* Add Yubikey PrivateKey implementation for use by Teleport clients.
- Add yubikey login logic, reusing previously stored private keys.
- Fix identity file decoding with PIV keys, which sign ecdsa certificates.
- Add libpcsclite-dev pre-req for building on linux.
- Remove unnecessary keys.Signer interface and move its functionality to keys.PrivateKey.
- Move retry and jitter utils to new api/utils/retryutils package.
Update metalinter, fix a few lint warnings and replace deprecated linters.
`deadcode`, `structcheck` and `varcheck` are abandoned and now replaced by [`unused`][1].
Since 1.19, `go fmt` reformats godocs according to https://go.dev/doc/comment. I've done a bulk-reformatting of the codebase to keep the linter happy. Backporting is mostly harmless (the exception being `lib/services/role_test.go`, that for some reason breaks the _old_ linter using the new format).
[1]: https://golangci-lint.run/usage/linters/
* Bump golangci-lint version
* Replace abandoned linters
* Fix bodyclose on lib/auth/github.com
* Fix bodyclose on lib/kube/proxy/streamproto/proto_test.go
* Fix bodyclose on lib/srv/alpnproxy/proxy_test.go
* Fix bodyclose on lib/web/conn_upgrade_test.go
* Silence staticcheck on lib/kube/proxy/forwarder_test.go
* Silence staticcheck on lib/utils/certs_test.go
* Address BuildNameToCertificate deprecation warnings
* Run `go fmt ./...`
* Run `go fmt ./...` on api/
* Ignore formatting in role_test.go
* Remove redundant initializers in lib/srv/uacc/
* Update e/
* Add `where` predicate and Machine ID support to SSH host certificates
This adds `where` RBAC predicate support to `host_cert`
pseudo-resources, and adds support for requesting host certs to
Machine ID (with or without these RBAC predicates).
More specifically, this:
* Makes 3 new set functions available during `where` predicate
evaluation: `all_equal`, `all_end_with`, and `is_subset`. These
make it possible to examine the `host_cert.principals` field.
* Adds a new optional `host_cert` field to the standard `where`
context. It's only ever set specifically in `GenerateHostCert()`.
* Sets a custom context in `GenerateHostCert()` to pass along host
cert parameters.
* Makes current config available to tbot config templates
* Adds a new `ssh_host_cert` config template to Machine ID
* Refactors `tbot/config` tests to use shared mock bot / auth
implementations.
Host certs can be requested in Machine ID by adding a new config
template:
```yaml
destinations:
- directory: /opt/machine-id
configs:
- ssh_host_cert:
principals: [foo.example.com]
```
Bots will need a role like the following:
```yaml
kind: role
metadata:
name: hostcert-bot
version: v5
spec:
allow:
rules:
- resources:
- host_cert
verbs:
- create
where: 'is_subset(host_cert.principals, "foo.example.com")'
```
See the RFD for more information:
https://github.com/gravitational/teleport/blob/master/rfd/0083-machine-id-host-certs.md
* Fix lint failure
* Improve doc comments on the new predicate functions.
* Address review feedback
* Address review feedback
- Remove `AuthenticatedUserClientFromIdentity`'s unnecessary
AuthServer param
- Add missing doc comments
- Pull out `getTestIdent` from the Kubernetes template test
- Move various test helpers into their own file
- Unexport new predicate functions
Primary Changes:
- Remove reliance on Private Key PEM:
- Update native and keygen packages to return PrivateKey instead of PEM key
- Add new PrivateKey interface which implements crypto.Signer
- Replace PEM encoded private key usage where possible
- Replace calls to tls.(Load)X509KeyPair with keys.(Load)X509KeyPair in
client packages
Minor Changes:
- Remove unused agent.AddedKey return from LoadKey
- Simplify sshutils and removed unused code paths
- Add ecdsa and ed25519 key support
* Add app access support to Machine ID
This adds support for app access to Machine ID. Users can specify a
new destination-level `app` field which will request certificates
with the given app. Users can then either open a proxied connection
to the app, or supply the credentials via `curl` and access the app
through the public-facing proxy.
This includes a small change to `tsh` to support identity files in
various app-related commands (`proxy app`, `app ls`, etc). The
existing `tsh` wrappers in `tbot` automatically support these app
commands.
* Add app request test
* Clean up test
* Update lib/tbot/config/config_destination.go
Co-authored-by: Noah Stride <noah.stride@goteleport.com>
* Address review feedback
* Simplify `getApp` call
* Simplify `getApp` further
Co-authored-by: Noah Stride <noah.stride@goteleport.com>
* Add Kubernetes Access support to Machine ID
This adds support for Kubernetes Access to Machine ID. Users can now
request access to a Kubernetes cluster with the new
`kubernetes_cluster` config field. When a request is configured, a
`kubeconfig.yaml` is generated which can be used to access the given
cluster.
