diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml index c4283a09f..2d6037e6b 100644 --- a/.github/workflows/unit-tests.yaml +++ b/.github/workflows/unit-tests.yaml @@ -11,40 +11,7 @@ env: TELEPORT_ENTERPRISE_LICENSE: ${{ secrets.TELEPORT_ENTERPRISE_LICENSE }} jobs: -# This test exists to ensure that we don't break compatibility of the event handler -# when we merge the unstructured events support. -# This is a temporary test and should be removed in Teleport 14. -# Since unstructured events API was intoduced in 13.1.0, this test fallbacks to -# the old SearchEvents and StreamSessionIDEvents API and should be able to complete -# without errors. -# DELETE IN 14.0.0 - test-structured: - name: Plugins Tests (Go) - runs-on: ubuntu-22.04-16core - - permissions: - contents: read - - steps: - - name: Checkout Teleport Plugins - uses: actions/checkout@v3 - - - name: Setup Go - uses: actions/setup-go@v3 - with: - go-version: '1.21.1' - - - name: Install Teleport - uses: teleport-actions/setup@v1 - with: - version: 14.0.0 - enterprise: true - - - name: Run unit tests - run: make test-unit - -# This test uses the new auditlog service that supports unstructured events. - test-unstructured: + test: name: Plugins Tests (Go) runs-on: ubuntu-22.04-16core diff --git a/Makefile b/Makefile index 4cf786bba..4b20f8624 100644 --- a/Makefile +++ b/Makefile @@ -44,13 +44,9 @@ access-msteams: access-pagerduty: $(MAKE) -C access/pagerduty -.PHONY: access-example -access-example: - go build -o build/access-example ./access/example - .PHONY: access-email access-email: - go build -o build/access-email ./access/email + $(MAKE) -C access/email # Build specific access plugin with docker .PHONY: docker-build-access-% 
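Review bot: The `access-email` recipe now delegates to `$(MAKE) -C access/email`, so the binary is no longer written to `build/access-email` at the repository root; it ends up wherever the plugin's own Makefile puts it (the README text removed elsewhere in this commit refers to `./build/teleport-email` relative to `access/email`, so presumably `access/email/build/teleport-email`). Anything that still expects `build/access-email`, such as the `docker-build-access-%` rule that starts right after this hunk, release packaging or CI scripts, should be checked, since those consumers are outside the hunk. This brings the target in line with `access-pagerduty`, which is good, but the change of output location is invisible to anyone running `make access-email`; a one-line comment on the target, `# Delegates to the plugin's own Makefile; the binary is produced under access/email/, not build/`, would make it explicit.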
@@ -288,6 +284,7 @@ update-goversion:
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' access/pagerduty/Makefile
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' access/email/Makefile
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' event-handler/Makefile
+	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' event-handler/build.assets/Makefile
 	$(SED) 's/^RUNTIME ?= go.*/RUNTIME ?= go$(GOVERSION)/' docker/Makefile
 	$(SED) 's/Setup Go .*/Setup Go $(GOVERSION)/g' .github/workflows/unit-tests.yaml
 	$(SED) 's/Setup Go .*/Setup Go $(GOVERSION)/g' .github/workflows/terraform-tests.yaml
diff --git a/README.md b/README.md
index d180caeb6..22a7dcf68 100644
--- a/README.md
+++ b/README.md
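Review bot: The added `$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' event-handler/build.assets/Makefile` rewrites line 2 of that file unconditionally, but in event-handler/build.assets/Makefile line 2 is `TOP ?= $(abspath $(LOCALDIR)/../..)` (its `@@ -2,7 +2,7 @@` hunk later in this diff starts on that line), while the version lives much further down as `GO_VERSION = 1.21.1`. Running `make update-goversion` would therefore clobber `TOP`, and with it `BUILDDIR=$(TOP)/build`, and leave the real Go version untouched, since the later assignment wins. Match on the variable name instead, as the `RUNTIME` line directly below already does: `$(SED) 's/^GO_VERSION = .*/GO_VERSION = $(GOVERSION)/' event-handler/build.assets/Makefile`. The `update-goversion` recipe begins before this hunk, so I cannot see whether a similar positional sed is used for other files with a different layout.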
@@ -1,67 +1,35 @@ -# Teleport Plugins and Example Applications +# Teleport plugins and example applications -A set of plugins for Teleport's for Access Workflows and example applications for Teleport Application Access. - -[![Build Status](https://drone.platform.teleport.sh/api/badges/gravitational/teleport-plugins/status.svg)](https://drone.platform.teleport.sh/gravitational/teleport-plugins/) +Teleport plugins allow you to integrate the Teleport Access Platform and Teleport workflows with other tools you use to support your infrastructure. +For example, Teleport Access Request plugins enable you to integrate access requests for resources protected by Teleport with your organization's existing messaging and project management solutions, such as Slack, JIRA, and Mattermost. +If you have a self-hosted Teleport deployment, you can find information about configuring access request plugins in [Just-in-Time Access Request Plugins](https://goteleport.com/docs/access-controls/access-request-plugins/). ## Access API The [access](./access) package exposes a simple API for managing access requests -which can be used for writing plugins. More info can be found in -[access/README.md](./access/README.md), including instructions on how to -properly provision necessary certificates. - -### API Example - -The [access/example](./access/example) plugin automatically approves access -requests based on a user whitelist. This is a good place to start if you are -trying to understand how to use the [`access`](./access) API. - -Use `make access-example` to build the plugin and -`./build/access-example configure` to print out a sample configuration file. - -### Slack - -[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/) - -A basic slack plugin (WIP) can be found in [access/slack](./access/slack). 
The -plugin can be built with `make access-slack` and instructions for configuring -the plugin can be found in the plugin's [README](./access/slack/README.md). - -### JIRA - -[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/) - -A basic Teleport / JIRA integration (WIP) can be found in -[access/jira](./access/jira). The plugin can be built with `make access-jira` -and instructions for configuring the plugin can be found in the plugin's -[README](./access/jira/README.md). - -### Mattermost - -[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/) - -Mattermost is a private cloud messaging platform (think Slack for enterprise). -Teleport provides a Mattermost integration that supports request flows similar -to Slack integration above. The plugin can be built with -`make access-mattermost`, and instructions for configuring the plugin can be -found in the plugin's [README](./access/mattermost/README.md). +that can be used for writing plugins. You can find the current Teleport Access API in the main [Teleport repository](https://github.com/gravitational/teleport). For +more information, see [access/README.md](./access/README.md). -### PagerDuty +## Existing plugin guides -[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/) +The Teleport documentation includes access request plugins guides for integration +with the following solutions: -A Teleport integration with Pagerduty that allows your team to treat Teleport -permission requests as Pagerduty incidents, and provides Pagerduty special -actions to approve or deny permission requests. Run `make teleport-pagerduty` to -build it. More docs in the [README](./access/pagerduty/README.md). 
+- [Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/) +- [Email](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/) +- [JIRA](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/) +- [Mattermost](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/) +- [Microsoft Teams](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/) +- [PagerDuty](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/) +- [Slack](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/) ## Event Handler -The [Teleport Event Handler Plugin](./event-handler) is used to export audit log events to a fluentd service. For more information, visit the Fluentd setup guide at [goteleport.com](https://goteleport.com/docs/management/export-audit-events/fluentd/) or checkout the [README](./event-handler/README.md). +The [Teleport Event Handler Plugin](./event-handler) is used to export audit log events to a `fluentd` service. +For more information, see [Fluentd](https://goteleport.com/docs/management/export-audit-events/fluentd/). ## Terraform Provider -The [Teleport Terraform Provider](./terraform) makes it easy to create resources using -Terraform. More info can be found in [terraform/README.md](./terraform/README.md). +The [Teleport Terraform Provider](./terraform) makes it easy to create resources using Terraform. +For more information, see [Terraform Provider]((https://goteleport.com/docs/setup/guides/terraform-provider/). diff --git a/access/README.md b/access/README.md index f84c5d3ef..4bc1fbf57 100644 --- a/access/README.md +++ b/access/README.md 
@@ -1,11 +1,26 @@ -# Access Plugins +# Access request plugins -The various plugins within this directory allow teleport users the ability to intergrate access request notifications and approval workflows with third party technologies. They also serve as examples for building your own integration. For more information on the plugins available visit the `README.md` within each plugins respective directory. +The access request plugins in this directory allow Teleport users to integrate access request notifications and approval workflows with third party messaging, project management, and scheduling solutions. These plugins also serve as examples for building your own integration. +If you have a self-hosted Teleport deployment, you can find information for configuring these access +request plugins in [Just-in-Time Access Request Plugins](https://goteleport.com/docs/access-controls/access-request-plugins/). -For more information on Access Requests with Teleport, check out this [blog post](https://goteleport.com/blog/access-requests/) +For an overview of the complete workflow for access requests and how messaging, project management, and scheduling solutions integrate with Teleport, see the [Access Requests for Cloud Infrastructure](https://goteleport.com/blog/access-requests/) blog post. -### Access API +## Access API -The Teleport Access API has been moved into the main Teleport repo, and can be imported from `github.com/gravitational/teleport/api`. To see examples of how to get started with the Teleport API, take a look at our [go-client example](https://github.com/gravitational/teleport/tree/master/examples/go-client) or read the [API docs](https://goteleport.com/docs/api/introduction/). +The Teleport Access API has been moved into the main Teleport repository. +You can import it from `github.com/gravitational/teleport/api`. 
To see examples of how to get started with the Teleport API, see the [go-client example](https://github.com/gravitational/teleport/tree/master/examples/go-client) or read the [API docs](https://goteleport.com/docs/api/introduction/). +For more specific examples of how to build a custom access request workflow with the Teleport API, see [How to Build an Access Request Plugin](https://goteleport.com/docs/api/access-plugin/). -For more specific examples of how to manage workflows with the Teleport API, take a look at the [Plugin example](https://goteleport.com/docs/api/access-plugin/). +## Existing plugin guides + +The Teleport documentation includes access request plugins guides for integration +with the following solutions: + +- [Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/) +- [Email](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/) +- [JIRA](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/) +- [Mattermost](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/) +- [Microsoft Teams](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/) +- [PagerDuty](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/) +- [Slack](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/) \ No newline at end of file diff --git a/access/discord/Makefile b/access/discord/Makefile index 7d3462ea0..2344ea094 100644 --- a/access/discord/Makefile +++ b/access/discord/Makefile @@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*discord*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) 
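Review bot: Changing the default to `CGOFLAG ?= CGO_ENABLED=0` here (and identically in the email, jira, mattermost, msteams, pagerduty and slack Makefiles and in the first hunk of event-handler/build.assets/Makefile) is a behavioural change that none of the hunks explain; a comment on the line would help, e.g. `# Static, pure-Go build by default; set CGOFLAG=CGO_ENABLED=1 only if a cgo dependency is actually needed`. Worth confirming before merge: with cgo disabled the Go `net` package generally falls back to its built-in DNS resolver rather than the libc one, so deployments that rely on nsswitch-driven name resolution could see different lookup behaviour from the plugins. The upside is that the shipped binaries no longer depend on the host libc, which simplifies the container images and shrinks the set of native libraries you have to track for vulnerabilities. Because the variable is `?=`, an environment that already exports `CGOFLAG` silently keeps its old value, so CI should be checked for such an export.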
diff --git a/access/discord/README.md b/access/discord/README.md index ee95c4589..f169bc4a6 100644 --- a/access/discord/README.md +++ b/access/discord/README.md 
@@ -1,162 +1,5 @@ -# Teleport Discord Plugin +# Teleport Discord access request plugin -This package implements a simple Discord plugin using the Teleport Access API. A discord channel receives an alert when an access request is created. +The Teleport Access API provides a simple Discord access request plugin that sends an alert to a Discord channel when an access request is created. You can find the Teleport Access API in the main Teleport repository and the Discord access request plugin in `github.com/gravitational/teleport/api/integrations/access/discord`. -## Setup - -[See setup instructions on Teleport's docs website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/) - -## Install the plugin - -There are several methods to installing and using the Teleport Discord Plugin: - -1. Use a [precompiled binary](#precompiled-binary) - -2. Use a [docker image](#docker-image) - -3. Install from [source](#building-from-source) - -### Precompiled Binary - -Get the plugin distribution. - -```bash -$ curl -L https://get.gravitational.com/teleport-access-discord-v7.0.2-linux-amd64-bin.tar.gz -$ tar -xzf teleport-access-discord-v11.1.0-linux-amd64-bin.tar.gz -$ cd teleport-access-discord -$ ./install -``` - -### Docker Image -```bash -$ docker pull public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0 -``` - -```bash -$ docker run public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0 version -teleport-discord v11.1.0 git:teleport-discord-v11.1.0-0-g9e149895 go1.19.1 -``` - -For a list of available tags, visit [Amazon ECR Public Gallery](https://gallery.ecr.aws/gravitational/teleport-plugin-discord) - -### Building from source - -To build the plugin from source you need [Go](https://go.dev/) and `make`. 
- -```bash -$ git clone https://github.com/gravitational/teleport-plugins.git -$ cd teleport-plugins/access/discord -$ make -$ ./build/teleport-discord start -``` - -## Teleport User and Role - -Using Web UI or `tctl` CLI utility, create the role `access-discord` and the user `access-discord` belonging to the role `access-discord`. You may use the following YAML declarations. - -### Role - -```yaml -kind: role -metadata: - name: access-discord -spec: - allow: - rules: - - resources: ['access_request'] - verbs: ['list', 'read', 'update'] -version: v6 -``` - -### User - -```yaml -kind: user -metadata: - name: access-discord -spec: - roles: ['access-discord'] -version: v2 -``` - -## Generate the certificate - -For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. This can be obtained with tctl: - -```bash -$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-discord --out=/var/lib/teleport/plugins/discord/auth_id --ttl=8760h -``` - -Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-in-cluster-auth.example.com:3025`, `your-remote-proxy.example.com:3080` or `your-teleport-cloud.teleport.sh:443`. For non-localhost connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server. - -## Configuring Discord Plugin - -Discord Plugin uses a config file in TOML format. Generate a boilerplate config -by running the following command: - -``` -$ teleport-discord configure > /etc/teleport-discord.yml -``` - -Then, edit the config as needed. - -```TOML -# Example discord plugin configuration TOML file - -[teleport] -# Teleport Auth/Proxy Server address. -# addr = "example.com:3025" -# -# Should be port 3025 for Auth Server and 3080 or 443 for Proxy. -# For Teleport Cloud, should be in the form "your-account.teleport.sh:443". - -# Credentials generated with `tctl auth sign`. 
-# -# When using --format=file: -# identity = "/var/lib/teleport/plugins/discord/auth_id" # Identity file -# -# When using --format=tls: -# client_key = "/var/lib/teleport/plugins/discord/auth.key" # Teleport TLS secret key -# client_crt = "/var/lib/teleport/plugins/discord/auth.crt" # Teleport TLS certificate -# root_cas = "/var/lib/teleport/plugins/discord/auth.cas" # Teleport CA certs - -[discord] -token = "my-token" - -[role_to_recipients] -# Map roles to recipients. -# -# Provide discord channelID recipients for access requests for specific roles. -# "*" must be provided to match non-specified roles. -# -# "dev" = ["1234567890","0987654321"] -# "*" = ["1234567890"] - -[log] -output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/teleport/discord.log" -severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN". -``` - -## Running the plugin - -With the config above, you should be able to run the bot invoking - -```bash -$ teleport-discord start -``` - -or with docker: - -```bash -$ docker run -v :/etc/teleport-discord.toml public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0 start -``` - -## Usage - -Once your Discord plugin has been configured, you can verify that it's working -correctly by using `tctl request create --roles=` to simulate an -access request. If everything is working as intended, a message should appear -in the channel specified under `discord.channel`. - -Select `Deny` and verify that the request was indeed denied using -`tctl request ls`. +If you have a self-hosted Teleport deployment, you can find information for configuring this access request plugin in [Access Requests with Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/). diff --git a/access/email/Makefile b/access/email/Makefile index e1464eca5..25cb810f9 100644 --- a/access/email/Makefile +++ b/access/email/Makefile 
@@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*email*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/access/email/README.md b/access/email/README.md index e5203d213..0868faa54 100644 --- a/access/email/README.md +++ b/access/email/README.md 
@@ -1,137 +1,5 @@ -# Teleport Email Plugin +# Teleport email access request plugin -The plugin allows teams to receive email notifications about new access requests. - -## Setup - -[See setup instructions on Teleport's docs website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/) - -## Install the plugin - -There are several methods to installing and using the Teleport Email Plugin: - -1. Use a [precompiled binary](#precompiled-binary) - -2. Use a [docker image](#docker-image) - -3. Install from [source](#building-from-source) - -### Precompiled Binary - -```bash -$ curl -L https://get.gravitational.com/teleport-access-email-v7.1.0-linux-amd64-bin.tar.gz -$ tar -xzf teleport-access-email-v7.1.0-linux-amd64-bin.tar.gz -$ cd teleport-access-email -$ ./install -``` - -### Docker Image -```bash -$ docker pull public.ecr.aws/gravitational/teleport-plugin-email:9.0.2 -``` - -```bash -$ docker run public.ecr.aws/gravitational/teleport-plugin-email:9.0.2 version -teleport-email v9.0.2 git:teleport-email-v9.0.2-0-g9e149895 go1.17.8 -``` - -For a list of available tags, visit [Amazon ECR Public Gallery](https://gallery.ecr.aws/gravitational/teleport-plugin-email) - -### Building from source - -To build the plugin from source you need [Go](https://go.dev/) and `make`. - -```bash -$ git clone https://github.com/gravitational/teleport-plugins.git -$ cd teleport-plugins/access/email -$ make -$ ./build/teleport-email start -``` - -## Teleport User and Role - -Using Web UI or `tctl` CLI utility, create the role `access-email` and the user `access-email` belonging to the role `access-email`. You may use the following YAML declarations. 
- -### Role - -```yaml -kind: role -metadata: - name: access-email -spec: - allow: - rules: - - resources: ['access_request'] - verbs: ['list', 'read', 'update'] -version: v6 -``` - -### User - -```yaml -kind: user -metadata: - name: access-email -spec: - roles: ['access-email'] -version: v2 -``` - -## Generate the certificate - -For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. This can be obtained with tctl: - -```bash -$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-email --out=/var/lib/teleport/plugins/email/auth_id --ttl=8760h -``` - -Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-in-cluster-auth.example.com:3025`, `your-remote-proxy.example.com:3080` or `your-teleport-cloud.teleport.sh:443`. For non-localhost connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server. - -## Save configuration file - -By default, configuration file is expected to be at `/etc/teleport-email.toml`. - -```toml -# /etc/teleport-email.toml -[teleport] -auth_server = "example.com:3025" # Teleport Auth/Proxy/Tunnel Server Address - -# Identity file exported with tctl auth sign --format file -identity = "/var/lib/teleport/plugins/email/auth_id" # Identity file - -[mailgun] -domain = "sandboxbd81caddef744a69be0e5b544ab0c3bd.mailgun.org" # Mailgun domain name -private_key = "xoxb-11xx" # Mailgun private key - -# As an alternative, you can use SMTP server credentials: -# -# [smtp] -# host = "smtp.gmail.com" -# port = 587 -# username = "username@gmail.com" -# password = "" -# password_file = "/var/lib/teleport/plugins/email/smtp_password" - -[delivery] -sender = "noreply@example.com" # 
From: email address -recipients = ["all@example.com"] # These recipients will receive all review requests - -[log] -output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/teleport/email.log" -severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN". -``` - -## Run the plugin - -```bash -$ teleport-email start -``` - -or with docker: - -```bash -$ docker run -v :/etc/teleport-email.toml public.ecr.aws/gravitational/teleport-plugin-email:9.0.2 start -``` - -If something bad happens, try to run it with `-d` option i.e. `teleport-email start -d` and attach the stdout output to the issue you are going to create. +The Teleport Access API provides a simple email access request plugin that sends email notifications to specified email addresses or distribution lists when an access request is created. You can find the Teleport Access API in the main Teleport repository and examples of access request plugins in `github.com/gravitational/teleport/api/integrations/access/`. +If you have a self-hosted Teleport deployment, you can find information for configuring this access request plugin in [Teleport Access Requests with Email](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/). \ No newline at end of file diff --git a/access/jira/Makefile b/access/jira/Makefile index 00bf4bdb4..43f07d94d 100644 --- a/access/jira/Makefile +++ b/access/jira/Makefile @@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*jira*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/access/mattermost/Makefile b/access/mattermost/Makefile index 308eeab1d..4c2373750 100644 --- a/access/mattermost/Makefile +++ b/access/mattermost/Makefile 
@@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*mattermost*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/access/mattermost/README.md b/access/mattermost/README.md index 3c41f8530..b5d8bf574 100644 --- a/access/mattermost/README.md +++ b/access/mattermost/README.md 
@@ -1,210 +1,5 @@ -# Teleport Mattermost Plugin +# Teleport Mattermost access request plugin -This package provides Teleport <-> Mattermost integration that allows teams to -get notified about new access requests in Mattermost. +The Teleport Access API provides a simple Mattermost access request plugin that sends an alert to a Mattermost channel when an access request is created. You can find the Teleport Access API in the main Teleport repository and the Mattermost access request plugin in `github.com/gravitational/teleport/api/integrations/access/mattermost`. -[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/) - -## Prerequisites - -This guide assumes that you have: - -- Teleport 6.1.0 or newer -- Admin privileges with access to `tctl` -- Mattermost account with admin privileges. - -## Install the plugin - -There are several methods to installing and using the Teleport Mattermost Plugin: - -1. Use a [precompiled binary](#precompiled-binary) - -2. Use a [docker image](#docker-image) - -3. Install from [source](#building-from-source) - -### Precompiled Binary - -Get the plugin distribution. - -```bash -$ curl -L https://get.gravitational.com/teleport-access-mattermost-v7.0.2-linux-amd64-bin.tar.gz -$ tar -xzf teleport-access-mattermost-v7.0.2-linux-amd64-bin.tar.gz -$ cd teleport-access-mattermost -$ ./install -``` - -### Docker Image -```bash -$ docker pull public.ecr.aws/gravitational/teleport-plugin-mattermost:9.0.2 -``` - -```bash -$ docker run public.ecr.aws/gravitational/teleport-plugin-mattermost:9.0.2 version -teleport-mattermost v9.0.2 git:teleport-mattermost-v9.0.2-0-g9e149895 go1.17.8 -``` - -For a list of available tags, visit [Amazon ECR Public Gallery](https://gallery.ecr.aws/gravitational/teleport-plugin-mattermost) - -### Building from source - -To build the plugin from source you need [Go](https://go.dev/) and `make`. 
- -```bash -$ git clone https://github.com/gravitational/teleport-plugins.git -$ cd teleport-plugins/access/mattermost -$ make -$ ./build/teleport-mattermost start -``` - -## Setting up a sandbox Mattermost instance for testing - -If you want to build the plugin and test it with Mattermost, the easiest way to -get Mattermost running is with the docker image: - -```bash -docker run --name mattermost-preview -d --publish 8065:8065 --add-host dockerhost:127.0.0.1 mattermost/mattermost-preview -``` - -Check out -[more documentation on running Mattermost](https://docs.mattermost.com/install/docker-local-machine.html). - -### Setting up Mattermost to work with the plugin - -In Mattermost, go to System Console -> Integrations -> Enable Bot Account -Creation -> Set to True. This will allow us to create a new bot account that the -Teleport plugin will use. - -Go back to your team, then Integrations -> Bot Accounts -> Add Bot Account. - -The new bot account will need Post All permission. - -The confirmation screen after you've created the bot will give you the access -token. We'll use this in the config later. - -## Teleport User and Role - -Using Web UI or `tctl` CLI utility, create the role `access-mattermost` and the user `access-mattermost` belonging to the role `access-mattermost`. You may use the following YAML declarations. - -### Role - -```yaml -kind: role -metadata: - name: access-mattermost -spec: - allow: - rules: - - resources: ['access_request'] - verbs: ['list', 'read', 'update'] -version: v6 -``` - -### User - -```yaml -kind: user -metadata: - name: access-mattermost -spec: - roles: ['access-mattermost'] -version: v2 -``` - -## Generate the certificate - -For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. 
This can be obtained with tctl: - -```bash -$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-mattermost --out=/var/lib/teleport/plugins/mattermost/auth_id --ttl=8760h -``` - -Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-in-cluster-auth.example.com:3025`, `your-remote-proxy.example.com:3080` or `your-teleport-cloud.teleport.sh:443`. For non-localhost connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server. - -## Configuring Mattermost Plugin - -Mattermost Plugin uses a config file in TOML format. Generate a boilerplate config -by running the following command: - -``` -$ teleport-mattermost configure > /etc/teleport-mattermost.yml -``` - -Then, edit the config as needed. - -```TOML -# example mattermost configuration TOML file -[teleport] -# Teleport Auth/Proxy Server address. -# -# Should be port 3025 for Auth Server and 3080 or 443 for Proxy. -# For Teleport Cloud, should be in the form "your-account.teleport.sh:443". -addr = "example.com:3025" - -# Credentials. -# -# When using --format=file: -# identity = "/var/lib/teleport/plugins/mattermost/auth_id" # Identity file -# -# When using --format=tls: -# client_key = "/var/lib/teleport/plugins/mattermost/auth.key" # Teleport TLS secret key -# client_crt = "/var/lib/teleport/plugins/mattermost/auth.crt" # Teleport TLS certificate -# root_cas = "/var/lib/teleport/plugins/mattermost/auth.cas" # Teleport CA certs - -[mattermost] -url = "https://mattermost.example.com" # Mattermost Server URL -token = "api-token" # Mattermost Bot OAuth token - -[log] -output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/teleport/mattermost.log" -severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN". 
-``` - -## Running the plugin - -With the config above, you should be able to run the bot invoking - -```bash -$ teleport-mattermost start -``` - -or with docker: - -```bash -$ docker run -v :/etc/teleport-mattermost.toml public.ecr.aws/gravitational/teleport-plugin-mattermost:9.0.2 start -``` - -## The Workflow - -### Create an access request - -You can create an access request using Web UI going to -`https://your-proxy.example.com/web/requests/new` where your-proxy.example.com -is your Teleport Proxy public address. There you should specify the reviewers -whose usernames *must match the emails of Mattermost users* which you want to be notified. -Check that you see a request message on Mattermost. - -It should look like this: %image% - -### Review the request - -Open the Link in message and choose to either approve or deny the request. The messages should automatically get updated to reflect the action you just did. - -## Teleport OSS edition - -Currently, Teleport OSS edition does not have an "Access Requests" page at Web UI. Alternatively, you can create an access request using tsh: - -```bash -tsh request create --roles=foo --reviewers=some-user@example.com - -98afcb7d-9c6d-4a8f-8a03-9124fbbcb059 -``` - -*Note:* There must be a user with an email `some-user@example.com` registered in your Mattermost team. - -To approve or deny the request: - -```bash -tsh request review --approve 98afcb7d-9c6d-4a8f-8a03-9124fbbcb059 -tsh request review --deny 98afcb7d-9c6d-4a8f-8a03-9124fbbcb059 -``` +If you have a self-hosted Teleport deployment, you can find information for configuring this access request plugin in [Access Requests with Mattermost](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/). diff --git a/access/msteams/Makefile b/access/msteams/Makefile index 040496054..add449617 100644 --- a/access/msteams/Makefile +++ b/access/msteams/Makefile 
@@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*msteams*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/access/pagerduty/Makefile b/access/pagerduty/Makefile index 5244b31ff..2a0f294bc 100644 --- a/access/pagerduty/Makefile +++ b/access/pagerduty/Makefile @@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*pagerduty*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/access/slack/Makefile b/access/slack/Makefile index 639724c29..e96cd2efc 100644 --- a/access/slack/Makefile +++ b/access/slack/Makefile @@ -7,7 +7,7 @@ GITTAG=v$(VERSION) GITREF ?= $(shell git describe --dirty --long --tags --match '*slack*') ADDFLAGS ?= BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)" -CGOFLAG ?= CGO_ENABLED=1 +CGOFLAG ?= CGO_ENABLED=0 OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) diff --git a/event-handler/build.assets/Dockerfile b/event-handler/build.assets/Dockerfile index 8142d3cc9..30f5b0a0f 100644 --- a/event-handler/build.assets/Dockerfile +++ b/event-handler/build.assets/Dockerfile @@ -1,5 +1,5 @@ -ARG GO_VER -FROM golang:${GO_VER}-bookworm +ARG GO_VERSION +FROM golang:${GO_VERSION}-bookworm ARG UID ARG GID diff --git a/event-handler/build.assets/Makefile b/event-handler/build.assets/Makefile index 282d99920..3b209d1e2 100644 --- a/event-handler/build.assets/Makefile +++ b/event-handler/build.assets/Makefile 
@@ -2,7 +2,7 @@ LOCALDIR := $(dir $(CURDIR)/$(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST)))
 TOP ?= $(abspath $(LOCALDIR)/../..)
 SRCDIR=/go/src/github.com/gravitational/teleport-plugins/event-handler
 VERSION=0.0.1
-CGOFLAG ?= CGO_ENABLED=1
+CGOFLAG ?= CGO_ENABLED=0
 BUILDDIR=$(TOP)/build
 OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)
@@ -19,10 +19,10 @@ DOCKERFLAGS := --rm \
 BUILDFORHOST := -e OS=$(OS) \
 	-e ARCH=$(ARCH) \
-	-e CGOFLAG="CGO_ENABLED=0"
+	-e CGOFLAG=$(CGOFLAG)
 
 DOCKERPULLFLAGS ?= --pull
 
-GO_VER = 1.18
+GO_VERSION = 1.21.1
 
 NOROOT=-u $$(id -u):$$(id -g)
 BINDIR=/usr/local/bin
@@ -30,7 +30,7 @@ BINDIR=/usr/local/bin
 .PHONY: buildbox
 buildbox:
 	docker build \
-	--build-arg GO_VER=$(GO_VER) \
+	--build-arg GO_VERSION=$(GO_VERSION) \
 	--build-arg UID=$(shell id -u) \
 	--build-arg GID=$(shell id -g) \
 	--build-arg ARCH=$(ARCH) \
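Review bot: `-e CGOFLAG=$(CGOFLAG)` drops the double quotes the replaced line had; with the default `CGO_ENABLED=0` that is harmless, but `CGOFLAG` is a `?=` variable, and an override containing whitespace would be split into several `docker` arguments. Keep the quoting, `-e CGOFLAG="$(CGOFLAG)"`, so the value reaches the build container as one token. Note also that this file spells the version as `GO_VERSION = 1.21.1` with spaces around `=`, whereas the plugin Makefiles use `GO_VERSION=`; one spelling across the repository makes automated bumps such as the top-level `update-goversion` target simpler to keep correct. The `buildbox` recipe in the last hunk continues past the end of the hunk.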