Commit graph

964 commits

Author SHA1 Message Date
Nic Klaassen 4d76910b59
nicer ResourceID strings (#13093) 2022-06-03 01:33:11 +00:00
Nic Klaassen 814664ab66
[Search-based access requests] Enforce resource access restrictions (#12651) 2022-06-03 00:04:44 +00:00
Håkon Solbjørg 6f73b82935
fix(teleport/db-create): Use --proxy instead of --auth-server in example command (#12834)
`teleport db create` uses --proxy and not --auth-server.

See this example (some output removed for brevity):
```
$ tctl tokens add --type=db,node
*snip*
Or, generate the configuration and start a Teleport agent using it:

> teleport db configure create \
   --token=... \
   --ca-pin=... \
   --auth-server=my-server.example.org \
   --output file:///etc/teleport.yaml

> teleport start -c /etc/teleport.yaml

$ teleport db configure create \
>    --token=... \
>    --ca-pin=... \
>    --auth-server=my-server.example.org \
>    --output file:///tmp/foo.yml
teleport: error: unknown long flag '--auth-server'
```

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2022-06-02 22:46:39 +00:00
rosstimothy c3736c7c70
Span forwarding (#12980)
* Span forwarding

Modifies the auth grpc server to implement the OTLP Collector
RegisterTraceServiceServer API (https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/collector/trace/v1/trace_service.proto).
This allows the auth server to receive spans from other services
like `tsh`, `tctl`, and `tbot`. Any spans received by the auth
server will be forwarded to the exporter configured via the
`tracing_service` if it is enabled. All received spans will be
dropped in the event that the `tracing_service` is disabled. By
forwarding spans to the auth server, `tsh` doesn't need to
be provided with any of the telemetry backend information
to have its spans exported.

Adds a new `--trace` flag to `tsh` to enable collecting and
forwarding spans to the auth server. When set, the tracing
provider is initialized with a sampling rate of 1.0 to force
all spans to be recorded. Teleport respects the sampling rate
from remote spans, which means that when `--trace` is set, all
spans from `tsh` and any downstream Teleport services will be
recorded and exported regardless of the sampling rate that each
Teleport service is configured with.
2022-06-02 09:28:30 -04:00
Krzysztof Skrzętnicki 50c1de548a
Expose Config in SSOConfigureCommand (#13060) 2022-06-02 10:52:12 +02:00
Noah Stride 7e73d1a501
Convert GetDomainName and GetClusterCACert to gRPC (#12937)
* convert GetDomainName endpoint to gRPC

* migrate GetClusterCACert from http to grpc

* fix tests failing due to switch to gRPC transport

* Correct misspelt json tag

* remove `GetLocalClusterName` and `UpsertLocalClusterName` which are unused

* remove unused prefix constant from presence
2022-06-01 22:53:42 +00:00
Jeff Pihach ee255fa5de
Add new teleport node configure command (#13032)
* Add new 'teleport node configure' command to output a config that has all services but ssh disabled.
2022-06-01 20:56:10 +00:00
Andrew LeFevre 02f409b273
add labels to output of 'tsh kube ls' (#12753)
Fixes #11203.
2022-06-01 17:52:44 +00:00
Noah Stride 8b346ef06b
Refactor tbot (#12855)
* start refactoring tbot to have a core struct

* refactor tbot into lib/

* move `tbot` subpackages to `lib/tbot`

* remove mutex pointer

* move `tshwrap` to `lib/` from `/tool/tbot/`

* move new template ssh client render test to lib/

* address pr feedback

* add request changed
2022-06-01 17:15:26 +00:00
Noah Stride 18558b88e9
thread context.Context from tctl Run() to subcommands (#13029) 2022-06-01 12:49:59 +01:00
STeve (Xin) Huang 50dcd493df
Manage ElastiCache Users (#12709) 2022-06-01 01:10:56 +00:00
Tim Buckley b170837040
Fix broken version check in tbot's tshwrap (#13034)
`tshwrap` performs a tsh version check to ensure it has the
functionality we need. Unfortunately, during a final refactoring
before merging, we changed the function signature of `capture()` to
require an explicit path to a `tsh` binary but in a way that was
unfortunately not caught by the compiler. The previous syntax meant
we just tried to execute the first argument, i.e. `version`, which
is never what we want.

