Converts usage of `newFixture` to `newFixtureWithoutDiskBasedLogging`
to prevent directory not empty errors caused by `t.TempDir` still
containing upload parts.
Fixes #19826
This creates a more human-readable representation of a role.
Fixes #7549
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: David Heitman <david.heitman@checkr.com>
Consolidates more of the build logic into the build.assets Makefile, transplanted from the workflow file in teleport.e
See comment gravitational/teleport.e#673 (comment)
* Fix listing all nodes in tsh
Usage of channels was flipped, we tried to write to collecting channel,
but nobody was reading from it, so we blocked forever. Now using simpler
version with mutex for synchronization, and doing it for db listings as
well for consistency.
Enable device authorization by plugging into auth.Authorizer and selectively
disabling it for processes that don't (yet) want device authz.
`GenerateUserCerts` is modified to issue device-aware certificates (DB/k8s
access), as well as `CreateAppSession`. The latter is not necessary for DB
access, but it does enable App Access to issue device-aware certs - commands
such as `tsh apps login` and `tsh proxy app` can benefit from those.
DB access is now ready to benefit from trusted devices. k8s access is likely
supported with these changes as well, but I've postponed enabling it after I've
done more testing.
Both `GenerateUserCerts` and `GenerateUserSingleUseCerts` now do early
device-aware authorization; this creates a better UX, as it allows us to return
error messages directly via `tsh`, instead of having to pipe them through
database-specific protocols. Further PRs could improve errors for scenarios
where the existing certificate became lacking due to higher server-side authz
enforcement.
gravitational/teleport.e#514
An access request watcher has been added to support access requests that
will require downstream reconciliation based on access request approval. This
will be useful for requests that trigger external APIs in other Teleport
services once they've been approved. This will be useful for the upcoming
Okta integration work.
This PR fixes multiple goroutine and memory leaks when interactive sessions are used.
- When the session terminates, the `multiResizeQueue` never returns, and the resize stream goroutine blocks.
- A goroutine leak existed when the server received resizing events after the connection terminated - this happens with fast exec requests.
- A memory leak existed when users tried to leave the session after the `session.tracker` was closed.
This PR also releases the connection monitor earlier. When the server is under heavy load, it might take a while for the connection to return an `EOF` - which triggers the service monitor automatic release - and the service monitor resources were leaking until the server resumed normal operation.
It also fixes reloads when new parties join and leave the `multiResizeQueue`.
* Correct redirect syntax
Redirects are evaluated in order left-to-right so cloning err from out (`2>&1`) before redirecting stdout (`> /dev/null`) has the effect of sending stderr to fd 1 and stdout to the redirected file.
* Do not expand here document text
Avoids need to escape quotes and variable references in pasted script.
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
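Illustration of the left-to-right redirect evaluation described in the commit above (an added example, not code from the commit or from the Teleport scripts it touched):

```shell
#!/bin/sh
# Added example, not part of the commit: shows why the order of
# `2>&1` and `>/dev/null` changes where stderr ends up.

# emit writes one line to stdout and one line to stderr.
emit() {
    echo "to-stdout"
    echo "to-stderr" >&2
}

# Wrong order: `2>&1` is applied first, so stderr is cloned from the
# *current* stdout (whatever the caller is reading), and only then is
# stdout pointed at /dev/null. Result: the caller still sees stderr,
# while stdout is discarded.
wrong_order() {
    emit 2>&1 >/dev/null
}

# Correct order: stdout is redirected to /dev/null first, then stderr is
# cloned from that already-redirected stdout, so both are discarded.
right_order() {
    emit >/dev/null 2>&1
}

# Stand-alone demo: capture what a caller would actually receive.
printf 'wrong order, caller captures: [%s]\n' "$(wrong_order)"   # [to-stderr]
printf 'right order, caller captures: [%s]\n' "$(right_order)"   # []
```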
* Add a new db engine
* Add tests for new engine
* Update tsh db subcommands
* Refactor error message and suggestions for unsupported tsh commands
* Add dynamodb to test plan
* Add AWS external ID to db config and update protos
This command allows you to modify a resource in place by opening
the resource YAML in your text editor.
The editor is selected by checking the following, in order of
precedence:
- the TELEPORT_EDITOR environment variable
- the VISUAL environment variable
- the EDITOR environment variable
- defaulting to 'vi'
We also prevent renaming resources with this command.
See gravitational/webapps#1465 where we do the same for the web UI.
This PR replaces the following PRs opened by dependabot:
- #19678
- #19677
It also bumps:
- Bump k8s.io/api from v0.25.4 to v0.26.0
- Bump k8s.io/apiextensions-apiserver from v0.25.4 to v0.26.0
- Bump k8s.io/apimachinery from v0.25.4 to v0.26.0
- Bump k8s.io/apiserver from v0.25.4 to v0.26.0
- Bump k8s.io/cli-runtime from v0.25.4 to v0.26.0
- Bump k8s.io/kubectl from v0.25.4 to v0.26.0
- Bump k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed to v0.0.0-20221128185143-99ec85e7a448
- Bump sigs.k8s.io/controller-runtime from v0.13.1 to v0.14.1
* Limit Device Name and User Agent lengths
* Spelling correction
* Increase ballast size while trimming message size
* Cleanup error message
* Remove additional check
* Adjust tests
* Add tests for large AuditEvent
* Rename func to add clarity
* Move limit to const and lowercase field name
* Add test for invalid device name length
* Add a test for trimming the user agent
* Replace custom emitter with MockEmitter
* Add additional background to const
* Add additional comments
* Fix import ordering
* Refactor trimN to better handle heavily quoted queries and add tests
* Convert to error assertion func
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Finish test refactor
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* add version compatibility callout to Cloud section
* consolidate partial usage in various guides
* remove partial consolidated into
* Apply suggestions from code review
Add missing roles to the tctl users add command and replace
the old admin role with the preset access and editor roles.
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Rob Langford <rob.langford1@gmail.com>
* Require enterprise license to create tokens including GHES support
* Enforce Enterprise on joining as well as token creation
* Fix tests and file formats for GHES enterprise licensing
* Use ErrRequiresEnterprise
* Fix imports >:(
The existing `build.assets` makefile targets had the actual build steps
coupled together with building the build box image. Because of how GHA
image builds work, we need to uncouple those tasks.
GHA also builds OSS and Enterprise teleports in parallel, so we needed
a new target to build the Enterprise release without also automatically
building the OSS bundle in series.
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Desktop session playback is currently the only playback that leverages
the StreamSessionEvents API (though that will change with RFD 91).
For this API, we were checking for VerbList instead of VerbRead.
(The SSH session APIs were correctly checking VerbRead).
Since all uses of actionForKindSession now use the same verb, I've
removed the verb as an argument to prevent this mistake from happening
again.
The session cache routine to purge expired sessions would not consider
a session which was not found in the cache or backend to be expired.
It would instead defer to the expiry of the session token. This results
in a window after a user has logged out for that session to still be
considered valid by any Proxy which did not process the logout request.
On logout the Proxy manually removes the session from the cache. So in
an HA configuration there is an inconsistent state between Proxies after
a user logs out which results in #197.
To remedy this the expiration routine should consider all sessions which
were not found in the cache/backend to be expired and purge them from
their session cache. This causes all Proxies to honor the logout as soon
as the deletion of the web session is processed.
Closes #197