Download mTLS files from Web #14526

marcoandredinis · 2022-07-15T17:46:40Z

In the context of Teleport Discover we are trying to ease the usage of Teleport for the user's first interaction.

When adding a new database resource the user must, among other things, generate the mTLS files
Examples:
https://goteleport.com/docs/database-access/guides/postgres-self-hosted/#step-25-create-a-certificatekey-pair
https://goteleport.com/docs/database-access/guides/mysql-self-hosted/#step-24-create-a-certificatekey-pair

This PR aims to reduce this friction: the user should be able to setup the resource without prior setup of local tools (tsh login)
We're doing this by providing an endpoint that will return those exact files

Demo

marco@lenix ~/p/downloadmtls> curl --silent --insecure 'https://127.0.0.1.nip.io:3080/v1/webapi/sites/lenix/sign' --dat
a '{"hostname":"discover.example.com", "ttl":"9999h", "format": "db"}' --header 'Authorization: Bearer 308bf3dd3019ddc4
2cff44a48e028480' --header 'Content-Type: application/json' -OJ
marco@lenix ~/p/downloadmtls> tar -xvf teleport_mTLS_discover.example.com.tar.gz
server.key
server.crt
server.cas
marco@lenix ~/p/downloadmtls> head -1 server.*
==> server.cas <==
-----BEGIN CERTIFICATE-----

==> server.crt <==
-----BEGIN CERTIFICATE-----

==> server.key <==
-----BEGIN RSA PRIVATE KEY-----

Fixes #14049

lib/web/apiserver.go

lib/web/sign.go

r0mant

@marcoandredinis Didn't review in detail yet but a couple of things I've noticed so far:

Agree with changing method to POST (or PUT) and building archive in memory.
We should use .tar.gz or just .tar archive instead of .zip.

marcoandredinis · 2022-07-20T10:01:14Z

@hugoShaka @r0mant
It uses a POST request now, the output is a tar.gz file, we handle everything in memory
Can you please take another look?

ryanclark

LGTM, one minor comment

lib/client/identityfile/inmemory_config_writer.go

marcoandredinis · 2022-07-25T07:52:02Z

@r0mant friendly ping

lib/auth/auth_with_roles.go

lib/web/apiserver.go

lib/web/sign.go

r0mant

Couple final remarks, but otherwise it looks good now!

r0mant · 2022-07-29T20:00:52Z

lib/client/db/database_certificates.go

+		req.Principals = append([]string{"node"}, req.Principals...)
+	}
+
+	subject := pkix.Name{CommonName: req.Principals[0]}


Just noticed that we don't validate that req.Principals is not empty anywhere here, might be worth adding a check somewhere here to avoid panics.

r0mant · 2022-07-29T20:01:46Z

lib/services/provisioning.go

@@ -38,6 +38,7 @@ type Provisioner interface {
 	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

 	// DeleteToken deletes provisioning token
+	// Imlementations must guarantee that this returns trace.NotFound error is the token doesn't exist


Suggested change

// Imlementations must guarantee that this returns trace.NotFound error is the token doesn't exist

// Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist

r0mant · 2022-07-29T20:04:11Z

lib/web/apiserver.go

@@ -2693,6 +2696,61 @@ func (h *Handler) WithClusterAuth(fn ClusterHandler) httprouter.Handle {
 	})
 }

+// ProvisionTokenHandler is a authenticated handler that is called for some existing Token
+type ProvisionTokenHandler func(w http.ResponseWriter, r *http.Request, p httprouter.Params, site reversetunnel.RemoteSite, roles types.SystemRoles) (interface{}, error)


Why not just pass the entire token to the handler instead of roles? Would make things a little cleaner I think.

r0mant · 2022-07-29T20:09:11Z

tool/tctl/common/auth_command.go

+	if outputFormat == identityfile.FormatSnowflake {
+		delete(tplVars, "output")
+	}


Do we need this? If the template variable is present but just not used in the template, it should be fine, right?

New endpoint to return an archive with mTLS files for a given resource. This endpoint is protect by a Provision Token which is consumed by the API Call: it is used as a one time password.

