* Switch to go1.16. Use embed package to embed webassets instead of ad-hoc attaching to binary
* Fix pipeline duplicate step error
* Resolve duplicate pipeline step name error. Explicitly define platform for 'exec' pipelines. Remove the uid/gid environment from 'exec' pipelines as redundant.
* Set proper dependencies when building darwin package fips pipelines. Use enterprise build directory for tsh
* Address review comments
Username is the Teleport username (either from SSO or for a local user).
SSH login name is one of the OS logins allowed for the user.
In a user cert request, Username means the former, not the latter.
* Update Go runtime to 1.16.2 and bump the boringcrypto version correspondingly for linux FIPS builds
* Address review comments
* Don't fail if buildbox image is not present
* Update other go1.15.5 references not yet handled by dronegen
* Build from source on CentOS 6
Co-authored-by: Gus Luxton <gus@goteleport.com>
* fix race in filelog
* Fixed data race in Audit Log.
Fixed data race in Audit Log where Close and EmitAuditEvent race during
tests. Use a RWMutex to protect the local log to prevent race.
Co-authored-by: Forrest Marshall <forrest@gravitational.com>
The purpose is to allow users with admin privileges who are able to view audit logs
to debug SSO login failures from the UI as much as possible.
* Return generic error message for SSO console login failures to hide
sensitive data from reaching the client. Previously errors were returning as
empty messages because of a trace bug.
* Remove emit event for createOIDCClient to allow outer caller to
emit event and prevent double emits on error.
* Temporarily direct users to check Teleport's log on errors that come back
empty to the tsh client.
Check whether MFA is required for the current session and send a
challenge over the websocket.
client.IssueUserCertsWithMFA had to be modified to inject proxy's
cached user certs and websocket-based U2F prompt.
Addresses Issue #5774
Prior to this change key enumeration could fail with an error if the cluster value in the `tsh` config was missing, which is possible when a post-v6.0 `tsh` reads a ~/.tsh directory created by a pre-v6.0 `tsh`. This would ultimately cause the key enumeration code to search the wrong directory for keys, resulting in an attempt to read a directory as a key file, and failing.
This patch adds detection for an empty cluster name, and gracefully aborts the key enumeration without error if found.
By specifying `device_attestation_cas` in `teleport.yaml`, admins can
restrict U2F device manufacturers. For example, by specifying the Yubico
attestation CA
(https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt), you can
restrict users to YubiKeys only.
Example error when using the Yubico CA and trying to register a Google
Titan key:
```
$ tsh mfa add --type u2f --name test && tsh mfa rm test
Tap any *registered* security key
Tap your *new* security key
ERROR: rpc error: code = InvalidArgument desc = U2F device attestation certificate is signed by "CN=Security Key,O=Google", but this cluster only accepts certificates from ["CN=Yubico U2F Root CA Serial 457200631"]; make sure you're using a U2F device from a trusted manufacturer
```
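An added illustration of the attestation policy described in this entry, not code from Teleport itself: a device's attestation certificate is accepted only if it chains to one of the configured attestation CAs. The CAs and device certs are constructed in-process with the Go standard library; `mkCert` and `checkAttestation` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate (not a real vendor CA):
// parent == nil yields a self-signed CA, otherwise a leaf signed by parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkAttestation: the attestation cert must chain to a configured attestation CA.
func checkAttestation(att *x509.Certificate, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool()
	var names []string
	for _, ca := range trusted {
		roots.AddCert(ca)
		names = append(names, ca.Subject.String())
	}
	// U2F attestation certs usually carry no EKU, so do not require one.
	_, err := att.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("U2F device attestation certificate is signed by %q, but this cluster only accepts certificates from %q; make sure you're using a U2F device from a trusted manufacturer", att.Issuer.String(), names)
	}
	return nil
}
```

A device whose attestation certificate was issued by a CA outside the trusted set is refused with the same shape of message as the `tsh mfa add` error above; an empty trusted set refuses every device.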
* Added support for connecting API client through tunnel proxy and web proxy addresses (with identity file).
* Added concurrent dialing logic to dial several possible dialing combinations and seamlessly return the first client to connect.
Addresses #5624
When a k8s stream exits it emits events that mark the session recording
as complete. Prior to this patch, the `exec` handler exited before
emitting these "session complete" events, leaving the recordings
orphaned.
This patch wraps the stream cleanup in a `defer`ed cleanup handler
that marks the stream as complete in any exit mode.
The use of non-UTF-8 keys with the DynamoDB back-end causes a failure
deep within the AWS request deserialization code, presenting a
non-obvious failure to the user.
This change adds validation to all backends that requires that all keys
be valid UTF-8 strings. It also adds a warning to the Backend
interface declaration that the keys may be constrained to valid
UTF-8.
Other changes include:
* Updating the `Backend` conformance test suite to not present binary
keys to the various backend implementations.
* Adding a `region` value to the DynamoDB configuration test input
* Adding missing imports to `_test` files.
* Updating build instructions in README
Fixes #5352
```yaml
allow:
  impersonate:
    users: ['alice', 'bob']
    roles: ['*']
    where: 'contains(user.spec.traits["groups"], impersonate_role.traits)'
```
Adds "impersonator" to all X.509 and SSH client certs
issued using impersonation and does best effort to track
requests by impersonators in audit events.
Limits certs TTL to the impersonator's max session TTL.
Prevents impersonating users from recursively impersonating
other users.
Allows impersonating users to renew their own certificate,
for example to set route to cluster.
Adds missing token permission for editor role.