* assist: support recording non-interactive forwarded sessions
* assist: add integration tests for assist command recording on agentless
This also fixes a bugged openssh integration test check.
* Mock OpenAI API in integration tests.
Also fixes the OpenAI mock handler that was not supporting the "/v1/*"
routes used in some web/ tests.
* Docstrings + addressing again a feedback that got lost during a rebase
* restore signer function signature
* Address Jakub's feedback + diverse improvements
- improve comments
- simpler file creation
- more efficient rsa key generation
- use assert instead of require in other goroutines
- only save env vars if they are Teleport-related
- move more logic into newTestCredentials for readability
* Update lib/srv/forward/sshserver.go
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Add a timeout in the ssh handler coroutine
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
OpenSSL disabled some legacy algorithms when moving to 3.0. The tool
we use for Windows Code Signing - `osslsigncode` - recently upgraded to
OpenSSL >= 3.0, which broke our Windows Code Signing path as the
Windows Code Signing certificate depends on at least
one of these legacy algorithms.
The osslsigncode project has published a release that fixed this issue,
but that release has not made it through to Ubuntu yet; hence we are
manually downloading and installing the tool from GitHub during the
buildbox image creation.
See-Also: #28722
When the script detects throttling it automatically scales the RCU,
however it was allowing the RCU to reach 0 which is an invalid
value. Any subsequent requests with a 0 RCU end up terminating the
script due to errors from the request. The RCU is now capped at a
minimum value of 1 to prevent this.
CredentialsChainVerboseErrors is now set in the aws.Config to provide
more actionable error messages when credentials are not configured
correctly. Users who had authentication issues would previously see
the following:
> 2023/07/11 16:50:25 NoCredentialProviders: no valid providers in chain. Deprecated.
> For verbose messaging see aws.Config.CredentialsChainVerboseErrors
By setting the config value to true users will now see more detailed output:
> 2023/07/12 10:56:06 NoCredentialProviders: no valid providers in chain
> caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
> SharedCredsLoad: failed to load profile, .
> EC2RoleRequestError: no EC2 instance role found
> caused by: RequestError: send request failed
The README was also updated to include instructions on how to authenticate
and run the script from outside the Auth server if they so choose.
* helm: Add ingress template
* helm: Add ingress support
With the changes introducing automatic websocket upgrades for TLS routing in Teleport 13, we can finally add support for a Kubernetes ingress.
* Remove unnecessary brackets
* Tidying
* Gating
* Fix lint and schema
* Fix lint examples
* Handle wildcards
* Tidy up wildcard support
* Don't add AWS annotations when using ingress
* Update AWS docs to use Ingress/ALB with ACM
* Automatically listens on 443, make values simpler
* Support ingress.spec overrides
* Enable ingress and set spec.ingressClassName
* Update values schema
* typo
* Whitelist 'healthcheck' for spellcheck
* Address Hugo's comments from code review
* Apply Paul's comments from code review
* Few more docs fixes
* Update teleport-cluster reference
* Add values file and fix lint/tests
* Fix docs lint
* Add proxy_service.trust_x_forwarded_for when ingress is enabled and Teleport version >=14
* Fix semver check for pre-releases
* Indent ingress section correctly
* Address docs feedback from Hugo/Tiago
* Add warning about using tsh with ingress
* Fix lint spelling
* Add instructions for checking AWS LB controller installation
* Whitelist ingressclass in spellcheck
* What a stupid error
* docs: proxy peering out of preview
* checks for tsh play session type
* Check for session type in tsh play file
* lint fix
* mention using tsh recordings export
* comments
* use switch to provide specific checks on session type
* add switch for file play
* lint fix
* output change
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
If the upload completer fails due to a permissions error, emit a
warning indicating that the upload completer will not function
properly, but suppress the stack trace.
Closes #28999
* Always show the typing dots when Assist is generating a reply
* Make the typing dots smaller and reactive to the theme
* Prevent the message list from scrolling if the user has scrolled up
* Move the landing page & improve the auto scrolling logic
* Improve the boolean logic for showing the footer
* Introduce AccessList gRPC service and calls.
The AccessList gRPC service has been introduced along with modifications
to the auth client to support it. A few changes have been made to ensure
that packages generated in protobuf map more cleanly to existing patterns.
* Tuning of backend and gRPC calls, correction of tests and comments.
* Regenerate protobuf, update access list client.
* Split up tests, service returns AccessList directly.
* Remove client wrapper, as it can't depend on lib/types.
* Update GRPC.
* Clean up access list protos, add in conversion functions tests.
The access list protos have been cleaned up to fit into the existing generated
protos a little more cleanly, and conversion functions have been migrated to
their own packages and tests for them have been added.
* Remove access list test (covered in other PR), run GCI.
* Rebase on master.
* Move internal storage representation of objects into lib.
* Rename trait conversion From/ToProto.
* GCI.
* Reduce stuttering where possible.
This change adds the `labelReconciler` to the discovery service, which periodically
reconciles the labels it receives from discovered EC2 instances with the labels of the
corresponding SSH servers stored in the auth server.
We were escaping the command arguments with double quotes.
It works with bash 4.3+.
However, AWS CloudShell has bash 4.2, which:
> zz. When using the pattern substitution word expansion, bash now runs the
> replacement string through quote removal, since it allows quotes in that
> string to act as escape characters. This is not backwards compatible, so
> it can be disabled by setting the bash compatibility mode to 4.2.
http://tiswww.case.edu/php/chet/bash/CHANGES
When running this script in bash 4.2, the arguments end up being `"xyz"`
instead of `xyz`.
So, errors like this happen:
```
ERROR: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.\"us-east-1\".amazonaws.com/": dial tcp: lookup sts."us-east-1".amazonaws.com: no such host
```
Removing the quotes means it will work on older and newer bash versions:
Demo:
```
> ./bin/teleport integration configure deployservice-iam --cluster=kimlisa.cloud.gravitational.io --name=r0mant --aws-region=us-east-1 --role=r0mant-oidc --task-role=Test+1=2,3.4@5-6_7
2023/07/07 08:04:05 TaskRole: Boundary Policy "Test+1=2,3.4@5-6_7Boundary" created.
2023/07/07 08:04:05 TaskRole: Role "Test+1=2,3.4@5-6_7" created with Boundary "arn:aws:iam::278576220453:policy/Test+1=2,3.4@5-6_7Boundary".
2023/07/07 08:04:05 TaskRole: IAM Policy "Test+1=2,3.4@5-6_7" added to Role "Test+1=2,3.4@5-6_7".
2023/07/07 08:04:05 IntegrationRole: IAM Policy "DeployService" added to Role "r0mant-oidc"
```
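An added example (not the commit's own code and not the Teleport configure script) of the quoting approach the fix above relies on: values are substituted into `${var//pattern/replacement}` without surrounding quotes, arguments are kept in an array rather than a single escaped string, and a pre-flight check rejects any argument that still carries a literal `"`, the symptom visible in the `sts."us-east-1".amazonaws.com` error. The function names, the `REGION` template and the check itself are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example; not part of the Teleport repository.

# Safe form: the value is substituted without quote characters in the
# replacement, so bash 4.2 (no quote removal in the replacement) and
# bash 4.3+ produce the same host. The outer double quotes already
# prevent word splitting, so no inner quoting is needed.
build_sts_host() {
  local region="$1"
  local tmpl='sts.REGION.amazonaws.com'
  printf '%s' "${tmpl//REGION/$region}"
}

# Pre-flight check: a literal double quote inside a host or argument is
# exactly what produced the "no such host" error in CloudShell.
# Returns 0 when a stray quote is present, 1 otherwise.
has_stray_quotes() {
  case "$1" in
    *\"*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Keep arguments in an array instead of one escaped string: each element
# reaches the command as-is, so values containing '+', '=', ',' or '@'
# (like the task role in the demo) need no escaping at all. Fails closed
# if any argument still contains a literal quote.
build_args() {
  local cluster="$1" name="$2" region="$3" role="$4" task_role="$5"
  ARGS=(
    --cluster="$cluster"
    --name="$name"
    --aws-region="$region"
    --role="$role"
    --task-role="$task_role"
  )
  local a
  for a in "${ARGS[@]}"; do
    if has_stray_quotes "$a"; then
      echo "refusing to run: stray quote in argument $a" >&2
      return 1
    fi
  done
  return 0
}

# Number of elements in ARGS after the last successful build_args call.
arg_count() { printf '%s' "${#ARGS[@]}"; }
```

Running `build_args` followed by `some-command "${ARGS[@]}"` passes every value intact regardless of the bash version in use.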
Addresses part of #24096 via a new integration test.
> With HA you should be able to reboot the
> cluster without dropping the connection
The test starts two processes, one running just Auth, another
running SSH+Proxy. An interactive session is created which
periodically executes a command and verifies the output contains
the expected values. The Auth instance is restarted in the
background while the command validation occurs.
* Allow configuring number of parallel execution workers
* Remove an obsolete command
* Revert test: do not check parallel behavior
* Move worker count field into Assist config
* Replace waitgroup and semaphore with errgroup
* Adjust log message
* Switch ACEW to int32, add additional validation
* RFD 133 - Connect My Computer
* Add security section
* Add notes on how UI behaves with given version differences
* Add jentfoo to required approvers
Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com>
* Explain the reason why tools such as systemd are not used
* Extend the lifecycle section with PID monitoring
* Prohibit an unsupported mix of versions
* Mention security concerns earlier
* Link to ideas on reinforcing security in the future
* Do not remove role on agent removal, ensure system username is in role
* Store just a single version of the agent
* Mention using $XDG_CACHE_HOME on Linux
---------
Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com>
* dronegen: Switch linux-based push builds to GitHub
Change the drone pipelines for linux-based push builds to call a GitHub
actions workflow instead of running on drone runners. This includes one
of the builds for Windows which is done in a Linux container.
The old push pipelines that run the build on drone runners are now
removed as they are no longer used.
* ci: Update .drone.yml
This updates the linux-based push pipelines to delegate to github
actions.
* Update e ref for push linux workflows