The trasa from seknox

[FEATURE] Implement rate limiting

Describe the feature:

Implement rate limiting in dashboard login and ssh proxy login.

Describe why this feature is needed:

Scope of feature:

Typo in your readme!

In the "Getting started" section on your readme you have a typo

Concepts : Basic Cocnepts <--- Should be "concepts" ?

[FEATURE] Store SSH CA private key in secret store

SSH CA private keys are very sensitive and should be stored in TsxVault.

[FEATURE] Encrypted tfa account export

Describe the feature:

TFA account export feature should generate encrypted file

Describe why this feature is needed:

Encrypted export will ensure secrecy of TFA account backup file.

Scope of feature:

[FEATURE] database connection retry and auto reconnect

Describe the feature:

The trasa server should wait and try to reconnect the database server instead of panic during startup. Also, it should try to reconnect if connection is disrupted during execution.

Describe why this feature is needed:
It is needed to run trasa-server in docker-compose where the database might not be ready when trasa server tries to connect to it.
We do not want to restart trasa server if database connection is disrupted.
Also, it will close #157

Scope of feature:

[REF] change session log directory name

session log directory name is "minio" even if minio is not used. It should be changed.

[FEATURE] Ability to control access to services hosted in external private networks

Describe the feature:

Suppose services are hosted in an external network; otherwise not directly accessible by TRASA. In such case, there is no current built-in way to control access to those services (since not reachable by TRASA). This can be solved if TCP proxy is managed outside of TRASA server that can proxy (or brigdge) the connection. This feature request is to add capability in TRASA itself to proxy (or bridge) connections in such scenarios.

Describe why this feature is needed:
This feature will ease protecting services in two or more different private networks.

Scope of feature:

[REF] set default database type to "postgres"

If dbtype in config is not set, the default dbtype should be postgres instead of cockroachdb.

[BUG] password submit button is disabled when password is generated from password manager

Describe the bug:

Password submit button in "password set form" is disabled when password is generated from password manager.
It becomes active when edited manually.

Expected behavior:

We should be able to submit the password generated by password manager.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

TRASA version: master

Additional context:

I have tried it in firefox lockwise.

[FEATURE] Extend secret storage provider API and integrations

Describe the feature:

Implement internal secret provider API to work with other secret storage providers (like Hashicorp vault or Passbolt or km services)

Note: we already have a clear API for secret providers but currently only default TsxVault is supported.

Scope of the feature:

[FEATURE] Auto init tsxVault during first time root account login

Describe the feature:

Currently, tsxVault requires manual init. This becomes "another required step" to be performed to properly use TRASA and thus creates friction for first time users.

Can we automate this process and present keys to root user during first time login?

Scope of the feature:

[FEATURE] Default policies during installation

Describe the feature:

Create default policies during installation.

Describe why this feature is needed:
This will remove friction of creating default test policies for first time users.

Scope of the feature:

[REF] Change name "Control" to "Policy" in dashboard nav menu and url path.

As suggested by @patatman in community chat, I think it makes sense to change the nav menu and URL path from Control to Policy.

Currently, Control groups ui menu's related to policy and rules. It makes sense to group them under the name Policy. Also, we already refer to the name Policy in every docs rather than Control.

[FEATURE] use BuildWithFlavor function to generate SQL

Describe the feature:

utils.SqlReplacer is being used to replace ? by $ in stat aggration queries.
Use sqlbuilder.BuildWithFlavor instead of default sqlbuilder.Build with Postgres flavour and remove utils.SqlReplacer.

Describe why this feature is needed:

Scope of feature:

[FEATURE] Support TOTP secret export for iOS

Describe the feature:

Support TOTP secret export for iOS

Describe why this feature is needed:

Scope of the feature:

[BUG] Dashboard fails to fetch recorded session log if client(dashboard) is in different timezone from server

Describe the bug:

Recorded sessions are stored in year/month/day directory structure in server where date and time is calculated in unix timestamp with UTC. When fetching recorded sessions from dashboard, desired date is calculated from session log value loginTime along with client(browsers) timezone. If user and trasa server are in different timezone, time calculated by dashboard and time stored in server for logs do not match and trasa will fail to serve recorded logs.

Expected behavior:

both client and server should use same time zone or better calculate in UTC?

Log file / Code snippet / Screenshots:

// below is how time calculated. rowData[9] is value of loginTime which is unix timestamp
const d = Moment.unix(tableMeta.rowData[9] / 1000000000);
const month = d.month() + 1

// which is then passed as:
/monitor/sessions/view#type=ssh&year=${d.year()}&month=${month}&day=${d.date()}&sessionID=${value}`

Scope of issue:

Versions:

TRASA 1.0

[BUG] Network error alert when scanning qr image in process of enrolling mobile device

Describe the bug:

Received Network error (refer to image below) while trying to enroll mobile device.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:
Latest trasa mobile app on android

[FEATURE] Forced change password in first time admin login

Describe the feature:

Currently, we do not force the admin to change default password in first login. While they can change it manually from account menu at my page, we should enforce change password in first time login.

Describe why this feature is needed:
This feature will make root account password strong by default.

Scope of the feature:

[FEATURE] add a dropdown component in timezone input

Describe the feature:

timezone input field in the organization settings should be a dropdown component, not a text input field.

Scope of the feature:

[BUG] Unable to delete own device by selfUser

Describe the bug:

When a selfUser tries to delete his/her device, the server will respond with a 403 Unauthorised response.

Expected behavior:

selfUser should be able to remove his/her own devices.

Log file / Code snippet / Screenshots:

time="2020-10-22T10:24:35Z" level=trace msg="request validation. trying to elevate privilege??" func=github.com/seknox/trasa/server/middlewares.Authorization.func1 file="/Users/bhrg3se/seknox/trasa/code/trasa-server/server/middlewares/authorizations.go:134"

Scope of issue:

[BUG] TFA prompt appears even when TFA is disabled in policy

Describe the bug:

When accessing SSH from a browser, the TFA prompt is displayed after entering password.

Expected behavior:

If TFA is disabled in the policy, the TFA prompt should be skipped.

Scope of issue:

Versions:

TRASA version: master

[FEATURE] Device hygiene support when accessing SSH from trasacli

Describe the feature:

trasacli should integrate with the device agent to get device hygiene when accessing SSH.

Describe why this feature is needed:
This feature is needed to implement device policy when accessing SSH from ssh clients.

Scope of feature:

[BUG] "The SSH server is down" printed when service name is entered

Describe the bug:

While accessing SSH from ssh client, user should be able to choose a service with its name as well as IP address.
When the service name is entered, "The SSH server is down" message is printed.

Expected behavior:

user should be able to choose a service with its name as well as IP address.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

TRASA version: master

[BUG] dashboard suddenly logs out

Describe the bug:

Dashboard suddenly logs out just after login. It usually works as usual if tried again.

Expected behavior:

It should not log out unexpectedly.

Log file / Code snippet / Screenshots:
dashboard /tfa response:

dashboard /my request just after login:

server:
INFO[2020-11-05T14:04:56+05:45]auth/hLogin.go:169 github.com/seknox/trasa/server/api/auth.LoginHandler afd9fd563f21c1a9f6c67fa076772f9a52db40c3ebc5f3fc381e954d80e9d323-

Scope of issue:

Versions:

TRASA version: master
Browser : Firefox 82.0.2 (Icognito mode)

Additional context:

This behavior also occurs when opening TRASA in a new tab. I am not sure if the underlying issue is the same.

[FEATURE] Use SSH certificate instead of private key to login to TRASA

Describe the feature:

While accessing SSH from an SSH client, email/password validation can be skipped using a private key.
We should be using an SSH certificate instead of that private key.

Describe why this feature is needed:
The certificate will be more secure than private key because we can add expiry time in the certificate.

Scope of feature:

please kindly switch github.com/phuslu/geoip to github.com/phuslu/iploc

Hi,

I'm repo owner of github.com/phuslu/geoip, I had to rename geoip to iploc for trademark issue.
see jpillora/ipfilter#14 for details, thanks a lot.

Regards,

[PERF] Setup benchmark and metrics to quantify server performance

Describe the issue:
We need to setup a benchmarking process related to performance and scalability of TRASA server.
Example of how many concurrent user access can TRASA support for X amount of RAM and CPU for SSH service, RDP service etc.

Why is this needed:
This will help operators to plan and provision servers and resources for TRASA deployments.

