[v8] Client Certificate Authentication for GCP Cloud SQL #10058
Closed
Packer was failing with an error that looked like the following: Error processing tag: Name:{{user `ami_name`}} Appears to be an issue with the latest version of Packer, 1.7.7. Temporarily pin Packer to 1.7.6.
- Ensure Rust is installed in the buildbox image
- Install Rust toolchains for each arch we support
- Use openssl's vendor feature to ensure we always link a static lib
- Automatically include RDP client if Rust is detected
The Rust code now uses vendored mode [1] to statically link openssl, so we no longer need dynamic linking for these libraries. This also resolves an issue where extra flags were needed to build locally on macOS. [1]: https://docs.rs/openssl/0.10.36/openssl/#vendored
Download Rust and Go per-build to ensure that the right version is used and that builds do not step on each other. Also runs cbindgen in quiet mode to suppress the annoying output it spews for non-public symbols.
…8816) Removes the call to wait for ssh.Session end to check for errors in web terminal, which fixes a regression bug where typing "exit" in web terminal does not return session end event. PR #8081 removed the need to check for errors as it correctly returns exit errors whereas before it returned nil.
The default user verification setting, "preferred", leaves it open for client-side implementations whether to perform verification checks. In theory it sounds reasonable, but in practice it takes a variety of forms: Chrome will perform PIN checks if a PIN is configured, a redundant check in face of our existing password checks. Windows goes a step further and directs the user to set a PIN, a further deviation from the usual security key workflow. The traditional workflow is achieved by setting user verification to discouraged, implemented here.
Reference:
- https://chromium.googlesource.com/chromium/src/+/refs/heads/main/content/browser/webauth/uv_preferred.md
* Set user verification to "discouraged" for WebAuthn
* Add user verification to CredentialAssertion proto
* Add authenticator selection to CredentialCreation proto
This pulls in the fixes from gravitational/rdp-rs#4 Updates #8742 Backport to v8 required.
* go get google.golang.org/api
  go get: upgraded cloud.google.com/go v0.60.0 => v0.100.2
  go get: upgraded github.com/golang/snappy v0.0.1 => v0.0.3
  go get: upgraded github.com/googleapis/gax-go/v2 v2.0.5 => v2.1.1
  go get: upgraded go.opencensus.io v0.22.5 => v0.23.0
  go get: upgraded golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d => v0.0.0-20211104180415-d3ed0bb246c8
  go get: upgraded golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 => v0.0.0-20211216021012-1d35b9e2eb4e
  go get: upgraded google.golang.org/api v0.29.0 => v0.65.0
  go get: upgraded google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c => v0.0.0-20220107163113-42d7afdf6368
  go get: upgraded google.golang.org/protobuf v1.26.0 => v1.27.1
* Optionally fetch transitive groups in the Google OIDC connector
* Refactor the google workspace parts of the OIDC code
* Further refactoring
  This undoes the user account impersonation changes, and always requires an admin account again.
* Test coverage
* Address review comments
* Minor refactor and name changes
* Allow domain filtering, tests now bypass addGoogleWorkspaceClaims
* Update `OIDCConnectorV2` to `OIDCConnectorV3`
* Backwards compatibility for OIDCConnector v2
  This also removes the extra boolean flag that was added previously.
* Update e-ref
  Enterprise builds will break unless gravitational/teleport.e#387 is included.
* Refactor most uses of `UserMetadata` into a handful of functions
* Add access requests to `UserMetadata`
* Explanation for the reserved field in SessionStart
This change adds a new audit event, `session.connect`, that is emitted when dialing to either an OpenSSH server or a trusted cluster. It also adds `emitConn`, a wrapper for a `net.Conn` that peeks at the first few bytes read and emits session.connect when it detects a non-Teleport connection.
…) (#10015)
* Update golang.org/x/crypto to v0.0.0-20220126234351-aa10faf2a1f8 (#9984)
  The newer version automatically renews certificates affected by the Let's Encrypt TLS-ALPN-01 issue[1]. This is a fix for the autocert method; certbot users are unaffected.
  [1] https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450
* Update vendor
Allow users to secure GCP Cloud SQL instances by setting "Allow only SSL connections", which enforces client certificate authentication. This implementation does not require any configuration changes for Teleport users. Teleport will detect whether client certificate authentication is required and handle either case automatically.

Client certificates are ephemeral. They are created for every connection by calling the GCP Cloud SQL API's GenerateEphemeralCert function. Certificates are only created when the destination Cloud SQL instance is configured to require client certificate authentication. The configuration is detected by requesting instance settings from the GCP Cloud SQL API on every connection attempt.

A special case was implemented for MySQL. MySQL servers in GCP Cloud SQL do not trust the ephemeral certificate's CA but GCP Cloud Proxy does. To work around this issue, the implementation will connect to the MySQL Cloud Proxy port using a TLS dialer instead of the default MySQL port when client certificate authentication is required.

The common.CloudClients interface and implementation now return an interface (GCPSQLAdminClient) from the GetGCPSQLAdminClient function instead of the GCP client's sqladmin.Service. Returning an interface simplified calling code and allowed for the client to be mocked for testing.

Existing GCP Cloud SQL tests are configured to not require client certificate authentication by default. A new test named TestGCPRequireSSL was created to simulate client certificate authentication for both Postgres and MySQL. This required some minor changes to the test server code.

A new ConnectWithDialer function was added to the github.com/gravitational/go-mysql fork. This function is available upstream in v1.4.0 but other changes upstream resulted in a number of errors and a panic processing network packets. So instead of upgrading, the dialer function was copied to the Teleport fork and a custom version was created instead: v1.1.1-teleport.1.
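The connection-time decision this commit message describes, written out as an added Go example (not Teleport's code): a fake admin client stands in for the GCPSQLAdminClient interface, and the method names RequireSSL and GenerateEphemeralCert, the ConnectPlan type, the fakeAdmin type and the UseProxyPort flag that models the MySQL special case are all this example's assumptions.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
)

// CloudSQLAdmin is an assumed stand-in for the GCPSQLAdminClient interface
// the commit describes; the method shapes are this example's, not Teleport's.
type CloudSQLAdmin interface {
	RequireSSL(ctx context.Context, instance string) (bool, error)
	GenerateEphemeralCert(ctx context.Context, instance string) (tls.Certificate, error)
}

// ConnectPlan is the per-connection decision derived from the instance settings.
type ConnectPlan struct {
	ClientCert   bool        // an ephemeral client certificate was minted and attached
	UseProxyPort bool        // MySQL only: dial the Cloud Proxy port, not the default port
	TLS          *tls.Config // config to hand to the TLS dialer
}
// PlanConnection re-reads instance settings on every attempt (base must be non-nil). Only a
// require-SSL instance gets an ephemeral cert; MySQL then uses the proxy port, which trusts its CA.
func PlanConnection(ctx context.Context, c CloudSQLAdmin, protocol, instance string, base *tls.Config) (ConnectPlan, error) {
	require, err := c.RequireSSL(ctx, instance)
	if err != nil {
		return ConnectPlan{}, fmt.Errorf("instance settings: %w", err)
	}
	plan := ConnectPlan{TLS: base.Clone()}
	if !require {
		return plan, nil // server-side TLS only, no client certificate
	}
	cert, err := c.GenerateEphemeralCert(ctx, instance)
	if err != nil {
		return ConnectPlan{}, fmt.Errorf("ephemeral cert: %w", err)
	}
	plan.TLS.Certificates = []tls.Certificate{cert}
	plan.ClientCert = true
	plan.UseProxyPort = protocol == "mysql"
	return plan, nil
}
type fakeAdmin struct{ require bool } // constructed offline client; never talks to GCP
func (f fakeAdmin) RequireSSL(context.Context, string) (bool, error) { return f.require, nil }
func (fakeAdmin) GenerateEphemeralCert(context.Context, string) (tls.Certificate, error) {
	return tls.Certificate{}, nil
}
func main() {
	p, err := PlanConnection(context.Background(), fakeAdmin{require: true}, "mysql", "db-1", &tls.Config{})
	fmt.Println(p.ClientCert, p.UseProxyPort, err) // true true <nil>
}
```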
jimbishopp requested review from klizhentas, r0mant, russjones and zmb3 as code owners, January 31, 2022 20:04
github-actions bot added labels application-access, audit-log (Issues related to Teleport's Audit Log), database-access (Database access related issues and PRs), desktop-access, documentation, helm, kubernetes-access, rdp, rfd (Request for Discussion), tctl (tctl - Teleport admin tool), tsh (tsh - Teleport's command line tool for logging into nodes running Teleport.), Jan 31, 2022
github-actions bot requested review from hatched, ptgott, timothyb89 and xinding33, January 31, 2022 20:05
Backport #9991.