stringify & remove the jwt values when asked
Plumb up the file configuration
Add a test for jwt token rewriting
resolve comments
Use string instead of enum
* AWSOIDC Integration: ListDatabases
This PR adds a new Action for the AWSOIDC Integration: ListDatabases
The goal of this action is to provide the User a list of RDS Databases
from which the User will pick one to be added as a Teleport Database
Resource.
This way, the user doesn't need to copy/paste DB name, endpoints and
labels.
Before being able to call this action, the User has to set up an AWS
OIDC integration.
How does it work:
```
Client (web app)
│ ▲
│ │4. Returns list of DBs
1. List Databases │ │ (name, tags, status, endpoint)
│ │
│ │
│ │
│ │
▼ │ 3. rds.DescribeDBInstances
┌───────────┴────┐ (auth: token) ┌─────────┐
│ ├─────────────────────────────────►│ │
│ Teleport Proxy │ │ AWS │
│ │ 3.1. Get OIDC Config │ │
│ │◄─────────────────────────────────┤ │
│ │ 3.2. Get RSA Public Key │ │
│ │◄─────────────────────────────────┤ ├─────────┐ 3.3.
│ │ │ │ │Validates token signature
│ │ │ │ │with received public key
│ │ 3.4 Returns list of DBs │ │◄────────┘
│ │◄─────────────────────────────────┤ │
└─┬──────────────┘ └─────────┘
│
│ 2. Sign Token
│
▼
┌───────────────────┐
│ │
│ Teleport Auth │
│ RSA Private Key │
└───────────────────┘
```
* add resource and account ids to DB resource
* move api namespaces
* use types.Database instead of custom database format
* add database uri
* fix comments and rate limiter
* test name override when converting RDS V2 DBs
* fix webapi database URI field
* TestClusterDatabasesGet: add parallel
* Add secure IP propagation from proxy to auth server when using ALPN
We're using PROXY protocol extensions called TLVs to send
signed JWT and proxy's certificate to the auth server. Auth
validates JWT using provided signing certificate and host CA
to make sure that IP information comes from our internal proxy.
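As an added illustration of the PROXY protocol v2 TLV carrier that commit describes (example code written here, not Teleport's own): the header carries the client's address, and a custom TLV carries the opaque token the auth server is expected to verify before it trusts that address. The TLV type `0xE0` and the token bytes are assumptions; token signing and signature verification are outside this snippet.

```go
package main
import (
	"encoding/binary"
	"errors"
	"net"
)
// proxyV2Sig is the fixed 12-byte preamble that opens every PROXY protocol v2 header.
const proxyV2Sig = "\r\n\r\n\x00\r\nQUIT\n"
// tlvSignedToken is a constructed TLV type from the PP2 custom range (0xE0-0xEF); an assumption for this example, not the code Teleport uses.
const tlvSignedToken byte = 0xE0
// EncodeProxyV2 builds a PROXY v2 header (TCP over IPv4) carrying the client address plus one TLV with an opaque token (a proxy-signed JWT in Teleport's design).
func EncodeProxyV2(src, dst [4]byte, srcPort, dstPort uint16, token []byte) ([]byte, error) {
	if len(token) > 0xFFFF-15 {
		return nil, errors.New("token does not fit in a single TLV")
	}
	h := append([]byte(proxyV2Sig), 0x21, 0x11) // version 2 + PROXY command; AF_INET + STREAM
	n := 15 + len(token)                         // 12 bytes of addresses/ports plus one TLV
	h = append(h, byte(n>>8), byte(n))
	h = append(append(h, src[:]...), dst[:]...)
	h = append(h, byte(srcPort>>8), byte(srcPort), byte(dstPort>>8), byte(dstPort))
	h = append(h, tlvSignedToken, byte(len(token)>>8), byte(len(token)))
	return append(h, token...), nil
}

// DecodeProxyV2 parses such a header into the claimed source IP and the token TLV; the IP is trustworthy only once the token is verified, so a missing TLV is rejected.
func DecodeProxyV2(b []byte) (net.IP, []byte, error) {
	if len(b) < 16 || string(b[:12]) != proxyV2Sig || b[12] != 0x21 || b[13] != 0x11 {
		return nil, nil, errors.New("not a PROXY v2 TCP/IPv4 header")
	}
	n := int(binary.BigEndian.Uint16(b[14:16]))
	if n < 12 || len(b) < 16+n {
		return nil, nil, errors.New("truncated header")
	}
	body := b[16 : 16+n]
	var token []byte
	for tlvs := body[12:]; len(tlvs) >= 3; {
		t, l := tlvs[0], int(binary.BigEndian.Uint16(tlvs[1:3]))
		if len(tlvs) < 3+l {
			return nil, nil, errors.New("truncated TLV")
		}
		if t == tlvSignedToken {
			token = tlvs[3 : 3+l]
		}
		tlvs = tlvs[3+l:]
	}
	if token == nil {
		return nil, nil, errors.New("signed-token TLV missing; do not trust the address")
	}
	return net.IPv4(body[0], body[1], body[2], body[3]), token, nil
}
```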
* feat: add GCP KMS support for Teleport CA key material
This commit implements support for GCP KMS as a backend for CA
operations in Teleport.
This is able to take advantage of much of the infrastructure that we have
already created for HSM support, and simply appears as a new backend for
the private key material.
The necessary configuration parameters include only the name of the KMS
keyring to use, and the protection level (which can be HSM or SOFTWARE).
These are configured in the teleport.yaml directly, in a new section
under the existing `ca_key_params` used for HSM configuration.
The GCP credentials are expected to be provided to the Teleport auth
server via the
[Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc).
This means that it "just works" if the auth server is running on a GCP
compute instance with the correct attached role, and you can run tests
locally by authenticating with `gcloud auth login`.
This does not support Teleport Cloud, as our current HSM support does
not, because the Auth server needs the configuration and the access to
the GCP account. That would be a larger effort probably requiring a new
Teleport service.
* Update logrus package to fix data races
* Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved troubleshooting.
* Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests.
* Run integration test for e as well
* Use make with a cap and append to only copy the relevant roles.
* Address review comments
* Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output.
* Revert changes to InitLoggerForTests API
* Create a new logger instance when applying defaults or merging with file service configuration
* Introduce a local logger interface to be able to test file configuration merge.
* Fix kube integration tests w.r.t. log
* Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
Added support for an identity-aware, RBAC-enforcing, mutually
authenticated, web application proxy to Teleport.
* Updated services.Server to support application servers.
* Updated services.WebSession to support application sessions.
* Added CRUD RPCs for "AppServers".
* Added CRUD RPCs for "AppSessions".
* Added RBAC support using labels for applications.
* Added JWT signer as a services.CertAuthority type.
* Added support for signing and verifying JWT tokens.
* Refactored dynamic label and heartbeat code into standalone packages.
* Added application support to web proxies and new "app_service" to
proxy mutually authenticated connections from proxy to an internal
application.