[v17] GitHub proxy (#51086)

* GitHub Proxy part 1: github integration resource (#48999) * github integration resource * fix lib/web * revert withSecrets * use static credentials * address review comments * fix ut * GitHub Proxy part 2: git_server resource, service, and RBAC (#49393) * git_server resource and role.allow.github_permissions * implicit RO on KindGitServer * review comments * fix ut * make -C integrations/operator crd * fix ut again * make crds-up-to-date and make -C integrations/terraform docs * GitHub proxy part 1.5: integration in web ui (#49561) * GitHub proxy part 1.5: integration in web ui * fix lint * GitHub Proxy part 3.5: caching PluginStaticCredentials (#49472) * GitHub Proxy part 3.5: caching PluginStaticCredentials * fix lint * GitHub proxy part 2.5: git_server cache (#49564) * GitHub proxy part 2.5: git_server cache * revert event * fix getAll * review comments * GitHub Proxy part 3: gen github user cert and export CA (#49396) * GitHub Proxy part 3: gen github user cert and export CA * address pr comment * minor refactor * use cache * fix build and cache * GitHub proxy part 4: `tsh git ls` with unified resource (#49596) * GitHub proxy part 4: tsh git ls * fix ut * update username note * fix * GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849) * GitHub proxy part 5: OAuth flow to retrieve GitHub identity * review comments round1 * review comments round 2 and update tsh git list * make -C integrations/operator crd * make -C integrations/terraform docs * fix flaky test * GitHub proxy part 6.5: tsh git ssh/clone/config (#50044) * GitHub proxy part 6.5: tsh git ssh/clone/config * review comments * fix test * fix ut for lookpath * fix logger and update dependency version * go mod tidy for integrations * GitHub proxy part 7: audit events (#49923) * GitHub proxy part 7: audit events * make Git Command consistent * fix typo * GitHub proxy: git command recorder (#50505) * GitHub proxy: recording git command * address review * review comments * allow flags after repository for git-upload-pack * GitHub proxy part 6: proxing Git using SSH transport (#49980) * GitHub proxy part 6: proxing Git using SSH transport * better command parsing and update suite * refactor * revert unnecearrty files * address review comments * ut fix * revert localsite_test.go * change special suffix to teleport-github-org for routing * fix routing ut * minor typo edit * fix ut after sshca change * add UT to sshutils * minor review comments * fix api ut because of special suffix change * GitServerReadOnlyClient * downgrade error to warning * run go mod tidy. not sure why it's needed * rename mock.go to mock_test.go * GitHub Proxy: complete audit event flow and add an enterprise guard (#51049) * fix lint and remove accidently checked-in binary * Fix flaky git.TestForwardServer test (#51112)
gravitational · Jan 16, 2025 · 7ca4e53 · 7ca4e53
1 parent cf7a14b
commit 7ca4e53
Show file tree

Hide file tree

Showing 189 changed files with 20,096 additions and 5,567 deletions.
diff --git a/api/client/client.go b/api/client/client.go
@@ -55,6 +55,7 @@ import (
 	"github.com/gravitational/teleport/api/client/discoveryconfig"
 	"github.com/gravitational/teleport/api/client/dynamicwindows"
 	"github.com/gravitational/teleport/api/client/externalauditstorage"
+	gitserverclient "github.com/gravitational/teleport/api/client/gitserver"
 	kubewaitingcontainerclient "github.com/gravitational/teleport/api/client/kubewaitingcontainer"
 	"github.com/gravitational/teleport/api/client/okta"
 	"github.com/gravitational/teleport/api/client/proto"
@@ -77,6 +78,7 @@ import (
 	discoveryconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1"
 	dynamicwindowsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dynamicwindows/v1"
 	externalauditstoragev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1"
+	gitserverpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	integrationpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
 	kubeproto "github.com/gravitational/teleport/api/gen/proto/go/teleport/kube/v1"
@@ -3958,6 +3960,8 @@ func convertEnrichedResource(resource *proto.PaginatedResource) (*types.Enriched
 		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetSAMLIdPServiceProvider(); r != nil {
 		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
+	} else if r := resource.GetGitServer(); r != nil {
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", resource.Resource)
 	}
@@ -4937,6 +4941,16 @@ func (c *Client) UserTasksServiceClient() *usertaskapi.Client {
 	return usertaskapi.NewClient(usertaskv1.NewUserTaskServiceClient(c.conn))
 }
 
