Merge branch 'master' into bernard/email-plugin-docs

.golangci.yml

@@ -89,6 +89,8 @@ linters-settings:
         deny:
           - pkg: io/ioutil
             desc: 'use "io" or "os" packages instead'
+          - pkg: math/rand$
+            desc: 'use "math/rand/v2" or "crypto/rand" instead'
           - pkg: github.com/golang/protobuf
             desc: 'use "google.golang.org/protobuf"'
           - pkg: github.com/hashicorp/go-uuid

api/proto/teleport/legacy/types/types.proto

@@ -963,6 +963,26 @@ message CORSPolicy {
   repeated string exposed_headers = 6 [(gogoproto.jsontag) = "exposed_headers,omitempty"];
 }
 
+// IdentityCenterPermissionSet defines a permission set that is available on an
+// IdentityCenter account app
+message IdentityCenterPermissionSet {
+  // ARN is the fully-formed ARN of the Permission Set.
+  string ARN = 1 [(gogoproto.jsontag) = "arn,omitempty"];
+
+  // Name is the human-readable name of the Permission Set.
+  string Name = 2 [(gogoproto.jsontag) = "name,omitempty"];
+}
+
+// AppIdentityCenter encapsulates information about an AWS Identity Center
+// account application.
+message AppIdentityCenter {
+  // Account ID is the AWS-assigned ID of the account
+  string AccountID = 1 [(gogoproto.jsontag) = "account_id,omitempty"];
+
+  // PermissionSets lists the available permission sets on the given account
+  repeated IdentityCenterPermissionSet PermissionSets = 2 [(gogoproto.jsontag) = "permission_sets,omitempty"];
+}
+
 // AppSpecV3 is the AppV3 resource spec.
 message AppSpecV3 {
   // URI is the web app endpoint.
@@ -993,6 +1013,9 @@ message AppSpecV3 {
   repeated string RequiredAppNames = 10 [(gogoproto.jsontag) = "required_app_names,omitempty"];
   // CORSPolicy defines the Cross-Origin Resource Sharing settings for the app.
   CORSPolicy CORS = 11 [(gogoproto.jsontag) = "cors,omitempty"];
+  // IdentityCenter encasulates AWS identity-center specific information. Only
+  // valid for Identity Center account apps.
+  AppIdentityCenter IdentityCenter = 12 [(gogoproto.jsontag) = "identity_center,omitempty"];
 }
 
 // AppServerOrSAMLIdPServiceProviderV1 holds either an AppServerV3 or a SAMLIdPServiceProviderV1 resource (never both).
@@ -1321,6 +1344,8 @@ message ProvisionTokenSpecV2 {
   ProvisionTokenSpecV2TPM TPM = 15 [(gogoproto.jsontag) = "tpm,omitempty"];
   // TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
   ProvisionTokenSpecV2TerraformCloud TerraformCloud = 16 [(gogoproto.jsontag) = "terraform_cloud,omitempty"];
+  // Bitbucket allows the configuration of options specific to the "bitbucket" join method.
+  ProvisionTokenSpecV2Bitbucket Bitbucket = 17 [(gogoproto.jsontag) = "bitbucket,omitempty"];
 }
 
 // ProvisionTokenSpecV2TPM contains the TPM-specific part of the
@@ -1666,6 +1691,49 @@ message ProvisionTokenSpecV2TerraformCloud {
   string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];
 }
 