This PR correctly passes the tsh path to `capture()` to fix the
version check.
2022-05-31 18:23:15 +00:00
Brian Joerger 26bad238fa
OIDC multiple redirect URLs (#12054) 2022-05-31 17:52:04 +00:00
Alan Parra 8302d467d1
Improved touch ID availability and diagnostics (#12963)
Since #12794 we now build `tsh` binaries with touch ID capabilities. This calls
for a more sophisticated mechanism to determine if touch ID functions should be
enabled, as compile-time support only is not enough.

I've added the following checks, on top of compile-time / `touchid` build tag:

* Binary is signed
* Binary has entitlements
* Machine is touch ID capable
* Machine has a Secure Enclave

Put together, this gives us a much better proxy on whether to enable touch ID.

I've also added the `tsh touchid diag` command, mentioned in the Passwordless
macOS RFD (see
https://github.com/gravitational/teleport/blob/master/rfd/0054-passwordless-macos.md#tsh-support-commands).

#9160

* Improved touch ID availability and diagnostics
* Add the `tsh touchid diag` command
* Set min macOS version to 10.12 (macOS Sierra)
2022-05-31 17:10:06 +00:00
Noah Stride e1cd9e16cd
Demonstrate usage of golden for tbot template generation tests. (#12898) 2022-05-31 10:50:41 +00:00
Tiago Silva f984976dfb
Add cluster flag to tsh kube login/ls commands (#12748)
"--cluster" can be used to switch teleport cluster context

Fixes #10024
2022-05-28 12:46:47 +01:00
Tim Buckley 17dbc2d287
Re-add kinds config field to tbot with a deprecation warning (#12933)
* Re-add `kinds` config field with a deprecation warning

This re-adds the `kinds` config field with a deprecation warning. We
removed the field in #11596 but due to strict YAML parsing this
causes existing otherwise compatible configs to error out.

* Update tool/tbot/config/config_destination.go

Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>

* Use standardized deprecation comment formatting

Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
2022-05-27 21:26:19 +00:00
Tim Buckley e8cfe5df6d
Fix missing SSH HostCA in tbot impersonated identities (#12932)
This fixes a bug where the SSH HostCA is missing in impersonated
identities. We only include it in primary identities via the
server-side `includeHostCA` flag which can't be directly set by
clients. Without this CA, impersonated identities can't successfully
connect to the auth server via an SSH tunnel, so database requests
fail when using IoT joining.

We fix this by instead copying SSH CAs from the primary identity.
2022-05-27 19:22:32 +00:00
Tim Buckley 8f36b9ca8f
Add tbot proxy and tbot db wrapper commands (#12687)
* Extend support for identity files in tsh

This enhances support for identity files in tsh, which previously only
worked for regular SSH access. The largest blocker for support is that
tsh uses profiles for all non-SSH resource access, and profiles have a
direct mapping to some on-disk resources. This patch works around this
in a few ways:
 * Virtual profiles: When an identity file is specified with `-i`, we
   use it to create an in-memory virtual profile using the cert as the
   root identity _and_ for every `RouteToDatabase` (and in the future,
   app) field contained in the cert.
 * Virtual profile paths: Certain profile operations require paths to
   valid certificates and other resources on disk, which may not exist
   inside the identity file.

   As the driving use-case for this change is integration with Machine
   ID, we can "cheat" and pass the correct paths to tsh via
   environment variables. A cooperating wrapper in `tbot` will execute
   `tsh` with appropriate flags and environment variables, which
   override tsh's usual certificate paths. This allows commands like
   `tsh db connect ...` to work as expected.
 * Key stores: previously we used a `noLocalKeyStore{}` with which all
   lookups fail. This patch replaces it with an in-memory keystore if
   a client key is available.
 * Profile status: lastly, we add a new `StatusCurrentWithIdentity()`
   function to load virtual profiles where supported. Some commands
   are not supported in this PR (like `tsh app ...`), but others
   don't make sense to support (like cert reissuing).

   We might consider merging everything into the traditional
   `StatusCurrent()` when adding app support.

App access is still broken and will be addressed in a later change.

Partially fixes #11770

* Fix failing lint

* Add `tbot proxy` and `tbot db` wrapper commands

This adds new wrapper commands that leverage tsh for proxy and
database access.

It also adds a new `tshwrap` helper package which contains utilities
for locating the tsh executable, checking its version, and loading
all necessary data (certificates, destinations, etc) that will need
to be passed to tsh for wrapped commands to function.

* Fix failing unit test due to incorrect default IsVirtual profile flag

* Combine `StatusCurrentWithIdentity()` into `StatusCurrent()`

Additionally, log a warning when environment variable paths aren't
found.