It also changes the format from zip to tar.gz

github-actions · 2022-08-01T09:15:36Z

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v10	Failed

In the context of Teleport Discover we are trying to ease the usage of Teleport for the user's first interaction. When adding a new database resource the user must, among other things, generate the mTLS files Examples: https://goteleport.com/docs/database-access/guides/postgres-self-hosted/#step-25-create-a-certificatekey-pair https://goteleport.com/docs/database-access/guides/mysql-self-hosted/#step-24-create-a-certificatekey-pair This PR aims to reduce this friction: the user should be able to setup the resource without prior setup of local tools (`tsh login`) We're doing this by providing an endpoint that will return those exact files Demo ```shell marco@lenix ~/p/downloadmtls> curl --silent --insecure 'https://127.0.0.1.nip.io:3080/v1/webapi/sites/lenix/sign' --dat a '{"hostname":"discover.example.com", "ttl":"9999h", "format": "db"}' --header 'Authorization: Bearer 308bf3dd3019ddc4 2cff44a48e028480' --header 'Content-Type: application/json' -OJ marco@lenix ~/p/downloadmtls> tar -xvf teleport_mTLS_discover.example.com.tar.gz server.key server.crt server.cas marco@lenix ~/p/downloadmtls> head -1 server.* ==> server.cas <== -----BEGIN CERTIFICATE----- ==> server.crt <== -----BEGIN CERTIFICATE----- ==> server.key <== -----BEGIN RSA PRIVATE KEY----- ``` Fixes #14049

zmb3 · 2022-08-01T15:22:54Z

FYI @LKozlowski - this may help you automate the setup for Desktop Access

Download mTLS files from Web (#14526) In the context of Teleport Discover we are trying to ease the usage of Teleport for the user's first interaction. When adding a new database resource the user must, among other things, generate the mTLS files Examples: https://goteleport.com/docs/database-access/guides/postgres-self-hosted/#step-25-create-a-certificatekey-pair https://goteleport.com/docs/database-access/guides/mysql-self-hosted/#step-24-create-a-certificatekey-pair This PR aims to reduce this friction: the user should be able to setup the resource without prior setup of local tools (`tsh login`) We're doing this by providing an endpoint that will return those exact files Demo ```shell marco@lenix ~/p/downloadmtls> curl --silent --insecure 'https://127.0.0.1.nip.io:3080/v1/webapi/sites/lenix/sign' --dat a '{"hostname":"discover.example.com", "ttl":"9999h", "format": "db"}' --header 'Authorization: Bearer 308bf3dd3019ddc4 2cff44a48e028480' --header 'Content-Type: application/json' -OJ marco@lenix ~/p/downloadmtls> tar -xvf teleport_mTLS_discover.example.com.tar.gz server.key server.crt server.cas marco@lenix ~/p/downloadmtls> head -1 server.* ==> server.cas <== -----BEGIN CERTIFICATE----- ==> server.crt <== -----BEGIN CERTIFICATE----- ==> server.key <== -----BEGIN RSA PRIVATE KEY----- ``` Fixes #14049

LKozlowski · 2022-08-02T08:19:02Z

FYI @LKozlowski - this may help you automate the setup for Desktop Access

Oh, nice, Looks promising. Thanks!

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 2 times, most recently from a97baa9 to 1fecfe0 Compare July 18, 2022 07:45

marcoandredinis added the discover Issues related to Teleport Discover label Jul 18, 2022

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch from 1fecfe0 to 031f53e Compare July 18, 2022 10:54

marcoandredinis marked this pull request as ready for review July 18, 2022 13:59

github-actions bot requested review from hugoShaka and timothyb89 July 18, 2022 14:00

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 2 times, most recently from c9c6c2d to 1879089 Compare July 18, 2022 14:30

hugoShaka reviewed Jul 18, 2022

View reviewed changes

lib/web/apiserver.go Outdated Show resolved Hide resolved

lib/web/sign.go Outdated Show resolved Hide resolved

marcoandredinis added backport backport/branch/v10 labels Jul 18, 2022

r0mant requested changes Jul 18, 2022

View reviewed changes

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 5 times, most recently from 8a07af7 to 9c4425c Compare July 20, 2022 07:54

ryanclark approved these changes Jul 20, 2022

View reviewed changes

lib/client/identityfile/inmemory_config_writer.go Outdated Show resolved Hide resolved

