[pull] master from gravitational:master #5

Merged
merged 5,927 commits into from
Jun 30, 2024

Conversation

pull[bot]

@pull pull bot commented Dec 20, 2022

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull bot added the ⤵️ pull label Dec 20, 2022
gzdunek and others added 29 commits June 11, 2024 11:20
* Add support for per-session MFA in databases by using the cert returned from `onExpiredCert`

* Remove test helpers that are not needed anymore

* Add integration tests requiring per-session MFA to be supported

* Make `Application` in `MFA is required to access Application "abc"` lowercase

* Refactor `DBCertChecker` to fit Connect needs and remove `dbMiddleware`

* Remove unnecessary condition in a test

* Convert positional arguments to `dbGatewayCertRenewalParams`

* Do not nest the function to issue a db cert

* Remove mongodb check from `reissueDBCert` in tshd

* Revert "Do not nest the function to issue a db cert"

This reverts commit c3a9bf2.

* Revert "Refactor `DBCertChecker` to fit Connect needs and remove `dbMiddleware`"

This reverts commit e018610.
* Skeleton out SSHProxyService

* Skeleton out actual service implementation

* Simple unit tests for yaml/validation

* Add main config file unit test

* Crudely copy in the connection handle code

* Copy in basic setup code

* Add rudimentary "dial cycler"

* Tidy up handling of listener closure

* Add basic prometheus metrics

* Add ssh proxy command connect

* Fix crashes

* Make session resumption enabled by default

* Use `utils.ProxyConn`

* Last few changes before I convert to socks5

* Rename socket

* Add support for loading proxy templates

* Tidy up logging

* rename to multiplexer

* Fix up a few bits

* Generate artifacts on initial start

* Support specifying command and subcommand

* Add identity generation and renewal to ssh multiplexer

* Tidy up code post-identity generation

* Tidy up logging for connection multiplexing/proxying

* Americanize spellings

* Info( -> InfoContext(

* stash

* Replace low-level cycler with higher-level but broken cycler

* Remove reference to grpcClientConnInterfaceCloser

* minor tweaks and fixes to the cycler

* Fix lone tab in the ssh_config template

* Better metrics

* Fix ineff assign

* Simplify config for custom muxcommand

* Start writing test

* Fix broken fdpass

* Potentially flaky but working test

* Switch to NULL delimited

* Tidy up tests

* Remove commented out code

* Drain buffer after the conn resumption has been enabled

* Change socket name to `v1.sock`

* Switch away from JSON

* Switch to ProxyCommand style config for overrides

* Switch to `filepath`

* Update lib/tbot/service_ssh_multiplexer.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Update lib/tbot/ssh/ssh.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Update lib/tbot/service_ssh_multiplexer.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Absolute paths

* Remove unused dep

* Update lib/tbot/service_ssh_multiplexer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/tbot/ssh/ssh.go

Co-authored-by: Tim Buckley <tim@goteleport.com>

* Drain buffer as part of proxying goroutine

* Fix missing godoc

* Missing godoc

* Add test for connection cycler

* Update lib/tbot/service_ssh_multiplexer.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Simpler buffer draining

* Fix race in test

* More generous timeouts

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Tim Buckley <tim@goteleport.com>
* Add `AvailableResourceMode` to the updated preferences in the handler

* Improve the preferences parser to handle missing properties,
as well as the entire object being undefined

* Add support for resource availability switcher

* Show requestable resources only if the cluster supports access requests

* Return an object with `searchAsRoles` and `includeRequestable`
Co-authored-by: GitHub <noreply@github.com>
* requiredAll rule that wraps multiple input validation rule

* prettier-write
* chore: Bump google.golang.org/protobuf to v1.34.2

* Update generated protos
Failed uploads could get in an infinite backoff of 10s instead of
linearly backing off as intended. Due to the asynchronous nature
of launching uploads by `(Uploader) Scan`, it could return without
an error which resulted in resetting the backoff to its initial
value even if previous failed uploads had incremented the backoff.
To avoid this, resetting the backoff delay was modified to only
occur if an upload completed successfully.

