Add Support for Oracle protocol by smallinsky · Pull Request #23227 · gravitational/teleport

smallinsky · 2023-03-17T11:44:55Z

What

Add Oracle Protocol Integration

Changes:

RFD
tsh local proxy listener on TLS port with local self signed certs where oracle client uses a wallet with local proxy certs.
tctl auth sign --format=oracle command detects if Orapki binary is avable in user env in order to create Oracle wallet. Otherwise a user need manual steps to convert teleport certs to oracle wallet format.

UX:

tctl example:

 $ tctl  auth sign --format=oracle --host=localhost --out=certs/server --ttl=2190h
 To enable mutual TLS on your Oracle server, add the following settings to oracle sqlnet.ora configuration file:
 WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/oracleWalletDir)))
 SSL_CLIENT_AUTHENTICATION = TRUE
 SQLNET.AUTHENTICATION_SERVICES = (TCPS)
 To enable mutual TLS on your Oracle server, add the following TCPS entreis to its listener.ora configuration file:
 LISTENER =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
     )
   )
 WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/oracleWalletDir)))
 SSL_CLIENT_AUTHENTICATION = TRUE

tsh proxy db:

$ tsh proxy db oracle  --db-user=alice --db-name=XE --tunnel
    Started authenticated tunnel for the Oracle database "oracle" in cluster "ice-berg.dev" on 127.0.0.1:51584.
    To avoid port randomization, you can choose the listening port using the --port flag.
    Use the following command to connect to the Oracle database server using CLI:
      $ sql -L jdbc:oracle:thin:@tcps://localhost:51584/XE?TNS_ADMIN=/Users/marek/.tsh/keys/ice-berg.dev/marek-db/ice-berg.dev/oracle-wallet
    or using following Oracle JDBC connection string in order to connect with other GUI/CLI clients:
      jdbc:oracle:thin:@tcps://localhost:51584/XE?TNS_ADMIN=/Users/marek/.tsh/keys/ice-berg.dev/marek-db/ice-berg.dev/oracle-wallet

Testing:

checkout e related changes: smallinsky/oracle_protocol_v3 https://github.com/gravitational/teleport.e/pull/1011
build Teleprot Enterprise
Setup local Oracle Database https://github.com/smallinsky/infra/tree/main/oracle
- cd infra/oracle
- make make sure that you are current logged into teleport cluster with a user that has a permission to issue DB certs.

Next Steps:

Add support for audit logs
Align Teleport Connect

smallinsky · 2023-03-20T14:06:30Z

/gcbrun

gabrielcorado

Overall LGTM. While testing, I run into a few issues:

This doesn’t happen for every error, but if Teleport DB service can reach the database but cannot connect to it due to misconfigured certificates or half setup is done (e.g., not setting up the server wallet). Then, it doesn't log any error message on the server side, only on the client:
```
Error Message = IO Error: Read error 'CLOSED', connect lapse 162 ms., Authentication lapse 0 ms.
```

Couldn't connect to my database with the following error:

2023-03-22T21:16:18-03:00 [DB:SERVIC] ERRO Oracle connection error db:oracle error:[
ERROR REPORT:
Original Error: x509.HostnameError x509: certificate relies on legacy Common Name field,                 use SANs instead
Stack Trace:
        github.com/gravitational/teleport/e/lib/db/oracle/protocol/conn.go:44     github.com/gravitational/teleport/e/lib/db/oracle/protocol.NewServerConn
        github.com/gravitational/teleport/e/lib/db/oracle/engine.go:107 github.com/gravitational/teleport/e/lib/db/oracle.(*Engine).connectToOracleDB
        github.com/gravitational/teleport/e/lib/db/oracle/engine.go:85 github.com/gravitational/teleport/e/lib/db/oracle.(*Engine).HandleConnection
        github.com/gravitational/teleport/lib/srv/db/server.go:936 github.com/gravitational/teleport/lib/srv/db.(*Server).handleConnection
        github.com/gravitational/teleport/lib/srv/db/server.go:846 github.com/gravitational/teleport/lib/srv/db.(*Server).HandleConnection
        github.com/gravitational/teleport/lib/reversetunnel/transport.go:295 github.com/gravitational/teleport/lib/reversetunnel.(*transport).start
        github.com/gravitational/teleport/lib/reversetunnel/agent.go:587 github.com/gravitational/teleport/lib/reversetunnel.(*agent).handleDrainChannels.func2
        runtime/asm_arm64.s:1172 runtime.goexit
User Message: x509: certificate relies on legacy Common Name field, use SANs instead]     id:ff55f687-44f6-4077-a35c-d22b69e2c952 oracle/engine.go:63

I'm using same setup as your repo (I only had to make small changes due to my docker being unable to write to volumes).

