Commit graph

149 commits

Author SHA1 Message Date
Anton Miniailo 8a1be0cfd5
Improve UX for headless kube proxy by giving user more time when reissuing expired certificates (#33728)
* Improve UX for headless kube proxy by giving user more time when reissuing expired certs.

* Add support for '--set-context-name' to 'tsh proxy kube'
2023-10-23 20:56:35 +00:00
Rafał Cieślak 37e52dc8a8
Manually fire OpInit in NodeJoinWait test (#33636) 2023-10-19 12:31:52 +00:00
rosstimothy 2087a2fda8
Implement Create/UpdateRole on the auth server (#33491)
In addition to adding server and backend handling for create and
update roles, the services.Access interface was updated to return
a role from the existing Create/UpsertRole methods. Bumps the e
ref to incorporate the associated changes needed there to prevent
breaking the build.
2023-10-18 17:06:50 +00:00
Grzegorz Zdunek 163e04e167
Add unified resource view gRPC handler to tshd (#33150)
* Add unified resource view gRPC handler to tshd

* Improve comments

* Move `kinds` validation to `unifiedresources.List`

* Make `listUnifiedResources` return a union

* Rename `CombinedResource` to `UnifiedResource`

* Support `pinnedOnly`

* Ignore unsupported resources

* Fix lint issues

* Run prettier

* Take kubes from `PaginatedResource_KubernetesServer`, not `PaginatedResource_KubeCluster`
2023-10-18 11:45:29 +00:00
Marek Smoliński f69d7ba790
Add Access Monitoring Ping Auth Response Feature flag (#33577) 2023-10-17 16:43:41 +00:00
Andrew Burke c4b2861f70
Show resources in Slack notification for access requests (#32887)
This change updates Slack notifications for resource-based access
requests to include the resources being requested.
2023-10-10 21:01:32 +00:00
rosstimothy b60ea81d54
Update users interface (#32987)
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow up PRs.

```diff
// UserGetter is responsible for getting users
type UserGetter interface {
	// GetUser returns a user by name
-	GetUser(user string, withSecrets bool) (types.User, error)
+	GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}

// UsersService is responsible for basic user management
type UsersService interface {
	UserGetter
	// CreateUser creates user, only if the user entry does not exist
-	CreateUser(user types.User) error
+	CreateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateUser updates an existing user.
-	UpdateUser(ctx context.Context, user types.User) error
+	UpdateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
	// the result to storage. Return `false` from `fn` to avoid storage changes.
	// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
	// Returns the storage user.
	UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
	// UpsertUser updates parameters about user
-	UpsertUser(user types.User) error
+	UpsertUser(ctx context.Context, user types.User) (types.User, error)
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server
-	GetUsers(withSecrets bool) ([]types.User, error)
+	GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
	// DeleteAllUsers deletes all users
-	DeleteAllUsers() error
+	DeleteAllUsers(ctx context.Context) error
}
```
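Review bot: `CompareAndSwapUser` (the line reading `CompareAndSwapUser(ctx context.Context, new, existing types.User) error`) is the one write operation in this interface left returning only `error`, while the message says write operations now return the stored user; either change it to `(types.User, error)` for consistency with `UpdateUser`/`UpsertUser`, or add a sentence to its doc comment saying why it is excluded. Minor style point on the same line: the parameter name `new` shadows the Go builtin, so `updated, existing` would read more clearly.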

Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
2023-10-10 14:07:46 +00:00
Zac Bergquist f097bb2737
Fix self-signed cert validity on macOS systems (#32698)
As per https://support.apple.com/en-in/HT210176:

> TLS server certificates must contain an ExtendedKeyUsage (EKU)
  extension containing the id-kp-serverAuth OID.

We were not specifying this EKU.

Validated by checking with the old self-signed certs:

    $ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
    Cert Verify Result: Invalid Extended Key Usage for policy

And then repeating the process after this change:

    $ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
    ...certificate verification successful.

Closes #32531
2023-10-09 17:03:43 +00:00
Rafał Cieślak 8098f63d2f
Improve Connect My Computer UI & logout experience (#32786)
* Kill agent after removing workspace on logout

Quick shutdown of an agent now induces a 3 second timeout if there are
active connections (#31869). I changed the logout procedure so that we
first remove the workspace (and thus close all tabs) and only then kill
the agent. This makes it so that if there were any open connections from
the app, we'll close them before killing the agent, which means the app
will close without that 3 second timeout.

* Make Start Agent button's handler ignore errors

* Avoid rendering labels if there's no node

This could happen if someone started and stopped the agent and then clicked
Start Agent with expired certs. agentNode would go from undefined to defined
back to undefined, but it seems that <Transition> doesn't unmount immediately.

* clusters.Cluster.Logout: Make error handling more explicit

!trace.IsNotFound(err) returns true both when the error is nil and when
it's not nil but the error is not NotFound. Meaning that code after the
conditional would run only when err is NotFound.

I added a bogus error to test something after the conditional and then
spent 30 minutes wondering what's going on.

* Display an empty ring if agent is set up but not running

This makes it consistent with the Connections list which also displays
an empty ring if there are no connections.

* Expand NavigationMenu stories, add story for agent starting

* Avoid calculating indicator status if user cannot use feature

* Copy progress icon from Cloud's ProgressBar

* Return 'not-configured' early if agent is not configured

* Add story for when agent is configured but not started, reorder stories
2023-09-29 12:55:58 +00:00
Lisa Kim a2d788d698
Add promoted access list title to teleterm access request (#32708) 2023-09-28 06:13:12 +00:00
STeve (Xin) Huang 1ee983b8ef
Fix issue Teleport Connect Kube terminal throws internal server error (#32595)
Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com>
2023-09-26 22:31:09 +00:00
Grzegorz Zdunek 81c352c413
Connect My Computer: Keeping compatibility promise (#31951)
* Add server version to cluster

* Add components to display compatibility promise

* Show compatibility promise on status page

* Show compatibility promise on setup page

* Rename `serverVersion` -> `proxyVersion`, make all places to use `makeRootCluster`/`makeLeafCluster`

* Move `UpgradeAgentSuggestion` to a new file, make it stateless

* Return `isAgentCompatible` instead of `isNonCompatibleAgent` from context

* Add // DELETE IN comments

* Improve copies

* Add a story for too old client in Setup

* Extract CONNECT_MY_COMPUTER_RELEASE_MAJOR_VERSION

* Run prettier

* Fix license

* Show an error on the CMC icon when the agent is not compatible

* Always say "version" before the version number

* Adjust tests

* Drop "if you wish" from the copies
2023-09-21 13:54:36 +00:00
Grzegorz Zdunek 027566a8cb
Connect My Computer: Remove the agent (#31020)
* Add RPCs for removing the node and reading its name

* Extract `isAccessDeniedError`

* Add a function to remove agent directory

* Add methods in Connect My Computer service to remove node, agent directory and connections

* Do not print warning when there is no agent to kill. The agent could not be started or even configured, so there is no point in showing that warning.

* Remove agent by clicking a button in the status document

* Remove agent by logging out

* Improve comments and error message

* `getConnectMyComputerNodeName` should return `string`, not `ServerUri`

* Move `removeConnections` method from `ConnectMyComputerService` to `ConnectMyComputerContext`

* Simplify integration test

* Document that connections have to be removed before removing agent dir

* Ignore NOT_FOUND errors

* Show a notification after removing the agent and close the tab

* `readUUid` -> `readUUID`

* Run prettier

* Extract a function that renders `useConnectMyComputerContext` hook to avoid duplicating the setup

* Move showing notification outside `catch` block, add tests

* Use `connection.kind` instead of parsing the resource URI

* Add `assertUnreachable`

* Pass `closeDocument` function to the status component instead of a document object

* Post-rebase fixes
2023-09-21 13:07:58 +00:00
Rafał Cieślak 847a1b1167
Implement waiting for Connect My Computer node to join cluster (#30905)
* Add daemon.Service.ResolveClusterURI

* Accept agents dir through command line flag

tshd needs to know this out of band, so that when the Electron app tells
it to watch for host UUID file for a specific cluster, the Electron app
can send just the profile name of the cluster instead of an arbitrary path
on the computer.

* Implement WaitForConnectMyComputerNodeJoin in tsh daemon

* wait: Use addEventListener instead of onabort

* Make TshAbortController emit abort event only once

This aligns it with a regular AbortController, which also emits the event
only once.

* Refactor how types are imported in tshd fixtures

* Implement WaitForConnectMyComputerNodeJoin in Electron app

* createAbortController: Add signal.aborted, use emitter.once

* Improve wait function based on Deno implementation

72d6e6641e/async/delay.ts (L39)

* Add a comment about the events package
2023-09-21 11:43:10 +00:00
Forrest 2d8e6d3776
always generate request IDs server-side (#31760)
* server-side request ids

* update e-ref
2023-09-13 16:08:11 +00:00
STeve (Xin) Huang d7a7a7e9eb
Attempt to refactor gateway CLI command (#31035) 2023-08-30 19:19:51 +00:00
Brian Joerger cf6473feb9
Add gRPC error interceptors to API client (#30578)
* Move gRPC error interceptors to api/utils/grpc/interceptors.

* Use error interceptors in api client and mock server.

* Apply suggestions from CR.

* Unwrap FromGRPC errors in middleware.

* Use gRPC auth service in tests instead of external example service.

* It's gRPC!!!

* Fix unit test.

* Add error interceptor to proxy client.

* Fix merge conflict.
2023-08-24 23:27:06 +00:00
Brian Joerger fc6bcf3cfb
Remove exported Webauthn functions (#30420)
* Add WebauthnLogin field to teleportClient and tsh for tests.

* Use custom WebauthnLogin func instead of test export.

* Remove HasPlatformSupport exported function.

* Add todo to remove lib/client/export.go.

* Parallelize affected tests.

* Apply suggestions from CR.
2023-08-17 02:18:23 +00:00
Brian Joerger bcd80ae1c0
Isolate MFA prompt into a new package (#30379)
* Add standalone MFA package.

* Add new MFA prompt methods to client

Deprecate exported PromptWebauthn function.

* Replace usage of old tc.PromptMFAChallenge method.

* Replace usage of old PromptMFAChallenge function.

* Remove unused MFA structs.

* Move HTTP structs out of lib/client/mfa.go.

* Apply suggestions from CR.
2023-08-17 00:19:10 +00:00
Brian Joerger 963ee50998
Fix PIV support for tsh proxy kube and Teleport connect (#30205) 2023-08-14 19:37:41 +00:00
STeve (Xin) Huang b6f43ed6d7
Teleport Connect kube gateway to save kubeconfigs in kube dir (#29952)
* Teleport Connect kube gateway to use a temporary dir for kubeconfig

* pass kubeconfigs dir

* getKube before creating gateway

* use name predicate
2023-08-09 13:40:59 +00:00
Jakub Nyckowski c65875ed9f
Fix test after Go 1.21 upgrade (#30201)
* Fix test after Go 1.21 upgrade

Updated the error messages in the lib/teleterm/teleterm_test.go and lib/auth/tls_test.go test files from "tls: bad certificate" to more specific ones ("tls: certificate required", "unknown certificate authority") to accurately reflect the Go 1.21 update in the TLS server behavior.

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
2023-08-09 00:07:47 +00:00
Brian Joerger 0c8e1068ab
Wait for headless watcher to initialize in tests instead of using a retry mechanism. (#30060) 2023-08-07 13:31:49 +00:00
Alan Parra 0c964aab05
chore: Bump gravitational/trace to v1.3.0 (#30064)
* chore: Bump gravitational/trace to v1.3.0

* Replace `trace.IsEOF` with `errors.Is`

* Fix IsPermanentEmitError
2023-08-04 21:39:24 +00:00
Brian Joerger 69f24f59cd
Fix call count race condition; Fix grpc server stop race condition; Make timeout less aggressive. (#29880) 2023-08-01 21:46:54 +00:00
Brian Joerger 29ff71ef09
Implement headless watcher approval logic in the Electron App. (#29097) 2023-08-01 18:44:47 +00:00
Rafał Cieślak e9056d1375
lib/teleterm TestStart: Increase timeout, improve error handling (#29809) 2023-08-01 08:44:06 +00:00
Rafał Cieślak cd000accaa
Ensure Connect shows Connect My Computer only to local users (#29804)
* Make sure Connect My Computer is not shown to SSO users

* Improve user type check in RoleSetup

* Reexport UserType

* Fix protos

* Add makeLoggedInUser test helper and use it in tests
2023-07-31 14:37:20 +00:00
STeve (Xin) Huang b94a710d3e
Connect Kube gateway part 4: frontend (#29376)
* Connect Kube gateway part 4: frontend

* add help msg to terminal

* try to fix eslint

* ClusterLogin: Handle empty targetUser in gateway

* make fix-license

* add check to test gateway.Kube.CLICommand

* code review comments

* add deprecation comments

* sendNotification: Use targetUri as a fallback

* Add deprecated comment to createTshKubeDocument

* Move updating doc status inside useAsync

* review comments

---------

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
2023-07-28 12:28:03 +00:00
STeve (Xin) Huang da5e4dc17a
Fix MachineID not working behind L7 LB (#29692) 2023-07-27 16:51:29 +00:00
Grzegorz Zdunek 9a8d19b67f
Connect My Computer: Generate the config file (#29010)
* Add methods to create and remove tokens

* Add a function to create agent config file

* Integrate token generation and config file creation

* Move response formatting to the handler

* Remove doc links

* Declare struct before its methods

* Remove `useRetryWithRelogin` usage

* Hold a clock in `TokenProvisionerConfig`, add a function that creates `TokenProvisioner`

* Do not use `EmptyResponse` in proto

* Create a specialized struct to return token and labels

* Add an integration test

* Uncomment `runGenerateConfigFileAttempt` step

* Run prettier

* Remove duplicated assertion and use more meaningful name

* Fix lint issue
2023-07-25 16:32:51 +00:00
Brian Joerger d5adf41886
Tune Headless Watcher retry logic in Teleport Connect (#29410)
* Reduce headless watcher max backoff period to 90s; Propagate watcher error properly; Don't retry on not implemented error.

* Stop watcher if it wasn't stopped already.
2023-07-25 08:27:36 +00:00
Steven Martin c8c91581c1
adds public web addresses to self-signed cert (#28766)
* adds public web addresses to self-signed cert

* skips adding ip addresses to self-signed cert

* skip error on public addresses

* lint fix

* optimize logic and log error

* Update lib/service/service.go

Co-authored-by: Noah Stride <noah.stride@goteleport.com>

* skip adding IP addresses to DNS SANS and log warning

* lint fix and update log message

* add public addresses into IP sans if ips

* remove comment

* lint fix

* include empty ipaddress for GeneratedSelfSignedCert calls

* removed

* update function call

* logic updates

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* handle when an IP address can't be parsed for self-signed cert

---------

Co-authored-by: Noah Stride <noah.stride@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-07-24 19:52:11 +00:00
STeve (Xin) Huang 2fad3badb7
Connect Kube gateway part 3: daemon create kube gateway (#29214)
* Connect Kube gateway part 3: daemon create kube gateway

* address code review comments
2023-07-20 16:07:32 +00:00
Rafał Cieślak fc49acb722
Add role setup for Connect My Computer in tshd (#28891)
* Ignore specific teleterm proto file rather than whole package

* clusters.Storage: Avoid unnecessary casting of URI back to string

* Storage.fromProfile: Move loading profile status to separate function

* Return client.TeleportClient together with clusters.Cluster

This is a stopgap to make clusters.Cluster a regular struct with no extra
behavior and a much smaller interface.

At the moment, almost all RPCs go through layers like these:

gRPC handler → daemon.Service → clusters.Storage → clusters.Cluster →
→ TeleportClient

As a result, clusters.Cluster has a gigantic interface that's hard to test.

Instead, we want to make it hold basic information about the cluster.
The real work will be done by collaborator structs which take clusters.Cluster
and TeleportClient as args. This way we can mock them out more easily in tests.

See the issue linked in the comment of clusters.Storage.GetByResourceURI
for more details.

* Make AddMetadataToRetryableError public

Since we're moving away from doing everything in clusters.Cluster, we'll
need to use this function from within the daemon package.

* Add IsRoot and IsLeaf methods to uri.ResourceURI

These methods will be used to return early if someone tries to set up
roles for a leaf cluster. Connect My Computer works with root clusters only.

* Add handler for creating Connect My Computer role

* Add test for calling GenerateUserCerts with bogus request ID

* Fix checking logins of existing role

* Remove commented out argument to ReissueUserCerts

* Add a stopgap comment to Storage.GetByURI

* Remove invalid doc links

* Ensure owner node label has expected value if role already exists

* Add unit test which checks RoleSetup.Run idempotency

* Add godoc for Resolver

* Simplify watcher equality check, add a comment

* Expand the comment for DropAccessRequests

* Fix position of Connect My Computer popover

* Integrate role setup with setup document

* Add temporary action to additional actions

This will be removed once the parent PR is approved. I just wanted to give
reviewers a shortcut to triggering the endpoint from the actual app.

* Add return type to createRole

* Add useRetryWithRelogin

* Wrap role setup in retryWithRelogin

* Remove useRetryWithRelogin in favor of retryWithRelogin & useCallback

* Remove CMC role setup from AdditionalActions

* Prettier fix

* Fix eslint
2023-07-20 11:42:22 +00:00
Brian Joerger 2099ccc746
Teleport Connect headless watcher (#28844)
* Implement headless watcher backend for Teleport Connect.

* Add headless watcher to tshd daemon service.

* Add SendPendingHeadlessAuthentication rpc to tshd events service.

* Add UpdateHeadlessAuthenticationState rpc to the daemon service.

* Address comments.
2023-07-19 02:56:24 +00:00
STeve (Xin) Huang ed8d212812
fix flaky teleterm daemon test (#29218) 2023-07-18 00:00:33 +00:00
STeve (Xin) Huang 336518e0b5
Connect Kube gateway part 2: command provider (#28920)
* Connect Kube gateway part 2: command provider

* gateway.Database and gateway.Kube interface

* remove cmd.ProviderManager and fix integration test

* revert cluster.RootClusterName change for now as profile may not have key
2023-07-17 13:11:30 +00:00
STeve (Xin) Huang 860931461b
lib/teleterm: Cast strings to uri.ResourceURI as soon as possible (#28908)
* teleterm go use uri.ResourceURI instead of string

* fix build

* review comments
2023-07-12 15:51:45 +00:00
Brian Joerger 5c9501235e
Refactor Gateway Cert Reissuer and tshd events client (#28782)
* - Move tshd events client into the daemon service.

- Replace gateway cert reissuer with a more reusable retryWithRelogin
method.

* Resolve comments.
2023-07-11 20:50:16 +00:00
STeve (Xin) Huang a86283e261
Connect Kube gateway part 1: lib/teleterm/gateway (#28312)
* Connect Kube gateway part 1: lib/teleterm/gateway

* fix lint

* move IsDB/IsKube to resource URI

* address review comments

* config dir

* use ProfileDir instead of ConfigDir

* remove NewKubeForwardProxyWithListener
2023-07-10 12:58:23 +00:00
rosstimothy 119dc7a3a3
Reduce login latency (#28499)
Reuse the root cluster auth client during the login process
to reduce latency.

Closes #26712.
Partially addresses #26712.
2023-07-05 15:51:56 +00:00
Rafał Cieślak 6547a0150f
lib/teleterm: Remove misleading error log after LocalAgent.GetKey (#28662)
* lib/teleterm: Remove misleading error log after LocalAgent.GetKey

* Remove unnecessary check
2023-07-05 12:05:53 +00:00
Grzegorz Zdunek 3c4ed44a09
Connect My Computer: check permissions before showing in the UI (#28346)
* Move CMC icon and setup document to common `ConnectMyComputer` directory

* Add permissions to show CMC

* Use `cluster.leaf` to check if a cluster is a root cluster

* Rename `isConnectMyComputerPermittedForRootCluster` to `canUseConnectMyComputer`

* Add licenses

* Rename `DocumentSetup` to `DocumentConnectMyComputerSetup`

* Check `cluster.leaf` flag to verify if the cluster is a root cluster

* Do not throw in `canUseConnectMyComputer`

* Add comments

* Use the same field name in a documentation comment

* Use relative import
2023-07-03 08:14:11 +00:00
Grzegorz Zdunek bcf6e8fd30
Connect My Computer: Add ACL (#28131)
* Add ACL to Connect

* Apply Zac's suggestions

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Rename `convertToApiResourceAccess`

* Use `recorded_sessions` and `active_sessions` instead of `sessions` to avoid confusion.

Web has two fields for "sessions", and we should have too.

* Reserve "sessions" too

* Rename `ACL` to `acl`

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-06-28 07:34:06 +00:00
Alex McGrath 1826f93d2e
Fix wrong CertTTL the KeyTTL if it's zero in teleterm (#28284)
Make use of updateClientFromPingReponse
2023-06-26 14:01:43 +00:00
STeve (Xin) Huang e677aadb9f
Fix an issue ALPN handshake test does not respect "HTTPS_PROXY" (#27583)
* Fix an issue ALPN handshake test does not respect "HTTPS_PROXY"

* address review comment

* remove simplehttsproxy

* Add context to IsALPNConnUpgradeRequired in ten thousand places

* add goc and dial with context
2023-06-13 15:30:48 +00:00
Michael Wilson 1b3201a97c
Add the notion of friendly names to access request details. (#27495)
* Add the notion of friendly names to access request details.

Access request details can now return friendly names. This will help display
access request resources in a way that allows easier reviewing of Okta apps
and user groups, where the names are not human readable.

* Use friendly name for nodes, tune variable names.

* Add in DetailsID helper function for use by the enterprise UI.

* Request apps instead of app servers, remove DetailsID as it's no longer needed.

* Push friendly name into app and usergroup UI objects.

* Fix apps test.

* Linting.

* [Connect] Add FriendlyName to AccessRequest (#27694)

---------

Co-authored-by: Michael <michael.myers@goteleport.com>
2023-06-13 14:02:16 +00:00
Tiago Silva 0961bcba79
Fix Teleport Connect assume roles (#27577)
Teleport Connect didn't purge the cache on assume roles action which resulted in certificates being reused without the new role.

This PR drops locally cached certificates when a new assume role action is invoked.
2023-06-12 08:23:37 +00:00
Nic Klaassen 21e38dc125
Enable use of user traits in label expressions (#27138)
* enable user traits in label expressions

* move accessChecker methods to access_checker.go
2023-06-08 06:21:11 +00:00