diff --git a/lib/config/configuration.go b/lib/config/configuration.go index 0f23047f64f74..5b7cdd96f491c 100644 --- a/lib/config/configuration.go +++ b/lib/config/configuration.go @@ -297,6 +297,9 @@ type IntegrationConfAzureOIDC struct { // When this is true, the integration script will produce // a cache file necessary for TAG synchronization. AccessGraphEnabled bool + + // SkipOIDCConfiguration is a flag indicating that OIDC configuration should be skipped. + SkipOIDCConfiguration bool } // IntegrationConfDeployServiceIAM contains the arguments of diff --git a/lib/integrations/azureoidc/enterprise_app.go b/lib/integrations/azureoidc/enterprise_app.go index e159470d0bb39..e7de09225ec58 100644 --- a/lib/integrations/azureoidc/enterprise_app.go +++ b/lib/integrations/azureoidc/enterprise_app.go @@ -52,7 +52,7 @@ var appRoles = []string{ // - Provides Teleport with OIDC authentication to Azure // - Is given the permissions to access certain Microsoft Graph API endpoints for this tenant. // - Provides SSO to the Teleport cluster via SAML. -func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string) (string, string, error) { +func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string, skipOIDCSetup bool) (string, string, error) { var appID, tenantID string tenantID, err := getTenantID() @@ -120,8 +120,12 @@ func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnect } } - if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil { - return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential") + // Skip OIDC setup if requested. + // This is useful for clusters that can't use OIDC because they are not reachable from the public internet. + if !skipOIDCSetup { + if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil { + return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential") + } } acsURL, err := url.Parse(proxyPublicAddr) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go new file mode 100644 index 0000000000000..476c46003336e --- /dev/null +++ b/tool/tctl/common/plugin/entraid.go @@ -0,0 +1,398 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package plugin + +import ( + "bufio" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "os" + "path/filepath" + "strings" + + "github.com/alecthomas/kingpin/v2" + "github.com/google/safetext/shsprintf" + "github.com/google/uuid" + "github.com/gravitational/trace" + + pluginspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1" + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/e/lib/entraid" + "github.com/gravitational/teleport/lib/integrations/azureoidc" + "github.com/gravitational/teleport/lib/utils/oidc" + "github.com/gravitational/teleport/lib/web/scripts/oneoff" +) + +type entraArgs struct { + cmd *kingpin.CmdClause + authConnectorName string + defaultOwners []string + useSystemCredentials bool + accessGraph bool + force bool +} + +func (p *PluginsCommand) initInstallEntra(parent *kingpin.CmdClause) { + p.install.entraID.cmd = parent.Command("entraid", "Install an EntraId integration.") + cmd := p.install.entraID.cmd + cmd. + Flag("name", "Name of the plugin resource to create"). + Default("entra-id"). + StringVar(&p.install.name) + + cmd. + Flag("auth-connector-name", "Name of the SAML connector resource to create"). + Default("entra-id-default"). + StringVar(&p.install.entraID.authConnectorName) + + cmd. + Flag("use-system-credentials", "Uses system credentials instead of OIDC."). + BoolVar(&p.install.entraID.useSystemCredentials) + + cmd.Flag("default-owner", "List of Teleport users that are default owners for the imported access lists. Multiple flags allowed."). + Required(). + StringsVar(&p.install.entraID.defaultOwners) + + cmd. + Flag("access-graph", "Enables Access Graph cache build."). + Default("true"). + BoolVar(&p.install.entraID.accessGraph) + + cmd. + Flag("force", "Proceed