From ecfa26a68e143880f0af18651362d7146d3cabab Mon Sep 17 00:00:00 2001 From: Lisa Kim Date: Fri, 19 Jul 2024 17:10:16 -0700 Subject: [PATCH] Web: remove s3 bucket option when creating/editing aws oidc integration (#44104) * Remove s3 related files * Remove s3 reference * Remove s3 fields when creating aws oidc * Remove ability to edit s3 fields, and suggest reconfiguring * Add a warning icon choice for ToolTip.tsx * Improve messaging * Address CRs * Address CRs --- .../shared/components/ToolTip/ToolTip.tsx | 18 +- .../EditAwsOidcIntegrationDialog.test.tsx | 176 ++++-------------- .../EditAwsOidcIntegrationDialog.tsx | 143 +++++++------- .../Enroll/AwsOidc/AwsOidc.story.tsx | 17 -- .../Integrations/Enroll/AwsOidc/AwsOidc.tsx | 80 +------- .../Enroll/AwsOidc/S3BucketConfiguration.tsx | 37 +--- .../Enroll/AwsOidc/S3BucketWarningBanner.tsx | 81 -------- .../Enroll/AwsOidc/Shared/Shared.tsx | 37 ---- .../Enroll/AwsOidc/Shared/utils.test.ts | 101 ---------- .../Enroll/AwsOidc/Shared/utils.ts | 145 --------------- .../src/Integrations/IntegrationList.test.tsx | 83 --------- .../src/Integrations/IntegrationList.tsx | 4 - .../src/Integrations/Integrations.story.tsx | 17 -- .../Operations/useIntegrationOperation.ts | 4 - .../Integrations/UpdateAwsOidcThumbprint.tsx | 129 ------------- .../teleport/src/Integrations/fixtures.ts | 11 -- web/packages/teleport/src/config.test.ts | 15 -- web/packages/teleport/src/config.ts | 5 +- .../src/services/integrations/types.ts | 6 +- 19 files changed, 141 insertions(+), 968 deletions(-) delete mode 100644 web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketWarningBanner.tsx delete mode 100644 web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/Shared.tsx delete mode 100644 web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.test.ts delete mode 100644 web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.ts delete mode 100644 web/packages/teleport/src/Integrations/IntegrationList.test.tsx delete mode 100644 web/packages/teleport/src/Integrations/UpdateAwsOidcThumbprint.tsx diff --git a/web/packages/shared/components/ToolTip/ToolTip.tsx b/web/packages/shared/components/ToolTip/ToolTip.tsx index 4b27754a06b9c..9b02ae9ab511f 100644 --- a/web/packages/shared/components/ToolTip/ToolTip.tsx +++ b/web/packages/shared/components/ToolTip/ToolTip.tsx @@ -28,6 +28,7 @@ export const ToolTipInfo: React.FC< muteIconColor?: boolean; sticky?: boolean; maxWidth?: number; + kind?: 'info' | 'warning'; }> > = ({ children, @@ -35,6 +36,7 @@ export const ToolTipInfo: React.FC< muteIconColor, sticky = false, maxWidth = 350, + kind = 'info', }) => { const [anchorEl, setAnchorEl] = useState(); const open = Boolean(anchorEl); @@ -71,7 +73,12 @@ export const ToolTipInfo: React.FC< height: 18px; `} > - + {kind === 'info' && ( + + )} + {kind === 'warning' && ( + + )} @@ -108,3 +115,12 @@ const InfoIcon = styled(Icons.Info)<{ $muteIconColor?: boolean }>` width: 18px; color: ${p => (p.$muteIconColor ? p.theme.colors.text.disabled : 'inherit')}; `; + +const WarningIcon = styled(Icons.Warning)<{ $muteIconColor?: boolean }>` + height: 18px; + width: 18px; + color: ${p => + p.$muteIconColor + ? p.theme.colors.text.disabled + : p.theme.colors.interactive.solid.alert.default.background}; +`; diff --git a/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.test.tsx b/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.test.tsx index ed6151770e7cb..0dc8135e747ef 100644 --- a/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.test.tsx +++ b/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.test.tsx @@ -26,7 +26,7 @@ import { import { EditAwsOidcIntegrationDialog } from './EditAwsOidcIntegrationDialog'; -test('user acknowledging script was ran when s3 bucket fields are edited', async () => { +test('user acknowledging script was ran when reconfiguring', async () => { render( null} @@ -37,8 +37,6 @@ test('user acknowledging script was ran when s3 bucket fields are edited', async name: 'some-integration-name', spec: { roleArn: 'arn:aws:iam::123456789012:role/johndoe', - issuerS3Bucket: 'test-value', - issuerS3Prefix: '', }, statusCode: IntegrationStatusCode.Running, }} @@ -49,31 +47,32 @@ test('user acknowledging script was ran when s3 bucket fields are edited', async expect(screen.queryByTestId('scriptbox')).not.toBeInTheDocument(); expect(screen.queryByLabelText(/I ran the command/i)).not.toBeInTheDocument(); expect( - screen.queryByRole('button', { name: /generate command/i }) + screen.queryByRole('button', { name: /reconfigure/i }) ).not.toBeInTheDocument(); expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); - // Fill in the s3 prefix field. - fireEvent.change(screen.getByPlaceholderText(/prefix/i), { - target: { value: 'test-value' }, + // Check s3 related fields are not rendered. + expect(screen.queryByText(/not recommended/)).not.toBeInTheDocument(); + expect(screen.queryByText('Amazon S3')).not.toBeInTheDocument(); + + // change role arn + fireEvent.change(screen.getByPlaceholderText(/arn:aws:iam:/i), { + target: { value: 'arn:aws:iam::123456789011:role/other' }, }); + await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() + expect(screen.getByRole('button', { name: /reconfigure/i })).toBeEnabled() ); - // When clicking on generate command: + // When clicking on reconfigure: // - script rendered // - checkbox to confirm user has ran command - // - edit button replaces generate command button + // - edit button replaces reconfigure button // - save button still disabled - await userEvent.click( - screen.getByRole('button', { name: /generate command/i }) - ); + await userEvent.click(screen.getByRole('button', { name: /reconfigure/i })); await screen.findByRole('button', { name: /edit/i }); expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); expect( - screen.queryByRole('button', { name: /generate command/i }) + screen.queryByRole('button', { name: /reconfigure/i }) ).not.toBeInTheDocument(); expect(screen.getByLabelText(/I ran the command/i)).toBeInTheDocument(); expect(screen.getByTestId('scriptbox')).toBeInTheDocument(); @@ -91,16 +90,14 @@ test('user acknowledging script was ran when s3 bucket fields are edited', async expect(screen.getByRole('button', { name: /save/i })).toBeDisabled() ); - // Click on edit, should replace it with generate command + // Click on edit, should replace it with reconfigure await userEvent.click(screen.getByRole('button', { name: /edit/i })); await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() + expect(screen.getByRole('button', { name: /reconfigure/i })).toBeEnabled() ); }); -test('render warning on save when leaving s3 fields empty', async () => { +test('render warning when s3 buckets are present', async () => { const edit = jest.fn(() => Promise.resolve()); render( { name: 'some-integration-name', spec: { roleArn: 'arn:aws:iam::123456789012:role/johndoe', - issuerS3Bucket: '', - issuerS3Prefix: '', + issuerS3Bucket: 'some-bucket', + issuerS3Prefix: 'some-prefix', }, statusCode: IntegrationStatusCode.Running, }} @@ -124,112 +121,25 @@ test('render warning on save when leaving s3 fields empty', async () => { expect(screen.queryByTestId('scriptbox')).not.toBeInTheDocument(); expect(screen.queryByLabelText(/I ran the command/i)).not.toBeInTheDocument(); expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); - expect( - screen.queryByRole('button', { name: /generate command/i }) - ).not.toBeInTheDocument(); - - // Enable the generate command button by changing a field. - fireEvent.change(screen.getByPlaceholderText(/arn:aws:iam:/i), { - target: { value: 'arn:aws:iam::123456789012:role/someonelse' }, - }); - await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() - ); - - expect(screen.queryByLabelText(/I ran the command/i)).not.toBeInTheDocument(); - expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); - - await userEvent.click( - screen.getByRole('button', { name: /generate command/i }) - ); - await screen.findByRole('button', { name: /edit/i }); - expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); - - await userEvent.click(screen.getByLabelText(/I ran the command/i)); - await waitFor(() => - expect(screen.getByRole('button', { name: /save/i })).toBeEnabled() - ); - - // Clicking on save without defining s3 fields, should render - // a warning. - await userEvent.click(screen.getByRole('button', { name: /save/i })); - await screen.findByText(/recommended to use an S3 bucket/i); - expect(edit).not.toHaveBeenCalled(); - - // Canceling and saving should re-render the warning. - await userEvent.click(screen.getByRole('button', { name: /cancel/i })); - await screen.findByRole('button', { name: /save/i }); - - await userEvent.click(screen.getByRole('button', { name: /save/i })); - await screen.findByText(/recommended to use an S3 bucket/i); - - await userEvent.click(screen.getByRole('button', { name: /continue/i })); - await waitFor(() => expect(edit).toHaveBeenCalledTimes(1)); -}); - -test('render warning on save when deleting existing s3 fields', async () => { - const edit = jest.fn(() => Promise.resolve()); - render( - null} - edit={edit} - integration={{ - resourceType: 'integration', - kind: IntegrationKind.AwsOidc, - name: 'some-integration-name', - spec: { - roleArn: 'arn:aws:iam::123456789012:role/johndoe', - issuerS3Bucket: 'delete-me', - issuerS3Prefix: 'delete-me', - }, - statusCode: IntegrationStatusCode.Running, - }} - /> - ); + // Check s3 related fields/warnings are rendered. expect( - screen.queryByRole('button', { name: /generate command/i }) - ).not.toBeInTheDocument(); - - // Delete the s3 fields. - fireEvent.change(screen.getByPlaceholderText(/bucket/i), { - target: { value: '' }, - }); - fireEvent.change(screen.getByPlaceholderText(/prefix/i), { - target: { value: '' }, - }); - await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() - ); - - expect(screen.queryByLabelText(/I ran the command/i)).not.toBeInTheDocument(); - expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); + screen.getByRole('button', { name: /reconfigure/i }) + ).toBeInTheDocument(); + expect(screen.getByText(/not recommended/)).toBeInTheDocument(); + expect(screen.getByText(/Amazon S3 Location/)).toBeInTheDocument(); - await userEvent.click( - screen.getByRole('button', { name: /generate command/i }) - ); - await screen.findByRole('button', { name: /edit/i }); - expect(screen.getByRole('button', { name: /save/i })).toBeDisabled(); + // Clicking on reconfigure should hide s3 fields. + await userEvent.click(screen.getByRole('button', { name: /reconfigure/i })); + await screen.findByText(/AWS CloudShell/); + expect(screen.queryByText(/not recommended/)).not.toBeInTheDocument(); + expect(screen.queryByText('/Amazon S3 Location/')).not.toBeInTheDocument(); - await userEvent.click(screen.getByLabelText(/I ran the command/i)); - await waitFor(() => - expect(screen.getByRole('button', { name: /save/i })).toBeEnabled() - ); - - // Test for warning render. - await userEvent.click(screen.getByRole('button', { name: /save/i })); - await screen.findByText(/recommended to use an S3 bucket/i); - expect(edit).not.toHaveBeenCalled(); - expect( - screen.getByText(/recommended to use an S3 bucket/i) - ).toBeInTheDocument(); + // Clicking on edit, should render it back. + await userEvent.click(screen.getByRole('button', { name: /edit/i })); - await userEvent.click(screen.getByRole('button', { name: /continue/i })); - await waitFor(() => expect(edit).toHaveBeenCalledTimes(1)); + await screen.findByText(/not recommended/); + await screen.findByText(/Amazon S3 Location/); }); test('edit invalid fields', async () => { @@ -249,14 +159,10 @@ test('edit invalid fields', async () => { }); await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() + expect(screen.getByRole('button', { name: /reconfigure/i })).toBeEnabled() ); - await userEvent.click( - screen.getByRole('button', { name: /generate command/i }) - ); + await userEvent.click(screen.getByRole('button', { name: /reconfigure/i })); await screen.findByText(/invalid role ARN format/i); }); @@ -286,14 +192,10 @@ test('edit submit called with proper fields', async () => { }); await waitFor(() => - expect( - screen.getByRole('button', { name: /generate command/i }) - ).toBeEnabled() + expect(screen.getByRole('button', { name: /reconfigure/i })).toBeEnabled() ); - await userEvent.click( - screen.getByRole('button', { name: /generate command/i }) - ); + await userEvent.click(screen.getByRole('button', { name: /reconfigure/i })); await screen.findByRole('button', { name: /edit/i }); await userEvent.click(screen.getByLabelText(/I ran the command/i)); @@ -305,8 +207,6 @@ test('edit submit called with proper fields', async () => { expect(mockEditFn).toHaveBeenCalledWith({ roleArn: 'arn:aws:iam::123456789011:role/other', - s3Bucket: 'other-bucket', - s3Prefix: 'other-prefix', }); }); diff --git a/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.tsx b/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.tsx index 35a3dfd1c0dec..3813f7381ef49 100644 --- a/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.tsx +++ b/web/packages/teleport/src/Integrations/EditAwsOidcIntegrationDialog.tsx @@ -33,6 +33,7 @@ import Dialog, { DialogContent, DialogFooter, } from 'design/DialogConfirmation'; +import { OutlineInfo, OutlineWarn } from 'design/Alert/Alert'; import useAttempt from 'shared/hooks/useAttemptNext'; import FieldInput from 'shared/components/FieldInput'; import Validation, { Validator } from 'shared/components/Validation'; @@ -47,7 +48,6 @@ import { splitAwsIamArn } from 'teleport/services/integrations/aws'; import { EditableIntegrationFields } from './Operations/useIntegrationOperation'; import { S3BucketConfiguration } from './Enroll/AwsOidc/S3BucketConfiguration'; -import { S3BucketWarningBanner } from './Enroll/AwsOidc/S3BucketWarningBanner'; type Props = { close(): void; @@ -59,15 +59,7 @@ export function EditAwsOidcIntegrationDialog(props: Props) { const { close, edit, integration } = props; const { attempt, run } = useAttempt(); - const [showS3BucketWarning, setShowS3BucketWarning] = useState(false); const [roleArn, setRoleArn] = useState(integration.spec.roleArn); - const [s3Bucket, setS3Bucket] = useState( - () => integration.spec.issuerS3Bucket - ); - const [s3Prefix, setS3Prefix] = useState( - () => integration.spec.issuerS3Prefix - ); - const [scriptUrl, setScriptUrl] = useState(''); const [confirmed, setConfirmed] = useState(false); @@ -76,7 +68,7 @@ export function EditAwsOidcIntegrationDialog(props: Props) { return; } - run(() => edit({ roleArn, s3Bucket, s3Prefix })); + run(() => edit({ roleArn })); } function generateAwsOidcConfigIdpScript(validator: Validator) { @@ -92,24 +84,20 @@ export function EditAwsOidcIntegrationDialog(props: Props) { const newScriptUrl = cfg.getAwsOidcConfigureIdpScriptUrl({ integrationName: integration.name, roleName: arnResourceName, - s3Bucket: s3Bucket, - s3Prefix: s3Prefix, }); setScriptUrl(newScriptUrl); } + const s3Bucket = integration.spec.issuerS3Bucket; + const s3Prefix = integration.spec.issuerS3Prefix; + const showReadonlyS3Fields = s3Bucket || s3Prefix; + const isProcessing = attempt.status === 'processing'; - const requiresS3BucketWarning = !s3Bucket && !s3Prefix; const showGenerateCommand = - integration.spec.issuerS3Bucket !