Merge pull request #1683 from gravitational/sasha/go-client

Add go-client initial example.
gravitational · Feb 14, 2018 · 7b37387 · 7b37387
2 parents d898613 + 7b1b29b
commit 7b37387
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 3 deletions.
diff --git a/examples/go-client/README.md b/examples/go-client/README.md
@@ -0,0 +1,20 @@
+## Demo
+
+To run this program:
+
+**Setup TLS**
+
+Alongisde a running teleport auth server, run:
+
+```
+tctl auth export --type=tls > /var/lib/teleport/ca.cert
+```
+
+**Execute**
+
+
+```bash
+go get github.com/gravitational/teleport/lib/auth
+go run main.go
+```
+
diff --git a/examples/go-client/main.go b/examples/go-client/main.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2018 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"log"
+	"time"
+
+	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/lib/auth"
+	"github.com/gravitational/teleport/lib/utils"
+)
+
+func main() {
+	log.Printf("Starting teleport client...")
+
+	// Teleport HTTPS client uses TLS client authentication
+	// so we have to set up certificates there
+	tlsConfig, err := setupClientTLS()
+	if err != nil {
+		log.Fatalf("Failed to parse TLS config: %v", err)
+	}
+
+	authServerAddr := []utils.NetAddr{*utils.MustParseAddr("127.0.0.1:3025")}
+	client, err := auth.NewTLSClient(authServerAddr, tlsConfig)
+	if err != nil {
+		log.Fatalf("Failed to create client: %v", err)
+	}
+
+	token, err := client.GenerateToken(auth.GenerateTokenRequest{
+		Token: "mytoken-proxy",
+		Roles: teleport.Roles{teleport.RoleProxy},
+		TTL:   time.Hour,
+	})
+	if err != nil {
+		log.Fatalf("Failed to generate token: %v", err)
+	}
+	log.Printf("Generated token: %v\n", token)
+}
+
+// setupClientTLS sets up client TLS authentiction between TLS client
+// and Teleport Auth server. This function uses hardcoded certificate paths,
+// assuming program runs alongside auth server, but it can be ran
+// on a remote location, assuming client has all the client certificates.
+func setupClientTLS() (*tls.Config, error) {
+	// read auth server TLS certificate, used to verify auth server identity
+	authServerCert, err := ioutil.ReadFile("/var/lib/teleport/ca.cert")
+	if err != nil {
+		return nil, err
+	}
+
+	// client TLS key pair, used to authenticate with auth server
+	tlsCert, err := tls.LoadX509KeyPair("/var/lib/teleport/admin.tlscert", "/var/lib/teleport/admin.key")
+	if err != nil {
+		return nil, err
+	}
+
+	// set up TLS config for HTTPS client
+	tlsConfig := utils.TLSConfig()
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(authServerCert)
+	tlsConfig.Certificates = []tls.Certificate{tlsCert}
+	tlsConfig.RootCAs = certPool
+	tlsConfig.ClientCAs = certPool
+	return tlsConfig, nil
+}
diff --git a/lib/service/service.go b/lib/service/service.go
@@ -147,7 +147,7 @@ type TeleportProcess struct {
 	// identities of this process (credentials to auth sever, basically)
 	Identities map[teleport.Role]*auth.Identity
 	// registeredListeners keeps track of all listeners created by the process
-	// used to pass through the
+	// used to pass listeners to child processes during live reload
 	registeredListeners []RegisteredListener
 	// importedDescriptors is a list of imported file descriptors
 	// passed by the parent process

diff --git a/lib/services/local/provisioning.go b/lib/services/local/provisioning.go
@@ -24,7 +24,6 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/services"
-	log "github.com/sirupsen/logrus"
 
 	"github.com/gravitational/trace"
 )
@@ -90,7 +89,11 @@ func (s *ProvisioningService) GetTokens() (tokens []services.ProvisionToken, err
 	for _, k := range keys {
 		tok, err := s.GetToken(k)
 		if err != nil {
-			log.Error(err)
+			// token could have expired
+			if !trace.IsNotFound(err) {
+				return nil, trace.Wrap(err)
+			}
+			continue
 		}
 		tokens = append(tokens, *tok)
 	}