Commit graph

12758 commits

Author SHA1 Message Date
Paul Gottschling bb1f9899c1
Alphabetize the GUI Client page (#25013)
Closes #20018
2023-04-24 19:38:31 +00:00
Brian Joerger 40ba8f3879
Headless Login explicit username (#24689)
* Return an error if user is not explicitly set for headless login.

* Add test.

* Resolve comments.

* Fix typo.
2023-04-24 19:36:32 +00:00
dependabot[bot] e2efb22deb
Bump github.com/aws/aws-sdk-go-v2/service/rds from 1.42.3 to 1.43.1 (#25039)
Bumps [github.com/aws/aws-sdk-go-v2/service/rds](https://github.com/aws/aws-sdk-go-v2) from 1.42.3 to 1.43.1.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/rds/v1.42.3...service/ec2/v1.43.1)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/rds
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:10:37 +00:00
Brian Joerger a84bab8bd2
[RFD] Proxy Templates update: cluster switching and tsh ssh parity (#24586)
* Update proxy templates rfd to include cluster switching section and tsh ssh section.

* Resolve comments.
2023-04-24 17:52:04 +00:00
Michael Wilson 5d6b5adca4
Add login hooks. (#24828)
* Add login hooks.

Login hooks have been added to support performing arbitrary operations on
user login. This is done to support generating of an Okta assignment on
user login for the Okta service feature.

* Don't use error channel for calling hooks, test login hooks.

* Expose ResetLoginHooks for external testing.

* Provide user as part of login hook.

* Update lib/auth/methods.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Improve the documentation for LoginHook, AuthenticateUser returns types.User.

* Use user.GetName() instead of username in AuthenticateSSHUser response.

* Address nits and restore comments.

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
2023-04-24 17:26:45 +00:00
Tiago Silva c98cb70625
Try fixing TestGetKubeCreds (#24964)
This PR tries to fix an unknown and weirdly reported data race.

Fixes #23510
2023-04-24 17:08:04 +00:00
Forrest edfb418cc3
fix github url formatting (#25089) 2023-04-24 17:03:18 +00:00
dependabot-batcher[bot] 55d132a135
Batched Dependabot updates (#25054)
* Bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2

Bumps [github.com/alicebob/miniredis/v2](https://github.com/alicebob/miniredis) from 2.30.1 to 2.30.2.
- [Release notes](https://github.com/alicebob/miniredis/releases)
- [Changelog](https://github.com/alicebob/miniredis/blob/master/CHANGELOG.md)
- [Commits](https://github.com/alicebob/miniredis/compare/v2.30.1...v2.30.2)

---
updated-dependencies:
- dependency-name: github.com/alicebob/miniredis/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/fsouza/fake-gcs-server from 1.44.1 to 1.44.2

Bumps [github.com/fsouza/fake-gcs-server](https://github.com/fsouza/fake-gcs-server) from 1.44.1 to 1.44.2.
- [Release notes](https://github.com/fsouza/fake-gcs-server/releases)
- [Commits](https://github.com/fsouza/fake-gcs-server/compare/v1.44.1...v1.44.2)

---
updated-dependencies:
- dependency-name: github.com/fsouza/fake-gcs-server
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/aws/aws-sdk-go-v2/service/athena from 1.25.0 to 1.25.2

Bumps [github.com/aws/aws-sdk-go-v2/service/athena](https://github.com/aws/aws-sdk-go-v2) from 1.25.0 to 1.25.2.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.25.0...service/fsx/v1.25.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/athena
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.3 to 1.32.0

Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.31.3 to 1.32.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.31.3...service/s3/v1.32.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2

Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2](https://github.com/Azure/azure-sdk-for-go) from 2.2.0 to 2.2.1.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/resourcemanager/redis/armredis/v2.2.0...sdk/resourcemanager/redis/armredis/v2.2.1)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/Microsoft/go-winio from 0.6.0 to 0.6.1

