Commit graph

5974 commits

Author SHA1 Message Date
Alexey Ivanov fa4d7eb977
Update docs structure (#5849) 2021-03-04 10:07:48 -08:00
jane quin 20f2b8874a
update e (#5786)
update e

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
2021-03-03 18:04:23 -08:00
dmitri ae4e5bfc97 Remove args as these can be deduced automatically 2021-03-03 17:49:12 -08:00
dmitri bed6679e0e Quote the address arguments to avoid issues with formats that use symbols that require escaping 2021-03-03 17:49:12 -08:00
dmitri ca87f92ed5 Use non-greedy Mkdir variant and add a test-case for non-existing remote location with intermediate directories 2021-03-03 17:49:12 -08:00
dmitri ea4adc8b7e Add more test coverage for sink mode 2021-03-03 17:49:12 -08:00
dmitri fb8c71c6fa Check whether . is a base directory directly 2021-03-03 17:49:12 -08:00
dmitri 007235446f Use correct target directory path.
Handle target directory/file renames.

Fixes https://github.com/gravitational/teleport/issues/5695.
2021-03-03 17:49:12 -08:00
corkrean 2e7b253d55 Update CHANGELOG.md
Corrected a typo.
2021-03-03 17:27:36 -08:00
Roman Tkachenko 5e0178d3f6
Fix db server test data race (#5832) 2021-03-03 13:02:42 -08:00
Russell Jones 5b87e74a05 Updated CHANGELOG.md. 2021-03-03 10:19:36 -08:00
Andrew Lytvynov 4588a7951a
mfa: delete user MFA devices on account reset (#5805)
This fixes user reset when they have an MFA device registered with a
known name ("otp" or "u2f").
2021-03-02 15:47:16 -08:00
Andrej Tokarčík f7a2eb4ed5 Include CA cert file path in the error message 2021-03-02 13:20:43 -08:00
Andrej Tokarčík 012b1235a6 Get rid of unnecessary var declarations 2021-03-02 13:20:43 -08:00
Andrej Tokarčík 539ba24550 Fix support for insecure etcd mode 2021-03-02 13:20:43 -08:00
Andrej Tokarčík 976d8517cb
Remove support for migrating from legacy etcd prefix (#5798)
This code should have been removed in 4.4.
2021-03-02 20:49:11 +01:00
Alexey Kontsevoy 472df28f2a
Add "billing_information" RBAC resource (#5676)
* Expose GRPC client connection to plugins
* Replaces global plugin state with the PluginRegistry
2021-03-01 22:47:03 -05:00
Russell Jones 4f102552ee
Fixed build failure for non-Linux platforms. (#5800) 2021-03-01 18:17:02 -04:00
Joel Wejdenstål f3e07356c1
fix #5783 utmp regression on macos (#5784) 2021-03-01 17:40:59 -04:00
Andrej Tokarčík f4e13ea8f3 Don't defer Close calls on writable files 2021-03-01 22:14:10 +01:00
Andrej Tokarčík f5dc4e84f6 [auto] Update webassets in andrej/master/security-fixes
fbea7a4 Implement OAuth-style state token for AAP auth flow https://github.com/gravitational/webapps/commit/fbea7a4

[source: -w master] [target: -t andrej/master/security-fixes]
2021-03-01 22:14:10 +01:00
Andrej Tokarčík ee7693f41d Prevent AAP login CSRF with OAuth-style state tokens 2021-03-01 22:14:10 +01:00
Andrej Tokarčík ff18d38d7e Set cookies with '__Host-' prefix 2021-03-01 22:14:10 +01:00
Andrej Tokarčík c4faea980f Set stricter HTTP Content-Security-Policy directives 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 8720b1872a Assemble safe FQDN values for AAP redirects 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 89f0432ad5 Introduce utils.ReadAtMost to prevent resource exhaustion 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 85244157b0 Check CA expiration status when joining a cluster 2021-03-01 22:14:10 +01:00
Andrej Tokarčík f88665fe12 Add obfuscation to diagnostic metrics 2021-03-01 22:14:10 +01:00
Andrej Tokarčík a7f3a05e53 Fix AAP headers injection 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 46aa81b1ce Fix CLI content spoofing through access request reason 2021-03-01 22:14:10 +01:00
Andrej Tokarčík f958e03439 Require initialized TLS config in utils.TLSDial 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 80cf3ae749 Fix existence leak of label-restricted resources 2021-03-01 22:14:10 +01:00
Andrej Tokarčík 899cc1c0ec
Propagate the mapped local user identity via auth.Context (#5794)
In `auth.Context`, the `Identity` field used to contain the original
caller identity and `User` field contained the mapped local user. These
are different if the request comes from a remote trusted cluster.

Lots of code assumed that `auth.Context.Identity` contained the local
identity and used roles/traits from there.

To prevent this confusion, populate `auth.Context.Identity` with the
*mapped* identity, and add `auth.Context.UnmappedIdentity` for callers
that actually need it.