Also, great work on providing the repo with the database setup, that helped a lot on testing it.

greedy52

first pass. will try it out and do another pass

greedy52

LGTM. Tested both sql binary and jdbc (through SQuireLSQL predefined Oracle Thin Driver).

I think the oracle local configs and local TLS listener will break Teleport Connect, so we may want to fix that or track that in a separate ticket.

greedy52 · 2023-03-27T13:26:34Z


+	oracleAuthSignTpl = template.Must(template.New("").Parse(`
+{{if .manualOrapkiFlow}}
+Orapki binary was not found. Please create oracle wallet file manually by running following commands on the Oracle server:


nit

Suggested change

Orapki binary was not found. Please create oracle wallet file manually by running following commands on the Oracle server:

Orapki binary was not found. Please create Oracle wallet file manually by running the following commands on the Oracle server:

greedy52 · 2023-03-27T13:53:55Z

+//    │   │   │   └── dbC-wallet       --> Oracle Client wallet Configuration directory.
+//    │   │   ├── leaf                 --> App access certs for cluster "leaf"
+//    │   │   │   └── dbC-x509.pem     --> TLS cert for database service "dbC"
+//    │   │   └── proxy-localca.pem    --> Self-signed TLS Routing local proxy CA


For kube, I need specific DNS names per cluster so it has to be a separate file. But I am wondering if maybe we can just do one shared local CA per user keys/one.example.com/foo-localca.pem for aws/azure/gcp and oracle. Not a big deal either way.

gabrielcorado

LGTM. I tested using a different setup and everything worked as expected.

r0mant

Bot.

