* Introduce an OktaAssignmentsGetter and use it in the watcher.
The `OktaAssignmentWatcher` has been adjusted to use an
`OktaAssignmentsGetter` interface, which is a read-only interface. This is
due to the fact that the `OktaAccessPoint`, used by the Okta service, does
not fully implement the `OktaAssignments` interface (it does not implement
`DeleteAllOktaAssignments`). As the watcher only needs the read functions,
this will allow us to prevent the Okta service from having access to the
`DeleteAll` while still being able to use the `OktaAssignmentWatcher`.
* Update lib/services/okta.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update lib/services/okta.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
---------
Co-authored-by: Marek Smoliński <marek@goteleport.com>
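To illustrate the read-only narrowing this commit describes, here is an added Go example (not Teleport's code); the method names, the in-memory store, `ReadOnlyAccessPoint` and `CanDeleteAll` are assumptions for illustration:

```go
package main

import "context"

// Assignment stands in for types.OktaAssignment (constructed for this example).
type Assignment struct{ Name, User string }
// OktaAssignmentsGetter is the read-only view: everything the watcher needs.
type OktaAssignmentsGetter interface {
	ListOktaAssignments(ctx context.Context) ([]Assignment, error)
}

// OktaAssignments is the full read/write interface; it embeds the getter, so
// every full implementation also satisfies the read-only view.
type OktaAssignments interface {
	OktaAssignmentsGetter
	DeleteAllOktaAssignments(ctx context.Context) error
}

type memoryStore struct{ items []Assignment } // constructed in-memory backend

func NewMemoryStore(items ...Assignment) *memoryStore { return &memoryStore{items: items} }

func (s *memoryStore) ListOktaAssignments(context.Context) ([]Assignment, error) {
	return append([]Assignment(nil), s.items...), nil // copy: callers cannot mutate the store
}

func (s *memoryStore) DeleteAllOktaAssignments(context.Context) error {
	s.items = nil
	return nil
}

// ReadOnlyAccessPoint is the handle given to the Okta service. Embedding the interface
// type (not *memoryStore) promotes only the getter's method set, so DeleteAll is
// unreachable from the service even through a type assertion.
type ReadOnlyAccessPoint struct{ OktaAssignmentsGetter }

// OktaAssignmentWatcher depends on the narrow interface only.
type OktaAssignmentWatcher struct{ Getter OktaAssignmentsGetter }

// CountAssignments stands in for the watcher's real, read-only work.
func (w *OktaAssignmentWatcher) CountAssignments(ctx context.Context) (int, error) {
	list, err := w.Getter.ListOktaAssignments(ctx)
	return len(list), err
}

// CanDeleteAll reports whether a handle still exposes the destructive method.
func CanDeleteAll(g OktaAssignmentsGetter) bool {
	_, ok := g.(interface{ DeleteAllOktaAssignments(context.Context) error })
	return ok
}
```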
* Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0
Bumps [github.com/jonboulle/clockwork](https://github.com/jonboulle/clockwork) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/jonboulle/clockwork/releases)
- [Commits](https://github.com/jonboulle/clockwork/compare/v0.3.0...v0.4.0)
---
updated-dependencies:
- dependency-name: github.com/jonboulle/clockwork
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* also update clockwork in api/
* consistently use fake clock in TestGenerateCerts
* fix TestGenerateUserCerts
* test fixes
* `go mod tidy` in api/
* fix TestGetKubeCredentialData
* tentative fix for TestUsageReporterDiscard
* fix test timeouts in lib/srv
* pass current time to getCredentialData
* fix timezone for circuit breaker test
* remove UTC conversions in test instead of adding in the production code
* tentative fix for TestSessionTracker_UpdateRetry flakiness
* fix aggregating.TestSubmitOnce
* add initial wait for session tracker retries
* fix kube proxy forwarder tests
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
The server may kill the stream prior to sending or receiving a message,
so the test now checks whether an io.EOF was received in response to
interacting with the server. We expect that an io.EOF should be
received either when sending or receiving a message. If both complete
successfully then we expect to receive the actual access denied error.
Teleport 13 supports clients running `>=12.0.0 && <=13.x.x` and all of
them already support Role `v6`, thus the downgrade logic can be removed
without impact.
* Add ability to request RouteToCluster in generated certs
* Start to account for identity impersonation when using client
* Expose routed and unrouted impersonated identities
* Fix tests
* Add Close method to mock auth
* Add support for other tests to use AuthenticatedUserClientFromIdentity
* Neater wrapping of args
* athena audit logs - publisher
* pass also version id
* Update lib/events/athena/publisher.go
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* rename snsCli and parse large_events_payload url before
* use aws sdk retry
* Wrapping errors
* update description
* go mod tidy
* Drop unused endpoints
* move log and awsConfig to top level config
* update aws-sdk-go-v2 deps
* address last PR comments
* update e_import and run go mod tidy
* go mod tidy
* make ci linter happy
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* AWS-hosted OpenSearch support.
* Review: comments, case, cleanup.
* Review: comments, region discovery, typos, shared func, fix error type, fix empty CA case.
* Review: address comments.
- add docs
- refactor opensearch engine code
- make `opensearchsql` default client
- drop utils.CloneRequest function, it is not suitable for general use
- drop "extra args" functionality, it should be a separate PR and more generic
- minor refactorings
* Fix: linting, refactoring issues.
* Review: update the comment for accuracy.
* Correct merge issue.
* Review: reuse transport, use different context, rename tests
* Review: unexport internal error types, explicitly test the error serialization.
* fix iam statements for AWS assumed-role identity
* configurator tries to convert assumed-role to role
* revert IAM semaphore to use identity name
* hide the unused --attach flag, fix typo
* godoc reminder for databases with IAM db users
* add AWS Keyspaces and DynamoDB to AWS configurator
* relax constraint on external id in fileconfig
* add fileconf test for externalid w/o assume role
* check for actions before prompting to confirm
* fix teleport discovery bootstrap --confirm
Instead of modifying the current `TeleportClient` to have no jump
hosts, a new one is cloned from the existing one without the jump
hosts set.
Closes #24185
Adds `GetResource` helpers that leverage generics to return a slice
of the expected resource type. This eliminates the need to use
a `type.ListResourcesResponse` and then call `AsServers` to convert
the `[]types.ResourceWithLabels` to `[]types.Server`.
Only calls for `types.Server` have been converted. Other resources
can be converted over time.
* Default headless to --mlock=best_effort to reduce errors to a debug
log.
* Add error for non-linux operating systems using headless.
* Add a better mlock error message and add corresponding troubleshooting
docs.
Migrates `tsh ls` to connect to the cluster via the new
`client.ClusterClient` to help reduce latency caused by geolocation.
Doing so resulted in some tests failing due to the cluster name of
the client not being set correctly. The `ClusterClient` now only
uses the guessed client if jump hosts were provided and the inferred
cluster name is not the root cluster.
* Add CA, Role, Lock AuthPreference RO permissions to RoleOkta.
RoleOkta now has read-only access for CertAuthority, Role, Lock, and
ClusterAuthPreference objects so that it can utilize an authorizer when
redirecting apps.
* Remove lock from Okta cache, remove tasks*.go.
* Expose Ping() in bare auth server
* Handle both pointer and bare PluginStatusV1
* Add metric name
* Add StatusSink
* Run GCI
* Move comment back to auth_with_roles
* Update lib/auth/auth.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Rework SetStatus
* Inline TryEmitStatus and use a proper context
* Fix copyright notice
* Fix bug in statusFromStatusCode
* Test statusFromResponse
* Add link to Slack API schema
* Refactor statusFromStatusCode
* Expand comment for Ping()
* Add basic check for status in slack test
* Address nits
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* client-side upgrade window export
adds client-side logic for exporting maintenance windows
for external updaters. export behavior is enabled via
env var (`TELEPORT_EXT_UPGRADER=kube|unit`).
* print raw version
* update e-ref
* Fix headless authentication watcher race condition on initial backend
check
* Fix rare race condition in headless authn watcher test using sync.Once
* Customize time between put events to avoid unwanted stale checks.
* Ensure the Okta service can connect through the reverse tunnel.
A few additional spots were not updated when enabling tunneling for the new
enterprise Okta service. Those spots are:
* `auth.DefaultDNSNamesForRole` needed to be updated to ensure that wildcard
certs for the API domain are generated.
* `reversetunnel` updates to ensure the `OktaTunnel` is handled in a similar
fashion to the `AppTunnel`.
* `process.getAdditionalPrincipals` needed to be updated to account for the
`HostUUID` as part of the principals supported for certificates.
With these, the Okta service is able to handle connections over the reverse
tunnel properly.
* Add comment to getConn switch statement.
* Consistency for role impersonation expiry between normal join & delegated joining bots
* Add testing for certificate expiry configuration
* Add another test case
* refactor SFTP backend to use upstream dep, not our fork
This change also greatly reduces the number of SFTP audit logs.
Now SFTP events are only sent when files are opened or modified
in any way, instead of for *every* SFTP request.
* added to SFTP integration test
* fix error when handling setstat on dirs
* fix linter warning
* move file/dir permission constants to lib/defaults package
* Export desktop recordings to video
Add a new tsh command that will write Windows desktop recordings
to an AVI file for offline playback. Encoding is done client side
to avoid consuming server resources.
This uses the Motion JPEG codec (https://en.wikipedia.org/wiki/Motion_JPEG)
for its simplicity and ease of use. Something like ffmpeg would perform
better in nearly every aspect (run time, compression / file size, video
quality, etc), but that would complicate our build process and add extra
native dependencies. This implementation uses pure Go and works on any
platform where tsh runs today.
Also make sure `tsh recordings ls` shows Windows and SSH recordings.
* Untangle test imports
lib/events/eventstest is allowed to import lib/events
(it needs to in order to implement interfaces and use types)
This means lib/events cannot import lib/events/eventstest,
which requires that we move some tests from package events
to package events_test
* tdp: break dependency on lib/srv
The lib/srv package is large and contains Unix-specific code.
Now that tsh needs to understand the TDP protocol, we need to
avoid importing lib/srv so that tsh can still build on Windows.
* Delete teleterm's ptyHost/v1, added by mistake
* Add package name to protos conforming to PACKAGE_VERSION_SUFFIX
* use go run in buf-connect-go.gen.yaml directly
* Run protogen in place
* Run the buf-go generation off of go run
This also adds protoc-gen-go-grpc to go.mod