seknox / trasa
Zero Trust Service Access
Home Page: https://www.trasa.io
License: Mozilla Public License 2.0
Describe the feature:
Implement rate limiting in dashboard login and ssh proxy login.
Describe why this feature is needed:
Scope of feature:
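One way the requested limiter could look, as an added example that is not TRASA's code: a sliding-log limiter per key in front of the login handler, written against the Go standard library only. The route path, the limit of 5 attempts per minute and the `loginOK` handler are assumptions for the example; TRASA's real handler names are not on this page.

```go
package main

import (
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// loginLimiter allows at most limit attempts per key within window, using a
// sliding log of timestamps. The dashboard would key on client IP; the SSH
// proxy can key on the target username as well, so neither password spraying
// from one source nor hammering one account from many sources gets unlimited tries.
type loginLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time // injectable clock, so tests do not sleep
	log    map[string][]time.Time
}

func newLoginLimiter(limit int, window time.Duration) *loginLimiter {
	return &loginLimiter{limit: limit, window: window, now: time.Now, log: map[string][]time.Time{}}
}

// Allow records an attempt for key and reports whether it is still within
// limit. Attempts older than window are discarded before counting.
func (l *loginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	kept := l.log[key][:0] // filter in place, reusing the backing array
	for _, t := range l.log[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.log[key] = kept
		return false // a rejected attempt is not recorded
	}
	l.log[key] = append(kept, now)
	return true
}

// Middleware answers 429 before the credential check runs, so blocked
// attempts never reach the user store or the TFA step.
func (l *loginLimiter) Middleware(keyFn func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(keyFn(r)) {
			w.Header().Set("Retry-After", strconv.Itoa(int(l.window.Seconds())))
			http.Error(w, "too many login attempts", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// clientIP keys on the TCP peer. Read X-Forwarded-For instead only when the
// server sits behind a proxy you control; otherwise a client can pick its own bucket.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// loginOK stands in for the real login handler (constructed for this example).
func loginOK(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
}

func main() {
	lim := newLoginLimiter(5, time.Minute)
	// assumed route; wire the real dashboard and SSH-proxy login handlers the same way
	http.Handle("/login", lim.Middleware(clientIP, http.HandlerFunc(loginOK)))
	// http.ListenAndServe(":8080", nil) would serve it; omitted so main returns.
}
```

Keying the SSH proxy on username alone lets an attacker lock a victim out by spending the victim's budget, so combine username and source IP in the key, or make the per-username limit generous and the per-IP limit strict.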
In the "Getting started" section on your readme you have a typo
Concepts : Basic Cocnepts <--- Should be "concepts" ?
SSH CA private keys are very sensitive and should be stored in TsxVault.
Describe the feature:
TFA account export feature should generate encrypted file
Describe why this feature is needed:
Encrypted export will ensure secrecy of TFA account backup file.
Scope of feature:
Describe the feature:
The trasa server should wait and try to reconnect to the database server instead of panicking during startup. Also, it should try to reconnect if the connection is disrupted during execution.
Describe why this feature is needed:
It is needed to run trasa-server in docker-compose where the database might not be ready when trasa server tries to connect to it.
We do not want to restart trasa server if the database connection is disrupted.
Also, it will close #157
Scope of feature:
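The startup and mid-run behaviour asked for above, as an added example that is not TRASA's code: a ping loop with capped exponential backoff and jitter replaces the startup panic, and a background watcher reports a dropped connection so the caller can redial. It is written against an interface that `*sql.DB` from database/sql already satisfies; `flakyDB` is a constructed stand-in so the example runs without Postgres.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// pinger is the part of *sql.DB the retry logic needs; (*sql.DB).PingContext
// satisfies it, and flakyDB below stands in for it here.
type pinger interface {
	PingContext(ctx context.Context) error
}

// connectWithRetry pings the database until it answers or ctx ends, sleeping
// with capped exponential backoff plus jitter between attempts instead of
// panicking on the first refused connection. It returns the attempt count and
// nil on success, or the context error wrapped with the last ping error.
func connectWithRetry(ctx context.Context, db pinger, base, max time.Duration) (int, error) {
	if base <= 0 {
		base = 100 * time.Millisecond // guard against a zero backoff spinning
	}
	delay := base
	attempts := 0
	for {
		attempts++
		pingCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
		err := db.PingContext(pingCtx)
		cancel()
		if err == nil {
			return attempts, nil
		}
		// jitter spreads reconnects from several replicas restarting together
		sleep := delay + time.Duration(rand.Int63n(int64(delay)/2+1))
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("database unreachable after %d attempts: %w (last error: %v)", attempts, ctx.Err(), err)
		case <-time.After(sleep):
		}
		if delay *= 2; delay > max {
			delay = max
		}
	}
}

// watchConnection pings every interval after startup and reports a failed
// ping through onLost, so a connection dropped mid-run is redialled by the
// caller (typically via connectWithRetry) rather than surfacing as errors on
// every following request. It returns when ctx ends.
func watchConnection(ctx context.Context, db pinger, interval time.Duration, onLost func(error)) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			if err := db.PingContext(ctx); err != nil {
				onLost(err)
			}
		}
	}
}

// flakyDB is a constructed stand-in that refuses the first failuresBeforeOK
// pings, like a Postgres container that is still starting.
type flakyDB struct {
	failuresBeforeOK int
	calls            int
}

func (f *flakyDB) PingContext(ctx context.Context) error {
	f.calls++
	if f.calls <= f.failuresBeforeOK {
		return errors.New("dial tcp db:5432: connect: connection refused")
	}
	return nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	db := &flakyDB{failuresBeforeOK: 3}
	attempts, err := connectWithRetry(ctx, db, 50*time.Millisecond, time.Second)
	fmt.Printf("connected after %d attempts, err=%v\n", attempts, err)
}
```

Bound the startup wait with a context deadline and exit non-zero when it expires; an orchestrator restart is the right outcome for a database that never comes up, whereas an unbounded loop hides the failure.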
session log directory name is "minio" even if minio is not used. It should be changed.
Describe the feature:
Suppose services are hosted in an external network, otherwise not directly accessible by TRASA. In such case, there is no current built-in way to control access to those services (since they are not reachable by TRASA). This can be solved if a TCP proxy is managed outside of the TRASA server that can proxy (or bridge) the connection. This feature request is to add the capability in TRASA itself to proxy (or bridge) connections in such scenarios.
Describe why this feature is needed:
This feature will ease protecting services in two or more different private networks.
Scope of feature:
If dbtype in config is not set, the default dbtype should be postgres instead of cockroachdb.
Describe the bug:
Password submit button in "password set form" is disabled when password is generated from password manager.
It becomes active when edited manually.
Expected behavior:
We should be able to submit the password generated by password manager.
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Additional context:
I have tried it in firefox lockwise.
Describe the feature:
Implement internal secret provider API to work with other secret storage providers (like Hashicorp vault or Passbolt or km services)
Note: we already have a clear API for secret providers but currently only default TsxVault is supported.
Scope of the feature:
Describe the feature:
Currently, tsxVault requires manual init. This becomes "another required step" to be performed to properly use TRASA and thus creates friction for first time users.
Can we automate this process and present keys to root user during first time login?
Scope of the feature:
Describe the feature:
Create default policies during installation.
Describe why this feature is needed:
This will remove friction of creating default test policies for first time users.
Scope of the feature:
As suggested by @patatman in community chat, I think it makes sense to change the nav menu and URL path from Control to Policy.
Currently, Control groups UI menus related to policy and rules. It makes sense to group them under the name Policy. Also, we already refer to the name Policy in every doc rather than Control.
Describe the feature:
utils.SqlReplacer is being used to replace ? by $ in stat aggregation queries.
Use sqlbuilder.BuildWithFlavor with the Postgres flavour instead of the default sqlbuilder.Build and remove utils.SqlReplacer.
Describe why this feature is needed:
Scope of feature:
Describe the feature:
Support TOTP secret export for iOS
Describe why this feature is needed:
Scope of the feature:
Describe the bug:
Recorded sessions are stored in a year/month/day directory structure on the server where date and time are calculated from a unix timestamp in UTC. When fetching recorded sessions from the dashboard, the desired date is calculated from the session log value loginTime along with the client's (browser's) timezone. If the user and trasa server are in different timezones, the time calculated by the dashboard and the time stored on the server for logs do not match and trasa will fail to serve recorded logs.
Expected behavior:
both client and server should use same time zone or better calculate in UTC?
Log file / Code snippet / Screenshots:
// below is how the time is calculated; rowData[9] is the value of loginTime, a unix timestamp in nanoseconds
import Moment from 'moment';
const d = Moment.unix(tableMeta.rowData[9] / 1000000000); // interpreted in the browser's local timezone
const month = d.month() + 1; // moment months are zero-based
// which is then passed as:
const url = `/monitor/sessions/view#type=ssh&year=${d.year()}&month=${month}&day=${d.date()}&sessionID=${value}`;
Scope of issue:
Versions:
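The mismatch described in this report, as an added example that is not TRASA's code: both sides derive the year/month/day from the same nanosecond loginTime, and the directory only matches when the dashboard also evaluates the date in UTC. The unpadded `2020/10/22` layout and the query parameter names are assumptions taken from the snippet above; the sample login time and the UTC+05:45 browser zone are constructed.

```go
package main

import (
	"fmt"
	"path"
	"time"
)

// sessionDir is the year/month/day directory under which a recorded session
// is filed, derived from loginTime (Unix nanoseconds, as in the session log)
// and evaluated in loc. Layout assumed: unpadded decimal components.
func sessionDir(loginTimeNanos int64, loc *time.Location) string {
	t := time.Unix(0, loginTimeNanos).In(loc)
	return path.Join(
		fmt.Sprintf("%d", t.Year()),
		fmt.Sprintf("%d", int(t.Month())),
		fmt.Sprintf("%d", t.Day()),
	)
}

// serverSessionDir is what the server writes: always UTC.
func serverSessionDir(loginTimeNanos int64) string {
	return sessionDir(loginTimeNanos, time.UTC)
}

// sessionViewURL is the fragment the dashboard should build for the viewer,
// using UTC components so they match serverSessionDir whatever the browser's
// zone. Parameter names follow the JavaScript snippet in the report.
func sessionViewURL(loginTimeNanos int64, sessionID string) string {
	t := time.Unix(0, loginTimeNanos).UTC()
	return fmt.Sprintf("/monitor/sessions/view#type=ssh&year=%d&month=%d&day=%d&sessionID=%s",
		t.Year(), int(t.Month()), t.Day(), sessionID)
}

func main() {
	// constructed: a session that logged in at 23:30 UTC on 22 Oct 2020
	login := time.Date(2020, time.October, 22, 23, 30, 0, 0, time.UTC).UnixNano()
	// constructed: a browser running at UTC+05:45, where it is already 23 Oct
	kathmandu := time.FixedZone("NPT", 5*3600+45*60)
	fmt.Println("server stores under: ", serverSessionDir(login))
	fmt.Println("local-zone dashboard:", sessionDir(login, kathmandu))
	fmt.Println("UTC dashboard URL:   ", sessionViewURL(login, "abc123"))
}
```

In the moment.js snippet the equivalent fix is `Moment.unix(...).utc()` before reading the year, month and date, or having the server resolve the directory from loginTime itself so the client never computes a date.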
Describe the feature:
Currently, we do not force the admin to change the default password on first login. While they can change it manually from the account menu on the my page, we should enforce a password change on first login.
Describe why this feature is needed:
This feature will make root account password strong by default.
Scope of the feature:
Describe the feature:
timezone input field in the organization settings should be a dropdown component, not a text input field.
Scope of the feature:
Describe the bug:
When a selfUser tries to delete his/her device, the server will respond with a 403 Unauthorised response.
Expected behavior:
selfUser should be able to remove his/her own devices.
Log file / Code snippet / Screenshots:
time="2020-10-22T10:24:35Z" level=trace msg="request validation. trying to elevate privilege??" func=github.com/seknox/trasa/server/middlewares.Authorization.func1 file="/Users/bhrg3se/seknox/trasa/code/trasa-server/server/middlewares/authorizations.go:134"
Scope of issue:
Describe the bug:
When accessing SSH from a browser, the TFA prompt is displayed after entering password.
Expected behavior:
If TFA is disabled in the policy, the TFA prompt should be skipped.
Scope of issue:
Versions:
Describe the feature:
trasacli should integrate with the device agent to get device hygiene when accessing SSH.
Describe why this feature is needed:
This feature is needed to implement device policy when accessing SSH from ssh clients.
Scope of feature:
Describe the bug:
While accessing SSH from ssh client, user should be able to choose a service with its name as well as IP address.
When the service name is entered, "The SSH server is down" message is printed.
Expected behavior:
user should be able to choose a service with its name as well as IP address.
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Describe the bug:
Dashboard suddenly logs out just after login. It usually works as usual if tried again.
Expected behavior:
It should not log out unexpectedly.
Log file / Code snippet / Screenshots:
dashboard /tfa response:
dashboard /my request just after login:
server:
INFO[2020-11-05T14:04:56+05:45]auth/hLogin.go:169 github.com/seknox/trasa/server/api/auth.LoginHandler afd9fd563f21c1a9f6c67fa076772f9a52db40c3ebc5f3fc381e954d80e9d323-
Scope of issue:
Versions:
Additional context:
This behavior also occurs when opening TRASA in a new tab. I am not sure if the underlying issue is the same.
Describe the feature:
While accessing SSH from an SSH client, email/password validation can be skipped using a private key.
We should be using an SSH certificate instead of that private key.
Describe why this feature is needed:
The certificate will be more secure than private key because we can add expiry time in the certificate.
Scope of feature:
Hi,
I'm repo owner of github.com/phuslu/geoip, I had to rename geoip to iploc for trademark issue.
see jpillora/ipfilter#14 for details, thanks a lot.
Regards,
Describe the issue:
We need to setup a benchmarking process related to performance and scalability of TRASA server.
Example of how many concurrent user access can TRASA support for X amount of RAM and CPU for SSH service, RDP service etc.
Why is this needed:
This will help operators to plan and provision servers and resources for TRASA deployments.
Describe the feature:
Currently, there is no way to remove the previously saved upstream server ssh host key.
The only way to update it is by retrieving the updated host key from the ssh terminal client and updating it from the dashboard, or creating a new service profile with a server address that has an updated host key.
Describe why this feature is needed:
If administrators access the ssh service only from the TRASA dashboard, there is no way to retrieve the host key and update it from the dashboard. With this feature, the administrator can remove the previously saved host key from the TRASA server and TRASA will save the updated host key in the next ssh session.
Scope of the feature:
Describe the feature:
When TRASA is first installed, a default root user is created with default password.
User should be enforced to change password in the first login.
Describe why this feature is needed:
Scope of feature:
Describe the feature:
We use the userContext struct to store user details that are passed through the middleware SessionValidator. Currently, the server hits the database in every api request to retrieve this data. Refer to the following code:
user, err := users.Store.GetFromID(userID, orgID)
if err != nil {
return userContext, errors.Errorf(`get user from db: %v`, err)
}
org, err := orgs.Store.Get(user.OrgID)
if err != nil {
return userContext, errors.Errorf("get org from db: %v", err)
}
This issue is a proposal to store user details in redis after successful auth so that the server can retrieve user details from redis directly.
Describe why this feature is needed:
This will prevent database hit in every subsequent api requests and hence, less load in database.
Scope of the feature:
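The proposal above, as an added example that is not TRASA's code: a per-session cache of the context that SessionValidator builds, with a TTL and an explicit per-user invalidation so that disabling a user or changing a role takes effect on the next request rather than when the cache entry expires. Redis with EXPIRE would hold the same shape; a mutex-guarded map is used here so the example runs offline. The `userContext` fields, the `Lookup` signature and `fakeStore` are assumptions; only the `GetFromID` call comes from the snippet above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// userContext mirrors what SessionValidator hands downstream (field names assumed).
type userContext struct {
	UserID string
	OrgID  string
	Role   string
}

// userSource is the database path that today runs on every request.
type userSource interface {
	GetFromID(userID, orgID string) (userContext, error)
}

type cacheEntry struct {
	ctx     userContext
	expires time.Time
}

// contextCache memoizes userContext per session for ttl. Entries are keyed by
// a hash of the session token, never the raw token, and are indexed by user so
// that a deactivation or role change can evict every session of that user.
type contextCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock for tests
	src     userSource
	entries map[string]cacheEntry      // session key -> context
	byUser  map[string]map[string]bool // user ID -> session keys
	dbHits  int
}

func newContextCache(src userSource, ttl time.Duration) *contextCache {
	return &contextCache{ttl: ttl, now: time.Now, src: src,
		entries: map[string]cacheEntry{}, byUser: map[string]map[string]bool{}}
}

func sessionKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Lookup returns the cached context for sessionToken, falling back to the
// database when the entry is missing or stale. A database error also drops
// the entry, so a user who no longer exists is not served from cache.
func (c *contextCache) Lookup(sessionToken, userID, orgID string) (userContext, error) {
	key := sessionKey(sessionToken)
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
		return e.ctx, nil
	}
	c.dbHits++
	ctx, err := c.src.GetFromID(userID, orgID)
	if err != nil {
		delete(c.entries, key)
		return userContext{}, fmt.Errorf("get user from db: %w", err)
	}
	c.entries[key] = cacheEntry{ctx: ctx, expires: c.now().Add(c.ttl)}
	if c.byUser[userID] == nil {
		c.byUser[userID] = map[string]bool{}
	}
	c.byUser[userID][key] = true
	return ctx, nil
}

// InvalidateUser drops every cached session of userID; call it from the
// handlers that disable a user, change roles or revoke sessions.
func (c *contextCache) InvalidateUser(userID string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for key := range c.byUser[userID] {
		delete(c.entries, key)
	}
	delete(c.byUser, userID)
}

// fakeStore is constructed test data standing in for users.Store.
type fakeStore struct {
	users map[string]userContext
	calls int
}

func (f *fakeStore) GetFromID(userID, orgID string) (userContext, error) {
	f.calls++
	u, ok := f.users[userID]
	if !ok || u.OrgID != orgID {
		return userContext{}, errors.New("user not found")
	}
	return u, nil
}

func main() {
	store := &fakeStore{users: map[string]userContext{"u1": {UserID: "u1", OrgID: "o1", Role: "orgAdmin"}}}
	cache := newContextCache(store, 5*time.Minute)
	for i := 0; i < 3; i++ {
		cache.Lookup("session-token-1", "u1", "o1")
	}
	fmt.Printf("db hits after 3 requests: %d\n", cache.dbHits)
}
```

Keep the TTL short (minutes) even with invalidation in place: the cache is an authorization decision source, and any path that changes a user without calling InvalidateUser (a direct database edit, an LDAP sync) is otherwise invisible until the entry expires.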
Describe the feature:
Support for enabling Web Application Firewall (WAF) in HTTP(s) access proxy.
Describe why this feature is needed:
WAF will further strengthen the protection of internal web applications.
Any suggestions on how can this be implemented?
For a start, we can integrate ModSecurity. This will require binding using Cgo. Or make a provision of forwarding incoming web traffic to WAF.
Describe the bug:
Messages printed while connecting ssh (xterm) are not formatted correctly.
Expected behavior:
New messages should be displayed in a new line.
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Describe the feature:
Add the capability to auto-discover services. Eg, the way traefik listens to providers and auto-update listeners and routing details.
To auto retrieve and update service profiles, we can integrate with etcd, or consul since they are commonly used as service catalog/discovery backend.
Describe why this feature is needed:
This will make it really easy to protect services without the need for manual integration and update.
Note: TRASA also connects with service identity providers (e.g., AWS, Digital Ocean) to auto-import server profiles. This feature request will enable similar features to auto-import applications hosted in those servers (instead of importing server profiles only) and to enroll services hosted in microservice architectures where services are frequently created/deleted.
Scope of the feature:
Describe the feature:
TRASA currently only supports LDAP (Open ldap, freeIPA, Active Directory) and SAML (Okta) as identity providers.
This feature request is to integrate with more IDPs such as G suite, JumpCloud, Office365, and other popular solutions.
Scope of feature:
Describe the bug:
Assign multiple services to a user with different privileges (say services A and B). Then go to the /my page and search for service B. The privilege (username) list of service B will be replaced by that of A.
Expected behavior:
The privilege list should be correct.
Log file / Code snippet / Screenshots:
The service "local" is assigned with privilege "bhrg3se" and the service "do-beta-test" is assigned with "root"
when you search for "local", the privilege of "do-beta-test" replaces that of "local"
Scope of issue:
Versions:
Describe the bug:
Value of "secrets" in service overview is 1 by default.
Expected behavior:
Value should be based on actual number of secrets stored in database as "managed accounts"
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Describe the bug:
Xterm window size doesn't fit the whole browser window.
Expected behavior:
Xterm window size should be increased to fit the browser window for a better user experience.
Log file / Code snippet / Screenshots:
Scope of issue:
DB address of db:5432 is hardcoded in Dockerfile, preventing TRASA server from connecting to a database hosted at another address.
Update Dockerfile to supply the db address dynamically to wait-for-it.sh.
Note: This is only related when running TRASA server in a containerized environment.
Describe the feature:
Implement a file watch and auto-config reload feature. This is related to the TRASA server configuration that is defined in the config.toml file.
Describe why this feature is needed:
Once this is implemented, administrators need not restart TRASA server manually to load with the latest configurations.
Scope of the feature:
Describe the bug:
When access is blocked due to day/time policy, failed reason is stored/displayed as UNKNOWN
Expected behavior:
The failed reason should be TIME_POLICY_FAILED
Scope of issue:
Versions:
Currently, TRASA requires user profiles in TRASA IDP because they are used for Access Mapping, Auth and Session Logging, Device Registration. Even for the currently supported LDAP integration, admins need to import users from the LDAP server. Since I am now working on #122 , we will need to import users from those providers into TRASA.
But my concern is, do we need to import user profiles in TRASA. Why should we enforce user profile import?
network group and configure this user to authenticate with TRASA.network (exact name match with IDP group name) and assign that group to service along with the desired privilege.
Scope of the feature:
Note: If we decide to import users, apart from LDAP import, we will only support SCIM integration.
Describe the feature:
Fetching the TLS certificate from Let's Encrypt using autocert depends on the config flag autocert. This should be enabled by default.
Describe why this feature is needed:
This will enable Let's Encrypt issued TLS certificate by default.
Scope of the feature:
Describe the bug:
The old discussion site at discuss.trasa.io no longer works. Update to the new discussion site hosted at discuss.seknox.com.
Scope of issue:
upload website docs video to youtube and change markdown files to fetch those videos from youtube. This will save bandwidth served from website server.
Describe the bug:
Password equality check is missing in the "password change" form.
Expected behavior:
You should not be able to submit the form with two different passwords.
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Description:
The default server run command does not reveal the state of the server (listening on IP, domain), which might cause the administrator to think that the server start hung or failed to run correctly. Refer to actual server logs below:
sudo docker run --link db:db --link redis:redis -p 443:443 -p 80:80 -p 8022:8022 -e TRASA.LISTENADDR=<IP address> -e TRASA.AUTOCERT="false" -v /tmp/trasa/accessproxy/guac:/tmp/trasa/accessproxy/guac seknox/trasa:v1.1.1
wait-for-it.sh: waiting 15 seconds for db:5432
wait-for-it.sh: db:5432 is available after 0 seconds
db_version migrated
org migrated
users migrated
services migrated
devices migrated
browsers migrated
browser_ext migrated
groups migrated
user_group_maps migrated
service_group_maps migrated
policies migrated
user_accessmaps migrated
usergroup_accessmaps migrated
inapp_notifs migrated
gateway_http migrated
global_settings migrated
policy_enforcer migrated
security_rules migrated
password_state migrated
auth_logs migrated
inapp_trails migrated
signup_logs migrated
service_keyvault migrated
cert_holder migrated
idp migrated
key_holder migrated
cloudiaas_sync migrated
keylog migrated
adhoc_perms migrated
backups migrated
time="2020-10-27T17:05:01Z" level=error msg="cannot encrypt ca key: encryption key is not retrieved yet" func=github.com/seknox/trasa/server/initdb.initSystemCA file="/go/src/seknox/trasa/server/initdb/init.go:220"
2020/10/27 17:05:01 written cert.pem
2020/10/27 17:05:01 written key.pem
Solution:
After a successful server start, print appropriate messages to indicate the healthy start of the server along with the next steps to perform.
Describe the bug:
When signing up through the on-boarding URL and using a weak password, the password is visible in plain text in the URL.
Expected behavior:
No visible text of the value that's being inputted in the form.
Log file / Code snippet / Screenshots:
For example:
https://trasa.domain.org/woa/verify#token=6d1821638cf3f2246xxxxxx
After selecting a password (which isn't strong enough), you'll get an error and the password you've tried to use is visible in the URL in plain text.
After using a password which is strong enough, it disappears.
To reproduce:
Create new user -> Open Signup URL -> Use weak password (e.g. 123) -> Get error, and click continue -> URL should include weak password used like this:
https://trasa.domain.org/woa/verify?password=123&cpassword=123&submit=#token=2c9ee66xxxxxx
Scope of issue:
Versions:
Additional context:
As discussed in the Discord app.
Describe the bug:
When you try to change password, password and tfa validation work fine. But in the 3rd step, i.e. submitting the new password, you get a "failed to verify token" error message and are redirected to the login page.
Expected behavior:
Password should be changed
Log file / Code snippet / Screenshots:
Response from /api/v1/my/changepass API:
{"status":"failed","reason":"failed to verify token","intent":"SessionValidator","data":[null,null]}
trasa.log content:
time="2020-09-27T04:21:14Z" level=trace msg="Not Found URL: serving Index File : /my" func=main.CoreAPIRouter.func5 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:288"
time="2020-09-27T04:21:15Z" level=trace msg="Found static URL: serving STATIC : /static/css/7.7df41cd5.chunk.css.map" func=main.CoreAPIRouter.func3 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:276"
time="2020-09-27T04:21:25Z" level=info msg=32af44127e338addef183c9ac2ad2f62d3704599b14e4e31a998b4c0b0895209- func=github.com/seknox/trasa/server/api/auth.LoginHandler file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/api/auth/hLogin.go:150"
time="2020-09-27T04:22:14Z" level=error msg="no session token" func=github.com/seknox/trasa/server/middlewares.SessionValidator.func1 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/middlewares/session.go:35"
time="2020-09-27T04:22:14Z" level=trace msg="Not Found URL: serving Index File : /login" func=main.CoreAPIRouter.func5 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:288"
time="2020-09-27T04:22:15Z" level=trace msg="Found static URL: serving STATIC : /static/css/7.7df41cd5.chunk.css.map" func=main.CoreAPIRouter.func3 file="/Users/bhrg3se/seknox/code/trasa/trasa-oss/server/server.go:276"
Scope of issue:
Versions:
Additional context:
N/A
Describe the bug:
Export secrets feature is not working.
Expected behavior:
tfa accounts should be exported to the desired location.
Log file / Code snippet / Screenshots:
Scope of issue:
Versions:
Describe the bug:
The video player size in the "recorded session" is bigger than the browser window itself.
Expected behavior:
It should fit the window size.
Scope of issue: