[v13] Secure File Removal Improvements #32434
Closed
jentfoo wants to merge 2876 commits into branch/v12 from
Conversation
Backports #30176
* Update eks helm guide for AWS PCA updating cert manager instructions when using AWS PCA plugin
* Update aws.mdx
* Update cspell.json
* Update docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
* Update docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
* Update aws.mdx
---------
Co-authored-by: Paul Schisa <75806143+pschisa@users.noreply.github.com>
Co-authored-by: Steven Martin <steven@goteleport.com>
…cess Request plugin docs (#30449)
* Use partial for Access Request plugin install docs
The Access Request plugin installation instructions are _almost_ standard. Make the instructions more consistent and easier to edit by replacing them with a partial. Use our partial parameter substitution syntax to supply the name of each plugin.
* Respond to alexfornuto feedback
* Add a missing `sudo`
Partially responds to stevenGravy feedback
* Add consistent Helm details
Ensure all Access Request plugin guides include the same Helm-related steps. Excluding the Jira plugin because that guide is out of date and will be addressed in a separate change. Also removes the "Feedback" section from each Access Request plugin guide. These are out of step with the rest of the docs, which don't include a feedback section, and do not reflect the current location of the Access Request plugin source.
* Spelling and linter fixes
* Changes to Discord plugin for running in hosted mode. Includes:
* Moves Default API URL setting into Discord config CheckAndSetDefaults()
* Only creates a Teleport client if one is not supplied during plugin construction.
* Optional hosted-plugin status updates
* fmt
AuthorizeContextWithVerbs has been exposed for callers who want to call Authorize explicitly but still use the AuthorizeWithVerbs call to verify access to a resource.
The access list enterprise tests were broken by changing the custom JSON marshaling of the access list audit from `map[string]interface{}` to `map[string]string`. This change restores the old behavior.
* Metrics: expose install method counter
This PR adds a new metric that exposes the number of servers currently running grouped by their install method. Note: install method is a list of strings, so the metric sorts its values and then joins them by "," to create a single identifier.
* do not mutate original install methods list
* Replace multi-line ScopedBlocks with Tabs
Backports #30616
* Replace multi-line ScopedBlocks with Tabs
Contributes to #30268
The documentation scope switcher tends to confuse users, and the ScopedBlock component hides docs content based on the scope switcher. To help remove ScopedBlocks from the docs site, this change replaces multi-line ScopedBlocks with Tabs components if they include variations for different scopes. While most multi-line ScopedBlocks function like Tabs, there are a few edge cases, which this change addresses individually. Note that this change does not intend to remove all ScopedBlocks that are placed inline within a paragraph. That will be the goal of a separate change.
* Remove more ScopedBlocks (#30623)
This builds on the work done in #30616 and contributes to #30616.
* Finish removing ScopedBlocks from the docs
Backports #30629
Closes #30268
* Remove `Tabs` components with one `TabItem`
Backports #30769
In #30616, we replaced `ScopedBlocks` with `Tabs` components. This was because most `ScopedBlocks` included variations on the same text for multiple scopes, and replacing them with `TabItem`s was straightforward. However, some replacements included only a single `TabItem`, which displays awkwardly in the docs. This change removes `Tabs` components with only one `TabItem`, replacing them with body text.
* Remove the remaining ScopedBlocks in the docs
Fixes #23564 The `install-linux-enterprise.mdx` partial already includes instructions for installing Teleport Enterprise using package managers, so this change introduces another partial to incorporate those instructions into `install-linux.mdx`.
Fixes #27161 Mention the Okta integration to ensure that the "Application Access" section introduction mentions all major categories of application access features.
…30996)
* Use the most recent user object for the bot generation label. The bot generation label now uses the current user object instead of the existing user state label.
* validateGenerationLabel uses username instead of passing in the user state.
* AWS OIDC: Configure IAM for EC2 Instance Connect Endpoint
This PR adds a new teleport command that sets up the required permissions to use EC2 Instance Connect Endpoint to connect to an EC2 instance. It also adds a one-off script that runs this command. The goal is to give a user a script for them to run; the script then downloads teleport and calls AWS APIs to create the inline policy.
* add const and lowercase error
* use correct client
…eptors (#30991)
* Avoid memory leaking in `otelgrpc` interceptors
* Fix for non go 1.21 usage
* Add link to issue reported in otel-go-contrib
This test starts a session and then immediately tries to join it. Sometimes we're too fast, and the session tracker doesn't yet exist so the join fails. Fix by waiting for the session tracker to show up before attempting the join. Closes #13607
* Additional safety with `X-Forwarded-Host` handling
This adds `utils.GetSingleHeader` as a common way to make sure that additional headers are not being inserted into the request. We use this in the `aws`, `azure`, and `gcp` handler as part of verifying the source of the request. In addition `alpnproxy/local_proxy.go` contains a fix where an invalid `Host` header can allow an arbitrary `X-Forwarded-Host` value to pass through unchanged.
* Apply PR feedback around error type and testing
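The single-header check this commit describes, as an added illustration that is not Teleport's own `utils.GetSingleHeader`: the function below, the hypothetical `ForwardedHost` helper and the constructed request are assumptions. The point it shows is that `http.Header.Get` returns only the first value, so a handler that identifies the upstream from `X-Forwarded-Host` must refuse a request carrying the header twice rather than pick one copy.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrDuplicateHeader is returned when a header that must be unambiguous
// appears more than once in a request.
var ErrDuplicateHeader = errors.New("header appears more than once")

// GetSingleHeader returns the value of the named header and fails when it is
// absent or repeated. Taking only the first value (as http.Header.Get does)
// would let a client that can append a second X-Forwarded-Host steer routing
// past a check that inspected a different copy of the header.
func GetSingleHeader(h http.Header, name string) (string, error) {
	vals := h.Values(name) // Values canonicalises the key, so case does not matter
	switch len(vals) {
	case 0:
		return "", fmt.Errorf("missing header %q", name)
	case 1:
		return vals[0], nil
	default:
		return "", fmt.Errorf("%w: %q has %d values", ErrDuplicateHeader, name, len(vals))
	}
}

// ForwardedHost is a hypothetical helper standing in for what a cloud API
// proxy handler would call before trusting the forwarded host.
func ForwardedHost(r *http.Request) (string, error) {
	return GetSingleHeader(r.Header, "X-Forwarded-Host")
}

func main() {
	// Constructed request: a legitimate value followed by a smuggled second
	// copy in different case. Header.Add canonicalises both under one key.
	r, _ := http.NewRequest(http.MethodGet, "http://localhost/", nil)
	r.Header.Add("X-Forwarded-Host", "sts.amazonaws.com")
	r.Header.Add("x-forwarded-host", "attacker.example")
	if _, err := ForwardedHost(r); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Returning an error rather than the first value is the safe default: a reverse proxy that was supposed to set exactly one `X-Forwarded-Host` will never send two, so a duplicate is evidence of tampering, not a case to tolerate.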
This change updates SSH server heartbeats to fetch metadata in the background so that the first heartbeat won't be delayed (this was causing flakiness in tests).
This change adds a few more places for the Discovery service to get the Teleport cluster's public proxy address for VM discovery.
…ace guide (#30807)
* Address 15812 and do some testing and editing while in the file
* Fix some typos
* Google Workspace WIP
* Modify images and text
* Clarify the client_id setting is the ID for the OAuth client
* Change client_id setting to be the service account unique ID, add link to troubleshooting.
* Fix typo
* Updates from review
* Modify images, update content with corrections
* new line and extraneous line complaints
* remove a new line
In #30277 we made the discovery process make two DNS queries in parallel. There was an error in this logic - since we don't write to the channel on error, if both queries fail we end up waiting a full 5 seconds even if the failures occur much quicker than that.
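The defect this commit describes, as an added illustration (not the discovery code from #30277): two parallel lookups where only successes are written to the result channel, next to a version in which every lookup reports back so the caller returns as soon as all of them have failed. The `Lookup` type, `failFast` and the timeouts are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Lookup is one resolver, for example a query for one DNS record type.
type Lookup func(ctx context.Context) ([]string, error)

// lookupFirstBuggy mirrors the defect: a failing lookup never reports back,
// so when every lookup fails the select blocks until the timeout fires even
// though the failures arrived in milliseconds.
func lookupFirstBuggy(ctx context.Context, timeout time.Duration, lookups ...Lookup) ([]string, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	results := make(chan []string, len(lookups))
	for _, l := range lookups {
		go func(l Lookup) {
			if addrs, err := l(ctx); err == nil {
				results <- addrs // nothing is sent on error
			}
		}(l)
	}
	select {
	case addrs := <-results:
		return addrs, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// LookupFirst is the corrected version: every lookup sends a result, success
// or failure, so the caller returns as soon as one succeeds or all have
// failed, and only waits out the timeout if a lookup is genuinely slow.
func LookupFirst(ctx context.Context, timeout time.Duration, lookups ...Lookup) ([]string, error) {
	if len(lookups) == 0 {
		return nil, errors.New("no lookups supplied")
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	type result struct {
		addrs []string
		err   error
	}
	// Buffered so that late goroutines never block after the caller has returned.
	results := make(chan result, len(lookups))
	for _, l := range lookups {
		go func(l Lookup) {
			addrs, err := l(ctx)
			results <- result{addrs, err}
		}(l)
	}
	var errs []error
	for range lookups {
		select {
		case r := <-results:
			if r.err == nil {
				return r.addrs, nil
			}
			errs = append(errs, r.err)
		case <-ctx.Done():
			return nil, errors.Join(append(errs, ctx.Err())...)
		}
	}
	return nil, errors.Join(errs...)
}

// failFast is a constructed lookup that fails immediately, standing in for a
// DNS server answering NXDOMAIN.
func failFast(ctx context.Context) ([]string, error) {
	return nil, errors.New("no such host")
}

func main() {
	start := time.Now()
	_, err := LookupFirst(context.Background(), 5*time.Second, failFast, failFast)
	fmt.Printf("both failed after %s: %v\n", time.Since(start).Round(time.Millisecond), err)
}
```

Counting received results against the number of lookups is what lets the fixed version stop early; the buffered channel is what keeps the goroutines from leaking when the caller has already returned with the first success.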
While most AWS uses within Teleport fully support EC2 IMDSv2, two places were not. Correct both those paths to procure a token first before trying to access IMDS. Fixes #30364.
* utils.RemoveSecure: Still attempt a removal after error in overwrite
As extra caution, even if an error occurs during the overwrite process, we still want to attempt a removal of sensitive files.
* keystore.go: More secure removal of keyfiles
This commit ensures that deleted keyfiles have been overwritten. This has little value on SSDs but can improve the security when the disk is magnetic.
* Apply PR feedback, notably better testing and early unlinking if possible
This adds an OS conditional so that if possible the file will be removed and then overwritten using the previous file handle. This will reduce the chance that the file will be witnessed with unexpected contents.
@jentfoo - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

jentfoo (Contributor, Author):
Whoops, this is pointing to the wrong branch, recreating

Contributor:
You can just change the base branch of a PR, fyi.
Backport #32260 to branch/v13