Commit graph

15738 commits

Author SHA1 Message Date
teleport-post-release-automation[bot] 562834af79
[auto] Update AMI IDs for 14.1.5 (#34696)
Co-authored-by: GitHub <noreply@github.com>
2023-11-17 07:14:36 +00:00
Trent Clarke 0b5bd680e8
Prohibit the Okta service from resetting user passwords (#34690)
* Prohibit the Okta service from resetting user passwords

There are no circumstances where the Okta service should be resetting
a user password, so creating a reset token is strictly prohibited.

Includes some test refactoring to re-use the general Okta user CRUD test
machinery to test this change.

Special thanks to @tigrato for spotting this.

* Test that okta may not create a bot user
2023-11-17 04:09:50 +00:00
Brian Joerger c810585414
Update RFD 131 - Short list of admin actions (#34674)
* Update Admin actions RFD with a short list of endpoints.

* update backwards compatibility section.

* Add missing role endpoints.
2023-11-17 00:35:20 +00:00
fheinecke 95209ea0cf
Minor license typo fix (#34683)
* Minor license typo fix

* Additional license typo fixes

* build-test-compat.sh
2023-11-16 23:29:44 +00:00
Trent Clarke 840345caca
Make types.User implement ResourceWithLabels (#34654)
* Make `types.User` implement `ResourceWithLabels`

Embeds the `ResourceWithLabels` interface into `types.User` in order
to allow the Okta sync service re-use our existing reconciliation
tooling with User resources.

Also adds the appropriate methods to `types.UserV2` so that it still
implements the expanded `types.User` interface.

* spelling fixes
2023-11-16 22:16:01 +00:00
Brian Joerger 48dc80cf15
MFA for admin actions: Add server side check (#33676)
* Add method to check MFA challenge response for admin actions.

* Add tests.

* Move AuthorizeAdminAction to authz package.

Add ValidateMFAAuthResponse as a dependency for the authorizer.

Update tests to include a mock ValidateMFAAuthResponse method.

* Resolve comments.
2023-11-16 21:30:24 +00:00
Michael Wilson 2dbb2b4d4b
Access list app in plugin ceases to run when endpoints not implemented. (#34669)
When access list endpoints are not implemented, the access list app in the
access plugins will cease to run. This could happen if the integration is
being run against an open source server.
2023-11-16 20:39:31 +00:00
Jakub Nyckowski 4efd593f88
Update e ref (#34673) 2023-11-16 20:37:22 +00:00
fheinecke 79c35dda81
Fixed tag builds using commit instead of tag ref (#34668) 2023-11-16 18:59:54 +00:00
Forrest 047b6ccda7
improve test cov for auth caches (#33939) 2023-11-16 18:42:58 +00:00
Jakub Nyckowski af817583ad
Proxy TAG requests through Auth (#34642)
* Proxy TAG requests through Auth

* Integrate Access Graph feature and optimize services

This commit entails the integration of the Access Graph feature into the existing service configuration. This feature is manifested through an 'IsEnabled' method that checks the state of the access graph. Additionally, the auth service logic now includes a flag for enabling access graph. The services have been further optimized with adjustments geared towards improving performance and readability of the code.

* Move TAG enabled flag from proxy to user setting/auth context

* Swap a pointer to AccessGraph config with a value.

* Add 'TestNewAccessGraph' function to 'useracl_test.go' file.

The function 'TestNewAccessGraph' has been added to run tests checking the configuration of Access Graph. Furthermore, a small change is made for the 'KindAccessGraph' comment in 'constants.go' to provide more accurate information.

* Implement Access Graph feature across various files

The Access Graph feature has been incorporated in 'module.go', 'authservice.proto', 'auth.go', and 'plugin.go' files. A method 'EnableAccessGraph' is also introduced in 'module.go' to allow the usage of this feature. Descriptions of Access Graph have been adjusted across files to explicitly state the feature's enablement.

