* Add plugin exchange service
* Add Plugin methods to auth
* Add gRPC-layer methods for Plugin
* Add RBAC presets for Plugin
* Test GetPlugin()/NoSecrets access
* Make error assertions more correct in role test
* Deny setting credentials if user cannot read them
* gofmt
* Apply minor suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
* Move dependency into an existing block in go.mod
* Improve error messages for failed type assertions
* DRY WithSecrets access checks for Plugins
* Run new tests in parallel
* Improve error assertions in auth_with_roles_test
* TestGetPluginWithSecrets: split cases to subtests
* Clean up test servers and clients
* Add proto for plugin service
* Remove Plugin methods from auth service
Moved to a dedicated service
* Remove plugin-related auth methods
Moved to a dedicated service in Enterprise
* Remove CreatePlugin test from auth_with_roles_test
Moved to a dedicated service in Enterprise
* Pass "backend getter" to local plugins service
This pattern is used in Enterprise to set up secondary services
before auth (and backend) are created.
* Rename InitialCredentials to BootstrapCredentials
* Add plugins service to genproto.sh
* Reformat generated proto
* Remove obsolete PluginExchangeService
The equivalent of this is now in Enterprise
* Add kube service to genproto.sh; regenerate
* Add ListPlugins to plugin backend service
* Reimplement GetPlugins on top of ListPlugins
This is a "convenience" implementation for the backend service layer.
* Replace GetPlugins with ListPlugins in gRPC schema
* Fix ListKubernetesResources unit test
* Simplify plugin pagination key to just the name
* Use existing constant for page size
* Make dummy clients return errors instead of panic
* Remove obsolete field
* Ensure go.mod is valid for corresponding e changes
* Fix passing mutex ref
* Move teleport-plugins import to e_imports
* Revert oauth change in go.mod
* Use limit+1 to look-ahead when paginating plugins
* Test plugin pagination with pageSize > numPlugins
* Add descriptive messages to gRPC dummy clients
* Plugin: add RW for editor; remove secrets from gRPC
* Make message more descriptive for dummy gRPC conn
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Without this early return, createPtyProcess of PtyHostService would call
the callback twice on error. This doesn't have many negative implications,
since the gRPC implementation will simply ignore the second call; however,
it does pose some problems when trying to manually test PTY failures
by making `new PtyProcess` return an error.
* check if --cert-file, --key-file are given when tunnel is required
* require tunnel mode for SQL Server and Cassandra
* deprecate --cert-file and --key-file flags in favor of --tunnel
* Add flag to only check tsh binary version and not server version
* Update language
* Update variable comment
* Removed unnecessary default flag, changed to --client from --client-only, updated variables used
* Add showing proxy address to tsh version
* Verbiage change for client flag
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* client only flag in docs
* Fix word for tsh --client
* Change flag description
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Updated tsh version comments, --client description
* copy edits
* Remove CLI docs, putting in a sep PR
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
* handle tctl create device.yaml
* delete + fix create
* delete by asset tag
* factor out finder
* tctl get device
* gci
* use unmarshaler
* device
* test + unmarshal version check
* improve error
* fix device asset search
* fix parse shortcut bug
* various fixes
* rename CheckAndSetDefaults to checkAndSetDefaults
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/collection.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* fix import
* improve findDeviceByIDOrTag and allow multiple returns for fuzzy asset tag searching in tctl get devices/
* update create/delete messages
* print warn instead of error
* mark sanity check
* resource rework
* add comments
* fix typo
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* drop findmultiple
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* various feedback updates
* user friendly enum for ostypes
* add comments
* Update tool/tctl/common/resource_command.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* gci
* feedback
* typos
* Update tool/tctl/common/device/resource.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
WrapContextWithUser has been split into two functions that allow for using
the TLS connection state logic without having an actual TLS connection. This
will be used by the SAML IdP logic to wrap the user context information into
the request context.
* Partially revert 09633dd47f
* Hide old features from String, add comments
* Add new reporting license flag
* Add testing
* add comment to LicenseV3/LicenseSpecV3
* Less ambiguous name for the new field
* Elaborate more on the unused flags
* RFD: Agent Census
* Add install methods
* Add tarball
* Fill in TODOs
* Track multiple installation methods
* Detect EKS & GKE
* Add container runtime back
* Improve wording
* Use `/etc/os-release` for OS version
* Use `/.dockerenv` for Docker
* Improve wording
* Remove ps scripts
* Be less vague in goal
* Link to agent census section
Co-authored-by: Michelle Bergquist <11967646+michellescripts@users.noreply.github.com>
* Track `systemctl`
* Add new `UpstreamInventoryAgentMetadata` message
* ICS
* Improve wording
* Improve wording
* Improve wording
* Be more explicit about the possible values in `UpstreamInventoryAgentMetadata` fields
* Improve wording
* Simplify agent metadata fetching flow
* Add note about command output parsing
* Add note about ICS flow
* Improve glibc description
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Fix typo
Co-authored-by: Walt <walt@goteleport.com>
* Add Teleport AMIs to list of install methods we want to track
* Add note about data sanitization
* RFD number
* Update required approvals
* Improve code sketch with suggestion
* Include git version in `UpstreamInventoryAgentMetadata.ContainerOrchestrator`
* Merge dev plan steps 2 and 3
* Remove `TeleportAccessProtocol` enum and detail how info will be stored in PostHog
* Update `UpstreamInventoryAgentMetadata` comments
* RFD number
* Fix PostHog data
* server_id -> host_id
* RFD number
* RFD number
---------
Co-authored-by: Michelle Bergquist <11967646+michellescripts@users.noreply.github.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Walt <walt@goteleport.com>
* Remove sans serif from config
* Pass 'fonts.monoFamily' as style prop
* Get rid of `getSansSerif` function
* Use mono font from theme
* Add 'terminal.fontFamily' and 'terminal.fontSize' config options
* Require 'terminal.fontSize' size to be int
* Revert unneeded changes to mono font usage
* Add comment with a link to `ctrl.ts`
* Allow 'terminal.fontSize' to be in the range 1-256
* Install deb/yum repos when using node-join script
When a repo is available for the current Linux distro/version, use it
instead of just installing Teleport from the deb/rpm files.