[FEATURE] Ability to remove previously saved ssh hostkey for upstream server

Describe the feature:

Currently, there is no way to remove the previously saved upstream server ssh host key.
Only way to update it is by retreiving the updated host key from the ssh terminal client and updating it from the dashboard or create a new service profile with a server address that has an updated host key.

Describe why this feature is needed:

If administrators access ssh service only from TRASA dashboard, there is no way to retreive host key and update it from the dashboard. With this feature, the administrator can remove the previously saved host key from TRASA server and TRASA will save the updated host key in the next ssh session.

Scope of the feature:

[FEATURE] Enforce password change after first root login

Describe the feature:

When TRASA is first installed, a default root user is created with default password.
User should be enforced to change password in the first login.

Describe why this feature is needed:

Scope of feature:

[FEATURE] Use redis to store user and org details after user auth

Describe the feature:

We use userContext struct to store user details that are passed through middleware SessionValidator. Currently, server hits database in every api request to retreive this data. Refer to following code:

	user, err := users.Store.GetFromID(userID, orgID)
	if err != nil {
		return userContext, errors.Errorf(`get user  from db: %v`, err)
	}

	org, err := orgs.Store.Get(user.OrgID)
	if err != nil {
		return userContext, errors.Errorf("get org from db: %v", err)

	}

This issue is a proposal to store user details in redis after successful auth so that server can retreive user detail from redis directly.

Describe why this feature is needed:
This will prevent database hit in every subsequent api requests and hence, less load in database.

Scope of the feature:

[FEATURE] WAF in HTTP(s) access proxy

Describe the feature:
Support for enabling Web Application Firewall (WAF) in HTTP(s) access proxy.

Describe why this feature is needed:
WAF will further strengthen the protection of internal web applications.

Any suggestions on how can this be implemented?
For a start, we can integrate ModSecurity. This will require binding using Cgo. Or make a provision of forwarding incoming web traffic to WAF.

[BUG] fix ssh console message formatting

Describe the bug:

Messages printed while connecting ssh (xterm) are not formatted correctly.

Expected behavior:

New messages should be displayed in a new line.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

TRASA version : master

[FEATURE] Auto-discovery and auto-update integration details of services (different than service IDP integration)

Describe the feature:

Add the capability to auto-discover services. Eg, the way traefik listens to providers and auto-update listeners and routing details.

To auto retrieve and update service profiles, we can integrate with etcd, or consul since they are commonly used as service catalog/discovery backend.

Describe why this feature is needed:
This will make it really easy to protect services without the need for manual integration and update.

Note: TRASA also connects with service identity providers (e.g., AWS, digital ocean) to auto-import server profiles. This feature request will enable similar features to auto-import applications hosted in those servers (instead of importing server profile only) enroll services hosted in microservice architecture where services are frequently created/deleted.

Scope of the feature:

[FEATURE] Add more user identity and SSO providers.

Describe the feature:

TRASA currently only supports LDAP (Open ldap, freeIPA, Active Directory) and SAML (Okta) as identity providers.
This feature request is to integrate with more IDPs such as G suite, JumpCloud, Office365, and other popular solutions.

Scope of feature:

[BUG] assigned privilege list gets messed up while using search in /my page

Describe the bug:
Assign multiple services to a user with different privilege (say service A and B ). Then go to /my page and search for a service B. The privilege(username) list of service B will be replaced by that of A.

Expected behavior:

The privilege list should be correct.

Log file / Code snippet / Screenshots:

The service "local" is assigned with privilege "bhrg3se" and the service "do-beta-test" is assigned with "root"

when you search for "local", the privilege of "do-beta-test" replaces that of "local"

Scope of issue:

Versions:

TRASA version : master
OS (in which TRASA is installed): ubuntu

[BUG] Value of "secrets" in service overview is 1 by default

Describe the bug:

Value of "secrets" in service overview is 1 by default.

Expected behavior:

Value should be based on actual number of secrets stored in database as "managed accounts"

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

v1.0

[BUG] Increase size of xterm view in recorded session

Describe the bug:

Xterm window size doesn't fit the whole browser window.

Expected behavior:

Xterm window size should be increased to fit the browser window for a better user experience.

