Fixed regressions in how the cluster name was set in the profile when
doing "tsh login <clusterName>". The following examples illustrate
expected behavior.
Suppose root cluster is example.com and the leaf cluster is
leaf.example.com.
* "tsh login" will update profile to example.com.
* "tsh login example.com" will update profile to example.com.
* "tsh login leaf.example.com" will update profile to
leaf.example.com.
* "tsh login invalid.example.com" will return an error.
Note: The profile is only updated when a identity flag is NOT provided.
This means the following command will NOT update the profile:
tsh --proxy=example.com login --out=certs.pem leaf.example.com
* Add image types, AMI IDs, extend AuthASG timeout
Added options for m4.large and m5.large. Added AMI IDs for all regions. Extended the timeout on the Auth ASG from 20 minutes to 30 minutes.
* Update ent.yaml
Co-authored-by: Ben Arent <ben@gravitational.com>
Co-authored-by: Gus Luxton <gus@gravitational.com>
Changes the lifetime of agent forwarding to be scoped
to the underlying ssh connection, instead of the
specific ssh channel which initially passed the agent
forwarding request.
Fixed findings:
```
lib/sshutils/server_test.go:163:2: SA4006: this value of `clt` is never used (staticcheck)
clt, err := ssh.Dial("tcp", srv.Addr(), &cc)
^
lib/sshutils/server_test.go:91:3: SA5001: should check returned error before deferring ch.Close() (staticcheck)
defer ch.Close()
^
lib/shell/shell_test.go:33:2: SA4006: this value of `shell` is never used (staticcheck)
shell, err = GetLoginShell("non-existent-user")
^
lib/cgroup/cgroup_test.go:111:2: SA9003: empty branch (staticcheck)
if err != nil {
^
lib/cgroup/cgroup_test.go:119:2: SA5001: should check returned error before deferring service.Close() (staticcheck)
defer service.Close()
^
lib/client/keystore_test.go:138:2: SA4006: this value of `keyCopy` is never used (staticcheck)
keyCopy, err = s.store.GetKey("host.a", "bob")
^
lib/client/api.go:1604:3: SA4004: the surrounding loop is unconditionally terminated (staticcheck)
return makeProxyClient(sshClient, m), nil
^
lib/backend/test/suite.go:156:2: SA4006: this value of `err` is never used (staticcheck)
result, err = s.B.GetRange(ctx, prefix("/prefix/c/c1"), backend.RangeEnd(prefix("/prefix/c/cz")), backend.NoLimit)
^
lib/utils/timeout_test.go:84:2: SA1019: t.Dial is deprecated: Use DialContext instead, which allows the transport to cancel dials as soon as they are no longer needed. If both are set, DialContext takes priority. (staticcheck)
t.Dial = func(network string, addr string) (net.Conn, error) {
^
lib/utils/websocketwriter.go:83:3: SA4006: this value of `err` is never used (staticcheck)
utf8, err = w.encoder.String(string(data))
^
lib/utils/loadbalancer_test.go:134:2: SA4006: this value of `out` is never used (staticcheck)
out, err = Roundtrip(frontend.String())
^
lib/utils/loadbalancer_test.go:209:2: SA4006: this value of `out` is never used (staticcheck)
out, err = RoundtripWithConn(conn)
^
lib/srv/forward/sshserver.go:582:3: SA4004: the surrounding loop is unconditionally terminated (staticcheck)
return
^
lib/service/service.go:347:4: SA4006: this value of `err` is never used (staticcheck)
i, err = auth.GenerateIdentity(process.localAuth, id, principals, dnsNames)
^
lib/service/signals.go:60:3: SA1016: syscall.SIGKILL cannot be trapped (did you mean syscall.SIGTERM?) (staticcheck)
syscall.SIGKILL, // fast shutdown
^
lib/config/configuration_test.go:184:2: SA4006: this value of `conf` is never used (staticcheck)
conf, err = ReadFromFile(s.configFileBadContent)
^
lib/config/configuration.go:129:2: SA5001: should check returned error before deferring reader.Close() (staticcheck)
defer reader.Close()
^