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch from 445c004 to 09441d0 Compare July 20, 2022 10:57

hugoShaka approved these changes Jul 20, 2022

View reviewed changes

marcoandredinis mentioned this pull request Jul 22, 2022

Add RBAC instructions for DB tctl auth sign #14528

Merged

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch from 09441d0 to e938bab Compare July 25, 2022 07:51

r0mant requested changes Jul 26, 2022

View reviewed changes

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 4 times, most recently from 28741c8 to 3711f5f Compare July 27, 2022 15:28

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 5 times, most recently from 9edeebd to 666dd58 Compare July 29, 2022 14:06

r0mant approved these changes Jul 29, 2022

View reviewed changes

github-actions bot removed the request for review from timothyb89 July 29, 2022 20:10

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch 2 times, most recently from ef66db6 to 472114a Compare August 1, 2022 07:24

marcoandredinis added 10 commits August 1, 2022 08:51

WebAPI: download mTLS files for database resources

05b2815

New endpoint to return an archive with mTLS files for a given resource. This endpoint is protect by a Provision Token which is consumed by the API Call: it is used as a one time password.

Write and serve archive from memory

5505cb5

It also changes the format from zip to tar.gz

Change from GET to POST for auth sign requests

c01e421

set the correct file mode when generating the files

df16f7b

change to readers lock when stat'ing a file

9c350cb

roman review part 1

ddd54aa

extract generation of mtls files

edb7830

validate token type and role

9a34f5f

improve docs and code location

4a0b085

check for empty list of principals

25ecbc9

marcoandredinis force-pushed the marco/download_mtls_for_dbaccess branch from 472114a to 25ecbc9 Compare August 1, 2022 07:51

marcoandredinis merged commit a60d1c0 into master Aug 1, 2022

marcoandredinis mentioned this pull request Aug 1, 2022

[V10] Download mTLS files from Web (#14526) #15081

Merged

marcoandredinis deleted the marco/download_mtls_for_dbaccess branch August 2, 2022 08:47

marcoandredinis mentioned this pull request Aug 10, 2022

gRPC conversions - public CA Cert endpoint #7413

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Download mTLS files from Web #14526

Download mTLS files from Web #14526

marcoandredinis commented Jul 15, 2022 •

edited

Loading

r0mant left a comment

marcoandredinis commented Jul 20, 2022

ryanclark left a comment

marcoandredinis commented Jul 25, 2022

r0mant left a comment

r0mant Jul 29, 2022

r0mant Jul 29, 2022

r0mant Jul 29, 2022

r0mant Jul 29, 2022

github-actions bot commented Aug 1, 2022

zmb3 commented Aug 1, 2022

LKozlowski commented Aug 2, 2022

	// Imlementations must guarantee that this returns trace.NotFound error is the token doesn't exist
	// Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist

Download mTLS files from Web #14526

Download mTLS files from Web #14526

Conversation

marcoandredinis commented Jul 15, 2022 • edited Loading

r0mant left a comment

Choose a reason for hiding this comment

marcoandredinis commented Jul 20, 2022

ryanclark left a comment

Choose a reason for hiding this comment

marcoandredinis commented Jul 25, 2022

r0mant left a comment

Choose a reason for hiding this comment

r0mant Jul 29, 2022

Choose a reason for hiding this comment

r0mant Jul 29, 2022

Choose a reason for hiding this comment

r0mant Jul 29, 2022

Choose a reason for hiding this comment

r0mant Jul 29, 2022

Choose a reason for hiding this comment

github-actions bot commented Aug 1, 2022

zmb3 commented Aug 1, 2022

LKozlowski commented Aug 2, 2022

marcoandredinis commented Jul 15, 2022 •

edited

Loading