoAccessPoint is the subset of the auth server interface needed to reconcile server info resources.
SSODiagService is a thin slice of services.Identity required by SSODiagContext to record the SSO diagnostic info in a store.
UserGetter is responsible for building an authenticated user based on TLS metadata.
VersionStorage is local storage for saving the version.
WatchEvent is a stream interface for sending events.

# Type aliases

CreateDeviceAssertionFunc creates a new device assertion ceremony to authenticate a trusted device.
CreateDeviceWebTokenFunc creates a new DeviceWebToken for the logged in user.
CreateUserAndRoleOption is a functional option for CreateUserAndRole.
DeviceExtensions hold device-aware user certificate extensions.
HandlerWithAuthFunc is http handler with passed auth context.
LoginHook is a function that will be called on a successful login.
ReadOnlyCache is a type alias used to assist with embedding [readonly.Cache] in places where it would have a naming conflict with other types named Cache.
ServerOption allows setting options as functional arguments to Server.
SSODiagServiceFunc is an adaptor allowing a function to be used in place of the SSODiagService interface.
TestDeviceOpt is a creation option for TestDevice.
TestTLSServerOption is a functional option passed to NewTestTLSServer.