== s3Bucket || - integration.spec.issuerS3Prefix !== s3Prefix || - integration.spec.roleArn !== roleArn; + integration.spec.roleArn !== roleArn || showReadonlyS3Fields; - const changeDetected = - integration.spec.issuerS3Bucket !== s3Bucket || - integration.spec.issuerS3Prefix !== s3Prefix || - integration.spec.roleArn !== roleArn; + const changeDetected = integration.spec.roleArn !== roleArn; return ( @@ -135,7 +123,7 @@ export function EditAwsOidcIntegrationDialog(props: Props) { value={integration.name} readonly={true} /> - + - + {showReadonlyS3Fields && !scriptUrl && ( + <> + + + Using an S3 bucket to store the OpenID Configuration is not + recommended. Reconfiguring this integration is suggested + (this will not break existing features). + + + )} {scriptUrl && ( - Configure the required permission in your AWS account. Open{' '} + {showReadonlyS3Fields && ( + + + After running the command, delete the previous{' '} + + identity provider + {' '} + along with its{' '} + + S3 bucket + {' '} + from your AWS console. + + + )} )} @@ -192,16 +206,13 @@ export function EditAwsOidcIntegrationDialog(props: Props) { Edit )} - {showGenerateCommand && !scriptUrl && ( + {!scriptUrl && showGenerateCommand && ( generateAwsOidcConfigIdpScript(validator)} - disabled={ - (!requiresS3BucketWarning && (!s3Bucket || !s3Prefix)) || - !roleArn - } + disabled={!roleArn} > - Generate Command + Reconfigure )} @@ -217,40 +228,20 @@ export function EditAwsOidcIntegrationDialog(props: Props) { }} /> )} - - {requiresS3BucketWarning && showS3BucketWarning ? ( - setShowS3BucketWarning(false)} - onContinue={() => { - setShowS3BucketWarning(false); - handleEdit(validator); - }} - btnFlexWrap={true} - /> - ) : ( - <> - { - if (requiresS3BucketWarning) { - setShowS3BucketWarning(true); - } else { - handleEdit(validator); - } - }} - > - Save - - - Cancel - - - )} + handleEdit(validator)} + > + Save + + + Cancel + )} @@ -263,3 +254,17 @@ const EditableBox = styled(Box)` border: 2px solid ${p => p.theme.colors.spotBackground[1]}; background-color: ${p => p.theme.colors.spotBackground[0]}; `; + +function getIdpArn({ + s3Bucket, + s3Prefix, + roleArn, +}: { + s3Bucket: string; + s3Prefix: string; + roleArn: string; +}) { + const { awsAccountId } = splitAwsIamArn(roleArn); + const arn = `arn:aws:iam::${awsAccountId}:oidc-provider/${s3Bucket}.s3.amazonaws.com/${s3Prefix}`; + return encodeURIComponent(arn); +} diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.story.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.story.tsx index c7bf533f841b5..a00a102207ddd 100644 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.story.tsx +++ b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.story.tsx @@ -20,26 +20,9 @@ import React from 'react'; import { MemoryRouter } from 'react-router'; import { AwsOidc } from './AwsOidc'; -import { S3BucketWarningBanner } from './S3BucketWarningBanner'; - -export default { - title: 'Teleport/Integrations/Enroll/AwsOidc', -}; export const Flow = () => ( ); - -export const SBucketWarning = () => ( - null} onContinue={() => null} /> -); - -export const SBucketWarningWithReview = () => ( - null} - onContinue={() => null} - reviewing={true} - /> -); diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx index 79d7dac8e0b45..4415fb646d5b2 100644 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx +++ b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx @@ -20,15 +20,7 @@ import React, { useEffect, useState } from 'react'; import { Link as InternalRouteLink } from 'react-router-dom'; import { useLocation } from 'react-router'; import styled from 'styled-components'; -import { - Box, - ButtonSecondary, - Text, - Link, - Flex, - ButtonPrimary, - ButtonText, -} from 'design'; +import { Box, ButtonSecondary, Text, Link, Flex, ButtonPrimary } from 'design'; import * as Icons from 'design/Icon'; import FieldInput from 'shared/components/FieldInput'; import { requiredIamRoleName } from 'shared/components/Validation/rules'; @@ -53,24 +45,12 @@ import { import cfg from 'teleport/config'; import { FinishDialog } from './FinishDialog'; -import { S3BucketConfiguration } from './S3BucketConfiguration'; -import { - getDefaultS3BucketName, - requiredPrefixName, - validPrefixNameToolTipContent, -} from './Shared/utils'; -import { S3BucketWarningBanner } from './S3BucketWarningBanner'; export function AwsOidc() { const [integrationName, setIntegrationName] = useState(''); const [roleArn, setRoleArn] = useState(''); const [roleName, setRoleName] = useState(''); const [scriptUrl, setScriptUrl] = useState(''); - const [s3Bucket, setS3Bucket] = useState(() => getDefaultS3BucketName()); - const [s3Prefix, setS3Prefix] = useState(''); - const [showS3BucketWarning, setShowS3BucketWarning] = useState(false); - const [confirmedS3BucketWarning, setConfirmedS3BucketWarning] = - useState(false); const [createdIntegration, setCreatedIntegration] = useState(); const { attempt, run } = useAttempt(''); @@ -81,8 +61,6 @@ export function AwsOidc() { kind: IntegrationEnrollKind.AwsOidc, }); - const requiresS3BucketWarning = !s3Bucket && !s3Prefix; - useEffect(() => { // If a user came from the discover wizard, // discover wizard will send of appropriate events. @@ -107,8 +85,6 @@ export function AwsOidc() { subKind: IntegrationKind.AwsOidc, awsoidc: { roleArn, - issuerS3Bucket: s3Bucket, - issuerS3Prefix: s3Prefix, }, }) .then(res => { @@ -139,8 +115,6 @@ export function AwsOidc() { const newScriptUrl = cfg.getAwsOidcConfigureIdpScriptUrl({ integrationName, roleName, - s3Bucket, - s3Prefix, }); setScriptUrl(newScriptUrl); @@ -182,23 +156,12 @@ export function AwsOidc() { Step 1 setIntegrationName(e.target.value)} disabled={!!scriptUrl} - onBlur={() => { - // s3Bucket by default is defined. - // If empty user intentionally cleared it. - if (!integrationName || (!s3Bucket && !s3Prefix)) return; - // Help come up with a default prefix name for user. - if (!s3Prefix) { - setS3Prefix(`${integrationName}-oidc-idp`); - } - }} - toolTipContent={validPrefixNameToolTipContent('Integration')} /> setRoleName(e.target.value)} disabled={!!scriptUrl} /> - - {confirmedS3BucketWarning && ( - - setShowS3BucketWarning(true)} - alignItems="center" - > - - Click to view S3 Bucket Warning - - - )} - {showS3BucketWarning ? ( - setShowS3BucketWarning(false)} - onContinue={() => { - setShowS3BucketWarning(false); - setConfirmedS3BucketWarning(true); - generateAwsOidcConfigIdpScript(validator); - }} - reviewing={confirmedS3BucketWarning} - /> - ) : scriptUrl ? ( + {scriptUrl ? ( { setScriptUrl(''); - setConfirmedS3BucketWarning(false); }} > Edit @@ -252,13 +184,7 @@ export function AwsOidc() { ) : ( { - if (requiresS3BucketWarning) { - setShowS3BucketWarning(true); - } else { - generateAwsOidcConfigIdpScript(validator); - } - }} + onClick={() => generateAwsOidcConfigIdpScript(validator)} > Generate Command diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketConfiguration.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketConfiguration.tsx index 874564aa1a4f6..a225196d65dfc 100644 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketConfiguration.tsx +++ b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketConfiguration.tsx @@ -21,62 +21,37 @@ import { Text, Flex } from 'design'; import FieldInput from 'shared/components/FieldInput'; import { ToolTipInfo } from 'shared/components/ToolTip'; -import { - requiredBucketName, - requiredPrefixName, - validPrefixNameToolTipContent, -} from './Shared/utils'; - export function S3BucketConfiguration({ s3Bucket, - setS3Bucket, s3Prefix, - setS3Prefix, - disabled, }: { s3Bucket: string; - setS3Bucket(s: string): void; s3Prefix: string; - setS3Prefix(s: string): void; - disabled: boolean; }) { return ( <> Amazon S3 Location - - Teleport will create and use Amazon S3 Bucket as this integration's - issuer and will publicly host two files: one for the OpenID - configuration and another one for the public key. + + Deprecated. Amazon is now validating the IdP certificate against a + list of root CAs. Storing the OpenID Configuration in S3 is no longer + required, and should be removed to improve security. setS3Bucket(e.target.value.trim())} - disabled={disabled} - toolTipContent={ - - Bucket name can consist only of lowercase letters and numbers. - Hyphens (-) are allowed in between letters and numbers. An - existing bucket might be used, but it must have Access Control - Lists (ACL) enabled. - - } + readonly={true} /> setS3Prefix(e.target.value.trim())} - disabled={disabled} - toolTipContent={validPrefixNameToolTipContent('Prefix')} + readonly={true} /> diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketWarningBanner.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketWarningBanner.tsx deleted file mode 100644 index e90ef71b4cf7d..0000000000000 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/S3BucketWarningBanner.tsx +++ /dev/null @@ -1,81 +0,0 @@ -/** - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -import { ButtonText, Box, Text, Flex, ButtonBorder } from 'design'; -import { OutlineWarn } from 'design/Alert/Alert'; -import { Notification } from 'design/Icon'; -import styled from 'styled-components'; - -export const S3BucketWarningBanner = ({ - onClose, - onContinue, - reviewing = false, - btnFlexWrap = false, -}: { - onClose(): void; - onContinue(): void; - reviewing?: boolean; - btnFlexWrap?: boolean; -}) => { - return ( - - - - - - - - It is recommended to use an S3 bucket to host the public keys. - - - Without an S3 bucket, you will be required to append the new - certificate's thumbprint in the AWS IAM/Identity Provider section - after you have renewed and started using the new certificate. - - - - {reviewing ? ( - - Ok - - ) : ( - <> - Continue - Cancel - - )} - - - - ); -}; - -const BellIcon = styled(Notification)` - background-color: ${p => p.theme.colors.warning.hover}; - border-radius: 100px; - height: 32px; - width: 32px; - color: ${p => p.theme.colors.text.primaryInverse}; - margin-right: ${p => p.theme.space[3]}px; -`; diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/Shared.