Commit graph

15124 commits

Author SHA1 Message Date
Forrest e3b574a797
allow teleport to start when some etcd nodes are unreachable (#32438) 2023-09-28 22:34:44 +00:00
Forrest 45649440b0
reduce log spam (#31208) 2023-09-28 22:26:21 +00:00
Tiago Silva 61e04e0f2e
Fix remote pool of signed certs when exec into leaf clusters (#32644)
* Fix remote pool of signed certs when exec into leaf clusters

This PR fixes the list of acceptable CAs from the leaf cluster when
exec into a leaf cluster pod.

Fixes #32380

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* add unit test

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
2023-09-28 17:55:11 +00:00
Jakub Nyckowski eaa5d5be61
Revise Docker handling in OS compatibility script (#32711)
* Revise Docker handling in OS compatibility script

This commit revises how Docker containers are interacted with in build-test-compat.sh. Optimized Docker image pulling process by pulling images in parallel to speed up the testing process. Makefile targets in Github workflow are also parallelized to speed up the build process.

* Simplify and parallel docker logic
2023-09-28 17:39:24 +00:00
Alan Parra ca4caf92bf
Allow MFA deletion using challenges (#32702)
* Add ExistingMFAResponse to DeleteMFADeviceSyncRequest

* Update generated protos

* Support challenge-based deletion on DeleteMFADeviceSync

* Refactor TestDeleteMFADeviceSync; use optional mode and drop spares
2023-09-28 16:53:51 +00:00
Yassine Bounekhla 10a1f2d1d1
add eice discover flow (#32202) 2023-09-28 16:38:26 +00:00
Zac Bergquist c2f470fe66
Fix the in-product link to trusted cluster docs (#32671)
Closes #31354
2023-09-28 15:36:17 +00:00
Anton Miniailo 4def17e560
Add connection information to multiplexer logs so it's easier to investigate (#32712) 2023-09-28 14:52:21 +00:00
Rafał Cieślak 4ff4eb32a0
Make spacing of Connect My Computer status more consistent (#32733)
* Make spacing of Connect My Computer status more consistent

* Add server labels to Running story, add ErrorWithAlertAndLogs story

* Change copy depending on whether the agent is running

* Fix proxyVersion in story

Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com>

---------

Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com>
2023-09-28 14:33:48 +00:00
Alan Parra 32bcd71591
fix: Fix panic on tsh device enroll --current-device (#32694)
* Test RunAdmin enrollment failure

* Fix RunAdmin when enrollment fails, protect tsh from nil device
2023-09-28 13:56:46 +00:00
Alan Parra 601c9525b7
Cleanup and simplify MFA test helpers (#32592)
* Cleanup getMockedWebauthnAndRegisterRes - TestCompleteAccountRecovery

* Cleanup getMockedWebauthnAndRegisterRes - TestChangeUserAuthentication

* Cleanup getMockedWebauthnAndRegisterRes - createUserWithSecondFactors

* Cleanup and drop getMockedWebauthnAndRegisterRes

* Simplify addOneOfEachMFADevice

* Use SetEmitter()

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-09-28 13:53:48 +00:00
Grzegorz Zdunek 288241d696
Update e (#32721) 2023-09-28 08:29:23 +00:00
Lisa Kim a2d788d698
Add promoted access list title to teleterm access request (#32708) 2023-09-28 06:13:12 +00:00
Jakub Nyckowski 6e7f538aae
An attempt to fix our failing builds (#32681)
* An attempt to fix our failing builds

* Add merge_group condition to checkout step in workflows

This update adds a condition to the checkout step in various GitHub workflows to ensure it only runs when the event_name is "merge_group".

