Commit graph

1487 commits

Author SHA1 Message Date
STeve (Xin) Huang 6fed15d13f
Add an option to bootstrap database service to teleport discovery bootstrap (#28720)
* Add an option to bootstrap database service access at `tsh discovery bootstrap`

* fix var name

* use a TargetService enum
2023-07-12 14:29:30 +00:00
Forrest ae42a6e0d0
remove alert maximums (#28967) 2023-07-11 21:15:32 +00:00
Steven Martin 7efb6635b3
include endpoint_url parameter for tctl sso configure github (#28842)
* include endpoint_url parameter for tctl sso configure github

* add api-endpoint-url parameter

* unify GitHub endpoint descriptions
2023-07-11 20:05:33 +00:00
Rafał Cieślak 732ad92d5f
tctl alerts ack: Make --reason optional (#28939)
This fixes `tctl alerts ack ls` which used to not work due to the reasons
described in the comment.

Providing a reason is still required. The only difference is that instead
of having the CLI fail immediately if the flag is missing, the CLI will
issue a request to the cluster which will fail due to a missing reason.
2023-07-11 14:49:28 +00:00
Brian Joerger 8a13de3ef9
Fix ssh env var parsing by checking after cf.AuthConnector is guaranteed to be set. (#27970) 2023-07-10 17:29:04 +00:00
Rafał Cieślak 2003088382
tctl alert ls: Always show alert ID (#28808) 2023-07-10 16:09:49 +00:00
Tiago Silva 4da3e820ad
Deduplicate resources for tsh request search when replicas>1 (#28661)
When the number of replicas of a resource is bigger than 1 - i.e.
`kube_cluster`, `app`, `db` - `tsh request search` printed
all the registered resources instead of ignoring the repeated rows.

This PR excludes the repeated resource ids from the table and request
command.

Before:
```
$ tsh request search --kind kube_cluster
Name       Hostname Labels                                                             Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local               env=tiago                                                          /tele.local/kube_cluster/local
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster

To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster \
    --reason <request reason>

```

After:

```
$ tsh request search --kind kube_cluster
Name       Hostname Labels                                                             Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local               env=tiago                                                          /tele.local/kube_cluster/local
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster

To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster \
    --reason <request reason>

```
2023-07-10 13:55:55 +00:00
STeve (Xin) Huang a86283e261
Connect Kube gateway part 1: lib/teleterm/gateway (#28312)
* Connect Kube gateway part 1: lib/teleterm/gateway

* fix lint

* move IsDB/IsKube to resource URI

* address review comments

* config dir

* use ProfileDir instead of ConfigDir

* remove NewKubeForwardProxyWithListener
2023-07-10 12:58:23 +00:00
Forrest 628d77f6bb
rework instance hbs to be more scalable and to track upgraders (#27895) 2023-07-08 02:15:56 +00:00
Tiago Silva f8c75a043d
Fix tsh kube credentials lock when no-login is required (#28435)
This PR moves the creation of the `lock` file right before the login
call is attempted instead of creating it for any call.

This fixes a problem where we create the lock file even if no login is
required which limits the number of parallel kubectl invocations.
2023-07-07 11:34:12 +00:00
Jakub Nyckowski 784e6197d2
Fix imports on non-linting files (#28752)
Our linter does not run on all files, so the incorrect sorting is not reported, but GCI keeps fixing these imports each time I run it, hence the PR.
2023-07-06 14:32:56 +00:00
Gus Luxton 8abbea6fec
tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry (#19316)
* tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry

* Addressed comments from code review

* Add support for leaf clusters

* Refactoring from code review

Also moved registry/hostname functions into external packages

* Address more feedback from code review

* Rebase following tsh/common changes

* Fix up putty_config_windows

* Reorder command

* Remove surplus comment

* Use a separate list instead of overloading the 'extra' key

* Address Tim's code review comments

* Address some of Zac's comments

* Refactor formatLocalCommandString to use text/template

* Refactor non-Windows logic into puttyhosts

* Fix subcommand name

* Fix test structure

* Add some more hostnames test cases

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Fix up

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-07-05 17:53:46 +00:00
rosstimothy 119dc7a3a3
Reduce login latency (#28499)
Reuse the root cluster auth client during the login process
to reduce latency.