* Fix tests

* Remove unused access graph feature code

This commit removes all references and uses of the access graph feature from the codebase. It also updates corresponding tests to reflect this removal. It also adds EnableAccessGraph() method to testing module to fix test compilation.
2023-11-16 18:08:37 +00:00
Zac Bergquist 3d69ad9c03
Prevent AKS discovery from panicking if group claim is missing (#34609)
Looks like we were depending on the golang-jwt library to catch
this case rather than checking explicitly, and an update to the
library broke us.

Fixes #34514
2023-11-16 17:35:37 +00:00
Evan Freed 3af6d9c1a2
bump cloud version to 14.1.3 (#34604)
Signed-off-by: Evan Freed <evan.freed@goteleport.com>
2023-11-16 15:37:34 +00:00
Michael Wilson f1c3fae146
Add Slack access list reminders. (#34461)
* Add Slack access list reminders.

Access list review reminders will now be sent to owners via Slack every week
until the access list is reviewed. Some small modifications were made to the
access list application to support partial success. Additionally, some changes
were made to the way access applications are instantiated to maintain
compatibility with enterprise.

* Tweak error returns, debug statements.

* Notify once per day after the next audit date has passed, remove access list name from slack notifications.

* Fix for day notifications.
2023-11-16 15:34:45 +00:00
Alan Parra 40dc2e9c6c
Collect device data concurrently on Linux (#34602)
* Read DMI files concurrently

* Refactor DMI logic into its own method

* Collect device data concurrently on Linux

* Drop the mutex on DMIInfoFromFS, simplify
2023-11-16 14:20:57 +00:00
Joel b65e7f3b7e
update e to include TAG changes (#34653) 2023-11-16 14:03:40 +00:00
Alan Parra e92d0bffff
Add the os_id field to device messages (#34588)
* Add the os_id field to device messages

* Update generated protos

* Add os_id field conversions

* Collect os_id on Linux devices

* Fix Linux tests
2023-11-16 13:05:47 +00:00
Krzysztof Skrzętnicki 5d4f5da9e7
Reduce TestDatabaseServerAutoDisconnect flakiness (#34060)
* Reduce TestDatabaseServerAutoDisconnect flakiness

* Emit event after actual disconnection.

* Add EmitterContext instead of ad-hoc context.

* Add missing EmitterContext.

* Address review feedback
2023-11-16 12:59:18 +00:00
Zac Bergquist d18538123d
Expand the width of SSH tabs in the web UI (#34608)
- Increase the maximum width from 200px to 450px
- Prevent the tab from automatically growing to its max width

Closes #3859
2023-11-16 08:55:30 +00:00
Anton Miniailo a4be12fbcf
Reorganize service config test fields (#34208)
* Reorganize process config test fields

* Move PollingPeriod back from Testing field

* Fix comment text

Co-authored-by: Nic Klaassen <nic@goteleport.com>

---------

Co-authored-by: Nic Klaassen <nic@goteleport.com>
2023-11-16 05:29:07 +00:00
fheinecke 2dd1abbf58
Added release server publishing retry (#34605)
* Added release server publishing retry

* dronegen: Run auto_publish 10 times (from 3) in a loop

Change the drone generation to use a loop to run the `auto_publish`
relcli command instead of listing them one-by-one and loop 10 times
instead of 3. The loop will terminate the first time `relcli` succeeds.

The loop has an `|| false` at the end to ensure the loop command fails
if all invocations of `relcli` fail. With `set -e`, even though the exit
status of the loop is non-zero, the shell seems to continue. With the
`|| false` at the end, it makes it exit on failure. I'm not sure exactly
how drone runs the commands so this may not be necessary but it seems
safer.

e.g.

    set -e
    for i in $(seq 10); do false && break; done
    echo hello

This will echo "hello" even though all invocations inside the loop
failed.

    set -e
    for i in $(seq 10); do false && break; done || false
    echo hello

This will not echo "hello" - `set -e` causes an exit before that command
due to the `|| false`.

