* Fix panic when fetching user preferences
Closes https://github.com/gravitational/teleport/issues/28740
* Prevent overwriting mismatched types in user preferences
* Add error handling to user preferences service
* GCI imports
* Refactor user preferences test and logic
This commit updates the approach for comparing equality in the user preferences test. It introduces the use of the "go-cmp" library, which provides more flexibility in handling comparison of struct elements, thus helping to catch any unexpected changes that could be overlooked with the standard equality checking. We also revised the logic to handle default preferences by overwriting values for better efficiency and readability, also removing unnecessary checking and merging of values.
* Add comments to overwriteValues method in userpreferences.go
Added detailed comments to better explain the overwriteValues function in userpreferences.go file. The comments clarify how the function uses proto.Ranges to iterate over fields and only overwrite non-nil/empty fields.
* Apply some magic to preferences test
* Change the import to avoid go.mod changes and match our other imports
In several places we were effectively wrapping the same error twice.
This resulted in an error message that was duplicated and hard to read.
Also improve our handling of LDAP timeouts by:
1. Increasing the LDAP request timeout to 45s
2. Retrying LDAP connections sooner if we detect a timeout error
(this allows Teleport to recover quicker)
Fixes #10925
The backend_write_requests_total metric was missing from the metrics
reference. This change documents the metric using its Prometheus help
text.
* Fix headless authentication matching logic for watcher and add test.
* Move hasWatchPermissionForKind to a separate function.
* Clean up hasWatchPermissionForKind.
* Cleanup test code with suggestions from review.
* split recording session events and emitting audit events
This is a refactor of how audit events and session events are handled.
Previously, all events were emitted using the same interface,
api/types/events.Emitter. This led to event-related code getting to be
very confusing, as it was often unclear whether a given event was being
recorded as a session event and emitted as an audit event, or only one
of the two. Naturally, a few bugs arose due to this.
To simplify event handling, a separate interface for recording session
events has been created. An api/types/events.Recorder should now only be
used to record session events, and an Emitter should now only be used to
emit audit events. Instead of using a confusing TeeWriter that would
transparently (and confusingly, given its name) hold a few event types
that only belonged in session recordings, callers can now explicitly
record and/or emit an event when necessary.
* ensure e build won't break
This PR fixes the property `value` used by Servers when listing
connected nodes. The value was incorrectly switched from `node` to
`server_id` by mistake which crashed the list of Servers.
This regression was introduced in #27395.
Fixes #28948
This change fixes a bug in the Azure join method where a VM's identity can't be
verified if it's in a different resource group from its managed identity.
Updated the ChatCompletionRequest in the agent model to include temperature parameter. The temperature parameter controls the randomness of the AI's responses, making the model more conservative and focused with a lower value. In this case, the temperature is set to 0.3 to produce more focused and consistent results. Default is 1.0. Max is 2.0.
This fixes `tctl alerts ack ls` which used to not work due to the reasons
described in the comment.
Providing a reason is still required. The only difference is that instead
of having the CLI fail immediately if the flag is missing, the CLI will
issue a request to the cluster which will fail due to a missing reason.
* Set and distribute proxy group ID and generation
* Replace proxy tracker with a proxygroup-aware one
* Eager proxy deletion
* godocs
* restore and update tracker_test
* Mixed workload test with proxy groups
* limit connectionCount if there's fewer proxies
* package docs
* use ints for the generation
* Explicitly zero out the Atoi return value on error
* Check TELEPORT_UNSTABLE_PROXYGROUP_GEN at startup
It's now required to be empty or a valid uint64
* Pointer receivers for discoveryRequest, add docs
* track docs
* expand and document lease field names
* remove proxy deletion via gossip
* Poll the tracker
* restore TestAgentPoolConnectionCount
* Improve and deflake tracker tests
* Update track package docs
* Update cannotLease docs
Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
* docs for TryAcquire
* TODO for logging
---------
Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
* Mention agentless in the OpenSSH guide for better SEO
* Apply suggestions from code review
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
---------
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Define the return type
* Add endpoint for config script
* Store the entire integration object instead of just the name
* Build the correct script string, renames, emit event
* Enable auto deploy as default
* Fix script endpoint and update story
* Add regex check, update story
* Touch ups, add test
* Address CR
* Remove sudo from bash command
* Make into ui friendly object
When the number of replicas of a resource is bigger than 1 - i.e.