Log file / Code snippet / Screenshots:

Scope of issue:

Remove hardcoded db:5432 value in wait-for-it.sh

DB address of db:5432 is hardcoded in Dockerfile, preventing TRASA server from connecting to the database hosted in the other address.
Update Dockerfile to supply db address dynamically to wait-for-it.sh .

Note: This is only related when running TRASA server in a containerized environment.

[FEATURE] Config file watch and auto reload

Describe the feature:

Implement file watch and auto-config reload feature. This is related to TRASA server configuration that is defined in config.toml file.

Describe why this feature is needed:
Once this is implemented, administrators need not restart TRASA server manually to load with the latest configurations.

Scope of the feature:

[BUG] failed reason is "UNKNOWN" when day/time policy fails

Describe the bug:

When access is blocked due to day/time policy, failed reason is stored/displayed as UNKNOWN

Expected behavior:

The failed reason should be TIME_POLICY_FAILED

Scope of issue:

Versions:

TRASA version: master

[FEATURE] Do we need to implement account imports from external user IDP?

Describe the feature:

Currently, TRASA requires user profiles in TRASA IDP because they are used for Access Mapping, Auth and Session Logging, Device Registration. Even for currently support LDAP integration, admins need to import users from the LDAP server. Since I am now working on #122 , we will need to import users from those providers into TRASA.

But my concern is, do we need to import user profiles in TRASA. Why should we enforce user profile import?

Without this feature, how can access mapping be accomplished?

In IDP:

Admins will assign users to network group and configure this user to authenticate with TRASA.

In TRASA:

Admin will create a group named network (exact name match with IDP group name) and assign that group to service along with the desired privilege.
When we validate the user's authentication via IDP, we will also check groups returned by IDP. If that group is assigned to service (via step 1 above), then we allow access.
We can maybe even skip policy validation in TRASA and depend 100% on IDP for authentication and policy or enforce policy validation in tandem.

Pros of not implementing:

Codebase will be small (no need to implement user import via SCIM and LDAP import features).
Remove "another thing" to do in TRASA. This means less friction for admins.

Cons of not implementing:

Will current auth and session logging logics work seamlessly ? or do we need to re-implement those codes?
TRASA is designed to answer admins on questions like "who access what, with which privilege?". Without user profiles, can we still show this?
What will happen to device registration features?

Scope of the feature:

Note: If we decide to import users, apart from LDAP import, we will only support SCIM integration.

[FEATURE] Enable autocert by default

Describe the feature:

Fetching TLS certificate from Let's Encrypt using autocert depends on config flag autocert. This should be enabled by default.

Describe why this feature is needed:

This will enable Let's Encrypt issued TLS certificate by default.

Scope of the feature:

[BUG] Update discussion site address in docs and website

Describe the bug:

Old discussion site pointed to discuss.trasa.io no longer works. update to new discussion site hosted at discuss.seknox.com

Scope of issue:

upload website docs videos to youtube

upload website docs video to youtube and change markdown files to fetch those videos from youtube. This will save bandwidth served from website server.

[BUG] missing password equality check

Describe the bug:

Password equality check is missing in the "password change" form.

Expected behavior:

You should not be able to submit the form with two different passwords.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

TRASA version: master

Print server status in default server run log message

Description:
The default server run command does not reveal the state of the server (listening on IP, domain), which might cause the administrator to think that server start hanged or failed to run correctly. Refer to actual server logs below:

sudo docker run --link db:db --link redis:redis -p 443:443 -p 80:80 -p 8022:8022 -e TRASA.LISTENADDR=<IP address> -e TRASA.AUTOCERT="false" -v /tmp/trasa/accessproxy/guac:/tmp/trasa/accessproxy/guac seknox/trasa:v1.1.1
wait-for-it.sh: waiting 15 seconds for db:5432
wait-for-it.sh: db:5432 is available after 0 seconds
db_version migrated
org migrated
users migrated
services migrated
devices migrated
browsers migrated
browser_ext migrated
groups migrated
user_group_maps migrated
service_group_maps migrated
policies migrated
user_accessmaps migrated
usergroup_accessmaps migrated
inapp_notifs migrated
gateway_http migrated
global_settings migrated
policy_enforcer migrated
security_rules migrated
password_state migrated
auth_logs migrated
inapp_trails migrated
signup_logs migrated
service_keyvault migrated
cert_holder migrated
idp migrated
key_holder migrated
cloudiaas_sync migrated
keylog migrated
adhoc_perms migrated
backups migrated
time="2020-10-27T17:05:01Z" level=error msg="cannot encrypt ca key: encryption key is not retrieved yet" func=github.com/seknox/trasa/server/initdb.initSystemCA file="/go/src/seknox/trasa/server/initdb/init.go:220"
2020/10/27 17:05:01 written cert.pem
2020/10/27 17:05:01 written key.pem

Solution:
After a successful server start, print appropriate messages to indicate the healthy start of the server along with the next steps to perform.