Closes #26712.
Partially addresses #26712.
2023-07-05 15:51:56 +00:00
Jakub Nyckowski c29765b7d4
Add t.Parallel() to several tsh tests (#28470)
Added the `t.Parallel()` function call in each test function to enable parallel test execution. This should reduce the overall time it takes to run all these tests by enabling them to run concurrently.
2023-07-03 16:51:42 +00:00
Marco André Dinis e043ac07ea
AWS OIDC - DeployService: configure IAM (#28088)
* auto configure deployservice iam

* review pt1

* review pt2
2023-06-30 18:35:29 +00:00
rosstimothy 20559218ad
Fix tsh windows builds (#28357)
#24864 added a dependency of lib/web into tsh which broke windows
tsh builds because lib/web transiently depends on lib/srv which
has linux specific code. This shuffles around a few things so
that lib/web is no longer importing lib/srv at all by:

- Indirectly using the srv.SessionController to apply session
control for web ssh sessions

- Moving the common reversetunnel interfaces into
reversetunnelclient since lib/reversetunnel imports
lib/srv/forward which imports lib/srv.

- Directly converting mysql client errors in the connection
tester instead of calling a common function.
2023-06-30 17:12:12 +00:00
Steven Martin 2019e0d680
Update tsh scp command description to match ssh node commands (#28465) 2023-06-29 14:43:49 +00:00
Steven Martin 3a8a2e107c
use teleport.sh instead of dashboard.goteleport.com for license retrieval (#28421) 2023-06-28 15:10:22 +00:00
Hugo Shaka 3bc6497bcd
Hide wait subcommands (#28031) 2023-06-28 13:11:45 +00:00
Noah Stride 2e47bf740d
Machine ID: Configuration migration (#27468)
* Introduce new tbot output configuration

* Remove code that will be included in future test refactor PR

* Add config version header

* Fix TestInitSymlink

* Add support for `standard` database type

* Set CA type

* `make fix-imports`

* More closely mimic original database output behaviour

* Make output of additional TLS files for application output optional

* Spell compatability properly

* Add test for config marshalling

* Fix cluster field yaml name

* Fix YAML marshalling/unmarshalling

* Fix sidecar invocation of tbot

* Add WrapDestination helper function to protect wrappedDestination

* Apply changes to sidecar

* Spell Marshalling the way the linter insists

* Fix some logging

* Tidy mutex usage on outputRenewalCache

* Fix ssh_host generation

* TBot Config V2 migration support

* Fix misspelling

* Get rid of `destinationWrapper`

* Single l in Unmarshaling

* Fix operator sidecar tbot

* Add UnmarshalYAML for SSHHostOutput

* Fix migration for removed destinationWrapper

* Use updated KubernetesCluster field name

* Add real world test case for migration

* Add additional migration tests

* Use `KubernetesCluster` instead of `ClusterName` for clarity

* Add additional "real-world" migrations from customer feedback

* Rename `Subtype` -> `Format` for `DatabaseOutput`

* Rename Subtype -> Format for DatabaseOutput

* Remove a very british "u" from Behaviour

* Add godoc for interfacemethods

* Fix double dot in comment

Co-authored-by: Michael Wilson <mike@mdwn.dev>

* Use const for database formats

* Reuse constant type string in Stringer

* Add godoc comment explaining behaviour if no destination found

* Inject executablePathGetter rather than using package level variable

* Use correct case in error

* Add warning for destination reuse

* Try to improve confusing log message

* Remove 'u' from behaviour

* Emit error when v2 config possibly being migrated as v1

* Fix imports

* Ensure they don't overwrite original config

* Remove redundant check

---------

Co-authored-by: Michael Wilson <mike@mdwn.dev>
2023-06-28 09:10:47 +00:00
Noah Stride ab2279634d
Machine ID: New configuration format (#27152)
* Introduce new tbot output configuration

