Implement `tbot init` subcommand and ACL management (#10289)
Commits on Jan 14, 2022
Commit 0642d9b
This adds a new `tbot` tool to continuously renew a set of certificates after registering with a Teleport cluster using a similar process to standard node joining. This makes some modifications to user certificate generation to allow for certificates that can be renewed beyond their original TTL, and exposes new gRPC endpoints:

* `CreateBotJoinToken` creates a join token for a bot user
* `GenerateInitialRenewableUserCerts` exchanges a token for a set of certificates with a new `renewable` flag set

A new `tctl` command, `tctl bots add`, creates a bot user and calls `CreateBotJoinToken` to issue a token. A bot instance can then be started using a provided command.
Commits on Jan 21, 2022
Commit 278373b
* Use role requests to split renewable certs from end-user certs
* Add bot configuration file
* Use `teleport.dev/bot` label
* Remove `impersonator` flag on initial bot certs
* Remove unnecessary `renew` package
* Misc other cleanup
Commits on Jan 26, 2022
Commit 3cb5f41
Do not pass through `renewable` flag when role requests are set

This adds additional restrictions on when a certificate's `renewable` flag is carried over to a new certificate. In particular, it now also denies the flag when either role requests are present, or the `disallowReissue` flag has been previously set. In practice `disallow-reissue` would have prevented any undesired behavior but this improves consistency and resolves a TODO.
Commit 65997a6
Various tbot UX improvements; render SSH config

* Fully flesh out config template rendering
* Fix rendering for SSH configuration templates
* Added `String()` impls for destination types
* Improve certificate renewal logging; show more detail
* Properly fall back to default (all) roles
* Add mode hints for files
* Add/update copyright headers
Commit ff58ccf
Commits on Jan 27, 2022
Commit 75ee80b
Add gRPC endpoints for managing bots

* Add `CreateBot`, `DeleteBot`, and `GetBotUsers` gRPC endpoints
* Replace `tctl bot (add|rm|ls)` implementations with gRPC calls
* Define a few new constants, `DefaultBotJoinTTL`, `BotLabel`, `BotGenerationLabel`
Commits on Feb 2, 2022
Commit 65b4f91
Commit fced606
* Fixed a few nil pointer derefs when using config from CLI args
* Properly create destination if `--destination-dir` flag is used
* Remove improper default on CLI flag
* `DestinationConfig` is now a list of pointers
Commits on Feb 4, 2022
Commit e8b3b0f
Address first wave of review feedback

Fixes the majority of smaller issues caught by reviewers, thanks all!
Commit 773a4ef
Commit 34ae6a6
Commits on Feb 8, 2022
Commit 9c5ca57
Split initial user cert issuance from `generateUserCerts()`

Issuing initial renewable certificate ended up requiring a lot of hacks to skip checks that prevented anonymous bots from getting certs even though we'd verified their identity elsewhere (via token). This reverts all those hacks and splits initial bot cert logic into a dedicated `generateInitialRenewableUserCerts()` function which should make the whole process much easier to follow.
Commit 17a1c77
Commit bd3152b
Commits on Feb 10, 2022
Commit d7c49e7
Implement `tbot init` subcommand

This adds a new CLI subcommand to initialize a tbot destination directory by creating required files ahead of time and assigning proper permissions (and ACLs, where possible).
Commit 12942dd
Commits on Feb 11, 2022
Commit 8cd83c7
Commit 28bab88
Remove CreateBotJoinToken endpoint

Users should instead use the CreateBot/DeleteBot endpoints.
Commit 5a71864
Commits on Feb 15, 2022
Commit d800382
Commit cefe734
Commit 5003459
Commit 0b7e7e5
Commits on Feb 16, 2022
Commit f725b62
Commit 4a3a417
Clean up error handling in custom YAML unmarshallers

Also, add notes about the supported YAML shapes.
Commit 28f930b
Commits on Feb 17, 2022
Commit 00e29b5
Commits on Feb 18, 2022
Commit a7529b9
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Commit b1bbcb8
Commit 004b25c
Add renewable certificate generation checks (#10098)

* Add renewable certificate generation checks

  This adds a new validation check for renewable certificates that maintains a renewal counter as both a certificate extension and a user label. This counter is used to ensure only a single certificate lineage can exist: for example, if a renewable certificate is stolen, only one copy of the certificate can be renewed as the generation counter will not match.

  When renewing a certificate, first the generation counter presented by the user (via their TLS identity) is compared to a value stored with the associated user (in a new `teleport.dev/bot-generation` label field). If they aren't equal, the renewal attempt fails. Otherwise, the generation counter is incremented by 1, stored to the database using a `CompareAndSwap()` to ensure atomicity, and set on the generated certificate for use in future renewals.

* Add unit tests for the generation counter

  This adds new unit tests to exercise the generation counter checks. Additionally, it fixes two other renewable cert tests that were failing.

* Remove certRequestGeneration() function
* Emit audit event when cert generations don't match
* Fully implement `tctl bots lock`
* Show bot name in `tctl bots ls`
* Lock bots when a cert generation mismatch is found
* Make CompareFailed responses from validateGenerationLabel() more actionable
* Update lib/services/local/users.go
  Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Backend changes for tbot IoT and AWS joining (#10360)
* backend changes
* add token permission check
* pass ctx from caller
  Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* fix comment typo
  Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* use UserMetadata instead of Identity in RenewableCertificateGenerationMismatch event
* Client changes for tbot IoT joining (#10397)
* client changes
* delete replaced APIs
* delete unused tbot/auth.go
* add license header
* don't unnecessarily fetch host CA
* log fixes
* s/tunnelling/tunneling/
  Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* auth server addresses may be proxies
  Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* comment typo fix
  Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
* move *Server methods out of auth_with_roles.go (#10416)

Co-authored-by: Tim Buckley <tim@goteleport.com>
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
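The single-lineage property the commit message above describes, as an added example that is not Teleport's code. The in-memory store, the `renewableCert` type and the function names are assumptions made for the demo, and the bot is assumed to start at generation 0; the real initial value is not stated on this page. The example plays out the stolen-certificate case: the legitimate bot renews first, the thief's copy then fails the generation check and locks the bot, and the legitimate holder is locked out on its next renewal as well.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Added example modelling the generation-counter check; not Teleport's
// implementation. Store, types and names are assumptions for the demo.

var (
	errCompareFailed      = errors.New("CompareAndSwap failed: stored generation changed underneath us")
	errGenerationMismatch = errors.New("certificate generation mismatch; bot locked")
	errBotLocked          = errors.New("bot is locked")
)

// botRecord stands in for the bot user's backend record: the
// teleport.dev/bot-generation label plus a lock flag.
type botRecord struct {
	generation uint64
	locked     bool
}

// botStore is the in-memory stand-in for the backend.
type botStore struct {
	mu    sync.Mutex
	users map[string]*botRecord
}

func newBotStore() *botStore { return &botStore{users: map[string]*botRecord{}} }

// compareAndSwapGeneration advances the stored generation only if it still
// equals expected, the atomicity the commit gets from CompareAndSwap().
func (s *botStore) compareAndSwapGeneration(user string, expected, next uint64) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r := s.users[user]
	if r == nil || r.generation != expected {
		return errCompareFailed
	}
	r.generation = next
	return nil
}

// renewableCert is the minimal identity a bot presents when renewing: who it
// is and the generation extension carried in its certificate.
type renewableCert struct {
	user       string
	generation uint64
}

// renew compares the presented generation with the stored label, locks the
// bot on mismatch, and otherwise advances the counter and issues a cert that
// carries the new generation. Whichever copy of a leaked cert renews first
// becomes the only lineage that can keep renewing.
func (s *botStore) renew(c renewableCert) (renewableCert, error) {
	s.mu.Lock()
	r := s.users[c.user]
	if r == nil {
		s.mu.Unlock()
		return renewableCert{}, fmt.Errorf("unknown bot %q", c.user)
	}
	locked, stored := r.locked, r.generation
	if !locked && c.generation != stored {
		r.locked = true // a mismatch means a second lineage exists: lock the bot
	}
	s.mu.Unlock()

	switch {
	case locked:
		return renewableCert{}, errBotLocked
	case c.generation != stored:
		return renewableCert{}, errGenerationMismatch
	}
	if err := s.compareAndSwapGeneration(c.user, stored, stored+1); err != nil {
		return renewableCert{}, err
	}
	return renewableCert{user: c.user, generation: stored + 1}, nil
}

// stolenCertScenario returns the errors from three renewals: the legitimate
// bot, a thief holding a copy of the original cert, then the legitimate bot again.
func stolenCertScenario() [3]error {
	store := newBotStore()
	store.users["bot-example"] = &botRecord{generation: 0}
	initial := renewableCert{user: "bot-example", generation: 0}
	stolen := initial // attacker exfiltrated a copy of the same cert

	var errs [3]error
	var next renewableCert
	next, errs[0] = store.renew(initial) // legitimate renewal: generation 0 -> 1
	_, errs[1] = store.renew(stolen)     // thief presents generation 0: mismatch, bot locked
	_, errs[2] = store.renew(next)       // legitimate holder is now locked out too
	return errs
}

func main() {
	for i, err := range stolenCertScenario() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

The check detects a fork only after the fact and then locks both lineages, so it is an incident signal rather than a prevention: a bot that renews successfully but fails to persist the new certificate will itself present a stale generation next time and trip the lock, which is why the later commit in this PR tests that destinations are writable before renewing.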
Commit c3be5d6
Commit f004e10
Address another batch of review feedback

Add `Role.SetMetadata()`, simplify more `trace.WrapWithMessage()` calls, clear some TODOs and lints, and address other misc feedback items.
Commit 77c0803
Commit 1f946f9
Commit 587974d
Commit bd5f514
Commit 01546ec
Commit bf1cf3a
Commits on Feb 19, 2022
Commit c65c56a
Another pass of review feedback

Ensure all requestable roles exist when creating a bot, adjust the default renewable cert TTL down to 1 hour, and check types during `CompareAndSwapUser()`.
Commit 0300f52
Commits on Feb 22, 2022
Commit 73b7ba2
Merge branch 'timothyb89/tbot' into timothyb89/tbot-init

Merge note: BotKinds() now includes SSH certificates to support IoT joining.
Commit 0ad110e
Commits on Feb 23, 2022
Commit cf6406f
Commits on Feb 24, 2022
Commit 0f78580
Commit 3e0a05f
Add `symlinks` flag to tbot config

The optional symlinks flag for directory destinations allows users to opt in / out of whichever symlink attack hardening mode is selected by default.
Commit 3da96dd
Add mostly-working secure implementation of botfs.Create/Write

This adds symlink mode selection (secure, try-secure, insecure) and Linux `Create()`/`Write()` implementations to open files safely.
Commits on Mar 1, 2022
Commit f94f724
Commit 5ddfd71
Commit 37400dc
Initialize destinations at startup and test before renewal

This initializes destinations at startup (to create directories if not using `tbot init`) and tests them to ensure the bot can write _before_ attempting to renew certificates; this should prevent most accidental generation counter locks.
Commit c9fb533
Commit 4b2fa72
Commit 40f6d0b
Commits on Mar 2, 2022
Commit 9893602
Fully implement ACL Verify and Configure

- Fully implements ACL support for Linux
- Adds bot-side verification support to ensure ACLs are configured properly at runtime.
- Gracefully falls back to no ACLs if the platform / filesystem doesn't support them
- Clear up outstanding lints
Commit 048b524
Commits on Mar 3, 2022
Commit 25017b4
Show init instructions in tctl bots add

Also:
- Make --bot-user a flag in init (the tctl instructions were confusing otherwise)
- Handle IsOwnedBy sanely on unsupported platforms
- Add Bold colorizing support
Commit 7f25b5a
Commit 73bed1a
Commit b2460a4
Commit 1276661
Commit 202a97d
Actually read and write certs with symlink enforcement

Also, fix a config loading bug where CheckAndSetDefaults() wasn't being called in all cases with CLI destinations.
Commits on Mar 5, 2022
Commit b114926
Add workaround for OpenSSH permissions check with ACLs

OpenSSH has an overly-paranoid permissions check that forces key files to be exclusively owner-readable. Unfortunately, for POSIX compatibility purposes, when ACLs are set, the ACL mask is set as the group permissions. This effectively makes any ACL incompatible with OpenSSH.

However, OpenSSH's check does have an escape hatch: it only applies if the current user is the owner of the file. Therefore, this change tweaks the `tbot init` flow to create files as root, owned by a separate user (either `nobody` or even the bot user), with ACL permissions granting both the bot and reader user access to the certificates. This effectively bypasses OpenSSH's permissions check and should preserve our security boundaries.
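The two rules the commit above leans on, modelled in Go as an added example that is neither OpenSSH's nor Teleport's code. The first is POSIX.1e ACL evaluation as documented in acl(5): named-user and group entries are limited by the mask entry, and `stat(2)` reports that mask in the group triplet of `st_mode`, which is why any ACL that grants a second user access looks "group readable" to a plain mode check. The second is the OpenSSH private-key check in `authfile.c` (`sshkey_perm_ok`), which rejects a key only when the calling user owns the file and any group or other bits are set. All uids, the ACL layout and the function names are constructed for the demo; it shows that the same ACL (bot `rw`, reader `r`) is rejected by `ssh` running as the reader when the reader owns the file, but accepted when the bot or root owns it, while the reader keeps read access and everyone else has none.

```go
package main

import "fmt"

// Added example, not OpenSSH's or Teleport's code. Identities, ACL layout and
// names are constructed for the demo.

type perm uint8 // rwx triplet

const (
	permRead  perm = 4
	permWrite perm = 2
)

// acl is an extended POSIX ACL: owner entry, named users, owning-group entry,
// mask and other.
type acl struct {
	ownerUID   uint32
	ownerGID   uint32
	ownerPerm  perm
	namedUsers map[uint32]perm
	groupPerm  perm
	mask       perm
	otherPerm  perm
}

// effectivePerm applies the acl(5) algorithm for a process with uid/gid:
// owner entry (unmasked), then named user, then owning group, then other.
func (a acl) effectivePerm(uid, gid uint32) perm {
	if uid == a.ownerUID {
		return a.ownerPerm
	}
	if p, ok := a.namedUsers[uid]; ok {
		return p & a.mask
	}
	if gid == a.ownerGID {
		return a.groupPerm & a.mask
	}
	return a.otherPerm
}

// statMode is what stat(2) reports for a file carrying this ACL: the group
// triplet is the mask, not the owning group's own entry.
func (a acl) statMode() uint32 {
	return uint32(a.ownerPerm)<<6 | uint32(a.mask)<<3 | uint32(a.otherPerm)
}

// opensshKeyPermOK mirrors the condition in OpenSSH's sshkey_perm_ok():
//   if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) -> "too open"
func opensshKeyPermOK(fileUID, mode, currentUID uint32) bool {
	return !(fileUID == currentUID && mode&0o77 != 0)
}

// Constructed identities for the demo.
const (
	rootUID   uint32 = 0
	botUID    uint32 = 1001
	readerUID uint32 = 1002
	noGroup   uint32 = 65534
)

// botCertACL is the layout the commit moves `tbot init` to: the file is owned
// by owner, the bot gets rw and the reader user r through named-user entries.
func botCertACL(owner uint32) acl {
	return acl{
		ownerUID:  owner,
		ownerGID:  noGroup,
		ownerPerm: permRead | permWrite,
		namedUsers: map[uint32]perm{
			botUID:    permRead | permWrite,
			readerUID: permRead,
		},
		groupPerm: 0,
		mask:      permRead | permWrite,
		otherPerm: 0,
	}
}

// layoutResult records, for a given owner, what stat shows, who can access
// the cert, and whether ssh running as the reader accepts it as a key file.
type layoutResult struct {
	mode             uint32
	botCanWrite      bool
	readerCanRead    bool
	otherCanRead     bool
	sshAcceptsReader bool
}

func evaluateLayout(owner uint32) layoutResult {
	a := botCertACL(owner)
	return layoutResult{
		mode:             a.statMode(),
		botCanWrite:      a.effectivePerm(botUID, botUID)&permWrite != 0,
		readerCanRead:    a.effectivePerm(readerUID, readerUID)&permRead != 0,
		otherCanRead:     a.effectivePerm(4242, 4242)&permRead != 0,
		sshAcceptsReader: opensshKeyPermOK(owner, a.statMode(), readerUID),
	}
}

func main() {
	for _, owner := range []uint32{readerUID, botUID, rootUID} {
		r := evaluateLayout(owner)
		fmt.Printf("owner=%d mode=%04o bot-write=%v reader-read=%v other-read=%v ssh-as-reader-ok=%v\n",
			owner, r.mode, r.botCanWrite, r.readerCanRead, r.otherCanRead, r.sshAcceptsReader)
	}
}
```

On a real Linux host the same two facts are visible with `ls -l` (the `+` after the mode and the group bits equal to the mask) and `getfacl` (the `mask::` line); the model above only makes the interaction explicit so the choice of file owner can be reasoned about before running `tbot init`.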
Commits on Mar 7, 2022
Commit 24d066f
Commit 6b9223f
Commit 8a8d656
Commit 3d55e48
Commit 5ac9aa2
Commit 7a96daa
Commit 126162d
Commit 1994858
Commits on Mar 8, 2022
Commit 9bb139e
Commit ca974b8
- Rename ACLOn -> ACLRequired
- Simplify fs_linux.Read()
- Add missing fs_other.Read()
- Hoist renewal loop logic into its own function
- A few misc bugfixes
Commit 8855518
Apply suggestions from code review

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Commit 38c9fcb
- Only log syscall warning once
- Formatting and wording changes
- Improve error handling for `--clean`
Commits on Mar 9, 2022
Commit af1908a
Commits on Mar 10, 2022
Commit d9f8ed1
Commit 26f8fc9
Commit 19dc449
Commit 33afc77
Use the bot user as default owner

This is more likely to be a safe owner choice than `nobody:nobody`.
Commit 42aee8a
Apply suggestions from code review

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Commit e416fdb
Commit 8bb8a5c
Commit e76777c