with installation even if plugin already exists."). + Short('f'). + Default("false"). + BoolVar(&p.install.scim.force) +} + +type entraSettings struct { + accessGraphCache *azureoidc.TAGInfoCache + clientID string + tenantID string +} + +var ( + errCancel = trace.BadParameter("operation canceled") +) + +func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, error) { + fileLoc, err := pathForFile(os.Stdout, os.Stdin) + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to get file location") + } + + buildScript, err := buildScript(proxyPublicAddr, p.install.entraID.authConnectorName, p.install.entraID.accessGraph, p.install.entraID.useSystemCredentials) + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to build script") + } + + if err := os.WriteFile(fileLoc, []byte(buildScript), 0644); err != nil { + return entraSettings{}, trace.Wrap(err, "failed to write script to file") + } + + tmpl := `Step 1: Run the Setup Script + +1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility. +2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar. +3. Once uploaded, execute the script by running the following command: + $ bash %s + +**Important Considerations**: +- You must have **Azure privileged administrator permissions** to complete the integration. +- Ensure you're using the **Bash** environment in Cloud Shell. +- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials. +- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. + +` + + fmt.Fprintf(os.Stdout, tmpl, filepath.Base(fileLoc)) + + op, err := readData(os.Stdin, os.Stdout, + "Once the script completes, type 'continue' to proceed, 'exit' to quit", + func(input string) bool { + return input == "continue" || input == "exit" + }, "Invalid input. Please enter 'continue' or 'exit'.") + if err != nil { + return entraSettings{}, trace.Wrap(err, "failed to read operation") + } + if op == "exit" { // User chose to exit + return entraSettings{}, errCancel + } + + validUUID := func(input string) bool { + _, err := uuid.Parse(input) + return err == nil + } + + tmpl = ` + +Step 2: Input Tenant ID and Client ID + +With the output of Step 1, please copy and paste the following information: +` + fmt.Fprint(os.Stdout, tmpl) + var settings entraSettings + settings.tenantID, err = readData(os.Stdin, os.Stdout, "Enter the Tenant ID", validUUID, "Invalid Tenant ID") + if err != nil { + return settings, trace.Wrap(err, "failed to read Tenant ID") + } + + settings.clientID, err = readData(os.Stdin, os.Stdout, "Enter the Client ID", validUUID, "Invalid Client ID") + if err != nil { + return settings, trace.Wrap(err, "failed to read Client ID") + } + + if p.install.entraID.accessGraph { + dataValidator := func(input string) bool { + settings.accessGraphCache, err = readTAGCache(input) + return err == nil + } + _, err = readData(os.Stdin, os.Stdout, "Enter the Access Graph Cache file location", dataValidator, "File does not exist or is invalid") + if err != nil { + return settings, trace.Wrap(err, "failed to read Access Graph Cache file") + } + } + return settings, nil +} + +func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArgs) error { + inputs := p.install + + proxyPublicAddr, err := getProxyPublicAddr(ctx, args.authClient) + if err != nil { + return trace.Wrap(err) + } + + settings, err := p.entraSetupGuide(proxyPublicAddr) + if err != nil { + if errors.Is(err, errCancel) { + return nil + } + return trace.Wrap(err) + } + + var tagSyncSettings *types.PluginEntraIDAccessGraphSettings + if settings.accessGraphCache != nil { + tagSyncSettings = &types.PluginEntraIDAccessGraphSettings{ + AppSsoSettingsCache: settings.accessGraphCache.AppSsoSettingsCache, + } + } + + saml, err := types.NewSAMLConnector(inputs.entraID.authConnectorName, types.SAMLConnectorSpecV2{ + AssertionConsumerService: proxyPublicAddr + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName, + AllowIDPInitiated: true, + // AttributesToRoles is required, but Entra ID does not by have a default group (like Okta's "Everyone"), + // so we add a dummy claim that will never be fulfilled with the default configuration instead, + // and expect the user to modify it per their requirements. + AttributesToRoles: []types.AttributeMapping{ + { + Name: "https://example.com/my_attribute", + Value: "my_value", + Roles: []string{"requester"}, + }, + }, + Display: "Entra ID", + EntityDescriptorURL: entraid.FederationMetadataURL(settings.tenantID, settings.clientID), + }) + if err != nil { + return trace.Wrap(err, "failed to create SAML connector") + } + + if _, err = args.authClient.CreateSAMLConnector(ctx, saml); err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err, "failed to create SAML connector") + } + if _, err = args.authClient.UpsertSAMLConnector(ctx, saml); err != nil { + return trace.Wrap(err, "failed to upsert SAML connector") + } + } + + if !inputs.entraID.useSystemCredentials { + integrationSpec, err := types.NewIntegrationAzureOIDC( + types.Metadata{Name: inputs.name}, + &types.AzureOIDCIntegrationSpecV1{ + TenantID: settings.tenantID, + ClientID: settings.clientID, + }, + ) + if err != nil { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + + if _, err = args.authClient.CreateIntegration(ctx, integrationSpec); err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + if err = args.authClient.DeleteIntegration(ctx, integrationSpec.GetName()); err != nil { + return trace.Wrap(err, "failed to delete Azure OIDC integration") + } + if _, err = args.authClient.CreateIntegration(ctx, integrationSpec); err != nil { + return trace.Wrap(err, "failed to create Azure OIDC integration") + } + } + } + req := &pluginspb.CreatePluginRequest{ + Plugin: &types.PluginV1{ + Metadata: types.Metadata{ + Name: inputs.name, + Labels: map[string]string{ + "teleport.dev/hosted-plugin": "true", + }, + }, + Spec: types.PluginSpecV1{ + Settings: &types.PluginSpecV1_EntraId{ + EntraId: &types.PluginEntraIDSettings{ + SyncSettings: &types.PluginEntraIDSyncSettings{ + DefaultOwners: inputs.entraID.defaultOwners, + SsoConnectorId: inputs.entraID.authConnectorName, + UseSystemCredentials: inputs.entraID.useSystemCredentials, + TenantId: settings.tenantID, + }, + AccessGraphSettings: tagSyncSettings, + }, + }, + }, + }, + } + + _, err = args.plugins.CreatePlugin(ctx, req) + if err != nil { + if !trace.IsAlreadyExists(err) || !inputs.entraID.force { + return trace.Wrap(err) + } + if _, err = args.plugins.DeletePlugin(ctx, &pluginspb.DeletePluginRequest{ + Name: inputs.name, + }); err != nil { + return trace.Wrap(err) + } + if _, err = args.plugins.CreatePlugin(ctx, req); err != nil { + return trace.Wrap(err) + } + } + + fmt.Printf("Successfully created EntraID plugin %q\n\n", p.install.name) + + return nil +} + +func buildScript(proxyPublicAddr string, authConnectorName string, accessGraph, skipOIDCSetup bool) (string, error) { + + oidcIssuer, err := oidc.IssuerFromPublicAddress(proxyPublicAddr, "") + if err != nil { + return "", trace.Wrap(err) + } + + // The script must execute the following command: + argsList := []string{ + "integration", "configure", "azure-oidc", + fmt.Sprintf("--proxy-public-addr=%s", shsprintf.EscapeDefaultContext(oidcIssuer)), + fmt.Sprintf("--auth-connector-name=%s", shsprintf.EscapeDefaultContext(authConnectorName)), + } + + if accessGraph { + argsList = append(argsList, "--access-graph") + } + + if skipOIDCSetup { + argsList = append(argsList, "--skip-oidc-integration") + } + + script, err := oneoff.BuildScript(oneoff.OneOffScriptParams{ + TeleportArgs: strings.Join(argsList, " "), + SuccessMessage: "Success! You can