DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.
See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service
Regression from #34170.
Fixes#34804.
Additionally, clean-up a few more AWS session initiations to be consistent and clear.
* Untangle assert on CertsReloaded from assigning existing role
We used to assume that if the CMC role already exists and it's assigned
to the user already, then CertsReloaded must be false.
This assumption is wrong. If the user already has the role but the role
gets updated because it didn't include the current system username,
the certs need to be reloaded in order to refresh the list of available
logins.
To be able to represent this scenario as a test case, we must untangle
the expectation on CertsReloaded from the act of adding the existing role
to the user.
* Reload certs if user already has role but logins in role got updated
* Reorganize process config test fields
* Move PollingPeriod back from Testing field
* Fix comment text
Co-authored-by: Nic Klaassen <nic@goteleport.com>
---------
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Rename cluster to rootCluster
* Rename AgentConfigFileClusterProperties to CreateAgentConfigFileArgs
* Connect My Computer: Derive agent label from username in main process
This change improves the output of tsh ssh when running on multiple
nodes. Stdout and stderr are now labeled with the hostname of the
node they came from. The --log-dir flag on tsh ssh will create a
directory where the separated output of each command will be stored.
* Use remoteClient for remoteSite to ensure the correct authorization mechanism is used for openssh leaf nodes.
* Use remoteClient only for auth handler access point.
* Resolve nomenclature comments.
* Update integration test to cover same-name role mapping logic.
* Add nil check.
* Apply suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
In addition to adding server and backend handling for create and
update roles, the services.Access interface was updated to return
a role from the existing Create/UpsertRole methods. Bumps the e
ref to incorporate the associated changes needed there to prevent
breaking the build.
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow up PRs.
```diff
// UserGetter is responsible for getting users
type UserGetter interface {
// GetUser returns a user by name
- GetUser(user string, withSecrets bool) (types.User, error)
+ GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}
// UsersService is responsible for basic user management
type UsersService interface {
UserGetter
// CreateUser creates user, only if the user entry does not exist
- CreateUser(user types.User) error
+ CreateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateUser updates an existing user.
- UpdateUser(ctx context.Context, user types.User) error
+ UpdateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
// the result to storage. Return `false` from `fn` to avoid storage changes.
// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
// Returns the storage user.
UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
// UpsertUser updates parameters about user
- UpsertUser(user types.User) error
+ UpsertUser(ctx context.Context, user types.User) (types.User, error)
// CompareAndSwapUser updates an existing user, but fails if the user does
// not match an expected backend value.
CompareAndSwapUser(ctx context.Context, new, existing types.User) error
// DeleteUser deletes a user with all the keys from the backend
DeleteUser(ctx context.Context, user string) error
// GetUsers returns a list of users registered with the local auth server
- GetUsers(withSecrets bool) ([]types.User, error)
+ GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
// DeleteAllUsers deletes all users
- DeleteAllUsers() error
+ DeleteAllUsers(ctx context.Context) error
}
```
Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
* log message improvements
* fix etcd cleanup
* re-enable TestHSMDualAuthRotation
* retry client connection tests
* fixes based on code review
* make fix-imports
* fix: use EventuallyWithT
* set short polling period
* fix leaf SSH sessions not getting recorded
* add integration test
* address feedback, overhaul integration test
* make each test case use fresh clusters to fix failing case
* address feedback
* Apply suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* fix integration test failures
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
This commit includes a 7 character fix in lib/service/connect.go to call
connector.Close() instead of connector.Client.Close() when a new client
fails to ping the auth server.
connector.Close() correctly avoids closing the client if it is a shared
copy of the Instance client.
The call to connector.Client.Close() was causing intermittent problems
where reconnectToAuthService could get stuck repeatedly trying to use
the same client that was just closed.
This appears to be fixed now that the Instance client is not being
improperly closed by other components.
