* fix race in filelog
* Fixed data race in Audit Log.
Fixed data race in Audit Log where Close and EmitAuditEvent race during
tests. Use a RWMutex to protect the local log to prevent race.
Co-authored-by: Forrest Marshall <forrest@gravitational.com>
Purpose is to allow users with admin privilege that are able to view audit logs,
to be able to debug SSO login failures from the UI as much as possible
* Return generic error message for sso console login failures to hide
sensitive data from reaching client. Previously errors were returning as
empty messages b/c of a trace bug.
* Remove emit event for createOIDCClient to allow outer caller to
emit event and prevent double emits on error.
* Temporarily direct users to check teleports log on errors that come back
empty to tsh client.
Check whether MFA is required for the current session and send a
challenge over the websocket.
client.IssueUserCertsWithMFA had to be modified to inject proxy's
cached user certs and websocket-based U2F prompt.
Addresses Issue #5774
Prior to this change key enumeration could fail with an error if the cluster value in the `tsh` config was missing, which is possible when a post-v6.0 `tsh` reads a ~/.tsh directory created by a pre-v6.0 `tsh`. This would ultimately cause the key enumeration code to search the wrong directory for keys, resulting in an attempt to read a directory as a key file, and failing.
This patch adds detection for an empty cluster name, and gracefully aborts the key enumeration without error if found.
By specifying `device_attestation_cas` in `teleport.yaml`, admins can
restrict U2F device manufacturers. For example, specifying the yubico
attestation CA
(https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt), you can
restrict users to only yubikeys.
Example error when using the yubico CA and trying to register a Google
Titan key:
```
$ tsh mfa add --type u2f --name test && tsh mfa rm test
Tap any *registered* security key
Tap your *new* security key
ERROR: rpc error: code = InvalidArgument desc = U2F device attestation certificate is signed by "CN=Security Key,O=Google", but this cluster only accepts certificates from ["CN=Yubico U2F Root CA Serial 457200631"]; make sure you're using a U2F device from a trusted manufacturer
```
* Added support for connecting API client through tunnel proxy and web proxy addresses (with identity file).
* Added concurrent dialing logic to dial several possible dialing combinations and seamlessly return the first client to connect.
Addresses #5624
When a k8s stream exits it emits events that mark the session recording
as complete. Prior to this patch, the `exec` handler exited before
emitting these "session complete" events, leaving the recordings
orphaned.
This patch wraps the stream cleanup in a `defer`ed cleanup handler
that marks the stream as complete in any exit mode.
The use of non-UTF8 keys with the DynamoDB back-end causes a failure
deep within the AWS request deserialization code, presenting a
non-obvious failure to the user.
This change adds validation to all backends that requires all keys
are valid UTF8 strings. It also adds a warning to the Backend
interface declaration that the keys may be constrained to valid
UTF8.
Other changes include:
* Updating the `Backend` conformance test suite to not present binary
keys to the various backend implementations.
* Adding a `region` value to the DynamoDB configuration test input
* Adding missing imports to `_test` files.
* Updating build instructions in README
Fixes#5352
```yaml
allow:
impersonate:
users: ['alice', 'bob']
roles: ['*']
where: 'contains(user.spec.traits["groups"], impersonate_role.traits)'
```
Adds "impersonator" to all X.509 and SSH client certs
issued using impersonation and does best effort to track
requests by impersonators in audit events.
Limits certs TTL to the impersonator's max session TTL.
Prevents impersonating users to recursively impersonate
other users.
Allows impersonating users to renew their own certificate,
for example to set route to cluster.
Adds missing token permission for editor role.
* mfa: add cluster-level require_session_mfa option
Users may choose to require MFA for all sessions in some clusters, or
only on select roles in others.
This PR adds the cluster-level option in the `auth_service` config.
To expose this field to non-auth services, opened up `GetAuthPreference`
access over the auth API, including all the cache plumbing.
* Address review feedback
