* Introduce GitHub Actions join support
* Go mod tidy
* run goimports on source files
* Address PR comments
* More PR review comments
* Changes to tests based on PR feedback
* Improve error message in github rule validation
* Add support for SHA
* Add short message describing which fields should be included
This reverts commit 4f3aa9a3f2.
We're unable to build for 32-bit Linux due to
https://github.com/golang/go/issues/55152,
which looks like it will be fixed with Go 1.19.2 next week.
We'll re-evaluate with the next Go release and reintroduce this change
as soon as we can.
Do another large batch of dependency updates.
Most updates are around minor versions, so _theoretically_ safe. The following
v0.x updates draw attention:
* cloud.google.com/go/iam (likely safe, as Google is largely trunk-based)
* github.com/Microsoft/go-winio
Notable exceptions are k8s-related modules, which are harder to update for
various reasons.
* Update Go dependencies
* Fix lib/srv/app/aws/endpoints_test.go
Update various "assorted" dependencies, that either are used throughout
(logging, testing), are mostly algorithmic or otherwise difficult to pinpoint
"ownership".
I've dropped a couple of deprecated/mostly meaningless dependencies. I suspect
`github.com/mitchellh/mapstructure` could be dropped too, but I didn't look
further now.
* Drop dependency on Clever/go-utils
* Drop dependency on github.com/pkg/errors
* Update various Go dependencies
* Use CompareAndSwap instead of CAS (uber/atomic)
* Add a comment after replaced dependencies
* switch underlying protocol used for 'tsh scp' to SFTP
* address TODO
* appease linter
* add method to make it easier for other callers to transfer files
* add tests
* print transfer progress with progress bar by default
Also allow a SIGINT to gracefully stop the SFTP connection. This is
necessary because the progress bar will ignore signals and prevent the
process from exiting.
* address SFTP fork issues
* make tests less flakey
* fix specifying dir for dst not copying files to correct paths
* make tests less flakey (again)
* don't check file access times, often differs when run in CI
* few small fixes from review, simplify Create method now that HTTP FS isn't needed
* create dst files and dirs with src mode
* improved error messages when doing file operations
* expand home dirs in remote paths
* addressed more feedback
* add license to get_home_dir.go
* address minor feedback of tests, add home dir expansion test
* update sftp fork to point to latest commit on master branch
* addressed feedback
* don't cache home dir lookups, only one remote path can ever be used
Update duo-labs/webauthn to latest and adapt/make use of new APIs.
Relevant commits:
- ResidentKey: 048000f85e
- Discoverable login (aka passwordless): 09bc59f777
* Update duo-labs/webauthn to `20220815211337`
* Use the new ResidentKey field
* Use the new passwordless APIs
* Record AppID TODOs for posterity
* Add Yubikey PrivateKey implementation for use by Teleport clients.
- Add yubikey login logic, reusing previously stored private keys.
- Fix identity file decoding with PIV keys, which sign ecdsa certificates.
- Add libpcsclite-dev pre-req for building on linux.
- Remove unnecessary keys.Signer interface and move its functionality to keys.PrivateKey.
- Move retry and jitter utils to new api/utils/retryutils package.
Update `duo-labs/webauthn` up to `20220122034320`, which is the latest version
we can get without dipping into dependency hell (`etcd` and `opentelemetry` woes
ensue after [2365c59d9f][1]).
`tstranex` could be dropped for a while now (we moved on to WebAuthn-like
interfaces for mocks). `cfssl` was only imported due to what I assume was an
IDE mishap.
I've elected to keep `fxamacker/cbor`, instead of trying to move to
[webauthncbor][2]. fxamacker is solid, past v0, seems more appropriate for
client-side libs and still backs webauthncbor.
There are no updates for `flynn/hid` and `flynn/u2f`.
Release notes for fxamacker/cbor:
https://github.com/fxamacker/cbor/releases/tag/v2.4.0.