Bumps [github.com/Microsoft/go-winio](https://github.com/Microsoft/go-winio) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/Microsoft/go-winio/releases)
- [Commits](https://github.com/Microsoft/go-winio/compare/v0.6.0...v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/Microsoft/go-winio
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump sigs.k8s.io/controller-tools from 0.11.3 to 0.11.4

Bumps [sigs.k8s.io/controller-tools](https://github.com/kubernetes-sigs/controller-tools) from 0.11.3 to 0.11.4.
- [Release notes](https://github.com/kubernetes-sigs/controller-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-tools/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-tools/compare/v0.11.3...v0.11.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump libc from 0.2.141 to 0.2.142

Bumps [libc](https://github.com/rust-lang/libc) from 0.2.141 to 0.2.142.
- [Release notes](https://github.com/rust-lang/libc/releases)
- [Commits](https://github.com/rust-lang/libc/compare/0.2.141...0.2.142)

---
updated-dependencies:
- dependency-name: libc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 16:33:22 +00:00
Tiago Silva 12be6aaf5d
Hide tsh bench commands (#25078)
PR #23763 introduced `tsh bench kube ls|exec` and `tsh bench ssh` but didn't correctly hide those flags from the `tsh` binary.

Co-authored-by: Steven Martin <steven@goteleport.com>
2023-04-24 16:13:04 +00:00
Marco André Dinis a93e086bcc
Join Script: fix tarball folder for ent builds (#25057) 2023-04-24 15:08:18 +00:00
Alan Parra 48dd429917
Return auto-enroll status on Ping (#24752)
* Return auto-enroll status on Ping

* Verify both old and new flags
2023-04-24 14:43:29 +00:00
Michael Wilson a611435a17
OktaAssignment and UserGroup in auth cache. (#25015)
The OktaAssignment and UserGroup read resources have been added to the auth
server's cache.
2023-04-24 13:51:22 +00:00
Michael Wilson d115832d0e
Correct add application in test plan. (#24979)
Add Application has been changed to link directly to the documentation,
so the test plan has been updated accordingly.
2023-04-24 13:51:10 +00:00
Michael Wilson 583d0d3248
Add in group labels for role conditions. (#24811)
Group labels have been added in for role conditions that will allow
access to UserGroup objects.
2023-04-24 13:32:11 +00:00
Steven Martin fe4b58aa9f
docs: fix spelling and remove misspelled word from spellcheck skip (#25027) 2023-04-24 09:31:36 +00:00
Steven Martin 16163390df
Go spell fixes (#25033) 2023-04-24 09:21:26 +00:00
Tiago Silva 85585290b4
Fix disconnect_expired_cert when Kube Identity forwarding is used (#24913)
* Fix `disconnect_expired_cert` not being respected for Kube

Teleport 13 introduces the identity forwarding mechanism that allows
a proxy to forward the client's identity without re-signing a new
certificate on his behalf. Proxy uses its certificate key pair and it's
valid for a long period of time resulting in the current version not
respecting the connection termination.

This PR removes the parsing of the connection certificate and uses the
value provided by the unmapped identity - supports the new and old
forwarding methods.

Fixes #24910

* fix test
2023-04-24 09:00:16 +00:00
Anton Miniailo cf2c7059a3
Add full IP pinning enforcement (#24743)
* Add full IP pinning enforcement

We're adding IP pinning check to `authorizer.Authorize` which is used for every call,
so now all communications with teleport should enforce IP pinning.
Also making sure we always provide login IP for user certificate creation
and correct client IP propagation everywhere.

* Add integration test for App IP pinning.

