* update tsh db resource selection
* add --labels and --query to tsh db subcommands
* tsh db [login | logout | env | config | connect]
* tsh proxy db
* add hasPrefix to predicate lang
* add teleport.dev/discovered-name
* print the "discovered name" of databases discovered by the discovery service,
which is the name of the database resource in the cloud, when using
tsh db ls without the --verbose flag. This avoids printing verbose
uniquely identifying names when the discovery service is updated to append
a uniquely identifying suffix to discovered databases in AWS/Azure/GCP.
* tsh db ls --verbose ignores the label
* fix db connect string in tsh db ls
* select database by prefix, labels, and/or query predicate.
* chooses active database by exact match if the "prefix" matches exactly
and no labels/predicate is given.
* logout of a subset of databases with tsh db logout.
* print an "ambiguous match" error if prefix/labels/query matches
multiple databases where one is required.
* move all --labels cli flags to cf.Labels from cf.UserHost
* update tsh db tests
* speedup slow tsh db tests
* postgres/mysql profile respect home dir
* rename test cases for consistency
* test database listing uses discovered-name
* test login/env/config/logout with prefix/label/predicate selectors
* test active db filtering logic
* fix tests broken by merge
When the number of replicas of a resource is bigger than 1 - i.e.
`kube_cluster`, `app`, `db` - `tsh request search` printed
all the registered resources instead of ignoring the repeated rows.
This PR excludes the repeated resource ids from the table and request
command.
Before:
```
$ tsh request search --kind kube_cluster
Name Hostname Labels Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local env=tiago /tele.local/kube_cluster/local
my-cluster teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
my-cluster teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster --resource /tele.local/kube_cluster/my-cluster \
--reason <request reason>
```
After:
```
$ tsh request search --kind kube_cluster
Name Hostname Labels Resource ID
---------- -------- ------------------------------------------------------------------ -----------------------------------
local env=tiago /tele.local/kube_cluster/local
my-cluster teleport.internal/resource-id=89b78b53-600f-4545-922c-96d20ee15182 /tele.local/kube_cluster/my-cluster
To request access to these resources, run
> tsh request create --resource /tele.local/kube_cluster/local --resource /tele.local/kube_cluster/my-cluster \
--reason <request reason>
```
This PR moves the creation of the `lock` file right before the login
call is attempted instead of creating it for any call.
This fixes a problem where we create the lock file even if no login is
required which limits the number of parallel kubectl invocations.
* tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry
* Addressed comments from code review
* Add support for leaf clusters
* Refactoring from code review
Also moved registry/hostname functions into external packages
* Address more feedback from code review
* Rebase following tsh/common changes
* Fix up putty_config_windows
* Reorder command
* Remove surplus comment
* Use a separate list instead of overloading the 'extra' key
* Address Tim's code review comments
* Address some of Zac's comments
* Refactor formatLocalCommandString to use text/template
* Refactor non-Windows logic into puttyhosts
* Fix subcommand name
* Fix test structure
* Add some more hostnames test cases
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Fix up
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Added the `t.Parallel()` function call in each test function to enable parallel test execution. This should reduce the overall time it takes to run all these tests by enabling them to run concurrently.
#24864 added a dependency of lib/web into tsh which broke windows
tsh builds because lib/web transiently depends on lib/srv which
has linux specific code. This shuffles around a few things so
that lib/web is no longer importing lib/srv at all by:
- Indirectly using the srv.SessionController to apply session
control for web ssh sessions
- Moving the common reversetunnel interfaces into
reversetunnelclient since lib/reversetunnel imports
lib/srv/forward which imports lib/srv.
- Directly converting mysql client errors in the connection
tester instead of calling a common function.
* InstallScripts: pin teleport version using ServerVersion
When Automatic Upgrades are enabled and the current installation is an
enterprise build, it will install teleport using:
- stable/cloud repo channel (yum, apt)
- pin the version to the one present at:
https://updates.releases.teleport.dev/v1/stable/cloud/version
* improve comments
Adds `tsh bench web ssh` to allow benchmarking ssh sessions that are
created via the web api. To prevent import cycles between `lib/web`
and `lib/client` the cookie implementation in `lib/web/cookie.go`
was moved into its own package `lib/web/session`. There is currently
no support for SSO users - adding a local server to handle the login
was out of scope and can be added in the future.
* update message on empty tsh ls results
* Update message to have no docs
* update verbiage
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Start fleshing out UAC elevation
* Use `runas` and ShellExecuteW to open a child process with elevated privileges
* Add tsh command to re-execute
* Add method to be called in the elevated child process
* Ugly, but working, credential activation in UAC dialogued child
* Add TODO
* Add some further notes/explanation on windows.ShellExecute
* Change error message to match function name
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Improve comment
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Use `trace.BadParameter` instead of `Errorf`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Use `tpm-activate-credential` instead of `activate-credential`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Remove spurious newline
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Move towards more production ready elevated process
* Add stubs for darwin/other
* Use path in state dir for cred activation results
* Fix stub return values
* Fix test missing context.Context pass
* Add additional message when cred activation completes
* Use ShellExecuteExW to get handle to process to wait on
* Improve comment in windowsexec
* Minor stylistic changes from review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Minor adjustments to error handling and logging
* Use `windows` over `syscall`
* Leverage `mkwinsyscall`'s error handling
* Missing param in test
* Always show error, not just when `-d` is provided
* Remove unnecessary trace.Wrap(err)
* Restore cf.Debug check
* Explicitly ignore return values from `FPrintln`
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Simplify code
* Add null check to `info.hProcess`
* Minor format changes from review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Fixes a discrepancy in overwriting the environment value with the
address observed for the Web UI for sessions not originating from
the Web UI. All sessions will now use `tc.WebProxyAddr` as the
default value and *only* update if an override is provided.