Additionally error messaging was attempted to be improved. Any errors
caused by the stream being terminated should now be returned instead
of a vague message.
* docs: Update role reference to be more inclusive to v7

We previously mentioned `v4`, `v5` and `v6` as special cases, but my understanding is that this is now true across the board for role versions `v4`+ in most cases.

* Further clarification on number of roles

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* docs: Add WinSCP troubleshooting step and tsh.exe path advice

* Other tsh.exe locations

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Update suggested PATH and use ordered list

* Use SystemRoot instead of WINDIR and flip order

* Update admonition

* Update install-tsh.mdx

* Update putty-winscp.mdx

* Spelling error

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Fix panic in app dialing

#35501 incorrectly
checked the length on the local servers variable instead of
`t.c.servers` which could lead to panics like the one below.

```text
panic: runtime error: slice bounds out of range [1:0]
goroutine 6558252 [running]:
github.com/gravitational/teleport/lib/web/app.(*transport).DialContext(0xc00296d5f0, {0xae8bbd8, 0xc002596a20}, {0x42c525?, 0xc001dc4d80?}, {0x120?, 0x118?})
    github.com/gravitational/teleport/lib/web/app/transport.go:264 +0x5dc
net/http.(*Transport).dial(0xc002596a20?, {0xae8bbd8?, 0xc002596a20?}, {0x92ff0a2?, 0x4e4fc13?}, {0xc000b8dfc0?, 0xc00226f000?})
    net/http/transport.go:1183 +0xd2
net/http.(*Transport).dialConn(0xc002f9cb40, {0xae8bbd8, 0xc002596a20}, {{}, 0x0, {0x9301a85, 0x5}, {0xc000b8dfc0, 0x1a}, 0x0})
    net/http/transport.go:1625 +0x7e8
net/http.(*Transport).dialConnFor(0xae8bc10?, 0xc003340370)
    net/http/transport.go:1467 +0x9f
created by net/http.(*Transport).queueForDial in goroutine 6562349
    net/http/transport.go:1436 +0x3cb
```

* prevent modifying servers if changed
)

* Avoid potential deadlock in athenaevents consumer

* Better HTTP client behavior in athena consumer

* Better HTTP client behavior in s3sessions

* Undo unintended change to the number of workers
…2012)

* AWS OIDC: Remove App Server that uses the integration credentials

Users can enable the AWS App Access using the Integration credentials.
We are also creating a way for them to disable this access.

* change url placeholders
* Fixes DocumentNodes.story.tsx and corresponding test (hopefully)

* eliminate fetchNodes and fetchClusters in favor of calling services directly
This PR adds token support to the web ACL. This will be used to
conditionally render the join tokens page similar to other features. It
also adds the api route/path route for the tokens feature but neither
will be used yet
* Web: export decodeUrlQueryParam function

* Pull out decodeUrlQueryParam into own file
)

The limits on these endpoints can cause issues with legitimate use
cases trying to establish large numbers of connections from a single
host (i.e. Ansible Tower). Extending the limits would likely result
in a bar that constantly needs to be raised as clusters with this
workflow become larger. Instead the limits were removed entirely.
We will create a new package that installs teleport in the local system.
In order to do so, we'll need to read `/etc/os-release`.
This PR adds the required fields for detecting the distro if it is based
on a popular distro.
* Switch ssh-multiplexer to use ssh agent for authentication

* Update test to use agent to connect

* Provide agent for compat with proxy recording mode

* Update goldenfiles
Co-authored-by: edward <edward@edwards-MacBook-Pro.local>
…D SSH (#42822)

* Use UnifiedResources API when resolving proxy templates

* Use magic helper function

* Fix missing SortBy
* Crown Jewel fixes

* Allow passing multiple resource names as crown jewel
* Rename requests fields
* Add kind validation

* GCI
The program is now invite-only, so the link will 404 for most users.
nklaassen and others added 28 commits June 26, 2024 19:24
* support ECDSA JWTs

* update example validation program

* fix lint

* update suites to use ECDSA for CA JWT keys
…3558)

* Web: fix discover user update error

* Address CRs
…ver enrollment in the Teleport cloud. (#43370)

* Fix getting initial version for installation kube agent for EKS Discover enrollment in the Teleport cloud.