---------

Co-authored-by: Cam Hutchison <camh@goteleport.com>
2023-11-16 01:40:33 +00:00
Forrest 9536add038
variable rate instance heartbeats (#33871) 2023-11-16 01:36:15 +00:00
Nic Klaassen c3c62d3281
feat: enable External Cloud Audit backend (#34606)
* feat: watcher for cluster ExternalCloudAudit configuration

* feat: enable External Cloud Audit feature

This commit enables the External Cloud Audit (BYOBucket) feature with a
fully functional backend by setting up the Athena and S3 audit
components with the right AWS configurations and resource locations.

* respond to code review

* close watcher to fix test

* fix aws config generation

* fix IsUsed for tests
2023-11-16 00:53:27 +00:00
Zac Bergquist 6ea1d8a5b3
Update test plan with OS compatibility checks (#32679)
We've had issues on macOS where we've unintentionally bumped the
minimum supported OS version. This check is intended to catch
these issues and ensure that the versions in our public docs
remain accurate.
2023-11-15 23:29:01 +00:00
dependabot[bot] 73dfac9fa9
Bump go.mongodb.org/mongo-driver from 1.13.0-prerelease.0.20230726045955-5ee10b94cc66 to 1.13.0 (#34497)
* Bump go.mongodb.org/mongo-driver

Bumps [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) from 1.13.0-prerelease.0.20230726045955-5ee10b94cc66 to 1.13.0.
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](https://github.com/mongodb/mongo-go-driver/commits/v1.13.0)

---
updated-dependencies:
- dependency-name: go.mongodb.org/mongo-driver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* mongodb: Handle deprecated parsing logic

Because we want to support older mongo DB versions we need to continue to support parsing these now deprecated message types.

* Apply PR feedback and update to handle remaining deprecated fields

* update MongoDB test server to expect OpMsg instead of OpQuery for MongoAtlas

* deflake attempt 1

* bump test default max message size due to switch to OP_MSG

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike Jensen <mike.jensen@goteleport.com>
Co-authored-by: STeve Huang <xin.huang@goteleport.com>
2023-11-15 22:10:06 +00:00
Paul Gottschling 0a9291a46c
Clarify the relationship between Kubernetes docs (#34412)
Closes #19192

Add introductory language to the Helm Deployments and Kubernetes Access
section introductions to clarify the relationship of these docs sections
to one another. The intention is to help newcomers to Teleport
understand when they need to read the Kubernetes Access docs and when
it is more appropriate to read the Helm Deployments docs.
2023-11-15 21:00:35 +00:00
Anton Miniailo c979952058
Fix PROXY protocol handling of dedicated kube listener with TLS routing (#34317)
* Fix PROXY protocol handling of dedicated kube listener with TLS routing

* Improve test by checking both addresses in multiplexed mode
2023-11-15 20:36:23 +00:00
Mike Jensen d0f2b4406b
Prevent .tsh/environment values from overloading prior set values (#34277)
* Prevent `.tsh/environment` values from overloading prior set values

It's not possible to have duplicate environment values within an environment, and in fact the last value in the string slice will be preserved. Prior to this change, that allowed users to possibly change any environment values through the use of the `.tsh/environment` file. This is within user-level control, whereas other environment value sources originate from a more protected location (for example the PAM configuration).

Prior to this change, that allowed users to possibly change any environment-passed configuration through the use of the `.tsh/environment` file.

This change makes it so that the administrative set values will be preferred, and any duplicate records will be ignored.