lib/kube/kubeconfig/kubeconfig_test.go:227:2: SA4006: this value of `err` is never used (staticcheck)
tlsCert, err := ca.GenerateCertificate(tlsca.CertificateRequest{
^
lib/srv/sess.go:720:3: SA4006: this value of `err` is never used (staticcheck)
result, err := s.term.Wait()
^
lib/multiplexer/multiplexer_test.go:169:11: SA1006: printf-style function with dynamic format string and no further arguments should use print-style function instead (staticcheck)
_, err = fmt.Fprintf(conn, proxyLine.String())
^
lib/multiplexer/multiplexer_test.go:221:11: SA1006: printf-style function with dynamic format string and no further arguments should use print-style function instead (staticcheck)
_, err = fmt.Fprintf(conn, proxyLine.String())
^
```
Fixed findings:
```
lib/services/github_test.go:99:2: SA4006: this value of `kubeUsers` is never used (staticcheck)
logins, kubeGroups, kubeUsers = connector.MapClaims(GithubClaims{
^
lib/services/github_test.go:107:2: SA4006: this value of `kubeUsers` is never used (staticcheck)
logins, kubeGroups, kubeUsers = connector.MapClaims(GithubClaims{
^
lib/services/local/configuration_test.go:84:2: SA4006: this value of `clusterConfig` is never used (staticcheck)
clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{
^
lib/services/local/configuration_test.go:102:2: SA4006: this value of `clusterConfig` is never used (staticcheck)
clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{})
^
lib/services/local/presence_test.go:108:2: SA4006: this value of `gotTC` is never used (staticcheck)
gotTC, err = presenceBackend.GetTrustedCluster("foo")
^
lib/services/suite/suite.go:157:2: SA4006: this value of `err` is never used (staticcheck)
out, err := s.WebS.GetUser("user1", false)
^
lib/services/suite/suite.go:208:2: SA4006: this value of `u` is never used (staticcheck)
u, err = s.WebS.GetUser("foo", false)
^
lib/services/suite/suite.go:277:2: SA4006: this value of `err` is never used (staticcheck)
err = s.CAS.CompareAndSwapCertAuthority(&newCA, ca)
^
lib/services/suite/suite.go:339:2: SA4006: this value of `err` is never used (staticcheck)
out, err = s.PresenceS.GetProxies()
^
lib/services/suite/suite.go:1136:5: SA4006: this value of `err` is never used (staticcheck)
role, err := services.NewRole("role1", services.RoleSpecV3{
^
lib/services/suite/suite.go:1166:5: SA4006: this value of `err` is never used (staticcheck)
err := s.Users().UpsertUser(user)
^
```
Fixed findings:
```
lib/events/test/suite.go:88:2: SA4006: this value of `err` is never used (staticcheck)
err := s.Log.EmitAuditEvent(events.UserLocalLogin, events.EventFields{
^
lib/events/auditlog_test.go:98:2: SA4006: this value of `err` is never used (staticcheck)
fileHandler, err := filesessions.NewHandler(filesessions.Config{
^
lib/events/auditlog_test.go:121:2: SA4006: this value of `err` is never used (staticcheck)
err = os.MkdirAll(filepath.Join(uploadDir, "upload", "sessions", defaults.Namespace), 0755)
^
lib/events/auditlog_test.go:224:2: SA4006: this value of `err` is never used (staticcheck)
fileHandler, err := filesessions.NewHandler(filesessions.Config{
^
lib/events/auditlog_test.go:246:2: SA4006: this value of `err` is never used (staticcheck)
err = os.MkdirAll(filepath.Join(uploadDir, "upload", "sessions", defaults.Namespace), 0755)
^
lib/events/auditlog_test.go:381:2: SA4006: this value of `err` is never used (staticcheck)
fileHandler, err := filesessions.NewHandler(filesessions.Config{
^
lib/events/auditlog_test.go:403:2: SA4006: this value of `err` is never used (staticcheck)
fileHandler, err := filesessions.NewHandler(filesessions.Config{
^
lib/events/auditlog_test.go:431:2: SA4006: this value of `err` is never used (staticcheck)
err := os.MkdirAll(filepath.Join(uploadDir, "upload", "sessions", defaults.Namespace), 0755)
^