`TestIntegrations/EnvironmentVars` was updated to ensure that the
expected environment variables are present in both interactive and
non-interactive sessions.
* Fix an issue where the ALPN handshake test does not respect "HTTPS_PROXY"
* address review comment
* remove simplehttsproxy
* Add context to IsALPNConnUpgradeRequired in ten thousand places
* add goc and dial with context
* Fix moderated session presence checking
Addresses all of the issues that were preventing presence checking during
moderated sessions from working as described in
[#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859).
Closes #18092
* make presence test clearer
* fix presence checking on the web ui
* Refactor web socket message handling
A single message processing loop handles retrieving the envelope
and passing it off to individual message handlers. This allows all
messages to be processed outside of `Read` which was dependent on
the terminal being active to process any messages.
The webauthn challenge response was also moved from a raw message
to a webauthn message. By sending it as a raw message it made
presence checking fail because the response has a `t` in it which
caused the session to be killed during moderated sessions.
* enforce mfa ceremony when joining and cluster wide mfa is enabled
* fix conflicts with master
* moderated tests
* Add moderated session tests for the UI
* Add moderated session integration test
* fix lints
* clean up presence test
* refactor envelope handling
* fix build
* fix: revert test debug timeout
* fix: use local context in tests
* simplify closing streams
* generalize waitForOutput to work with an io.Reader
* fix error handling in stream close
* unexport PresenceOptions
* Improve waitForOutput to match against output in successive reads
* Change tsh test directory referenced in makefile.
Fix proxy template test case.
* Fix TestWriteSSHConfig.
---------
Co-authored-by: Steven Martin <steven@goteleport.com>
* feat: support authenticating with AWS IAM for MongoDB Atlas
* chore(lint): fix errors
* test(tsh): add missing database field
* refactor(mongodb): check for error on each authenticator branch
* refactor(mongodb): update log messages and atlas check
* refactor(auth): use IsRoleARN helper instead of IsARN
* chore(db): remove unused line
* chore(mongodb): split authenticator func
* refactor(db): rename get atlas token function
* tests(db): reuse already existent auth property
* chore(mongodb): add docs reference
* refactor(db): support role chaining
* feat(types): "require" iam role for atlas users
* refactor(db): use external id only on the first session
* refactor(services): add new database matcher for regular users and aws
* chore(db): rename functions to be more assertive
* chore(types): fix lint
* test(db): remove duplicated test
The test being removed here is covered by `TestMongoDBAtlas`
(lib/srv/db/auth_test.go).
* Refactor tool/tsh to enable tsh e2e tests outside of the tsh package.
* Add tool/teleport/testenv to enable easier e2e tests from outside
packages.
* Skip all flaky test checks when * is provided.
* TLS Routing behind ALB: tsh kube subcommands
* fix lint and ut
* fix ut again
* review comment round 1
* fix an issue where the local proxy should not be recreated on top of a local proxy kubeconfig
* move maybeStartKubeLocalProxy to runKubectlReexec, remove os.Setenv
* use cf.Stdout
* revert kube util.pointer
* revert kube util.pointer
* Fix fullArgs vs args and remove old KUBECONFIG from env
`onLogin` was inadvertently retrieving ClusterAlerts twice by
explicitly retrieving them and by calling `onStatus`, which also gets
the alerts so they are shown when `tsh status` is invoked. The portion
of `onStatus` which prints the profile has been separated into
`outputProfiles` so that `onLogin` may call that directly instead
of `onStatus`.
`tsh login` was fetching each role for a user during login to perform
calculations required to determine if auto access requests were
required. To reduce some of the login latency this logic was moved
to `proto.AuthService/GetAccessCapabilities` so that only a single
RPC to Auth is required instead of one per role.
* Use web address when appropriate for jump hosts
Determines whether the jump host provided via `tsh ssh -J` belongs
to the Proxy SSH or Web server to ensure when using jump hosts that
connections are established directly on the target cluster.
Closes #25178
* Modify tsh tests to capture issues with jump hosts
Alters the root and leaf cluster and node names used by tsh tests
so that the root cluster is named `root` instead of `localhost` and
sets a unique `NodeName` for each cluster instead of reusing
`localnode` for both. This was masking problems in jump hosts tests
by connecting to the node in the root cluster instead of the leaf
cluster.
Some additional changes to tsh tests were made as a result of
changing the cluster and node names.
* fix proxy client tests
* update TestList to login once
* Add cluster parsing to proxy templates
* Check ProxyTemplates even if -J is not provided
* Modify proxy templates logic to work with tsh ssh
* Apply suggestions from code review
Co-authored-by: Gavin Frazar <gavin.frazar@goteleport.com>
---------
Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Gavin Frazar <gavin.frazar@goteleport.com>
* Add `tsh kubectl` support for tracer exporter
This PR adds support for `--trace` exporter when running `tsh kubectl`.
It allows any user to automatically export traces from `tsh`.
* Update tool/tsh/kubectl.go
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* apply feedback
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>