Merge remote-tracking branch 'origin/master' into timothyb89/bound-keypair-audit-events

Author: timothyb89

.golangci.yml

@@ -113,6 +113,8 @@ linters:
           deny:
             - pkg: github.com/gravitational/teleport/integration
               desc: integration test should not be imported outside of intergation tests
+            - pkg: github.com/gravitational/teleport/lib/srv/db/cassandra/testing
+              desc: testing packages should not be imported outside of _test.go files
         logging:
           deny:
             - pkg: github.com/sirupsen/logrus
@@ -185,6 +187,10 @@ linters:
               desc: testing packages should not be imported outside of _test.go files
             - pkg: github.com/gravitational/teleport/tool/teleport/testenv
               desc: testing packages should not be imported outside of _test.go files
+            - pkg: github.com/gravitational/teleport/lib/srv/db/redis/testing
+              desc: testing packages should not be imported outside of _test.go files
+            - pkg: github.com/gravitational/teleport/lib/srv/db/spanner/testing
+              desc: testing packages should not be imported outside of _test.go files
         testify:
           files:
             - '!$test'

Makefile

@@ -917,10 +917,11 @@ test-go-prepare: ensure-webassets bpf-bytecode $(TEST_LOG_DIR) ensure-gotestsum
 
 # Runs base unit tests
 .PHONY: test-go-unit
+test-go-unit: rdpclient
 test-go-unit: FLAGS ?= -race -shuffle on
 test-go-unit: SUBJECT ?= $(shell go list ./... | grep -vE 'teleport/(e2e|integration|tool/tsh|integrations/operator|integrations/access|integrations/lib)')
 test-go-unit:
-	$(CGOFLAG) GOEXPERIMENT=synctest go test -cover -json -tags "enablesynctest $(PAM_TAG) $(FIPS_TAG) $(BPF_TAG) $(LIBFIDO2_TEST_TAG) $(TOUCHID_TAG) $(PIV_TEST_TAG) $(VNETDAEMON_TAG)" $(PACKAGES) $(SUBJECT) $(FLAGS) $(ADDFLAGS) \
+	$(CGOFLAG) GOEXPERIMENT=synctest go test -cover -json -tags "enablesynctest $(PAM_TAG) $(RDPCLIENT_TAG) $(FIPS_TAG) $$(BPF_TAG) $(LIBFIDO2_TEST_TAG) $(TOUCHID_TAG) $(PIV_TEST_TAG) $(VNETDAEMON_TAG)" $(PACKAGES) $(SUBJECT) $(FLAGS) $(ADDFLAGS) \
 		| tee $(TEST_LOG_DIR)/unit.json \
 		| gotestsum --raw-command -- cat
 
@@ -1080,9 +1081,10 @@ FLAKY_RUNS ?= 3
 FLAKY_TIMEOUT ?= 1h
 FLAKY_TOP_N ?= 20
 FLAKY_SUMMARY_FILE ?= /tmp/flaky-report.txt
+test-go-flaky: rdpclient
 test-go-flaky: FLAGS ?= -race -shuffle on
 test-go-flaky: SUBJECT ?= $(shell go list ./... | grep -v -e e2e -e integration -e tool/tsh -e integrations/operator -e integrations/access -e integrations/lib )
-test-go-flaky: GO_BUILD_TAGS ?= $(PAM_TAG) $(FIPS_TAG) $(BPF_TAG) $(TOUCHID_TAG) $(PIV_TEST_TAG) $(LIBFIDO2_TEST_TAG) $(VNETDAEMON_TAG)
+test-go-flaky: GO_BUILD_TAGS ?= $(PAM_TAG) $(FIPS_TAG) $(RDPCLIENT_TAG) $(BPF_TAG) $(TOUCHID_TAG) $(PIV_TEST_TAG) $(LIBFIDO2_TEST_TAG) $(VNETDAEMON_TAG)
 test-go-flaky: RENDER_FLAGS ?= -report-by flakiness -summary-file $(FLAKY_SUMMARY_FILE) -top $(FLAKY_TOP_N)
 test-go-flaky: test-go-prepare $(RENDER_TESTS) $(RERUN)
 	$(CGOFLAG) $(RERUN) -n $(FLAKY_RUNS) -t $(FLAKY_TIMEOUT) \

api/client/proto/inventory.pb.go

@@ -5,7 +5,7 @@ go 1.23.10
 require (
 	github.com/charlievieth/strcase v0.0.5
 	github.com/coreos/go-semver v0.3.1
-	github.com/go-piv/piv-go v1.11.0
+	github.com/go-piv/piv-go/v2 v2.3.0
 	github.com/gobwas/ws v1.4.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-cmp v0.7.0

