Enforces that all ACS endpoints are HTTPS to prevent any
XSS attacks. To allow admins to interrogate any existing resources
which may be impacted validation only happens on create and update
but not get. All usages of SAMLIdPServiceProviders within teleport
follow all internal retrievals with a call to
services.ValidateAssertionConsumerServicesEndpoint in order to
subvert invalid ACS endpoints.
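Added example (not Teleport's `services.ValidateAssertionConsumerServicesEndpoint`, and not taken from the change above): a hypothetical Go check in the spirit of the message. It accepts only absolute `https://` URLs that carry a host, so plain-`http://`, scheme-relative and `javascript:`-style endpoints are all rejected, and it collects every failing entry so an admin fixing a service provider sees the whole list at once. The `validateACSEndpoint`/`validateACSEndpoints` names and the sample endpoints are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validateACSEndpoint (hypothetical name) rejects any ACS endpoint that is not
// an absolute https:// URL with a host. Checking the parsed scheme rather than
// a string prefix also catches "HTTPS://" variants and non-HTTP schemes such as
// javascript: that a browser would execute instead of POST to.
func validateACSEndpoint(raw string) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return fmt.Errorf("acs endpoint %q: %w", raw, err)
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("acs endpoint %q: scheme %q is not https", raw, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("acs endpoint %q: missing host", raw)
	}
	return nil
}

// validateACSEndpoints runs the check over every ACS entry of a service
// provider, as a create/update hook would, and reports all failures together.
// A nil or empty slice passes: there is nothing insecure to reject.
func validateACSEndpoints(endpoints []string) error {
	var msgs []string
	for _, e := range endpoints {
		if err := validateACSEndpoint(e); err != nil {
			msgs = append(msgs, err.Error())
		}
	}
	if len(msgs) == 0 {
		return nil
	}
	return errors.New(strings.Join(msgs, "; "))
}

func main() {
	// Constructed sample inputs, not values from any real service provider.
	samples := []string{
		"https://acs.example.com/saml/acs",
		"HTTPS://acs.example.com:8443/saml/acs",
		"http://acs.example.com/saml/acs",
		"//acs.example.com/saml/acs",
		"javascript:alert(1)",
		"https://",
	}
	for _, s := range samples {
		if err := validateACSEndpoint(s); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %q\n", s)
		}
	}
}
```

Because the message says reads are deliberately left unvalidated, a check like this must also run on every internal retrieval before an endpoint is used, not only in the create and update handlers.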
Test that CreateHomeDirectory does not follow symlinks
resolve comments
add our own recursive directory copy
Resolve comments
Fix for "Manually create the user's HOME rather than letting useradd do it"
This PR updates the name of the step that checks that there are no changes to `go.mod` and `go.sum` after a `go mod tidy` to make it more obvious what the issue is.
* convert go's zero time into protobuf's zero time
* Update api/types/header/convert/v1/header.go
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
---------
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
Fixes #25090
An earlier change to this page clarified URL values to assign when
setting up an Azure AD connector, but left a malformed `Var` component.
This change fixes the `Var` component.
Fixes #31353
Include instructions to write the join token for the Jamf service to a
file, name the file within the Teleport configuration, then start the
`teleport` service via systemd.
To avoid security issues caused by a possible lack of file system
permissions on Windows, tsh only loads global config if the path
to the file is explicitly provided in the TELEPORT_GLOBAL_TSH_CONFIG
environment variable.
Used the following command to find unused images. This lists all image
files in the docs and, for each image, searches all docs pages for
references to the image file (which include the `/img` path segment but
usually not `docs`). If there are no matches, it prints the image file
name:
```bash
$ find docs/img -name "*.png" | sed -E "s|docs/(.*)|\1|" | xargs -I{} bash -c '
grep -qR "{}" docs/pages; if [ $? -ne 0 ]; then echo {}; fi'
```
Also fixes a minor linter error that did not come up in earlier commits.
The ssh session was not being closed for web sessions, which resulted
in zombie sessions being left around until the ssh service was
restarted. TestTerminal was updated to assert that the session
tracker eventually transitions to the terminated state when the
client terminates the web socket.
Fixes #32120
Access lists will now leave access intact for members even if the access
list hasn't been reviewed by the next audit date. Revoking access on a
missed audit review may be too disruptive. This may be restored at a
later date by adding in options to access lists to control behavior.
* Execute time-bound graceful shutdowns on SIGINT/SIGTERM.
We introduce a delay of up to 3 seconds into the "immediate shutdown"
path. If the graceful shutdown doesn't complete within this time, the process
will exit anyway.
* Run `process.Shutdown()` in separate goroutine, to account for possible bugs.
* Support TELEPORT_UNSTABLE_SHUTDOWN_TIMEOUT env var.
* Extract `getShutdownTimeout`, add tests.
* Update lib/service/signals.go
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Remove untrappable SIGKILL to reduce confusion.
---------
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
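Added example (not code from the change above or from `lib/service/signals.go`): a stand-alone Go sketch of the pattern the message describes. The shutdown routine runs in its own goroutine so a bug that makes it hang cannot wedge the signal handler, the wait is bounded by a timeout that defaults to the 3 seconds named above, and a positive `time.ParseDuration` value in the environment variable overrides it. The function names `shutdownTimeout` and `shutdownWithin`, the duration syntax for `TELEPORT_UNSTABLE_SHUTDOWN_TIMEOUT`, and the 500 ms stand-in for `process.Shutdown()` are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

// defaultShutdownTimeout is the 3-second budget the message describes.
const defaultShutdownTimeout = 3 * time.Second

// shutdownTimeout (hypothetical name) returns the override from raw when it is
// a valid positive duration and def otherwise. Empty, unparsable or
// non-positive values fall back to def, so a bad env var can never remove the
// deadline.
func shutdownTimeout(raw string, def time.Duration) time.Duration {
	d, err := time.ParseDuration(strings.TrimSpace(raw))
	if err != nil || d <= 0 {
		return def
	}
	return d
}

// shutdownWithin (hypothetical name) runs shutdown in a separate goroutine and
// waits at most timeout. It returns true if shutdown finished in time and
// false if the deadline won, in which case the caller should exit anyway.
// The goroutine is handed a context that expires at the same deadline so a
// well-behaved shutdown can abort its own work.
func shutdownWithin(shutdown func(context.Context), timeout time.Duration) bool {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	done := make(chan struct{})
	go func() {
		defer close(done)
		shutdown(ctx)
	}()

	select {
	case <-done:
		return true
	case <-ctx.Done():
		return false
	}
}

func main() {
	// Block until SIGINT or SIGTERM arrives.
	sigCtx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()
	fmt.Println("running; send SIGINT or SIGTERM to stop")
	<-sigCtx.Done()
	stop()

	timeout := shutdownTimeout(os.Getenv("TELEPORT_UNSTABLE_SHUTDOWN_TIMEOUT"), defaultShutdownTimeout)
	ok := shutdownWithin(func(ctx context.Context) {
		// Stand-in for process.Shutdown(): a service that drains in 500 ms
		// unless the deadline expires first.
		select {
		case <-time.After(500 * time.Millisecond):
		case <-ctx.Done():
		}
	}, timeout)
	if !ok {
		fmt.Fprintf(os.Stderr, "graceful shutdown exceeded %v; exiting anyway\n", timeout)
		os.Exit(1)
	}
	fmt.Println("clean shutdown")
}
```

Run it, press Ctrl-C, and it exits cleanly after about half a second; set `TELEPORT_UNSTABLE_SHUTDOWN_TIMEOUT=100ms` first and the deadline wins instead.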
The Cf-Access-Token header seems to be an infrequently used header that can
easily increase the size of the header by `len(roles) + len(traits)`, which
can cause problems. Users are able to add this in on their own if they need
it using header rewriting, so we'll remove this.
* Remove non-file path links from partials
Fixes #12618
Ensure that all partials use relative links to MDX files for more
accurate linting. Only two partials contain links to URL paths, and one
of these is not included anywhere in the docs.
This change removes the unused partial and changes the remaining link to
a file path.
* Fix linter error
* Remove old indicator from unified resources
* Use lowercase for unified name sort
* Include friendly name in app icon guess
* Add filters exist indicator
* Remove uppercase from filter buttons and add filter count
* Remove indicator import
* Resource custom sort by contained resource
* Add unified name compare test
Without this, the helm lint prints hundreds of lines of messages
that just tell you that everything was good. This makes it harder
to spot real problems.
* Add error to Attempt in useAsync
* Ensure attempt.error refers to the same object as expectedError
* Refactor error handling to use instanceof with attempt.error
* makeErrorAttempt: Require an Error object
In real code, the function can throw any object. But since makeErrorAttempt
is a helper function, we can make it require an Error object.
This test has had two failures (timeouts) on oss-fuzz that are false positives (5894581923479552 & 5112269123747840). Both are very large and when run in go fuzz are not reproducible (local execution ~2 seconds).
Disabling due to the false positives
* remove prefix matching in tctl
* replace prefix matching with exact discovered name match as a fallback
when no resource full name matches the name given by a user
* refactor test helpers
* avoid decoding yaml/json into already initialized var
This suppresses some noisy warnings, and provides useful debug
information (such as the assumedRoleId) baked into the command.
AWS Account IDs are no longer masked by default.
* convert protobuf's zero time into go's zero time
* Update api/types/header/convert/v1/header.go
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Some users have encountered cases where they connect multiple
distinct AD domains to Teleport, but the name of the domain is
the same and the name of some of the hosts within the domain are
also the same.
As a result, Teleport incorrectly deduplicates these desktops in
the UI (we can't distinguish them from identical desktops reported
by multiple agents).
Fix this by appending a portion of the objectGUID to the desktop name.
Even if multiple domains have identical names and hostnames, the GUID
will differ and both will be shown in the UI.
* Revise desktop access-Active Directory automatic
* Update title, text, and image
* tested steps
* Change the existing server description
* Fix typos
* Make the linter happy
* Updated from Paul's suggestions
* Make the linter happy
* trusted cluster revision WIP
* Complete rewrite of trusted clusters under management/admin section
* Replace images, miscellaneous fixes
* Remove single root cluster statement
* Move the jq command examples to a separate topic
* Move lookup commands to a separate file
* Fix some spelling issues
* Some fixes and clarification
* Add leaf cluster Auth Server > Proxy service on the root cluster
* Add service interaction diagram
* Updates from review
* Update image
* Add an example
* Add direct and remove security vulnerability clause
* Fix duplicate entry for `X-Forwarded-For` header
PR #27761 replaced `oxy.Forwarder` with `httputil.ReverseProxy`.
The new forwarder based on `httputil.ReverseProxy` is appending the
`X-Forwarded-For` header values instead of replacing them.
This PR fixes that behavior and forces the XFF header to be a single
value.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Update lib/httplib/reverseproxy/rewriter_test.go
Co-authored-by: Reed Loden <reed@goteleport.com>
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Reed Loden <reed@goteleport.com>
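Added example (not Teleport's code and not the change in `lib/httplib/reverseproxy`): a self-contained Go program reproducing the behaviour the message describes and one way to force a single value. A default `httputil.ReverseProxy` appends the peer IP to whatever `X-Forwarded-For` the client already sent, so a client can prepend arbitrary addresses that the backend then trusts. Stripping the inbound header in the `Director` leaves the proxy with no prior value, so it sets exactly one: the IP it observed on the connection. The `xffSeenByBackend` helper, the spoofed address `203.0.113.9` and the `httptest` servers are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// xffSeenByBackend (hypothetical helper) stands up a throwaway backend and a
// httputil.ReverseProxy in front of it, sends one request carrying a
// client-supplied X-Forwarded-For value (spoofed) through the proxy, and
// returns the X-Forwarded-For header the backend actually received.
//
// singleValue=false leaves the proxy at its default, which appends the peer
// IP to the client's list. singleValue=true installs a Director that deletes
// the inbound header first, so ReverseProxy emits only the peer IP.
func xffSeenByBackend(singleValue bool, spoofed string) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("X-Forwarded-For")
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if singleValue {
		inner := proxy.Director
		proxy.Director = func(req *http.Request) {
			inner(req)
			// Drop the client-controlled list. ReverseProxy appends only when a
			// prior value exists, so with none present it sets a single value
			// derived from req.RemoteAddr, which the client cannot forge.
			req.Header.Del("X-Forwarded-For")
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Forwarded-For", spoofed)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, single := range []bool{false, true} {
		got, err := xffSeenByBackend(single, "203.0.113.9")
		if err != nil {
			panic(err)
		}
		fmt.Printf("singleValue=%-5v backend saw X-Forwarded-For: %q\n", single, got)
	}
}
```

With the loopback test servers the default proxy delivers `203.0.113.9, 127.0.0.1` and the fixed one delivers `127.0.0.1`. On Go 1.20 and later the `Rewrite` hook strips the inbound `X-Forwarded-For` before it runs and `ProxyRequest.SetXForwarded` sets the client IP, which gives the same single-value result without a custom `Director`.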
* Update the desktop introduction
* Updates from review, keep old file names and locations for now
* Replace mermaid diagram
* Update diagram
* Remove reference to Desktop Access