Merge remote-tracking branch 'origin/branch/v17' into HEAD

gravitational · Nov 14, 2024 · 2b3abc5 · 2b3abc5
2 parents 76b73e8 + 8dbee6d
commit 2b3abc5
Show file tree

Hide file tree

Showing 94 changed files with 1,737 additions and 1,524 deletions.
diff --git a/api/breaker/breaker.go b/api/breaker/breaker.go
@@ -275,7 +275,7 @@ func (c *Config) CheckAndSetDefaults() error {
 		c.IsSuccessful = NonNilErrorIsSuccess
 	}
 
-	c.TrippedPeriod = retryutils.NewSeventhJitter()(c.TrippedPeriod)
+	c.TrippedPeriod = retryutils.SeventhJitter(c.TrippedPeriod)
 
 	return nil
 }

diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go b/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
@@ -56,16 +56,8 @@ type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.Create
 // req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in
 // the moderated session mfa ceremony which uses a custom stream rpc to create challenges.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	switch {
-	case c.CreateAuthenticateChallenge == nil:
+	if c.CreateAuthenticateChallenge == nil {
 		return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
-	case req == nil:
-		// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
-		// its own req or uses a different rpc, e.g. moderated sessions.
-	case req.ChallengeExtensions == nil:
-		return nil, trace.BadParameter("missing challenge extensions")
-	case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
-		return nil, trace.BadParameter("mfa challenge scope must be specified")
 	}
 
 	// If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
@@ -78,6 +70,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 		} else {
 			defer ssoMFACeremony.Close()
+
+			// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+			// its own req or uses a different e.g. login. We should still provide the sso client
+			// redirect URL in case the custom CreateAuthenticateChallenge handles it.
+			if req == nil {
+				req = new(proto.CreateAuthenticateChallengeRequest)
+			}
+
 			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
 			promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 		}

diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -2169,6 +2169,9 @@ message UpdateSessionTrackerRequest {
 message PresenceMFAChallengeRequest {
   // SessionID is unique identifier of the session you want to request presence for.
   string SessionID = 1 [(gogoproto.jsontag) = "session_id,omitempty"];
+  // SSOClientRedirectURL should be supplied If the client supports SSO MFA checks.
+  // If unset, the server will only return non-SSO challenges.
+  string SSOClientRedirectURL = 2 [(gogoproto.jsontag) = "sso_client_redirect_url,omitempty"];
 }
 
 // PresenceMFAChallengeSend is a presence challenge request or response.

diff --git a/api/proto/teleport/notifications/v1/notifications_service.proto b/api/proto/teleport/notifications/v1/notifications_service.proto
@@ -82,6 +82,8 @@ message NotificationFilters {
   bool global_only = 2;
   // user_created_only is whether to only list user-created notifications (ie. notifications created by an admin via the tctl interface).
   bool user_created_only = 3;
+  // labels is used to request only notifications with specific labels.
+  map<string, string> labels = 4;
 }
 
 // ListNotificationsResponse is the response from listing a user's notifications.