It falls back to the traditional binary installation when the repo is not
available.
* comment /etc/os-release
* remove sudo; add comment to runners
* improve is_repo_available function
Update the helm chart for kube-agent.
The image swap logic was already there.
Update the UI to include `enterprise: <isEnterprise>` when installing
the kube-agent.
Currently the `tsh` debug log is polluted with "errors" created by the
[automatic access request feature](https://goteleport.com/docs/access-controls/access-requests/resource-requests/?scope=enterprise#automatically-request-access-for-ssh)
even in completely expected scenarios, e.g. when the user has no
permission to create Resource Access Requests.
Before this change:
```
$ tsh ssh -d alice@one-auth
...<omitted>...
2023-02-17T15:30:16-08:00 DEBU [TSH] unable to request access to node error:[
ERROR REPORT:
Original Error: *trace.BadParameterError user attempted a resource request but does not have any "search_as_roles"
Stack Trace:
github.com/gravitational/teleport/api@v0.0.0/client/client.go:880 github.com/gravitational/teleport/api/client.(*Client).CreateAccessRequest
github.com/gravitational/teleport/tool/tsh/tsh.go:2896 main.accessRequestForSSH.func1
github.com/gravitational/teleport/lib/client/api.go:1351 github.com/gravitational/teleport/lib/client.(*TeleportClient).WithRootClusterClient
github.com/gravitational/teleport/tool/tsh/tsh.go:2895 main.accessRequestForSSH
github.com/gravitational/teleport/tool/tsh/tsh.go:2916 main.retryWithAccessRequest
github.com/gravitational/teleport/tool/tsh/tsh.go:2993 main.onSSH
github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run
github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main
runtime/proc.go:250 runtime.main
runtime/asm_amd64.s:1598 runtime.goexit
User Message: user attempted a resource request but does not have any "search_as_roles"] tsh/tsh.go:2920
ERROR REPORT:
Original Error: *trace.AccessDeniedError access denied to alice connecting to one-auth:0@default@cluster-one
Stack Trace:
github.com/gravitational/teleport/lib/client/client.go:1633 github.com/gravitational/teleport/lib/client.NewNodeClient
github.com/gravitational/teleport/lib/client/client.go:1563 github.com/gravitational/teleport/lib/client.(*ProxyClient).ConnectToNode
github.com/gravitational/teleport/lib/client/api.go:1451 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode
github.com/gravitational/teleport/lib/client/api.go:1525 github.com/gravitational/teleport/lib/client.(*TeleportClient).runShellOrCommandOnSingleNode
github.com/gravitational/teleport/lib/client/api.go:1408 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH
github.com/gravitational/teleport/tool/tsh/tsh.go:2995 main.onSSH.func1.1
github.com/gravitational/teleport/lib/client/api.go:504 github.com/gravitational/teleport/lib/client.RetryWithRelogin
github.com/gravitational/teleport/tool/tsh/tsh.go:2994 main.onSSH.func1
github.com/gravitational/teleport/tool/tsh/tsh.go:2907 main.retryWithAccessRequest
github.com/gravitational/teleport/tool/tsh/tsh.go:2993 main.onSSH
github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run
github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main
runtime/proc.go:250 runtime.main
runtime/asm_amd64.s:1598 runtime.goexit
User Message: access denied to alice connecting to one-auth:0@default@cluster-one
```
After:
```
$ tsh ssh -d alice@one-auth
...<omitted>...
