-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Implement tbot init subcommand and ACL management
#10289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 77 commits
Commits
Show all changes
82 commits
Select commit
Hold shift + click to select a range
0642d9b
Add certificate renewal bot
timothyb89 278373b
Cert bot refactoring pass
timothyb89 3cb5f41
Do not pass through `renewable` flag when role requests are set
timothyb89 65997a6
Various tbot UX improvements; render SSH config
timothyb89 ff58ccf
Add stubs for tbot init and watch commands
timothyb89 75ee80b
Add gRPC endpoints for managing bots
timothyb89 65b4f91
Fix outdated destination flag in example tbot command
timothyb89 fced606
Bugfix pass for demo
timothyb89 e8b3b0f
Address first wave of review feedback
timothyb89 773a4ef
Add doc comments for bot.go functions
timothyb89 34ae6a6
Return the token TTL from CreateBot
timothyb89 9c5ca57
Split initial user cert issuance from `generateUserCerts()`
timothyb89 17a1c77
Set bot traits to silence log messages
timothyb89 bd3152b
tbot log message consistency pass
timothyb89 d7c49e7
Implement `tbot init` subcommand
timothyb89 12942dd
Resolve lints
timothyb89 8cd83c7
Add config tests
timothyb89 28bab88
Remove CreateBotJoinToken endpoint
timothyb89 5a71864
Merge remote-tracking branch 'origin/master' into timothyb89/tbot
timothyb89 d800382
Create a fresh private key for every impersonated identity renewal
timothyb89 cefe734
Hide `config` subcommand
timothyb89 5003459
Rename bot label prefix to `teleport.internal/`
timothyb89 0b7e7e5
Merge branch 'timothyb89/tbot' into timothyb89/tbot-init
timothyb89 f725b62
Use types.NewRole() to create bot roles
timothyb89 4a3a417
Clean up error handling in custom YAML unmarshallers
timothyb89 28f930b
Fetch proxy host via gRPC Ping() instead of GetProxies()
timothyb89 00e29b5
Merge remote-tracking branch 'origin/master' into timothyb89/tbot
timothyb89 a7529b9
Update lib/auth/bot.go
timothyb89 b1bbcb8
Fix some review comments
timothyb89 004b25c
Add renewable certificate generation checks (#10098)
timothyb89 c3be5d6
Address another batch of review feedback
timothyb89 f004e10
Addres another batch of review feedback
timothyb89 77c0803
Merge remote-tracking branch 'origin/master' into timothyb89/tbot
timothyb89 1f946f9
Fix lint
timothyb89 587974d
Add missing doc comments to SaveIdentity / LoadIdentity
timothyb89 bd5f514
Merge remote-tracking branch 'origin/master' into timothyb89/tbot
timothyb89 01546ec
Remove pam tag from tbot build
timothyb89 bf1cf3a
Update note about bot lock deletion
timothyb89 c65c56a
Another pass of review feedback
timothyb89 0300f52
Merge remote-tracking branch 'origin/master' into timothyb89/tbot
timothyb89 73b7ba2
Merge branch 'timothyb89/tbot' into timothyb89/tbot-init
timothyb89 0ad110e
Merge remote-tracking branch 'origin/master' into timothyb89/tbot-init
timothyb89 cf6406f
Remove ModeHint
timothyb89 0f78580
Rename Identity.Cert and Identity.XCert
timothyb89 3e0a05f
Add `symlinks` flag to tbot config
timothyb89 3da96dd
Add mostly-working secure implementation of botfs.Create/Write
timothyb89 f94f724
Merge remote-tracking branch 'origin/master' into timothyb89/tbot-init
timothyb89 5ddfd71
Add configurable ACL modes and verify ACL support in tbot init
timothyb89 37400dc
Initialize destinations at startup and test before renewal
timothyb89 c9fb533
Hide watch for now
timothyb89 4b2fa72
Issue a new identity if a token change is detected
timothyb89 40f6d0b
Warn if identity appears to be expired on startup
timothyb89 9893602
Fully implement ACL Verify and Configure
timothyb89 048b524
Make `tbot init` work without a config file
timothyb89 25017b4
Show init instructions in tctl bots add
timothyb89 7f25b5a
Clear some TODOs and rephrase tctl help
timothyb89 73bed1a
Fix typo
timothyb89 b2460a4
Merge remote-tracking branch 'origin/master' into timothyb89/tbot-init
timothyb89 1276661
Fix token hash detection bug
timothyb89 202a97d
Actually read and write certs with symlink enforcement
timothyb89 b114926
Add workaround for OpenSSH permissions check with ACLs
timothyb89 24d066f
Fix lints
timothyb89 6b9223f
Fix an improper directory chmod to 0600 if ACL test fails
timothyb89 8a8d656
First pass of tbot init unit tests
timothyb89 3d55e48
Add symlink tests and fix bug with resolving the default owner
timothyb89 5ac9aa2
Fix err misuse
timothyb89 7a96daa
Fix an ACL error if the bot or reader user is the owner.
