Merge branch 'master' into add-teleportbot-operator

gravitational · May 9, 2024 · 7a401dd · 7a401dd
2 parents b7d1b6f + bc115eb
commit 7a401dd
Show file tree

Hide file tree

Showing 2,163 changed files with 188,107 additions and 42,958 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,4 +1,4 @@
 # Merge rules are governed by logic in the Workflow Bot. Protect the
 # .github/workflows directory (and the merge logic) using CODEOWNERS.
-/.github/workflows/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @tcsc
+/.github/workflows/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @tcsc @rosstimothy @codingllama
 /build.assets/tooling/cmd/difftest/ @klizhentas @russjones @r0mant @zmb3
diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md
@@ -609,6 +609,9 @@ pre-release build (eg: `https://cdn.teleport.dev/teleport-ent-v16.0.0-alpha.2-li
 Client-side enrollment requires a signed `tsh` for macOS, make sure to use the
 `tsh` binary from `tsh.app`.
 
+Additionally, Device Trust Web requires Teleport Connect to be installed (device
+authentication for the Web is handled by Connect).
+
 A simple formula for testing device authorization is:
 
 ```shell
@@ -617,12 +620,8 @@ A simple formula for testing device authorization is:
 tsh ssh node-that-requires-device-trust
 > ERROR: ssh: rejected: administratively prohibited (unauthorized device)
 
-# Register the device.
-# Get the serial number from `tsh device asset-tag`.
-tctl devices add --os=macos --asset-tag=<SERIAL_NUMBER> --enroll
-
-# Enroll the device.
-tsh device enroll --token=<TOKEN_FROM_COMMAND_ABOVE>
+# Register/enroll the device.
+tsh device enroll --current-device
 tsh logout; tsh login
 
 # After enrollment
@@ -669,6 +668,22 @@ tsh ssh node-that-requires-device-trust
     teleport-device-id ...
     ```
 
+- [ ] Device authentication
+  - [ ] tsh or Connect
+    - [ ] SSH
+    - [ ] DB Access
+    - [ ] K8s Access
+  - [ ] Web UI (requires Connect)
+    - [ ] SSH
+    - [ ] App Access
+    - [ ] Desktop Access
+
+    Confirm that it works by failing first. Most protocols can be tested using
+    device_trust.mode="required". App Acess and Deskop Access require a custom
+    role (see [enforcing device trust][enforcing-device-trust]).
+
+[enforcing-device-trust]: https://goteleport.com/docs/access-controls/device-trust/enforcing-device-trust/#app-access-support).
+
 - [ ] Device authorization
   - [ ] device_trust.mode other than "off" or "" not allowed (OSS)
   - [ ] device_trust.mode="off" doesn't impede access (Enterprise and OSS)
@@ -679,6 +694,7 @@ tsh ssh node-that-requires-device-trust
     - [ ] DB Access
     - [ ] K8s Access
     - [ ] App Access NOT enforced in global mode
+    - [ ] Desktop Access NOT enforced in global mode
   - [ ] device_trust.mode="required" is enforced by processes and not only by
         Auth APIs
     - [ ] SSH
@@ -695,20 +711,25 @@ tsh ssh node-that-requires-device-trust
     - [ ] DB Access
     - [ ] K8s Access
     - [ ] App Access
+    - [ ] Desktop Access
   - [ ] Device authorization works correctly for both require_session_mfa=false
         and require_session_mfa=true
     - [ ] SSH
     - [ ] DB Access
     - [ ] K8s Access
+    - [ ] Desktop Access
   - [ ] Device authorization applies to Trusted Clusters
         (root with mode="optional" and leaf with mode="required")
-  - [ ] Device authorization __does not apply__ to Windows Desktop access
-        (both cluster-wide and role)
 
 - [ ] Device audit (see [lib/events/codes.go][device_event_codes])
   - [ ] Inventory management actions issue events (success only)
   - [ ] Device enrollment issues device event (any outcomes)
   - [ ] Device authorization issues device event (any outcomes)
+  - [ ] Device web authentication issues "Device Web Token Created" and "Device
+        Web Authentication Confirmed" events
+  - [ ] Device web authentication events have web_session_id set.
+        Corresponding "Device Authenticated" events have both
+        web_authentication=true and web_session_id set.
   - [ ] Events with [UserMetadata][event_trusted_device] contain TrustedDevice
         data (for certificates with device extensions)
 
@@ -1504,17 +1525,6 @@ Assist test plan is in the core section instead of WebUI as most functionality i
   - [ ] Assist is enabled by default in the Cloud Team plan.