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/Shared.tsx deleted file mode 100644 index 82f059ddbc15b..0000000000000 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/Shared.tsx +++ /dev/null @@ -1,37 +0,0 @@ -/** - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -import { Validator } from 'shared/components/Validation'; - -import cfg, { UrlAwsOidcConfigureIdp } from 'teleport/config'; - -export function generateAwsOidcConfigIdpScript( - validator: Validator, - setScriptUrl: (s: string) => void, - params: UrlAwsOidcConfigureIdp -) { - if (!validator.validate()) { - return; - } - - validator.reset(); - - const newScriptUrl = cfg.getAwsOidcConfigureIdpScriptUrl(params); - - setScriptUrl(newScriptUrl); -} diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.test.ts b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.test.ts deleted file mode 100644 index f65e9294cc6bc..0000000000000 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.test.ts +++ /dev/null @@ -1,101 +0,0 @@ -/** - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -import cfg from 'teleport/config'; - -import { - getDefaultS3BucketName, - getDefaultS3PrefixName, - requiredPrefixName, - requiredBucketName, -} from './utils'; - -const defaultProxyCluster = cfg.proxyCluster; - -afterEach(() => { - cfg.proxyCluster = defaultProxyCluster; -}); - -test('getDefaultS3BucketName', () => { - cfg.proxyCluster = 'llama#42.slkej'; - expect(getDefaultS3BucketName()).toBe(''); - - cfg.proxyCluster = 'llama.cloud.gravitational-io'; - expect(getDefaultS3BucketName()).toBe('llama-cloud-gravitational-io'); -}); - -test('getDefaultS3PrefixName', () => { - expect(getDefaultS3PrefixName('')).toBe(''); - expect(getDefaultS3PrefixName('sdf@$@#sdf')).toBe(''); - - cfg.proxyCluster = 'llama.cloud.gravitational-io'; - expect(getDefaultS3PrefixName('int-name')).toBe('int-name-oidc-idp'); -}); - -describe('requiredPrefixName', () => { - const requiredField = true; - test.each` - input | valid - ${''} | ${false} - ${Array.from('x'.repeat(64))} | ${false} - ${'-sdf'} | ${false} - ${'sdfs-'} | ${false} - ${'_sdf'} | ${false} - ${'sdfd_'} | ${false} - ${'..sdf'} | ${false} - ${'sdf.'} | ${false} - ${'sdlfkjs/dfsd'} | ${false} - ${'Asd09f-_.sdfDFs1'} | ${true} - `('validity of input($input) should be ($valid)', ({ input, valid }) => { - const result = requiredPrefixName(requiredField)(input)(); - expect(result.valid).toEqual(valid); - }); - - test('empty prefix name is valid if not a required field', () => { - const requiredField = false; - expect(requiredPrefixName(requiredField)('')().valid).toBeTruthy(); - }); -}); - -describe('requiredBucketName', () => { - test.each` - input | valid - ${''} | ${false} - ${Array.from('x'.repeat(64))} | ${false} - ${Array.from('x'.repeat(2))} | ${false} - ${'-sdf'} | ${false} - ${'sdfs-'} | ${false} - ${'sdfds_sdf'} | ${false} - ${'xn--sdf'} | ${false} - ${'sthree-sdf'} | ${false} - ${'sthree-configurator-dfs'} | ${false} - ${'sdf-s3alias'} | ${false} - ${'sdf--ol-s3'} | ${false} - ${'Asd09f-sdfDFs1'} | ${false} - ${'sdf0-dfs0'} | ${true} - `('validity of input($input) should be ($valid)', ({ input, valid }) => { - const requiredField = true; - const result = requiredBucketName(requiredField)(input)(); - expect(result.valid).toEqual(valid); - }); - - test('empty bucket name is valid if not a required field', () => { - const requiredField = false; - expect(requiredBucketName(requiredField)('')().valid).toBeTruthy(); - }); -}); diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.ts b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.ts deleted file mode 100644 index 28e8e20a0fac1..0000000000000 --- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/Shared/utils.ts +++ /dev/null @@ -1,145 +0,0 @@ -/** - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -import { Rule } from 'shared/components/Validation/rules'; - -import cfg from 'teleport/config'; - -// Must start and end with lowercase letters or numbers. -// Can have hyphens in between start and end. -const bucketNameRegex = new RegExp(/^[a-z0-9][a-z0-9-]*[a-z0-9]$/); -export const requiredBucketName = - (required): Rule => - inputVal => - () => { - if (!inputVal) { - return { - valid: !required, - message: required ? 