* Fix virtual profile flag always being true

* Update lib/client/api.go

Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>

* Address review feedback

* Use `tbot proxy` in generated `ssh_config`

* Add tests for mockable parts of our tsh integration

* Fix lints

* Clarify docstrings in CLIConf

* Tweak comment for clarity; fix typo in `onProxyCommand`

* Add missing copyright header

* Fix failing unit test and pass destination to `Describe()`

This fixes a failing unit test by making the description for
`ssh_config` match its behavior in practice. This necessitated
passing the destination to all templates, unfortunately.

* Add a few extra tests

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address another batch of review comments

* Comment tweaks

* Refactor tshwrap to remove the Runner interface.

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address review comments

Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
2022-05-27 18:25:36 +00:00
Jeff Pihach 8d4005b0a7
Add --node-labels support to teleport configure (#12878)
* Added node labels support to the configure command.

* added test for new config node labels flag.

* improve flag messaging for node-labels

* Fail with a help message if an invalid node label is provided to the configure command.

* Use = as a delimiter for label key=value instead of a : to be consistent with existing CLI commands.

* update tests to different label format.

* Wrap any returned error from the label parsing.
2022-05-27 17:08:51 +00:00
Krzysztof Skrzętnicki 9377f7c681
New commands: tctl sso test, tctl sso configure for GitHub (#12783)
* Implement `tctl sso` commands for GitHub auth.

* Mark RFDs as implemented.
2022-05-26 23:26:35 +00:00
Andrew LeFevre e18cbe5d19
Exit with an error if the auth server is too old (#12797)
If the auth server's major version is less than the connecting Teleport
agent, the agent will now log an error and exit to avoid cryptic errors like
in #11161. '--skip-version-check' flag was added so users can override this
behavior if they wish.

Fixes #11854.
2022-05-26 20:32:43 +00:00
Zac Bergquist a2450423ba
tsh: clean up onPlay
The code for `tsh play` is a bit hard to follow
(it's a triple-nested switch statement) because
the command is overloaded to do lots of different
things.

Try to make things clearer by adding docs and breaking
the code up into separate functions.
2022-05-26 08:22:12 -06:00
Zac Bergquist 939bc8b061
tsh: add support for writing memory/CPU profiles
Profiles are enabled via hidden flags on the tsh app.
2022-05-26 08:22:12 -06:00
Zac Bergquist dc08501c5f
Prefer signal.NotifyContext over the manual implementation 2022-05-26 08:22:12 -06:00
Zac Bergquist 2396281028
Remove tsh config-proxy
This was marked for deletion in Teleport 9, as the functionality
is now supported in tsh proxy ssh.
2022-05-26 08:22:12 -06:00
Noah Stride 0591c59919
ensure tctl outputs all debug log messages (#12807) 2022-05-25 18:01:16 +00:00
rosstimothy 9f094aaef6
Add tracing instrumentation for ssh clients/servers (#12434)
* Add tracing instrumentation for ssh clients/servers

Add tracing context to the existing ProxyHelloSignature to provide
span information across ssh connections. To add span context per
ssh session on top of new connections, the same tracing context is
passed in the first global request of the session.

In order to ensure that tracing context is pulled from and inserted
into the proper context.Context, some interfaces and methods were
changed to take one as the first argument.
2022-05-25 12:24:02 +00:00
Edward Dowling d1af32e8b8
Change tsh to only print non-exit errors on exit 2022-05-25 09:07:59 +00:00
Tim Buckley d873ea4fa6
Extend support for identity files in tsh (#12686)
* Extend support for identity files in tsh

This enhances support for identity files in tsh, which previously only
worked for regular SSH access. The largest blocker for support is that
tsh uses profiles for all non-SSH resource access, and profiles have a
direct mapping to some on-disk resources. This patch works around this
in a few ways:
 * Virtual profiles: When an identity file is specified with `-i`, we
   use it to create an in-memory virtual profile using the cert as the
   root identity _and_ for every `RouteToDatabase` (and in the future,
   app) field contained in the cert.
 * Virtual profile paths: Certain profile operations require paths to
   valid certificates and other resources on disk, which may not exist
   inside the identity file.

   As the driving use-case for this change is integration with Machine
   ID, we can "cheat" and pass the correct paths to tsh via
   environment variables. A cooperating wrapper in `tbot` will execute
   `tsh` with appropriate flags and environment variables, which
   override tsh's usual certificate paths. This allows commands like
   `tsh db connect ...` to work as expected.
 * Key stores: previously we used a `noLocalKeyStore{}` with which all
   lookups fail. This patch replaces it with an in-memory keystore if
   a client key is available.
 * Profile status: lastly, we add a new `StatusCurrentWithIdentity()`
   function to load virtual profiles where supported. Some commands
   are not supported in this PR (like `tsh app ...`), but others
   don't make sense to support (like cert reissuing).

