teleterm (alpha)

Makefile

@@ -732,6 +732,7 @@ ADDLICENSE_ARGS := -c 'Gravitational, Inc' -l apache \
 		-ignore 'e/**' \
 		-ignore 'gitref.go' \
 		-ignore 'lib/web/build/**' \
+		-ignore 'lib/teleterm/api/protogen/**' \
 		-ignore 'version.go' \
 		-ignore 'webassets/**' \
 		-ignore 'ignoreme' \
@@ -914,6 +915,7 @@ buildbox-grpc:
 		--gogofast_out=plugins=grpc,$(GOGOPROTO_IMPORTMAP):. \
 		envelope.proto
 
+	cd lib/teleterm && buf generate
 
 .PHONY: goinstall
 goinstall:

api/profile/profile.go

@@ -173,6 +173,16 @@ func SetCurrentProfileName(dir string, name string) error {
 	return nil
 }
 
+// RemoveProfile removes cluster profile file
+func RemoveProfile(dir, name string) error {
+	profilePath := filepath.Join(dir, name+".yaml")
+	if err := os.Remove(profilePath); err != nil {
+		return trace.ConvertSystemError(err)
+	}
+
+	return nil
+}
+
 // GetCurrentProfileName attempts to load the current profile name.
 func GetCurrentProfileName(dir string) (name string, err error) {
 	if dir == "" {

build.assets/Dockerfile

@@ -189,5 +189,27 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --pr
     cargo install cbindgen
 
 USER root
+
+# Install buf
+RUN BIN="/usr/local/bin" && \
+    VERSION="1.0.0-rc1" && \
+    BINARY_NAME="buf" && \
+    curl -sSL \
+     "https://github.com/bufbuild/buf/releases/download/v${VERSION}/${BINARY_NAME}-$(uname -s)-$(uname -m)" \
+    -o "${BIN}/${BINARY_NAME}" && \
+    chmod +x "${BIN}/${BINARY_NAME}"
+
+# Install node
+ARG NODE_VERSION=v15.14.0
+ENV NODE_URL="https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.xz"
+ENV NODE_PATH="/usr/local/lib/node-${NODE_VERSION}-linux-x64"
+ENV PATH="$PATH:${NODE_PATH}/bin"
+RUN (curl -o /tmp/nodejs.tar.xz -L ${NODE_URL} && tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib)
+
+# Install js proto tools
+RUN (npm install --global [email protected])
+RUN (npm install --global [email protected])
+RUN go install github.com/golang/protobuf/[email protected]
+
 VOLUME ["/go/src/github.com/gravitational/teleport"]
-EXPOSE 6600 2379 2380
+EXPOSE 6600 2379 2380

build.assets/Makefile

@@ -32,7 +32,7 @@ RUNTIME_ARCH_arm64 := arm64
 RUNTIME_ARCH_aarch64 := arm64
 RUNTIME_ARCH := $(RUNTIME_ARCH_$(HOST_ARCH))
 
-PROTOC_VER ?= 3.6.1
+PROTOC_VER ?= 3.13.0
 GOGO_PROTO_TAG ?= v1.3.2
 
 BUILDBOX=quay.io/gravitational/teleport-buildbox:$(BUILDBOX_VERSION)

go.mod

@@ -229,6 +229,7 @@ require (
 	github.com/spf13/cobra v1.2.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.0.2 // indirect

go.sum

@@ -892,6 +892,8 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tstranex/u2f v0.0.0-20160508205855-eb799ce68da4 h1:aR+lGR8m0zBjvDlHkHOCmdsk79ipIPeiP75GqUlywKM=
 github.com/tstranex/u2f v0.0.0-20160508205855-eb799ce68da4/go.mod h1:eahSLaqAS0zsIEv80+vXT7WanXs7MQQDg3j3wGBSayo=
+github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb h1:Ywfo8sUltxogBpFuMOFRrrSifO788kAFxmvVw31PtQQ=
+github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb/go.mod h1:ikPs9bRWicNw3S7XpJ8sK/smGwU9WcSVU3dy9qahYBM=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=

lib/client/api.go

@@ -571,10 +571,10 @@ func RetryWithRelogin(ctx context.Context, tc *TeleportClient, fn func() error)
 	return fn()
 }
 
-// readProfile reads in the profile as well as the associated certificate
+// ReadProfileStatus reads in the profile as well as the associated certificate
 // and returns a *ProfileStatus which can be used to print the status of the
 // profile.
-func readProfile(profileDir string, profileName string) (*ProfileStatus, error) {
+func ReadProfileStatus(profileDir string, profileName string) (*ProfileStatus, error) {
 	var err error
 
 	if profileDir == "" {
@@ -783,7 +783,7 @@ func Status(profileDir, proxyHost string) (*ProfileStatus, []*ProfileStatus, err
 	// Read in the target profile first. If readProfile returns trace.NotFound,
 	// that means the profile may have been corrupted (for example keys were
 	// deleted but profile exists), treat this as the user not being logged in.
-	profileStatus, err = readProfile(profileDir, profileName)
+	profileStatus, err = ReadProfileStatus(profileDir, profileName)
 	if err != nil {
 		log.Debug(err)
 		if !trace.IsNotFound(err) {
@@ -804,7 +804,7 @@ func Status(profileDir, proxyHost string) (*ProfileStatus, []*ProfileStatus, err
 			// already loaded this one
 			continue
 		}
-		ps, err := readProfile(profileDir, name)
+		ps, err := ReadProfileStatus(profileDir, name)
 		if err != nil {
 			log.Debug(err)
 			// parts of profile are missing?
@@ -2492,6 +2492,15 @@ func (tc *TeleportClient) PingAndShowMOTD(ctx context.Context) (*webclient.PingR
 	return pr, nil
 }
 