* Remove code that will be included in future test refactor PR

* Add config version header

* Fix TestInitSymlink

* Add support for `standard` database type

* Set CA type

* `make fix-imports`

* More closely mimic original database output behaviour

* Make output of additional TLS files for application output optional

* Spell compatability properly

* Add test for config marshalling

* Fix cluster field yaml name

* Fix YAML marshalling/unmarshalling

* Fix sidecar invocation of tbot

* Add WrapDestination helper function to protect wrappedDestination

* Apply changes to sidecar

* Spell Marshalling the way the linter insists

* Fix some logging

* Tidy mutex usage on outputRenewalCache

* Fix ssh_host generation

* Get rid of `destinationWrapper`

* Single l in Unmarshaling

* Fix operator sidecar tbot

* Add UnmarshalYAML for SSHHostOutput

* Use `KubernetesCluster` instead of `ClusterName` for clarity

* Rename `Subtype` -> `Format` for `DatabaseOutput`

* Remove a very british "u" from Behaviour

* Add godoc for interfacemethods

* Fix double dot in comment

Co-authored-by: Michael Wilson <mike@mdwn.dev>

* Use const for database formats

* Reuse constant type string in Stringer

* Add godoc comment explaining behaviour if no destination found

* Inject executablePathGetter rather than using package level variable

* Use correct case in error

* Add warning for destination reuse

* Try to improve confusing log message

* Remove 'u' from behaviour

---------

Co-authored-by: Michael Wilson <mike@mdwn.dev>
2023-06-27 08:03:38 +00:00
Alan Parra d83146422a
Use the long-form --config flag in shell example (#28232) 2023-06-26 14:39:16 +00:00
Brian Joerger c8647a7508
Don't add keys to agent during headless login. (#27960) 2023-06-23 21:03:47 +00:00
Alan Parra 44960a89af
Warn about clamshell-related touch ID unavailability (#28175) 2023-06-23 16:45:59 +00:00
Marco André Dinis 48a113bb93
InstallScripts: pin teleport version using ServerVersion (#28149)
* InstallScripts: pin teleport version using ServerVersion

When Automatic Upgrades are enabled and the current installation is an
enterprise build, it will install teleport using:
- stable/cloud repo channel (yum, apt)
- pin the version to the one present at:
  https://updates.releases.teleport.dev/v1/stable/cloud/version

* improve comments
2023-06-23 15:45:36 +00:00
rosstimothy 2593843c6f
Support for benchmarking web sessions (#24864)
Adds `tsh bench web ssh` to allow benchmarking ssh sessions that are
created via the web api. To prevent import cycles between `lib/web`
and `lib/client` the cookie implementation in `lib/web/cookie.go`
was moved into its own package `lib/web/session`. There is currently
no support for SSO users - adding a local server to handle the login
was out of scope and can be added in the future.
2023-06-23 15:08:06 +00:00
Alex McGrath e2b76bb04f
Add option to allow for host users not to be deleted (#26892)
* Add option to allow for host users not to be deleted

This adds a new role option called create_host_users_mode which allows
for it to be configured to not delete users when a session ends. The
old `create_host_user` option will be deprecated with this.

If the deprecated option is set, the new mode option will default to
dropping users as is the current behavior.

* add generated protos

* use combined output for commands, don't set CreateHostUser

* fix tests

* ci fixes

* add godocs to HostUserMode constants, fix tests

* remain -> keep

* Use an enum instead of a string

* fix merge errors

* Add tests & resolve comments

* Resolve issues

* fmt
2023-06-23 13:35:57 +00:00
Krzysztof Skrzętnicki e5b95051f4
Add CLI options for OpenSearch autodiscovery config. (#27941) 2023-06-22 13:19:52 +00:00
Steven Martin d6205f50b7
update message on empty tsh ls results (#28095)
* update message on empty tsh ls results

* Update message to have no docs

* update verbiage

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
2023-06-21 21:29:42 +00:00
Alex McGrath 0760bc9776
Allow setting max_session_ttl from clusterauth preferences (#26824)
Document `default_session_ttl` in the reference.
2023-06-21 10:39:34 +00:00
Alan Parra ec8594f96d
fix: Ignore staticcheck false positive on darwin (#28038) 2023-06-19 18:42:10 +00:00
Krzysztof Skrzętnicki 57609fd6bd
Fix invalid command example. (#27943) 2023-06-16 21:01:08 +00:00
Noah Stride 60a325aa7c
Device Trust: tsh privilege elevation for TPM enrollment (#27833)
* Start fleshing out UAC elevation

