The Rust code now uses vendored mode [1] to statically link openssl,
so we no longer need dynamic linking for these libraries.
This also resolves an issue where extra flags were needed to build
locally on macOS.
[1]: https://docs.rs/openssl/0.10.36/openssl/#vendored
- Ensure Rust is installed in the buildbox image
- Install Rust toolchains for each arch we support
- Use openssl's vendor feature to ensure we always link a static lib
- Automatically include RDP client if Rust is detected
In some cases, it's possible for a package to be marked as a test
failure even if no tests inside it have failed. The motivating example
for this change is a timeout: a test overshooting the allotted timeout
is considered by go test to be a package-level failure, even if no
tests inside the package are considered failures.
This led to cases where the user would see an "All tests passed"
message from the go test filter, but still mysteriously fail the make
step.
To address this, the test renderer now:
* treats package-level pass/fail/skip events as first-class citizens
and includes them in its event count,
* tracks the cached test output at both a package and individual test
level, and
* displays the whole package output if a package is marked as failed,
but only if there is no obvious failed test to account for the
package-level failure.
This patch also removes the json files created by the unit tests, as
they are not yet needed for anything.
Allow users to opt in to changing routing behavior when duplicate
nodes are present. Legacy behavior is to return an error when multiple
nodes are matched by the routing logic in proxyToHost. A new RouteToMostRecent
flag in ClusterNetworkingConfig can be set to allow users to opt in to returning
the most recent node instead of an error. By default, the legacy behavior
is preserved.
Since our LDAP-based desktop discovery is not very configurable,
we opt to have it disabled by default.
Teleport will log a warning if desktop discovery is disabled and there
are no statically defined Windows desktops. In this case, the Windows
Desktop Service will simply sit idle, as there will be no desktops
available to connect to.
This commit implements the above, but also paves the way towards
a more flexible discovery system (described in the RFD).
We introduce a new config section:
    discovery:
      base_dn: '*'
      filters:
      - filter1
      - filter2
For now, the only valid value for base_dn is the wildcard, which
instructs Teleport to search from the domain root. Additionally,
Teleport will validate that any provided filters are valid but
does not currently respect them when performing the search.
Future updates will allow for changing the base DN to something
more specific and filtering the results with LDAP filters.
Since the connection is made from Rust, we just hard code a
5-second connection timeout.
In a future change we can decide if we want to pass a timeout down
from Go, but for now this should improve the user experience.
We embed the name of the desktop in the server name when establishing
a connection, and the backend uses this to figure out which desktop
to route to.
Our wildcard certificate for desktop access is only valid for
*.desktop.teleport.cluster.local, so we need to replace '.' characters
in the name in order to avoid creating a new subdomain for which
the cert is not valid.
This logic already exists for statically defined desktops, and
was lacking for desktops discovered via LDAP.
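
The wildcard matching behind the commit message above, as an added example (not Teleport's own code): it uses Go's crypto/x509 hostname check to show why a dotted desktop name falls outside *.desktop.teleport.cluster.local while a single-label name is covered. The helper names, the '-' replacement character and the sample hostname are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// sniSuffix is the domain covered by the wildcard certificate named in the commit message.
const sniSuffix = ".desktop.teleport.cluster.local"

// wildcardCert stands in for the real certificate; only its SAN entry matters here.
var wildcardCert = &x509.Certificate{DNSNames: []string{"*" + sniSuffix}}

// sanitizeDesktopName replaces dots so the name stays a single DNS label.
// Assumption: '-' is the replacement character; the page does not name it.
func sanitizeDesktopName(name string) string {
	return strings.ReplaceAll(name, ".", "-")
}

// serverNameFor builds the TLS server name that embeds the desktop name.
func serverNameFor(desktopName string) string {
	return desktopName + sniSuffix
}

// certCovers reports whether the wildcard certificate is valid for serverName.
// A wildcard matches exactly one label, so extra dots in the name break the match.
func certCovers(serverName string) bool {
	return wildcardCert.VerifyHostname(serverName) == nil
}

func main() {
	// Constructed sample: a hostname as LDAP discovery might return it.
	discovered := "win01.corp.example.com"
	for _, name := range []string{discovered, sanitizeDesktopName(discovered)} {
		sni := serverNameFor(name)
		fmt.Printf("%-56s covered=%v\n", sni, certCovers(sni))
	}
}
```
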
Prior to this change, statically defined Windows desktops just got
a random UUID for their name, which is not nice to look at in the UI.
Instead, name hosts with a "static-" prefix and the addr.
- Fixes a bug where proper user lock expire date wasn't used
- Have CreateAuthenticateChallenge return error as is instead
of overriding all errors with AccessDenied, which fixes a
backwards comp error where older proxies assume
AccessDenied type error means user got locked
Looks like this validation just got missed in one of the early
desktop access PRs. This enables behavior that is consistent
with our current docs and the message printed by tctl.