tsh shows cluster alerts for both `tsh login` and `tsh status`.
We intentionally used a short (500ms) timeout to avoid slowing down
`tsh status` which was previously an "offline" command.
As a side effect, cluster alerts would not always show on login if
they took longer than 500ms to fetch.
This change ensures that we always wait for cluster alerts to come
back for `tsh login`, but we still enforce a short timeout for the
`tsh status` command. (The timeout was increased slightly since the
context now wraps the entire command and not just the cluster alerts
call)
Fixes #25239
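The split described above (login waits for alerts, status gives them a short best-effort timeout) as an added Go example; this is not tsh's own code. The `fetchAlerts` stand-in, its constructed server delay and the `showAlerts` wrapper are assumptions for illustration. Hitting the status timeout is deliberately turned into "no alerts", not an error, so a slow alerts endpoint cannot make the formerly offline command fail.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// fetchAlerts stands in for the cluster-alerts call. The delay is a constructed
// server-side latency; the call aborts as soon as ctx is done.
func fetchAlerts(ctx context.Context, delay time.Duration, alerts []string) ([]string, error) {
	select {
	case <-time.After(delay):
		return alerts, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// showAlerts is the shared path taken by both commands. For login the caller's
// context is passed through unchanged, so the call waits for the alerts (or for
// whatever deadline wraps the whole command). For status the context is wrapped
// in a short timeout, and hitting that timeout is treated as "no alerts to
// show" rather than as a failure of the command.
func showAlerts(ctx context.Context, waitForAlerts bool, statusTimeout, delay time.Duration, alerts []string) ([]string, error) {
	if !waitForAlerts {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, statusTimeout)
		defer cancel()
	}
	got, err := fetchAlerts(ctx, delay, alerts)
	if err != nil {
		if !waitForAlerts && errors.Is(err, context.DeadlineExceeded) {
			return nil, nil // status: alerts were too slow, skip them silently
		}
		return nil, err
	}
	return got, nil
}

func main() {
	// Constructed input: one alert, served slower than the status timeout.
	alerts := []string{"cluster CA rotation in progress"}
	slow := 100 * time.Millisecond
	for _, cmd := range []struct {
		name string
		wait bool
	}{{"tsh login", true}, {"tsh status", false}} {
		got, err := showAlerts(context.Background(), cmd.wait, 50*time.Millisecond, slow, alerts)
		fmt.Printf("%s: alerts=%v err=%v\n", cmd.name, got, err)
	}
}
```

With the constructed 100ms delay and 50ms status timeout, the login path returns the alert and the status path returns nothing without an error; a fast server (delay below the timeout) lets status show the alert too.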
* Add the credential_rp_id field to WebauthnDevice
* Update generated protos
* Record credential RPID on registration and login
* React to unexpected RPIDs when issuing challenges
* Log number of allowed credentials
* Fix TestServer_CreateAuthenticateChallenge_authPreference
* Use slices.Delete
* Try to appease the flaky test detector
This PR parallelizes the test and removes the requirement of using an
HTTPS proxy to intercept the calls to proxy's ping endpoint.
It also introduces simplifications and improves the test readability.
Fixes #18882
This PR allows users to change the kubeconfig's context name when `tsh
kube login` is executed.
It allows users to override our default naming convention
`{teleport-cluster}-{kube-cluster}` and replace it with a custom name.
`tsh kube login cluster --set-context-name=ctx` overrides the context
name to `ctx`. `--set-context` cannot be executed with `--all`.
Fixes #12833
* Use Stderr during headless login to fix rsync compatibility
* Improve error messages when attempting to login without a terminal
* Skip MOTD acknowledgement when logging in without a terminal (headless,
sso)
* When attempting re-login without a terminal, make a debug log and
return the original error
* Return access denied error on unexpected handshake failures in tsh
proxy ssh
* Fix TestProxySSH test and add it to the flaky test detector testsToSkip
list.
* Show <1m for remaining tsh status time instead of 0s
* simplify time check
* logic change
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
---------
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
This is a partial fix for #25017
The latest version of the YubiHSM2 SDK has changed the behavior for keys
longer than 2 bytes, which used to be silently truncated for all
operations.
This causes an unfortunate interaction with `DeleteUnusedKeys` when the
SDK is upgraded in an active Teleport cluster.
Because none of the active keys can be queried from the HSM
individually by their ID, but they can be listed by their label, all of
the active keys end up being deleted.
Yeah that's bad.
`DeleteUnusedKeys` is written this way in an attempt to be "stateless".
Trying to synchronously delete keys at the instant they are
rotated out during a CA rotation would be error-prone.
If the auth server were to restart or crash at the wrong moment, you
could be left with an orphaned key on your HSM forever, with no
reference to it stored by Teleport or anywhere else.
Instead, the Auth server labels all keys it creates with its own host
UUID.
Then periodically (during startup) it lists all keys in the HSM that are
labeled with its own UUID, and if they are not currently active, deletes
them.
This goes catastrophically wrong when individual lookup operations fail,
but list operations succeed.
The fix here is to avoid deleting any keys if any single lookup fails.
The YubiHSM2 SDK version 2023.1 is still not supported, but with this
fix at least we won't delete any active keys.
* Simplify Okta assignment statuses.
The Okta assignment statuses have been simplified so that there's only a
status on the Okta assignment object itself and the number of states is
reduced.
* Fix tests, remove unused code.
* Add in Duration for update statuses to prevent changing status too soon.
* Make sure LastTransition is UTC.
* Remove actions in favor of targets, make cleanup time non-nullable.
* Fix logout sequence
* Adjust `useLoggedInUser` documentation
* Mark clusters as disconnected after logging out
* Refactor `ClusterLogout` to not use the hook/container pattern
* Run prettier
* Fix test
* Use `routing.belongsToProfile`
* Render ExtraTopComponent based on computed action picker status
* Fix formatting
* Use named args for getActionPickerStatus
* Use const for nonRetryableResourceSearchErrors
* Fix logic behind determining remaining filters
* Adjust copy of db action
* Use retryWithRelogin when getting db usernames
* useAsync: Remove unnecessary useCallback
The state setter coming from useState is always stable.
https://legacy.reactjs.org/docs/hooks-reference.html#usestate
* useAsync: Expand docs with `run` return value example
* useSearch: Rename `restrictions` to `filters`
* useSearch: Remove unnecessary useState calls
* Refactor lockOpen into pauseUserInteraction
lockOpen worked great when we were concerned only about user interaction
with a modal closing the search bar as well. However, in the next commit
I'm going to add a login modal that's shown if the search fails with a
retryable error.
In that scenario, pressing Enter in the modal wouldn't work, as it would
be captured by the window listener that ResultList adds.
To work around this problem, I refactored lockOpen into pauseUserInteraction.
It still works pretty much the same way. But then instead of checking
isLockedOpen in the close function, we have a new addWindowEventListener
function.
addWindowEventListener automatically removes the listener after
pauseUserInteraction is called. This solves both the problem of closing
the modal and the problem of using the enter key in the modal.
* Relogin & retry resource search if current workspace cert has expired
* addWindowEventListener: Name the cleanup function
* Make addWindowEventListener a prop of ResultList
* Pin the plugins/slack image for dronegen pipelines
The latest version of this image has a regression where it reports
builds as successful even when they've failed.
Fixes https://github.com/gravitational/SecOps/issues/317
* Rework slack notifications in dronegen
Remove the call to action language, and leave only the relevant links.
Flatten several short lines into one longer line. This allows the
entire message to render without needing to expand it.
* Rework slack notifications in unmanaged pipelines
Remove the call to action language, and leave only the relevant links.
Flatten several short lines into one longer line. This allows the
entire message to render without needing to expand it.
We're regularly seeing workflows queue for 40 minutes and then fail to
finish within the 1 hour timeout window.
The teleport repo has a hard limit configured at 3 hours. So 2:30 gives
plenty of leeway for checkout before and sending the slack notification
after.
* Clean up aws oidc integration instructions
* Change ResourceSpec icon type from ReactElement to string
When storing state into location URL, it doesn't allow storing
ReactElement, so I changed the icon element into string that
refers to the correct icon. Also adds rds aurora tiles to
Select Resources screen.
* Fix the expected backend aws status value for RDS list
* For RDS list, allow refreshing the table
Helpful when user makes changes to the RDS instance
(eg. tags) and needs to get the most up to date listing
* Update rds db setup access text info
* Make create database dialog more consistent between states
* Fix label matching
Previously we required the agent matcher labels
be an exact match of registered db labels otherwise we
prevented the user from deploying an agent (which was wrong).
Now the only requirement is that the matcher labels are all
able to match against registered db labels.
* Implement resuming discover flow from where user left off
* Enable integration access and rds flow
* Strip 443 ports from cluster uri
* Use the labels returned from polling db instead
* Various touch ups
- Make label matching error less confusing by showing
error upon user trying to generate command
- Make label messaging clearer
- Emit errors when failing to fetch rds dbs
* Address CR and update test
* Create locks using the correct property
The "lock target" in Teleport's backend uses a different value
depending on the type of lock you want to create. For example,
to lock a node you use its UUID, but to lock a role you use its
name.
We were incorrectly always using the name to create a lock,
which appears to work fine in the UI but is not correctly
enforced on the backend.
This change adds a new required field called targetValue, allowing
us to specify the value to be used for the lock on a per-resource
basis.
Fixes gravitational/teleport-private#556
* Simplify useGetTargetData
* docs: append cluster name for example ansible hosts list
* Use variable for cluster name
* language update
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Closes #12506
This change adds H2-level headings to the Cloud FAQ page in order to
help users navigate the page. The order of headings is based on my guess
as to the importance of each topic.
This change does **not** attempt to refresh the content of each
question/answer entry, but will make it easier to update the page in the
future since the page should be easier to navigate.
* Finish defining rest of fields for fetching aws db list
* Define aurora postgres/mysql engine type
* Finish checking for integration access
* Remove aws related logic and pull out dialog into own file
* Refactor useCreateDatabase hook
- Remove hook prop and use context instead
- Instead of automatically taking user to next step after
registering db, let user manually go to next
step by clicking button (removes brief flashing of loading
dialog before next step)
* Add the new fields from response to table
* Finish implementing what happens after user selects a database
- on submit db, re-use the hook that creates database,
checks if a database service exists to pick up this
database by matching labels
- while this is happening, a dialog will render showing
the process
* Update test
* Address CR
* Apply create db feedback and apply backend changes
* Document relative link paths in partials
Closes #18155
Add a section to the docs UI reference explaining how relative path
evaluation works for partials.
* Linter fix
* Add login hooks.
Login hooks have been added to support performing arbitrary operations on
user login. This is done to support generating an Okta assignment on
user login for the Okta service feature.
* Don't use error channel for calling hooks, test login hooks.
* Expose ResetLoginHooks for external testing.
* Provide user as part of login hook.
* Update lib/auth/methods.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Improve the documentation for LoginHook, AuthenticateUser returns types.User.
* Use user.GetName() instead of username in AuthenticateSSHUser response.
* Address nits and restore comments.
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>