From e8bce8dd6463bdac5f5ba40e59da0f608ef48b19 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 20 Sep 2024 10:13:18 -0500 Subject: [PATCH] Displaying mode and controls to additional participants (#46450) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad2727098b5e310f24b9b7aee7860959162e5. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md Co-authored-by: Nic Klaassen --------- Co-authored-by: Nic Klaassen * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx Co-authored-by: Zac Bergquist --------- Co-authored-by: Zac Bergquist * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment Co-authored-by: Edoardo Spadolini --------- Co-authored-by: Edoardo Spadolini * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- Co-authored-by: hugoShaka * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) Co-authored-by: GitHub * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that https://github.com/gravitational/teleport.e/pull/5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis Co-authored-by: Michael Co-authored-by: Paul Gottschling Co-authored-by: Rafał Cieślak Co-authored-by: Nic Klaassen Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist Co-authored-by: Ryan Clark Co-authored-by: Edoardo Spadolini Co-authored-by: Bernard Kim Co-authored-by: hugoShaka Co-authored-by: Vadym Popov Co-authored-by: Erik Tate Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub Co-authored-by: Noah Stride Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com> --- lib/client/api.go | 2 -- lib/client/kubesession.go | 2 -- lib/kube/proxy/forwarder.go | 4 +--- lib/kube/proxy/sess.go | 16 +++++++++++----- lib/srv/sess.go | 34 ++++++++++++++++++++++++++-------- lib/web/apiserver_test.go | 6 +++--- 6 files changed, 41 insertions(+), 23 deletions(-) diff --git a/lib/client/api.go b/lib/client/api.go index b7a4b604e2c0..57a03924c526 100644 --- a/lib/client/api.go +++ b/lib/client/api.go @@ -2106,8 +2106,6 @@ func (tc *TeleportClient) Join(ctx context.Context, mode types.SessionParticipan } } - fmt.Printf("Joining session with participant mode: %v. \n\n", mode) - // running shell with a given session means "join" it: err = nc.RunInteractiveShell(ctx, mode, session, tc.OnChannelRequest, beforeStart) return trace.Wrap(err) diff --git a/lib/client/kubesession.go b/lib/client/kubesession.go index 0ce75de9522b..b3222ac5530a 100644 --- a/lib/client/kubesession.go +++ b/lib/client/kubesession.go @@ -63,8 +63,6 @@ func NewKubeSession(ctx context.Context, tc *TeleportClient, meta types.SessionT TLSClientConfig: tlsConfig, } - fmt.Printf("Joining session with participant mode: %v. \n\n", mode) - ws, resp, err := dialer.DialContext(ctx, joinEndpoint, nil) if resp != nil && resp.Body != nil { defer resp.Body.Close() diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go index 544952da0e6b..7f5fef31c124 100644 --- a/lib/kube/proxy/forwarder.go +++ b/lib/kube/proxy/forwarder.go @@ -1656,9 +1656,7 @@ func (f *Forwarder) exec(authCtx *authContext, w http.ResponseWriter, req *http. } f.setSession(session.id, session) - // When Teleport attaches the original session creator terminal streams to the - // session, we don't want to emit session.join event since it won't be required. - if err = session.join(party, false /* emitSessionJoinEvent */); err != nil { + if err = session.join(party, true /* emitSessionJoinEvent */); err != nil { return trace.Wrap(err) } diff --git a/lib/kube/proxy/sess.go b/lib/kube/proxy/sess.go index f09770c5380d..54ed10105b8e 100644 --- a/lib/kube/proxy/sess.go +++ b/lib/kube/proxy/sess.go @@ -498,7 +498,6 @@ func newSession(ctx authContext, forwarder *Forwarder, req *http.Request, params s.io.OnReadError = s.disconnectPartyOnErr s.BroadcastMessage("Creating session with ID: %v...", id.String()) - s.BroadcastMessage(srv.SessionControlsInfoBroadcast) go func() { if _, open := <-s.io.TerminateNotifier(); open { @@ -982,7 +981,7 @@ func (s *session) join(p *party, emitJoinEvent bool) error { return trace.Wrap(err) } - // we only want to emit the session.join when someone tries to join a session via + // We only want to emit the session.join when someone tries to join a session via // tsh kube join and not when the original session owner terminal streams are // connected to the Kubernetes session. if emitJoinEvent { @@ -993,6 +992,7 @@ func (s *session) join(p *party, emitJoinEvent bool) error { if _, err := p.Client.stdoutStream().Write(recentWrites); err != nil { s.log.Warnf("Failed to write history to client: %v.", err) } + s.BroadcastMessage("User %v joined the session with participant mode: %v.", p.Ctx.User.GetName(), p.Mode) // increment the party track waitgroup. // It is decremented when session.leave() finishes its execution. @@ -1017,10 +1017,17 @@ func (s *session) join(p *party, emitJoinEvent bool) error { if p.Mode == types.SessionPeerMode { s.io.AddReader(stringID, p.Client.stdinStream()) } - s.io.AddWriter(stringID, p.Client.stdoutStream()) - s.BroadcastMessage("User %v joined the session with participant mode: %v.", p.Ctx.User.GetName(), p.Mode) + // Send the participant mode and controls to the additional participant + if p.Ctx.User.GetName() != s.ctx.User.GetName() { + err := srv.MsgParticipantCtrls(p.Client.stdoutStream(), p.Mode) + if err != nil { + s.log.Errorf("Could not send intro message to participant: %v", err) + } + } + + // Allow the moderator to force terminate the session if p.Mode == types.SessionModeratorMode { s.weakEventsWaiter.Add(1) go func() { @@ -1095,7 +1102,6 @@ func (s *session) join(p *party, emitJoinEvent bool) error { s.log.Warnf("Failed to set tracker state to %v", types.SessionState_SessionStateRunning) } } - return nil } diff --git a/lib/srv/sess.go b/lib/srv/sess.go index 7633ebe054f0..328ca574e629 100644 --- a/lib/srv/sess.go +++ b/lib/srv/sess.go @@ -19,6 +19,7 @@ package srv import ( + "bytes" "context" "encoding/json" "errors" @@ -66,10 +67,6 @@ const ( PresenceMaxDifference = time.Minute ) -// SessionControlsInfoBroadcast is sent in tandem with session creation -// to inform any joining users about the session controls. -const SessionControlsInfoBroadcast = "Controls\r\n - CTRL-C: Leave the session\r\n - t: Forcefully terminate the session (moderators only)" - const ( // sessionRecordingWarningMessage is sent when the session recording is // going to be disabled. @@ -86,6 +83,21 @@ var serverSessions = prometheus.NewGauge( }, ) +func MsgParticipantCtrls(w io.Writer, m types.SessionParticipantMode) error { + var modeCtrl bytes.Buffer + modeCtrl.WriteString(fmt.Sprintf("\r\nTeleport > Joining session with participant mode: %s\r\n", string(m))) + modeCtrl.WriteString("Teleport > Controls\r\n") + modeCtrl.WriteString("Teleport > - CTRL-C: Leave the session\r\n") + if m == types.SessionModeratorMode { + modeCtrl.WriteString("Teleport > - t: Forcefully terminate the session\r\n") + } + _, err := w.Write(modeCtrl.Bytes()) + if err != nil { + return fmt.Errorf("could not write bytes: %w", err) + } + return nil +} + // SessionRegistry holds a map of all active sessions on a given // SSH server type SessionRegistry struct { @@ -1292,7 +1304,6 @@ func (s *session) startInteractive(ctx context.Context, scx *ServerContext, p *p s.io.AddReader("reader", inReader) s.io.AddWriter(sessionRecorderID, utils.WriteCloserWithContext(scx.srv.Context(), s.Recorder())) s.BroadcastMessage("Creating session with ID: %v", s.id) - s.BroadcastMessage(SessionControlsInfoBroadcast) if err := s.startTerminal(ctx, scx); err != nil { return trace.Wrap(err) @@ -1942,16 +1953,23 @@ func (s *session) addParty(p *party, mode types.SessionParticipantMode) error { s.participants[p.id] = p p.ctx.AddCloser(p) - // Write last chunk (so the newly joined parties won't stare at a blank - // screen). + // Write last chunk (so the newly joined parties won't stare at a blank screen). if _, err := p.Write(s.io.GetRecentHistory()); err != nil { return trace.Wrap(err) } + s.BroadcastMessage("User %v joined the session with participant mode: %v.", p.user, p.mode) // Register this party as one of the session writers (output will go to it). s.io.AddWriter(string(p.id), p) - s.BroadcastMessage("User %v joined the session with participant mode: %v.", p.user, p.mode) + // Send the participant mode and controls to the additional participant + if s.login != p.login { + err := MsgParticipantCtrls(p.ch, mode) + if err != nil { + s.log.Errorf("Could not send intro message to participant: %v", err) + } + } + s.log.Infof("New party %v joined the session with participant mode: %v.", p.String(), p.mode) if mode == types.SessionPeerMode { diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go index d824e953a10b..2e2d4411594a 100644 --- a/lib/web/apiserver_test.go +++ b/lib/web/apiserver_test.go @@ -7579,7 +7579,7 @@ func waitForOutputWithDuration(r ReaderWithDeadline, substr string, timeout time timeoutCh := time.After(timeout) var prev string - out := make([]byte, int64(len(substr)*2)) + out := make([]byte, int64(len(substr)*3)) for { select { case <-timeoutCh: @@ -9495,7 +9495,7 @@ func TestModeratedSession(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { require.NoError(t, peerTerm.Close()) }) - require.NoError(t, waitForOutput(peerTerm, "Teleport > User foo joined the session with participant mode: peer."), "waiting for peer to enter session") + require.NoError(t, waitForOutput(peerTerm, "Teleport > Waiting for required participants..."), "waiting for peer to enter session") moderatorTerm, err := connectToHost(ctx, connectConfig{ pack: s.authPack(t, "bar", moderatorRole.GetName()), @@ -9613,7 +9613,7 @@ func TestModeratedSessionWithMFA(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { require.NoError(t, peerTerm.Close()) }) - require.NoError(t, waitForOutput(peerTerm, "Teleport > User foo joined the session with participant mode: peer."), "waiting for peer to start session") + require.NoError(t, waitForOutput(peerTerm, "Teleport > Waiting for required participants..."), "waiting for peer to start session") moderatorTerm, err := connectToHost(ctx, connectConfig{ pack: moderator,