From b03d06e910d5a045b1614fe1fbf636b3e7811091 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Wed, 23 Oct 2024 18:03:11 +0100 Subject: [PATCH 1/9] [entraid] add setup script for offline clusters. This PR adds a cli configuration for Entra ID where it's possible to default to system credentials instead of relying on OIDC for authentication in EntraID. OIDC is not always a possibility specially when the cluster is private and not internet acessible. The UX is the following: ```text Step 1: Run the Setup Script 1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility. 2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar. 3. Once uploaded, execute the script by running the following command: $ bash entraid.sh **Important Considerations**: - You must have **Azure privileged administrator permissions** to complete the integration. - Ensure you're using the **Bash** environment in Cloud Shell. - During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials. - **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. Once the script completes, type 'continue' to proceed, 'exit' to quit: continue Step 2: Input Tenant ID and Client ID With the output of Step 1, please copy and paste the following information: Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79 Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79 Successfully created EntraID plugin "name". ``` Signed-off-by: Tiago Silva --- lib/config/configuration.go | 3 + lib/integrations/azureoidc/enterprise_app.go | 10 +- tool/tctl/common/plugin/entraid.go | 403 ++++++++++++++++++ tool/tctl/common/plugin/plugins_command.go | 18 +- .../common/plugin/plugins_command_test.go | 22 +- tool/teleport/common/integration_configure.go | 2 +- tool/teleport/common/teleport.go | 1 + 7 files changed, 450 insertions(+), 9 deletions(-) create mode 100644 tool/tctl/common/plugin/entraid.go diff --git a/lib/config/configuration.go b/lib/config/configuration.go index 0f23047f64f74..5b7cdd96f491c 100644 --- a/lib/config/configuration.go +++ b/lib/config/configuration.go @@ -297,6 +297,9 @@ type IntegrationConfAzureOIDC struct { // When this is true, the integration script will produce // a cache file necessary for TAG synchronization. AccessGraphEnabled bool + + // SkipOIDCConfiguration is a flag indicating that OIDC configuration should be skipped. + SkipOIDCConfiguration bool } // IntegrationConfDeployServiceIAM contains the arguments of diff --git a/lib/integrations/azureoidc/enterprise_app.go b/lib/integrations/azureoidc/enterprise_app.go index e159470d0bb39..e7de09225ec58 100644 --- a/lib/integrations/azureoidc/enterprise_app.go +++ b/lib/integrations/azureoidc/enterprise_app.go @@ -52,7 +52,7 @@ var appRoles = []string{ // - Provides Teleport with OIDC authentication to Azure // - Is given the permissions to access certain Microsoft Graph API endpoints for this tenant. // - Provides SSO to the Teleport cluster via SAML. -func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string) (string, string, error) { +func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string, skipOIDCSetup bool) (string, string, error) { var appID, tenantID string tenantID, err := getTenantID() @@ -120,8 +120,12 @@ func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnect } } - if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil { - return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential") + // Skip OIDC setup if requested. + // This is useful for clusters that can't use OIDC because they are not reachable from the public internet. + if !skipOIDCSetup { + if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil { + return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential") + } } acsURL, err := url.Parse(proxyPublicAddr) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go new file mode 100644 index 0000000000000..040bbbaacade0 --- /dev/null +++ b/tool/tctl/common/plugin/entraid.go @@ -0,0 +1,403 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package plugin + +import ( + "bufio" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "os" + "path/filepath" + "strings" + + "github.com/alecthomas/kingpin/v2" + "github.com/google/safetext/shsprintf" + "github.com/google/uuid" + "github.com/gravitational/trace" + + pluginspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1" + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/e/lib/entraid" + "github.com/gravitational/teleport/lib/integrations/azureoidc" + "github.com/gravitational/teleport/lib/utils/oidc" + "github.com/gravitational/teleport/lib/web/scripts/oneoff" +) + +type entraArgs struct { + cmd *kingpin.CmdClause + authConnectorName string + defaultOwners []string + useSystemCredentials bool + accessGraph bool + force bool +} + +func (p *PluginsCommand) initInstallEntra(parent *kingpin.CmdClause) { + p.install.entraID.cmd = parent.Command("entraid", "Install an EntraId integration.") + cmd := p.install.entraID.cmd + cmd. + Flag("name", "Name of the plugin resource to create"). + Default("entra-id"). + StringVar(&p.install.name) + + cmd. + Flag("auth-connector-name", "Name of the SAML connector resource to create"). + Default("entra-id-default"). + StringVar(&p.install.entraID.authConnectorName) + + cmd. + Flag("use-system-credentials", "Uses system credentials instead of OIDC."). + BoolVar(&p.install.entraID.useSystemCredentials) + + cmd.Flag("default-owner", "List of Teleport users that are default owners for the imported access lists. Multiple flags allowed."). + Required(). + StringsVar(&p.install.entraID.defaultOwners) + + cmd. + Flag("access-graph", "Enables Access Graph cache build."). + Default("true"). + BoolVar(&p.install.entraID.accessGraph) + + cmd. + Flag("force", "Proceed with installation even if plugin already exists."). + Short('f'). + Default("false"). + BoolVar(&p.install.scim.force) +} + +type entraSettings struct { + accessGraphCache *azureoidc.TAGInfoCache + clientID string + tenantID string +} + +var ( + errCancel = trace.BadParameter("operation canceled") +) + +func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, error) { + fileLoc, err := pathForFile(os.Stdout, os.Stdin) + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to get file location") + } + + buildScript, err := buildScript(proxyPublicAddr, p.install.entraID.authConnectorName, p.install.entraID.accessGraph, p.install.entraID.useSystemCredentials) + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to build script") + } + + if err := os.WriteFile(fileLoc, []byte(buildScript), 0644); err != nil { + return entraSettings{}, trace.Wrap(err, "failed to write script to file") + } + + tmpl := `Step 1: Run the Setup Script + +1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility. +2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar. +3. Once uploaded, execute the script by running the following command: + $ bash %s + +**Important Considerations**: +- You must have **Azure privileged administrator permissions** to complete the integration. +- Ensure you're using the **Bash** environment in Cloud Shell. +- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials. +- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. + +` + + fmt.Fprintf(os.Stdout, tmpl, filepath.Base(fileLoc)) + + op, err := readData(os.Stdin, os.Stdout, + "Once the script completes, type 'continue' to proceed, 'exit' to quit", + func(input string) bool { + return input == "continue" || input == "exit" + }, "Invalid input. Please enter 'continue' or 'exit'.") + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to read operation") + } + if op == "exit" { // User chose to exit + return entraSettings{}, errCancel + } + + validUUID := func(input string) bool { + _, err := uuid.Parse(input) + return err == nil + } + + tmpl = ` + +Step 2: Input Tenant ID and Client ID + +With the output of Step 1, please copy and paste the following information: +` + fmt.Fprint(os.Stdout, tmpl) + var settings entraSettings + settings.tenantID, err = readData(os.Stdin, os.Stdout, "Enter the Tenant ID", validUUID, "Invalid Tenant ID") + if err != nil { + return settings, trace.Wrap(err, "failed to read Tenant ID") + } + + settings.clientID, err = readData(os.Stdin, os.Stdout, "Enter the Client ID", validUUID, "Invalid Client ID") + if err != nil { + return settings, trace.Wrap(err, "failed to read Client ID") + } + + if p.install.entraID.accessGraph { + dataValidator := func(input string) bool { + settings.accessGraphCache, err = readTAGCache(input) + return err == nil + } + _, err = readData(os.Stdin, os.Stdout, "Enter the Access Graph Cache file location", dataValidator, "File does not exist or is invalid") + if err != nil { + return settings, trace.Wrap(err, "failed to read Access Graph Cache file") + } + } + return settings, nil +} + +func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArgs) error { + inputs := p.install + + proxyPublicAddr, err := getProxyPublicAddr(ctx, args.authClient) + if err != nil { + return trace.Wrap(err) + } + + settings, err := p.entraSetupGuide(proxyPublicAddr) + if err != nil { + if errors.Is(err, errCancel) { + return nil + } + return trace.Wrap(err) + } + + var tagSyncSettings *types.PluginEntraIDAccessGraphSettings + if settings.accessGraphCache != nil { + tagSyncSettings = &types.PluginEntraIDAccessGraphSettings{ + AppSsoSettingsCache: settings.accessGraphCache.AppSsoSettingsCache, + } + } + + saml, err := types.NewSAMLConnector(inputs.entraID.authConnectorName, types.SAMLConnectorSpecV2{ + AssertionConsumerService: proxyPublicAddr + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, + AllowIDPInitiated: true, + // AttributesToRoles is required, but Entra ID does not by have a default group (like Okta's "Everyone"), + // so we add a dummy claim that will never be fulfilled with the default configuration instead, + // and expect the user to modify it per their requirements. + AttributesToRoles: []types.AttributeMapping{ + { + Name: "https://example.com/my_attribute", + Value: "my_value", + Roles: []string{"requester"}, + }, + }, + Display: "Entra ID", + EntityDescriptorURL: entraid.FederationMetadataURL(settings.tenantID, settings.clientID), + }) + if err != nil { + return trace.Wrap(err, "failed to create SAML connector") + } + + if _, err = args.authClient.CreateSAMLConnector(ctx, saml); err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err, "failed to create SAML connector") + } + if _, err = args.authClient.UpsertSAMLConnector(ctx, saml); err != nil { + return trace.Wrap(err, "failed to upsert SAML connector") + } + } + + if !inputs.entraID.useSystemCredentials { + integrationSpec, err := types.NewIntegrationAzureOIDC( + types.Metadata{Name: inputs.name}, + &types.AzureOIDCIntegrationSpecV1{ + TenantID: settings.tenantID, + ClientID: settings.clientID, + }, + ) + if err != nil { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + + if _, err = args.authClient.CreateIntegration(ctx, integrationSpec); err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + if err = args.authClient.DeleteIntegration(ctx, integrationSpec.GetName()); err != nil { + return trace.Wrap(err, "failed to delete Azure OIDC integration") + } + if _, err = args.authClient.CreateIntegration(ctx, integrationSpec); err != nil { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + } + } + + credentialsSource := types.EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC + if inputs.entraID.useSystemCredentials { + credentialsSource = types.EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS + } + req := &pluginspb.CreatePluginRequest{ + Plugin: &types.PluginV1{ + Metadata: types.Metadata{ + Name: inputs.name, + Labels: map[string]string{ + "teleport.dev/hosted-plugin": "true", + }, + }, + Spec: types.PluginSpecV1{ + Settings: &types.PluginSpecV1_EntraId{ + EntraId: &types.PluginEntraIDSettings{ + SyncSettings: &types.PluginEntraIDSyncSettings{ + DefaultOwners: inputs.entraID.defaultOwners, + SsoConnectorId: inputs.entraID.authConnectorName, + CredentialsSource: credentialsSource, + TenantId: settings.tenantID, + }, + AccessGraphSettings: tagSyncSettings, + }, + }, + }, + }, + } + + _, err = args.plugins.CreatePlugin(ctx, req) + if err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err) + } + if _, err = args.plugins.DeletePlugin(ctx, &pluginspb.DeletePluginRequest{ + Name: inputs.name, + }); err != nil { + return trace.Wrap(err) + } + if _, err = args.plugins.CreatePlugin(ctx, req); err != nil { + return trace.Wrap(err) + } + } + + fmt.Printf("Successfully created EntraID plugin %q\n\n", p.install.name) + + return nil +} + +func buildScript(proxyPublicAddr string, authConnectorName string, accessGraph, skipOIDCSetup bool) (string, error) { + + oidcIssuer, err := oidc.IssuerFromPublicAddress(proxyPublicAddr, "") + if err != nil { + return "", trace.Wrap(err) + } + + // The script must execute the following command: + argsList := []string{ + "integration", "configure", "azure-oidc", + fmt.Sprintf("--proxy-public-addr=%s", shsprintf.EscapeDefaultContext(oidcIssuer)), + fmt.Sprintf("--auth-connector-name=%s", shsprintf.EscapeDefaultContext(authConnectorName)), + } + + if accessGraph { + argsList = append(argsList, "--access-graph") + } + + if skipOIDCSetup { + argsList = append(argsList, "--skip-oidc-integration") + } + + script, err := oneoff.BuildScript(oneoff.OneOffScriptParams{ + TeleportArgs: strings.Join(argsList, " "), + SuccessMessage: "Success! You can now go back to the Teleport Web UI to use the integration with Azure.", + }) + if err != nil { + return "", trace.Wrap(err) + } + return script, nil +} + +func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, error) { + pingResp, err := authClient.Ping(ctx) + if err != nil { + return "", trace.Wrap(err, "failed fetching cluster info") + } + proxyPublicAddr := pingResp.GetProxyPublicAddr() + return proxyPublicAddr, nil +} + +func pathForFile(w io.Writer, r io.Reader) (string, error) { + + pwd, err := os.Getwd() + if err != nil { + return "", trace.Wrap(err) + } + + const defaultFileName = "entraid.sh" + + file := filepath.Join(pwd, defaultFileName) + _, err = readData(r, w, fmt.Sprintf("Enter the path to write the script file [%s]", file), func(input string) bool { + if input != "" { + file = input + } + // Check if the directory exists + _, err = os.Stat(filepath.Dir(file)) + return err == nil + }, + "Invalid directory file location", + ) + + return file, trace.Wrap(err) +} + +var ( + errNoTAGCache = trace.BadParameter("no TAG cache file found") +) + +func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { + if fileLoc == "" { + return nil, trace.Wrap(errNoTAGCache) + } + + file, err := os.Open(fileLoc) + if err != nil { + return nil, trace.Wrap(err) + } + defer file.Close() + + var result azureoidc.TAGInfoCache + if err := json.NewDecoder(file).Decode(&result); err != nil { + return nil, trace.Wrap(err) + } + + return &result, nil +} + +func readData(r io.Reader, w io.Writer, message string, validate func(string) bool, errorMessage string) (string, error) { + reader := bufio.NewReader(r) + for { + fmt.Fprintf(w, "%s: ", message) + input, _ := reader.ReadString('\n') + input = strings.TrimSpace(input) // Clean up any extra newlines or spaces + + if !validate(input) { + fmt.Fprintf(w, "%s\n", errorMessage) + continue + } + return input, nil + } +} diff --git a/tool/tctl/common/plugin/plugins_command.go b/tool/tctl/common/plugin/plugins_command.go index ba6c92f7ae5a9..8d970da800ec0 100644 --- a/tool/tctl/common/plugin/plugins_command.go +++ b/tool/tctl/common/plugin/plugins_command.go @@ -49,10 +49,11 @@ func logErrorMessage(err error) slog.Attr { } type pluginInstallArgs struct { - cmd *kingpin.CmdClause - name string - okta oktaArgs - scim scimArgs + cmd *kingpin.CmdClause + name string + okta oktaArgs + scim scimArgs + entraID entraArgs } type scimArgs struct { @@ -98,6 +99,7 @@ func (p *PluginsCommand) initInstall(parent *kingpin.CmdClause, config *servicec p.initInstallOkta(p.install.cmd) p.initInstallSCIM(p.install.cmd) + p.initInstallEntra(p.install.cmd) } func (p *PluginsCommand) initInstallSCIM(parent *kingpin.CmdClause) { @@ -200,11 +202,16 @@ func (p *PluginsCommand) Cleanup(ctx context.Context, clusterAPI *authclient.Cli type authClient interface { GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error) + CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) + UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) + CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) + DeleteIntegration(ctx context.Context, name string) error Ping(ctx context.Context) (proto.PingResponse, error) } type pluginsClient interface { CreatePlugin(ctx context.Context, in *pluginsv1.CreatePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) + DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) } type installPluginArgs struct { @@ -310,6 +317,9 @@ func (p *PluginsCommand) TryRun(ctx context.Context, cmd string, client *authcli err = p.InstallOkta(ctx, args) case p.install.scim.cmd.FullCommand(): err = p.InstallSCIM(ctx, client) + case p.install.entraID.cmd.FullCommand(): + args := installPluginArgs{authClient: client, plugins: client.PluginsClient()} + err = p.InstallEntra(ctx, args) case p.delete.cmd.FullCommand(): err = p.Delete(ctx, client) default: diff --git a/tool/tctl/common/plugin/plugins_command_test.go b/tool/tctl/common/plugin/plugins_command_test.go index e42f21e26310f..160401e64a989 100644 --- a/tool/tctl/common/plugin/plugins_command_test.go +++ b/tool/tctl/common/plugin/plugins_command_test.go @@ -449,6 +449,11 @@ func (m *mockPluginsClient) CreatePlugin(ctx context.Context, in *pluginsv1.Crea return result.Get(0).(*emptypb.Empty), result.Error(1) } +func (m *mockPluginsClient) DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) { + result := m.Called(ctx, in, opts) + return result.Get(0).(*emptypb.Empty), result.Error(1) +} + type mockAuthClient struct { mock.Mock } @@ -457,7 +462,22 @@ func (m *mockAuthClient) GetSAMLConnector(ctx context.Context, id string, withSe result := m.Called(ctx, id, withSecrets) return result.Get(0).(types.SAMLConnector), result.Error(1) } - +func (m *mockAuthClient) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) { + result := m.Called(ctx, connector) + return result.Get(0).(types.SAMLConnector), result.Error(1) +} +func (m *mockAuthClient) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) { + result := m.Called(ctx, connector) + return result.Get(0).