* Apply PR feedback

* Only exclude duplicate environment values sourced from .tsh/environment

This change updates `SafeEnv` to allow the caller to select whether the value should be checked for duplicates.
We then leverage this to avoid this check when sourced from a trusted source, but exclude potential duplicates when sourced from the .tsh/environment file or the local environment.
2023-11-15 16:49:50 +00:00
Gus Luxton 8ecb9734eb
docs: Mark AWS GSLB deployment as Enterprise only (#34621)
It requires/references proxy peering, so shouldn't be offered to OSS users.
2023-11-15 16:16:57 +00:00
matheus b9d1d8eb41
Add ExternalCloudAudit permissions to user context ACL (#34289)
* Add ExternalCloudAudit permissions to user context ACL

* Add missing acl to test
2023-11-15 15:47:09 +00:00
STeve (Xin) Huang 7f3c58df1f
Add default database support for PostgreSQL Auto-user provisioning (#34420)
* Added "defaultDatabase" support for Postgres auto-user provisioning

* update doc
2023-11-15 15:26:10 +00:00
Michael Wilson 590435c1e2
Allow user locks to affect access list membership. (#34354)
* Allow locks to deny access to access lists.

Access list membership will now be impacted by active user locks. If a user
is locked, they will not be considered a part of an access list. This, in turn
will be used for things like Okta assignments to ensure that Okta access can be
rescinded while a lock is active.

* Access list membership checker is its own struct now.

* Rebase and fix tests.
2023-11-15 15:24:07 +00:00
Zac Bergquist f8c5164bbb
Fix incorrect permissions for X11 Unix socket (#34613)
We were passing decimal 1777 instead of octal.

Closes #24819
2023-11-15 14:27:09 +00:00
Bernard Kim 49329041c6
Reword aws-oidc deploy service components (#34279)
* Reword aws-oidc deploy service for more consistency

* Update lib/integrations/awsoidc/deployservice_update.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Capitalize AWS OIDC

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-11-15 01:49:25 +00:00
Trent Clarke f5b548ee72
Grant the Okta service the right to write Users (#33630)
* Grant the Okta service the right to write Users

In preparation for the Okta service syncing user accounts, this patch grants the Okta
service the right to create/update/delete users, in addition to the existing read
permission.

* Restricts User RBAC operations on the built-in Okta role

* Address review comments

 - Consolidates update checking into a single function
 - Adds implementation for new user service

* remove unused code

* Refactor Okta access and tests

* Fix merge detritus

* Doc updates

* Hopefully last pass

* Linter appeasement

* Consolidated checks

* Update auth_with_roles_okta_rbac_test.go

docs
2023-11-15 01:25:43 +00:00
rosstimothy c91d92ec50
Update e (#34601) 2023-11-14 22:07:44 +00:00
Nic Klaassen ad9191e0d8
feat: cached auto-refreshing AWS credentials for BYOBucket (#34380)
This commit implements a "Configurator" for the BYOBucket feature that
provides AWS credentials that can be used by the v1 or v2 AWS SDKs for
Go.
These credentials are generated via an AWS OIDC integration: auth signs
a JWT and we swap that with AWS STS for AWS credentials.
It also reports whether or not the BYOB feature `IsUsed()` currently,
and provides access to the current cluster ExternalCloudAudit spec.

This looks a bit weird because of a chicken-egg problem where the audit
log must be set up before the auth server can be created, but the auth
server must be created to provide the OIDC signing facilities.
This will be more clear in following PRs.
2023-11-14 20:16:14 +00:00
Nic Klaassen ce5de4c4a2
fix!: respect deny rules for access requests (#34438)
Access Requests follow their own set of RBAC rules.
Usually, none of the typical create/read/list/delete verbs are required
in any user's roles.
Access is handled via custom rules based on the allow.request, deny.request,
allow.review_requests, and deny.review_requests role fields.

The create/read/list/delete verbs commonly used for other resources are
usually all or nothing (barring `where` expressions), but a more nuanced
set of rules apply to access requests. E.g. users should always be
allowed to see access requests that they created or are allowed to
review, without being allowed to see other access requests in the
cluster.