[BUG] Plain text in URL during onboarding

Describe the bug:

when signing up trough the on-boarding URL, and using a weak password. The password is visible in plain text in the URL

Expected behavior:

No visible text of the value that's being inputted in the form.

Log file / Code snippet / Screenshots:

For example:
https://trasa.domain.org/woa/verify#token=6d1821638cf3f2246xxxxxx
After selecting a password, (which isn't strong enough), you'll get a error and the password you've tried to use is visible in the URL in plain text.
After using a password which is strong enough, it disappears.
To reproduce:
Create new user -> Open Signup URL -> Use weak password (e.g. 123) -> Get error, and click continue -> URL should include weak password used like this:
https://trasa.domain.org/woa/verify?password=123&cpassword=123&submit=#token=2c9ee66xxxxxx

Scope of issue:

Versions:

TRASA version = 1.1.2
OS (in which TRASA is installed): Ubuntu 20.04
Browser (if issue is in certain browser) Chrome

Additional context:

As discussed in the Discord app.

[BUG] "Change Password" does not work

Describe the bug:
When you try to change pasword, password and tfa validation works fine. But in the 3rd step i.e submitting the new password, you get "failed to verify token" error message and redirected to login page.

Expected behavior:
Password should be changed

Log file / Code snippet / Screenshots:

Response from /api/v1/my/changepass API:
{"status":"failed","reason":"failed to verify token","intent":"SessionValidator","data":[null,null]}

trasa.log content:

time="2020-09-27T04:21:14Z" level=trace msg="Not Found URL: serving Index File : /my" func=main.CoreAPIRouter.func5 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:288"
time="2020-09-27T04:21:15Z" level=trace msg="Found static URL: serving STATIC : /static/css/7.7df41cd5.chunk.css.map" func=main.CoreAPIRouter.func3 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:276"
time="2020-09-27T04:21:25Z" level=info msg=32af44127e338addef183c9ac2ad2f62d3704599b14e4e31a998b4c0b0895209- func=github.com/seknox/trasa/server/api/auth.LoginHandler file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/api/auth/hLogin.go:150"
time="2020-09-27T04:22:14Z" level=error msg="no session token" func=github.com/seknox/trasa/server/middlewares.SessionValidator.func1 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/middlewares/session.go:35"
time="2020-09-27T04:22:14Z" level=trace msg="Not Found URL: serving Index File : /login" func=main.CoreAPIRouter.func5 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:288"
time="2020-09-27T04:22:15Z" level=trace msg="Found static URL: serving STATIC : /static/css/7.7df41cd5.chunk.css.map" func=main.CoreAPIRouter.func3 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:276"

Scope of issue:

[ x ] TRASA codebase
[ x ] dashboard
[ x ] server
mobile app
browser extension
device agent
website/docs

Versions:

TRASA version : 1.0.0
OS (in which TRASA is installed): ubuntu 20.04

Additional context:

N/A

[BUG] Failed to export tfa accounts

Describe the bug:

Export secrets feature is not working.

Expected behavior:
tfa accounts should be exported to the desired location.

Log file / Code snippet / Screenshots:

Scope of issue:

Versions:

OS (in which TRASA is installed): android

[BUG] Fix video player size in recorded session

Describe the bug:

The video player size in the "recorded session" is bigger than the browser window itself.

Expected behavior:

It should fit the window size.

Scope of issue:

seknox / trasa Goto Github PK

trasa's People

Contributors

Stargazers

Watchers

Forkers

trasa's Issues

Describe the feature:

Without this feature, how can access mapping be accomplished?

In IDP:

In TRASA:

Pros of not implementing:

Cons of not implementing:

Recommend Projects

Recommend Topics

Recommend Org