* start refactoring tbot to have a core struct
* refactor tbot into lib/
* move `tbot` subpackages to `lib/tbot`
* remove mutex pointer
* move `tshwrap` to `lib/` from `/tool/tbot/`
* move new template ssh client render test to lib/
* address pr feedback
* add request changed
* Extend support for identity files in tsh
This enhances support for identity files in tsh, which previously only
worked for regular SSH access. The largest blocker for support is that
tsh uses profiles for all non-SSH resource access, and profiles have a
direct mapping to some on-disk resources. This patch works around this
in a few ways:
* Virtual profiles: When an identity file is specified with `-i`, we
use it to create an in-memory virtual profile using the cert as the
root identity _and_ for every `RouteToDatabase` (and in the future,
app) field contained in the cert.
* Virtual profile paths: Certain profile operations require paths to
valid certificates and other resources on disk, which may not exist
inside the identity file.
As the driving use-case for this change is integration with Machine
ID, we can "cheat" and pass the correct paths to tsh via
environment variables. A cooperating wrapper in `tbot` will execute
`tsh` with appropriate flags and environment variables, which
override tsh's usual certifiate paths. This allows commands like
`tsh db connect ...` to work as expected.
* Key stores: previously we used a `noLocalKeyStore{}` with which all
lookups fail. This patch replaces it with an in-memory keystore if
a client key is available.
* Profile status: lastly, we add a new `StatusCurrentWithIdentity()`
function to load virtual profiles where supported. Some commands
are not supported in this PR (like `tsh app ...`), but others
don't make sense to support (like cert reissuing).
We might consider merging everything into the traditional
`StatusCurrent()` when adding app support.
App access is still broken and will be addressed in a later change.
Partially fixes#11770
* Fix failing lint
* Add `tbot proxy` and `tbot db` wrapper commands
This adds new wrapper commands that leverage tsh for proxy and
database access.
It also adds a new `tshwrap` helper package which contains utilities
for locating the tsh executable, checking its version, and loading
all necessary data (certificates, destinations, etc) that will need
to be passed to tsh for wrapped commands to function.
* Fix failing unit test due to incorrect default IsVirtual profile flag
* Combine `StatusCurrentWithIdentity()` into `StatusCurrent()`
Additionally, log a warning when environment variable paths aren't
found.
* Fix virtual profile flag always being true
* Update lib/client/api.go
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
* Address review feedback
* Use `tbot proxy` in generated `ssh_config`
* Add tests for mockable parts of our tsh integration
* Fix lints
* Clarify docstrings in CLIConf
* Tweak comment for clarity; fix typo in `onProxyCommand`
* Add missing copyright header
* Fix failing unit test and pass destination to `Describe()`
This fixes a failing unit test by making the description for
`ssh_config` match its behavior in practice. This necessitated
passing the destination to all templates, unfortunately.
* Add a few extra tests
* Apply suggestions from code review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Address another batch of review comments
* Comment tweaks
* Refactor tshwrap to remove the Runner interface.
* Apply suggestions from code review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Address review comments
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
