Introduce the prompt.Password function and use it consistently whenever we read
a password, OTP or PIN.
The PR makes it easy to support PINs during MFA authentication, so now we do so.
It also adds the capability to mock prompt.Stdin() for tests, adding a uniform
way to fake user input in tests without having to swap functions.
Complements #10953 and #9160.
* Prompt for OTPs as passwords (take 1), read PINs on MFA authentication
* Add the prompt.Password method
* Add Stdin mocking capabilities to the prompt package
* Delegate password reads to prompt.Stdin().ReadPassword()
* Remove stdinHijack from PromptMFAChallenge
* Change api_login_test.go to FakeReader
* Change tsh_test.go to FakeReader
* Retire client.ReadPassword in favor of prompt.Password
* Provider error info on data dir rights
* Added similar message for appropiate access when trying to use a Teleport configuration file (/etc/teleport.yaml) and it fails to load due to permission error.
A few FIDO2 scenarios are not respecting cancellation, causing problems in
certain `tsh` flows.
The PR fixes the issue above and sneaks a small fix in `tsh mfa add` as well.
#9160
* Add tests for various cancel conditions
* Respect context cancellation during select and PIN steps
* Do not ask for passwordless for non-webauthn devices
The Forwarder type has been replaced with the new GRPC/streaming based
session recording and was only used in tests.
The RecordSessions param is never consulted, as it was replaced with
AuditWriter's RecordOutput param a couple of years ago.
These events are remnants of the old system before our events
were strongly-typed protos, and were unused in the code
(save for a few tests, which were updated)
This changes prompt.ContextReader in the following ways:
Reads only happen as a response to Read methods being called. This allows
ContextReader to coexist with other readers as long as no reads are abandoned.
ReadPassword is now available, the underlying implementation being
term.ReadPassword. An abandoned password read may be turned into a clean read.
This gives us some UX flexibility when callers abandon password reads (looking
at you, PromptMFAChallenge). Turning clean reads into password reads is not
supported. It's tricky and I have a few ideas, but it's not paramount at this
moment.
This solves the woes caused by abandoned OTP reads followed by PIN reads in
different packages, such as client.PromptMFAChallenge followed by tsh mfa add's
implementation.
#9160
* Move ContextReader to its own file
* Refactor ContextReader and implement ReadPassword
* Test ReadPassword
* Fix typos
* Remove prompt.StdinSync()
prompt.Stdin() has the same behavior for non-abandoned reads.
* Group /x/term methods under a type
* Allow for probe timeouts to be configurable
When setting up a new Teleport enterprise cluster on GCP,
I noticed that I needed to set the probe timeouts to get the
cluster to be healthy. This seems to be a known issue (https://github.com/kubernetes/kubernetes/issues/89898).
As a "stopgap", I've updated the helm chart to allow for end users
to be able to configure these timeouts.
* Update configuration option name and add documentation
* Update docs/pages/kubernetes-access/helm/reference.mdx
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Add tests for probeTimeoutSeconds
* Add probeTimeoutSeconds to required values
* Add probeTimeoutSeconds to teleport-kube-agent
* Add tests for probeTimeoutSeconds to teleport-kube-agent
* Add probeTimeoutSeconds to teleport-kube-agent reference
Co-authored-by: Hunter Madison <hunter.madison@instana.com>
Co-authored-by: Hunter Madison <hmadison@users.noreply.github.com>
* helm: Update NOTES.txt for AWS ACM
* Add support for separate Postgres/MongoDB listeners in teleport-cluster chart
* Special case backend listener protocol based on presence of ACM annotation
* Add tests for separate listeners
* Add tests for ACM annotation setting backend protocol
* Don't add AWS annotations when not in AWS mode
* Adds for separatePostgresListener/separateMongoListener
Also adds missing example for setitng proxyListenerMode
* Add continuous backups permission to DynamoDB policy
Fixes#11411
Our API getting started guide includes a go snippet that ends with
"EOF," which is not a Go keyword. If the reader isn't familiar with
Go but wants to follow this guide, the Go compiler will return a syntax
error.
This change removes the line.
* Split the AWS Node Joining guide
This is to better address users with different scopes (see #10633).
Since the EC2 method is irrelevant for Cloud users, this approach makes
it straightforward to add an edition warning to the top of the EC2 join
method guide and scoped Tabs components to the IAM join method guide.
The alternative was to add nested Tabs components, with the top level
including Cloud vs. Self-Hosted TabItems and the inner level including
TabItems for the IAM and EC2 join methods. This looked pretty
unattractive and couldn't accommodate the final section on using the
EC2 method with multiple AWS accounts.
* Respond to PR feedback
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Respond to PR feedback
Co-authored-by: Nic Klaassen <nic@goteleport.com>