+// GitServerClient returns a client for managing Git servers
+func (c *Client) GitServerClient() *gitserverclient.Client {
+	return gitserverclient.NewClient(gitserverpb.NewGitServerServiceClient(c.conn))
+}
+
+// GitServerReadOnlyClient returns the read-only client for Git servers.
+func (c *Client) GitServerReadOnlyClient() gitserverclient.ReadOnlyClient {
+	return c.GitServerClient()
+}
+
 // GetCertAuthority retrieves a CA by type and domain.
 func (c *Client) GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error) {
 	ca, err := c.TrustClient().GetCertAuthority(ctx, &trustpb.GetCertAuthorityRequest{
@@ -5299,3 +5313,8 @@ func (c *Client) IdentityCenterClient() identitycenterv1.IdentityCenterServiceCl
 func (c *Client) ProvisioningServiceClient() provisioningv1.ProvisioningServiceClient {
 	return provisioningv1.NewProvisioningServiceClient(c.conn)
 }
+
+// IntegrationsClient returns integrations client.
+func (c *Client) IntegrationsClient() integrationpb.IntegrationServiceClient {
+	return c.integrationsClient()
+}
diff --git a/api/client/events.go b/api/client/events.go
@@ -348,6 +348,10 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
 		out.Resource = &proto.Event_AccessListReview{
 			AccessListReview: accesslistv1conv.ToReviewProto(r),
 		}
+	case *types.PluginStaticCredentialsV1:
+		out.Resource = &proto.Event_PluginStaticCredentials{
+			PluginStaticCredentials: r,
+		}
 	default:
 		return nil, trace.BadParameter("resource type %T is not supported", in.Resource)
 	}
@@ -617,6 +621,9 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
 	} else if r := in.GetWorkloadIdentity(); r != nil {
 		out.Resource = types.Resource153ToLegacy(r)
 		return &out, nil
+	} else if r := in.GetPluginStaticCredentials(); r != nil {
+		out.Resource = r
+		return &out, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
 	}

diff --git a/api/client/gitserver/gitserver.go b/api/client/gitserver/gitserver.go
@@ -0,0 +1,142 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package gitserver
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+
+	gitserverv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// ReadOnlyClient defines getter functions for Git servers.
+type ReadOnlyClient interface {
+	// ListGitServers returns a paginated list of Git servers.
+	ListGitServers(ctx context.Context, pageSize int, pageToken string) ([]types.Server, string, error)
+	// GetGitServer returns a Git server by name.
+	GetGitServer(ctx context.Context, name string) (types.Server, error)
+}
+
+// Client is an Git servers client.
+type Client struct {
+	grpcClient gitserverv1.GitServerServiceClient
+}
+
+// NewClient creates a new Git servers client.
+func NewClient(grpcClient gitserverv1.GitServerServiceClient) *Client {
+	return &Client{
+		grpcClient: grpcClient,
+	}
+}
+
+// GetGitServer returns Git servers by name.
+func (c *Client) GetGitServer(ctx context.Context, name string) (types.Server, error) {
+	server, err := c.grpcClient.GetGitServer(ctx, &gitserverv1.GetGitServerRequest{Name: name})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return server, nil
+}
+
+// ListGitServers returns all Git servers matching filter.
+func (c *Client) ListGitServers(ctx context.Context, pageSize int, pageToken string) ([]types.Server, string, error) {
+	resp, err := c.grpcClient.ListGitServers(ctx, &gitserverv1.ListGitServersRequest{
+		PageSize:  int32(pageSize),
+		PageToken: pageToken,
+	})
+	if err != nil {
+		return nil, "", trace.Wrap(err)
+	}
+
+	servers := make([]types.Server, 0, len(resp.Servers))
+	for _, server := range resp.Servers {
+		servers = append(servers, server)
+	}
+	return servers, resp.NextPageToken, nil
+}
+
+func toServerV2(server types.Server) (*types.ServerV2, error) {
+	serverV2, ok := server.(*types.ServerV2)
+	if !ok {
+		return nil, trace.Errorf("encountered unexpected server type: %T", serverV2)
+	}
+	return serverV2, nil
+}
+
+// CreateGitServer creates a Git server resource.
+func (c *Client) CreateGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.CreateGitServer(ctx, &gitserverv1.CreateGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpdateGitServer updates a Git server resource.
+func (c *Client) UpdateGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.UpdateGitServer(ctx, &gitserverv1.UpdateGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpsertGitServer updates a Git server resource, creating it if it doesn't exist.
+func (c *Client) UpsertGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.UpsertGitServer(ctx, &gitserverv1.UpsertGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// DeleteGitServer removes the specified Git server resource.
+func (c *Client) DeleteGitServer(ctx context.Context, name string) error {
+	_, err := c.grpcClient.DeleteGitServer(ctx, &gitserverv1.DeleteGitServerRequest{Name: name})
+	return trace.Wrap(err)
+}
+
+// DeleteAllGitServers removes all Git server resources.
+func (c *Client) DeleteAllGitServers(ctx context.Context) error {
+	return trace.NotImplemented("DeleteAllGitServers servers not implemented")
+}
+
+// CreateGitHubAuthRequest starts GitHub OAuth flow for authenticated user.
+func (c *Client) CreateGitHubAuthRequest(ctx context.Context, req *types.GithubAuthRequest, org string) (*types.GithubAuthRequest, error) {
+	resp, err := c.grpcClient.CreateGitHubAuthRequest(ctx, &gitserverv1.CreateGitHubAuthRequestRequest{
+		Request:      req,
+		Organization: org,
+	})
+	return resp, trace.Wrap(err)
+}