timothyb89 126162d
Merge remote-tracking branch 'origin/master' into timothyb89/tbot-init
timothyb89 1994858
Fix typo
timothyb89 9bb139e
Fix missing error case in VerifyACL causing unreadable directories
timothyb89 ca974b8
Address review feedback
timothyb89 8855518
Apply suggestions from code review
timothyb89 38c9fcb
Address review feedback
timothyb89 af1908a
Fix lint error
timothyb89 d9f8ed1
Merge branch 'master' into timothyb89/tbot-init
timothyb89 26f8fc9
Fix imports in fs_other
timothyb89 19dc449
Fix possible nil pointer deref if storage is unset
timothyb89 33afc77
Use the bot user as default owner
timothyb89 42aee8a
Apply suggestions from code review
timothyb89 e416fdb
Code review fixes
timothyb89 8bb8a5c
Merge branch 'master' into timothyb89/tbot-init
timothyb89 e76777c
Merge branch 'master' into timothyb89/tbot-init
timothyb89 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,156 @@ | ||
| /* | ||
| Copyright 2022 Gravitational, Inc. | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package botfs | ||
|
|
||
| import ( | ||
| "io/fs" | ||
| "os" | ||
| "os/user" | ||
| "runtime" | ||
| "strconv" | ||
| "syscall" | ||
|
|
||
| "github.com/gravitational/teleport" | ||
| "github.com/gravitational/teleport/api/constants" | ||
| "github.com/gravitational/trace" | ||
| "github.com/sirupsen/logrus" | ||
| ) | ||
|
|
||
| var log = logrus.WithFields(logrus.Fields{ | ||
| trace.Component: teleport.ComponentTBot, | ||
| }) | ||
|
|
||
| // SymlinksMode is an enum type listing various symlink behavior modes. | ||
| type SymlinksMode string | ||
|
|
||
| const ( | ||
| // SymlinksInsecure does allow resolving symlink paths and does not issue | ||
| // any symlink-related warnings. | ||
| SymlinksInsecure SymlinksMode = "insecure" | ||
|
|
||
| // SymlinksTrySecure attempts to write files securely and avoid symlink | ||
| // attacks, but falls back with a warning if the necessary OS / kernel | ||
| // support is missing. | ||
| SymlinksTrySecure SymlinksMode = "try-secure" | ||
|
|
||
| // SymlinksSecure attempts to write files securely and fails with an error | ||
| // if the operation fails. This should be the default on systems were we | ||
| // expect it to be supported. | ||
| SymlinksSecure SymlinksMode = "secure" | ||
| ) | ||
|
|
||
| // ACLMode is an enum type listing various ACL behavior modes. | ||
| type ACLMode string | ||
|
|
||
| const ( | ||
| // ACLOff disables ACLs | ||
| ACLOff ACLMode = "off" | ||
|
|
||
| // ACLTry attempts to use ACLs but falls back to no ACLs with a warning if | ||
| // unavailable. | ||
| ACLTry ACLMode = "try" | ||
|
|
||
| // ACLRequired enables ACL support and fails if ACLs are unavailable. | ||
| ACLRequired ACLMode = "required" | ||
| ) | ||
|
|
||
| const ( | ||
| // DefaultMode is the preferred permissions mode for bot files. | ||
| DefaultMode fs.FileMode = 0600 | ||
|
|
||
| // DefaultDirMode is the preferred permissions mode for bot directories. | ||
| // Directories need the execute bit set for most operations on their | ||