lib/events/filesessions/fileuploader.go:84:2: SA4006: this value of `err` is never used (staticcheck)
_, err := os.Stat(filepath.Dir(path))
^
lib/events/dynamoevents/dynamoevents.go:352:2: SA4006: this value of `err` is never used (staticcheck)
attributeValues, err := dynamodbattribute.MarshalMap(attributes)
^
lib/events/dynamoevents/dynamoevents.go:405:2: SA4006: this value of `err` is never used (staticcheck)
attributeValues, err := dynamodbattribute.MarshalMap(attributes)
^
```
Fixed issues:
```
lib/web/apiserver_test.go:499:2: SA4006: this value of `re` is never used (staticcheck)
re, err = pack.clt.Get(context.Background(), pack.clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:590:2: SA4006: this value of `re` is never used (staticcheck)
re, err = newPack.clt.Get(context.Background(), pack.clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:598:2: SA4006: this value of `re` is never used (staticcheck)
re, err = oldClt.Get(context.Background(), pack.clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:608:2: SA4006: this value of `re` is never used (staticcheck)
re, err = newPack.clt.Get(context.Background(), pack.clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:1106:2: SA4006: this value of `err` is never used (staticcheck)
loginReq, err := json.Marshal(createSessionReq{
^
lib/web/apiserver_test.go:1120:2: SA4006: this value of `err` is never used (staticcheck)
re, err := clt.Client.RoundTrip(func() (*http.Response, error) {
^
lib/web/apiserver_test.go:1148:2: SA4006: this value of `re` is never used (staticcheck)
re, err = clt.Get(context.Background(), clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:1154:2: SA4006: this value of `re` is never used (staticcheck)
re, err = clt.Get(context.Background(), clt.Endpoint("webapi", "sites"), url.Values{})
^
lib/web/apiserver_test.go:1192:2: SA4006: this value of `err` is never used (staticcheck)
data, err := json.Marshal(auth.ChangePasswordWithTokenRequest{
^
lib/web/apiserver_test.go:1206:2: SA4006: this value of `err` is never used (staticcheck)
re, err = clt.Client.RoundTrip(func() (*http.Response, error) {
^
lib/web/apiserver_test.go:1246:2: SA4006: this value of `err` is never used (staticcheck)
data, err := json.Marshal(auth.ChangePasswordWithTokenRequest{
^
lib/web/apiserver_test.go:1260:2: SA4006: this value of `err` is never used (staticcheck)
re, err = clt.Client.RoundTrip(func() (*http.Response, error) {
^
lib/web/static_test.go:93:2: SA4006: this value of `n` is never used (staticcheck)
n, err = f.Seek(-50, io.SeekEnd)
^
lib/web/static_test.go💯2: SA4006: this value of `n` is never used (staticcheck)
n, err = f.Seek(-50, io.SeekCurrent)
^
```
`localAgent` can be nil if `Config.SkipLocalAuth` was set (such as when
passing `-i` flag to `tsh`). Several places in client code didn't handle
missing `localAgent` causing nil pointer panics.
Fixes#3032
If TLS client key/cert or CA cert are missing, the kubeconfig ends up
generated successfully, but with those fields empty. For a user, this
looks like a successful `tsh login` with `kubectl` not working
afterwards with cryptic x509 errors.
We should always have the necessary fields provided. If not, `tsh login`
should say exactly what was missing.
Local keystore records trusted TLS CA certs in `<host>/certs.pem`.
When loading client.Key, also load the TLS CA cert for
`key.TrustedCertificates` field.
Without this field, `kubeconfig.Update` called by tsh can't populate the
CA cert in kubeconfig, which causes x509 validation errors with kubectl.
With OSS version and without using the github connector (only local
auth), logged in user won't have any `kubernetes_groups`. Without
usernames too, user can login but can't use kubectl.
All changes should be noop, except for
`integration/integration_test.go`.