   We might consider merging everything into the traditional
   `StatusCurrent()` when adding app support.

App access is still broken and will be addressed in a later change.

Partially fixes #11770

* Fix failing lint

* Combine `StatusCurrentWithIdentity()` into `StatusCurrent()`

Additionally, log a warning when environment variable paths aren't
found.

* Fix virtual profile flag always being true

* Update lib/client/api.go

Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>

* Address review feedback

Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
2022-05-24 21:40:03 +00:00
Alan Parra 900f11c3db
Use a marker for Keychain labels (#12772)
Adding a "marker" to Keychain labels lets us detect unexpected entries (which I
did see happen) and gives us flexibility to change formats in the future.

A marker in the "label" field seems to be enough to achieve the purposes above,
so I stopped at that. Added a couple minor UX tweaks as well.

#9160

* Use a marker for Keychain labels
* Tweak: Rename "Key Handle" to "Credential ID" for consistency
* Tweak: Do not prompt MFA/OTP if doing Touch ID
* Use trace errors
2022-05-24 18:52:54 +00:00
Krzysztof Skrzętnicki 202c431530
Fix tsh db ls for remote clusters. (#12281)
* New method: GetCurrentUser().

GetCurrentUser returns current user as seen by the server.
Useful especially in the context of remote clusters which perform role and trait mapping.

* Fix "tsh db ls" for remote clusters.

Attempt to resolve remote roles and traits. Fail gracefully if this isn't possible.
2022-05-23 19:42:17 +00:00
Joel 756c5e5ee7
Improve performance using session trackers in large clusters (#12584) 2022-05-23 15:06:33 +00:00
Andrew LeFevre 8e92c40997
add cluster labels to 'tsh clusters' output (#12388) 2022-05-20 21:09:41 +00:00
Matheus ef70c29eaa
Change teleport configure to accept non existent --data-dir directory (#12673) 2022-05-17 21:13:03 +00:00
Krzysztof Skrzętnicki 414c82a341
Changes for tctl sso test, tctl sso configure commands [OIDC] (#12519)
* Changes for tctl sso test, tctl sso configure commands [OIDC]

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2022-05-17 16:30:19 +00:00
Edward Dowling 64b86754f9
tctl: Respect TELEPORT_HOME value when grabbing profile (#12486)
Also when grabbing local key store
2022-05-14 09:34:57 +00:00
STeve (Xin) Huang 5c6deb7d9d
ElastiCache support - the basics (#12209) 2022-05-13 15:09:20 +00:00
Krzysztof Skrzętnicki 80bdb11c89
Implement global tsh config file: /etc/tsh.yaml (#12598)
* Implement global tsh config file: `/etc/tsh.yaml`. The default location can be changed with `TELEPORT_GLOBAL_TSH_CONFIG` env var.

* The user config file is merged with the global config file. The user config file has a higher priority.

* If the global config file is absent, no error is raised.
2022-05-13 07:31:48 +00:00
Brian Joerger b4eec0d3c5
Add Session tracker to DB, App, and Windows Desktop Sessions (#12304) 2022-05-12 17:03:32 +00:00
Nic Klaassen c379b174f0
Scope requested resource IDs by cluster and resource kind (#12490) 2022-05-12 00:18:50 +00:00
Alan Parra 0b34833f79
Add tsh touchid ls and rm commands (#12505)
Implement touch ID credential management via tsh touchid ls and tsh touchid rm.

Departs slightly from RFD command names in order to better match the tsh mfa.

See https://github.com/gravitational/teleport/blob/master/rfd/0054-passwordless-macos.md.

#9160

* Implement touch ID credential listing
* Add the `tsh touchid ls` command
* Implement touch ID credential deletion
* Add the `tsh touchid rm` command
* Delegate MFA prompts to WebAuthn
* Undo changes to tsh.go command switch
* Prompt newline. Trace errors.
* Update e/ to 6abb96b
* Var initialization. Guard against NULL. Return all credentials.
* Address review comments: simplifications and style
2022-05-11 12:25:47 -03:00
Jakub Nyckowski 1f7a934584
Use new TLS key to sign DB cert during rotation (#11879)
Why
---
Current CA rotation requires you to rotate the key 3 times
* `init` - to add new CA to the DB
* `update_clients` - to generate new client certificate and add it to DB
* `standby` - to remove the old CA from DB.

