Merge branch 'master' of github.com:gravitational/teleport into STeve…
…/48762_integration
greedy52 committed Nov 23, 2024
2 parents 29552cd + e8b3d21 commit 3617fe1
Showing 620 changed files with 32,082 additions and 9,426 deletions.
33 changes: 15 additions & 18 deletions .github/ISSUE_TEMPLATE/testplan.md
Expand Up @@ -20,6 +20,7 @@ as well as an upgrade of the previous version of Teleport.
- [ ] Labels
- [ ] Static Labels
- [ ] Dynamic Labels
- [ ] [Resource-based Labels](https://goteleport.com/docs/admin-guides/management/admin/labels/#apply-resource-based-labels) using `server_info`

- [ ] Trusted Clusters
- [ ] Adding Trusted Cluster Valid Static Token
Expand Down Expand Up @@ -1186,21 +1187,20 @@ manualy testing.
## Desktop Access
- Direct mode (set `listen_addr`):
- [ ] Can connect to AD desktop defined in static `hosts` section.
- [ ] Can connect to AD desktop defined in static `static_hosts` section.
- [ ] Can connect to non-AD desktop defined in static `static_hosts` section.
- [ ] Can connect to non-AD desktop defined in static `non_ad_hosts` section.
- [ ] Can connect to desktop discovered via LDAP
- IoT mode (reverse tunnel through proxy):
- [ ] Can connect to AD desktop defined in static `hosts` section.
- [ ] Can connect to AD desktop defined in static `static_hosts` section.
- [ ] Can connect to non-AD desktop defined in static `static_hosts` section.
- [ ] Can connect to non-AD desktop defined in static `non_ad_hosts` section.
- [ ] Can connect to desktop discovered via LDAP
- [ ] Connect multiple `windows_desktop_service`s to the same Teleport cluster,
verify that connections to desktops on different AD domains works. (Attempt to
connect several times to verify that you are routed to the correct
`windows_desktop_service`)
- [ ] Set `client_idle_timeout` to a small value and verify that idle sessions
are terminated (the session should end and an audit event will confirm it
was due to idle connection)
- Verify user input
- [ ] Download [Keyboard Key Info](https://dennisbabkin.com/kbdkeyinfo/) and
verify all keys are processed correctly in each supported browser. Known
Expand All @@ -1216,11 +1216,8 @@ manualy testing.
- [ ] Verify that placing a desktop lock terminates an active desktop session.
- [ ] Verify that placing a role lock terminates an active desktop session.
- Labeling
- [ ] Set `client_idle_timeout` to a small value and verify that idle sessions
are terminated (the session should end and an audit event will confirm it
was due to idle connection)
- [ ] All desktops have `teleport.dev/origin` label.
- [ ] Dynamic desktops have additional `teleport.dev` labels for OS, OS
- [ ] Desktops discovered via LDAP have additional `teleport.dev` labels for OS, OS
Version, DNS hostname.
- [ ] Regexp-based host labeling applies across all desktops, regardless of
origin.
Expand Down Expand Up @@ -1278,12 +1275,14 @@ manualy testing.
- [ ] A file from inside the shared directory can be copy-pasted to another folder inside the shared directory
- [ ] A folder from inside the shared directory can be copy-pasted to another folder inside shared directory (and its contents retained)
- RBAC
- [ ] Give the user one role that explicitly disables directory sharing (`desktop_directory_sharing: false`) and confirm that the option to share a directory doesn't appear in the menu
- [ ] Give the user one role that explicitly disables directory sharing (`desktop_directory_sharing: false`)
and confirm that the option to share a directory doesn't appear in the menu and that the directory sharing
icon is in a disabled state.
- Per-Session MFA
- [ ] Attempting to start a session no keys registered shows an error message
- [ ] Attempting to start a session with a webauthn registered pops up the "Verify Your Identity" dialog
- [ ] Hitting "Cancel" shows an error message
- [ ] Hitting "Verify" causes your browser to prompt you for MFA
- [ ] Attempting to start a session with no keys registered shows an error message
- [ ] Attempting to start a session with a webauthn registered pops up the MFA dialog
- [ ] Canceling this dialog (clicking the X in the corner) shows an error
- [ ] Hitting "Passkey or MFA Device" causes your browser to prompt you for MFA
- [ ] Cancelling that browser MFA prompt shows an error
- [ ] Successful MFA verification allows you to connect
- Session Recording
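Review bot: the Per-Session MFA items spell the same verb two ways, "Canceling this dialog" and "Cancelling that browser MFA prompt"; use one spelling in both. "with a webauthn registered" is also missing its noun; "with a WebAuthn device registered" would match the "no keys registered" item above it.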
Expand All @@ -1292,8 +1291,8 @@ manualy testing.
- [ ] Verify async recording (`mode: node` or `mode: proxy`)
- [ ] Sessions show up in session recordings UI with desktop icon
- [ ] Sessions can be played back, including play/pause functionality
- [ ] Sessions playback speed can be toggled while its playing
- [ ] Sessions playback speed can be toggled while its paused
- [ ] Sessions playback speed can be toggled while it's playing
- [ ] Sessions playback speed can be toggled while it's paused
- [ ] A session that ends with a TDP error message can be played back, ends by displaying the error message,
and the progress bar progresses to the end.
- [ ] Attempting to play back a session that doesn't exist (i.e. by entering a non-existing session id in the url) shows
Expand Down Expand Up @@ -1338,8 +1337,6 @@ manualy testing.
- Non-AD setup
- [ ] Installer in GUI mode finishes successfully on instance that is not part of domain
- [ ] Installer works correctly invoked from command line
- [ ] Non-AD instance can be added to `non_ad_hosts` section in config file and is visible in UI
- [ ] Non-AD can be added as dynamic resource and is visible in UI
- [ ] Non-AD instance has label `teleport.dev/ad: false`
- [ ] Connecting to non-AD instance works with OSS if there are no more than 5 non-AD desktops
- [ ] Connecting to non-AD instance fails with OSS if there are more than 5 non-AD desktops
Expand All @@ -1353,7 +1350,7 @@ manualy testing.
- [ ] `tctl get dynamic_windows_desktop` works with all supported formats
- [ ] Adding dynamic Windows desktop that doesn't match labels for any Windows Desktop Service does not create any
Windows desktop
- [ ] Adding dynamic Windows desktop that matches some `windows_desktop_services`s creates Windows desktops for each
- [ ] Adding dynamic Windows desktop that matches some `windows_desktop_service`s creates Windows desktops for each
matching WDS
- [ ] Updating dynamic Windows desktop updates corresponding Windows desktops
- [ ] Updating dynamic Windows desktop's labels so it no longer matches `windows_desktop_services` deletes
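Review bot: the last item in this hunk ("Updating dynamic Windows desktop's labels so it no longer matches `windows_desktop_services` deletes") still has the plural inside the backticks, while the "Adding dynamic Windows desktop that matches some" item is written as `windows_desktop_service`s. Use the same form in both so the quoted name matches the `windows_desktop_service` spelling used elsewhere in this file.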
67 changes: 67 additions & 0 deletions .github/workflows/cla-assistant.yaml
@@ -0,0 +1,67 @@
name: "CLA Assistant"
on:
issue_comment:
types:
- created # PR comments are considered issue_comments
pull_request_target:
types:
- opened
- synchronize # Run on any diff changes to the PR (e.g. code updates)
# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
permissions:
actions: read
contents: read # this can be 'read' if the signatures are in remote repository
pull-requests: write
jobs:
cla-assistant:
# Only do job for pull requests. For issues this is skipped making workflow a no-op
if: ${{ github.event_name == 'pull_request_target' || github.event.issue.pull_request }} # triggers on pr updates and coments
name: "Check Contributor License Agreement Signed"
runs-on: ubuntu-latest
steps:
- name: Fetch installation token
id: fetch-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.CLA_ASSISTANT_APP_ID }}
private-key: ${{ secrets.CLA_ASSISTANT_APP_PRIVATE_KEY }}
repositories: cla-signatures
- name: "Determine gravitational membership"
id: get-membership
env:
GITHUB_TOKEN: ${{ steps.fetch-token.outputs.token }}
USER: ${{ github.actor }}
continue-on-error: true
# Use the "Check Membership" API for user
# If the user is a member of the org expect a 204 HTTP Status Code
# If the above is success the process will exit 0
run: |
gh api "orgs/gravitational/members/${USER}" > /dev/null
# This step runs the CLA Assistant GHA
# If the creator of the PR is someone in the 'gravitational' org this step is skipped
# Otherwise for those out of the gravitational org:
# * CLA Assistant gathers authors from commits made to the PR
# * Will determine if authors have already signed the CLA
#
# To sign the CLA a user can reply to the PR with the comment:
# * 'I have read the CLA Document and I hereby sign the CLA'
#
# The workflow will be rerun again to perform a recheck on:
# * Any code changes to the PR
# * PR comment with the body being 'recheck' - In the event of a transient failure
# * PR comment with body 'I have read the CLA Document and I hereby sign the CLA'
- name: "CLA Assistant"
if: steps.get-membership.outcome != 'success' && ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ steps.fetch-token.outputs.token }}
with:
remote-organization-name: gravitational
remote-repository-name: cla-signatures
path-to-signatures: 'version1_signatures.json'
path-to-document: 'https://github.com/gravitational/teleport/blob/master/CLA.md'
# branch should not be protected
branch: 'main'
allowlist: '*[bot]'
lock-pullrequest-aftermerge: false
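Review bot: the membership check in "Determine gravitational membership" looks up `USER: ${{ github.actor }}`, but the comment above the "CLA Assistant" step says the step is skipped when the creator of the PR is in the org. On `issue_comment` and `synchronize` runs the actor is whoever commented or pushed, so an org member commenting `recheck` on an outside contributor's PR makes `steps.get-membership.outcome` succeed and the CLA step is skipped for that run. Consider checking the PR author instead (`github.event.pull_request.user.login`, with `github.event.issue.user.login` for comment events). Separately, `actions/create-github-app-token@v1` is referenced by tag while `contributor-assistant/github-action` is pinned to a commit SHA; the token step receives `CLA_ASSISTANT_APP_PRIVATE_KEY` and the workflow runs on `pull_request_target`, so pin that action to a SHA as well.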
41 changes: 19 additions & 22 deletions .github/workflows/doc-tests.yaml
Expand Up @@ -44,8 +44,14 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
repository: "gravitational/docs"
path: "docs"
repository: 'gravitational/teleport'
path: 'teleport'

- name: Checkout
uses: actions/checkout@v4
with:
repository: 'gravitational/docs'
path: 'docs'

# Cache node_modules. Unlike the example in the actions/cache repo, this
# caches the node_modules directory instead of the yarn cache. This is
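Review bot: both checkout steps are named "Checkout", and the `gravitational/teleport` one sets `repository` without a `ref`. Give the steps distinct names (for example "Checkout teleport" and "Checkout docs") so the logs are readable, and confirm that with an explicit `repository` the step still resolves to the pull request or merge-queue commit rather than the default branch, now that the docs content comes from this checkout instead of a submodule branch. If it does not, set `ref` explicitly.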
Expand All @@ -69,6 +75,7 @@ jobs:
run: yarn install

- name: Prepare docs site configuration
working-directory: docs
# The environment we use for linting the docs differs from the one we
# use for the live docs site in that we only test a single version of
# the content.
Expand All @@ -83,34 +90,24 @@ jobs:
# of gravitational/teleport. We override this in order to build only a
# single version of the docs.
run: |
if [ $GITHUB_EVENT_NAME = "pull_request" ]; then
BRANCH=$GITHUB_HEAD_REF;
elif [ $GITHUB_EVENT_NAME = "merge_group" ]; then
# GitHub populates $GITHUB_REF with:
# refs/heads/gh-readonly-queue/<base branch>/pr-<PR number>-<SHA>
#
# We strip the "refs/heads/" prefix so we can check out the branch.
BRANCH=$(echo $GITHUB_REF | sed -E "s|refs/heads/(.*)|\1|")
else
echo "Unexpected event name: $GITHUB_EVENT_NAME";
exit 1;
fi
cd $GITHUB_WORKSPACE/docs
echo "" > .gitmodules
rm -rf content/*
cd content
# Add a submodule at docs/content/teleport
git submodule add --force -b $BRANCH -- https://github.com/gravitational/teleport
# Rather than using a submodule, copy the teleport source into the
# content directory.
cp -r $GITHUB_WORKSPACE/teleport $GITHUB_WORKSPACE/docs/content
cd $GITHUB_WORKSPACE/docs
echo "{\"versions\": [{\"name\": \"teleport\", \"branch\": \"$BRANCH\", \"deprecated\": false}]}" > $GITHUB_WORKSPACE/docs/config.json
echo "{\"versions\": [{\"name\": \"teleport\", \"branch\": \"teleport\", \"deprecated\": false}]}" > $GITHUB_WORKSPACE/docs/config.json
cat <<< "$(jq '.scripts."git-update" = "echo Skipping submodule update"' package.json)" > package.json
yarn build-node
- name: Check spelling
run: cd $GITHUB_WORKSPACE/docs && yarn spellcheck content/teleport
working-directory: 'docs'
run: yarn spellcheck content/teleport

- name: Lint the docs
run: cd $GITHUB_WORKSPACE/docs && yarn markdown-lint
- name: Lint docs formatting
working-directory: 'docs'
run: yarn markdown-lint

- name: Test the docs build
working-directory: docs
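Review bot: `cp -r $GITHUB_WORKSPACE/teleport $GITHUB_WORKSPACE/docs/content` only lands the tree at `content/teleport`, which the later `yarn spellcheck content/teleport` step expects, when `content` already exists as a directory; if it does not, the source is copied as `content` itself. Name the full destination and quote the paths, e.g. `cp -r "$GITHUB_WORKSPACE/teleport" "$GITHUB_WORKSPACE/docs/content/teleport"`. The step also sets `working-directory: docs` while the script keeps `cd $GITHUB_WORKSPACE/docs` and absolute paths; one of the two can go.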
5 changes: 5 additions & 0 deletions .github/workflows/post-release.yaml
Expand Up @@ -94,12 +94,17 @@ jobs:
git config --global user.email "[email protected]"
git config --global user.name "GitHub"
# get Go version from go.mod
GO_VERSION=$(go mod edit -json | jq -r .Go)
# update versions in docs/config.json
# for docker images replace version number after <docker image name>:
jq --arg major "${MAJOR_VERSION}" \
--arg version "${FULL_VERSION}" \
--arg go_version "${GO_VERSION}" \
'.variables.teleport.major_version |= $major |
.variables.teleport.version |= $version |
.variables.teleport.golang |= $go_version |
.variables.teleport.plugin.version |= $version |
.variables.teleport.latest_oss_docker_image |= sub(":.*";":")+$version |
.variables.teleport.latest_oss_debug_docker_image |= sub(":.*";":")+$version |
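Review bot: `GO_VERSION=$(go mod edit -json | jq -r .Go)` is used without checking its result. If the command runs outside the module root, or go.mod has no `go` directive, `jq -r` prints `null` or nothing and that string is written into `.variables.teleport.golang`. Add a guard after the assignment that fails the step when `GO_VERSION` is empty or `null`.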
2 changes: 1 addition & 1 deletion .github/workflows/vercel-preview.yaml
Expand Up @@ -61,5 +61,5 @@ jobs:
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `🤖 Vercel preview here: ${previewUrl}/docs/ver/preview`
body: `🤖 Vercel preview here: ${previewUrl}/docs`
})
2 changes: 2 additions & 0 deletions .golangci.yml
Expand Up @@ -89,6 +89,8 @@ linters-settings:
deny:
- pkg: io/ioutil
desc: 'use "io" or "os" packages instead'
- pkg: math/rand$
desc: 'use "math/rand/v2" or "crypto/rand" instead'
- pkg: github.com/golang/protobuf
desc: 'use "google.golang.org/protobuf"'
- pkg: github.com/hashicorp/go-uuid
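Review bot: the `desc` on the new `math/rand$` entry offers "math/rand/v2" and "crypto/rand" as if they were interchangeable. Anything security-sensitive (tokens, keys, nonces) needs `crypto/rand`; `math/rand/v2` is only for non-security randomness such as jitter. Suggest wording the message that way, e.g. 'use "crypto/rand" for security-sensitive values, "math/rand/v2" otherwise', so the lint output steers people to the right package.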
21 changes: 21 additions & 0 deletions CLA.md
@@ -0,0 +1,21 @@
TELEPORT CONTRIBUTOR LICENSE AGREEMENT (v1)

This Contributor License Agreement (“Agreement” or “CLA”) is entered into between Gravitational, Inc., a Delaware corporation (“Teleport,” “we,” or “us” etc.) and You (as defined and further identified below). Accordingly, You hereby agree to and accept the following terms for your present and future Contributions (as defined and further identified below) submitted to Teleport:

1. Definitions: (a) “You” (or “Your”) shall mean the copyright owner (whether an individual or organization) or legal entity authorized by the copyright owner that is making this Agreement with Teleport. (b) “Contribution(s)” shall mean the code, documentation, or other original works of authorship, including any modifications or additions to an existing work, submitted by You to Teleport for inclusion in, or documentation of, any of the products or projects owned or managed by Teleport (the “Work(s)”). For the purposes of this definition, “Submitted” means any form of electronic, verbal, or written communication sent to Teleport or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Teleport for the purpose of discussing and/or improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as “Not a Contribution.”

2. Grant of Copyright License. Subject to the terms of the Agreement, You hereby grant to Teleport and to recipients of software distributed by Teleport a perpetual, worldwide, non-exclusive, sublicensable, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute Your Contributions and such derivative works.

3. Grant of Patent License. With respect to any patents You own, or that You can license without payment to any third party, subject to the terms of the Agreement, You hereby grant Teleport and to recipients of software distributed by Teleport a perpetual, irrevocable, non-exclusive, worldwide, no-charge, royalty-free irrevocable (except as stated in this Section) patent license to: (i) make, have made, use, sell, offer to sell, import, transfer, and otherwise distribute and exploit Your Contributions in whole or in part, alone or in combination with or included in any product, work or materials arising out of or relating to the Works to which Your Contributions were Submitted; and (ii) sublicense these same rights to third parties through multiple levels of sublicensees or other licensing arrangements. If any entity institutes patent litigation against You or any other entity (including a crossclaim or counterclaim in a lawsuit) alleging that Your Contribution, or the Work to which You have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.

4. Except as set out above, You keep all right, title, and interest in Your Contribution. The rights that You grant to us under this Agreement are effective on the date You first Submitted a Contribution to us, even if Your submission took place before the date, You entered this Agreement.

5. You represent and warrant that: (i) each Contributions is Your original work and that You can legally grant the license and rights set out in this Agreement; (iii) the Contributions and Teleport’s exercise of any license rights granted hereunder, does not and will not, infringe the rights of any third party; (iv) You are not aware of any pending or threatened claims, suits, actions, or charges pertaining to the Contributions, including without limitation any claims or allegations that any or all of the Contributions infringes, violates, or misappropriate the intellectual property rights of any third party (You further agree that You will notify Teleport immediately if You become aware of any such actual or potential claims, suits, actions, allegations or charges).

6. If Your employer(s) has rights to intellectual property that You create that includes Your Contributions, You represent and warrant that (a) Your employer(s) has waived such rights for Your Contributions to Teleport, or (b) that You have received permission to make Your Contributions on behalf of that employer, and that You are authorized to execute this Agreement on behalf of Your employer.

7. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Except as set forth herein, and unless required by applicable law or agreed to in writing, You provide Your Contributions on an “as is” basis, without warranties or conditions of any kind.

8. You will notify Teleport of any facts or circumstances of which You become aware that would make Your representations in this Agreement inaccurate in any respect.

9. The failure of either party to enforce its rights under this Agreement for any period shall not be construed as a waiver of such rights. No changes or modifications or waivers to this Agreement will be effective unless in writing and signed by both parties. In the event that any provision of this Agreement shall be determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable. This Agreement may be assigned by Teleport. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.
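Review bot: clause 5 numbers its representations (i), (iii), (iv), so either a (ii) was dropped or the numbering is off; the same clause reads "each Contributions is". Clause 4 has a stray comma in "before the date, You entered this Agreement", and clause 3 uses "irrevocable" twice in the description of the patent license. Since the workflow's `path-to-document` points contributors at this file, get these fixed before it becomes the text people sign.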