(types.SAMLConnector), result.Error(1) +} +func (m *mockAuthClient) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) { + result := m.Called(ctx, ig) + return result.Get(0).(types.Integration), result.Error(1) +} +func (m *mockAuthClient) DeleteIntegration(ctx context.Context, name string) error { + result := m.Called(ctx, name) + return result.Error(0) +} func (m *mockAuthClient) Ping(ctx context.Context) (proto.PingResponse, error) { result := m.Called(ctx) return result.Get(0).(proto.PingResponse), result.Error(1) diff --git a/tool/teleport/common/integration_configure.go b/tool/teleport/common/integration_configure.go index bfd762d1322ec..97f531910e45e 100644 --- a/tool/teleport/common/integration_configure.go +++ b/tool/teleport/common/integration_configure.go @@ -251,7 +251,7 @@ func onIntegrationConfAzureOIDCCmd(ctx context.Context, params config.Integratio fmt.Println("Teleport is setting up the Azure integration. This may take a few minutes.") - appID, tenantID, err := azureoidc.SetupEnterpriseApp(ctx, params.ProxyPublicAddr, params.AuthConnectorName) + appID, tenantID, err := azureoidc.SetupEnterpriseApp(ctx, params.ProxyPublicAddr, params.AuthConnectorName, params.SkipOIDCConfiguration) if err != nil { return trace.Wrap(err) } diff --git a/tool/teleport/common/teleport.go b/tool/teleport/common/teleport.go index 3ccaa6ad1928a..9cd4436c68680 100644 --- a/tool/teleport/common/teleport.go +++ b/tool/teleport/common/teleport.go @@ -552,6 +552,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con integrationConfAzureOIDCCmd.Flag("proxy-public-addr", "The public address of Teleport Proxy Service").Required().StringVar(&ccf.IntegrationConfAzureOIDCArguments.ProxyPublicAddr) integrationConfAzureOIDCCmd.Flag("auth-connector-name", "The name of Entra ID SAML Auth connector in Teleport.").Required().StringVar(&ccf.IntegrationConfAzureOIDCArguments.AuthConnectorName) integrationConfAzureOIDCCmd.Flag("access-graph", "Enable Access Graph integration.").BoolVar(&ccf.IntegrationConfAzureOIDCArguments.AccessGraphEnabled) + integrationConfAzureOIDCCmd.Flag("skip-oidc-integration", "Skip OIDC integration.").BoolVar(&ccf.IntegrationConfAzureOIDCArguments.SkipOIDCConfiguration) integrationConfSAMLIdP := integrationConfigureCmd.Command("samlidp", "Manage SAML IdP integrations.") integrationSAMLIdPGCPWorkforce := integrationConfSAMLIdP.Command("gcp-workforce", "Configures GCP Workforce Identity Federation pool and SAML provider.") From ff60a0f27643ae9bf29838bb00fa219f2e44e512 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Thu, 24 Oct 2024 11:01:55 +0100 Subject: [PATCH 2/9] move function to api --- api/utils/entraid/federation_metadata.go | 33 ++++++++++++++++++++++++ tool/tctl/common/plugin/entraid.go | 4 +-- 2 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 api/utils/entraid/federation_metadata.go diff --git a/api/utils/entraid/federation_metadata.go b/api/utils/entraid/federation_metadata.go new file mode 100644 index 0000000000000..2dfa76080cdeb --- /dev/null +++ b/api/utils/entraid/federation_metadata.go @@ -0,0 +1,33 @@ +/* +Copyright 2024 Gravitational, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package entraid + +import ( + "net/url" + "path" +) + +// FederationMetadataURL returns the URL for the federation metadata endpoint +func FederationMetadataURL(tenantID, appID string) string { + return (&url.URL{ + Scheme: "https", + Host: "login.microsoftonline.com", + Path: path.Join(tenantID, "federationmetadata", "2007-06", "federationmetadata.xml"), + RawQuery: url.Values{ + "appid": {appID}, + }.Encode(), + }).String() +} diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 040bbbaacade0..0d9edccfb1296 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -36,7 +36,7 @@ import ( pluginspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1" "github.com/gravitational/teleport/api/types" - "github.com/gravitational/teleport/e/lib/entraid" + entraapiutils "github.com/gravitational/teleport/api/utils/entraid" "github.com/gravitational/teleport/lib/integrations/azureoidc" "github.com/gravitational/teleport/lib/utils/oidc" "github.com/gravitational/teleport/lib/web/scripts/oneoff" @@ -211,7 +211,7 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg }, }, Display: "Entra ID", - EntityDescriptorURL: entraid.FederationMetadataURL(settings.tenantID, settings.clientID), + EntityDescriptorURL: entraapiutils.FederationMetadataURL(settings.tenantID, settings.clientID), }) if err != nil { return trace.Wrap(err, "failed to create SAML connector") From c7dd3156e33c25bbadc148b5c8d1d5a26640ec74 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Mon, 28 Oct 2024 15:12:39 +0000 Subject: [PATCH 3/9] handle code review comments --- tool/tctl/common/plugin/entraid.go | 65 ++++++++++++------------------ 1 file changed, 26 insertions(+), 39 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 0d9edccfb1296..e689cdef9b180 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -30,6 +30,7 @@ import ( "strings" "github.com/alecthomas/kingpin/v2" + "github.com/fatih/color" "github.com/google/safetext/shsprintf" "github.com/google/uuid" "github.com/gravitational/trace" @@ -95,32 +96,46 @@ var ( ) func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, error) { - fileLoc, err := pathForFile(os.Stdout, os.Stdin) + pwd, err := os.Getwd() + if err != nil { + return entraSettings{}, trace.Wrap(err) + } + f, err := os.CreateTemp(pwd, "entraid-setup-*.sh") if err != nil { - return entraSettings{}, trace.Wrap(err, "failed to get file location") + return entraSettings{}, trace.Wrap(err, "failed to create temp file") } + defer os.Remove(f.Name()) + buildScript, err := buildScript(proxyPublicAddr, p.install.entraID.authConnectorName, p.install.entraID.accessGraph, p.install.entraID.useSystemCredentials) if err != nil { return entraSettings{}, trace.Wrap(err, "failed to build script") } - if err := os.WriteFile(fileLoc, []byte(buildScript), 0644); err != nil { + if _, err := f.Write([]byte(buildScript)); err != nil { return entraSettings{}, trace.Wrap(err, "failed to write script to file") } + if err := f.Close(); err != nil { + return entraSettings{}, trace.Wrap(err, "failed to close file") + } + fileLoc := f.Name() + + bold := color.New(color.Bold).SprintFunc() + boldRed := color.New(color.Bold, color.FgRed).SprintFunc() + tmpl := `Step 1: Run the Setup Script -1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility. -2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar. +1. Open ` + bold("Azure Cloud Shell") + ` (Bash) using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. +2. Upload the setup script in ` + boldRed(fileLoc) + ` using the ` + bold("Upload") + ` button in the Cloud Shell toolbar. 