   - [ ] Assist is always disabled when etcd is used as a backend.
 
-- Conversations
-  - [ ] A new conversation can be started.
-  - [ ] SSH command can be executed on one server.
-  - [ ] SSH command can be executed on multiple servers.
-  - [ ] SSH command can be executed on a node with per session MFA enabled.
-  - [ ] Execution output is explained when it fits the context window.
-  - [ ] Assist can list all nodes/execute a command on all nodes (using embeddings).
-  - [ ] Access request can be created.
-  - [ ] Access request is created when approved.
-  - [ ] Conversation title is set after the first message.
-
 - SSH integration
   - [ ] Assist icon is visible in WebUI's Terminal
   - [ ] A Bash command can be generated in the above window.

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,7 +3,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     ignore:
@@ -21,6 +21,8 @@ updates:
       - dependency-name: github.com/microsoft/go-mssqldb
       - dependency-name: github.com/redis/go-redis/v9
       - dependency-name: github.com/vulcand/predicate
+      # Ignore until kube libs are upgraded. See https://github.com/kubernetes-sigs/controller-runtime/issues/2788.
+      - dependency-name: k8s.io/*
     open-pull-requests-limit: 20
     groups:
       go:
@@ -29,9 +31,9 @@ updates:
           - "patch"
     reviewers:
       - codingllama
-      - jentfoo
       - rosstimothy
       - zmb3
+      - hugoshaka
     labels:
       - "dependencies"
       - "go"
@@ -40,7 +42,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/api"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     open-pull-requests-limit: 20
@@ -51,9 +53,9 @@ updates:
           - "patch"
     reviewers:
       - codingllama
-      - jentfoo
       - rosstimothy
       - zmb3
+      - hugoshaka
     labels:
       - "dependencies"
       - "go"
@@ -62,7 +64,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/assets/aws"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     ignore:
@@ -76,7 +78,6 @@ updates:
           - "patch"
     reviewers:
       - codingllama
-      - jentfoo
       - rosstimothy
       - tcsc
       - zmb3
@@ -88,7 +89,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/assets/backport"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     open-pull-requests-limit: 20
@@ -99,7 +100,6 @@ updates:
           - "patch"
     reviewers:
       - codingllama
-      - jentfoo
       - rosstimothy
       - zmb3
     labels:
@@ -110,7 +110,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/build.assets/tooling"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     ignore:
@@ -125,18 +125,69 @@ updates:
     reviewers:
       - codingllama
       - fheinecke
-      - jentfoo
       - rosstimothy
       - zmb3
     labels:
       - "dependencies"
       - "go"
       - "no-changelog"
 
+  - package-ecosystem: gomod
+    directory: "/integrations/terraform"
+    schedule:
+      interval: monthly
+      day: "sunday"
+      time: "09:00" # 9am UTC
+    ignore:
+      # breaks compatibility
+      - dependency-name: github.com/hashicorp/terraform-plugin-framework
+      - dependency-name: github.com/hashicorp/terraform-plugin-go
+      - dependency-name: github.com/hashicorp/terraform-plugin-sdk/v2
+    open-pull-requests-limit: 20
+    groups:
+      go:
+        update-types:
+          - "minor"
+          - "patch"
+    reviewers:
+      - codingllama
+      - rosstimothy
+      - hugoshaka
+      - tigrato
+      - marcoandredinis
+    labels:
+      - "dependencies"
+      - "go"
+      - "no-changelog"
+
+  - package-ecosystem: gomod
+    directory: "/integrations/event-handler"
+    schedule:
+      interval: monthly
+      day: "sunday"
+      time: "09:00" # 9am UTC
+    open-pull-requests-limit: 20
+    groups:
+      go:
+        update-types:
+          - "minor"
+          - "patch"
+    reviewers:
+      - codingllama
+      - rosstimothy
+      - hugoshaka
+      - tigrato
+      - marcoandredinis
+    labels:
+      - "dependencies"
+      - "go"
+      - "no-changelog"
+
+
   - package-ecosystem: cargo
     directory: "/"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     open-pull-requests-limit: 20
@@ -148,7 +199,6 @@ updates:
     reviewers:
       - codingllama
       - ibeckermayer
-      - jentfoo
       - rosstimothy
       - zmb3
     labels:
@@ -159,7 +209,7 @@ updates:
   - package-ecosystem: cargo
     directory: "/lib/srv/desktop/rdp/rdpclient"
     schedule:
-      interval: weekly
+      interval: monthly
       day: "sunday"
       time: "09:00" # 9am UTC
     open-pull-requests-limit: 20
@@ -171,7 +221,6 @@ updates:
     reviewers:
       - codingllama
       - ibeckermayer
-      - jentfoo
       - rosstimothy
       - zmb3
     labels:
@@ -182,13 +231,11 @@ updates:
   - package-ecosystem: github-actions
     directory: "/.github/workflows"
     schedule:
-      interval: weekly
+      interval: monthly
       day: monday
       time: "09:00"
       timezone: "America/Los_Angeles"
     reviewers:
-      - wadells
-      - jentfoo
       - fheinecke
       - camscale
     labels:
@@ -199,13 +246,11 @@ updates:
   - package-ecosystem: github-actions
     directory: "/.github/actions"
     schedule:
-      interval: weekly
+      interval: monthly
       day: monday
       time: "09:00"
       timezone: "America/Los_Angeles"
     reviewers:
-      - wadells
-      - jentfoo
       - fheinecke
       - camscale
     labels:

diff --git a/...-styles/messaging/capitalize-services.yml → .../vale-styles/messaging/capitalization.yml b/...-styles/messaging/capitalize-services.yml → .../vale-styles/messaging/capitalization.yml
@@ -4,18 +4,21 @@ scope:
   - table
   - list
   - paragraph
-message: "Capitalize the names of Teleport services (%s is incorrect). See the Core Concepts page (https://goteleport.com/docs/core-concepts/) for service names."