* Use `runas` and ShellExecuteW to open a child process with elevated privileges

* Add tsh command to re-execute

* Add method to be called in the elevated child process

* Ugly, but working, credential activation in UAC dialogued child

* Add TODO

* Add some further notes/explanation on windows.ShellExecute

* Change error message to match function name

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Improve comment

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Use `trace.BadParameter` instead of `Errorf`

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Use `tpm-activate-credential` instead of `activate-credential`

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove spurious newline

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Move towards more production ready elevated process

* Add stubs for darwin/other

* Use path in state dir for cred activation results

* Fix stub return values

* Fix test missing context.Context pass

* Add additional message when cred activation completes

* Use ShellExecuteExW to get handle to process to wait on

* Improve comment in windowsexec

* Minor stylistic changes from review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Minor adjustments to error handling and logging

* Use `windows` over `syscall`

* Leverage `mkwinsyscall`'s error handling

* Missing param in test

* Always show error, not just when `-d` is provided

* Remove unnecessary trace.Wrap(err)

* Restore cf.Debug check

* Explicitly ignore return values from `FPrintln`

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Simplify code

* Add null check to `info.hProcess`

* Minor format changes from review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-06-16 17:35:03 +00:00
Krzysztof Skrzętnicki 1b69fbcbed
OpenSearch AWS autodiscovery (#27537)
* OpenSearch AWS autodiscovery

* Normalize description, check err.

* Fix tests.
2023-06-16 12:56:53 +00:00
Noah Stride 4151218576
Add Machine ID tip when tctl auth sign is used (#27804)
* Add prompt to machine id page when using `tctl auth sign` for a user credential

* Use FPrintf with stderr instead of `log.Info`

* Move newline

* Remove emoji from message in case it breaks terminals
2023-06-16 10:39:50 +00:00
rosstimothy c78743c59b
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842)
Fixes a discrepancy in overwriting the environment value with the
address observed for the Web UI for sessions not originating from
the Web UI. All sessions will now use `tc.WebProxyAddr` as the
default value and *only* update if an override is provided.

`TestIntegrations/EnvironmentVars` was updated to ensure that the
expected environment variables are present in both interactive and
non-interactive sessions.
2023-06-14 19:47:32 +00:00
Brian Joerger e43ef74f36
Add skip-confirm flag for headless approval. (#27823) 2023-06-14 19:08:26 +00:00
STeve (Xin) Huang e677aadb9f
Fix an issue ALPN handshake test does not respect "HTTPS_PROXY" (#27583)
* Fix an issue ALPN handshake test does not respect "HTTPS_PROXY"

* address review comment

* remove simplehttsproxy

* Add context to IsALPNConnUpgradeRequired in ten thousand places

* add goc and dial with context
2023-06-13 15:30:48 +00:00
STeve (Xin) Huang 66f5b5510c
Fix an issue kube local proxy requirement is wrong in separate port mode (#27634)
* Fix an issue kube local proxy requirement is wrong in separate port mode

* move kube local proxy requirement check to api/profile
2023-06-12 13:49:09 +00:00
rosstimothy 553eb02bdf
Fix moderated session presence checking (#25988)
* Fix moderated session presence checking

Addresses all of the issues that were preventing presence checking during
moderated sessions from working as described in
[#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859).

Closes #18092

* make presence test clearer

* fix presence checking on the web ui

* Refactor web socket message handling

A single message processing loop handles retrieving the envelope
and passing it off to individual message handlers. This allows all
messages to be processed outside of `Read` which was dependent on
the terminal being active to process any messages.

The webauthn challenge response was also moved from a raw message
to a webauthn message. By sending it as a raw message it made
presence checking fail because the response has a `t` in it which
caused the session to be killed during moderated sessions.

* enforce mfa ceremony when joining and cluster wide mfa is enabled

* fix conflicts with master

* moderated tests

* Add moderated session tests for the UI

* Add moderated session integration test

* fix lints

* clean up presence test

* refactor envelope handling

* fix build

* fix: revert test debug timeout

* fix: use local context in tests

* simplify closing streams

* generalize waitForOutput to work with an io.Reader

* fix error handling in stream close

* unexport PresenceOptions

* Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
Nic Klaassen 21e38dc125
Enable use of user traits in label expressions (#27138)
* enable user traits in label expressions

* move accessChecker methods to access_checker.go
2023-06-08 06:21:11 +00:00
Brian Joerger ca1c4869ef
Use tcp listener file descriptor to assign listeners to test server without collisions. (#27515) 2023-06-07 22:17:18 +00:00
Brian Joerger 207c9136ab
Test tool/tsh/common in CI (#27579)
* Change tsh test directory referenced in makefile.