* Fix wording

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Wrap error

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add godocs

* Clone TLS config

* Improve proxyHeaderSigner usage

* Wider use proxyHeaderDialer and remove adhoc writing of signed header

* Add helper function TLSDial

* Use proxyHeader dialer in authConnect

* Simplify tlsConfig manipulation

Co-authored-by: Przemko Robakowski <przemko.robakowski@goteleport.com>

* Remove redundant channels processing in TLSDial

* Reduce nesting

* Update generated protobufs

* Remove ignoring of bad IP on signed PROXY header generation

* Provide logger to CheckIPPinning function

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Przemko Robakowski <przemko.robakowski@goteleport.com>
2023-04-23 17:09:49 +00:00
Andrew LeFevre 00bb19661e
ensure forwarded SSH agent is always closed (#24947)
Previously when handling an SSH agent forward request from a SSH
connection to a registered SSH node, the forwarding SSH server would
open a SSH channel for the SSH agent but never close it. tsh wasn't
affected by this and would exit cleanly when the SSH session was closed.
OpenSSH ssh would hang waiting for the open SSH agent channel to close,
which would never happen.
2023-04-21 22:58:20 +00:00
rosstimothy b6b57bcfe8
Unify errors returned from ProxyClient when targets are ambiguous (#25004)
Ensures that SSH and gRPC connections via `tsh` return the same
error when dialing a host fails.

Closes #24943
2023-04-21 20:36:47 +00:00
Edoardo Spadolini 091b1db314
Update e ref (#24893) 2023-04-21 19:39:24 +00:00
Edoardo Spadolini fe92efdb17
Pass the auth.Server itself to inventory.NewController (#24976) 2023-04-21 19:24:43 +00:00
Steven Martin 989d6ee73c
docs: Adds common Teleport configure, start and helm charts for non-iam db access guides (#23878)
* Adds common Teleport configure, start and helm charts for db access

* Add helm install and standard configure, start for non-IAM DBs

* Correct teleport version used in helm install

* Correct helm reference

* Change helm install styles

Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>

* rm extra space

* elevate and expand multi-service warning

* Add oracle for helm option

* language update

* specify database name for db configure and helm

* spell fix

* lint fix

---------

Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
2023-04-21 17:53:59 +00:00
Michelle Bergquist 2e9ed857da
Adds dependencies for teleport/e #1135 (#24574)
- Adds helper methods for formatting dates
- Adds stripe dependencies to yarn lock
2023-04-21 17:16:58 +00:00
Steven Martin e68d304531
docs: fix directory instruction for docs contributing (#24980) 2023-04-21 16:48:49 +00:00
Gus Luxton 2a76b2fb8d
docs: Change listen_addr to web_listen_addr in custom Helm deployment guide (#24933)
* docs: Change `listen_addr` to `web_listen_addr` in custom deployment guide

`listen_addr` is the address for the SSH proxy. `web_listen_addr` is the correct value for the TLS/web listener.

* Update custom.mdx

Update other reference
2023-04-21 14:16:34 +00:00
Andrew LeFevre 3cf48120af
don't rely on info in SSH user cert when connecting to agentless nodes (#24935)
After finding now 2 very similar bugs today related to trying to pull
connection information out of SSH certificates instead of just passing
it directly, opt to pass the information directly to prevent future bugs.
2023-04-21 13:44:17 +00:00
Anton Miniailo 702efde420
Add IP Pinning section to testplan (#24870) 2023-04-21 13:40:17 +00:00
Tobiasz Heller 941b7350d3
update go.mod and golangci to go1.20 (#24969) 2023-04-21 12:20:58 +00:00
STeve (Xin) Huang 9b749ce8a1
fix reverse tunnel cannot connect if proxy address contains https (#24871)
* fix reverse tunnel cannot connect if proxy address contains https

