Added support for an identity aware, RBAC enforcing, mutually
authenticated, web application proxy to Teleport.
* Updated services.Server to support an application servers.
* Updated services.WebSession to support application sessions.
* Added CRUD RPCs for "AppServers".
* Added CRUD RPCs for "AppSessions".
* Added RBAC support using labels for applications.
* Added JWT signer as a services.CertAuthority type.
* Added support for signing and verifying JWT tokens.
* Refactored dynamic label and heartbeat code into standalone packages.
* Added application support to web proxies and new "app_service" to
proxy mutually authenticated connections from proxy to an internal
application.
* Implement kubernetes_service registration and sratup
The new service now starts, registers (locally or via a join token) and
heartbeats its presence to the auth server.
This service can handle k8s requests (like a proxy) but not to remote
teleport clusters. Proxies will be responsible for routing those.
The client (tsh) will not yet go to this service, until proxy routing is
implemented. I manually tweaked server addres in kubeconfig to test it.
You can also run `tctl get kube_service` to list all registered
instances. The self-reported info is currently limited - only listening
address is set.
* Address review feedback
* Add monorepo
* Add reset/passwd capability for local users (#3287)
* Add UserTokens to allow password resets
* Pass context down through ChangePasswordWithToken
* Rename UserToken to ResetPasswordToken
* Add auto formatting for proto files
* Add common Marshaller interfaces to reset password token
* Allow enterprise "tctl" reuse OSS user methods (#3344)
* Pass localAuthEnabled flag to UI (#3412)
* Added LocalAuthEnabled prop to WebConfigAuthSetting struct in webconfig.go
* Added LocalAuthEnabled state as part of webCfg in apiserver.go
* update e-refs
* Fix a regression bug after merge
* Update tctl CLI output msgs (#3442)
* Use local user client when resolving user roles
* Update webapps ref
* Add and retrieve fields from Cluster struct (#3476)
* Set Teleport versions for node, auth, proxy init heartbeat
* Add and retrieve fields NodeCount, PublicURL, AuthVersion from Clusters
* Remove debug logging to avoid log pollution when getting public_addr of proxy
* Create helper func GuessProxyHost to get the public_addr of a proxy host
* Refactor newResetPasswordToken to use GuessProxyHost and remove publicUrl func
* Remove webapps submodule
* Add webassets submodule
* Replace webapps sub-module reference with webassets
* Update webassets path in Makefile
* Update webassets
1b11b26 Simplify and clean up Makefile (#62) https://github.com/gravitational/webapps/commit/1b11b26
* Retrieve cluster details for user context (#3515)
* Let GuessProxyHost also return proxy's version
* Unit test GuessProxyHostAndVersion & GetClusterDetails
* Update webassets
4dfef4e Fix build pipeline (#66) https://github.com/gravitational/webapps/commit/4dfef4e
* Update e-ref
* Update webassets
0647568 Fix OSS redirects https://github.com/gravitational/webapps/commit/0647568
* update e-ref
* Update webassets
e0f4189 Address security audit warnings Updates "minimist" package which is used by 7y old "optimist". https://github.com/gravitational/webapps/commit/e0f4189
* Add new attr to Session struct (#3574)
* Add fields ServerHostname and ServerAddr
* Set these fields on newSession
* Ensure webassets submodule during build
* Update e-ref
* Ensure webassets before running unit-tests
* Update E-ref
Co-authored-by: Lisa Kim <lisa@gravitational.com>
Co-authored-by: Pierre Beaucamp <pierre@gravitational.com>
Co-authored-by: Jenkins <jenkins@gravitational.io>
This commit introduced mutual TLS authentication
for auth server API server.
Auth server multiplexes HTTP over SSH - existing
protocol and HTTP over TLS - new protocol
on the same listening socket.
Nodes and users authenticate with 2.5.0 Teleport
using TLS mutual TLS except backwards-compatibility
cases.
Instead of quietly changing behavior because `DEBUG` envar was set to
true, Teleport now explicitly requires scary --insecure flag to enable
this behavior.
I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error rightaway if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist since we need to return a keyHandle in the U2F SignRequest
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.
Teleport CA-signed host certificates used to support only one
server role per cert.
This commit adds the ability to store multiple roles in a
certificate, paving the road for multi-role node support in
a near future.
This commit:
- Makes all Teleport tokens multi-role (a token is associated with a
list of roles its owner can assume)
- Removes some unused/obsolete features
a) "AllowedTokens" config setting which we don't use
b) "authorities" TCTL command
It does not affect how Teleport works, just preparing the plumbing for
--roles flag for `tctl nodes add`
auth server. This is needed when you configure cluster from scratch and
all nodes including auth server spin up simultaneously.
* Add tctl tools to generate keys and certificates
+ Command "tctl authorities gen" generates public and private keypair.
+ Command "tctl authorities gencert" generates public and private keypair signed
by existng private key
+ Command "tctl authorities export" was modified to be able to export exisitng private
CA keys to local storage
All of these commands are hidden by default.
section "static configuration"
* Add ability to configure teleport from environment variable
Environment variable TELEPORT_CONFIG can contain base64 encoded
YAML file config file of the standard file format, so teleport will use it on start
* Add special secrets section to the config file
Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys
* Add special rts hidden section to add support for provisioning
This commit introduces heartbeats of AuthServers and Proxies and fixes several issues:
1. Server init problem
There was an issue in server init, when certificates of multiple roles were overwriting each otther.
Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert
This also means that it's backwards incompatible with previous on disk format.
2. Proxy and Auth heartbeats
Auth servers and proxies now heartbeat into cluster as well
3. Bugfixes:
* Proxy role was missing, it is now treated as a separate role with permissions
* AdvertiseIP is now a global setting that can be used by all roles
* --advertise-ip flag was ignored and was never applied
* teleport service initialization has been simplified, now each role get it's own client
* minor cleanups