Merge branch 'branch/v15' into bot/backport-40172-branch/v15
oshati authored Jun 20, 2024
2 parents 7ee6762 + 48ae542 commit a36dbd7
Showing 13 changed files with 82 additions and 52 deletions.
11 changes: 2 additions & 9 deletions Cargo.lock


3 changes: 3 additions & 0 deletions assets/aws/files/system/teleport-acm.service
Expand Up @@ -15,3 +15,6 @@ ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --diag-addr=
ExecReload=/bin/sh -c "exec pkill -HUP -L -F /run/teleport/teleport.pid"
PIDFile=/run/teleport/teleport.pid
LimitNOFILE=524288

[Install]
WantedBy=multi-user.target
14 changes: 14 additions & 0 deletions docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
Expand Up @@ -677,6 +677,8 @@ $ aws route53 get-change --id "${CHANGEID?}" | jq '.ChangeInfo.Status'
Create a user to be able to log into Teleport. This needs to be done on the Teleport auth server,
so we can run the command using `kubectl`:

<Tabs>
<TabItem scope={["oss"]} label="Teleport Community Edition">
```code
$ kubectl --namespace <Var name="namespace" /> exec deploy/<Var name="release-name" />-auth -- tctl users add test --roles=access,editor
Expand All @@ -685,6 +687,18 @@ https://teleport.example.com:443/web/invite/91cfbd08bc89122275006e48b516cc68
NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users can access.
```
</TabItem>
<TabItem scope={["enterprise", "cloud"]} label="Commercial">
```code
$ kubectl --namespace <Var name="namespace" /> exec deploy/<Var name="release-name" />-auth -- tctl users add test --roles=access,editor,reviewer
User "test" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://teleport.example.com:443/web/invite/91cfbd08bc89122275006e48b516cc68
NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users can access.
```
</TabItem>
</Tabs>

Load the user creation link to create a password and set up multi-factor authentication for the Teleport user via the web UI.

2 changes: 1 addition & 1 deletion examples/chart/event-handler/README.md
Expand Up @@ -4,7 +4,7 @@ This chart sets up and configures a Deployment for the Event Handler plugin.

## Installation

See the [Access Requests with Slack guide](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/).
See the [Export Events with FluentD Guide](https://goteleport.com/docs/management/export-audit-events/fluentd/).

## Settings

26 changes: 12 additions & 14 deletions lib/client/api.go
Expand Up @@ -77,8 +77,6 @@ import (
"github.com/gravitational/teleport/lib/client/terminal"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/devicetrust"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/events"
kubeutils "github.com/gravitational/teleport/lib/kube/utils"
"github.com/gravitational/teleport/lib/modules"
Expand Down Expand Up @@ -463,20 +461,20 @@ type Config struct {
// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
PROXYSigner multiplexer.PROXYHeaderSigner

// DTAuthnRunCeremony allows tests to override the default device
// authentication function.
// Defaults to "dtauthn.NewCeremony().Run()".
// DTAuthnRunCeremony is the device authentication function to execute
// during device login ceremonies. If not provided and device trust is
// required, then the device login will fail.
DTAuthnRunCeremony DTAuthnRunCeremonyFunc

// dtAttemptLoginIgnorePing and dtAutoEnrollIgnorePing allow Device Trust
// tests to ignore Ping responses.
// Useful to force flows that only typically happen on Teleport Enterprise.
dtAttemptLoginIgnorePing, dtAutoEnrollIgnorePing bool

// dtAutoEnroll allows tests to override the default device auto-enroll
// function.
// Defaults to [dtenroll.AutoEnroll].
dtAutoEnroll dtAutoEnrollFunc
// DTAutoEnroll is the device auto-enroll function to execute during
// device enrollment. If not provided and device trust auto-enrollment
// is enabled, then the enrollment process will fail.
DTAutoEnroll DTAutoEnrollFunc

// WebauthnLogin allows tests to override the Webauthn Login func.
// Defaults to [wancli.Login].
Expand Down Expand Up @@ -1069,8 +1067,8 @@ func (c *Config) ResourceFilter(kind string) *proto.ListResourcesRequest {
// DTAuthnRunCeremonyFunc matches the signature of [dtauthn.Ceremony.Run].
type DTAuthnRunCeremonyFunc func(context.Context, devicepb.DeviceTrustServiceClient, *devicepb.UserCertificates) (*devicepb.UserCertificates, error)

// dtAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
type dtAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)
// DTAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
type DTAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)

// TeleportClient is a wrapper around SSH client with teleport specific
// workflow built in.
Expand Down Expand Up @@ -3735,7 +3733,7 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
// Allow tests to override the default authn function.
runCeremony := tc.DTAuthnRunCeremony
if runCeremony == nil {
runCeremony = dtauthn.NewCeremony().Run
return nil, trace.BadParameter("device authentication not enabled")
}

// Login without a previous auto-enroll attempt.
Expand All @@ -3756,9 +3754,9 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
return nil, trace.Wrap(loginErr) // err swallowed for loginErr
}

autoEnroll := tc.dtAutoEnroll
autoEnroll := tc.DTAutoEnroll
if autoEnroll == nil {
autoEnroll = dtenroll.AutoEnroll
return nil, trace.BadParameter("device auto enrollment not enabled")
}

// Auto-enroll and Login again.
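Review bot: In the second DeviceLogin hunk, the new `autoEnroll == nil` branch returns `trace.BadParameter("device auto enrollment not enabled")` and discards `loginErr`, which still holds the reason the first login attempt failed (the `trace.Wrap(loginErr)` return two lines above shows it is in scope), so a caller that injected DTAuthnRunCeremony but not DTAutoEnroll sees only a generic "not enabled" message and loses the actual failure. Suggest `return nil, trace.NewAggregate(trace.BadParameter("device auto enrollment not enabled"), loginErr)` so both surface. In the first DeviceLogin hunk the comment `// Allow tests to override the default authn function.` above `runCeremony := tc.DTAuthnRunCeremony` is now stale, since lib/client no longer ships a default; `// DTAuthnRunCeremony must be injected by the caller (tsh, teleterm); there is no in-package default.` matches the new behavior. The doc comments on DTAuthnRunCeremonyFunc and DTAutoEnrollFunc still link `[dtauthn.Ceremony.Run]` and `[dtenroll.AutoEnroll]` even though those imports were removed from this file, so the doc links no longer resolve. DeviceLogin starts and ends outside the hunks.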
4 changes: 2 additions & 2 deletions lib/client/export_test.go
Expand Up @@ -32,6 +32,6 @@ func (tc *TeleportClient) SetDTAuthnRunCeremony(fn DTAuthnRunCeremonyFunc) {
tc.DTAuthnRunCeremony = fn
}

func (tc *TeleportClient) SetDTAutoEnroll(fn dtAutoEnrollFunc) {
tc.dtAutoEnroll = fn
func (tc *TeleportClient) SetDTAutoEnroll(fn DTAutoEnrollFunc) {
tc.DTAutoEnroll = fn
}
4 changes: 4 additions & 0 deletions lib/teleterm/clusters/storage.go
Expand Up @@ -27,6 +27,8 @@ import (

"github.com/gravitational/teleport/api/profile"
"github.com/gravitational/teleport/lib/client"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/teleterm/api/uri"
)

Expand Down Expand Up @@ -285,6 +287,8 @@ func (s *Storage) makeDefaultClientConfig() *client.Config {
// true.
cfg.AllowStdinHijack = true

cfg.DTAuthnRunCeremony = dtauthn.NewCeremony().Run
cfg.DTAutoEnroll = dtenroll.AutoEnroll
return cfg
}

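Review bot: The two new assignments at the end of makeDefaultClientConfig carry no comment, yet they are now what keeps device login working for teleterm: lib/client's DeviceLogin returns BadParameter when either func is nil, so a future edit that drops one of these lines silently disables device trust for this caller. Suggest a comment above them such as `// lib/client ships no device trust defaults; DeviceLogin fails with BadParameter unless both funcs are set.` The same two-line default is duplicated in Run in tool/tsh/common/tsh.go, so a one-line cross-reference to the other site in each place would help keep them in step. makeDefaultClientConfig starts outside the hunk.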
23 changes: 10 additions & 13 deletions lib/web/scripts/oneoff/oneoff.sh
Expand Up @@ -5,14 +5,16 @@ cdnBaseURL='{{.CDNBaseURL}}'
teleportVersion='{{.TeleportVersion}}'
teleportFlavor='{{.TeleportFlavor}}' # teleport or teleport-ent
successMessage='{{.SuccessMessage}}'
teleportArgs='{{.TeleportArgs}}'

# shellcheck disable=all
tempDir=$({{.BinMktemp}} -d)
# Use $HOME or / as base dir
tempDir=$({{.BinMktemp}} -d -p ${HOME:-}/)
OS=$({{.BinUname}} -s)
ARCH=$({{.BinUname}} -m)
# shellcheck enable=all

teleportArgs='{{.TeleportArgs}}'
trap 'rm -rf -- "$tempDir"' EXIT

teleportTarballName() {
if [ ${OS} = "Darwin" ]; then
Expand All @@ -36,19 +38,14 @@ teleportTarballName() {
}

main() {
cd $tempDir

tarballName=$(teleportTarballName)
curl --show-error --fail --location --remote-name ${cdnBaseURL}/${tarballName}
echo "Extracting teleport to $tempDir ..."
tar -xzf ${tarballName}

mkdir -p ./bin
mv ./${teleportFlavor}/teleport ./bin/teleport
echo "> ./bin/teleport ${teleportArgs} $@"
./bin/teleport ${teleportArgs} $@ && echo $successMessage
echo "Downloading from ${cdnBaseURL}/${tarballName} and extracting teleport to ${tempDir} ..."
curl --show-error --fail --location ${cdnBaseURL}/${tarballName} | tar xzf - -C ${tempDir} ${teleportFlavor}/teleport

cd -
mkdir -p ${tempDir}/bin
mv ${tempDir}/${teleportFlavor}/teleport ${tempDir}/bin/teleport
echo "> ${tempDir}/bin/teleport ${teleportArgs} $@"
${tempDir}/bin/teleport ${teleportArgs} $@ && echo $successMessage
}

main $@
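Review bot: The new mktemp line `tempDir=$({{.BinMktemp}} -d -p ${HOME:-}/)` and the tar, mkdir, mv and exec lines in main expand `${HOME}` and `${tempDir}` unquoted; now that the base directory comes from the user's HOME instead of the system temp dir, a path containing spaces or glob characters breaks extraction and execution (the trap already quotes `"$tempDir"`), and the `shellcheck disable=all` region hides the SC2086 warning for the mktemp line. Quoting the expansions as below fixes this; `${teleportArgs}` is left unquoted because the template relies on word splitting there. The `curl ... | tar xzf -` pipeline only reports a curl failure through tar's exit status unless the script's preamble (outside this hunk) enables pipefail, so a failed or truncated download may only be noticed at the later mv. As I read the BSD mktemp man page, `-p` is a fallback used only when TMPDIR is unset, so the HOME base may not take effect on Darwin, which teleportTarballName explicitly supports — worth checking.
```shell
tempDir=$({{.BinMktemp}} -d -p "${HOME:-}/")
# … unchanged: OS/ARCH detection, trap, teleportTarballName …
main() {
    tarballName=$(teleportTarballName)
    echo "Downloading from ${cdnBaseURL}/${tarballName} and extracting teleport to ${tempDir} ..."
    curl --show-error --fail --location "${cdnBaseURL}/${tarballName}" | tar xzf - -C "${tempDir}" "${teleportFlavor}/teleport"

    mkdir -p "${tempDir}/bin"
    mv "${tempDir}/${teleportFlavor}/teleport" "${tempDir}/bin/teleport"
    echo "> ${tempDir}/bin/teleport ${teleportArgs} $@"
    "${tempDir}/bin/teleport" ${teleportArgs} "$@" && echo "$successMessage"
}
```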
26 changes: 18 additions & 8 deletions lib/web/scripts/oneoff/oneoff_test.go
Expand Up @@ -42,6 +42,10 @@ func TestOneOffScript(t *testing.T) {
teleportVersionOutput := "Teleport v13.1.0 git:api/v13.1.0-0-gd83ec74 go1.20.4"
scriptName := "oneoff.sh"

homeDir, err := os.UserHomeDir()
require.NoError(t, err)
homeDir = homeDir + "/"

unameMock, err := bintest.NewMock("uname")
require.NoError(t, err)
defer func() {
Expand Down Expand Up @@ -96,7 +100,7 @@ func TestOneOffScript(t *testing.T) {

unameMock.Expect("-s").AndWriteToStdout("Linux")
unameMock.Expect("-m").AndWriteToStdout("x86_64")
mktempMock.Expect("-d").AndWriteToStdout(testWorkingDir)
mktempMock.Expect("-d", "-p", homeDir).AndWriteToStdout(testWorkingDir)
teleportMock.Expect("version").AndWriteToStdout(teleportVersionOutput)

err = os.WriteFile(scriptLocation, []byte(script), 0700)
Expand All @@ -112,9 +116,12 @@ func TestOneOffScript(t *testing.T) {
require.True(t, mktempMock.Check(t))
require.True(t, teleportMock.Check(t))

require.Contains(t, string(out), "> ./bin/teleport version")
require.Contains(t, string(out), "teleport version")
require.Contains(t, string(out), teleportVersionOutput)
require.Contains(t, string(out), "Test was a success.")

// Script should remove the temporary directory.
require.NoDirExists(t, testWorkingDir)
})

t.Run("command can be executed with extra arguments", func(t *testing.T) {
Expand Down Expand Up @@ -151,7 +158,7 @@ func TestOneOffScript(t *testing.T) {

unameMock.Expect("-s").AndWriteToStdout("Linux")
unameMock.Expect("-m").AndWriteToStdout("x86_64")
mktempMock.Expect("-d").AndWriteToStdout(testWorkingDir)
mktempMock.Expect("-d", "-p", homeDir).AndWriteToStdout(testWorkingDir)
teleportMock.Expect("help", "start").AndWriteToStdout(teleportHelpStart)

err = os.WriteFile(scriptLocation, []byte(script), 0700)
Expand All @@ -167,9 +174,12 @@ func TestOneOffScript(t *testing.T) {
require.True(t, mktempMock.Check(t))
require.True(t, teleportMock.Check(t))

require.Contains(t, string(out), "> ./bin/teleport help start")
require.Contains(t, string(out), "/bin/teleport help start")
require.Contains(t, string(out), teleportHelpStart)
require.Contains(t, string(out), "Test was a success.")

// Script should remove the temporary directory.
require.NoDirExists(t, testWorkingDir)
})

t.Run("invalid OS", func(t *testing.T) {
Expand All @@ -179,7 +189,7 @@ func TestOneOffScript(t *testing.T) {

unameMock.Expect("-s").AndWriteToStdout("Windows")
unameMock.Expect("-m").AndWriteToStdout("x86_64")
mktempMock.Expect("-d").AndWriteToStdout(testWorkingDir)
mktempMock.Expect("-d", "-p", homeDir).AndWriteToStdout(testWorkingDir)

err = os.WriteFile(scriptLocation, []byte(script), 0700)
require.NoError(t, err)
Expand All @@ -199,7 +209,7 @@ func TestOneOffScript(t *testing.T) {

unameMock.Expect("-s").AndWriteToStdout("Linux")
unameMock.Expect("-m").AndWriteToStdout("apple-silicon")
mktempMock.Expect("-d").AndWriteToStdout(testWorkingDir)
mktempMock.Expect("-d", "-p", homeDir).AndWriteToStdout(testWorkingDir)

err = os.WriteFile(scriptLocation, []byte(script), 0700)
require.NoError(t, err)
Expand Down Expand Up @@ -261,7 +271,7 @@ func TestOneOffScript(t *testing.T) {

unameMock.Expect("-s").AndWriteToStdout("Linux")
unameMock.Expect("-m").AndWriteToStdout("x86_64")
mktempMock.Expect("-d").AndWriteToStdout(testWorkingDir)
mktempMock.Expect("-d", "-p", homeDir).AndWriteToStdout(testWorkingDir)
teleportMock.Expect("version").AndWriteToStdout(teleportVersionOutput)

err = os.WriteFile(scriptLocation, []byte(script), 0700)
Expand All @@ -277,7 +287,7 @@ func TestOneOffScript(t *testing.T) {
require.True(t, mktempMock.Check(t))
require.True(t, teleportMock.Check(t))

require.Contains(t, string(out), "> ./bin/teleport version")
require.Contains(t, string(out), "/bin/teleport version")
require.Contains(t, string(out), teleportVersionOutput)
require.Contains(t, string(out), "Test was a success.")
})
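Review bot: The assertion `require.Contains(t, string(out), "teleport version")` in the first subtest is looser than its siblings, which check `"/bin/teleport help start"` and `"/bin/teleport version"`; `"teleport version"` is satisfied by any output that merely mentions the command, so `require.Contains(t, string(out), "/bin/teleport version")` keeps the three consistent and still proves the binary was run from the temp dir. The `homeDir + "/"` expectation mirrors the script's literal `${HOME:-}/` argument, which is fine on Linux and macOS but means the mktemp mocks depend on HOME being set in the test environment; a short comment next to `homeDir = homeDir + "/"` saying it must match the script's argument byte for byte would save the next reader a trip to oneoff.sh. TestOneOffScript starts and ends outside the hunks.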
14 changes: 12 additions & 2 deletions tool/tsh/common/tsh.go
Expand Up @@ -77,6 +77,8 @@ import (
dbprofile "github.com/gravitational/teleport/lib/client/db"
"github.com/gravitational/teleport/lib/client/identityfile"
"github.com/gravitational/teleport/lib/defaults"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/kube/kubeconfig"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/observability/tracing"
Expand Down Expand Up @@ -522,6 +524,11 @@ type CLIConf struct {
// Defaults to [dtauthn.NewCeremony().Run].
DTAuthnRunCeremony client.DTAuthnRunCeremonyFunc

// DTAutoEnroll allows tests to override the default device
// auto-enroll function.
// Defaults to [dtenroll.AutoEnroll].
DTAutoEnroll client.DTAutoEnrollFunc

// WebauthnLogin allows tests to override the Webauthn Login func.
// Defaults to [wancli.Login].
WebauthnLogin client.WebauthnLoginFunc
Expand Down Expand Up @@ -680,8 +687,10 @@ func initLogger(cf *CLIConf) {
// DO NOT RUN TESTS that call Run() in parallel (unless you taken precautions).
func Run(ctx context.Context, args []string, opts ...CliOption) error {
cf := CLIConf{
Context: ctx,
TracingProvider: tracing.NoopProvider(),
Context: ctx,
TracingProvider: tracing.NoopProvider(),
DTAuthnRunCeremony: dtauthn.NewCeremony().Run,
DTAutoEnroll: dtenroll.AutoEnroll,
}

// run early to enable debug logging if env var is set.
Expand Down Expand Up @@ -4028,6 +4037,7 @@ func loadClientConfigFromCLIConf(cf *CLIConf, proxy string) (*client.Config, err
c.MockSSOLogin = cf.MockSSOLogin
c.MockHeadlessLogin = cf.MockHeadlessLogin
c.DTAuthnRunCeremony = cf.DTAuthnRunCeremony
c.DTAutoEnroll = cf.DTAutoEnroll
c.WebauthnLogin = cf.WebauthnLogin

// pass along MySQL/Postgres path overrides (only used in tests).
1 change: 1 addition & 0 deletions web/packages/build/package.json
Expand Up @@ -46,6 +46,7 @@
"@testing-library/jest-dom": "^6.1.5",
"@testing-library/react": "^14.1.2",
"@testing-library/user-event": "^14.5.1",
"@types/google-protobuf": "^3.10.0",
"@types/jest": "^29.5.10",
"@types/jsdom": "^21.1.6",
"@types/node": "^20.14.2",
5 changes: 3 additions & 2 deletions web/packages/teleport/src/Users/UserAddEdit/UserAddEdit.tsx
Expand Up @@ -75,7 +75,8 @@ export function UserAddEdit(props: ReturnType<typeof useDialog>) {
dialogCss={() => ({
maxWidth: '700px',
width: '100%',
height: '70%',
height: '100%',
maxHeight: '600px',
})}
disableEscapeKeyDown={false}
onClose={onClose}
Expand All @@ -84,7 +85,7 @@ export function UserAddEdit(props: ReturnType<typeof useDialog>) {
<DialogHeader>
<DialogTitle>{isNew ? 'Create User' : 'Edit User'}</DialogTitle>
</DialogHeader>
<DialogContent maxHeight={620} overflow={'auto'}>
<DialogContent overflow={'auto'}>
{attempt.status === 'failed' && (
<Alert kind="danger" children={attempt.statusText} />
)}
1 change: 0 additions & 1 deletion web/packages/teleterm/package.json
Expand Up @@ -39,7 +39,6 @@
"@protobuf-ts/grpc-transport": "^2.9.3",
"@protobuf-ts/runtime": "^2.9.3",
"@protobuf-ts/runtime-rpc": "^2.9.3",
"@types/google-protobuf": "^3.10.0",
"@types/node-forge": "^1.0.4",
"@types/tar-fs": "^2.0.1",
"@types/whatwg-url": "^11.0.1",