The integration test was ignoring `recordingMode` test case parameter
and always used `RecordAtNode`. When switching to `recordingMode`, test
cases with `RecordAtProxy` fail with a confusing error about missing
user agent. Filed https://github.com/gravitational/teleport/issues/3606
to track that separately and unblock enabling `structcheck` linter.
The node first tries using the token with auth server. If that fails, it
tries the same address as a proxy server.
If both fail, user only sees the error from the latter attempt. If using
CA pin, this error will be "x509: certificate signed by unknown
authority", which is confusing.
Log both errors, and mention that a fallback is happening. The output
looks like:
ERRO [AUTH] Failed to register through auth server: "my-hostname" [3e53a982-afd1-4d2f-8864-54c25fbe5865] can not join the cluster with role Node, the token is not valid; falling back to trying the proxy server auth/register.go:123
ERRO [PROC:1] Node failed to establish connection to cluster: failed to register through proxy server: x509: certificate signed by unknown authority. time/sleep.go:149
If node hasn't fully initialized before getting stopped (such as when
join token isn't valid), most pointer vars in `initSSH` will be nil.
Handle that cleanly.
* Define a CreateUser event, code, and its related const
* Define CreateUser rpc in auth/proto file
* Define CreateUser between layers
* Replace UpsertUser with CreateUser in tctl and in unit test
Identity file formatting (former `client.MakeIdentityFile`) will soon
support writing a `kubeconfig` file.
`lib/kube/kubeconfig` depends on `lib/client`, if calls to
`kubeconfig.Update` were added to `client.MakeIdentityFile`, we'd have
an import cycle:
tool/tctl -> lib/client -> lib/kube/kubeconfig -> lib/client
To break the cycle, I extract the identity file formatting (and parsing)
code into a standalone package. It's logically isolated functionality
anyway.
Now the imports will be:
tool/tctl┬─> lib/client
├─> lib/kube/kubeconfig ─> lib/client
╰─> lib/client/identity ┬─> lib/client
╰─> lib/kube/kubeconfig -> lib/client
The path passed in is used as a base, different output formats generate
different file sets based on it. To make things less confusing, return
the list of filepaths written and report it to the user.
- rename package from `client` to `kubeconfig` and remove "kubeconfig"
from function names
(https://github.com/golang/go/wiki/CodeReviewComments#package-names)
- export `Update` and `UpdateWithClient` to allow updates without
building a full `TeleportClient`
- accept an optional user-specified path to kubeconfig, to bind to CLI
flags
`rest.TLSConfigFor` helper function exists to create `tls.Config` from
`rest.Config` (which represents `kubeconfig` essentially).
This commit uses the `rest.TLSConfigFor` helper from k8s packages
instead of doing manual conversion.
The previous code here re-implemented this logic, missing several parts:
- `CertFile`/`KeyFile` not supported, only `CertData`/`KeyData`
- `AuthProvider`/`ExecProvider` not supported
- `Insecure` not supported
- `ServerName` not verified
Effectively, this meant that a teleport proxy provided with kubeconfig
would only use a subset of authentication options.
Side note: the forwarder code should offload even more transport and
auth concerns to k8s libraries. Handling things like bearer tokens
shouldn't be our job.
* [docs] Add links to examples directory in Github repo.
* PR Feedback.
- Updated the Quick Start guide to link to the Production Guide instead.
Co-authored-by: Ben Arent <ben@gravitational.com>
https://github.com/golangci/golangci-lint#go cautions against using go
get due to various problems. Downloading a binary also saves on
compilation time and image size.
Also, increase timeout to 5m, linting the repo can take a while on a
throttled CPU.
TeleInstance manages an auth server and a set of proxies/nodes.
TeleInstance.Stop only stops the auth server. A bunch of tests used it
assuming it also cleans up any running nodes.
This has caused a lot of log spam from failing heartbeats and generally
wasted CPU cycles.
Rename it to Stop to StopAuth to make it's purpose more obvious. Add
TeleInstance.StopAll that cleans up everything, suitable for deferring
in tests.
Some unusual shells like [fish](https://fishshell.com/) don't support
`$(cmd)` nested command syntax.