* Use default channel instead of cloud default channel.
There is nothing that consumes or requires the randomly generated
login applied to the preset auditor role, and nothing that prevents
a user from removing it. This login was determined to be vestigial
and serve no purpose anymore.

Closes #25840
* Puts more focus on U.X. in the RFD

* Some tweaks

* Update header

* Update rfd/0000-rfds.md

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Update rfd/0000-rfds.md

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Update rfd/0000-rfds.md

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Update rfd/0000-rfds.md

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* configurable algorithms for proxy to database agent certs

* rfd edit

* use v1 suite in test

* fix typo

* fix bad merge
* rfd: database session playback

* rfd: update required approvers

* rfd: remove storing query results

* rfd: review suggestions

* rfd: web ui information
* Add a FieldCheckbox component

Also use it wherever applicable

* Remove old CheckboxInput and rename StyledCheckbox

* Remove the old StyledCheckbox type alias

* Add licenses
* Enable access monitoring rules for mattermost plugin

* Add test for mattermost AMR creation

* Remove unused const in mattermost test

---------

Co-authored-by: edward <edward@edwards-MacBook-Pro.local>
…xy kube. (#43374)

* Fix wrong context usage for reissuing expired certificate for tsh proxy kube.

* Rename context to closeContext

* Add test for request context expiration.

* Add missing context in tests.

* Remove flakiness from the test.
* Initial proposal for RFD-0173

* Clearer persona definition

* typos

* Apply suggestions from code review

Co-authored-by: Brian Joerger <bjoerger@goteleport.com>

* Address Noah's and Brian's first review

* fixup! Address Noah's and Brian's first review

* emphasis on the security improvements

* Onboarding -> tctl helper

* Apply Roman's feedback

---------

Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
Closes #16433

- The Installation page is far more visible than the Teleport Cloud
  Downloads page, so it makes sense to fold all of the information
  related to installing Teleport binaries for managed Teleport
  Enterprise users into the Installation page.
- We are moving away from including a "Choose an Edition" section that
  treats Community Edition and the two Teleport Enterprise editions
  as separate options. Instead, we want to encourage users to move from
  OSS (personal use) to managed Enterprise and self-host in special
  circumstances. As a result, it makes sense to include a single
  Installation guide for all users.
Okta is not an acronym
- Cloud entitlements are now available on Features
- Legacy logic applies if entitlements are not present
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: David Quartarolo <david.quartarolo@gmail.com>
Co-authored-by: Gus Luxton <gus@goteleport.com>
This PR enhances teleport's intelligence by no longer assuming the cluster domain is `cluster.local`. Since many clusters use a non-default cluster domain, this assumption can disrupt app discovery access.

Fixes #39007

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Start hacking on multicluster support for ssh multiplexer

* Support specifying cluster name via multiplexing request

* Generate known_hosts and ssh_config with multiple clusters

* Remove unnecessary parameter

* Test for specified and unspecified cluster name

* Clarify comment
* Add apparmor profile for Connect

* Run profile through apparmor_parser before copying it
* docs: include sts.amazonaws.com in troubleshooting

* docs: update verbiage on connection failure
Update to dfbe947e5b9bd2da06f1e14620ee4d68bca4252f in order to
fix an unhandled keyboard PDU error.
@pull pull bot merged commit 921884f into makesoftwaresafe:master Jun 30, 2024
@pull pull bot deployed to update-docs June 30, 2024 03:52 Active