Boilerplate for a new service and API objects:
- windows_desktop_service config section
- service registration and heartbeats
- static host registration and heartbeats
- caching, permissions, etc
- "tctl get" support
For new connections the service aborts after authentication, since the
RDP client implementation is not ready yet (pending in
https://github.com/gravitational/teleport/pull/7824).
Tested that the service starts, registers (both over a tunnel and
directly) and creates the API objects.
* Revert "Send web idle timeout with new web session response (#7839)"
which contains a bug where web idle timeout returns zero despite settings
* Retrieving web idle timeout in auth service and setting it with new web
session fixes the bug
Teleport will fail to start when a k8s cluster is unavailable when
using the kubeconfig in a `kubernetes_service` configuration. This means
that a single missing cluster can disrupt _all_ of the configured
clusters, even if the others are online.
This change makes failing the cluster credential enumeration a
per-k8s-cluster warning, rather than a stop-the-world error.
It also expands the testing shims inside the k8s proxy to allow more
sophisticated mocked scenarios, in order to test the above.
See-Also: #7215
Fixed two issues that were causing a performance issue with the Web UI.
The first issue was that when an "Authorizer" was being created at
process startup by Auth Service, it was by-passing the cache and always
hitting the backend directly. All services have been updated to now use
a cached access point.
The second issue was that the Web UI was not using the local cache when
fetching the list of roles for a user. The Web UI has been updated to
now use the local cached access point.
Adds the ability to block network traffic on SSH sessions.
The deny/allow lists of IPs are specified in teleport.yaml file.
Supports both IPv4 and IPv6 communication.
This feature currently relies on enhanced recording for
cgroup management so that needs to be enabled as well.
-- Design rationale:
This patch uses Linux Security Module (LSM) hooks, specifically
security_socket_connect and security_socket_sendmsg, to control
egress traffic. The LSM provides two advantages over socket filtering
program types.
- It's executed early enough that the task information is available.
This makes it easy to report PID, COMM, etc.
- It becomes a model for extending restrictions beyond networking.
The set of enforced cgroups is stored in a BPF hash map and the
deny/allow lists are stored in BPF trie maps. An IP address is
first checked against the allow list. If found, it's checked for
an override in the deny list. The policy is default deny. However,
the absence of the NetworkRestrictions API object means allow all.
IPv4 addresses are additionally registered in IPv6 trie (as mapped)
to account for dual stacks. However, it is unclear if this is sufficient
as 4-to-6 transition methods utilize a multitude of translation and
tunneling methods.
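The lookup order described above (allow list first, deny list as an override, default deny, and "no object at all" meaning allow all), together with the IPv4-mapped registration for dual stacks, can be modeled in user space. The following is an added example written for this page, not Teleport's code and not part of the patch: it stands in for the BPF trie maps with Go's net/netip prefix matching. The type name NetworkRestrictions, its fields, and the function names are assumptions for the example; the sample allow and deny lists are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NetworkRestrictions holds the allow and deny lists in the order the design
// notes evaluate them. Type and field names are assumptions made for this
// example; they are not Teleport's own API types.
type NetworkRestrictions struct {
	Allow []netip.Prefix
	Deny  []netip.Prefix
}

// withMapped returns p unchanged for IPv6. For IPv4 it also returns the
// IPv4-mapped IPv6 form (::ffff:a.b.c.d with the prefix length shifted by 96),
// mirroring the extra registration of IPv4 entries in the IPv6 trie so that a
// dual-stack socket presenting a mapped address still hits the same rule.
func withMapped(p netip.Prefix) []netip.Prefix {
	if !p.Addr().Is4() {
		return []netip.Prefix{p}
	}
	mapped := netip.PrefixFrom(netip.AddrFrom16(p.Addr().As16()), p.Bits()+96)
	return []netip.Prefix{p, mapped}
}

// parseCIDROrHost accepts "10.0.0.0/8" style CIDRs; a bare address is treated
// as a host entry (/32 or /128).
func parseCIDROrHost(s string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked(), nil
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("invalid address or CIDR %q: %w", s, err)
	}
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// ParseRestrictions builds a policy from allow and deny CIDR strings.
func ParseRestrictions(allow, deny []string) (*NetworkRestrictions, error) {
	nr := &NetworkRestrictions{}
	for _, list := range []struct {
		cidrs []string
		dst   *[]netip.Prefix
	}{{allow, &nr.Allow}, {deny, &nr.Deny}} {
		for _, s := range list.cidrs {
			p, err := parseCIDROrHost(s)
			if err != nil {
				return nil, err
			}
			*list.dst = append(*list.dst, withMapped(p)...)
		}
	}
	return nr, nil
}

// contains reports whether any prefix covers a (the trie lookup stand-in).
func contains(prefixes []netip.Prefix, a netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Decide reports whether egress to dst may proceed. A nil policy models the
// NetworkRestrictions object being absent: allow all. Otherwise dst must be in
// the allow list (default deny) and must not be overridden by a deny entry.
func (nr *NetworkRestrictions) Decide(dst netip.Addr) bool {
	if nr == nil {
		return true
	}
	if !contains(nr.Allow, dst) {
		return false
	}
	return !contains(nr.Deny, dst)
}

// DecideString parses dst first; an unparsable destination is denied.
func (nr *NetworkRestrictions) DecideString(dst string) bool {
	a, err := netip.ParseAddr(dst)
	if err != nil {
		return false
	}
	return nr.Decide(a)
}

func main() {
	policy, err := ParseRestrictions(
		[]string{"10.0.0.0/8", "2001:db8::/32"}, // constructed sample allow list
		[]string{"10.1.2.0/24"},                 // constructed sample deny list
	)
	if err != nil {
		panic(err)
	}
	for _, dst := range []string{"10.0.0.5", "10.1.2.3", "192.168.1.1", "::ffff:10.0.0.5", "2001:db8::1"} {
		fmt.Printf("%-18s allowed=%v\n", dst, policy.DecideString(dst))
	}
}
```

The mapped registration is what makes `::ffff:10.1.2.3` hit the `10.1.2.0/24` deny entry; without it a dual-stack socket could sidestep an IPv4-only rule. Other 4-to-6 transition mechanisms (NAT64, tunnels) carry the IPv4 destination in a form this lookup does not see, which is the caveat the design notes raise.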
Multiple routines were fighting over the global logrus `Logger`
instance, causing the race detector to trip roughly once in every 10
test runs.
This patch addresses this race condition by supplying each of the
competing processes an entirely separate logger, and ensuring that
these log instances are plumbed through to the code that would otherwise
trip the race detector.
* Adds the idle_timeout_message to the auth_service config file block
* Plumbs the value through to the session monitor
* Writes the message to stderr when a session times out due to inactivity
* Adds some machinery to the test helpers to configure appropriate tests
See-Also: #6091
Prior to this change, TCP forwarding over SSH could only be disallowed
by user-based rules, rather than by individual target nodes.
This change adds:
* The `port_forwarding` key to the yaml SSH config block, with a boolean value
* Plumbing to pipe the resulting config value through to the SSH server
* A predicate check in the SSH server to [dis]allow port forwarding based on the setting.
This change also:
* adds a common way for integration tests to await the establishment of an SSH session
* refactors several integration tests to use this new method rather than manually waiting
* adds some marshaling code to move errors from spawned goroutines back into the
main test routine in verifySessionJoin()
See-Also: Issue #6783
* Use cmp.Equal instead of manual Equals methods
Equals methods can get out-of-sync with the fields added in structs they
compare. Using `cmp.Equal` handles that, removes a ton of code and makes
it more explicit when specific fields are excluded from comparison.
* Use gogoproto equal plugin for comparing proto values
This will be faster than reflect-based go-cmp.
* Init web handler with auth server feature flags on proxy init
* Retrieve auth server features by calling Ping when connecting
to auth svc which contains the server feature flags in the response