* Fix bug with OIDC powered sessions logged out after 10 minutes
* Adjust web sessions durations by taking roles into account
* Provide explicit TTL enforced on the server side for bearer tokens
Before this PR the web session TTL was measured using defaults,
10 minutes for local sessions and 1 hour for OIDC sessions, and
the system relied on the client to renew the bearer token.
With this change the bearer token TTL is set to 10 minutes
and the entire web session will expire if not renewed before.
The maximum session duration is set to 12 hours, if not
limited to a smaller value by roles in RBAC modules.
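As an added illustration of the two deadlines this PR describes (not Teleport's own code), the Go model below enforces both on the server side: a short bearer token that the client must keep renewing, and an absolute session cap of 12 hours that roles can only shorten, never extend. The `Role` type, its `MaxSessionTTL` field and all function names are assumptions made for the example, not Teleport identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Defaults taken from the change description: a 10-minute bearer token
// and a 12-hour ceiling on the whole web session.
const (
	BearerTokenTTL   = 10 * time.Minute
	MaxWebSessionTTL = 12 * time.Hour
)

// Role is a hypothetical, minimal role shape (assumption: only the field
// relevant to session duration is modelled). Zero means "no limit".
type Role struct {
	Name          string
	MaxSessionTTL time.Duration
}

// WebSession carries the two server-enforced deadlines.
type WebSession struct {
	BearerExpires  time.Time // short-lived, renewable
	SessionExpires time.Time // absolute cap, never moved
}

// EffectiveSessionTTL returns the 12-hour default or the smallest
// non-zero limit imposed by any of the user's roles, whichever is shorter.
func EffectiveSessionTTL(roles []Role) time.Duration {
	ttl := MaxWebSessionTTL
	for _, r := range roles {
		if r.MaxSessionTTL > 0 && r.MaxSessionTTL < ttl {
			ttl = r.MaxSessionTTL
		}
	}
	return ttl
}

// NewWebSession issues a session at time now; the first bearer token
// cannot outlive the session itself.
func NewWebSession(now time.Time, roles []Role) WebSession {
	sessionTTL := EffectiveSessionTTL(roles)
	bearer := BearerTokenTTL
	if sessionTTL < bearer {
		bearer = sessionTTL
	}
	return WebSession{
		BearerExpires:  now.Add(bearer),
		SessionExpires: now.Add(sessionTTL),
	}
}

// Renew issues a fresh 10-minute bearer token. It refuses once the old
// token has lapsed (the whole session is gone, as the PR states) and
// clips the new token to the absolute session expiry.
func (s WebSession) Renew(now time.Time) (WebSession, error) {
	if !now.Before(s.BearerExpires) {
		return s, errors.New("bearer token expired: web session is gone")
	}
	if !now.Before(s.SessionExpires) {
		return s, errors.New("maximum session duration reached")
	}
	next := now.Add(BearerTokenTTL)
	if next.After(s.SessionExpires) {
		next = s.SessionExpires
	}
	s.BearerExpires = next
	return s, nil
}

// Valid is the check the server applies to every request: both deadlines
// must hold regardless of what the client claims about its token.
func (s WebSession) Valid(now time.Time) bool {
	return now.Before(s.BearerExpires) && now.Before(s.SessionExpires)
}

func main() {
	now := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	roles := []Role{{Name: "admin"}, {Name: "contractor", MaxSessionTTL: 2 * time.Hour}}
	s := NewWebSession(now, roles)
	fmt.Println("session cap:", EffectiveSessionTTL(roles))
	fmt.Println("valid at 9m:", s.Valid(now.Add(9*time.Minute)))
	fmt.Println("valid at 11m without renewal:", s.Valid(now.Add(11*time.Minute)))
}
```

The point the model makes is that renewal is a server decision: a client that presents an old token after the 10-minute window, or keeps renewing past the role-derived cap, is rejected no matter how it behaves.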
The base SSH server implementation now sends SSH keepalives at a rate of
1/4 of the "idle timeout" constant. The client properly responds to keepalive
pings.
The SSH client, instead of creating 2 goroutines for handling SSH
requests and SSH channels, now uses the same (existing) goroutine with a
for-loop + select statement.
BoltDB backend is now compatible with how all backends should
initialize.
Also all BoltDB-specific code/constants have been consolidated inside of
`backend.boltbk` package.
Also, some DynamoDB bug fixes. The migration algo:
- load all existing entries and keep them in RAM
- create <table_name>.bak backup table and copy all entries to it
- delete the original table_name
- re-create table_name with a new schema (with "FullPath" instead of "Key")
- copy all entries to it
- Added ability to read AWS config from `~/.aws` directory for testing
- Fixed TTL bug in DynamoDB back-end
- Made FS back-end return similar error types as Boltdb does
- Cleaned up buggy tests for DynamoDB
- Removed unnecessary locks everywhere in code
Note: had to add my own implementation of TimeSource interface because
it will take some time to get Mailgun team to accept my PR into their
timetools package.
This backend can be enabled by optionally adding a new build flag.
See lib/backend/dynamo/README.md for details.
It should not affect default Teleport builds.
* clients to tun servers now support failover on the client
* clients periodically pull and sync auth servers that are available in the cluster
* teleport stores the information about cluster state locally and reuses it on restart
This commit includes refactoring and cleanup of the cert authority subsystem:
* User keys methods are deleted
* Authorities CRUD is simplified
* Lots of code removed