diff --git a/CHANGELOG.md b/CHANGELOG.md
index bec19fe1e57cb..4d61fb7d5e868 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
# Changelog
+## 13.3.5 (08/22/23)
+
+* Fixed a bug in teleport-cluster Helm chart causing Teleport to crash when AWS DynamoDB autoscaling is enabled. [#30841](https://github.com/gravitational/teleport/pull/30841)
+* Added Teleport Assist to Web Terminal. [#30811](https://github.com/gravitational/teleport/pull/30811)
+* Fixed S3 metric name for completed multipart uploads. [#30710](https://github.com/gravitational/teleport/pull/30710)
+* Added the ability for `tsh` to register and enroll the `--current-device`. [#30702](https://github.com/gravitational/teleport/pull/30702)
+* Fixed Review Requests to disallow reviews after request is resolved. [#30690](https://github.com/gravitational/teleport/pull/30690)
+* Ensure that SSH session errors are reported to the terminal. [#30684](https://github.com/gravitational/teleport/pull/30684)
+* Fixed an issue with `tsh aws ssm start-session`. [#30668](https://github.com/gravitational/teleport/pull/30668)
+* Fixed an issue with the access request failing with `invalid maxDuration`. [teleport.e#2037](https://github.com/gravitational/teleport.e/pull/2037)
+
+### Security fix
+
+* Security improvements with possible `medium` severity DoS conditions through protocol level attacks. [#30854](https://github.com/gravitational/teleport/pull/30854)
+
## 13.3.4 (08/18/23)
* Allow host users to be created with specific UID/GIDs [#30178](https://github.com/gravitational/teleport/pull/30178)
diff --git a/Makefile b/Makefile
index a1697b7fb236f..2a12fb721563b 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,7 @@
# Stable releases: "1.0.0"
# Pre-releases: "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
# Master/dev branch: "1.0.0-dev"
-VERSION=13.3.4
+VERSION=13.3.5
DOCKER_IMAGE ?= teleport
diff --git a/api/version.go b/api/version.go
index 550b030652796..1732ba8d5b327 100644
--- a/api/version.go
+++ b/api/version.go
@@ -1,7 +1,7 @@
// Code generated by "make version". DO NOT EDIT.
package api
-const Version = "13.3.4"
+const Version = "13.3.5"
// Gitref is set to the output of "git describe" during the build process.
var Gitref string
diff --git a/build.assets/macos/tsh/tsh.app/Contents/Info.plist b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
index b9952372d41a9..97aa542983ce8 100644
--- a/build.assets/macos/tsh/tsh.app/Contents/Info.plist
+++ b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
@@ -19,13 +19,13 @@
CFBundlePackageType
APPL
CFBundleShortVersionString
- 13.3.4
+ 13.3.5
CFBundleSupportedPlatforms
MacOSX
CFBundleVersion
- 13.3.4
+ 13.3.5
DTCompiler
com.apple.compilers.llvm.clang.1_0
DTPlatformBuild
diff --git a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
index e65c9f84c9ef1..800a07f41d570 100644
--- a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
+++ b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
@@ -17,13 +17,13 @@
CFBundlePackageType
APPL
CFBundleShortVersionString
- 13.3.4
+ 13.3.5
CFBundleSupportedPlatforms
MacOSX
CFBundleVersion
- 13.3.4
+ 13.3.5
DTCompiler
com.apple.compilers.llvm.clang.1_0
DTPlatformBuild
diff --git a/examples/chart/teleport-cluster/Chart.yaml b/examples/chart/teleport-cluster/Chart.yaml
index 4de9e695c9b4e..874c5c902e7ae 100644
--- a/examples/chart/teleport-cluster/Chart.yaml
+++ b/examples/chart/teleport-cluster/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "13.3.4"
+.version: &version "13.3.5"
name: teleport-cluster
apiVersion: v2
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
index 3143754408cdb..b2997c4b6db68 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "13.3.4"
+.version: &version "13.3.5"
name: teleport-operator
apiVersion: v2
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
index e375219958981..a389eb844b86a 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -1,6 +1,6 @@
should add an operator side-car when operator is enabled:
1: |
- image: public.ecr.aws/gravitational/teleport-operator:13.3.4
+ image: public.ecr.aws/gravitational/teleport-operator:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -34,7 +34,7 @@ should add an operator side-car when operator is enabled:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -167,7 +167,7 @@ should set nodeSelector when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -264,7 +264,7 @@ should set resources when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -350,7 +350,7 @@ should set securityContext when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
index 46891c94e8976..8e7d2adebd76f 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
name: wait-auth-update
- args:
- echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
name: wait-auth-update
nodeSelector:
environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -242,7 +242,7 @@ should set resources when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -451,7 +451,7 @@ should set securityContext when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
diff --git a/examples/chart/teleport-kube-agent/Chart.yaml b/examples/chart/teleport-kube-agent/Chart.yaml
index 92501029ada5a..012bb98f1ae98 100644
--- a/examples/chart/teleport-kube-agent/Chart.yaml
+++ b/examples/chart/teleport-kube-agent/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "13.3.4"
+.version: &version "13.3.5"
name: teleport-kube-agent
apiVersion: v2
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
index 38843d4a68d7c..1841b46289e26 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
@@ -30,7 +30,7 @@ sets Deployment annotations when specified if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -101,7 +101,7 @@ sets Deployment labels when specified if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -159,7 +159,7 @@ sets Pod annotations when specified if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -217,7 +217,7 @@ sets Pod labels when specified if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -292,7 +292,7 @@ should add emptyDir for data when existingDataVolume is not set if action is Upg
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -351,7 +351,7 @@ should add insecureSkipProxyTLSVerify to args when set in values if action is Up
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -409,7 +409,7 @@ should correctly configure existingDataVolume when set if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -465,7 +465,7 @@ should expose diag port if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -535,7 +535,7 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -605,7 +605,7 @@ should have multiple replicas when replicaCount is set (using highAvailability.r
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -663,7 +663,7 @@ should have one replica when replicaCount is not set if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -721,7 +721,7 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -786,7 +786,7 @@ should mount tls.existingCASecretName and set environment when set in values if
value: "true"
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -854,7 +854,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu
value: http://username:password@my.proxy.host:3128
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -918,7 +918,7 @@ should provision initContainer correctly when set in values if action is Upgrade
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1012,7 +1012,7 @@ should set SecurityContext if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1090,7 +1090,7 @@ should set affinity when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1148,7 +1148,7 @@ should set default serviceAccountName when not set in values if action is Upgrad
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1219,7 +1219,7 @@ should set environment when extraEnv set in values if action is Upgrade:
value: "true"
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1335,7 +1335,7 @@ should set imagePullPolicy when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: Always
livenessProbe:
failureThreshold: 6
@@ -1393,7 +1393,7 @@ should set nodeSelector if set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1453,7 +1453,7 @@ should set not set priorityClassName when not set in values if action is Upgrade
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1523,7 +1523,7 @@ should set preferred affinity when more than one replica is used if action is Up
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1581,7 +1581,7 @@ should set priorityClassName when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1640,7 +1640,7 @@ should set probeTimeoutSeconds when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1708,7 +1708,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set if
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1766,7 +1766,7 @@ should set resources when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1831,7 +1831,7 @@ should set serviceAccountName when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1889,7 +1889,7 @@ should set tolerations when set in values if action is Upgrade:
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
index 3012fd7006cc4..64b77d433af12 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
@@ -25,7 +25,7 @@ should create ServiceAccount for post-delete hook by default:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
@@ -104,7 +104,7 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
@@ -132,7 +132,7 @@ should not create ServiceAccount, Role or RoleBinding for post-delete hook if se
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
@@ -160,7 +160,7 @@ should set nodeSelector in post-delete hook:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
@@ -190,7 +190,7 @@ should set securityContext in post-delete hook:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
index 1d6d17ab6d11e..464d3e0720584 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -16,7 +16,7 @@ sets Pod annotations when specified:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -84,7 +84,7 @@ sets Pod labels when specified:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -176,7 +176,7 @@ sets StatefulSet labels when specified:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -272,7 +272,7 @@ should add insecureSkipProxyTLSVerify to args when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -340,7 +340,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and action
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -428,7 +428,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -506,7 +506,7 @@ should add volumeMount for data volume when using StatefulSet:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -574,7 +574,7 @@ should expose diag port:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -642,7 +642,7 @@ should generate Statefulset when storage is disabled and mode is a Upgrade:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -724,7 +724,7 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -804,7 +804,7 @@ should have multiple replicas when replicaCount is set (using highAvailability.r
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -872,7 +872,7 @@ should have one replica when replicaCount is not set:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -940,7 +940,7 @@ should install Statefulset when storage is disabled and mode is a Fresh Install:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1010,7 +1010,7 @@ should mount extraVolumes and extraVolumeMounts:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1085,7 +1085,7 @@ should mount tls.existingCASecretName and set environment when set in values:
value: RELEASE-NAME
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1165,7 +1165,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu
value: /etc/teleport-tls-ca/ca.pem
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1241,7 +1241,7 @@ should not add emptyDir for data when using StatefulSet:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1309,7 +1309,7 @@ should provision initContainer correctly when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1413,7 +1413,7 @@ should set SecurityContext:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1501,7 +1501,7 @@ should set affinity when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1569,7 +1569,7 @@ should set default serviceAccountName when not set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1650,7 +1650,7 @@ should set environment when extraEnv set in values:
value: RELEASE-NAME
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1786,7 +1786,7 @@ should set imagePullPolicy when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: Always
livenessProbe:
failureThreshold: 6
@@ -1854,7 +1854,7 @@ should set nodeSelector if set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -1936,7 +1936,7 @@ should set preferred affinity when more than one replica is used:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2004,7 +2004,7 @@ should set probeTimeoutSeconds when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2082,7 +2082,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2150,7 +2150,7 @@ should set resources when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2225,7 +2225,7 @@ should set serviceAccountName when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2293,7 +2293,7 @@ should set storage.requests when set in values and action is an Upgrade:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2361,7 +2361,7 @@ should set storage.storageClassName when set in values and action is an Upgrade:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -2429,7 +2429,7 @@ should set tolerations when set in values:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:13.3.4
+ image: public.ecr.aws/gravitational/teleport-distroless:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap
index bed7d347f8490..3ee020b02d1b6 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap
@@ -27,7 +27,7 @@ sets the affinity:
- --base-image=public.ecr.aws/gravitational/teleport-distroless
- --version-server=https://my-custom-version-server/v1
- --version-channel=custom/preview
- image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.4
+ image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
@@ -71,7 +71,7 @@ sets the tolerations:
- --base-image=public.ecr.aws/gravitational/teleport-distroless
- --version-server=https://my-custom-version-server/v1
- --version-channel=custom/preview
- image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.4
+ image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
diff --git a/fuzz/oss-fuzz-build.sh b/fuzz/oss-fuzz-build.sh
index ca202da6b06b6..e5c1829fb6b7b 100755
--- a/fuzz/oss-fuzz-build.sh
+++ b/fuzz/oss-fuzz-build.sh
@@ -91,7 +91,10 @@ build_teleport_fuzzers() {
FuzzParseCredentialRequestResponseBody fuzz_parse_credential_request_response_body
compile_native_go_fuzzer $TELEPORT_PREFIX/lib/web \
- FuzzTdpMFACodecDecode fuzz_tdp_mfa_codec_decode
+ FuzzTdpMFACodecDecodeChallenge fuzz_tdp_mfa_codec_decode_challenge
+
+ compile_native_go_fuzzer $TELEPORT_PREFIX/lib/web \
+ FuzzTdpMFACodecDecodeResponse fuzz_tdp_mfa_codec_decode_response
}
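Review bot: Renaming the existing target away from `fuzz_tdp_mfa_codec_decode` drops the name under which OSS-Fuzz has presumably been storing its corpus, so both new targets would start again from their seeds only. If the old fuzzer exercised what is now FuzzTdpMFACodecDecodeResponse (the test file suggests so, but that function's body is cut off in this diff), keeping the old output name for it preserves the corpus: `FuzzTdpMFACodecDecodeResponse fuzz_tdp_mfa_codec_decode`. build_teleport_fuzzers starts outside the hunk.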
diff --git a/integrations/kube-agent-updater/version.go b/integrations/kube-agent-updater/version.go
index ad594547201e8..2f683607e5df7 100644
--- a/integrations/kube-agent-updater/version.go
+++ b/integrations/kube-agent-updater/version.go
@@ -1,7 +1,7 @@
// Code generated by "make version". DO NOT EDIT.
package kubeversionupdater
-const Version = "13.3.4"
+const Version = "13.3.5"
// Gitref is set to the output of "git describe" during the build process.
var Gitref string
diff --git a/lib/auth/http_client.go b/lib/auth/http_client.go
index 2ac9301762635..c4aedb7238cff 100644
--- a/lib/auth/http_client.go
+++ b/lib/auth/http_client.go
@@ -840,7 +840,7 @@ func (c *HTTPClient) ValidateOIDCAuthCallback(ctx context.Context, q url.Values)
if err != nil {
return nil, trace.Wrap(err)
}
- var rawResponse *OIDCAuthRawResponse
+ var rawResponse OIDCAuthRawResponse
if err := json.Unmarshal(out.Bytes(), &rawResponse); err != nil {
return nil, trace.Wrap(err)
}
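Review bot: A response body of literal `null` still passes the `json.Unmarshal` check in ValidateOIDCAuthCallback; with the value type it now produces a zero-valued `OIDCAuthRawResponse` instead of a nil pointer, so the nil dereference is gone but an empty response counts as decoded. The code that consumes `rawResponse` is outside the hunk, so whether it rejects empty fields cannot be confirmed from here. I would add a comment on the declaration so the pointer form is not reintroduced later, e.g. `// Value, not pointer: JSON null leaves a pointer nil without an error.` The same applies to the identical change in ValidateSAMLResponse, sendValidateRequestToProxy, issueSSOLoginConsoleRequest, SSHAgentLogin, SSHAgentHeadlessLogin, siteNodeConnect and executeCommand.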
@@ -878,7 +878,7 @@ func (c *HTTPClient) ValidateSAMLResponse(ctx context.Context, re string, connec
if err != nil {
return nil, trace.Wrap(err)
}
- var rawResponse *SAMLAuthRawResponse
+ var rawResponse SAMLAuthRawResponse
if err := json.Unmarshal(out.Bytes(), &rawResponse); err != nil {
return nil, trace.Wrap(err)
}
diff --git a/lib/auth/trustedcluster.go b/lib/auth/trustedcluster.go
index 9d85a0463b4e1..296c77d3d43fe 100644
--- a/lib/auth/trustedcluster.go
+++ b/lib/auth/trustedcluster.go
@@ -654,7 +654,7 @@ func (a *Server) sendValidateRequestToProxy(host string, validateRequest *Valida
return nil, trace.Wrap(err)
}
- var validateResponseRaw *ValidateTrustedClusterResponseRaw
+ var validateResponseRaw ValidateTrustedClusterResponseRaw
err = json.Unmarshal(out.Bytes(), &validateResponseRaw)
if err != nil {
return nil, trace.Wrap(err)
diff --git a/lib/client/redirect.go b/lib/client/redirect.go
index cb92e5206e24a..e5f3fb82fa388 100644
--- a/lib/client/redirect.go
+++ b/lib/client/redirect.go
@@ -196,13 +196,13 @@ func (rd *Redirector) issueSSOLoginConsoleRequest(req SSOLoginConsoleReq) (*SSOL
return nil, trace.Wrap(err)
}
- var re *SSOLoginConsoleResponse
+ var re SSOLoginConsoleResponse
err = json.Unmarshal(out.Bytes(), &re)
if err != nil {
return nil, trace.Wrap(err)
}
- return re, nil
+ return &re, nil
}
// Done is called when redirector is closed
@@ -247,13 +247,13 @@ func (rd *Redirector) callback(w http.ResponseWriter, r *http.Request) (*auth.SS
return nil, trace.BadParameter("failed to decrypt response: in %v, err: %v", r.URL.String(), err)
}
- var re *auth.SSHLoginResponse
+ var re auth.SSHLoginResponse
err = json.Unmarshal(plaintext, &re)
if err != nil {
return nil, trace.BadParameter("failed to decrypt response: in %v, err: %v", r.URL.String(), err)
}
- return re, nil
+ return &re, nil
}
// Close closes redirector and releases all resources
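Review bot: The JSON decode failure in callback reuses the wording of the decryption failure just above it, `failed to decrypt response`, so the error does not tell which stage rejected the payload. I would change the second one to `return nil, trace.BadParameter("failed to decode response: in %v, err: %v", r.URL.String(), err)`. Both messages also embed the full callback URL with its query string; if that query carries the encrypted login response (not visible in this hunk), consider reporting only the path. The start of callback is outside the hunk.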
diff --git a/lib/client/weblogin.go b/lib/client/weblogin.go
index e408dc2692cf0..85f976c3106de 100644
--- a/lib/client/weblogin.go
+++ b/lib/client/weblogin.go
@@ -449,13 +449,13 @@ func SSHAgentLogin(ctx context.Context, login SSHLoginDirect) (*auth.SSHLoginRes
return nil, trace.Wrap(err)
}
- var out *auth.SSHLoginResponse
+ var out auth.SSHLoginResponse
err = json.Unmarshal(re.Bytes(), &out)
if err != nil {
return nil, trace.Wrap(err)
}
- return out, nil
+ return &out, nil
}
// SSHAgentHeadlessLogin begins the headless login ceremony, returning new user certificates if successful.
@@ -482,13 +482,13 @@ func SSHAgentHeadlessLogin(ctx context.Context, login SSHLoginHeadless) (*auth.S
return nil, trace.Wrap(err)
}
- var out *auth.SSHLoginResponse
+ var out auth.SSHLoginResponse
err = json.Unmarshal(re.Bytes(), &out)
if err != nil {
return nil, trace.Wrap(err)
}
- return out, nil
+ return &out, nil
}
// SSHAgentPasswordlessLogin requests a passwordless MFA challenge via the proxy.
diff --git a/lib/srv/desktop/tdp/proto.go b/lib/srv/desktop/tdp/proto.go
index 35718ddcf562c..99e85b45c4037 100644
--- a/lib/srv/desktop/tdp/proto.go
+++ b/lib/srv/desktop/tdp/proto.go
@@ -596,6 +596,8 @@ func DecodeMFA(in byteReader) (*MFA, error) {
if length > maxMFADataLength {
_, _ = io.CopyN(io.Discard, in, int64(length))
return nil, mfaDataMaxLenErr
+ } else if length == 0 {
+ return nil, trace.BadParameter("mfa data missing")
}
b := make([]byte, int(length))
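Review bot: The new `} else if length == 0 {` hangs off a branch that already returns, which reads as if the two cases were alternatives of one decision. A separate guard is the usual Go shape: close the first `if` and write `if length == 0 {` followed by `return nil, trace.BadParameter("mfa data missing")`. The same pattern is added in DecodeMFAChallenge in the next hunk. DecodeMFA starts and continues outside this hunk.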
@@ -636,6 +638,8 @@ func DecodeMFAChallenge(in byteReader) (*MFA, error) {
if length > maxMFADataLength {
return nil, trace.BadParameter("mfa challenge data exceeds maximum length")
+ } else if length == 0 {
+ return nil, trace.BadParameter("mfa challenge data missing")
}
b := make([]byte, int(length))
@@ -643,17 +647,14 @@ func DecodeMFAChallenge(in byteReader) (*MFA, error) {
return nil, trace.Wrap(err)
}
- var req *client.MFAAuthenticateChallenge
+ var req client.MFAAuthenticateChallenge
if err := json.Unmarshal(b, &req); err != nil {
return nil, trace.Wrap(err)
}
- if err != nil {
- return nil, trace.Wrap(err)
- }
return &MFA{
Type: mt,
- MFAAuthenticateChallenge: req,
+ MFAAuthenticateChallenge: &req,
}, nil
}
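Review bot: A payload of JSON `null` now decodes into a zero-valued `client.MFAAuthenticateChallenge` and is returned as a successful `*MFA`, so callers get a challenge with nothing in it rather than an error. If an empty challenge is never valid on this path, reject it after the unmarshal with a `trace.BadParameter`. Otherwise add a comment such as `// req may be empty (e.g. JSON null); callers must handle a challenge with no content.` The function starts outside the hunk.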
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index b4bf8e6626a05..03051638abdb1 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -2642,7 +2642,7 @@ func (h *Handler) siteNodeConnect(
if params == "" {
return nil, trace.BadParameter("missing params")
}
- var req *TerminalRequest
+ var req TerminalRequest
if err := json.Unmarshal([]byte(params), &req); err != nil {
return nil, trace.Wrap(err)
}
@@ -2671,13 +2671,13 @@ func (h *Handler) siteNodeConnect(
clusterName := site.GetName()
if req.SessionID.IsZero() {
// An existing session ID was not provided so we need to create a new one.
- sessionData, err = h.generateSession(ctx, clt, req, clusterName, sessionCtx)
+ sessionData, err = h.generateSession(ctx, clt, &req, clusterName, sessionCtx)
if err != nil {
h.log.WithError(err).Debug("Unable to generate new ssh session.")
return nil, trace.Wrap(err)
}
} else {
- sessionData, tracker, err = h.fetchExistingSession(ctx, clt, req, clusterName)
+ sessionData, tracker, err = h.fetchExistingSession(ctx, clt, &req, clusterName)
if err != nil {
return nil, trace.Wrap(err)
}
diff --git a/lib/web/command.go b/lib/web/command.go
index fb176e14ec1d8..c861057d9ed23 100644
--- a/lib/web/command.go
+++ b/lib/web/command.go
@@ -135,7 +135,7 @@ func (h *Handler) executeCommand(
if params == "" {
return nil, trace.BadParameter("missing params")
}
- var req *CommandRequest
+ var req CommandRequest
if err := json.Unmarshal([]byte(params), &req); err != nil {
return nil, trace.BadParameter("failed to read JSON message: %v", err)
}
diff --git a/lib/web/cookie.go b/lib/web/cookie.go
index d84d567e65baf..ec50218ace9c4 100644
--- a/lib/web/cookie.go
+++ b/lib/web/cookie.go
@@ -42,11 +42,11 @@ func DecodeCookie(b string) (*SessionCookie, error) {
if err != nil {
return nil, err
}
- var c *SessionCookie
+ var c SessionCookie
if err := json.Unmarshal(bytes, &c); err != nil {
return nil, err
}
- return c, nil
+ return &c, nil
}
func SetSessionCookie(w http.ResponseWriter, user, sid string) error {
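Review bot: DecodeCookie now returns a non-nil, zero-valued `SessionCookie` with a nil error when the decoded payload is JSON `null`, where it previously returned a nil pointer. Callers outside this hunk may take a nil error to mean a usable cookie, so I would reject a cookie whose user or session id is empty before returning. Failing that, state in the doc comment that an empty cookie can be returned and must be checked by the caller. The start of the function is outside the hunk.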
diff --git a/lib/web/fuzz_test.go b/lib/web/fuzz_test.go
index f421f6faeb28d..a14ac0df971d5 100644
--- a/lib/web/fuzz_test.go
+++ b/lib/web/fuzz_test.go
@@ -17,13 +17,87 @@ limitations under the License.
package web
import (
+ "bytes"
+ "encoding/binary"
+ "encoding/json"
+ "math"
"testing"
"github.com/stretchr/testify/require"
+
+ apiproto "github.com/gravitational/teleport/api/client/proto"
+ wanpb "github.com/gravitational/teleport/api/types/webauthn"
+ "github.com/gravitational/teleport/lib/defaults"
+ "github.com/gravitational/teleport/lib/srv/desktop/tdp"
)
-func FuzzTdpMFACodecDecode(f *testing.F) {
- f.Add([]byte(""))
+func FuzzTdpMFACodecDecodeChallenge(f *testing.F) {
+ allowedCreds := wanpb.CredentialDescriptor{
+ Type: "public-key",
+ Id: []byte{0x02, 0x02, 0x02, 0x02},
+ }
+ extensions := wanpb.AuthenticationExtensionsClientInputs{AppId: "id"}
+ jsonData, err := json.Marshal(&apiproto.MFAAuthenticateChallenge{
+ WebauthnChallenge: &wanpb.CredentialAssertion{
+ PublicKey: &wanpb.PublicKeyCredentialRequestOptions{
+ Challenge: []byte{0xAA, 0xAA, 0xAA, 0xAA},
+ TimeoutMs: int64(120),
+ RpId: "RelyingPartyID",
+ AllowCredentials: []*wanpb.CredentialDescriptor{&allowedCreds},
+ Extensions: &extensions,
+ UserVerification: "verification",
+ },
+ },
+ })
+ require.NoError(f, err)
+ var normalBuf bytes.Buffer
+ var maxSizeBuf bytes.Buffer
+ // add initial bytes for protocol
+ _, err = normalBuf.Write([]byte{byte(tdp.TypeMFA), []byte(defaults.WebsocketWebauthnChallenge)[0]})
+ require.NoError(f, err)
+ _, err = maxSizeBuf.Write([]byte{byte(tdp.TypeMFA), []byte(defaults.WebsocketWebauthnChallenge)[0]})
+ require.NoError(f, err)
+ // Write the length using BigEndian encoding
+ require.NoError(f, binary.Write(&normalBuf, binary.BigEndian, uint32(len(jsonData))))
+ require.NoError(f, binary.Write(&maxSizeBuf, binary.BigEndian, uint32(math.MaxUint32)))
+ // Write the JSON data itself
+ _, err = normalBuf.Write(jsonData)
+ require.NoError(f, err)
+ _, err = maxSizeBuf.Write(jsonData)
+ require.NoError(f, err)
+
+ f.Add(normalBuf.Bytes())
+ f.Add(maxSizeBuf.Bytes())
+ f.Add([]byte{0xa, 0x6e, 0x0, 0x0, 0x0, 0x4, 0x6e, 0x75, 0x6c, 0x6c}) // nil json unmarshal without error
+
+ f.Fuzz(func(t *testing.T, buf []byte) {
+ require.NotPanics(t, func() {
+ codec := tdpMFACodec{}
+ _, _ = codec.decodeChallenge(buf, "")
+ })
+ })
+}
+
+func FuzzTdpMFACodecDecodeResponse(f *testing.F) {
+ var normalBuf bytes.Buffer
+ var maxSizeBuf bytes.Buffer
+ // add initial bytes for protocol
+ _, err := normalBuf.Write([]byte{byte(tdp.TypeMFA), []byte(defaults.WebsocketWebauthnChallenge)[0]})
+ require.NoError(f, err)
+ _, err = maxSizeBuf.Write([]byte{byte(tdp.TypeMFA), []byte(defaults.WebsocketWebauthnChallenge)[0]})
+ require.NoError(f, err)
+ mfaData := []byte("fake-data")
+ // Write the length using BigEndian encoding
+ require.NoError(f, binary.Write(&normalBuf, binary.BigEndian, uint32(len(mfaData))))
+ require.NoError(f, binary.Write(&maxSizeBuf, binary.BigEndian, uint32(math.MaxUint32)))
+ // add data field
+ _, err = normalBuf.Write(mfaData)
+ require.NoError(f, err)
+ _, err = maxSizeBuf.Write(mfaData)
+ require.NoError(f, err)
+
+ f.Add(normalBuf.Bytes())
+ f.Add(maxSizeBuf.Bytes())
f.Fuzz(func(t *testing.T, buf []byte) {
require.NotPanics(t, func() {
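Review bot: Neither fuzzer seeds a frame whose length field is zero, although this commit adds a `length == 0` rejection to DecodeMFA and DecodeMFAChallenge, which these codecs presumably reach. The seeds cover only a well-formed length, `math.MaxUint32`, and (challenge only) a `null` body. Add `f.Add([]byte{byte(tdp.TypeMFA), []byte(defaults.WebsocketWebauthnChallenge)[0], 0x0, 0x0, 0x0, 0x0})` to both functions. The frame-building code is also repeated almost line for line in the two fuzzers and could move into a small helper that takes the payload and the length to write. The body of FuzzTdpMFACodecDecodeResponse continues past the end of the hunk.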
diff --git a/version.go b/version.go
index 6cab7a796957a..3d0367973218e 100644
--- a/version.go
+++ b/version.go
@@ -1,7 +1,7 @@
// Code generated by "make version". DO NOT EDIT.
package teleport
-const Version = "13.3.4"
+const Version = "13.3.5"
// Gitref is set to the output of "git describe" during the build process.
var Gitref string