3. Once uploaded, execute the script by running the following command: $ bash %s -**Important Considerations**: -- You must have **Azure privileged administrator permissions** to complete the integration. -- Ensure you're using the **Bash** environment in Cloud Shell. -- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials. -- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. +` + bold("Important Considerations") + `: +- You must have ` + bold("Azure privileged administrator permissions") + ` to complete the integration. +- Ensure you're using the ` + bold("Bash") + ` environment in Cloud Shell. +- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. ` + bold("Teleport") + ` does not store or persist your credentials. +- ` + bold("Mozilla Firefox") + ` users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. ` @@ -340,37 +355,9 @@ func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, err return proxyPublicAddr, nil } -func pathForFile(w io.Writer, r io.Reader) (string, error) { - - pwd, err := os.Getwd() - if err != nil { - return "", trace.Wrap(err) - } - - const defaultFileName = "entraid.sh" - - file := filepath.Join(pwd, defaultFileName) - _, err = readData(r, w, fmt.Sprintf("Enter the path to write the script file [%s]", file), func(input string) bool { - if input != "" { - file = input - } - // Check if the directory exists - _, err = os.Stat(filepath.Dir(file)) - return err == nil - }, - "Invalid directory file location", - ) - - return file, trace.Wrap(err) -} - -var ( - errNoTAGCache = trace.BadParameter("no TAG cache file found") -) - func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { if fileLoc == "" { - return nil, trace.Wrap(errNoTAGCache) + return nil, trace.BadParameter("no TAG cache file found") } file, err := os.Open(fileLoc) From 37e9dee2b582be539eb812268347ef3175daebf9 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Mon, 28 Oct 2024 15:13:29 +0000 Subject: [PATCH 4/9] Apply suggestions from code review Co-authored-by: Marco Dinis --- tool/tctl/common/plugin/entraid.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index e689cdef9b180..e54607b904f44 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -82,7 +82,7 @@ func (p *PluginsCommand) initInstallEntra(parent *kingpin.CmdClause) { Flag("force", "Proceed with installation even if plugin already exists."). Short('f'). Default("false"). - BoolVar(&p.install.scim.force) + BoolVar(&p.install.entraID.force) } type entraSettings struct { @@ -215,7 +215,7 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg saml, err := types.NewSAMLConnector(inputs.entraID.authConnectorName, types.SAMLConnectorSpecV2{ AssertionConsumerService: proxyPublicAddr + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, AllowIDPInitiated: true, - // AttributesToRoles is required, but Entra ID does not by have a default group (like Okta's "Everyone"), + // AttributesToRoles is required, but Entra ID does not have a default group (like Okta's "Everyone"), // so we add a dummy claim that will never be fulfilled with the default configuration instead, // and expect the user to modify it per their requirements. AttributesToRoles: []types.AttributeMapping{ @@ -315,7 +315,6 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg } func buildScript(proxyPublicAddr string, authConnectorName string, accessGraph, skipOIDCSetup bool) (string, error) { - oidcIssuer, err := oidc.IssuerFromPublicAddress(proxyPublicAddr, "") if err != nil { return "", trace.Wrap(err) From 8f04e0db3822b94a980d6a23fbb932b33b35b981 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Mon, 28 Oct 2024 18:43:48 +0000 Subject: [PATCH 5/9] fix url --- tool/tctl/common/plugin/entraid.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index e54607b904f44..58e0c5f6e5f08 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -213,7 +213,7 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg } saml, err := types.NewSAMLConnector(inputs.entraID.authConnectorName, types.SAMLConnectorSpecV2{ - AssertionConsumerService: proxyPublicAddr + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, + AssertionConsumerService: strings.TrimRight(proxyPublicAddr, "/") + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, AllowIDPInitiated: true, // AttributesToRoles is required, but Entra ID does not have a default group (like Okta's "Everyone"), // so we add a dummy claim that will never be fulfilled with the default configuration instead, @@ -315,15 +315,10 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg } func buildScript(proxyPublicAddr string, authConnectorName string, accessGraph, skipOIDCSetup bool) (string, error) { - oidcIssuer, err := oidc.IssuerFromPublicAddress(proxyPublicAddr, "") - if err != nil { - return "", trace.Wrap(err) - } - // The script must execute the following command: argsList := []string{ "integration", "configure", "azure-oidc", - fmt.Sprintf("--proxy-public-addr=%s", shsprintf.EscapeDefaultContext(oidcIssuer)), + fmt.Sprintf("--proxy-public-addr=%s", shsprintf.EscapeDefaultContext(proxyPublicAddr)), fmt.Sprintf("--auth-connector-name=%s", shsprintf.EscapeDefaultContext(authConnectorName)), } @@ -351,7 +346,8 @@ func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, err return "", trace.Wrap(err, "failed fetching cluster info") } proxyPublicAddr := pingResp.GetProxyPublicAddr() - return proxyPublicAddr, nil + oidcIssuer, err := oidc.IssuerFromPublicAddress(proxyPublicAddr, "") + return oidcIssuer, trace.Wrap(err) } func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { From b1911b5bf7a9cab986247ee97613851ed5843fc6 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 29 Oct 2024 10:19:00 +0000 Subject: [PATCH 6/9] enable group claims --- lib/integrations/azureoidc/provision_sso.go | 3 +++ lib/msgraph/models.go | 14 +++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/lib/integrations/azureoidc/provision_sso.go b/lib/integrations/azureoidc/provision_sso.go index 07d4366040752..9bb17aa5771dd 100644 --- a/lib/integrations/azureoidc/provision_sso.go +++ b/lib/integrations/azureoidc/provision_sso.go @@ -48,6 +48,9 @@ func setupSSO(ctx context.Context, graphClient *msgraph.Client, appObjectID stri webApp := &msgraph.WebApplication{} webApp.RedirectURIs = &uris app.Web = webApp + securityGroups := new(string) + *securityGroups = "SecurityGroup" + app.GroupMembershipClaims = securityGroups err = graphClient.UpdateApplication(ctx, appObjectID, app) diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index f867ecbb634c5..829d55a040464 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -18,6 +18,7 @@ package msgraph import ( "encoding/json" + "slices" "github.com/gravitational/trace" ) @@ -34,6 +35,12 @@ type DirectoryObject struct { type Group struct { DirectoryObject + GroupTypes []string `json:"groupTypes,omitempty"` +} + +func (g *Group) IsOffice365Group() bool { + const office365Group = "Unified" + return slices.Contains(g.GroupTypes, office365Group) } func (g *Group) isGroupMember() {} @@ -53,9 +60,10 @@ func (u *User) GetID() *string { return u.ID } type Application struct { DirectoryObject - AppID *string `json:"appId,omitempty"` - IdentifierURIs *[]string `json:"identifierUris,omitempty"` - Web *WebApplication `json:"web,omitempty"` + AppID *string `json:"appId,omitempty"` + IdentifierURIs *[]string `json:"identifierUris,omitempty"` + Web *WebApplication `json:"web,omitempty"` + GroupMembershipClaims *string `json:"groupMembershipClaims,omitempty"` } type WebApplication struct { From 5edc5140b5c88cc85c93a3014d18f4b3020812b6 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 29 Oct 2024 10:30:39 +0000 Subject: [PATCH 7/9] add godoc --- tool/tctl/common/plugin/entraid.go | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 58e0c5f6e5f08..03c6b0322a067 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -98,7 +98,7 @@ var ( func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, error) { pwd, err := os.Getwd() if err != nil { - return entraSettings{}, trace.Wrap(err) + return entraSettings{}, trace.Wrap(err, "failed to get working dir") } f, err := os.CreateTemp(pwd, "entraid-setup-*.sh") if err != nil { @@ -126,7 +126,7 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, tmpl := `Step 1: Run the Setup Script -1. Open ` + bold("Azure Cloud Shell") + ` (Bash) using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. +1. Open ` + bold("Azure Cloud Shell") + ` (Bash) [https://portal.azure.com/#cloudshell/] using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. 2. Upload the setup script in ` + boldRed(fileLoc) + ` using the ` + bold("Upload") + ` button in the Cloud Shell toolbar. 3. Once uploaded, execute the script by running the following command: $ bash %s @@ -189,6 +189,22 @@ With the output of Step 1, please copy and paste the following information: return settings, nil } +// InstallEntra is the entry point for the `tctl plugins install entraid` command. +// This function guides users through an interactive setup process to configure EntraID integration, +// directing them to execute a script in Azure Cloud Shell and provide the required configuration inputs. +// The script creates an Azure EntraID Enterprise Application, enabling SAML logins in Teleport with +// the following claims: +// - givenname: user.givenname +// - surname: user.surname +// - emailaddress: user.mail +// - name: user.userprincipalname +// - groups: user.groups +// Additionally, the script establishes a Trust Policy in the application to allow Teleport +// to be recognized as a credential issuer when system credentials are not used. +// If system credentials are present, the script will skip the Trust policy creation using +// system credentials for EntraID authentication. +// Finally, if no system credentials are in use, the script will set up an Azure OIDC integration +// in Teleport and a Teleport plugin to synchronize access lists from EntraID to Teleport. func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArgs) error { inputs := p.install @@ -352,7 +368,7 @@ func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, err func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { if fileLoc == "" { - return nil, trace.BadParameter("no TAG cache file found") + return nil, trace.BadParameter("no TAG cache file specified") } file, err := os.Open(fileLoc) From 209e239f67ee11fc00956e4af3b23aff7709c2e7 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 29 Oct 2024 16:39:02 +0000 Subject: [PATCH 8/9] handle code review comments --- tool/tctl/common/plugin/entraid.go | 102 ++++++++++-------- tool/tctl/common/plugin/plugins_command.go | 6 +- .../common/plugin/plugins_command_test.go | 19 +++- 3 files changed, 78 insertions(+), 49 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 03c6b0322a067..7654193e52021 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -43,6 +43,33 @@ import ( "github.com/gravitational/teleport/lib/web/scripts/oneoff" ) +var ( + bold = color.New(color.Bold).SprintFunc() + boldRed = color.New(color.Bold, color.FgRed).SprintFunc() + + step1Template = `Step 1: Run the Setup Script + +1. Open ` + bold("Azure Cloud Shell") + ` (Bash) [https://portal.azure.com/#cloudshell/] using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. +2. Upload the setup script in ` + boldRed("%s") + ` using the ` + bold("Upload") + ` button in the Cloud Shell toolbar. +3. Once uploaded, execute the script by running the following command: + $ bash %s + +` + bold("Important Considerations") + `: +- You must have ` + bold("Azure privileged administrator permissions") + ` to complete the integration. +- Ensure you're using the ` + bold("Bash") + ` environment in Cloud