'required' : '', - }; - } - - if (inputVal.length < 3 || inputVal.length > 63) { - return { - valid: false, - message: 'name should be 3-63 characters', - }; - } - - if (!bucketNameRegex.test(inputVal)) { - return { - valid: false, - message: 'name is in a invalid format', - }; - } - - if (inputVal.startsWith('xn--')) { - return { - valid: false, - message: 'cannot start with "xn--"', - }; - } - - if (inputVal.startsWith('sthree-')) { - return { - valid: false, - message: 'cannot start with "sthree-"', - }; - } - - if (inputVal.startsWith('sthree-configurator')) { - return { - valid: false, - message: 'cannot start with "sthree-configurator"', - }; - } - - if (inputVal.endsWith('-s3alias')) { - return { - valid: false, - message: 'cannot end with "-s3alias"', - }; - } - - if (inputVal.endsWith('--ol-s3')) { - return { - valid: false, - message: 'cannot end with "--ol-s3"', - }; - } - - return { - valid: true, - }; - }; - -// Must start and end with letters or numbers. -// Can have hyphens, underscores, and periods in between start and end. -const prefixNameRegex = new RegExp(/^[a-zA-Z0-9][a-zA-Z0-9-_.]*[a-zA-Z0-9]$/); -export const requiredPrefixName = - (required): Rule => - inputVal => - () => { - if (!inputVal) { - return { - valid: !required, - message: required ? 'required' : '', - }; - } - - // Just a random hard cap. - if (inputVal.length > 63) { - return { - valid: false, - message: 'name can be max 63 characters long', - }; - } - - if (!prefixNameRegex.test(inputVal)) { - return { - valid: false, - message: 'name is in a invalid format', - }; - } - - return { - valid: true, - }; - }; - -export function getDefaultS3BucketName() { - const modifiedClusterName = cfg.proxyCluster.replaceAll('.', '-'); - if (bucketNameRegex.test(modifiedClusterName)) { - return modifiedClusterName; - } - - return ''; -} - -export function getDefaultS3PrefixName(integrationName: string) { - if (!integrationName || !prefixNameRegex.test(integrationName)) { - return ''; - } - - return `${integrationName}-oidc-idp`; -} - -export function validPrefixNameToolTipContent(fieldName: string) { - return `${fieldName} name can consist only of letters and numbers. \ - Hyphens (-), dots (.), and underscores (_) are allowed in between letters and numbers.`; -} diff --git a/web/packages/teleport/src/Integrations/IntegrationList.test.tsx b/web/packages/teleport/src/Integrations/IntegrationList.test.tsx deleted file mode 100644 index 5dce1329ae977..0000000000000 --- a/web/packages/teleport/src/Integrations/IntegrationList.test.tsx +++ /dev/null @@ -1,83 +0,0 @@ -/** - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -import { render, screen, userEvent } from 'design/utils/testing'; - -import { - IntegrationKind, - integrationService, - IntegrationStatusCode, -} from 'teleport/services/integrations'; - -import { IntegrationList } from './IntegrationList'; - -test('aws oidc row without s3 fields should render tooltip', async () => { - jest - .spyOn(integrationService, 'fetchThumbprint') - .mockResolvedValue('some-thumbprint'); - - render( - - ); - - expect(screen.getByText('aws')).toBeInTheDocument(); - expect(screen.getByText(/running/i)).toBeInTheDocument(); - await userEvent.hover(screen.getByRole('icon')); - expect(screen.queryByTestId('btn-copy')).not.toBeInTheDocument(); - - await userEvent.click(screen.getByText(/generate a new thumbprint/i)); - expect(screen.getByText(/some-thumbprint/i)).toBeInTheDocument(); -}); - -test('aws oidc row with s3 fields should NOT render tooltip', async () => { - jest - .spyOn(integrationService, 'fetchThumbprint') - .mockResolvedValue('some-thumbprint'); - - render( - - ); - - expect(screen.getByText('aws')).toBeInTheDocument(); - expect(screen.getByText(/running/i)).toBeInTheDocument(); - expect(screen.queryByRole('icon')).not.toBeInTheDocument(); -}); diff --git a/web/packages/teleport/src/Integrations/IntegrationList.tsx b/web/packages/teleport/src/Integrations/IntegrationList.tsx index cfe00ae717398..a7a41ccbbafa9 100644 --- a/web/packages/teleport/src/Integrations/IntegrationList.tsx +++ b/web/packages/teleport/src/Integrations/IntegrationList.tsx @@ -51,7 +51,6 @@ import { import cfg from 'teleport/config'; import { ExternalAuditStorageOpType } from './Operations/useIntegrationOperation'; -import { UpdateAwsOidcThumbprint } from './UpdateAwsOidcThumbprint'; type Props = { list: IntegrationLike[]; @@ -197,9 +196,6 @@ const StatusCell = ({ item }: { item: IntegrationLike }) => { {getStatusCodeTitle(item.statusCode)} - - - ); diff --git a/web/packages/teleport/src/Integrations/Integrations.story.tsx b/web/packages/teleport/src/Integrations/Integrations.story.tsx index c47261b869aef..aa6c697ec525c 100644 --- a/web/packages/teleport/src/Integrations/Integrations.story.tsx +++ b/web/packages/teleport/src/Integrations/Integrations.story.tsx @@ -26,7 +26,6 @@ import { import { IntegrationList } from './IntegrationList'; import { DeleteIntegrationDialog } from './RemoveIntegrationDialog'; import { EditAwsOidcIntegrationDialog } from './EditAwsOidcIntegrationDialog'; -import { UpdateAwsOidcThumbprint } from './UpdateAwsOidcThumbprint'; import { plugins, integrations } from './fixtures'; export default { @@ -37,20 +36,6 @@ export function List() { return ; } -export function UpdateAwsOidcThumbprintHoverTooltip() { - return ( - - ); -} - export function