* Update RFD with hardware key pin policies.
* Consolidate policy logic and update tests.
* Add pin private key policies; Make PIV PIN/Touch prompts work together.
* Prompt user to set pin/puk from default.
* Handle unexpected PIN auth errors.
* Resolve RFD password prompt comment.
* Handle incompatible private key policy in role sets (future-proof).
* Resolve comment on require mfa type string godocs and tests.
* A satisfying change.
* Address PIN/PUK prompt comments and other code suggestions.
* Resolve comments.
* Fix test that prompts for pin twice.
* Fix test.
Alters the tracing initialization logic such that 50% of all
tsh ssh commands run against Cloud are sampled. Additionally, some
of the detectors have been dropped to eliminate any details about
a user's machine being included in the attributes.
When logging in via `tsh` or doing a `tsh status`, a message expressing which
access lists need to be reviewed will be displayed along with the amount of
time left until the next review.
Access requests are now able to use the user login state as opposed to just
the static user definition. This will allow access lists to influence who can
review access requests.
* DiscoveryConfig: init service and add it to `tctl`
This PR starts the DiscoveryConfig service in gRPC server and allows
`tctl` to interact with those records.
It also adds access to the `editor` role.
Users should be able to RW any DiscoveryConfig.
DiscoveryService should be able to watch those resources, so that it can
act upon any changes.
* add revision
* add upsert method
* improve tctl -f command
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow up PRs.
```diff
// UserGetter is responsible for getting users
type UserGetter interface {
// GetUser returns a user by name
- GetUser(user string, withSecrets bool) (types.User, error)
+ GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}
// UsersService is responsible for basic user management
type UsersService interface {
UserGetter
// CreateUser creates user, only if the user entry does not exist
- CreateUser(user types.User) error
+ CreateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateUser updates an existing user.
- UpdateUser(ctx context.Context, user types.User) error
+ UpdateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
// the result to storage. Return `false` from `fn` to avoid storage changes.
// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
// Returns the storage user.
UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
// UpsertUser updates parameters about user
- UpsertUser(user types.User) error
+ UpsertUser(ctx context.Context, user types.User) (types.User, error)
// CompareAndSwapUser updates an existing user, but fails if the user does
// not match an expected backend value.
CompareAndSwapUser(ctx context.Context, new, existing types.User) error
// DeleteUser deletes a user with all the keys from the backend
DeleteUser(ctx context.Context, user string) error
// GetUsers returns a list of users registered with the local auth server
- GetUsers(withSecrets bool) ([]types.User, error)
+ GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
// DeleteAllUsers deletes all users
- DeleteAllUsers() error
+ DeleteAllUsers(ctx context.Context) error
}
```
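Review bot: `CompareAndSwapUser(ctx context.Context, new, existing types.User) error` names a parameter `new`, which shadows the Go builtin and is worth renaming (e.g. `updated`). It is also now the only write in the interface that still returns only `error`: after this change `CreateUser`, `UpdateUser` and `UpsertUser` all return the stored `types.User`, so a caller doing a compare-and-swap has to re-read to learn the new revision; returning `(types.User, error)` here would keep the API consistent. Finally, the godoc `// UpsertUser updates parameters about user` does not say that the call creates the user when it does not exist, which is the property that distinguishes it from `UpdateUser`.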
Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
* Fix `tsh kube credentials` when root cluster roles don't allow Kube access
This PR fixes an edge case where an error message is printed to the
users without proper knowledge of the role mappings between root and
leaf clusters.
The user certificates include the `kubernetes_users` and
`kubernetes_groups` allowed in the root cluster but nothing prevents the
access to be successful if the leaf cluster roles after the mapping
introduce the kubernetes principals.
This PR prevents tsh from failing when generating certificates for leaf
Kubernetes clusters.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Update tool/tsh/common/kube.go
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* add check to tsh proxy
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Header `Connection: close` causes `kubectl` to fail exec
The header `Connection: close` causes failure in kubectl when it upgrades
the connection to SPDY.
The `ReadTimeout` and `WriteTimeout` are known to cause problems to
Kubernetes watch streams.
Fixes #33020
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* add unit tests
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
When a user starts a session, we do not report the initial command used,
which causes visibility problems to moderators when they need to figure
out whether or not to join the session.
This PR exposes the initial command for SSH and Kubernetes so moderators
can decide if they want to join the session or not based on the initial
command.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Access Lists now have audit review recurrence presets. These allow users to
specify review frequencies of 1, 3, 6, or 12 months, and specify the 1st,
15th, or last days of the target month. Presets have been used for their
simplicity over other various recurrence definition mechanisms, as these
presets are much clearer than many of the other options.
* puttyconfig: Switch to string-based Validity format and deprecate MatchHosts
* Switch to more restrictive, reliable parsing
* Add validity string errors to docs
* Remove invalid test case
* Add test case
* Remove any spaces from user-provided input and use sanitized hostname
* Apply fixes from code review
* Tidy up errors, provide consistent detail about which field contains an error
* Disable docs lint for dots in heading
This is needed here, as there are 5 error messages which all start the same way but end differently.
* Catch a few more error cases
* Only delete old MatchHosts key after new Validity key has been written successfully
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Address Zac's comments from code review
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
This change adds the `client_id` option to the Discovery Service for
Azure VMs, which sets the client ID of the managed identity for discovered
nodes to use when joining the cluster. This allows the discovered nodes
to be discovered while having multiple managed identities assigned.
`tctl edit` was always performing a forceful update in the same way
that `tctl create -f` was. This prevents optimistic locking from being
enforced during the update step of the edit command and thus nullifies
some of the usefulness of the feature (preventing concurrent updates
to a resource).
Since not all resources support Update operations, some only support
Upsert, and optimistic locking will slowly be added one resource at
a time, the new behavior was only implemented for user resources.
The UpdateHandlers will be updated in follow up PRs when the resource
has support for optimistic locking added.
* Set revision on resources retrieved from the backend
Adds a new `MarshalOption` that ensures the resource revision is
set when unmarshalling a backend item. The new `WithRevision` option
was also applied everywhere that the legacy `WithResourceID` was
being used.
* Prevent storing resource revision in the backend item value
The revision follows the same semantics as the resource id for
marshalling. This prevents both items from showing up in the value
of the backend item, which can prevent compare and swap operations
from completing successfully. Each backend is responsible for
persisting the revision in some manner.
The existing PreserveResourceID was reused to prevent having to
make multiple copies of a resource when clearing the id and revision.
The marshal option will be updated in a follow up when the resource
id is removed.
* Ignore revision in resource comparisons
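The difference between the forceful write `tctl edit` used to perform and a revision-checked update, as an added example that is not part of the commits above or of Teleport's backend code: a toy single-user store (hypothetical `Store`, `User`, `EditRace`) in which two operators read the same revision, the first saves, and the second then saves a stale copy.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// User stands in for a Teleport resource carrying a backend revision.
type User struct {
	Roles    []string
	Revision string // opaque token the backend sets on every write
}

var ErrRevisionMismatch = errors.New("revision mismatch: resource changed since it was read")

// Store is a toy single-user, single-goroutine backend (hypothetical, not Teleport's).
type Store struct {
	cur User
	seq uint64
}

// Write stores u. With force=true it is an upsert, as `tctl create -f` does
// and `tctl edit` used to; otherwise u.Revision must still match the stored
// revision, so an edit based on a stale read is refused instead of clobbering.
func (s *Store) Write(u User, force bool) (User, error) {
	if !force && s.cur.Revision != u.Revision {
		return User{}, ErrRevisionMismatch
	}
	s.seq++
	u.Revision = strconv.FormatUint(s.seq, 10)
	s.cur = u
	return u, nil
}

// EditRace models two operators who both read the user; A saves, then B saves
// its stale copy with the given force flag. It returns the roles left in the
// store after both writes and B's error (nil when the forced write clobbered A).
func EditRace(force bool) ([]string, error) {
	s := &Store{}
	s.Write(User{Roles: []string{"access"}}, true)
	a, b := s.cur, s.cur // both copies carry the same revision
	a.Roles = []string{"access", "auditor"}
	s.Write(a, false) // A's edit lands and bumps the revision
	b.Roles = []string{"access", "editor"}
	_, err := s.Write(b, force)
	return s.cur.Roles, err
}

func main() {
	fmt.Println(EditRace(true))  // A's "auditor" role is silently lost
	fmt.Println(EditRace(false)) // B is told to re-read and retry
}
```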
* Generate access list suggestions on access request creation
* Add test
Cleanup code
* Add comment
* Fix typo and refactor access suggestion in services library
Fixed a typo in a comment in `access_list.go`. Refactored `accessrequest/suggestion.go` for enhanced code structure. The old model had all methods related to access request in a single interface, `accessRequestAPIGetter`, which had been divided among multiple interfaces for better division of responsibilities. A new function `GetSuggestedAccessLists` was created to narrow down the single duty for each function. These changes ensure more convenient unit testing and better accountability.
* Improve access request suggestions logic
This commit improves the logic for generating access request suggestions. It includes the requester's roles and traits as well as those from the access list and provides suggestions only for resource-based requests. A new method was also introduced for initializing AccessRequestSuggestions to avoid a nil error.
* Refactor access list suggestions to promotions
The concept of 'suggestions' was updated to 'promotions' in different files (auth.go, client.go, auth_service_test.go, auth_service.proto among others) to make it more intuitive and align with the business context. This implies changing the wording, the functions called and the variable names. The feature itself hasn't changed, just the way it is referred to.
* This commit changes the method name "GenerateAccessListSuggestions" to "GenerateAccessRequestPromotions" in multiple files. The naming is changed to reflect the actual function of the method, which is generating promotions for given access requests, rather than generating list suggestions. All relevant mentions and usages of this method are updated to reflect the name change. Modification also includes adjustments to the comments and interfaces related to the updated function for better code clarity.
* Refactor "GenerateAccessListSuggestions" to "GenerateAccessRequestPromotions"
Renamed method "GenerateAccessListSuggestions" to "GenerateAccessRequestPromotions" across the codebase. This change reflects the actual functionality of the method, which is to generate promotions for access requests, not suggestions. This aligns the method name with its purpose, and offers better code readability. Comments related to this function were also updated to maintain consistency.
* Update method handling access requests promotions
Revised the method of handling failures when generating access requests promotions. Now, even if promotions fail to generate, the request will not fail entirely. Instead, the request can still be approved but without promotions. Also, changed the UpsertAccessRequestAllowedPromotions method to CreateAccessRequestAllowedPromotions to clearly indicate its purpose, while revising related test cases and comments.
* Add a challenge identifier to TOTPRegisterChallenge
* Update generated protos
* Allow correct TOTP registrations via AddMFADeviceSync
* Use GetClock() instead of `.clock`
* Add daemon.Service.ResolveClusterURI
* Accept agents dir through command line flag
tshd needs to know this out of band, so that when the Electron app tells
it to watch for host UUID file for a specific cluster, the Electron app
can send just the profile name of the cluster instead of an arbitrary path
on the computer.
* Implement WaitForConnectMyComputerNodeJoin in tsh daemon
* wait: Use addEventListener instead of onabort
* Make TshAbortController emit abort event only once
This aligns it with a regular AbortController, which also emits the event
only once.
* Refactor how types are imported in tshd fixtures
* Implement WaitForConnectMyComputerNodeJoin in Electron app
* createAbortController: Add signal.aborted, use emitter.once
* Improve wait function based on Deno implementation
72d6e6641e/async/delay.ts (L39)
* Add a comment about the events package
To avoid security issues caused by a possible lack of file system
permissions on Windows, tsh only loads global config if the path
to the file is explicitly provided in the TELEPORT_GLOBAL_TSH_CONFIG
environment variable.
* remove prefix matching in tctl
* replace prefix matching with exact discovered name match as a fallback
when no resource full name matches the name given by a user
* refactor test helpers
* avoid decoding yaml/json into already initialized var
* remove tsh kube prefix matching
* fix retry with relogin for ambiguous clusters
* fix access request func to only request specified cluster
* consolidate test setup for login/proxy kube selection tests
* add more test cases for kube selection
* remove prefix testing
* fix testism
* add origin cloud label in tests
* refactor the check for multiple cluster login into a func
* AWS OIDC: command to configure IAM for listing databases
Previously we were guiding users in a series of screens and copy/paste
so that the user could configure the AWS OIDC Integration.
This guide also included adding the first feature: enroll an RDS
Database.
We created a new command that sets up the OIDC IdP, but decoupled from
the enroll rds feature.
After updating the guide to use the new command and remove the guide, we
must provide a way for users to set up the required policy for Enrolling
RDS Databases.
This PR adds that command.
* review pt1
* rename to ConfigureIAMListDatabasesRequest
* removed wrapper
* fix command description
* move aws client setup to common
* use logrus instead of log
* Careful handling when loading files
This commit attempts to provide a common API so that the decision of when to follow symlinks is a conscious decision.
Because Teleport (particularly the agent) runs in a privileged context, there is risk that following symlinks may allow information disclosure.
After review of the cases covered in this commit (and some additional cases where this API was not a natural fit), this does not appear to be a broad problem. This commit however does fix the one known flaw described in the issue https://github.com/gravitational/teleport-private/issues/1009
* Apply PR feedback to rename OpenFile
* fs.go: Fix symlink evaluation
* fs.go: Fix for rebuilding absolute paths in symlink check
* fs_test.go: Add symlink testing
* Apply suggestions from code review
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
* fs_test.go: Fix build for err reference
* fs.go: Apply PR feedback and consider Hardlinks
After PR discussion it was highlighted that MacOS does not guard against hardlinks in the same way linux does. For that reason this implementation has been updated with OS conditional logic to validate against hardlinks.
* fs.go: Switch loop to range over components instead of index
* Minor improvements from PR feedback
* fs_test.go: Test public OpenFile API's and include OS specific validation
* Fix windows build
Make hardlink count lookup code build conditional to avoid undefined syscall.Stat_t.
* utils.getHardLinkCount result order update from PR feedback
* fs_windows.go: Comment improvements from PR feedback
* fs: Fix build for OSX
* Disable lint error due to unnecessary cast on linux
---------
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
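The kind of link-aware open described in the commits above, as an added example that is not Teleport's fs.go: a hypothetical `OpenFileNoLinks` that Lstats every path component so a symlink anywhere in the path is refused, then checks the inode link count (the hardlink case raised in review, Unix only since it relies on `syscall.Stat_t`), and finally verifies the opened descriptor is the inode that was inspected.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrSymlink = errors.New("path component is a symlink")
var ErrHardlink = errors.New("file has more than one hard link")

// OpenFileNoLinks opens path read-only, refusing if any component of the
// absolute path is a symlink or the file has extra hard links. Hypothetical
// helper written for this example; it is not Teleport's fs.go. Unix only.
func OpenFileNoLinks(path string) (*os.File, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return nil, err
	}
	// Lstat every component: Stat on the leaf alone would follow a symlinked directory.
	var fi os.FileInfo
	cur := string(filepath.Separator)
	for _, part := range strings.Split(abs, string(filepath.Separator))[1:] {
		cur = filepath.Join(cur, part)
		if fi, err = os.Lstat(cur); err != nil {
			return nil, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%s: %w", cur, ErrSymlink)
		}
	}
	// Hard links are invisible in the mode bits, so check the inode link count
	// (regular files only: directories legitimately carry several links).
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && uint64(st.Nlink) > 1 {
		return nil, fmt.Errorf("%s: %w", abs, ErrHardlink)
	}
	f, err := os.OpenFile(abs, os.O_RDONLY, 0)
	if err != nil {
		return nil, err
	}
	// Close the check-then-open window: the descriptor must be the inode we inspected.
	if ofi, err := f.Stat(); err != nil || !os.SameFile(fi, ofi) {
		f.Close()
		return nil, errors.New("file changed between check and open")
	}
	return f, nil
}

func main() {
	_, err := OpenFileNoLinks("/etc/hostname")
	fmt.Println("open /etc/hostname:", err)
}
```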
* disallow prefix matching
* select by exact name match first,
* otherwise look for unambiguous discovered name label match.
* look for an active db to resolve discovered name match ambiguity.
* add more predicate builder helpers
* check for db name in not found error for stale cert hint
* no error status on tsh db logout with no logged in dbs
* remove dead code
* refactor helper funcs to simplify code and make it easier to test
* test complex database selection
* test findActiveDatabase
* test choosing one db by discovered name
* add more resource selectors tests
* test formatDatabaseLoginCommand
* add debug logging for db selection
* AWS OIDC: Set up integration with a single command
Creating an AWS OIDC Integration requires a lot of clicks, copy/paste,
navigation between tabs.
This PR adds a single teleport command that creates all the required
resources in AWS:
- AWS OIDC Identity Provider that uses Teleport as source
- AWS IAM Role that can be used by this Identity Provider
This role will then have inline policies allowing multiple features in
Teleport.
Example: a policy must be added to this role that has
`rds:DescribeInstances` and `rds:DescribeClusters` so that the user can
use the integration to enroll RDS Databases.
* improve docs
* improve godoc
`tctl sso configure github` was producing an untestable connector
spec, or at least a spec that would _always fail_ when tested with
`tctl sso test`, due to missing GitHub endpoints in the generated
spec.
This change adds the default GitHub endpoint URLs as default values
for the endpoint flags in `tctl sso configure github` so that the
produced spec is valid and testable.
Note: Our WebUI appears to magically add these values when saving
a connector, so this issue only really affects `tctl sso test`.
Includes doc update to match new output.
Fixes: #31396
Changelog: `tctl sso configure github` now includes default Github endpoints
This PR chains `client.RetryWithRelogin` and `retryWithAccessRequest`
helpers to deal with cases where a user's credentials don't exist or are
already expired.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>