@jentfoo

* Metrics: add IsSSO to Discover Events (#23791) * Metrics: add IsSSO to Discover Events * review pt1 * use services.UserGetter interface * godocs, renamings * add isSSO to user identity * remove ctx from convert * add godocs to usermetadata fields * add UserType enum * Integration resource: add types and grpc methods (#23553) * Integration resource: add types and grpc methods This commit adds the new types for Integration resource. It also adds the gRPC methods that will be used later on for: - Integrations CRUD management - Integrations resource caching * decouple integration service from auth * return resource on CRU operations * Add OneOf prop to distinguish Integrations subkind * Version subkind spec * godocs * Set CRL LDAP path based on certificate authority type (#23814) * refactor(windows): use CA type to define CRL path * chore(windows): update updateCRL comment * chore(windows): fix imports * split and notate new vs existing mysql user (#18010) * Fix Flaky Tests Detector bypass on merge queue (#23896) * Fix Flaky Tests Detector bypass on merge queue * Do not run fld in the mq --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Implement `tctl create -f` for devices (#23801) * Implement `tctl create -f` for devices * Update e/ reference * Prevent unknown ssh requests from terminating sessions (#23874) Instead of returning and aborting a session if an unknown request is received servers now log the warning and continue on. * Update SFTP library (#23711) Update SFTP fork to include gravitational/sftp@dfe4e0d Fixes #22263 * Migrate to OpenSSL 3.0 (#23810) * Use OpenSSL 3.0.x (buildbox) * Use OpenSSL 3.0.x (buildbox-centos7) * Use OpenSSL 3.0.x (macOS) * Hosted plugins onboarding prerequisites (#23234) * Respect route exactness in TopNav * Allow submitting CSRF token via form * Skip "safe" methods in CSRF checks * Export getXCSRFToken * Add WithAuth2 * Passthrough "name" of FieldInput Allows it to be used in an actual form * icomoon: add hashtag icon * Add GetAvailablePluginTypes to PluginService proto * Expose ProxyPublicAddr For use in Enterprise web Plugin * Run prettier * Factor out app.MetaRedirect * Rename: WithAuth2 -> WithAuthCookieAndCSRF * Run GCI * Renegerate protos * Use RUNNER_TEMP for teleport bins in plugin tests (#23773) When gravitational/teleport-plugins imports this test suite in CI, the repo root gravitational/teleport/... is not writable. This uses GitHub's `RUNNER_TEMP` instead, if it is set. * Add Support for Oracle protocol (#23227) * kube-updater: Wire up main executable (#23565) * kube-updater: write main function, fix scheme, reduce grace period * fixup! kube-updater: write main function, fix scheme, reduce grace period * Address feedback * Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go Co-authored-by: Roman Tkachenko <roman@goteleport.com> --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add Flaky detector Bypass before merging (#23923) * Add Flaky Bypass before merging * edit to descriptions * Add advisory and troubleshooting on non-tls mode for machineid kube (#23575) * Add advisory and troubleshooting on non-tls mode for machineid kube * Apply suggestions from code review Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> --------- Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Show the server name (instead of UUID) in errors (#23724) When the web UI was updated to dial by UUID instead of hostname, access denied erorrs started to surface a UUID that is not visible in the UI. Where possible, pass through the node name so that we can raise a better error. * chore: Bump libfido2 from 1.12.0 to 1.13.0 (#23926) * chore: Bump libfido2 from 1.12.0 to 1.13.0 * Bump OpenSSL on Dockerfile-multiarch * docs: add description of config versions (#23624) This was originally added as part of #15761, but removed during the review cycle. Closes #20016 * Recommend Proxy Service in event-handler guides (#23879) See #21305 In order to standardize the docs around connecting Teleport services to the Proxy Service, rather than the Auth Service, change Event Handler guides to remove instructions for connecting to the Auth Service. This includes modifying partials used by the Access Request plugin guides so they work for the Event Handler guides as well. * Security fixes 03/23 (#23864) * Prevent tunneling if the os login doesn't exist A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code and any data written to standard error of the child process was forwarded to standard error on the parent; which was used to simply log the error and move on. To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection. tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closes. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end session if the os login does not exit, it also forces tsh to exit if the node goes offline. Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created due to the way -N is implemented. Fixes #217 * Prevent unauthorized access to kube clusters by upserting kube_servers This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469 --------- Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com> * Update e ref. (#23938) Update the e ref to make sure that e CI will run properly with the recent OSS Okta changes. * Add a guide to creating Teleport roles via the API (#23204) * Add a guide to creating Teleport roles via the API See #19716 This guide uses a small demo application to show how to create Teleport roles based on an external RBAC system. The demo revolves around a local `minikube` cluster. I chose this approach because Teleport works well with Kubernetes RBAC, and Kubernetes RBAC resources are pretty straightforward to set up locally. * Based the guide on a program in the examples dir * Respond to zmb3 PR feedback * Run make fix-license * Respond to PR feedback * Respond to alexfornuto feedback * Add Azure auto-join docs (#22752) This change adds documentation for Azure VM auto-joining. * Reduce DefaultIdleTimeout to 30s (#23943) An idle timeout of 6m keeps web api connections open too long on Proxies that have any agents which do not have the changes from #22832. Because the http.Server.IdleTimeout is set on all release versions now, even when built with go.19, we experience this issue because we no longer exercise the bug that was fixed in go1.20. * Allow make update-tag to push to teleport-private (#23957) This is useful for making private test builds. * Add Docker Hub login to Drone's Kubernetes pipelines (#23956) * Add Docker Hub login to kubernetes pipelines After moving Drone to AWS, we're seeing image pulls get rate limited because they're all coming from the same IP (an AWS NAT gateway). To avoid this, we refactor pipelines to cache/reuse images