+// GetWebConfig retreives Teleport proxy web config
+func (tc *TeleportClient) GetWebConfig(ctx context.Context) (*WebConfig, error) {
+	cfg, err := GetWebConfig(ctx, tc.WebProxyAddr, tc.InsecureSkipVerify)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return cfg, nil
+}
+
 // Login logs the user into a Teleport cluster by talking to a Teleport proxy.
 //
 // If tc.Passwordless is set, then the passwordless authentication flow is used.

lib/client/keyagent.go

@@ -175,13 +175,19 @@ func (a *LocalKeyAgent) UpdateProxyHost(proxyHost string) {
 	a.proxyHost = proxyHost
 }
 
+// UpdateUsername changes username that the local agent operates on.
+func (a *LocalKeyAgent) UpdateUsername(username string) {
+	a.username = username
+}
+
 // LoadKeyForCluster fetches a cluster-specific SSH key and loads it into the
 // SSH agent.
 func (a *LocalKeyAgent) LoadKeyForCluster(clusterName string) (*agent.AddedKey, error) {
 	key, err := a.GetKey(clusterName, WithSSHCerts{})
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
 	return a.LoadKey(*key)
 }
 

lib/client/weblogin.go

@@ -17,10 +17,12 @@ limitations under the License.
 package client
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/url"
 	"os"
@@ -35,6 +37,8 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/web/ui"
+
 	"github.com/gravitational/trace"
 	"github.com/sirupsen/logrus"
 
@@ -436,3 +440,33 @@ func HostCredentials(ctx context.Context, proxyAddr string, insecure bool, req t
 
 	return &certs, nil
 }
+
+// GetWebConfig is used by teleterm to fetch webconfig.js from proxies
+func GetWebConfig(ctx context.Context, proxyAddr string, insecure bool) (*ui.WebConfig, error) {
+	clt, _, err := initClient(proxyAddr, insecure, nil)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	response, err := clt.Get(ctx, clt.Endpoint("web", "config.js"), url.Values{})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	body, err := io.ReadAll(response.Reader())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	// WebConfig is served as JS file where GRV_CONFIG is a global object name
+	text := bytes.TrimSuffix(bytes.Replace(body, []byte("var GRV_CONFIG = "), []byte(""), 1), []byte(";"))
+
+	cfg := ui.WebConfig{}
+	if err := json.Unmarshal(text, &cfg); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &cfg, nil
+}
+
+type WebConfig = ui.WebConfig

lib/teleterm/api/proto/buf.yaml

@@ -0,0 +1,9 @@
+version: v1
+lint:
+  use:
+    - DEFAULT
+  except:
+    - RPC_RESPONSE_STANDARD_NAME
+breaking:
+  use:
+    - FILE

lib/teleterm/api/proto/v1/app.proto

@@ -0,0 +1,50 @@
+// Copyright 2021 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.terminal.v1;
+
+option go_package = "github.com/gravitational/teleport/lib/teleterm/v1";
+
+import "v1/label.proto";
+
+// App describes connected Application
+message App {
+    // uri is the app resource URI
+    string uri = 1;
+    // name is the app name
+    string name = 2;
+    // description is the app description.
+    string description = 3;
+    // uri is the internal address the application is available at.
+    string app_uri = 4;
+    // public_addr is the public address the application is accessible at.
+    string public_addr = 5;
+    // fqdn is a fully qualified domain name of the application (app.example.com)
+    string fqdn = 6;
+    // labels is a map of static labels associated with an application.
+    repeated Label labels = 7;
+    // aws_console if true, indicates that the app represents AWS management console.
+    bool aws_console = 8;
+    // aws_roles is a list of AWS IAM roles for the application representing AWS console.
+    repeated AWSRole aws_roles = 9;
+
+    message AWSRole {
+        // display is the role display name.
+        string display = 1;
+        // arn is the full role ARN.
+        string arn = 2;
+    }
+}

lib/teleterm/api/proto/v1/auth_settings.proto

@@ -0,0 +1,46 @@
+// Copyright 2021 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.terminal.v1;
+
+option go_package = "github.com/gravitational/teleport/lib/teleterm/v1";
+
+// AuthSettings contains the form of authentication the auth server supports.
+message AuthSettings {
+    // local_auth_enabled is a flag that enables local authentication
+    bool local_auth_enabled = 1;
+    // second_factor is the type of second factor to use in authentication.
+    string second_factor = 2;
+    // preferred_mfa is the prefered mfa for local logins
+    string preferred_mfa = 3;
+    // auth_providers contains a list of auth providers
+    repeated AuthProvider auth_providers = 4;
+    // has_message_of_the_day is a flag indicating that the cluster has MOTD
+    // banner text that must be retrieved, displayed and acknowledged by
+    // the user.
+    bool has_message_of_the_day = 5;
+}
+
+// AuthProvider describes a way of authentication that is supported by the server. Auth provider is
+// referred to as "auth connector" on the backend.
+message AuthProvider {
+    // Type is the auth provider type (github|oidc|etc)
+    string type = 1;
+    // Name is the internal name of the connector.
+    string name = 2;
+    // Display is the display name for the connector.
+    string display_name = 3;
+}