I discovered this issue because it manifested itself in flaky failures
of TestHSMMigrate, where logs indicated that the Instance client was
being repeatedly reused but the connection was never successful
```
{"caller":"service/connect.go:1057","component":"proc:18","level":"info","message":"Reusing Instance client for Proxy. additionalSystemRoles=[Proxy]","pid":"34558.18","timestamp":"2023-09-27T21:30:05Z"}
{"caller":"service/connect.go:166","component":"proc:18","level":"debug","message":"Connected client: Identity(Proxy, cert(c90e905c-76e7-4c68-803b-ba364167ec6f.testcluster issued by testcluster:173887050308815087166604899475019267945),trust root(testcluster:322819974523436048061473591931335284057),trust root(testcluster:173887050308815087166604899475019267945),trust root(testcluster:135083743987735629230336583041497316143))","pid":"34558.18","timestamp":"2023-09-27T21:30:05Z"}
{"caller":"service/connect.go:98","component":"proc:18","level":"debug","message":"Connected client Proxy failed to execute test call: rpc error: code = Canceled desc = grpc: the client connection is closing. Node or proxy credentials are out of sync.","pid":"34558.18","timestamp":"2023-09-27T21:30:05Z"}
time="2023-09-27T21:30:13Z" level=warning msg="connection problem: readfrom tcp 172.18.0.2:38114->172.18.0.2:41065: use of closed network connection *net.OpError" dest="172.18.0.2:41065" source="172.18.0.2:37496" trace.component=loadbalancer trace.fields="map[listen:8ce2fe8a89f0:0]"
time="2023-09-27T21:30:13Z" level=warning msg="Failed to forward connection: readfrom tcp 172.18.0.2:38114->172.18.0.2:41065: use of closed network connection." trace.component=loadbalancer trace.fields="map[listen:8ce2fe8a89f0:0]"
time="2023-09-27T21:30:17Z" level=warning msg="Failed to create inventory control stream: rpc error: code = Canceled desc = grpc: the client connection is closing."
{"caller":"service/connect.go:124","component":"proc:18","level":"debug","message":"Retrying connection to auth server after waiting 41.323026451s.","pid":"34558.18","timestamp":"2023-09-27T21:30:46Z"}
{"caller":"service/connect.go:189","component":"proc:18","level":"debug","message":"Connected state: rotating servers (mode: manual, started: Sep 27 2023 21:29:24 UTC, ending: Sep 29 2023 03:29:24 UTC).","pid":"34558.18","timestamp":"2023-09-27T21:30:46Z"}
{"caller":"service/connect.go:1057","component":"proc:18","level":"info","message":"Reusing Instance client for Proxy. additionalSystemRoles=[Proxy]","pid":"34558.18","timestamp":"2023-09-27T21:30:46Z"}
...repeating...
```
The HSM tests have become flaky in the past when reload/reconnect bugs like
this have been introduced, but they are long tests that are a bit tricky
to run locally and issues like this one can be difficult to diagnose.
To try to improve our chances of catching these issues in the future,
I've written a new test that starts up an Auth and Proxy process and
repeatedly reloads both of them, asserting that the reload is always
successful in a reasonable amount of time.
The new test is able to catch the bug every time I have run it locally,
usually in ~4 out of the 8 parallel invocations to runs.
I have not seen any failures with the fix applied.
The entire test completes in ~12 seconds on my local machine.
* Allow sudoer files to be created without host users
* Dont sort when fetching HostUsers
* Dont cleanup at session end
* Resolve comments
* Resolve comments, switch to a notimplemented host sudoers
* Add RPCs for removing the node and reading its name
* Extract `isAccessDeniedError`
* Add a function to remove agent directory
* Add methods in Connect My Computer service to remove node, agent directory and connections
* Do not print warning when there is no agent to kill. The agent could not be started or even configured, so there is no point in showing that warning.
* Remove agent by clicking a button in the status document
* Remove agent by logging out
* Improve comments and error message
* `getConnectMyComputerNodeName` should return `string`, not `ServerUri`
* Move `removeConnections` method from `ConnectMyComputerService` to `ConnectMyComputerContext`
* Simplify integration test
* Document that connections have to be removed before removing agent dir
* Ignore NOT_FOUND errors
* Show a notification after removing the agent and close the tab
* `readUUid` -> `readUUID`
* Run prettier
* Extract a function that renders `useConnectMyComputerContext` hook to avoid duplicating the setup
* Move showing notification outside `catch` block, add tests
* Use `connection.kind` instead of parsing the resource URI
* Add `assertUnreachable`
* Pass `closeDocument` function to the status component instead of a document object
* Post-rebase fixes
* Add daemon.Service.ResolveClusterURI
* Accept agents dir through command line flag
tshd needs to know this out of band, so that when the Electron app tells
it to watch for host UUID file for a specific cluster, the Electron app
can send just the profile name of the cluster instead of an arbitrary path
on the computer.
* Implement WaitForConnectMyComputerNodeJoin in tsh daemon
* wait: Use addEventListener instead of onabort
* Make TshAbortController emit abort event only once
This aligns it with a regular AbortController, which also emits the event
only once.