| // contents to succeed. | ||
| DefaultDirMode fs.FileMode = 0700 | ||
| ) | ||
|
|
||
| // ACLOptions contains parameters needed to configure ACLs | ||
| type ACLOptions struct { | ||
| // BotUser is the bot user that should have write access to this entry | ||
| BotUser *user.User | ||
|
|
||
| // ReaderUser is the user that should have read access to the file. This | ||
| // may be nil if the reader user is not known. | ||
| ReaderUser *user.User | ||
| } | ||
|
|
||
| // openStandard attempts to open the given path for writing with O_CREATE set. | ||
| func openStandard(path string) (*os.File, error) { | ||
| file, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, DefaultMode) | ||
| if err != nil { | ||
| return nil, trace.Wrap(err) | ||
|
timothyb89 marked this conversation as resolved.
Outdated
|
||
| } | ||
|
|
||
| return file, nil | ||
| } | ||
|
|
||
| // createStandard creates an empty file or directory at the given path without | ||
| // attempting to prevent symlink attacks. | ||
| func createStandard(path string, isDir bool) error { | ||
| if isDir { | ||
| if err := os.Mkdir(path, DefaultDirMode); err != nil { | ||
| return trace.Wrap(err) | ||
|
timothyb89 marked this conversation as resolved.
Outdated
|
||
| } | ||
|
timothyb89 marked this conversation as resolved.
Outdated
|
||
|
|
||
| return nil | ||
| } | ||
|
|
||
| f, err := openStandard(path) | ||
| if err != nil { | ||
| return trace.Wrap(err) | ||
| } | ||
|
|
||
| if err := f.Close(); err != nil { | ||
| log.Warnf("Failed to close file at %q: %+v", path, err) | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| // GetOwner attempts to retrieve the owner of the given file. This is not | ||
| // supported on all platforms and will return a trace.NotImplemented in that | ||
| // case. | ||
| func GetOwner(fileInfo fs.FileInfo) (*user.User, error) { | ||
| info, ok := fileInfo.Sys().(*syscall.Stat_t) | ||
| if !ok { | ||
| return nil, trace.NotImplemented("Cannot verify file ownership on this platform.") | ||
| } | ||
|
|
||
| user, err := user.LookupId(strconv.Itoa(int(info.Uid))) | ||
| if err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
|
|
||
| return user, nil | ||
| } | ||
|
|
||
| // IsOwnedBy checks that the file at the given path is owned by the given user. | ||
| // Returns a trace.NotImplemented() on unsupported platforms. | ||
| func IsOwnedBy(fileInfo fs.FileInfo, user *user.User) (bool, error) { | ||
| if runtime.GOOS == constants.WindowsOS { | ||
| // no-op on windows | ||
| return false, trace.NotImplemented("Cannot verify file ownership on this platform.") | ||
| } | ||
|
|
||
| info, ok := fileInfo.Sys().(*syscall.Stat_t) | ||
| if !ok { | ||
| return false, trace.NotImplemented("Cannot verify file ownership on this platform.") | ||
| } | ||
|
|
||
| // Our files are 0600, so don't bother checking gid. | ||
| return strconv.Itoa(int(info.Uid)) == user.Uid, nil | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.