Shell. +- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. ` + bold("Teleport") + ` does not store or persist your credentials. +- ` + bold("Mozilla Firefox") + ` users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. + +` + + step2Template = ` + +Step 2: Input Tenant ID and Client ID + +With the output of Step 1, please copy and paste the following information: +` +) + type entraArgs struct { cmd *kingpin.CmdClause authConnectorName string @@ -107,7 +134,7 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, defer os.Remove(f.Name()) - buildScript, err := buildScript(proxyPublicAddr, p.install.entraID.authConnectorName, p.install.entraID.accessGraph, p.install.entraID.useSystemCredentials) + buildScript, err := buildScript(proxyPublicAddr, p.install.entraID) if err != nil { return entraSettings{}, trace.Wrap(err, "failed to build script") } @@ -121,28 +148,10 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, } fileLoc := f.Name() - bold := color.New(color.Bold).SprintFunc() - boldRed := color.New(color.Bold, color.FgRed).SprintFunc() - - tmpl := `Step 1: Run the Setup Script - -1. Open ` + bold("Azure Cloud Shell") + ` (Bash) [https://portal.azure.com/#cloudshell/] using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. -2. Upload the setup script in ` + boldRed(fileLoc) + ` using the ` + bold("Upload") + ` button in the Cloud Shell toolbar. -3. Once uploaded, execute the script by running the following command: - $ bash %s - -` + bold("Important Considerations") + `: -- You must have ` + bold("Azure privileged administrator permissions") + ` to complete the integration. -- Ensure you're using the ` + bold("Bash") + ` environment in Cloud Shell. -- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. ` + bold("Teleport") + ` does not store or persist your credentials. -- ` + bold("Mozilla Firefox") + ` users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. - -` - - fmt.Fprintf(os.Stdout, tmpl, filepath.Base(fileLoc)) + fmt.Fprintf(os.Stdout, step1Template, fileLoc, filepath.Base(fileLoc)) op, err := readData(os.Stdin, os.Stdout, - "Once the script completes, type 'continue' to proceed, 'exit' to quit", + "Once the script completes, type 'continue' to proceed, 'exit' to quit. If you need to rerun the script, type 'exit' and restart the process.", func(input string) bool { return input == "continue" || input == "exit" }, "Invalid input. Please enter 'continue' or 'exit'.") @@ -158,13 +167,8 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, return err == nil } - tmpl = ` - -Step 2: Input Tenant ID and Client ID + fmt.Fprint(os.Stdout, step2Template) -With the output of Step 1, please copy and paste the following information: -` - fmt.Fprint(os.Stdout, tmpl) var settings entraSettings settings.tenantID, err = readData(os.Stdin, os.Stdout, "Enter the Tenant ID", validUUID, "Invalid Tenant ID") if err != nil { @@ -232,12 +236,11 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg AssertionConsumerService: strings.TrimRight(proxyPublicAddr, "/") + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, AllowIDPInitiated: true, // AttributesToRoles is required, but Entra ID does not have a default group (like Okta's "Everyone"), - // so we add a dummy claim that will never be fulfilled with the default configuration instead, - // and expect the user to modify it per their requirements. + // so we add a dummy claim that will always be fulfilled and map them to the "requester" role. AttributesToRoles: []types.AttributeMapping{ { - Name: "https://example.com/my_attribute", - Value: "my_value", + Name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", + Value: "*", Roles: []string{"requester"}, }, }, @@ -273,10 +276,13 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg if !trace.IsAlreadyExists(err) || !inputs.entraID.force { return trace.Wrap(err, "failed to create Azure OIDC integration") } - if err = args.authClient.DeleteIntegration(ctx, integrationSpec.GetName()); err != nil { - return trace.Wrap(err, "failed to delete Azure OIDC integration") + + integration, err := args.authClient.GetIntegration(ctx, integrationSpec.GetName()) + if err != nil { + return trace.Wrap(err, "failed to get Azure OIDC integration") } - if _, err = args.authClient.CreateIntegration(ctx, integrationSpec); err != nil { + integration.SetAWSOIDCIntegrationSpec(integrationSpec.GetAWSOIDCIntegrationSpec()) + if _, err = args.authClient.UpdateIntegration(ctx, integration); err != nil { return trace.Wrap(err, "failed to create Azure OIDC integration") } } @@ -315,12 +321,19 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg if !trace.IsAlreadyExists(err) || !inputs.entraID.force { return trace.Wrap(err) } - if _, err = args.plugins.DeletePlugin(ctx, &pluginspb.DeletePluginRequest{ - Name: inputs.name, - }); err != nil { - return trace.Wrap(err) + plugin := req.GetPlugin() + { + oldPlugin, err := args.plugins.GetPlugin(ctx, &pluginspb.GetPluginRequest{ + Name: inputs.name, + }) + if err != nil { + return trace.Wrap(err) + } + plugin.Metadata.Revision = oldPlugin.GetMetadata().Revision } - if _, err = args.plugins.CreatePlugin(ctx, req); err != nil { + if _, err = args.plugins.UpdatePlugin(ctx, &pluginspb.UpdatePluginRequest{ + Plugin: plugin, + }); err != nil { return trace.Wrap(err) } } @@ -330,19 +343,19 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg return nil } -func buildScript(proxyPublicAddr string, authConnectorName string, accessGraph, skipOIDCSetup bool) (string, error) { +func buildScript(proxyPublicAddr string, entraCfg entraArgs) (string, error) { // The script must execute the following command: argsList := []string{ "integration", "configure", "azure-oidc", fmt.Sprintf("--proxy-public-addr=%s", shsprintf.EscapeDefaultContext(proxyPublicAddr)), - fmt.Sprintf("--auth-connector-name=%s", shsprintf.EscapeDefaultContext(authConnectorName)), + fmt.Sprintf("--auth-connector-name=%s", shsprintf.EscapeDefaultContext(entraCfg.authConnectorName)), } - if accessGraph { + if entraCfg.accessGraph { argsList = append(argsList, "--access-graph") } - if skipOIDCSetup { + if entraCfg.useSystemCredentials { argsList = append(argsList, "--skip-oidc-integration") } @@ -366,6 +379,9 @@ func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, err return oidcIssuer, trace.Wrap(err) } +// readTAGCache reads the TAG cache file and returns the TAGInfoCache object. +// azureoidc.TAGInfoCache is a struct that contains the information necessary for Access Graph to analyze Azure SSO. +// It contains a list of AppID and their corresponding FederatedSsoV2 information. func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { if fileLoc == "" { return nil, trace.BadParameter("no TAG cache file specified") diff --git a/tool/tctl/common/plugin/plugins_command.go b/tool/tctl/common/plugin/plugins_command.go index 8d970da800ec0..df8b9eeb4ed3b 100644 --- a/tool/tctl/common/plugin/plugins_command.go +++ b/tool/tctl/common/plugin/plugins_command.go @@ -205,13 +205,15 @@ type authClient interface { CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) - DeleteIntegration(ctx context.Context, name string) error + GetIntegration(ctx context.Context, name string) (types.Integration, error) + UpdateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) Ping(ctx context.Context) (proto.PingResponse, error) } type pluginsClient interface { CreatePlugin(ctx context.Context, in *pluginsv1.CreatePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) - DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) + GetPlugin(ctx context.Context, in *pluginsv1.GetPluginRequest, opts ...grpc.CallOption) (*types.PluginV1, error) + UpdatePlugin(ctx context.Context, in *pluginsv1.UpdatePluginRequest, opts ...grpc.CallOption) (*types.PluginV1, error) } type installPluginArgs struct { diff --git a/tool/tctl/common/plugin/plugins_command_test.go b/tool/tctl/common/plugin/plugins_command_test.go index 160401e64a989..9033311f3272c 100644 --- a/tool/tctl/common/plugin/plugins_command_test.go +++ b/tool/tctl/common/plugin/plugins_command_test.go @@ -449,9 +449,14 @@ func (m *mockPluginsClient) CreatePlugin(ctx context.Context, in *pluginsv1.Crea return result.Get(0).(*emptypb.Empty), result.Error(1) } -func (m *mockPluginsClient) DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) { +func (m *mockPluginsClient) GetPlugin(ctx context.Context, in *pluginsv1.GetPluginRequest, opts ...grpc.CallOption) (*types.PluginV1, error) { result := m.Called(ctx, in, opts) - return result.Get(0).(*emptypb.Empty), result.Error(1) + return result.Get(0).(*types.PluginV1), result.Error(1) +} + +func (m *mockPluginsClient) UpdatePlugin(ctx context.Context, in *pluginsv1.UpdatePluginRequest, opts ...grpc.CallOption) (*types.PluginV1, error) { + result := m.Called(ctx, in, opts) + return result.Get(0).(*types.PluginV1), result.Error(1) } type mockAuthClient struct { @@ -474,10 +479,16 @@ func (m *mockAuthClient) CreateIntegration(ctx context.Context, ig types.Integra result := m.Called(ctx, ig) return result.Get(0).(types.Integration), result.Error(1) } -func (m *mockAuthClient) DeleteIntegration(ctx context.Context, name string) error { +func (m *mockAuthClient) UpdateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) { + result := m.Called(ctx, ig) + return result.Get(0).(types.Integration), result.Error(1) +} + +func (m *mockAuthClient) GetIntegration(ctx context.Context, name string) (types.Integration, error) { result := m.Called(ctx, name) - return result.Error(0) + return result.Get(0).(types.Integration), result.Error(1) } + func (m *mockAuthClient) Ping(ctx context.Context) (proto.PingResponse, error) { result := m.Called(ctx) return result.Get(0).(proto.PingResponse), result.Error(1) From 803810ae0d5f7d2e7d1c39f73f401699e66855de Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 29 Oct 2024 17:02:36 +0000 Subject: [PATCH 9/9] fix gomod --- go.mod | 2 +- tool/tctl/common/plugin/entraid.go | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index b75dec86e94a7..a519a2efb5d59 100644 --- a/go.mod +++ b/go.mod @@ -91,6 +91,7 @@ require ( github.com/elimity-com/scim v0.0.0-20240320110924-172bf2aee9c8 github.com/envoyproxy/go-control-plane v0.13.0 github.com/evanphx/json-patch v5.9.0+incompatible + github.com/fatih/color v1.17.0 github.com/fsnotify/fsnotify v1.7.0 github.com/fsouza/fake-gcs-server v1.49.3 github.com/fxamacker/cbor/v2 v2.7.0 @@ -323,7 +324,6 @@ require ( github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/camelcase v1.0.0 // indirect - github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/gabriel-vasile/mimetype v1.4.3 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 7654193e52021..ea5010504ca9f 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -47,7 +47,7 @@ var ( bold = color.New(color.Bold).SprintFunc() boldRed = color.New(color.Bold, color.FgRed).SprintFunc() - step1Template = `Step 1: Run the Setup Script + step1Template = bold("Step 1: Run the Setup Script") + ` 1. Open ` + bold("Azure Cloud Shell") + ` (Bash) [https://portal.azure.com/#cloudshell/] using ` + bold("Google Chrome") + ` or ` + bold("Safari") + ` for the best compatibility. 2. Upload the setup script in ` + boldRed("%s") + ` using the ` + bold("Upload") + ` button in the Cloud Shell toolbar. @@ -60,11 +60,13 @@ var ( - During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. ` + bold("Teleport") + ` does not store or persist your credentials. - ` + bold("Mozilla Firefox") + ` users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. +To rerun the script, type 'exit' to close and then restart the process. + ` step2Template = ` -Step 2: Input Tenant ID and Client ID +` + bold("Step 2: Input Tenant ID and Client ID") + ` With the output of Step 1, please copy and paste the following information: ` @@ -151,7 +153,7 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, fmt.Fprintf(os.Stdout, step1Template, fileLoc, filepath.Base(fileLoc)) op, err := readData(os.Stdin, os.Stdout, - "Once the script completes, type 'continue' to proceed, 'exit' to quit. If you need to rerun the script, type 'exit' and restart the process.", + `Once the script completes, type 'continue' to proceed, 'exit' to quit`, func(input string) bool { return input == "continue" || input == "exit" }, "Invalid input. Please enter 'continue' or 'exit'.")