[v9] Add `tbot proxy` and `tbot db` wrapper commands (#12687) #12990
Backport of #12687 for branch/v9

This enhances support for identity files in tsh, which previously only worked for regular SSH access. The largest blocker for support is that tsh uses profiles for all non-SSH resource access, and profiles have a direct mapping to some on-disk resources. This patch works around this in a few ways:

- Virtual profiles: When an identity file is specified with `-i`, we use it to create an in-memory virtual profile using the cert as the root identity and for every `RouteToDatabase` (and in the future, app) field contained in the cert.
- Virtual profile paths: Certain profile operations require paths to valid certificates and other resources on disk, which may not exist inside the identity file. As the driving use-case for this change is integration with Machine ID, we can "cheat" and pass the correct paths to tsh via environment variables. A cooperating wrapper in `tbot` will execute `tsh` with appropriate flags and environment variables, which override tsh's usual certificate paths. This allows commands like `tsh db connect ...` to work as expected.
- Key stores: previously we used a `noLocalKeyStore{}` with which all lookups fail. This patch replaces it with an in-memory keystore if a client key is available.
- Profile status: lastly, we add a new `StatusCurrentWithIdentity()` function to load virtual profiles where supported. Some commands are not supported in this PR (like `tsh app ...`), but others don't make sense to support (like cert reissuing). We might consider merging everything into the traditional `StatusCurrent()` when adding app support.

App access is still broken and will be addressed in a later change.

Partially fixes #11770
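The wrapper pattern the description lays out (run tsh with `-i` and environment variables that redirect its certificate paths into the tbot destination), as an added Go example that is not code from this PR or from Teleport. The environment variable names, file names and paths below are assumed placeholders; the point it shows is that the wrapper rebuilds the environment deterministically instead of trusting whatever the parent process exported.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Assumed placeholder names; the variables tsh actually honours live in
// Teleport's tshwrap/client code and are not shown on this page.
var pathOverrides = map[string]string{
	"TSH_WRAPPER_KEY_PATH": "key",
	"TSH_WRAPPER_TLS_CERT": "tlscert",
	"TSH_WRAPPER_SSH_CERT": "sshcert",
}

// WrapperEnv copies the parent environment, dropping any existing value for
// the override variables before appending ours, so tsh always reads the files
// in the tbot destination and never a stale path inherited from the caller.
func WrapperEnv(base []string, dest string) []string {
	env := make([]string, 0, len(base)+len(pathOverrides))
	for _, kv := range base {
		key, _, _ := strings.Cut(kv, "=")
		if _, overridden := pathOverrides[key]; !overridden {
			env = append(env, kv)
		}
	}
	for name, file := range pathOverrides {
		env = append(env, name+"="+filepath.Join(dest, file))
	}
	return env
}

// BuildCommand prepares (but does not run) the wrapped invocation: tsh at
// an absolute path chosen by the caller, the identity file via -i, then
// the user's subcommand such as "db connect prod".
func BuildCommand(tshPath, identity, dest string, parentEnv, args []string) *exec.Cmd {
	argv := append([]string{"-i", identity}, args...)
	cmd := exec.Command(tshPath, argv...)
	cmd.Env = WrapperEnv(parentEnv, dest)
	return cmd
}

func main() {
	cmd := BuildCommand("/usr/local/bin/tsh", "/var/lib/tbot/db/identity",
		"/var/lib/tbot/db", os.Environ(), []string{"db", "connect", "prod"})
	fmt.Println(cmd.Args, cmd.Env)
}
```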
Fix failing lint
Add `tbot proxy` and `tbot db` wrapper commands

This adds new wrapper commands that leverage tsh for proxy and database access.

It also adds a new `tshwrap` helper package which contains utilities for locating the tsh executable, checking its version, and loading all necessary data (certificates, destinations, etc) that will need to be passed to tsh for wrapped commands to function.
Fix failing unit test due to incorrect default IsVirtual profile flag
Combine `StatusCurrentWithIdentity()` into `StatusCurrent()`

Additionally, log a warning when environment variable paths aren't found.
Fix virtual profile flag always being true
Update lib/client/api.go
Co-authored-by: Krzysztof Skrzętnicki [email protected]
Address review feedback
Use `tbot proxy` in generated `ssh_config`
Add tests for mockable parts of our tsh integration
Fix lints
Clarify docstrings in CLIConf
Tweak comment for clarity; fix typo in `onProxyCommand`
Add missing copyright header
Fix failing unit test and pass destination to `Describe()`

This fixes a failing unit test by making the description for `ssh_config` match its behavior in practice. This necessitated passing the destination to all templates, unfortunately.
Add a few extra tests
Apply suggestions from code review
Co-authored-by: Alan Parra [email protected]
Address another batch of review comments
Comment tweaks
Refactor tshwrap to remove the Runner interface.
Apply suggestions from code review
Co-authored-by: Alan Parra [email protected]
Co-authored-by: Krzysztof Skrzętnicki [email protected]
Co-authored-by: Alan Parra [email protected]