One caller that needs `UnmappedIdentity` is the k8s proxy. It uses that
identity to generate an ephemeral user cert. Using the local mapped
identity in that case would make the downstream server (e.g.
kubernetes_service) treat it like a real local user, which doesn't
exist in the backend and causes trouble.

`ProcessKubeCSR` endpoint on the auth server was also updated to
understand the unmapped remote identities.

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-03-01 21:55:59 +01:00
Acrimon b9f7d2a53a fix last output timestamps on some systems 2021-02-26 22:59:51 +01:00
Andrew Lytvynov ff129306e3 docs: clarify why etcd doesn't store audit events 2021-02-26 11:25:38 -08:00
Travis Swientek 90b8e788f5 Remove categories in favor of using labels instead. 2021-02-26 11:15:16 -08:00
Travis Swientek e6f210413d Update Issue Templates.
- Changed task lists to standard lists, due to undesired GitHub Issue List layout.
- Removed question template; use GitHub Discussions for questions.
2021-02-26 11:15:16 -08:00
Yael Jay Perez dd1eef2b54 Update ssh-kubernetes-fedramp.mdx
The parameter `proxy_checks_host_keys` accepts only yes|no in the config file. If set to true you get the below error:

```
ERROR REPORT:
Original Error: *trace.BadParameterError proxy_checks_host_keys must be one of: yes,no
Stack Trace:
	/go/src/github.com/gravitational/teleport/lib/services/clusterconfig.go:392 github.com/gravitational/teleport/lib/services.(*ClusterConfigV3).CheckAndSetDefaults
	/go/src/github.com/gravitational/teleport/lib/services/clusterconfig.go:119 github.com/gravitational/teleport/lib/services.NewClusterConfig
	/go/src/github.com/gravitational/teleport/lib/config/configuration.go:459 github.com/gravitational/teleport/lib/config.applyAuthConfig
	/go/src/github.com/gravitational/teleport/lib/config/configuration.go:339 github.com/gravitational/teleport/lib/config.ApplyFileConfig
	/go/src/github.com/gravitational/teleport/lib/config/configuration.go:1047 github.com/gravitational/teleport/lib/config.Configure
	/go/src/github.com/gravitational/teleport/tool/teleport/common/teleport.go:170 github.com/gravitational/teleport/tool/teleport/common.Run
	/go/src/github.com/gravitational/teleport/e/tool/teleport/main.go:22 main.main
	/opt/go/src/runtime/proc.go:213 runtime.main
	/opt/go/src/runtime/asm_amd64.s:1375 runtime.goexit
User Message: proxy_checks_host_keys must be one of: yes,no
```
2021-02-26 10:27:22 -08:00
Gus Luxton 01fbe15b32
[tctl] Don't explicitly set value for config path and preserve backwards compatibility (#5731) 2021-02-25 22:00:48 -04:00
Allen Vailliencourt 65ce3a122c Fixed a typo in GCP documentation 2021-02-25 17:42:56 -08:00
Russell Jones d4b726d8cf Added RFD 18: Agent loading. 2021-02-25 17:29:57 -08:00
Russell Jones 7f862b494f Update rfd/0008-application-access.md
Co-authored-by: Roman Tkachenko <roman@gravitational.com>
2021-02-25 17:24:07 -08:00
Russell Jones e5cb45cae3 Update 0008-application-access.md 2021-02-25 17:24:07 -08:00
Roman Tkachenko ac7dea4345 Update old proxy version detection algorithm 2021-02-25 16:29:53 -08:00
Alexander Klizhentas 03161e8a6b
Sasha/newlines (#5738)
* Improves CLI error reporting

Escapes control characters, while allowing newlines.
Removes tabs in output.
2021-02-25 14:52:25 -08:00
Alexander Klizhentas 5e12308fa7
Adds public_addr when using ACME (#5734)
Fixes #5711

Adds required public_addr when using ACME mode.
2021-02-25 13:47:33 -08:00
Lisa Kim 131dd002cf
[auto] Update webassets in master (#5735)
e4e9418 Disable use of web workers in ace editor (#232) gravitational/webapps@e4e9418
394c775 Fix bug and consistent error banner placement (#233) gravitational/webapps@394c775

[source: -w master] [target: -t master]
2021-02-25 13:31:00 -08:00
Andrew Lytvynov af81a7892f
Make /lib/web tests more reliable (#5703)
Fix condition on the proxy registration check.

Use t.Cleanup to close all servers and clients reliably and avoid
running out of file descriptors.
2021-02-25 13:09:25 -08:00
Andrew Lytvynov 31e3e93fdb
testplan: add MFA management tests (#5661) 2021-02-25 12:52:31 -08:00
Andrew Lytvynov 513ee899dd
testplan: update EKS/GKE testing steps (#5662)
EKS can be fronted by teleport, just like GKE.
2021-02-25 12:46:19 -08:00