DeleteDialog() { return ( . - */ - -import { useState } from 'react'; -import styled from 'styled-components'; -import { - Text, - Link as ExternalLink, - Flex, - Box, - ButtonPrimary, - Mark, -} from 'design'; -import { TextSelectCopyMulti } from 'shared/components/TextSelectCopy'; -import { ToolTipInfo } from 'shared/components/ToolTip'; -import useAttempt from 'shared/hooks/useAttemptNext'; -import * as Icons from 'design/Icon'; - -import { - Integration, - integrationService, -} from 'teleport/services/integrations'; -import { splitAwsIamArn } from 'teleport/services/integrations/aws'; -import cfg from 'teleport/config'; - -export function UpdateAwsOidcThumbprint({ - integration, -}: { - integration: Integration; -}) { - const { attempt, run } = useAttempt(); - - const [thumbprint, setThumbprint] = useState(''); - - function getThumbprint() { - run(() => integrationService.fetchThumbprint().then(setThumbprint)); - } - - const { awsAccountId, arnStartingPart } = splitAwsIamArn( - integration.spec.roleArn - ); - - const encodedOidcProviderArn = encodeURIComponent( - `${arnStartingPart}${awsAccountId}:oidc-provider/${cfg.proxyCluster}` - ); - - return ( - - - - - This integration has no S3 bucket configured. When renewing your - HTTPS certificate, if it has a different CA, a manual update of this - integration's thumbprint is required. - - You may run into issues when the thumbprint is stale. - - - - Generate a New Thumbprint - - - {thumbprint && ( - - )} - {attempt.status === 'failed' && ( - - Error - fetching thumbprint: some kind of error - - )} - - - -
    - To update thumbprint: -
  • - - Go to your{' '} - - IAM Identity Provider - {' '} - dashboard -
  • -
  • - - On Thumbprints section click on Manage{' '} - then click on Add Thumbprint -
  • -
  • - Copy and paste the generated thumbprint
  • -
-
-
- ); -} - -const Ul = styled.ul` - margin-left: 0; - padding-left: 0; - list-style: none; -`; diff --git a/web/packages/teleport/src/Integrations/fixtures.ts b/web/packages/teleport/src/Integrations/fixtures.ts index 029fca37725d9..b4422fa01da7e 100644 --- a/web/packages/teleport/src/Integrations/fixtures.ts +++ b/web/packages/teleport/src/Integrations/fixtures.ts @@ -150,17 +150,6 @@ export const integrations: Integration[] = [ statusCode: IntegrationStatusCode.Running, spec: { roleArn: '', issuerS3Prefix: '', issuerS3Bucket: '' }, }, - { - resourceType: 'integration', - name: 'aws', - kind: IntegrationKind.AwsOidc, - statusCode: IntegrationStatusCode.Running, - spec: { - roleArn: 'some-role-arn', - issuerS3Prefix: 'some-prefix', - issuerS3Bucket: 'some-bucket', - }, - }, ]; export const externalAuditStorage: ExternalAuditStorage = { diff --git a/web/packages/teleport/src/config.test.ts b/web/packages/teleport/src/config.test.ts index ac1cacaefe3c2..462e1610cf1ea 100644 --- a/web/packages/teleport/src/config.test.ts +++ b/web/packages/teleport/src/config.test.ts @@ -37,21 +37,6 @@ test('getDeployServiceIamConfigureScriptPath formatting', async () => { ); }); -test('getAwsOidcConfigureIdpScriptUrl formatting with s3 fields', async () => { - const params: UrlAwsOidcConfigureIdp = { - integrationName: 'int-name', - roleName: 'role-arn', - s3Bucket: 's3-bucket', - s3Prefix: 's3-prefix', - }; - const base = - 'http://localhost/v1/webapi/scripts/integrations/configure/awsoidc-idp.sh?'; - const expected = `integrationName=int-name&role=role-arn&s3Bucket=s3-bucket&s3Prefix=s3-prefix`; - expect(cfg.getAwsOidcConfigureIdpScriptUrl(params)).toBe( - `${base}${expected}` - ); -}); - test('getAwsOidcConfigureIdpScriptUrl formatting, without s3 fields', async () => { const params: UrlAwsOidcConfigureIdp = { integrationName: 'int-name', diff --git a/web/packages/teleport/src/config.ts b/web/packages/teleport/src/config.ts index b84b154a46b8d..226e7faa619bd 100644 --- a/web/packages/teleport/src/config.ts +++ b/web/packages/teleport/src/config.ts @@ -532,10 +532,7 @@ const cfg = { }, getAwsOidcConfigureIdpScriptUrl(p: UrlAwsOidcConfigureIdp) { - let path = cfg.api.awsConfigureIamScriptOidcIdpPath; - if (p.s3Bucket && p.s3Prefix) { - path += '&s3Bucket=:s3Bucket&s3Prefix=:s3Prefix'; - } + const path = cfg.api.awsConfigureIamScriptOidcIdpPath; return cfg.baseUrl + generatePath(path, { ...p }); }, diff --git a/web/packages/teleport/src/services/integrations/types.ts b/web/packages/teleport/src/services/integrations/types.ts index 6d55ea28d279a..025472b22bc90 100644 --- a/web/packages/teleport/src/services/integrations/types.ts +++ b/web/packages/teleport/src/services/integrations/types.ts @@ -56,8 +56,8 @@ export enum IntegrationKind { } export type IntegrationSpecAwsOidc = { roleArn: string; - issuerS3Prefix: string; - issuerS3Bucket: string; + issuerS3Prefix?: string; + issuerS3Bucket?: string; }; export enum IntegrationStatusCode { @@ -293,8 +293,6 @@ export type ListAwsRdsDatabaseResponse = { export type IntegrationUpdateRequest = { awsoidc: { roleArn: string; - issuerS3Bucket: string; - issuerS3Prefix: string; }; };