now go back to the Teleport Web UI to use the integration with Azure.", + }) + if err != nil { + return "", trace.Wrap(err) + } + return script, nil +} + +func getProxyPublicAddr(ctx context.Context, authClient authClient) (string, error) { + pingResp, err := authClient.Ping(ctx) + if err != nil { + return "", trace.Wrap(err, "failed fetching cluster info") + } + proxyPublicAddr := pingResp.GetProxyPublicAddr() + return proxyPublicAddr, nil +} + +func pathForFile(w io.Writer, r io.Reader) (string, error) { + + pwd, err := os.Getwd() + if err != nil { + return "", trace.Wrap(err) + } + + const defaultFileName = "entraid.sh" + + file := filepath.Join(pwd, defaultFileName) + _, err = readData(r, w, fmt.Sprintf("Enter the path to write the script file [%s]", file), func(input string) bool { + if input != "" { + file = input + } + // Check if the directory exists + _, err = os.Stat(filepath.Dir(file)) + return err == nil + }, + "Invalid directory file location", + ) + + return file, trace.Wrap(err) +} + +var ( + errNoTAGCache = trace.BadParameter("no TAG cache file found") +) + +func readTAGCache(fileLoc string) (*azureoidc.TAGInfoCache, error) { + if fileLoc == "" { + return nil, trace.Wrap(errNoTAGCache) + } + + file, err := os.Open(fileLoc) + if err != nil { + return nil, trace.Wrap(err) + } + defer file.Close() + + var result azureoidc.TAGInfoCache + if err := json.NewDecoder(file).Decode(&result); err != nil { + return nil, trace.Wrap(err) + } + + return &result, nil +} + +func readData(r io.Reader, w io.Writer, message string, validate func(string) bool, errorMessage string) (string, error) { + reader := bufio.NewReader(r) + for { + fmt.Fprintf(w, "%s: ", message) + input, _ := reader.ReadString('\n') + input = strings.TrimSpace(input) // Clean up any extra newlines or spaces + + if !validate(input) { + fmt.Fprintf(w, "%s\n", errorMessage) + continue + } + return input, nil + } +} diff --git a/tool/tctl/common/plugin/plugins_command.go b/tool/tctl/common/plugin/plugins_command.go index ba6c92f7ae5a9..8d970da800ec0 100644 --- a/tool/tctl/common/plugin/plugins_command.go +++ b/tool/tctl/common/plugin/plugins_command.go @@ -49,10 +49,11 @@ func logErrorMessage(err error) slog.Attr { } type pluginInstallArgs struct { - cmd *kingpin.CmdClause - name string - okta oktaArgs - scim scimArgs + cmd *kingpin.CmdClause + name string + okta oktaArgs + scim scimArgs + entraID entraArgs } type scimArgs struct { @@ -98,6 +99,7 @@ func (p *PluginsCommand) initInstall(parent *kingpin.CmdClause, config *servicec p.initInstallOkta(p.install.cmd) p.initInstallSCIM(p.install.cmd) + p.initInstallEntra(p.install.cmd) } func (p *PluginsCommand) initInstallSCIM(parent *kingpin.CmdClause) { @@ -200,11 +202,16 @@ func (p *PluginsCommand) Cleanup(ctx context.Context, clusterAPI *authclient.Cli type authClient interface { GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error) + CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) + UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) + CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) + DeleteIntegration(ctx context.Context, name string) error Ping(ctx context.Context) (proto.PingResponse, error) } type pluginsClient interface { CreatePlugin(ctx context.Context, in *pluginsv1.CreatePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) + DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) } type installPluginArgs struct { @@ -310,6 +317,9 @@ func (p *PluginsCommand) TryRun(ctx context.Context, cmd string, client *authcli err = p.InstallOkta(ctx, args) case p.install.scim.cmd.FullCommand(): err = p.InstallSCIM(ctx, client) + case p.install.entraID.cmd.FullCommand(): + args := installPluginArgs{authClient: client, plugins: client.PluginsClient()} + err = p.InstallEntra(ctx, args) case p.delete.cmd.FullCommand(): err = p.Delete(ctx, client) default: diff --git a/tool/tctl/common/plugin/plugins_command_test.go b/tool/tctl/common/plugin/plugins_command_test.go index e42f21e26310f..160401e64a989 100644 --- a/tool/tctl/common/plugin/plugins_command_test.go +++ b/tool/tctl/common/plugin/plugins_command_test.go @@ -449,6 +449,11 @@ func (m *mockPluginsClient) CreatePlugin(ctx context.Context, in *pluginsv1.Crea return result.Get(0).