This seemed mostly logical once you thought about it long enough, but
one detail that has been lacking so far is that explicit deny rules in
the user's roles have no effect at all, even though explicit allow rules
grant god-mode access to create or view any access requests in the
cluster.

Even with the following role, you could still create and view
access requests:

```yaml
kind: role
version: v6
metadata:
  name: example
spec:
  allow:
    request:
      roles: ["*"]
    review_requests:
      roles: ["*"]
  deny:
    rules:
      - resources: ["access_request"]
        verbs: ["create", "read", "list"]
```

This commit makes any explicit deny rules actually take effect.

Fixes https://github.com/gravitational/customer-sensitive-requests/issues/103

changelog: Respect explicit deny rules for Access Requests.
2023-11-14 20:15:35 +00:00
Steven Martin 716d8b8573
docs: correct fips image name reference (#34593) 2023-11-14 19:51:06 +00:00
Alan Parra d2b03ac04b
chore: Update e/ reference (#34586)
Update e/ to the latest commits.
2023-11-14 19:47:49 +00:00
Paul Schisa 7135486f5c
Update fido2.go (#34529) 2023-11-14 17:55:53 +00:00
Brian Joerger 04d9f741f6
Fix piv slot overridden by server settings. (#34349) 2023-11-14 17:47:09 +00:00
Nic Klaassen c92fe24f7a
fix: correct IAM policies for BYOB (#34484)
This commit fixes the IAM policies generated by the oneoff
externalcloudaudit bootstrap command based on manual testing, and brings
them more in line with the original RFD
https://github.com/gravitational/cloud/blob/master/rfd/0077-Bring-your-own-bucket.md
2023-11-14 17:38:10 +00:00
Jakub Nyckowski a09bf71b8d
Add TAG UI (#34570)
* Add TAG UI

* Add missing license

* Remove elkjs
2023-11-14 16:49:42 +00:00
Paul Gottschling cf96c55a09
Link to the Usage/Billing page in the FAQ (#34427)
Ensure that users who start to learn about usage reporting and billing
from the FAQ know that there is a dedicated page for this information.
2023-11-14 15:50:26 +00:00
Alan Parra 7008dc1fc2
Implement Linux support for device enroll and authn (#34557)
* Close streams on errors

* Rename fake_windows_device.go to fake_tpm_device.go

* Test enroll/authn ceremonies against Linux

* Allow Linux devices to enroll and authenticate

* Implement Linux TPM methods

* Attempt attestation without the event log on failures
2023-11-14 14:23:30 +00:00
Alan Parra d1449cf7f2
chore: Bump Buf to v1.28.0 (#34539)
Update to the latest version.

* https://github.com/bufbuild/buf/releases/tag/v1.28.0
2023-11-14 13:35:26 +00:00
Alan Parra 9db7a1bf96
Implement device data collection for Linux (#34467)
* Rename others.go to device_others.go

* Move various functions to tpm_common.go

* Read device collected data on Linux

* Add the mode param to native.CollectDeviceData

* Add the mode param to collectDeviceData

* Run escalated `tsh device dmi-info`

* Write cached DMI info

* Read cached DMI info

* Avoid asset tags with spaces on them

* nit: Use deviceStateFolderName without a dot on Linux

* Test various data collection scenarios

* Fix macOS/Windows typo
2023-11-14 13:13:22 +00:00
Alex McGrath 1861fb5792
Support ClusterNetworkingConfig and AuthPreference in --apply-on-startup (#34524)
* support ClusterNetworkingConfig and AuthPreference in --apply-on-startup

* update init_test.go and docs
2023-11-14 11:12:52 +00:00
Tiago Silva 5ba372f53e
Add TAG query usage event (#34386)
This PR adds the boilerplate code so we can emit usage events for TAG
queries

Part of https://github.com/gravitational/access-graph/issues/185

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
2023-11-14 02:31:30 +00:00