* Fix syntax

* Use v4 tag for checkout action instead of pinned commit

Co-authored-by: Reed Loden <reed@goteleport.com>

---------

Co-authored-by: Reed Loden <reed@goteleport.com>
2023-09-27 23:20:56 +00:00
fheinecke d20606f54e
Cut CI unit test runtime in half (#32706) 2023-09-27 23:17:19 +00:00
fheinecke 2322e007cf
Fixed issue where prerelease container image tags can overwrite production container image tags (#32699) 2023-09-27 22:14:11 +00:00
Steven Martin b97856865f
docs: helm updates (#32639) 2023-09-27 21:36:39 +00:00
Michelle Bergquist b2e6c16565
conditionally show assist popover (#32267) 2023-09-27 20:36:51 +00:00
Steven Martin 3d16a9383f
docs: update Teleport Team prereqs (#32687)
* docs: update Teleport Team prereqs

* update Team prereqs

* correct link

* correct link
2023-09-27 20:22:19 +00:00
Marco André Dinis 9a428beac6
DiscoveryConfig: add service with rbac support (#32371)
* DiscoveryConfig: add service with rbac support

This PR adds the DiscoveryConfig service protected by RBAC rules.

A PR will follow that uses this service to expose the service in the
gRPC server.

* review pt1
2023-09-27 20:09:26 +00:00
Michael Wilson 84dbc45e1d
Error when redundant prefixes are detected in events. (#32652)
* Error when redundant prefixes are detected in events.

When creating a new events watcher, redundant prefixes will be detected
and produce an error. This should prevent developer mistakes where watched
prefixes overlap, causing subsets of events not to be parsed. This has been
verified manually.

* Add in test for event watcher verification.

* Run GCI.
2023-09-27 20:05:04 +00:00
Lisa Kim 13f749a971
Web: Extract re-usable parts and add new icons (#32529)
* Create useRefClickOutside

* Add notification icon

* Add teleport gear icon

* Extract components for re-use

* Add list magnifying glass icon

* Address CRs
2023-09-27 19:08:14 +00:00
Brian Joerger f87c46ad73
Make Hardware Key unit test interactive (#32235)
* Make yubikey unit test interactive and add to test plan.

* Move yubikey hardware signer method tests to interactive yubikey test.

* Remove hardware key interactive unit test from testplan
2023-09-27 18:55:47 +00:00
Jakub Nyckowski eb82a9b5db
Add Access List title to access request. (#32618)
* Add Access List title to access request.

* Add test
Squash some bugs
2023-09-27 18:45:49 +00:00
Forrest b3822abafa
various loadtest improvements (#31804) 2023-09-27 18:09:40 +00:00
Anton Miniailo 31de09a02c
Fix usage of ClusterName from config when starting Auth server (#32624) 2023-09-27 17:42:51 +00:00
Steven Martin b654e1d0b1
docs: remove multi level claim reference (#32613)
* docs: remove multi level claim reference

* fix ref
2023-09-27 17:14:46 +00:00
Andrew Burke cf3bf183b9
Drain unused SSH channels (#32505)
This change drains unused SSH channels and requests to prevent a
situation where an attacker could repeatedly open channels and
send data that won't be read, causing Teleport to eventually run
out of memory.
2023-09-27 17:05:48 +00:00
Michael 45b7ee73cd
Sort cloud label names to the back (#32589) 2023-09-27 15:53:32 +00:00
Reed Loden 1a9c026741
Convert examples/teleport-usage to use distroless image (#32532)
Standardize `examples/teleport-usage` to use the same base image
and other (general) build commands as `integrations/kube-agent-updater`
and `integrations/operator`.

The main change is moving from `debian:stable-slim` to `distroless/static-debian12`.
2023-09-27 15:26:08 +00:00
STeve (Xin) Huang d2a284be11
[docs] DB access troubleshoot sts:AssumeRole not authorized (#32406)
* [docs] DB access troubleshoot sts:AssumeRole not authorized

* fix spelling

* review comments
2023-09-27 15:02:56 +00:00
Rafał Cieślak aa02d5b75a
Connect: Add --debug flag, don't pass --insecure flag in dev mode by default (#32629)
* Do not pass --insecure to tshd in dev mode by default

We ran into a bug related to certs in tshd that wasn't uncovered during
development because of the --insecure flag being passed by default.