api/go.mod

@@ -16,8 +16,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg=
-github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
+github.com/go-piv/piv-go/v2 v2.3.0 h1:kKkrYlgLQTMPA6BiSL25A7/x4CEh2YCG7rtb/aTkx+g=
+github.com/go-piv/piv-go/v2 v2.3.0/go.mod h1:ShZi74nnrWNQEdWzRUd/3cSig3uNOcEZp+EWl0oewnI=
 github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=

api/go.sum

@@ -317,19 +317,26 @@ func FullProfilePath(dir string) string {
 
 // defaultProfilePath retrieves the default path of the TSH profile.
 func defaultProfilePath() string {
-	// start with UserHomeDir, which is the fastest option as it
-	// relies only on environment variables and does not perform
-	// a user lookup (which can be very slow on large AD environments)
-	home, err := os.UserHomeDir()
-	if err == nil && home != "" {
-		return filepath.Join(home, profileDir)
+	home, ok := UserHomeDir()
+	if !ok {
+		home = os.TempDir()
 	}
+	return filepath.Join(home, profileDir)
+}
 
-	home = os.TempDir()
+// UserHomeDir returns the current user's home directory if it can be found.
+func UserHomeDir() (string, bool) {
+	// Start with os.UserHomeDir, which is the fastest option as it relies only
+	// on environment variables and does not perform a user lookup (which can be
+	// very slow on large AD environments).
+	if home, err := os.UserHomeDir(); err == nil && home != "" {
+		return home, true
+	}
+	// Fall back to the user lookup.
 	if u, err := user.Current(); err == nil && u.HomeDir != "" {
-		home = u.HomeDir
+		return u.HomeDir, true
 	}
-	return filepath.Join(home, profileDir)
+	return "", false
 }
 
 // FromDir reads the user profile from a given directory. If dir is empty,

api/profile/profile.go

@@ -20,6 +20,7 @@ package proto;
 
 import "google/protobuf/timestamp.proto";
 import "teleport/legacy/types/types.proto";
+import "teleport/presence/v1/relay_server.proto";
 
 option go_package = "github.com/gravitational/teleport/api/client/proto";
 
@@ -166,6 +167,8 @@ message DownstreamInventoryHello {
     bool KubernetesHeartbeats = 17;
     // KubernetesCleanup indicates the ICS supports deleting kubernetes clusters when UpstreamInventoryGoodbye.DeleteResources is set.
     bool KubernetesCleanup = 18;
+    // Indicates that the ICS supports heartbeating relay_server entries as well as deleting them on disconnect if UpstreamInventoryGoodbye.DeleteResources is set.
+    bool relay_server_heartbeats_cleanup = 19;
   }
 
   // SupportedCapabilities advertises the supported features of the auth server.
@@ -217,6 +220,8 @@ message InventoryHeartbeat {
   types.DatabaseServerV3 DatabaseServer = 3;
   // KubeServer is a complete kube server spec to be heartbeated.
   types.KubernetesServerV3 KubernetesServer = 4;
+  // A relay_server to be heartbeated.
+  teleport.presence.v1.RelayServer relay_server = 5;
 }
 
 // UpstreamInventoryGoodbye informs the upstream service that instance

api/proto/teleport/legacy/client/proto/inventory.proto

@@ -1440,6 +1440,15 @@ var KubernetesResourcesKinds = []string{
 	KindKubeIngress,
 }
 
+// KubernetesResourceSelfSubjectAccessReview is a Kubernetes resource that
+// represents a self-subject access review. This gets injected in the allow section in the roles.
+var KubernetesResourceSelfSubjectAccessReview = KubernetesResource{
+	Kind:     "selfsubjectaccessreviews",
+	Name:     Wildcard,
+	Verbs:    []string{"create"},
+	APIGroup: "authorization.k8s.io",
+}
+
 // KubernetesResourcesV7KindGroups maps the legacy Teleport kube kinds
 // to their kubernetes group.
 // Used for validation in role >=v8 to check whether an older value has