+message: "Capitalize the names of Teleport services and features (%s is incorrect). See the Core Concepts page (https://goteleport.com/docs/core-concepts/) for a reference."
 level: error
 ignorecase: false
 tokens:
-  - machine id
-  - db service
-  - database service
+  # Allow for mentions of a local proxy service, but not "proxy service".
+  - '(?<!local )proxy service'
+  - 'access lists?'
+  - 'access requests?'
+  - access graph
   - 'app(lication) service'
+  - auth service
+  - database service
+  - db service
   - desktop service
+  - discovery service
   - kubernetes service
+  - machine id
   - ssh service
-  - discovery service
-  - auth service
-  # Allow for mentions of a local proxy service, but not "proxy service".
-  - '(?<!local )proxy service'
diff --git a/.github/vale-styles/messaging/edition-names.yml b/.github/vale-styles/messaging/edition-names.yml
@@ -0,0 +1,13 @@
+extends: existence
+scope:
+  # Using the raw scope so we can catch instances in TabItem labels.
+  - raw
+message: '"%s" is no longer a recognized Teleport edition. Use "Teleport Enterprise" instead, and clarify the hosting type in parentheses rather than including it in the name of the product, e.g., "Teleport Enterprise (self-hosted)" or "Teleport Enterprise (cloud-hosted)".'
+level: error
+ignorecase: false
+tokens:
+  # Adding the pattern '[ \t]*\n?[ \t]*' between each word since we are using the raw
+  # scope. This lets use catch violations that span two lines (i.e., that occupy
+  # the same paragraph).
+  - 'Teleport[ \t]*\n?[ \t]*Cloud'
+  - 'Teleport[ \t]*\n?[ \t]*Enterprise[ \t]*\n?[ \t]*Cloud'
diff --git a/.github/vale-styles/messaging/protocol-products.yml b/.github/vale-styles/messaging/protocol-products.yml
@@ -0,0 +1,12 @@
+extends: existence
+message: Avoid the impression that Teleport consists of multiple products for secure access, e.g., "Database Access" or "Server Access". Instead, talk about enrolling resources in your Teleport cluster, protecting resources with Teleport, or the ability for Teleport to proxy various protocols.
+level: error
+ignorecase: false
+tokens:
+  - 'Server Access'
+  - 'Application Access'
+  - 'Kubernetes Access'
+  - 'Desktop Access'
+  # Ignore "Database Access Controls" since it's a Teleport feature, but catch
+  # "Database Access" without "Controls".
+  - 'Database Access(?!\s*Controls)'
diff --git a/.github/vale-styles/messaging/subjective-terms.yml b/.github/vale-styles/messaging/subjective-terms.yml
@@ -0,0 +1,14 @@
+extends: existence
+link: "https://github.com/gravitational/docs/blob/main/docs-contributors/style-guide.md#voice"
+message: "Avoid using '%s' as a qualifier, since it is subject to interpretation. Use more technically precise terms instead."
+level: error
+ignorecase: true
+tokens:
+  - "powerful(ly)?"
+  - "seamless(ly)?"
+  - "simpl(e|ly)"
+  - "smooth(ly)?"
+  - "quick(ly)?"
+  - "fast"
+  - "eas(y|ily)"
+  - "rich(ly)?"