* Move gRPC error interceptors to api/utils/grpc/interceptors.
* Use error interceptors in api client and mock server.
* Apply suggestions from CR.
* Unwrap FromGRPC errors in middleware.
* Use gRPC auth service in tests instead of external example service.
* It's gRPC!!!
* Fix unit test.
* Add error interceptor to proxy client.
* Fix merge conflict.
* Start fleshing out UAC elevation
* Use `runas` and ShellExecuteW to open a child process with elevated privileges
* Add tsh command to re-execute
* Add method to be called in the elevated child process
* Ugly, but working, credential activation in UAC dialogued child
* Add TODO
* Add some further notes/explanation on windows.ShellExecute
* Change error message to match function name
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Improve comment
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Use `trace.BadParameter` instead of `Errorf`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Use `tpm-activate-credential` instead of `activate-credential`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Remove spurious newline
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Move towards more production ready elevated process
* Add stubs for darwin/other
* Use path in state dir for cred activation results
* Fix stub return values
* Fix test missing context.Context pass
* Add additional message when cred activation completes
* Use ShellExecuteExW to get handle to process to wait on
* Improve comment in windowsexec
* Minor stylistic changes from review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Minor adjustments to error handling and logging
* Use `windows` over `syscall`
* Leverage `mkwinsyscall`'s error handling
* Missing param in test
* Always show error, not just when `-d` is provided
* Remove unnecessary trace.Wrap(err)
* Restore cf.Debug check
* Explicitly ignore return values from `FPrintln`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Simplify code
* Add null check to `info.hProcess`
* Minor format changes from review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Add types for storing Platform Attestation
* Add to/from resource conversion
* Use bytes for nonce field
* Tidy up usage of pointers
* Ensure tests cover multiple entries
* Adjust comments as per PR review
* Start of Windows support for authentication
* Finish clientside implementation of TPM device auth
* Rename getOSType -> getDeviceOSType everywhere
* More efficient byte trimming suggested by Zac
* Use `filepath.Join` rather than `path.Join`
* Add test for device auth
* Improve comments
* Log TPM closure errors
* Rename Auth -> Authn for clarity
* GoDoc for FakeDevice iface
* Use UserConfigDir rather than UserHomeDir
* Send EKCert if one is present
* Consistent naming
* Add configuration types for EKCertAllowedCAs
* Add fileconfig support for EKAllowedCAs
* Add test cases for fileconf loading and parsing
* Rename helper functions for consistency
* Correct GoDoc format
* Add source URL for pem file
* Start implementation of Windows TPM enrollment
* Basic device data collection for windows
* Add AK get/creation
* Add helpers for converting tpm protos
* Don't create AK in inappropriate circumstances
* Further simplify AK load/create
* Add tests for proto/attest conversions
* Ensure that digestalg varies between test cases
* More accurate proto field name
* Missing license header
* Add credential fingerprinting function
* Add getDeviceCredential implementation for windows
* Add dependencies so this builds
* Fix generation of credential id
* Introduce AKPublic field
* Collect other key data
* Add some additional debug logging
* Add more specific serial number fields to dcd
* Use faster powershell call for determining OS version
* Fix missing field in DeviceFromResource
* Add link to to-do issue
* Add packages necessary for enterprise submodule
* Fix import orders
* bump go-tpm-tools to latest versions
* Tidy up returned errors
* Add failure case test for Linux enrollment
* move linux device fake to lib/devicetrust/testenv
* Add test to exercise `RunCeremony`
* Tidier assertion messages
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Further simplifications of test assertions/errors
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Further fixes as per the llama's suggestions
* Further simplification and header on logs
* Use BadParameter rather than platform unsupported
* Add further notes on RSAness of `go-attestation`
* Minor adjustments to comments
* Unused import removed
* License headers
* rename `mustRandomBytes` -> `randomBytes`
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Proto and Go module changes for Windows TPM support
* Obligatory `go mod tidy` && `make fix-imports`
* Godocs for proto conversion methods
* Move dependencies to main indirect block
* Handle nil more gracefully
* Define the DeviceV1 resource proto
* Update generated protos
* Move device conversions to API
* Test device conversions
* Handle nil gracefully
* Add license to new files
* handle tctl create device.yaml
* delete + fix create
* delete by asset tag
* factor out finder
* tctl get device
* gci
* use unmarshaler
* device
* test + unmarshal version check
* improve error
* fix device asset search
* fix parse shortcut bug
* various fixes
* rename CheckAndSetDefaults to checkAndSetDefaults
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/collection.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* fix import
* improve findDeviceByIDOrTag and allow multiple returns for fuzzy asset tag searching in tctl get devices/
* update create/delete messages
* print warn instead of error
* mark sanity check
* resource rework
* add comments
* fix typo
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* drop findmultiple
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* various feedback updates
* user friendly enum for ostypes
* add comments
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* gci
* feedback
* typos
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Expose device verification methods in lib/devicetrust/authz
* Set device fields in auth.Context.GetAccessState
* Enable role-based device verification for SSH
* Enable role-based device verification for DBs
* Add TODO for better SSH error messages
* Do not override device error on lib/kube/proxy
* Run gci
Add device-aware authorization for SSH access, including both long-lived and
single-use certificates.
If the device trust mode is set to "required", then the presence of the
corresponding extensions is enforced. (Requires Teleport Enterprise.)
Adds logic related to TLS validation and single-use certificates as well, where
appropriate. TLS device-aware validation is not wired into Teleport yet, but
will be in follow up PRs.
gravitational/teleport.e#514
Implement the client-side device authentication ceremony.
Device authentication requires a previously registered and enrolled device. In
exchange for solving a challenge, the ceremony allows the user to augment their
certificates with device extensions, which are necessary to clear device-aware
authentication.
Wiring to `tsh` to be done in a follow-up PR.
gravitational/teleport.e#514
Handle a few common macOS errors, as well as gRPC unimplemented errors, and
return more user-friendly messages in their place.
gravitational/teleport.e#514
Implement native macOS methods required by device enrollment, namely methods to
Create/Get the device key, Sign challenges with it, and to collect device data
(aka serial number).
The implementation is rather similar to lib/auth/touchid, but simpler in a few
aspects:
1. Device keys don't require user interaction (as in they don't cause a Touch ID
prompt); and
2. There exists, at most, a single device key at all times.
I've added a tiny refactor to reuse Apple public key parsing from touchid, plus
some changes so touchid doesn't break in the face of unexpected keys (which the
device key didn't cause, per se, but my experiments getting to it did).
gravitational/teleport.e#514
Implement the client-side enrollment ceremony and define the interfaces for
native-only methods.
The server-side implementation for Device Trust is Enterprise-only, so sadly we
can't test against the real server here. I've opted to write a couple of fakes that
we can reuse for the device authentication ceremony and, eventually, to test
against other OS implementations. The current design attempts to write as much
as possible without build tags, so we can unit test most of it.
Follow ups will add the native parts and wire the ceremony to the corresponding
`tsh` command.
gravitational/teleport.e#514
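Added example, not code from the project or from any of the messages above: a stand-alone Go sketch of the flow those messages describe together, the enrollment ceremony that registers a device key, the authentication ceremony that solves a challenge with the native Sign method and augments the certificate with device extensions, and the device-aware authorization check that enforces them only when the trust mode is "required". Everything named here is assumed for illustration only: the extension names, the fake server, the credential-ID scheme (SHA-256 over the DER-encoded public key), and an ECDSA P-256 key standing in for the platform device key. It does carry the two checks a practitioner wants in such a ceremony: the challenge is single-use, and the signature is verified against the key enrolled under the presented credential ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical extension names used only in this example; the real
// identifiers are defined by the project, not here.
const (
	extDeviceID     = "device-id"
	extAssetTag     = "device-asset-tag"
	extCredentialID = "device-credential-id"
)

// enrolledDevice is what the fake server keeps after enrollment.
type enrolledDevice struct {
	deviceID, assetTag string
	pub                *ecdsa.PublicKey
}

// credentialID fingerprints a device public key: SHA-256 over its DER
// SubjectPublicKeyInfo encoding, hex-encoded (an assumed scheme).
func credentialID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// fakeServer stands in for the Enterprise-only server side.
type fakeServer struct {
	devices map[string]enrolledDevice // keyed by credential ID
	pending map[string]bool           // outstanding challenges, hex-encoded
}

func newFakeServer() *fakeServer {
	return &fakeServer{devices: map[string]enrolledDevice{}, pending: map[string]bool{}}
}

// enroll registers a device key and returns its credential ID.
func (s *fakeServer) enroll(assetTag string, pub *ecdsa.PublicKey) (string, error) {
	id, err := credentialID(pub)
	if err != nil {
		return "", err
	}
	s.devices[id] = enrolledDevice{deviceID: "dev-" + id[:8], assetTag: assetTag, pub: pub}
	return id, nil
}

// challenge issues a fresh 32-byte nonce and remembers it so it can be used once.
func (s *fakeServer) challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// signChallenge is the client/native side: sign SHA-256(challenge) with the device key.
func signChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// authenticate checks the signed challenge against the enrolled key and, on
// success, returns the device extensions to stamp into the user's certificate.
func (s *fakeServer) authenticate(credID string, challenge, sig []byte) (map[string]string, error) {
	key := hex.EncodeToString(challenge)
	if !s.pending[key] {
		return nil, errors.New("unknown or already used challenge")
	}
	delete(s.pending, key) // single use, so a captured signature cannot be replayed
	dev, ok := s.devices[credID]
	if !ok {
		return nil, errors.New("device not enrolled")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(dev.pub, digest[:], sig) {
		return nil, errors.New("device signature does not verify")
	}
	return map[string]string{extDeviceID: dev.deviceID, extAssetTag: dev.assetTag, extCredentialID: credID}, nil
}

// verifyDeviceExtensions is the authorization side: in "required" mode every
// device extension must be present; "off" and "optional" do not enforce them.
func verifyDeviceExtensions(mode string, ext map[string]string) error {
	switch mode {
	case "off", "optional":
		return nil
	case "required":
		for _, k := range []string{extDeviceID, extAssetTag, extCredentialID} {
			if ext[k] == "" {
				return fmt.Errorf("device trust mode %q: missing certificate extension %q", mode, k)
			}
		}
		return nil
	default:
		return fmt.Errorf("unknown device trust mode %q", mode)
	}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := newFakeServer()
	credID, _ := srv.enroll("ASSET-0001", &priv.PublicKey)
	ch, _ := srv.challenge()
	sig, _ := signChallenge(priv, ch)
	ext, err := srv.authenticate(credID, ch, sig)
	fmt.Println("authenticate:", err, "| required-mode check:", verifyDeviceExtensions("required", ext))
	_, err = srv.authenticate(credID, ch, sig)
	fmt.Println("replay of the same challenge:", err)
}
```

Note that the fake server deletes the challenge before verifying the signature, so a failed attempt also consumes it; a real server would additionally bind the challenge to the user session and expire it.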
Wire the Device Trust client into existing clients, a necessity for implementing
device-related commands.
A few user-friendly enum conversions are added as well, as these are useful to
write said commands.
gravitational/teleport.e#514