* Add --debug flag

We need a way to pass --debug to tshd from a packaged app.
2023-09-27 14:30:23 +00:00
Krzysztof Skrzętnicki f47a1b4b53
Properly apply client_idle_timeout to database access sessions (#32485)
* Add test for auto disconnect (disconnect happens, query updates the timer).

* Fix: In database service, `clientConn` returned from `MonitorConn`
was never used, causing unjustified idle timeouts.
2023-09-27 14:18:59 +00:00
rosstimothy 5dc2841177
Start migrating tctl edit away from force creating resources (#32604)
`tctl edit` was always performing a forceful update in the same way
that `tctl create -f` was. This prevents optimistic from being
enforced during the update step of the edit command and thus nullifies
some of the usefulness of the feature (preventing concurrent updates
to a resource).

Since not all resources support Update operations, some only support
Upsert, and optimistic locking will slowly be added one resource at
a time, the new behavior was only implemented for user resources.
The UpdateHandlers will be updated in follow up PRs when the resource
has support for optimistic locking added.
2023-09-27 13:53:49 +00:00
Grzegorz Zdunek cc8fb14258
Connect My Computer: Agent compatibility fixes (#32477)
* Allow agent compatibility state to be 'unknown'

* Show warning icon instead of red dot as the status indicator

* Add a comment

* Remove unnecessary check for agent compatibility

* Avoid creating portal if topBarContainerRef is not present

* Check compatibility when autostarting, not before autostart

* Flip autoStart to false on failed autostart

* Don't show Alert from CompatibilityError if current action has failed

* Run prettier

---------

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
2023-09-27 13:21:45 +00:00
Michael Wilson bccb25bb8f
Fix Access List Members cache and eventing. (#32619)
* Fix Access List Members cache and eventing.

Two things were happening that were shadowing the Access List members cache
and eventing.

1. In the cache collections, the wrong reader was being assigned to the
   lookup map. The correct reader was being used elsewhere, however, so the
   caching tests appear to have still been working.
2. The watcher in lib/services/local/events.go apparently collapses prefixes
   if they overlap. Prefix `access_list_members` is encompassed by
   `access_list`, so the access list members prefix was eliminated from the
   watcher. As a result, access list member events were being processed by
   the access list parser, which resulted in non-critical warnings.

Local testing and dogfooding has yielded that this has had no apparent impact,
at least in situations without cache propagation. However, I've got a feeling
that this could affect situations with multiple auth servers.

While I'm here, I've eliminated the pointer-to-pointer logic in the access
list unmarshaling, which was excised elsewhere and should be excised here as
well.

* Use ExactKey, fix accessListMemberParser as well.
2023-09-27 13:04:52 +00:00
rosstimothy 06e49aaef1
Use Proxy gRPC API during log in (#32388) 2023-09-27 11:16:40 +00:00
dependabot[bot] 7cb13b09cc
Bump graphql from 16.6.0 to 16.8.1 (#32329)
Bumps [graphql](https://github.com/graphql/graphql-js) from 16.6.0 to 16.8.1.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](https://github.com/graphql/graphql-js/compare/v16.6.0...v16.8.1)

---
updated-dependencies:
- dependency-name: graphql
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-27 08:50:48 +00:00
Krzysztof Skrzętnicki d47f9ba9ed
Fix enterprise version check (#32554) 2023-09-27 07:00:22 +00:00
Anton Miniailo e24fa791f3
Use cluster name from ServerIdentity for Auth multiplexer (#32603)
Proxy sends signed PROXY headers using cluster name from ServerIdentity.
If cluster name in file config was changed it didn't match with original cluster name and
auth service couldn't verify Proxy's signed headers.
2023-09-27 05:41:11 +00:00
Gavin Frazar e3f34a22c6
remove docs for deprecated flags (#32525) 2023-09-27 01:33:27 +00:00
lsgunn-teleport 9c1fd94f69
Remove reference to use a load balancer (#32596) 2023-09-26 22:49:24 +00:00
STeve (Xin) Huang 1ee983b8ef
Fix issue Teleport Connect Kube terminal throws internal server error (#32595)
Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com>
2023-09-26 22:31:09 +00:00
Paul Gottschling 9b61099dfe
Fix overflow in dropdown menu (#32386)
Closes gravitational/docs#353

One dropdown menu item within the Installation page has a label that
overflows. This change shortens the label to fix the overflow.