where possible, as well as add authentication to dockerhub pulls. * Drop dockerVolumes and dockerVolumeRefs We don't actually consistently want these in all places. E.g. parallel pipelines cannot share a volumeRefDockerConfig, as they'll stop on each others login information. * Remove shared docker config from parallel pipelines A shared volume results in the different steps racing against each other. * Remove docker config from relcli steps We don't actually pull from dockerhub in these steps. * Fix typos Co-authored-by: Reed Loden <reed@goteleport.com> Co-authored-by: Walt <walt@goteleport.com> --------- Co-authored-by: Trent Clarke <trent@goteleport.com> Co-authored-by: Reed Loden <reed@goteleport.com> * release: Update build for product signing (#23820) Update the build scripts to properly set up the key for signing packages using `productsign`, and parameterise the bundle ID for packages in the packaging scripts. * RFD Spell fixes (#23954) * Kube forward identity RFD (#22533) RFD for the new credentials forwarding mechanism for Kubernetes access. This RFD pretends to drop the requirement of keeping the cert-key pair in cache for each user that accesses the cluster. Part of #21609 * athena audit logs - config (#23703) * athena audit logs - config * use sqs timeout as duration * compile regexp once * Rename to QueueURL * add aws docs and comments * update log decsription * add license * rename getQueryResultsInterval * use aws sdk v2 * Fixes unsused flags from `tsh kube exec` command (#23836) * Fixes unsused flags from `tsh kube exec` command Since its introduction, `tsh kube exec` didn't have any use for the `--reason` and `--invite` flags and completely ignored what users did with it. This PR transports those flags as query parameters to Teleport Kubernetes Service which includes them when creating the session resource in Teleport. * add tests * fix flaky test * GitLab Delegated Joining docs (#23047) * Skeleton out docs for GitLab joining * Adjust description of guide * Add more GitLab docs * Explain the possible constraints * Add final example of GitLab CI * Correct token name * Further clarify a few parts of the documentation * Correct example of project_path constraint * Add more specific link to GitLab docs * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Update docs/pages/machine-id/guides/github-actions.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * add new guide to navbar * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Update docs/pages/machine-id/guides/github-actions.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * More concise/precise language in bot creation * Add further explanation of fields * Update docs/pages/machine-id/guides/gitlab.mdx Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Add reference page for gitlab joining * Fix link * line break adjustments * note bot role is built in * Minor spag correction --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> * Enforce Kubernetes license when creating Kube resources (#23755) This PR prevents the registration of Kubernetes clusters in Teleport Auth server when the auth isn't licensed for Kubernetes access. This is required because with the new credentials forwarding mechanism, services won't call Auth server `ProcessKubeCSR` endpoint and thus we cannot enforce the license. This change prevents any agent to register its `KubeServers` in Auth server if the server isn't properly licensed to Kube. It only affects enterprise users because the open source version of Auth is licensed for Kubernetes access. Part of #22533 * Docs: prefer `curl .../auth/export` instead of `tctl auth export` (#23560) * Docs: prefer `curl .../auth/export` instead of `tctl auth export` * consistent usage of curl command * Update docs/pages/desktop-access/active-directory-manual.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update docs/pages/server-access/guides/openssh.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * add proxy Var instead of using ScopedBlock * Update docs/pages/desktop-access/active-directory-manual.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update docs/pages/management/guides/ssh-key-extensions.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update docs/pages/desktop-access/troubleshooting.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update docs/pages/server-access/guides/openssh.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update docs/pages/server-access/guides/recording-proxy-mode.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Make `proxy.Client` infer the cluster name from Proxy (#23644) Instead of relying on users to provide the cluster name, the client now determines the cluster name by inspecting the certificate presented by the Proxy during the TLS or SSH handshake. This is required when connecting to a Proxy via a jump host since the name of the cluster may not match the currently logged in cluster. This is achieved by leveraging a custom `credentials.TransportCredentials` when connecting via gRPC and a custom `ssh.HostKeyCallback` when connecting SSH. * tsh: Fix redundant error in PPK generation on relogin (#23899) * tsh: Fix redundant error in PPK generation on relogin The logic for when we outputted an error was not very sound. Reworked it. Fixes #23778 * Switch to error at debug level rather than stack trace Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * docs: include enable teleport service in systemctl start (#23971) * docs: include enable teleport service. * Mention to enable * ClusterItem: Remove usage of colors.secondary.lighter (#23979) * Integration status: proto (#23912) * Integration status: proto * Caps IntegrationStatus values * Update e reference (#23983) * Fix relaxed moderator joining for Kube Access (#23674) This PR fixes the relaxed mode for moderator joining moderated sessions. Previously, when the moderator didn't had access to the Kubernetes cluster where the session he tried to join was active, Teleport would panic because the user didn't had at least one `kubernetes_user` or `kubernetes_group`. This PR moves the check of kubernetes principals into the autorization step instead of the authentication step in order to prevent the failure of authentication followed by a panic. * Move ALPN dialer, ALPN conn upgrade, Ping conn to api (#23860) * Bump github.com/crewjam/saml in /examples/api-sync-roles (#23942) Bumps [github.com/crewjam/saml](https://github.com/crewjam/saml) from 0.4.12 to 0.4.13. - [Release notes](https://github.com/crewjam/saml/releases) - [Commits](crewjam/saml@v0.4.12...v0.4.13) --- updated-dependencies: - dependency-name: github.com/crewjam/saml dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Batched Dependabot updates (#23975) * Bump github.com/crewjam/saml in /examples/api-sync-roles Bumps [github.com/crewjam/saml](https://github.com/crewjam/saml) from 0.4.12 to 0.4.13. - [Release notes](https://github.com/crewjam/saml/releases) - [Commits](crewjam/saml@v0.4.12...v0.4.13) --- updated-dependencies: - dependency-name: github.com/crewjam/saml dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/elastic/go-elasticsearch/v8 from 8.6.0 to 8.7.0 Bumps [github.com/elastic/go-elasticsearch/v8](https://github.com/elastic/go-elasticsearch) from 8.6.0 to 8.7.0. - [Release notes](https://github.com/elastic/go-elasticsearch/releases) - [Changelog](https://github.com/elastic/go-elasticsearch/blob/main/CHANGELOG.md) - [Commits](elastic/go-elasticsearch@v8.6.0...v8.7.0) --- updated-dependencies: - dependency-name: github.com/elastic/go-elasticsearch/v8 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/go-logr/logr from 1.2.3 to 1.2.4 Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.3...v1.2.4) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2 Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2](https://github.com/Azure/azure-sdk-for-go) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](Azure/azure-sdk-for-go@sdk/resourcemanager/nginx/armnginx/v2.1.0...sdk/resourcemanager/redis/armredis/v2.2.0) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.91.0 to 1.92.1 Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.91.0 to 1.92.1. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.91.0...service/ec2/v1.92.1) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 Bumps [github.com/jonboulle/clockwork](https://github.com/jonboulle/clockwork) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/jonboulle/clockwork/releases) - [Commits](jonboulle/clockwork@v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: github.com/jonboulle/clockwork dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 in /api Bumps [github.com/jonboulle/clockwork](https://github.com/jonboulle/clockwork) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/jonboulle/clockwork/releases) - [Commits](jonboulle/clockwork@v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: github.com/jonboulle/clockwork dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump github.com/aws/aws-sdk-go from 1.44.231 to 1.44.234 Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.231 to 1.44.234. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.44.231...v1.44.234) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Revert "Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 in /api" This reverts commit 9ac0990. * Revert "Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0" This reverts commit aa32f5d. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-batcher[bot] <122306277+dependabot-batcher[bot]@users.noreply.github.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> * Headless Authn: documentation (#23272) * Add docs. * Update docs/pages/access-controls/guides/headless-login.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Fix lint error. * Ellaborate on how headless login differs from standard login. * Resolve comments; Fix capitalization. * Resolves comments. * Add cli reference docs. * Restructure guide; Remove scoped blocks; Update descriptions; resolve other comments. * Make configuration options/alternatives collapsible; Fix typos. * Fix file names, titles, and make new config details begin as closed. * Fix hidden merge conflict. * Add line breaks. * Fix dead link. --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers (#23962) Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * helm: Add support for imagePullSecrets to teleport-cluster chart (#23927) * helm: Add support for imagePullSecrets to teleport-cluster chart This was added to the teleport-kube-agent chart in #6941 but for some reason we never added it to teleport-cluster. This PR rectifies that. * Add imagePullSecrets to teleport-cluster chart reference * Close auth clients in tctl tests (#24011) Goroutine dumps from failed tests show a large number of goroutines blocked in GRPC client code. Our tctl tests create auth clients but only expose them via auth.ClientI, which doesn't have a close method. Updates #19372 and #24005 * fix joining moderated sessions in ui (#23807) * Define an explicit device resource as DeviceV1 (#23901) * Define the DeviceV1 resource proto * Update generated protos * Move device conversions to API * Test device conversions * Handle nil gracefully * Add license to new files * Add agentless items to test plan (#23918) * add agentless items to test plan * add link to agentless docs * operator: revert to old dockerfile and oci image build process (#24022) * Declare device resource CRUD methods (#23913) * docs: device trust edits (#23639) * docs: make device trust cluster auth config cloud scoped * docs: include required version for device trust * Simplify cap example * Fix listing of participant modes in UI (#23858) * change default session join mode to observer and add message (#23886) * Update default session join mode in docs (#23934) * GHA: Update path filters to include workflow files and Makefile (#23940) * Add missing `join_method` in azure joining docs (#24013) * add `set -eu` to discovery installer (#23761) * Connect: Collect protocol origin (#23898) * Add `origin` field to protocol event * Capture protocol event origin * Use positional arguments * Missing rename * Connect: Add SearchBar (#23980) This commit adds an MVP of the search bar to Connect. Currently it's behind a feature flag (`feature.searchBar`) but we'll enable it by default before the release. The plan was to merge the code ASAP, potentially even straight to v12 when we have the chance, which didn't exactly pan out but there's no harm to having this feature flag for now. On top of that, this commit adds a new shortcut to open the search bar (this replaces the current shortcut to open the command bar) and a shortcut to open a new terminal tab. The search works by essentially making a `ListResources` request for each supported resource type to every cluster the user is logged in to. We repurposed the old command palette UI for that but rewritten it to use React context and hooks rather than a class and a store. This allowed us to be a little bit more flexible as the old approach required every picker to conform to the same interface, both in terms of UI and code. This implementation has two main pickers so far: * `ActionPicker` which is the main one. It searches for resources but at the moment it also supports applying filters. In the future, we plan to add more actions to it such as "Open a new tab" or "Install tsh". * `ParameterPicker` is activated when you pick an action from the `ActionPicker` that requires an additional parameter. Think choosing an SSH server or a db – you need to provide an SSH login or a db user for those item. In those situations, `ActionPicker` will switch to `ParameterPicker` and let you pick a relevant item from the list. Everything is contained within `web/packages/teleterm/src/ui/Search`. Arguably, `useSearch` could be refactored a little bit to maybe make its structure a little more clear as it handles both the resource search and the filter search. However, at the moment we're not totally sure how the search bar will evolve, so we want to leave any bigger refactors for later. We added a couple of basic tests for regressions that happened so far. We also have stories for the items from the action picker. Error handling will be added in an upcoming PR. Docs updates will be done in a separate PR as well. Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * docs: correct mongodb atlas example config (#24041) * Support SQL Server through RDS Proxy (#23600) * feat(db): add support for sqlserver rds proxy * chore(gomod): go mod tidy * chore(gomod): go mod tidy * chore(sqlserver): move params keys to constants * Update RFD Template for security reviewers to include @jentfoo (#24010) * Update RFD Template for security @ Add myself to the list of security reviewers. * Update rfd/0000-rfds.md Co-authored-by: Reed Loden <reed@goteleport.com> --------- Co-authored-by: Reed Loden <reed@goteleport.com> * Introduce `tsh bench kube` tool (#23781) This PR introduces a Kubernetes benchmark tool that allows us to test the Kubernetes access flow using a similar approach used for ssh. This PR renames the default SSH benchmark to `tsh bench ssh` while Kube benchmarks are available using `tsh bench kube`. Closes #23763 * helm: delete hook-related resource on re-apply (#24054) In case of a previously failed deployment this will allow users to attempt directly another chart release without having to delete the jobs. This behaviour is less awkward but might hide previous failures. We can legitimnately expect users to monitor their own failures though. * Docs: Remove Details block from tctl partial. (#24000) * remove details blocks in tctl partial * add bullet point when calling tctl partial * docs linter fixes * Add MDM-related protobuf definitions (#23880) * Add device_data to CreateDeviceEnrollTokenRequest * Add definitions for the SyncInventory RPC * Add source to Device * Add profile to Device * Add profile information to DeviceCollectedData * Update generated protos * update Makefile to use cargo sparse protocol in all cargo commands (#23856) * update Makefile to use cargo sparse protocol in all cargo commands * Adds a cargo version print to build-macos for debugging * uses the same setup steps for the rust and go toolchains as are being used in the similar enterprise workflow * Uses the prepare-toolchain-mac composite action in the build-macos.yaml workflow. * checkout e so that the prepare-toolchain-mac composite action is available * Fetch the correct e ref for the composite action * Attempts to checkout with submodules * fetch-depth: 0 * seems that I can't get to teleport.e from the oss actions * updates bypass * testing ci * testing ci * testing for ci * fixing indentation * trying to get CI to actually run * fixing indentation * fixing lib/srv/desktop/rdp/rdpclient/client.go * Bump Cloud SLA to 99.9% (#24076) * Remove the Access Controls FAQ (#23997) Fixes #11829 Teleport's Access Controls section is pretty sprawling, with 8 top-level subsections and 46 pages. The Access Controls FAQ, meanwhile, is unusually short, with only three questions. This can become misleading, since there's a good chance that any information someone is looking for in the FAQ will not exist there. This change removes the Access Controls FAQ. If an answer found in the FAQ does not exist explicitly elsewhere in the docs, I have added it. * Discover: Add more database type event names (#23742) * Add unguided database event names * Add database doc event names * Clarify how to decide undocumented style questions (#23999) Fixes #10716 There are too many style rules for us to have a style guide entry for everything. We could use a professional style guide, e.g., the AP manual, but these usually require subscriptions, which isn't great for an open source documentation site. Instead, we can side with consistency within a single page. * chore: Bump Go to 1.20.3 (#24060) * chore: Bump Go to 1.20.3 * Run `make dronegen` * Update e/ reference * Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting * DiscoverWeb: Emit events when clicking on unguided resources (#23746) * Rename following naming convention * Rename and add more db protocols * Define new events and add event names to resource spec * Emit events for unguided resources Also clear the loc state if the search bar was cleared to fix a weird quirk where when user goes back to the select resources screen, the preserved loc state applied filter again * Update tests * Add database doc event types * Remove deprecated web api routes (#24050) * Fix compilation errors after branch update --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: Roman Tkachenko <roman@goteleport.com> Co-authored-by: Alan Parra <alan.parra@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Justinas Stankevičius <justinas@users.noreply.github.com> Co-authored-by: Marek Smoliński <marek@goteleport.com> Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com> Co-authored-by: Steven Martin <steven@goteleport.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Michael Wilson <mike@mdwn.dev> Co-authored-by: Andrew Burke <31974658+atburke@users.noreply.github.com> Co-authored-by: Walt <walt@goteleport.com> Co-authored-by: Trent Clarke <trent@goteleport.com> Co-authored-by: Reed Loden <reed@goteleport.com> Co-authored-by: Cam Hutchison <camh@goteleport.com> Co-authored-by: Tobiasz Heller <14020794+tobiaszheller@users.noreply.github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: Gus Luxton <gus@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-batcher[bot] <122306277+dependabot-batcher[bot]@users.noreply.github.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Brian Joerger <bjoerger@goteleport.com> Co-authored-by: Yassine Bounekhla <56373201+rudream@users.noreply.github.com> Co-authored-by: Andrew LeFevre <andrew.lefevre@goteleport.com> Co-authored-by: Alex McGrath <alex.mcgrath@goteleport.com> Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com> Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com> Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com> Co-authored-by: Jim Bishopp <jim@goteleport.com> Co-authored-by: Lisa Kim <lisa@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com>

