
Commit

Merge branch 'master' into joerger/app-access-mfa-cloud
Joerger committed Jun 18, 2024
2 parents 24f4130 + 08bf673 commit 3d71aa4
Showing 344 changed files with 7,791 additions and 6,257 deletions.
28 changes: 18 additions & 10 deletions .github/ISSUE_TEMPLATE/testplan.md
@@ -962,11 +962,15 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] Verify `Add Application` links to documentation.
## Database Access
Some tests are marked with "coverved by E2E test" and automatically completed
by default. In cases the E2E test is flaky or disabled, deselect the task for
manualy testing.
- [ ] Connect to a database within a local cluster.
- [ ] Self-hosted Postgres.
- [ ] verify that cancelling a Postgres request works. (`select pg_sleep(10)` followed by ctrl-c is a good query to test.)
- [ ] Self-hosted MySQL.
- [ ] MySQL server version reported by Teleport is correct.
- [ ] Self-hosted MariaDB.
- [ ] Self-hosted MongoDB.
- [ ] Self-hosted CockroachDB.
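Review bot: the added explanatory paragraph has typos that will be copied into every test-plan issue generated from this template: "coverved" should be "covered" (the same misspelling recurs in the checklist items further down this file), "In cases the E2E test" should be "In case the E2E test", and "manualy testing" should be "manual testing". Suggested text: "Some tests are marked with "covered by E2E test" and are automatically completed by default. In case the E2E test is flaky or disabled, deselect the task for manual testing."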
@@ -976,6 +980,7 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] Self-hosted MSSQL with PKINIT authentication.
- [ ] AWS Aurora Postgres.
- [ ] AWS Aurora MySQL.
- [ ] MySQL server version reported by Teleport is correct.
- [ ] AWS RDS Proxy (MySQL, Postgres, MariaDB, or SQL Server)
- [ ] AWS Redshift.
- [ ] AWS Redshift Serverless.
@@ -987,7 +992,7 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] GCP Cloud Spanner.
- [ ] Snowflake.
- [ ] Azure Cache for Redis.
- [ ] Azure single-server MySQL and Postgres (EOL Sep 2024 and Mar 2025, use CLI to create)
- [x] Azure single-server MySQL and Postgres (EOL Sep 2024 and Mar 2025, skip)
- [ ] Azure flexible-server MySQL and Postgres
- [ ] Elasticsearch.
- [ ] OpenSearch.
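Review bot: pre-checking the Azure single-server item with `[x]` and "skip" makes it indistinguishable from a task a tester actually completed, and the checkbox state is how the rest of this plan records progress. Either drop the item (the EOL dates already justify that) or keep `[ ]` with a "skip, EOL" note so a ticked box keeps meaning "tested". The same applies to the identical change in the next hunk.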
@@ -1020,7 +1025,7 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] GCP Cloud Spanner.
- [ ] Snowflake.
- [ ] Azure Cache for Redis.
- [ ] Azure single-server MySQL and Postgres
- [x] Azure single-server MySQL and Postgres (EOL Sep 2024 and Mar 2025, skip)
- [ ] Azure flexible-server MySQL and Postgres
- [ ] Elasticsearch.
- [ ] OpenSearch.
@@ -1035,9 +1040,12 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] Self-hosted MySQL.
- [ ] Self-hosted MariaDB.
- [ ] Self-hosted MongoDB.
- [ ] AWS RDS Postgres.
- [ ] AWS RDS MySQL.
- [x] AWS RDS Postgres. (covered by E2E test)
- [x] AWS RDS MySQL. (coverved by E2E test)
- [ ] AWS RDS MariaDB.
- [x] AWS Redshift (coverved by E2E test).
- [ ] Verify Database Access Control
- [ ] Postgres (tables)
- [ ] Verify audit events.
- [ ] `db.session.start` is emitted when you connect.
- [ ] `db.session.end` is emitted when you disconnect.
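Review bot: the E2E annotations on the RDS and Redshift items are inconsistent and misspelled: `AWS RDS MySQL. (coverved by E2E test)` and `AWS Redshift (coverved by E2E test).` should read "covered", and the parenthetical sits after the period on two lines and before it on the third. Pick one form, e.g. `- [x] AWS Redshift. (covered by E2E test)`, so the marker matches the wording in the intro paragraph and can be searched for reliably.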
@@ -1060,13 +1068,14 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] Verify discovery.
Please configure discovery in Discovery Service instead of Database Service.
- [ ] AWS
- [ ] Can detect and register RDS instances.
- [ ] Can detect and register RDS instances in an external AWS account when `assume_role_arn` and `external_id` is set.
- [x] Can detect and register RDS instances. (covered by E2E test)
- [x] Can detect and register RDS instances in an external AWS account when `assume_role_arn` and `external_id` is set.
- [ ] Can detect and register RDS proxies, and their custom endpoints.
- [ ] Can detect and register RDS instances in an external AWS account when `assume_role_arn` and `external_id` is set.
- [ ] Can detect and register Aurora clusters, and their reader and custom endpoints.
- [ ] Can detect and register RDS proxies, and their custom endpoints.
- [ ] Can detect and register Redshift clusters.
- [ ] Can detect and register Redshift serverless workgroups, and their VPC endpoints.
- [x] Can detect and register Redshift clusters. (covered by E2E test)
- [x] Can detect and register Redshift serverless workgroups, and their VPC endpoints. (covered by E2E test)
- [ ] Can detect and register ElastiCache Redis clusters.
- [ ] Can detect and register MemoryDB clusters.
- [ ] Can detect and register OpenSearch domains.
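Review bot: the resulting AWS discovery list contains duplicate items, which looks like a merge artifact: "Can detect and register RDS instances in an external AWS account when `assume_role_arn` and `external_id` is set." appears both checked and unchecked, and "Can detect and register RDS proxies, and their custom endpoints." appears twice. Keep one copy of each. The checked external-account item is also the only pre-checked entry without a "(covered by E2E test)" suffix, and "is set" should be "are set" since two fields are named.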
@@ -1083,8 +1092,7 @@ tsh bench web sessions --max=5000 --web user ls
- [ ] Verify that clicking on a rows connect button renders a dialogue on manual instructions with `Step 2` login value matching the rows `name` column
- [ ] Verify searching for all columns in the search bar works
- [ ] Verify you can sort by all columns except `labels`
- [ ] Other
- [ ] MySQL server version reported by Teleport is correct.
- [ ] `tsh bench` load tests (instructions on Notion -> Database Access -> Load test)
## TLS Routing
71 changes: 50 additions & 21 deletions .github/ISSUE_TEMPLATE/webtestplan.md
@@ -383,7 +383,7 @@ spec:
allow:
request:
search_as_roles:
- searcheable resources
- searcheable-resources
suggested_reviewers:
- random-user-1
- random-user-2
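Review bot: the fix from `searcheable resources` to `searcheable-resources` is the right one, since a role name with a space would never match the `searcheable-resources` references used elsewhere in both test plans, but the name keeps the misspelling "searcheable". If it is ever corrected to `searchable-resources`, every reference in both plans must change in the same commit; otherwise leave it as is, the hyphen is the part that matters for the test.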
@@ -420,10 +420,10 @@ spec:
### Assuming Approved Requests (Role Based)

- [ ] Verify that assuming `allow-roles-and-nodes` allows you to see roles screen and ssh into nodes
- [ ] After assuming `allow-roles-and-nodes`, verify that assuming `allow-users-short-ttl` allows you to see users screen, and denies access to nodes
- [ ] After assuming `allow-roles-and-nodes`, verify that assuming `allow-users-with-short-ttl` allows you to see users screen, and denies access to nodes
- [ ] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
- [ ] Verify `switching back` goes back to your default static role
- [ ] Verify after re-assuming `allow-users-short-ttl` role, the user is automatically logged out after the expiry is met (4 minutes)
- [ ] Verify that you can access nodes after `Drop Request` on `allow-users-with-short-ttl` while `allow-roles-and-nodes` is still assumed
- [ ] Verify after re-assuming `allow-users-with-short-ttl` role that the next action (i.e. opening a new tab with unified resources) triggers a relogin modal after the expiry is met (4 minutes)

### Assuming Approved Requests (Search Based)
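Review bot: the last item changes the expected behavior after the 4-minute expiry from "automatically logged out" to "triggers a relogin modal" on the next action, but the Connect section of this same file (Assuming Approved Requests (Role Based)) still says the user is "automatically logged out after the expiry is met (4 minutes)" for the same role. If the Web UI and Connect really differ, state that in each section; otherwise update the Connect item as well. The new `Drop Request` item is also the first mention of that action in the plan, so a short note on where the control lives would help a tester.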

@@ -887,7 +887,7 @@ Add the following to enable read access to trusted clusters
progress.
- Access Requests
- **Creating Access Requests (Role Based)**
- To setup a test environment, follow the steps laid out in `Created Access Requests (Role Based)` from the Web UI testplan and then verify the tasks below.
- To setup a test environment, follow the steps laid out in `Creating Access Requests (Role Based)` from the Web UI testplan and then verify the tasks below.
- [ ] Verify that under requestable roles, only `allow-roles-and-nodes` and
`allow-users-with-short-ttl` are listed
- [ ] Verify you can select/input/modify reviewers
@@ -897,7 +897,7 @@ Add the following to enable read access to trusted clusters
suggested_reviewers wasn't defined)
- [ ] Verify you can't review own requests
- **Creating Access Requests (Search Based)**
- To setup a test environment, follow the steps laid out in `Created Access Requests (Search Based)` from the Web UI testplan and then verify the tasks below.
- To setup a test environment, follow the steps laid out in `Creating Access Requests (Resource Based)` from the Web UI testplan and then verify the tasks below.
- [ ] Verify that a user can see resources based on the `searcheable-resources` rules
- [ ] Verify you can select/input/modify reviewers
- [ ] Verify you can view the request you created from request list (should be in a pending
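Review bot: the section heading here is still `Creating Access Requests (Search Based)` while the pointer it now gives is to `Creating Access Requests (Resource Based)` in the Web UI testplan, and the Web UI plan's corresponding section in this same diff is titled "(Search Based)". Use one name for this flow in both plans and make sure the heading named in the pointer actually exists, since this text is what a tester follows to set up the environment.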
@@ -908,7 +908,7 @@ Add the following to enable read access to trusted clusters
- [ ] Verify that you can mix adding resources from the root and leaf clusters.
- [ ] Verify that you can't mix roles and resources into the same request.
- [ ] Verify that you can request resources from both the unified view and the search bar.
- Change `proxy_service.ui.show_resources` to `accessible_only`.
- Change `show_resources` to `accessible_only` in [the UI config](https://goteleport.com/docs/reference/resources/#ui-config) of the root cluster.
- [ ] Verify that you can now only request resources from the new request tab.
- **Viewing & Approving/Denying Requests**
- To setup a test environment, follow the steps laid out in `Viewing & Approving/Denying Requests` from the Web UI testplan and then verify the tasks below.
@@ -921,12 +921,12 @@ Add the following to enable read access to trusted clusters
- **Assuming Approved Requests (Role Based)**
- [ ] Verify that assuming `allow-roles-and-nodes` allows you to see roles screen and ssh into
nodes
- [ ] After assuming `allow-roles-and-nodes`, verify that assuming `allow-users-short-ttl`
- [ ] After assuming `allow-roles-and-nodes`, verify that assuming `allow-users-with-short-ttl`
allows you to see users screen, and denies access to nodes
- [ ] Verify a switchback banner is rendered with roles assumed, and count down of when it
expires
- [ ] Verify `switching back` goes back to your default static role
- [ ] Verify after re-assuming `allow-users-short-ttl` role, the user is automatically logged
- [ ] Verify after re-assuming `allow-users-with-short-ttl` role, the user is automatically logged
out after the expiry is met (4 minutes)
- **Assuming Approved Requests (Search Based)**
- [ ] Verify that assuming approved request, allows you to see the resources you've requested.
@@ -963,10 +963,6 @@ Add the following to enable read access to trusted clusters
second one after closing the modal for the first request.
- [ ] Make two concurrent headless requests for two different clusters. Verify that Connect shows
the second one after closing the modal for the first request.
- tshd-initiated communication
- [ ] Create a db connection, wait for the cert to expire. Attempt to connect to the database
through CLI. While the login modal is shown, make a headless request. Verify that after logging
in again, the app shows the modal for the headless request.
- Per-session MFA
- The easiest way to test it is to enable [cluster-wide per-session
MFA](https://goteleport.com/docs/access-controls/guides/per-session-mfa/#cluster-wide).
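Review bot: the tshd-initiated communication scenario (database cert expires, a headless request arrives while the login modal is shown, the modal for the headless request appears after re-login) is removed without a replacement visible in this hunk. If that behavior is still supported, keep a test for it; if it was dropped on purpose, say why in the PR so the coverage gap is a deliberate one.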
@@ -992,11 +988,44 @@ Add the following to enable read access to trusted clusters
- [ ] macOS
- [ ] Windows
- [ ] Linux
- [ ] Verify that logs are collected for all processes (main, renderer, shared, tshd) under
`~/Library/Application\ Support/Teleport\ Connect/logs`.
- [ ] Verify that the password from the login form is not saved in the renderer log.
- [ ] Log in to a cluster, then log out and log in again as a different user. Verify that the app
works properly after that.
- [ ] Clean the Application Support dir for Connect. Start the latest stable version of the app.
Open every possible document. Close the app. Start the current alpha. Reopen the tabs. Verify that
the app was able to reopen the tabs without any errors.
- VNet
- VNet doesn't work with local clusters made available under custom domains through entries in
`/etc/hosts`. It's best to use a "real" cluster. nip.io might work, but it hasn't been confirmed
yet.
- Verify that VNet works for TCP apps within:
- [ ] a root cluster
- [ ] [a custom DNS zone](https://goteleport.com/docs/application-access/guides/vnet/) of a root cluster
- [ ] a leaf cluster
- [ ] a custom DNS zone of a leaf cluster
- [ ] Verify that setting [a custom IPv4 CIDR range](https://goteleport.com/docs/application-access/guides/vnet/#configuring-ipv4-cidr-range) works.
- [ ] Verify that Connect asks for relogin when attempting to connect to an app after cert expires.
- Be mindful that you need to connect to the app at least once before the cert expires for
Connect to properly recognize it as a TCP app.
- Start the app with debug logs on and tail `tshd.log`. Verify that the UI works correctly in the
following scenarios:
- All buth the first point assume that you successfully go through the osascript prompt.
- Close the osascript prompt.
- [ ] The VNet panel shows info about the password prompt being closed.
- Start VNet, then stop it.
- [ ] The VNet panel doesn't show any errors related to VNet being stopped.
- Start VNet, then remove the socket file used for communication with the admin process. It's reported in
`tshd.log` as `Created unix socket for admin subcommand socket:<path>`.
- [ ] The VNet panel shows an unexpected shutdown of VNet and an in-app notification is shown.
- [ ] The admin process cleans up files in `/etc/resolver`.
- Start VNet. While its running, kill the admin process.
- The easiest way to find the PID of the admin process is to open Activity Monitor, View →
All Processes, Hierarchically, search for `tsh` and find tsh running under kernel_task →
authtrampoline → bash → tsh. Then just `sudo kill -s KILL <tsh pid>`.
- [ ] The VNet panel shows an unexpected shutdown of VNet and an in-app notification is shown.
- [ ] The admin process _leaves_ files in `/etc/resolver`. However, it's possible to start
VNet again, connect to a TCP app, then shut VNet down and it results in the files being
cleaned up.
- Misc
- [ ] Verify that logs are collected for all processes (main, renderer, shared, tshd) under
`~/Library/Application\ Support/Teleport\ Connect/logs`.
- [ ] Verify that the password from the login form is not saved in the renderer log.
- [ ] Log in to a cluster, then log out and log in again as a different user. Verify that the app
works properly after that.
- [ ] Clean the Application Support dir for Connect. Start the latest stable version of the app.
Open every possible document. Close the app. Start the current alpha. Reopen the tabs. Verify that
the app was able to reopen the tabs without any errors.
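Review bot: two typos in the new VNet section: "All buth the first point" should be "All but the first point", and "While its running, kill the admin process" should be "While it's running". Separately, the last VNet item codifies that the admin process leaves files in `/etc/resolver` after being killed and only cleans them up on the next VNet session; if that is a known limitation rather than the intended design, link the tracking issue here so testers do not file duplicates.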
24 changes: 24 additions & 0 deletions .github/dependabot.yml
@@ -228,6 +228,30 @@ updates:
- "rust"
- "no-changelog"

- package-ecosystem: npm
directory: "/"
schedule:
interval: monthly
day: "sunday"
time: "09:00" # 9am UTC
labels:
- "dependencies"
- "ui"
- "no-changelog"
groups:
ui:
update-types:
- "minor"
- "patch"
open-pull-requests-limit: 20
reviewers:
- avatus
- kimlisa
- rudream
- bl-nero
- gzdnunek
- ravicious
- ryanclark
- package-ecosystem: github-actions
directory: "/.github/workflows"
schedule:
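Review bot: the new npm block groups only `minor` and `patch` updates under `ui`, so every major bump still arrives as its own PR; with a monthly cadence and `open-pull-requests-limit: 20` that can be a sizable batch landing on one Sunday, so confirm the limit is intended rather than the default. Seven reviewers on every dependency PR is also a lot of notification noise; consider a team reviewer if the repository has one.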
2 changes: 1 addition & 1 deletion .github/workflows/build-ci-service-images.yaml
@@ -44,7 +44,7 @@ jobs:

- name: Build etcd image
id: docker_build
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
with:
context: ${{ github.workspace }}
file: .github/services/Dockerfile.etcd
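Review bot: this is a major bump (v5.3.0 to v6.0.0) made only by moving the pinned SHA, and the same change appears in build-usage-image.yaml. Pinning to the full commit SHA with the version in a comment is the right pattern and the comment matches the new pin; before merging, confirm the inputs used here (`context`, `file`) and any outputs the job consumes are unaffected by v6's breaking changes.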
2 changes: 1 addition & 1 deletion .github/workflows/build-usage-image.yaml
@@ -24,7 +24,7 @@ jobs:
with:
registry-type: public
# Build and publish container image on ECR.
- uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
- uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
with:
context: "examples/teleport-usage"
tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}
1 change: 1 addition & 0 deletions .github/workflows/doc-tests.yaml
@@ -27,6 +27,7 @@ jobs:
filters: |
changed:
- '.github/workflows/doc-tests.yaml'
- 'CHANGELOG.md'
- 'docs/**'
- 'examples/**'
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
@@ -118,7 +118,7 @@ jobs:
args: --out-format=colored-line-number
skip-cache: true

- uses: bufbuild/buf-setup-action@dde0b9351db90fbf78e345f41a57de8514bf1091 # v1.32.2
- uses: bufbuild/buf-setup-action@59e8ac0671772e5ffef08a41b3aec11d39fc1165 # v1.33.0
with:
github_token: ${{ github.token }}
version: ${{ env.BUF_VERSION }}
1 change: 1 addition & 0 deletions .golangci.yml
@@ -128,6 +128,7 @@ linters-settings:
- '**/lib/service/servicecfg/**'
- '**/lib/reversetunnelclient/**'
- '**/lib/auth/authclient/**'
- '**/lib/cloud/imds/**'
allow:
- github.com/gravitational/teleport/lib/cloud/imds
deny:
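Review bot: the new glob `'**/lib/cloud/imds/**'` joins the same file list as `servicecfg`, `reversetunnelclient` and `authclient`, directly above an `allow:` that names `github.com/gravitational/teleport/lib/cloud/imds`. Make sure the pattern is scoped as intended: the trailing `**` matches every package under `lib/cloud/imds`, not just the top-level one, so any future subpackage inherits the exemption automatically.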
5 changes: 2 additions & 3 deletions CHANGELOG.md
@@ -19,8 +19,7 @@ Teleport Assist chat has been removed from Teleport 16.
#### DynamoDB permission requirements have changed

Teleport clusters using the dynamodb backend must now have the `dynamodb:ConditionCheckItem`
permission. For a full list of all required permissions see the dynamo backend iam
policy [example](docs/pages/includes/dynamodb-iam-policy.mdx).
permission. For a full list of all required permissions see the Teleport [Backend Reference](docs/pages/reference/backends.mdx#dynamodb).

#### Disabling second factor authentication_type

@@ -128,7 +127,7 @@ Remote Desktop Services > Remote Desktop Session Host, enable:
1. Remote Session Environment > Limit maximum color depth

Detailed instructions are available in the
[setup guide](docs/pages/desktop-access/active-directory-manual.mdx#enable-remotefx).
[setup guide](docs/pages/desktop-access/active-directory.mdx#enable-remotefx).
A reboot may be required for these changes to take effect.

#### `tsh ssh`
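Review bot: the link target moves from `active-directory-manual.mdx` to `active-directory.mdx` but keeps the `#enable-remotefx` anchor; verify the new page has a heading producing that anchor, otherwise the link silently lands at the top of the page. The same check applies to the `#dynamodb` anchor on the new `docs/pages/reference/backends.mdx` link in the first hunk of this file.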