While another route would have been to change the CSS of the dropdown
menu, widening it would start to approach the maximum width of some
mobile devices.

In general, the Installation page is filled with interactive boxes that
make for a somewhat convoluted reading experience. A later change will
reconsider the information architecture of this page.
2023-09-26 22:14:34 +00:00
Jakub Nyckowski e13137016c
Add 'promoted' access request state (#31346)
* This change introduces a new 'promoted' access request state. The state represents that an access request has been promoted to an access list.

Affected code was modified to adjust to the new promoted state and ensure correct system's behavior.

Added a new 'GetAccessRequest' method for internal use to retrieve access request info.
Disallowed direct promotion of access requests. Introduced 'SubmitAccessReviewAllowPromotion' for promotions.
Added 'PromoteAccessRequest' method and updated its usage to restrict direct promotions.
Refactored code for better readability and testing. Renamed some functions, simplified logic, added test helpers.
Introduced 'promoted' state for access requests to handle promotion workflow.
Added 'PromotedAccessListTitle' in 'AccessReview' to track promotion state.

* Refactor function and message names for better clarity

The function and message names related to the promotion of an access request to an access list were restructured for better readability and consistency. Names like 'PromoteAccessReqResponse' have been replaced with more descriptive names such as 'PromoteAccessRequestResponse'. This increases clarity and consistency across the project.

* Remove the hacky GRPC server implementation

* Change method names to be more descriptive

Renamed all instances of 'PromoteAccessRequest' to 'AccessRequestPromote' in multiple files. The new method name provides a more descriptive and clear understanding of the method's function, which improves code readability and maintenance. This change applies to method definitions, comments, and error messages.

* Refine error message and introduce IsPromoted method

Refined the error message in 'access_request.go' to better indicate that only promoted requests can set the promoted access list title, not just have one. This enhances clarity of error message. Additionally, introduced 'IsPromoted' method in 'access_request.go' file. This method will be useful for quickly checking if a request is in the PROMOTED state.

* Rename variable in SubmitAccessReview method

Renamed the variable "params" to "submission" in the 'SubmitAccessReview' function, in 'auth_with_roles.go' file. The name "submission" provides clearer indication of its role in submitting access review. This enhances code readability and understandability. No logic changes were made during this update.
2023-09-26 18:46:50 +00:00
Paul Gottschling 7f5387c595
Update the supported versions table for v14 (#31321)
Also note the updated release cadence:

- We release a major version every four months.
- With our policy to support three versions, each major version is supported for
  12 months.
2023-09-26 18:08:48 +00:00
Brian Joerger 64d94666b7
Refactor PIV metadata certificate logic (#32250)
* Change PIV metadata cert to be self signed by an ephemeral key so it can be signed without touch/pin.

* Refactor touch prompt logic.

* Prompt user before overwriting non-teleport certificates instead of just returning an error.

* Update RFD and Docs.

* Address CR.

* Export some methods and variables for use in tests.

* Address comments.
2023-09-26 18:04:40 +00:00
Steven Martin 8d38a06fdd
docs: oracle guide steps (#32518) 2023-09-26 18:00:12 +00:00
Paul Gottschling 2c457b11c1
Fix install-linux.mdx (#32402)
Closes #32195

Correct some issues that were confusing or wrong:

- Move "Community Edition" to the first, default tab. Since we removed
  scopes from the docs, and "Teleport Team" was the first tab in this
  partial, it looked like Teleport Team was the intended default
  installation.  This is incorrect.
- Change the Teleport Team installation instructions to show the Cloud
  installation steps.
2023-09-26 17:59:44 +00:00
Edoardo Spadolini 0a15612b40
Simplify LockTarget.IsEmpty implementation (#32568) 2023-09-26 17:36:03 +00:00