Skip to content

Enable hardware key support in the WebUI#32781

Merged
Joerger merged 7 commits intomasterfrom
joerger/hardware-key-support-webui
Oct 13, 2023
Merged

Enable hardware key support in the WebUI#32781
Joerger merged 7 commits intomasterfrom
joerger/hardware-key-support-webui

Conversation

@Joerger
Copy link
Copy Markdown
Contributor

@Joerger Joerger commented Sep 29, 2023
edited
Loading

This PR enables hardware key support in the WebUI.

Changes:

  • Update RFD
  • Add the web_session private key policy
  • Insert attestation data for web authenticated session -> web session certs and re-issued certs will be given the web_session private key policy.
  • Update grpc GetWebSession to require read permissions for KindWebSession instead of allowing users to read their own web session secrets.

Depends on #31743

@Joerger Joerger mentioned this pull request Sep 29, 2023
Closed
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch from 7f12ca7 to 8d7be07 Compare September 29, 2023 18:33
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 4ef7396 to 3a67608 Compare September 29, 2023 18:33
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch from 8d7be07 to 1af3971 Compare September 29, 2023 20:12
@Joerger Joerger mentioned this pull request Sep 29, 2023
Closed
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch 3 times, most recently from 19613bc to 84a9664 Compare September 30, 2023 00:57
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch from 1af3971 to b404ad1 Compare September 30, 2023 01:10
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 84a9664 to 1357803 Compare September 30, 2023 01:10
@Joerger Joerger marked this pull request as ready for review September 30, 2023 01:12
@github-actions github-actions Bot added rfd Request for Discussion size/sm ui labels Sep 30, 2023
ravicious
ravicious reviewed Oct 2, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@ravicious ravicious left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me on paper, but I think it'd be better if you requested a review from someone who knows more about lib/auth than I do. I certainly don't fully grasp all possible consequences of this change!

Comment thread lib/services/identity.go Outdated
Comment thread lib/auth/auth_with_roles.go Outdated
Comment thread rfd/0080-hardware-key-support.md Outdated
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 0894bbe to 6b0b257 Compare October 2, 2023 20:05
gzdunek
gzdunek approved these changes Oct 3, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@gzdunek gzdunek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but the same as Rafał, I don't fully understand consequences of it :)

Comment thread web/packages/teleport/src/Login/useLogin.ts Outdated
@Joerger Joerger mentioned this pull request Oct 3, 2023
Merged
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 6b0b257 to 0571f9f Compare October 3, 2023 18:35
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch 2 times, most recently from 2b4ff18 to 2e1ba1c Compare October 3, 2023 18:49
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 0571f9f to e1e76d9 Compare October 3, 2023 18:51
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch from 2e1ba1c to e3f57ba Compare October 3, 2023 20:46
@Joerger Joerger removed the ui label Oct 4, 2023
@Joerger Joerger marked this pull request as draft October 4, 2023 00:15
@Joerger Joerger marked this pull request as ready for review October 4, 2023 00:15
@github-actions github-actions Bot requested a review from EdwardDowling October 4, 2023 00:16
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from 52823a4 to 5345444 Compare October 12, 2023 00:35
@ravicious ravicious removed their request for review October 12, 2023 12:33
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch 3 times, most recently from 90634af to 90f7580 Compare October 12, 2023 19:31
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch 2 times, most recently from b249e1b to ba245d4 Compare October 13, 2023 02:20
@Joerger Joerger mentioned this pull request Oct 13, 2023
Merged
@Joerger Joerger force-pushed the joerger/piv-pin-policy branch from 608b436 to 1e41ef0 Compare October 13, 2023 18:15
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from ba245d4 to c216758 Compare October 13, 2023 18:30
Base automatically changed from joerger/piv-pin-policy to master October 13, 2023 19:26
@Joerger Joerger force-pushed the joerger/hardware-key-support-webui branch from c216758 to 81e9395 Compare October 13, 2023 19:41
@Joerger Joerger enabled auto-merge October 13, 2023 19:41
@Joerger Joerger added this pull request to the merge queue Oct 13, 2023
Merged via the queue into master with commit 129df08 Oct 13, 2023
@Joerger Joerger deleted the joerger/hardware-key-support-webui branch October 13, 2023 20:17
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Oct 13, 2023

@Joerger See the table below for backport results.

Branch Result
branch/v14 Failed

Joerger added a commit that referenced this pull request Oct 13, 2023
@Joerger @jentfoo
Enable hardware key support in the WebUI (#32781)
25b4868 
* Add web_session private key policy.

* Add attestation logic for web session.

* Prevent users from retrieving their own web session secrets.

* Update RFD.

* Attest extended web sessions if the original web session was attested.

* Update rfd/0080-hardware-key-support.md

Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com>

* Fix policy set unit test.

---------

Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com>
@Joerger Joerger mentioned this pull request Oct 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ravicious ravicious ravicious left review comments

@r0mant r0mant r0mant approved these changes

@gzdunek gzdunek gzdunek approved these changes

+2 more reviewers

@jentfoo jentfoo jentfoo approved these changes

@EdwardDowling EdwardDowling EdwardDowling approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

rfd Request for Discussion size/md size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Joerger @ravicious @r0mant @jentfoo @EdwardDowling @gzdunek