smallinsky force-pushed the smallinsky/oracle_protocol_v3 branch 2 times, most recently from ceebbf0 to 593295e Compare March 20, 2023 13:32

smallinsky marked this pull request as ready for review March 20, 2023 13:59

github-actions Bot added database-access Database access related issues and PRs size/lg tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Mar 20, 2023

github-actions Bot requested review from hatched and zmb3 March 20, 2023 14:00

smallinsky removed request for hatched and zmb3 March 20, 2023 14:04

smallinsky force-pushed the smallinsky/oracle_protocol_v3 branch 2 times, most recently from 97b480c to 139093b Compare March 20, 2023 14:18

smallinsky requested review from gabrielcorado, greedy52 and r0mant March 20, 2023 14:56

gabrielcorado reviewed Mar 23, 2023

View reviewed changes

Comment thread tool/tsh/db.go Outdated

Comment thread lib/client/identityfile/identity.go Outdated

Comment thread lib/client/identityfile/identity.go

Comment thread lib/client/db/dbcmd/dbcmd.go Outdated

greedy52 reviewed Mar 24, 2023

View reviewed changes

greedy52 approved these changes Mar 27, 2023

View reviewed changes

gabrielcorado approved these changes Mar 30, 2023

View reviewed changes

smallinsky force-pushed the smallinsky/oracle_protocol_v3 branch 4 times, most recently from d907d73 to 0655a1c Compare March 30, 2023 11:48

r0mant approved these changes Mar 30, 2023

View reviewed changes

smallinsky force-pushed the smallinsky/oracle_protocol_v3 branch 2 times, most recently from 6d178d0 to b4a0dc7 Compare March 31, 2023 09:53

smallinsky mentioned this pull request Mar 31, 2023

[v12] Add Support for Oracle protocol #23892

Merged