api/types/constants.go

@@ -470,7 +470,12 @@ func (r *RoleV6) SetKubeGroups(rct RoleConditionType, groups []string) {
 // access to.
 func (r *RoleV6) GetKubeResources(rct RoleConditionType) []KubernetesResource {
 	if rct == Allow {
-		return r.convertAllowKubernetesResourcesBetweenRoleVersions(r.Spec.Allow.KubernetesResources)
+		out := r.convertAllowKubernetesResourcesBetweenRoleVersions(r.Spec.Allow.KubernetesResources)
+		// We need to support `kubectl auth can-i` as we prompt the user to use this when they get an access denied error.
+		// Inject a selfsubjectaccessreviews resource to allow for it. It can still be explicitly denied by the role if
+		// set in the `deny` section.
+		out = append(out, KubernetesResourceSelfSubjectAccessReview)
+		return out
 	}
 	return r.convertKubernetesResourcesBetweenRoleVersions(r.Spec.Deny.KubernetesResources)
 }

api/types/role.go

@@ -661,6 +661,7 @@ func TestRole_GetKubeResources(t *testing.T) {
 			}
 			if tt.wantDeny == nil {
 				got := r.GetKubeResources(Allow)
+				tt.wantAllow = append(tt.wantAllow, KubernetesResourceSelfSubjectAccessReview)
 				require.Equal(t, tt.wantAllow, got)
 			}
 			got := r.GetKubeResources(Deny)

api/types/role_test.go

@@ -39,6 +39,8 @@ const (
 	RoleProxy SystemRole = "Proxy"
 	// RoleAdmin is admin role
 	RoleAdmin SystemRole = "Admin"
+	// RoleRelay is the system role for a relay in the cluster.
+	RoleRelay SystemRole = "Relay"
 	// RoleProvisionToken is a role for nodes authenticated using provisioning tokens
 	RoleProvisionToken SystemRole = "ProvisionToken"
 	// RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
@@ -90,6 +92,7 @@ var roleMappings = map[string]SystemRole{
 	"node":              RoleNode,
 	"proxy":             RoleProxy,
 	"admin":             RoleAdmin,
+	"relay":             RoleRelay,
 	"provisiontoken":    RoleProvisionToken,
 	"trusted_cluster":   RoleTrustedCluster,
 	"trustedcluster":    RoleTrustedCluster,
@@ -132,6 +135,7 @@ var localServiceMappings = map[SystemRole]struct{}{
 	RoleAuth:              {},
 	RoleNode:              {},
 	RoleProxy:             {},
+	RoleRelay:             {},
 	RoleKube:              {},
 	RoleApp:               {},
 	RoleDatabase:          {},

api/types/system_role.go

@@ -95,7 +95,9 @@ func (c CertAuthType) NewlyAdded() bool {
 	return c.addedInMajorVer() >= api.VersionMajor
 }
 
-// addedInVer return the major version in which given CA was added.
+// addedInMajorVer returns the major version in which given CA was added.
+// The returned version must be the X.0.0 release in which the CA first
+// existed.
 func (c CertAuthType) addedInMajorVer() int64 {
 	switch c {
 	case DatabaseCA:
@@ -107,7 +109,7 @@ func (c CertAuthType) addedInMajorVer() int64 {
 	case SPIFFECA:
 		return 15
 	case OktaCA:
-		return 16
+		return 17
 	case AWSRACA, BoundKeypairCA:
 		return 18
 	default:

api/types/trust.go

@@ -82,9 +82,9 @@ const (
 	// vnetKnownHosts is the file name of the known_hosts file trusted by
 	// third-party SSH clients connecting to VNet SSH.
 	vnetKnownHosts = "vnet_known_hosts"
-	// vnetSSHConfig is the file name of the generated OpenSSH-compatible config
+	// VNetSSHConfig is the file name of the generated OpenSSH-compatible config
 	// file to be used by third-party SSH clients connecting to VNet SSH.
-	vnetSSHConfig = "vnet_ssh_config"
+	VNetSSHConfig = "vnet_ssh_config"
 )
 
 // Here's the file layout of all these keypaths.
@@ -463,7 +463,7 @@ func VNetKnownHostsPath(baseDir string) string {
 // VNetSSHConfigPath returns the path to VNet's generated OpenSSH-compatible
 // config file.
 func VNetSSHConfigPath(baseDir string) string {
-	return filepath.Join(baseDir, vnetSSHConfig)
+	return filepath.Join(baseDir, VNetSSHConfig)
 }
 
 // TrimKeyPathSuffix returns the given path with any key suffix/extension trimmed off.

api/utils/keypaths/keypaths.go

@@ -25,7 +25,7 @@ import (
 	"io"
 	"sync"
 
-	"github.com/go-piv/piv-go/piv"
+	"github.com/go-piv/piv-go/v2/piv"
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/utils/keys/hardwarekey"