2023-02-17T16:42:29-08:00 DEBU [TSH] Not attempting to automatically request access, reason: Resource Access Requests require usable "search_as_roles", none found for user "nklaassen" tsh/tsh.go:2922
ERROR REPORT:
Original Error: *trace.AccessDeniedError access denied to alice connecting to one-auth:0@default@cluster-one
Stack Trace:
github.com/gravitational/teleport/lib/client/client.go:1633 github.com/gravitational/teleport/lib/client.NewNodeClient
github.com/gravitational/teleport/lib/client/client.go:1563 github.com/gravitational/teleport/lib/client.(*ProxyClient).ConnectToNode
github.com/gravitational/teleport/lib/client/api.go:1451 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode
github.com/gravitational/teleport/lib/client/api.go:1525 github.com/gravitational/teleport/lib/client.(*TeleportClient).runShellOrCommandOnSingleNode
github.com/gravitational/teleport/lib/client/api.go:1408 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH
github.com/gravitational/teleport/tool/tsh/tsh.go:2997 main.onSSH.func1.1
github.com/gravitational/teleport/lib/client/api.go:504 github.com/gravitational/teleport/lib/client.RetryWithRelogin
github.com/gravitational/teleport/tool/tsh/tsh.go:2996 main.onSSH.func1
github.com/gravitational/teleport/tool/tsh/tsh.go:2907 main.retryWithAccessRequest
github.com/gravitational/teleport/tool/tsh/tsh.go:2995 main.onSSH
github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run
github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main
runtime/proc.go:250 runtime.main
runtime/asm_amd64.s:1598 runtime.goexit
User Message: access denied to alice connecting to one-auth:0@default@cluster-one
```
* SAML IdP sessions added to the API and cache.
SAML IdP sessions have now been added to the API and to the cache.
* Update lib/auth/sessions.go
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Revert changes to types.proto.
* Fix missing session ID, misnamed variable, gRPC update.
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Create new local util lib to replace lodash.
* Replace usage of isInteger and debounce from lodash with highbar.
* Create isObject and runOnce utility methods.
* remove use of at, isObject, and once lodash method usage.
* remove map and transform lodash calls.
* Add memoize function to highbar.
* remove memoize lodash usage.
* remove merge and isEqual lodash methods and update other missing refs to highbar.
* convert the throttle to debounce.
* add throttle method to highbar.
* use the new throttle method instead of debounce where necessary.
* Add mergeDeep function for init config merge.
* remove lodash from the build process.
* Fix introduced bug in workspacesService.
* Added tests for highbar mergeDeep and expanded its functionality to support arrays.
* review updates.
* Added types to mergeDeep function.
* Add missing MapCache prototype methods.
* Add license notices, types and missing hash code.
* First pass at compare an array objects function.
* use new compareArrayObjs fn
* Add missing not
* Added types to arrayObjectIsEqual
* Add tests for arrayObjectIsEqual and fix some edge case bugs.
* update util fn name
Change the text on the MFA dialog to be less alarming.
Additionally, focus the OK button by default, so that users can
press enter to go straight to the MFA prompt without manually
clicking a button.
Closes #19042
* Start machine id client analytics rfd
* Add notes on warnings to logs
* Add details on event collection
* Make it clear no additional anonymization is required
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Use environment variable for telemetry opt in
* Add proto for event submission
* Set RFD number
* Correct name for consistency.
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Name fields for consistency
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* rename continous -> daemon
* Reflow text after PR fixes
* Add distinct_id field to event request
* Describe the UUID field
* Shorten and clarify attributes related to destinations
* Change env var for enabling telemetry
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
The DatabaseService was using the KeepAlive_Database type instead
of a new dedicated type. This caused the keepalive to fail because
the backend key that was created didn't actually exist, which results
in #21454.
This adds the appropriate KeepAlive type and uses it in the appropriate
places.
Fixes #21454
Provides a client that can be used to connect to and interact with
the transport service in `lib/srv/transport`. The client abstracts
the fact that a gRPC stream is being used for the `net.Conn` created
by `DialCluster` and `DialHost`.
This also moves `lib/utils/grpc/stream` to `api/utils/grpc/stream`
so that the client and server can make use of the same stream
abstractions.
Part of #19812
* Add agentless mode section to ec2 discovery rfd
* Update the labels section
* use `teleport join` command instead of secret-manager
* update to include a full teleport join command example
* Add cert rotation section
* remove AWS Tags section
Clarify the usage of the `attributes_to_roles` parameter and reorder some
mapping keys for clarity in the example SAML connector resource.
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
The ConnectionStatus of the RemoteCluster resource was never being
set in UpdateRemoteCluster causing the backend to always contain
the original value. GetRemoteCluster, unfortunately, does an update
of the resource, yet it always returned the correct information, which
made things very confusing since `tctl get` didn't reflect the
actual backend. To make matters worse the initial value was not
explicitly set which meant it defaulted to an empty string.
A call to SetConnectionStatus was added to UpdateRemoteCluster so
its value is actually persisted. Trusted Clusters are also now
explicitly initialized with status offline to avoid ambiguity. The
actual status of the resource will be updated appropriately when
the tunnel connections are verified.
Additionally TestRemoteClustersCRUD was added to capture this issue
and prevent any regressions.
Fixes #22006
* Support proxy reading of SAML IdP CA.
GetCertAuthority was not respecting CA type where clauses because the CA was
not being passed into the AccessChecker properly. This has been fixed.
Additionally, the SAML IdP CA's validation has been fixed so that it supports
more than 1 active key pair during key rotations.
With all this, the proxy will now be able to read the SAML IdP CA.
* Update lib/auth/tls_test.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Only parse the cert pem if the key can't be parsed.
* Fix imports.
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>