(*emptypb.Empty), result.Error(1) } +func (m *mockPluginsClient) DeletePlugin(ctx context.Context, in *pluginsv1.DeletePluginRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) { + result := m.Called(ctx, in, opts) + return result.Get(0).(*emptypb.Empty), result.Error(1) +} + type mockAuthClient struct { mock.Mock } @@ -457,7 +462,22 @@ func (m *mockAuthClient) GetSAMLConnector(ctx context.Context, id string, withSe result := m.Called(ctx, id, withSecrets) return result.Get(0).(types.SAMLConnector), result.Error(1) } - +func (m *mockAuthClient) CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) { + result := m.Called(ctx, connector) + return result.Get(0).(types.SAMLConnector), result.Error(1) +} +func (m *mockAuthClient) UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error) { + result := m.Called(ctx, connector) + return result.Get(0).(types.SAMLConnector), result.Error(1) +} +func (m *mockAuthClient) CreateIntegration(ctx context.Context, ig types.Integration) (types.Integration, error) { + result := m.Called(ctx, ig) + return result.Get(0).(types.Integration), result.Error(1) +} +func (m *mockAuthClient) DeleteIntegration(ctx context.Context, name string) error { + result := m.Called(ctx, name) + return result.Error(0) +} func (m *mockAuthClient) Ping(ctx context.Context) (proto.PingResponse, error) { result := m.Called(ctx) return result.Get(0).(proto.PingResponse), result.Error(1) diff --git a/tool/teleport/common/integration_configure.go b/tool/teleport/common/integration_configure.go index bfd762d1322ec..97f531910e45e 100644 --- a/tool/teleport/common/integration_configure.go +++ b/tool/teleport/common/integration_configure.go @@ -251,7 +251,7 @@ func onIntegrationConfAzureOIDCCmd(ctx context.Context, params config.Integratio fmt.Println("Teleport is setting up the Azure integration. This may take a few minutes.") - appID, tenantID, err := azureoidc.SetupEnterpriseApp(ctx, params.ProxyPublicAddr, params.AuthConnectorName) + appID, tenantID, err := azureoidc.SetupEnterpriseApp(ctx, params.ProxyPublicAddr, params.AuthConnectorName, params.SkipOIDCConfiguration) if err != nil { return trace.Wrap(err) } diff --git a/tool/teleport/common/teleport.go b/tool/teleport/common/teleport.go index 3ccaa6ad1928a..9cd4436c68680 100644 --- a/tool/teleport/common/teleport.go +++ b/tool/teleport/common/teleport.go @@ -552,6 +552,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con integrationConfAzureOIDCCmd.Flag("proxy-public-addr", "The public address of Teleport Proxy Service").Required().StringVar(&ccf.IntegrationConfAzureOIDCArguments.ProxyPublicAddr) integrationConfAzureOIDCCmd.Flag("auth-connector-name", "The name of Entra ID SAML Auth connector in Teleport.").Required().StringVar(&ccf.IntegrationConfAzureOIDCArguments.AuthConnectorName) integrationConfAzureOIDCCmd.Flag("access-graph", "Enable Access Graph integration.").BoolVar(&ccf.IntegrationConfAzureOIDCArguments.AccessGraphEnabled) + integrationConfAzureOIDCCmd.Flag("skip-oidc-integration", "Skip OIDC integration.").BoolVar(&ccf.IntegrationConfAzureOIDCArguments.SkipOIDCConfiguration) integrationConfSAMLIdP := integrationConfigureCmd.Command("samlidp", "Manage SAML IdP integrations.") integrationSAMLIdPGCPWorkforce := integrationConfSAMLIdP.Command("gcp-workforce", "Configures GCP Workforce Identity Federation pool and SAML provider.")