This commit introduces a new iteration of the proxy discovery
algorithm implemented as a separate component from the main
reversetunnel agent/agentpool system. This isolation is
intended to improve our ability to test and reason about the
algorithm in isolation from IO and other implementation
details.
When emitting session related events, emit them with the ID of the host
not of the server. This is because the forwarding server has a randomly
generated ID that will note validate with TLS identity that connects to
the Auth Server.
The currentUserAction endpoint on the Auth Server allows access to a
user "Nop" if no form of client authentication is provided. Since this
user is not associated with a role, it has no logins, and can not obtain
SSH x509 credentials.
To strengthen access controls, currentUserAction only allows locally
authenticated users whose with a name match access.
If an attacker can force a username change at an IdP, upon second login,
the services.User object of the original user can be updated with new
roles and traits. If these new roles and traits differ, the original
user can have their privileges raised (or lowered).
To mitigate this, encode roles and traits within the certificate and use
these when fetching roles to make RBAC decisions. If roles and traits are
not encoded within an certificate (for example for old style SSH
certificates then fallback to using the services.User object and log a
warning.
Before sending and receiving a session recording, parse the session ID
to make sure it's a UUID to prevent an attacker from uploading an
arbitrary file.
Validate all incoming events (and archives) to ensure that the server ID
within the event matches the x509 identity of the connected host. This
check makes sure nodes can only submit events for themselves.
In addition, make sure session recordings to disk or S3 can not be
overwritten.
* Support resource-based bootstrapping for backend.
Outside of static configuration, most of the persistent state of an
auth server exists as a collection of resources, stored in its
backend. The resource API also forms the basis of Teleport's more
advanced dynamic configuration options.
This commit extends the usefulness of the resource API by adding
the ability to bootstrap backend state with a set of previously
exported resources. This allows the resource API to serve as a
rudimentary backup/migration tool.
Notes: This features is a work in progress, and very easy to misuse;
while it will prevent you from overwriting the state of an existing
auth server, it won't stop you from bootstrapping into a wildly
misconfigured state. In general, resource-based bootstrapping is
not a complete solution for backup or migration.
* update e-ref
Upon calling "tsh login <clusterName>", Teleport will save the cluster
name in ~/.tsh/profile. This value will then be used similar to the
--cluster flag to select which cluster to run a tsh subcommand on.
Fixes#2648
Teleport does not support SAML identity provider
initiated logins, this commit gives a better
error message to the user instructing them
what to do.
This commit fixes memory leak in the cache module:
* Cache calls in to create a NewWatcher
* NewWatcher gets registered in the backend
* Cache closes the watcher
* Watcher never gets deleted from the backend
fanout internal structure.
This is a defect in the way watchers are implemented:
closing a watcher should result from it's removal
from the fanout internal circular buffer prefix tree.
