Commit graph

10 commits

Author SHA1 Message Date
Trent Clarke 10dd64681a
Adds automatic approver user for use with access plugins (#27829)
* Adds automatic approver user for use with access plugins

Adds an internal user `@teleport-access-approval-bot` with the associated
role `@teleport-access-approver`. This new role grants the right to
approve any and all role access requests, and both the user and role
resources are automatically created on startup if not already present.

While the `@teleport-access-approval-bot` should under no circumstances
be allowed to log into the cluster or appear in UI user listings of any
kind (except as the approver in an access request), this PR does not
implement any of the requisite filtering or enforcement. This is coming
in a future PR.

* Don't crash when building OSS

* fix test fixup

* Adds labels to the Preset approval bot user

Also adds basic update functionality for preset users, and tests
for same.

* typo fix

* Commentary

* linter appeasement

* Update tests

* Update docs

* Post-merge cleanup

* Update lib/auth/init_test.go

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Address review feedback

* Filter out user in WebUI and plumb Teleport user through

---------

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
2023-06-24 00:25:05 +00:00
Trent Clarke 186a27783a
Adds AccessDenied reporting to PagerDuty (#28126)
* Adds AccessDenied reporting to PagerDuty

The PagerDuty plugin now returns a `trace.AccessDeniedError` when a
request fails due to an authentication error. This is to allow the
integrations UI to display a useful error state when the plugin
exits, rather than a generic "unknown error".

* Extra documentation
2023-06-23 04:45:13 +00:00
Trent Clarke a7252794d4
Changes to PagerDuty plugin to support running as a hosted plugin (#28021)
* Changes to PagerDuty plugin to support running as a hosted plugin

The major structural change is to provide a new PagerDuty app constructor
that allows the auth server to inject a Teleport client, rather than the
plugin automatically creating a GRPC client on startup.

Other changes include:
 - Added more PagerDuty API types
 - Extra logging
 - Small refactors here & there

* Update integrations/access/pagerduty/app.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Shorten PagerDuty typenames

* Address review feedback

- Moved API URL to plugin parameters
- Removed obsolete settings loader

* Address @marcoandredinis' review feedback

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-06-21 13:31:10 +00:00
Justinas Stankevičius ec6295b3cf
Compile binaries for access plugin tests (#27819)
* Compile binaries for access plugin tests

* Fix PD test asserts for newer Teleport versions

* Unpin role from V6 in access plugin tests

* Remove license from OSS plugins tests

We now run tests against OSS Teleport in the OSS repo,
and against Enterprise Teleport in the E repo.
So the assumption that CI always needs an enterprise license
is incorrect.

* Only compile the required binaries
2023-06-19 12:36:34 +00:00
Trent Clarke 4ebb31c1f0
Vendors the pagerduty plugin source into teleport (#27262)
* Vendors the `pagerduty` plugin source into `teleport`

This commit vendors the PagerDuty Access Plugin code into the `teleport`
repo (from `teleport-plugins`), with only the minimal set of changes
required to get it to compile and tests to pass.

Changes include:
 - updating the package name (`main` -> `pagerduty`)
 - removing `main.go`
 - removing installation scripts
 - minor testing tweaks to aid local debugging

* Revert test change

* `go mod tidy`

* fmt

* linter appeasement
2023-06-05 07:34:53 +00:00
Edward Dowling f07b291d44
Add opsgenie plugin (#25995)
* Move opsgenie client code to integrations/access

* Add initial opsgenie bot skeleton and stubs

* Add opsgenie check and set default to pluginv1

* Fix check and set defaults for opsgenie plugin config

* Fill out bot stubs for opsgenie bot

* Add loadOpsgenieConfig to integrations

* Swap to using bearer token for opsgenie plugin

* Fix formatting in opsgenie bot

* Reorder imports to fix lint errors

* Add config field to plugins to allow for different recipient logic

Allows bots that use schedules as recipients to determine their own
logic for defaulting etc

* Add notimplemented err for check health for opsgenie bots

* Add check health to opsgenie client and bot

* Rename recipientsAreSchedules to usersAsRecipients

* Add pluginBearertokencredentials checkAndSetdefaults

* Add resolveAnnotations to reqdata and use schedules from that

* Update integrations/access/opsgenie/bot.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Prevent default schedules being processed if annotations are set

* Remove loadOpsgenieConfig

* Rename opsgenie addr field

* Add more verbose error messages to opsgenie client

* Update api/proto/teleport/legacy/types/types.proto

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Update integrations/access/opsgenie/bot.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Fix error message for recipients field in opsgenie bot

* Change apiEndpoint field name

* Remove check for unused field from opsgenie config

* Remove usersAsRecipients flag

* Reserve addr and change field number of api_endpoint

* Update integrations/access/opsgenie/client.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Rename reqAnnotationresponderskey to reqannotationscheduleskey

* Remove unused check and set defaults

* Rename REqAnnotationScheduleskey

* Use types.Labels alias where possible

* Simplify loop in opsgenie bot to satisfy linter

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-05-31 12:40:55 +00:00
Justinas Stankevičius aec3669d17
Hosted plugin manager prerequisites (#23922)
* Expose Ping() in bare auth server

* Handle both pointer and bare PluginStatusV1

* Add metric name

* Add StatusSink

* Run GCI

* Move comment back to auth_with_roles

* Update lib/auth/auth.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Rework SetStatus

* Inline TryEmitStatus and use a proper context

* Fix copyright notice

* Fix bug in statusFromStatusCode

* Test statusFromResponse

* Add link to Slack API schema

* Refactor statusFromStatusCode

* Expand comment for Ping()

* Add basic check for status in slack test

* Address nits

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
2023-04-11 15:24:25 +00:00
Alan Parra 8a18b2b58e
Drop gRPC call options from api/client.Client (#23917)
* Drop Client.WithCallOptions

* Drop Client.callOpts
2023-04-05 19:34:25 +00:00
Alan Parra d1d7e4e564
chore: Bump github.com/go-resty/resty/v2 from 2.3.0 to 2.7.0 (#23642)
* chore: Bump github.com/go-resty/resty/v2 from 2.3.0 to 2.7.0

See #23616.

* Appease linter
2023-03-27 16:47:50 +00:00
Justinas Stankevičius 6af6e7f566
Vendor slack plugin and supporting libraries (#23045)
* Vendor slack plugin and supporting libraries

* Fix up plugin integration tests (wip)

* Run GCI on vendored code

* Use newtype instead of type alias

golangci-lint currently panics on this,
"skip-files" et al don't help, as it is a linter panic, not an error

See d717045480

* Remove long-running plugins tests from difftest

* Move access plugin tests to unit-tests-integrations
2023-03-22 19:39:07 +00:00