* move check to process.singleProcessMode
2023-04-21 10:44:05 +00:00
Ryan Clark bdc3db931e
Add the favicon back (#24904) 2023-04-20 23:02:26 +00:00
Alex Fornuto 95b30cc51a
replace 'machine' with 'host' or 'workstation' (#24932) 2023-04-20 22:22:46 +00:00
Alex Fornuto 5b07934e9d
clarify tctl command location and secret destination (#24931) 2023-04-20 22:21:56 +00:00
Steven Martin efba92ae64
docs: make adopters table markdown for cleaner look (#24939) 2023-04-20 22:20:47 +00:00
Roman Tkachenko e62745eda8
Add RFD for fetching EC2 tags via API (#22033) 2023-04-20 20:06:03 +00:00
Alan Parra de8c4af08f
Remove U2F migration testplan instructions (#24923) 2023-04-20 19:52:46 +00:00
Andrew LeFevre 4160f8e438
use correct certificate extension when getting cluster of agentless node (#24909)
lib/utils.CertTeleportClusterName is set by the SSH user key auth
handlers, so it should always be set.
2023-04-20 19:22:48 +00:00
Alan Parra dd20892fa7
Add auto-enroll toggle to device trust config (#24747)
* Add auto-enroll toggle to DeviceTrust proto

* Update generated protos

* Add auto-enroll toggle to fileconf

* Document Mode caveat on AutoEnroll

* Add a minimal config test
2023-04-20 19:21:48 +00:00
Isaiah Becker-Mayer 61e4301b9b
Makes the Per Role per session mfa example accurate (#24863)
* simplifies and edits example to make it accurate

* as login jerry
2023-04-20 18:27:30 +00:00
Brian Joerger 3883084766
Add key attestation to generate user certs to catch non-login flows. (#24867) 2023-04-20 17:28:01 +00:00
Steven Martin 73a941c1f3
docs: remove unneeded sudo for removing user data dirs (#24901) 2023-04-20 17:18:38 +00:00
teleport-post-release-automation[bot] 0f183f9398
[auto] Update AMI IDs for 12.2.4 (#24903)
Co-authored-by: GitHub <noreply@github.com>
2023-04-20 16:54:41 +00:00
Steven Martin 8f80db470a
docs: remove duplicate content in oracle guide (#24882)
* docs: remove duplicate content in oracle guide

* fix headers

* correct header numbers
2023-04-20 15:43:59 +00:00
Michael Wilson 1f02e4807e
Update crewjam/saml dependency. (#24884)
Update the crewjam/saml dependency to pull in HSM support from
https://github.com/crewjam/saml/pull/503.
2023-04-20 14:16:46 +00:00
Paul Schisa 04f1fe8c3c
Update Cloud FAQ doc to remove latency note (#24886)
With the rollout of all proxies to all prod tenants, this is no longer an opt-in functionality
2023-04-20 14:12:54 +00:00
Alan Parra 8dd586b985
Log informative messages for device authn failures (#24849) 2023-04-20 13:50:44 +00:00
Hugo Shaka 68bf10d3d1
Fixes for teleport-kube-agent-updater (#24746)
* integrations/updater: disable CGO to ensure static builds

* helm: fix updater selectors in `teleport-kube-agent`

* helm: fix updater flags

* helm: make the updater able to watch secrets, create events and acquire leases

* integrations/updater: add dummy healthz route

* integrations/updater: fix typo in DEBUG instructions

* helm: update test snapshots
2023-04-20 13:17:03 +00:00
Marco André Dinis ec6085e949
Web TestPlan: add Discover wizard (#24808) 2023-04-20 09:07:33 +00:00
Marco André Dinis d53e422998
Use apt.releases to fetch pub key (#24813) 2023-04-20 07:56:16 +00:00
Andrew LeFevre a76e411a44
refactor how 'tsh scp' destinations are parsed (#24441)
A complex regex was previously used to parse 'tsh scp'
destinations, which was hard to understand and even harder
to maintain for those not intimately familiar with regex,
despite it being heavily commented. Instead parse destinations
directly and add more test cases and a fuzz test to ensure
parsing won't panic and the new parse function doesn't
have any regressions.
2023-04-19 22:17:47 +00:00