Print window size as two separate commands separated by newline instead.
Also, scan more of the output, in case the prompt is very long.
This type uses an inner bytes.Buffer to store terminal output. Terminal
is used by concurrent goroutines as io.ReadWriter, so access to the
buffer needs to be synchronized.
`SyncBuffer` has a goroutine running `io.Copy` to read from the
underlying pipe. Close stops the pipe, but doesn't wait for the last
chunk of data to be written by `io.Copy` to the buffer.
Both `Bytes` and `String` assume that the buffer received no further
writes after `Close`.
Add explicit synchronization between `io.Copy` goroutine and `Close`.
Several tests to confirm correctness of kubeconfig update logic.
Specifically - to make sure existing configuration is not deleted.
`UpdateKubeconfig` was split into two functions because mocking
`*client.TeleportClient` was really difficult.
Fixes#3209
To execute an SSH command, Teleport re-executes itself and execs the
command from this child process:
teleport -> teleport exec -> sh -c "user command"
Both parent teleport processes could exit unexpectedly (from SIGKILL or
even connection interruption).
Make sure all child processes get cleaned up and not orphaned to PID 1:
- teleport exec via SIGQUIT to request graceful shutdown
- user command via SIGKILL because it might ignore other signals
* Add monorepo
* Add reset/passwd capability for local users (#3287)
* Add UserTokens to allow password resets
* Pass context down through ChangePasswordWithToken
* Rename UserToken to ResetPasswordToken
* Add auto formatting for proto files
* Add common Marshaller interfaces to reset password token
* Allow enterprise "tctl" reuse OSS user methods (#3344)
* Pass localAuthEnabled flag to UI (#3412)
* Added LocalAuthEnabled prop to WebConfigAuthSetting struct in webconfig.go
* Added LocalAuthEnabled state as part of webCfg in apiserver.go
* update e-refs
* Fix a regression bug after merge
* Update tctl CLI output msgs (#3442)
* Use local user client when resolving user roles
* Update webapps ref
* Add and retrieve fields from Cluster struct (#3476)
* Set Teleport versions for node, auth, proxy init heartbeat
* Add and retrieve fields NodeCount, PublicURL, AuthVersion from Clusters
* Remove debug logging to avoid log pollution when getting public_addr of proxy
* Create helper func GuessProxyHost to get the public_addr of a proxy host
* Refactor newResetPasswordToken to use GuessProxyHost and remove publicUrl func
* Remove webapps submodule
* Add webassets submodule
* Replace webapps sub-module reference with webassets
* Update webassets path in Makefile
* Update webassets
1b11b26 Simplify and clean up Makefile (#62) https://github.com/gravitational/webapps/commit/1b11b26
* Retrieve cluster details for user context (#3515)
* Let GuessProxyHost also return proxy's version
* Unit test GuessProxyHostAndVersion & GetClusterDetails
* Update webassets
4dfef4e Fix build pipeline (#66) https://github.com/gravitational/webapps/commit/4dfef4e
* Update e-ref
* Update webassets
0647568 Fix OSS redirects https://github.com/gravitational/webapps/commit/0647568
* update e-ref
* Update webassets
e0f4189 Address security audit warnings Updates "minimist" package which is used by 7y old "optimist". https://github.com/gravitational/webapps/commit/e0f4189
* Add new attr to Session struct (#3574)
* Add fields ServerHostname and ServerAddr
* Set these fields on newSession
* Ensure webassets submodule during build
* Update e-ref
* Ensure webassets before running unit-tests
* Update E-ref
Co-authored-by: Lisa Kim <lisa@gravitational.com>
Co-authored-by: Pierre Beaucamp <pierre@gravitational.com>
Co-authored-by: Jenkins <jenkins@gravitational.io>
Adding following principals:
- `localhost`
- `127.0.0.1`
- `::1`
With these, `tsh` (both `ssh` and `join`) works with a local proxy
without any SSH handshake errors.
Removed the warning from quickstart docs, but keeping `--proxy=grav-00`
since that implies to the reader that proxy is usually remote.
Fixes#2910