+message ProvisionTokenSpecV2Bitbucket {
+  // Rule is a set of properties the Bitbucket-issued token might have to be
+  // allowed to use this ProvisionToken.
+  message Rule {
+    // WorkspaceUUID is the UUID of the workspace for which this token was
+    // issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`.
+    // This value may be found in the Pipelines -> OpenID Connect section of the
+    // repository settings.
+    string WorkspaceUUID = 1 [(gogoproto.jsontag) = "workspace_uuid,omitempty"];
+
+    // RepositoryUUID is the UUID of the repository for which this token was
+    // issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`.
+    // This value may be found in the Pipelines -> OpenID Connect section of the
+    // repository settings.
+    string RepositoryUUID = 2 [(gogoproto.jsontag) = "repository_uuid,omitempty"];
+
+    // DeploymentEnvironmentUUID is the UUID of the deployment environment
+    // targeted by this pipelines run, if any. These values may be found in the
+    // "Pipelines -> OpenID Connect -> Deployment environments" section of the
+    // repository settings.
+    string DeploymentEnvironmentUUID = 3 [(gogoproto.jsontag) = "deployment_environment_uuid,omitempty"];
+
+    // BranchName is the name of the branch on which this pipeline executed.
+    string BranchName = 4 [(gogoproto.jsontag) = "branch_name,omitempty"];
+  }
+
+  // Allow is a list of Rules, nodes using this token must match one
+  // allow rule to use this token.
+  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
+
+  // Audience is a Bitbucket-specified audience value for this token. It is
+  // unique to each Bitbucket repository, and must be set to the value as
+  // written in the Pipelines -> OpenID Connect section of the repository
+  // settings.
+  string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"];
+
+  // IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC
+  // tokens. It is unique to each Bitbucket repository, and must be set to the
+  // value as written in the Pipelines -> OpenID Connect section of the
+  // repository settings.
+  string IdentityProviderURL = 3 [(gogoproto.jsontag) = "identity_provider_url,omitempty"];
+}
+
 // StaticTokensV2 implements the StaticTokens interface.
 message StaticTokensV2 {
   option (gogoproto.goproto_stringer) = false;
@@ -3440,6 +3508,22 @@ message AccessRequestConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "kubernetes_resources,omitempty"
   ];
+
+  // Reason defines settings for the reason for the access provided by the user.
+  AccessRequestConditionsReason Reason = 9 [(gogoproto.jsontag) = "reason,omitempty"];
+}
+
+// AccessRequestConditionsReason defines settings for the reason for the access provided by the
+// user.
+message AccessRequestConditionsReason {
+  // Mode can be either "required" or "optional". Empty string is treated as "optional". If a role
+  // has the request reason mode set to "required", then reason is required for all Access Requests
+  // requesting roles or resources allowed by this role. It applies only to users who have this
+  // role assigned.
+  string Mode = 1 [
+    (gogoproto.jsontag) = "mode,omitempty",
+    (gogoproto.casttype) = "RequestReasonMode"
+  ];
 }
 
 // AccessReviewConditions is a matcher for allow/deny restrictions on

api/types/access_request.go

@@ -642,6 +642,47 @@ func (u *AccessRequestUpdate) Check() error {
 	return nil
 }
 
+// RequestReasonMode can be either "required" or "optional". Empty-string is treated as "optional".
+// If a role has the request reason mode set to "required", then reason is required for all Access
+// Requests requesting roles or resources allowed by this role. It applies only to users who have
+// this role assigned.
+type RequestReasonMode string
+
+const (
+	// RequestReasonModeRequired indicates required mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeRequired RequestReasonMode = "required"
+	// RequestReasonModeRequired indicates optional mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeOptional RequestReasonMode = "optional"
+)
+
+var allRequestReasonModes = []RequestReasonMode{
+	RequestReasonModeRequired,
+	RequestReasonModeOptional,
+}
+
+// Required checks if this mode is "required". Empty mode is treated as "optional".
+func (m RequestReasonMode) Required() bool {
+	switch m {
+	case RequestReasonModeRequired:
+		return true
+	default:
+		return false
+	}
+}
+
+// Check validates this mode value. Note that an empty value is considered invalid.
+func (m RequestReasonMode) Check() error {
+	for _, x := range allRequestReasonModes {
+		if m == x {
+			return nil
+		}
+	}
+	return trace.BadParameter("unrecognized request reason mode %q, must be one of: %v",
+		m, allRequestReasonModes)
+}
+
 // RequestStrategy is an indicator of how access requests
 // should be handled for holders of a given role.
 type RequestStrategy string