* Refactor how types are imported in tshd fixtures
* Implement WaitForConnectMyComputerNodeJoin in Electron app
* createAbortController: Add signal.aborted, use emitter.once
* Improve wait function based on Deno implementation
72d6e6641e/async/delay.ts (L39)
* Add a comment about the events package
Test that CreateHomeDirectory does not follow symlinks
resolve comments
add our own recursive directory copy
Resolve comments
Fix for "Manually create the users HOME rather than letting useradd do it"
The Cf-Access-Token header seems to be a infrequently used header that can
easily increase the size of the header by `len(roles) + len(traits)`, which
can cause problems. Users are able to add this in on their own if they need
it using header rewriting, so we'll remove this.
This change adds support for the btmp file (failed logins)
for user accounting. It also fixes a bug where the remote
address of a connection was not being correctly logged.
* Change 'proxy_protocol' default mode and behavior
Now by default `proxy_protocol` is unspecified and in that mode
we don't allow IP pinned connections and mark incoming conection with setting
source port = 0.
'on' mode now requires PROXY header.
* Don't require PROXY headers for connection to itself.
There cases when Telelport will call itself and it can go directly,
avoiding load balancer, so connection will not have unsigned PROXY header.
* Refactor validation of 'proxy_protocol' input
* Clarify PROXY protocol modes description
* Tweak unexpected PROXY protocol line error message
* Add comments about setting port to 0
* Return an error if we get unsigned PROXY line after signed
* Improve wording for error when IP pinning is now allowed when source port = 0
* Add test for checking unspecified PROXY protocol mode on multiplexer
* Fix the test
* Refactor tracking of receiving of unsigned PROXY line.
It makes sure we don't allow multiple PROXY lines with LOCAL command.
* Improve comment wording.
* Fix typo and improve wording.
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Clarify PROXYProtocolMode description
* Add comment about self connections
* Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support
* Fix typo.
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Add comment about PROXY protocol mode on kube service.
* Clarify comment for starting auth service in unspecified PROXY protocol mode
* Add dedicated error for rejecting IP pinning on connection with port=0
* Improve error message
* Rate limit logging error about unexpected PROXY line.
* Tweak error message.
---------
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* return an error when attempting to join a session of an OpenSSH node
* remove item from test plan and note to docs
* add test coverage to integration test
* fix integration test
* fixed linter issue
* Increase timeout for waiting for label update
* Advance clock more often
* Make TestReconcileLabels a unit test
* Fix imports
* Fix test
* Increase require.Eventually wait time
* Mock control stream
* Remove use of require assertions inside Eventually calls
require.Eventually runs the predicate function in a background
goroutine. It is invalid to use require to make assertions
inside the eventually, because require will fail the test if the
assertion fails, and tests can only be failed from the test's
main goroutine.
* Use EventuallyWithT
* Dont allow directly dialing to servers not in inventory
add direct dial escape hatch
* Fix failing unit test
* Fix TestProxySSH
* Fix TestTraitsPropagation
* resolve comment
* fix non-multiplexed trusted cluster setup in tsh test suite
* Fix TestProxySSH
* wait on nodes
* Skip the flaky check for TestSSHLoadAllCAs
---------
Co-authored-by: Forrest Marshall <forrest@goteleport.com>
* Get accessInfo based on user on access request drop
That's how it used to be before user login state was introduced. When
dropping a resource access request, we want to restore certs back to the
state before the access request was assumed, so that the user access is
not limited only to select resources. In the past, this was done by
calculating accessInfo from a plan user object.
This approach had the side effect of refreshing the role list of the user
based on the current backend state without the need to provide credentials
again. Teleport Connect used this side effect to make the setup of Connect
My Computer interaction-free.
Theoretically, it'd be beneficial for `tsh request drop` to use login state
rather than the current backend state, as it'd make it impossible to "escalate"
privileges by refreshing the list of roles without authenticating again.
However, this brakes the setup of Connect My Computer as it expects
GenerateUserCerts to return a role list based on a current user role list.
This commit reverts that change. An alternative would be to change Connect
My Computer setup to require a one-time relogin midway through.
* Use regular login flow in CreateConnectMyComputerRole integration test
* Fix typo
* Add WebauthnLogin field to teleportClient and tsh for tests.
* Use custom WebauthnLogin func instead of test export.
* Remove HasPlatformSupport exported function.
* Add todo to remove lib/client/export.go.
* Parallelize affected tests.
* Apply suggestions from CR.
* test RDS database discovery
* test RDS postgres instance connection
* organize some common test helpers for eks/rds e2e tests
* exclude e2e tests from flaky test base step
* exclude e2e tests in other test flows
* skip e2e db tests by default via env var check
* add postgres web conn test