As part of this, we also refactor a few parts of the bot code to help
cache various requests that config templates make frequently by
passing a new trivial `bot.B` interface to the `Render()` function.
For good measure, we also fix the `destination.Destination` stutter
by moving the interface to `bot.Destination`.
* Remove unused CLI param and fix docstring typo
* Cache cert authority requests
We now cache most cert authority requests from config templates and
purge the cache after each cert renewal.
* Move bot.B to config.Bot
* Add a matching marshaller for the KubernetesCluster type.
* configure golangci-lint misspell to check for anglicized spellings
* Americanize spellings
* fix aws constant value with british spelling 🇬🇧
* update api types with americanized spellings
* use american spellings .cloudbuild/scripts
* start hashing out machine id CA rotation
* filter out incoming ca events by type
* support multiple trusted certificate authorities in known_hosts
* remove redundant trace.Debug from `tbot` `main()`
* filter to only recieve relevant CA events
* add exponential backoff to renewal
* remove unnecessary `.Ping()` check with new client
* add unit test for filtering CA events
* debounce reloads
* add retry limit and backoff for CA watching
* add integration test for CA rotation
* modify CA rotation watcher loop to retry forever
Co-authored-by: Tim Buckley <tim@goteleport.com>
This changes tbot's configuration to access the token via a
getter/setter instead of a direct property, to allow us to fetch the
token (possibly reading it from a file) when we need it instead of when
the configuration is created.
This also changes the identity fetching logic, to try and read the token
when there is an identity present but not error, allowing for the token
file to have been deleted between restarts. If it can read the token,
it'll check to see if it has changed and refetch the identity if so.
* Properly handle empty list of role requests
Currently, an empty list of role requests results in an ambiguous
situation: we usually use the presence of role requests to determine
whether or not we'd return impersonated certs or not. An empty list
of role requests returns a fresh set of non-impersonated certs
(possibly renewed if allowed), while a non-empty list of role requests
returns certs with just those roles. However, if a client _intends_
to request impersonated certs but provides an empty list of role
requests it will instead receive non-impersonated (possibly renewable)
certs with the full permissions of the original user.
This could theoretically result in privilege escalation if a Machine
ID bot: (a) had any worthwhile permissions of its own, which is not
the case unless the bot role was manually modified and (b)
accidentally handed certs off to an attacker.
In practice this bug is fairly difficult to hit: `tbot` always
auto-fills all requestable roles if they are otherwise unset, and
`tctl bots add` requires `--roles=` to be passed. An empty string
here can trigger the bug however it is unlikely a user would pass this
by accident. Moreover, a bot without requestable roles cannot
accomplish much of anything, so this is exceedingly unlikely to
be intended behavior.
Additionally, certificate generation checks help to mitigate the
issue: bots currently lock themselves by accident after the first
renewal when this bug is triggered as they don't explicitly handle
receiving renewable certs when impersonated certs are expected. If an
attacker were to attempt a renewal, the generation counter would
similarly limit access, and as noted previously, the bot role grants
only minimal read-only access anyway.
---
To resolve the issue, this adds a new `RoleRequestsOnly` flag to
`UserCertsRequest` that allows clients to unambiguously specify if
they wish to receive a non-impersonated, possibly renewable, cert with
all the original user's roles and permissions, or if they wish to
receive only role-impersonated certs (or an error if roles are empty).
Machine ID passes this flag in all situations where an impersonated
cert is desired.
Additionally, we also now ensure users add at least one role in
`CreateBot()` (called by `tctl bots add`) as this is almost certainly
an unintended situation.
Fixes#13411
* Address review feedback, rename flag to UseRoleRequests
* Return a local error if no roles are specified
* Fix file descriptor leaks in `tbot`
This fixes two file descriptor leaks in `tbot`, caused by a failure to close
the previous socket connected to the auth server after renewing an identity.
* Remove unnecessary `defer` from socket close
* Make `TestDefaultTemplateRendering` less failure prone
The test requires the Teleport server to report a sane public proxy
address, however occasionally it takes some time to initialize and
returns an invalid value until that point.
This adds a wait loop to the client initialization helper to wait up
to 10 seconds for the server to return a sane value, which should
improve reliability of the test.
* Use `require.Eventually()`, reduce tick interval
* convert GetDomainNAme endpoint to gRPC
* migrate GetClusterCACert from http to grpc
* fix tests failing due to switch to gRPC transport
* Correct mispelt json tag
* remove `GetLocalClusterName` and `UpsertLocalClusterName` which are unused
* remove unused prefix constant from presence
* start refactoring tbot to have a core struct
* refactor tbot into lib/
* move `tbot` subpackages to `lib/tbot`
* remove mutex pointer
* move `tshwrap` to `lib/` from `/tool/tbot/`
* move new template ssh client render test to lib/
* address pr feedback
* add request changed