Fix proxy template test case.

* Fix TestWriteSSHConfig.

---------

Co-authored-by: Steven Martin <steven@goteleport.com>
2023-06-07 19:02:10 +00:00
Steven Martin 488bd91263
use proxy port in openssh config (#27536)
* use proxy port in openssh config

* update test record
2023-06-07 14:28:27 +00:00
Brian Joerger b7fed8ae72
Fix an unintended interaction between and Proxy Templates where the environment variable is prioritized over the template. (#27492) 2023-06-06 22:58:51 +00:00
Brian Joerger 193abfdf2c
Only fallback to SSH_TELEPORT_ env variables for proxy, user, and cluster name when used with headless. (#27057) 2023-06-06 19:53:45 +00:00
Sakshyam Shah 796b2d29a0
device trust marshalers (#24963)
* feat: device resource in tctl get all

* check for device resource but ignore in favour of enterprise resource migration

* add firstStart indicator in auth service config. Tests

* remove device bootstrap from this PR

* multiple updates:
- remove resource marshaler, this will be added to e repo instead
- remove device resource checks in oss (not needed as resource marshaler now added to e). tests removed

* move device marshalers to service package

* run fix-imports, fix test

* remove device case from itemsFromResource
2023-06-06 17:29:49 +00:00
Gabriel Corado a200271ac5
Support authenticating with AWS IAM role for MongoDB Atlas (#26439)
* feat: support authenticating with AWS IAM for MongoDB Atlas

* chore(lint): fix errors

* test(tsh): add missing database field

* refactor(mongodb): check for error on each authenticator branch

* refactor(mongodb): update log messages and atlas check

* refactor(auth): use IsRoleARN helper instead of IsARN

* chore(db): remove unused line

* chore(mongodb): split authenticator func

* refactor(db): rename get atlas token function

* tests(db): reuse already existent auth property

* chore(mongodb): add docs reference

* refactor(db): support role chaining

* feat(types): "require" iam role for atlas users

* refactor(db): use external id only on the first session

* refactor(services): add new database matcher for regular users and aws

* chore(db): rename functions to be more assertive

* chore(types): fix lint

* test(db): remove duplicated test

The test being removed here is covered by `TestMongoDBAtlas`
(lib/srv/db/auth_test.go).
2023-06-06 14:57:27 +00:00
Noah Stride cb39f79500
Machine ID stability: separate bot identity and impersonated identity renewal (#24267)
* Start breaking apart bot renewal loops

* Refactor initial bot identity fetching

* Tidy up some log messages

* Add renewal loop for bot identity

* Tidy up logging

* Add channel broadcaster so multiple can listen

* Fix compilation

* Ensure template instructions include join-method

* Fail harder for template failure to render

* More graceful failure to describe identity

* support partial renewals of bot identity

* Move methods to helper functions to avoid potential state confusion

* Simplify how template renderers access the bot

* Simplify bot mock in tbot/config tests

* Add integration test for whole bot

* Further tidying of test

* Fix operator sidecar bot invocations

* Fix anonymous telemetry testing

* Ensure we always return the unlock

* Nicer error message

* Use better naming for provider/organise impersonated_identity file

* Ensure impersonated client closed on failure

* Close testclient after initialize complete

* Fix tests in main package

* Missing license header

* Allow join method to be omitted for `tbot init`

* Use correct limit in log messages for bot identity renewal

* Propagate new identity before persisting it to disk

* Move warning about renewal interval

* document unsubscribe

* Support SIGHUP again
2023-06-06 10:53:25 +00:00
Brian Joerger 70c5ce7e8c
Add tsh e2e tests with various security features enabled (#26862)
* Refactor tool/tsh to enable tsh e2e tests outside of the tsh package.

* Add tool/teleport/testenv to enable easier e2e tests from outside
  packages.

* Skip all flaky test checks when * is provided.
2023-06-06 01:25:09 +00:00