`kube_cluster`, `app`, `db` - `tsh request search` printed
all the registered resources instead of ignoring the repeated rows.
This PR excludes the repeated resource ids from the table and request
command.
Before:
```
$ tsh request search --kind kube_cluster
Name       Hostname Labels                                                             Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local               env=tiago                                                          /tele.local/kube_cluster/local
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster \
--reason <request reason>
```
After:
```
$ tsh request search --kind kube_cluster
Name       Hostname Labels                                                             Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local               env=tiago                                                          /tele.local/kube_cluster/local
my-cluster          teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster \
--reason <request reason>
```
* First pass at adding buttons to the integrations page
* Add analytics events for clicking Machine ID enrollment tiles
* Run prettier
* Fix eslint complaints
* Push fixed icons
* Flatten the styling for the Jenkins logo
* Rearrange machine ID title code
* Remove logs from event processing
* Switch to coloured gitLab icon
* Use GitLab's proper name for CI/CD
* Fix imports
* Further adjustments from PR
---------
Co-authored-by: Ryan Clark <ryan.clark@goteleport.com>
* Add more details about specifying a CA pin
Closes #9946
The CA pin is the only Teleport configuration field where we have not
yet documented the possibility of specifying a value using a file path.
This change includes this information, as well as the (also
undocumented) fact that you can specify a list of CA pins. Also updates
the docs path that the CA pin reference links to.
* Respond to zmb3 feedback
* Respond to lsgunn-teleport feedback
* Mark nodes as done when command finishes in Assist
* Split Close/CloseWithPayload
* Expect a close message before the summary in test
* Remediate confusing type usage in test
`Envelope` is the outer layer used (in protobuf format)
for execution / terminal sessions.
Meanwhile `outEnvelope` is the inner layer
used (in JSON) specifically with assist (execution),
when the outer envelope is of "raw" type.
Using `Envelope` when decoding `outEnvelope` in tests
previously worked "by accident" due to matching field names.
* Assert that server ID is set in the close message
* Refactor command execution logic and adjust WebSocket handling
This commit changes how command execution and WebSocket handling are performed in the code. Instead of manually managing session close signals and command execution notifications via WebSocket, we have wrapped it into a more easily manageable form.
Changed parts: assist and websocket libraries, test and several components of 'teleport'.
Why:
This allows cleaner command management and error handling, leading to a more reliable and maintainable application. Also made the code more readable and easy to understand. Made WebSocket handling more precise to prevent cases where stale or incorrect data might interrupt the session.
Details:
Instead of sending a close signal after all commands have been executed, we now send individual session end updates for each command. Sessions no longer remain active unnecessarily.
Message handling in command execution has been refactored for better error propagation.
All these changes were also adjusted and reflected in the associated test cases.
Also, names and types of various data structures are edited to reflect their actual usage.
* Change ServerID to NodeID to improve code consistency
This commit replaces occurrences of `ServerID` with `NodeID` across several files.
`ServerID` was misleading and causing confusion as it was serving as an identifier for nodes, so to improve comprehension and consistency in the codebase, all instances of `ServerID` have been replaced with `NodeID`. Tests have also been updated to reflect this change.
---------
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
* Access list backend service and marshal/unmarshal.
The access list backend service and marshaling/unmarshaling functions have
been implemented. This will allow for CRUD operations for access lists.
* Test audit marshal/unmarshal.
* Fix configuration typo.
* GCI.
* Add in access list marshaling test.
* Remove unused header parse.
This PR moves the creation of the `lock` file right before the login
call is attempted instead of creating it for any call.
This fixes a problem where we create the lock file even if no login is
required which limits the number of parallel kubectl invocations.
* DeployService: auto upsert IAM Join Token
When using the DeployService, the deployed services (database service
only for now) will join the Teleport Cluster using the IAM Join Method.
In order to do so, we require an IAM Token that allows the AWS Account
ID and ARN of the assumed-role.
Instead of asking the user to create it, we do it for them.
This PR creates or updates the IAM Join Token.
* AccountID is optional when calling DeployService
* dry code when upserting the token