[1]: 2365c59d9f
[2]: https://pkg.go.dev/github.com/duo-labs/webauthn@v0.0.0-20220815211337-00c9fb5711f5/protocol/webauthncbor
* Drop tstranex/u2f dependency
* Drop direct dependency to cloudflare/cfssl
* Update fxamacker/cbor/v2 to v2.4.0
* Update duo-labs/webauthn to 2022-01-22
* Fix: Make sure all credentials are set in the user
* Simplify: Drop now unnecessary AuthenticationSelection copy
While looking up github.com/gokyle/hotp I found some old deprecation warnings
and decided to address them.
* Remove HOTP support
* Update comment on checkOTP
* Remove OTPType
* Remove a few more HOTP references
* Add Username to sqlbk and don't leak connConfigs
* Azure AD authentication for sqlbk/Postgres
* Add a Postgres Config test
* Cache Azure tokens, document azureBeforeConnect
* Move the config test to sqlbk
* go mod tidy
* go get azcore azidentity
This PR extends the Kubernetes Service to support the WebSocket protocol in Kubernetes Exec calls.
The WebSocket protocol is required so that Kubernetes clients like C#, Python, and JavaScript can call the `exec` and `attach` methods.
File `remotecommand_websocket.go` was vendored from [kubernetes repo](d5fdf3135e/pkg/kubelet/cri/streaming/remotecommand/websocket.go).
Fixes #15463
Future work:
- Extend support for `port-forward`
- Extend support for `cp`
* Add Azure auto-discovery configuration fields
* Init databases if azure matchers are in config
* Use AzureMatchers in db service
* Use all azure subscriptions/resource groups if omitted in matcher
* Add azure config tests
* Go mod tidy to update dependencies
* Add azure response error conversion
* Check for azure access denied and give a helpful error message
* Add azure subscriptions api
* Add azure mysql/postgresql api and wrappers
* Test generic db server for azure
* Make server properties its own type
* Convert server types manually instead of via json
* Move server list method selection logic out of api client
* Update azure db server tests
* Fixup merge
* Update comments
* Update more comments and remove junk code
* Move all azure api into lib/cloud/azure
* Update state and version checks
* Add mutex to subscription client for caching, just in case
* Update lib/cloud/azure/db_server_test.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update lib/cloud/azure/subscriptions_test.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update lib/cloud/azure/db_server_test.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update lib/cloud/azure/db_server_test.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update lib/cloud/azure/db_server_test.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Rename azure subscription client and remove sub ID caching
* Add reference links for azure db ports
* Move indirect dep into group
* Wrap all converted azure response errors
* Remove unreachable panic
* Godoc DBServer
* Remove maxPages arg to azure client funcs
* Gofmt
* Spacing between copyright and package
* import order
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* start work on self signed tsh fixes
* fix go sum
* Adjust error formatting
* Complete less explicit error checks last
* Adjust PR feedback
* Further PR review
* Support darwin and linux certificate errors
* aliases are read from global and user configs.
* we prevent Kingpin from terminating `tsh`; we handle parsing errors better.
* added support for `TELEPORT_DEBUG` env variable, changed how logging is initialized.
* debugging aliases is possible via `TELEPORT_DEBUG=1` env variable; `--debug` is ineffective as it comes into play too late.
* if alias definition calls `tsh`, we call the `Run()` function directly instead of spawning fresh `tsh`; this improves the UX.
* alias loops are detected and a proper error is shown.
* all flags are made repeatable; if only one value for a given flag is possible, the last instance of the flag will be effective.
Co-authored-by: Marek Smoliński <marek@goteleport.com>
This commit adds the Teleport operator. The operator reconciles
TeleportUsers and TeleportRoles Kubernetes resources with Users and
Roles Teleport resources.
Add a credential picker to the tsh FIDO2/WebAuthn backend.
The PR pulls a recent patch in our go-libfido2 fork that makes it correctly
return multiple assertions from the authenticator. This allows us to implement
the credential picker for FIDO2, simplify our implementation and provide the
exact same UX that browsers use (always 1-touch for bio, touch->PIN->touch
otherwise).
I've dropped concepts like "optimistic assertions" and "eager PIN prompts" in
favor of a simple, uniform implementation.
Issue #13901.
* Prompt for credentials in LoginPrompt
* Update go-libfido2
* Implement FIDO2 credential picker
* Drop optimistic assertions, only set user if explicit
* Add license to fido2_prompt_test.go