If any of the steps is skipped the integration will stop working as either Teleport or DB are not able to authenticate the connection.

Solution
---
Signing the client certificate with the new CA will allow us to reduce the number of certificate updates and potential DB restarts/reloads, which should make the procedure simpler and less error prone. From now on the certificate will only need to be updated on the `init` phase and after `standby` to remove the old CA.

Co-authored-by: Jim Bishopp <jamesbishopp@gmail.com>
2022-05-10 20:18:43 +00:00
Noah Stride 2f00cb4670
tbot configure command for assisting Machine ID configuration (#12517)
* add `tbot configure` command

* introduce golden file test helper

* address PR comments by zmb
2022-05-10 09:04:54 +00:00
Andrew LeFevre 40b9b524f2
add --format flag to 'token add' and make the same flag visible for 'token ls' (#12327) 2022-05-09 21:28:15 +00:00
Alan Parra 68392918ef
Wire touch ID login and registration to tsh (#12475)
Add the --mfa-mode flag and wire touch ID into tsh authn/registration.

In the default MFA mode (auto), touch ID should be eager if there is a
credential present in the system. Users may change this behavior using other MFA
modes.

See https://github.com/gravitational/teleport/blob/master/rfd/0054-passwordless-macos.md.

#9160

* Add AuthenticatorAttachment/MFAMode to tsh
* Add support for touch ID in wancli.Login
* Warn users about passwordless in U2F mode
* Add support for touch ID in `tsh mfa add`
2022-05-09 14:44:28 +00:00
Tim Buckley 9f2f7bf529
Add new config templates to tbot for databases and identity files (#11596)
* Add new `identityfile` config template to `tbot`

This adds a new `identityfile` config template to tbot which
generates an identity file from any of the formats supported by
`tctl auth sign`.

It can be used by specifying one or more formats in the configuration
like so:

```yaml
destinations:
  - directory: /foo
    kinds: [ssh, tls]
    configs:
      - identityfile:
          formats: [file]
```

It requires both SSH and TLS certificates to work properly. App,
Kubernetes, and Database certs are unlikely to work as they have
additional cert requirements that will be added in separate PRs.

Multiple formats can be specified, and each will be written to its
own subdirectory within the destination using the name of the format.
The particular files written inside this directory depend on the
particular format selected, but in the above example, this means a
file named `/foo/file/identity` is written.

The files all have an `identity` prefix at the moment. This could be
made configurable if desired.

The `file` format can be used in conjunction with `tsh -i` and
`tctl -i` to use those tools with a tbot-generated identity.

Fixes #10812

* Make identityfile formats first-class config templates

This promotes most of the important identityfile formats to proper
config templates. User-facing `kinds` are removed to reduce confusion
and several config templates are now required.

 * The `ssh_client` template is now required and will be added
   automatically in all cases if not specified.
 * A new required `tls_cas` template is added to always export
   the current Teleport server CAs in a usable format.
 * A new required `identity` template is added to always export an
   identity file usable with tsh/tctl.
 * New optional `cockroach`, `mongo`, and `tls` templates can export
   specifically-formatted TLS certs for various databases and apps.

Additionally some other changes were caught during testing:
 * `botfs` now allows users to specify if files should be opened for
   reading or for writing; previously, written files were never
   truncated when opened for writing leading to garbage at the end of
   files if the length changed. Truncation isn't sane for reading so
   the two use-cases are now split.

* Update lib/client/identityfile/identity.go

Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>

* Address first batch of review comments

Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to
accept a plain file mode, and removed a ton of boilerplate in
`configtemplate.go`.

* Fix problematic nil interface check in configtemplate

* Clarify comment about `client.Key` DB certs

* Address review feedback

 - Use `DatabaseCA` for database specific templates; make the `tls`
   template's CA configurable; write the database CA alongside the
   others.
 - Simplify nil interface check

* Fix outdated var names

Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
2022-05-06 01:03:05 +00:00
Joel 652536f4e5
Don't enforce standard k8s and ssh auth mechanisms when joining sessions (#11144) 2022-05-05 19:42:57 +00:00
Jeff Pihach cceac2db71
Add hint message when removing access requests. (#11963)
* Add hint message when removing access requests.

* Add hint message if removing an access request that has already been approved.

* fixed typo.

* do not delete access requests unless it hasn't been approved or a force flag has been provided.

* Tweaked hint messaging.
2022-05-04 22:11:39 +00:00
Noah Stride 9348ef172f
reduce verbosity of missing kernel support warning for secure symlink (#12396) 2022-05-04 09:07:55 +00:00