Merge branch 'master' into justinas/entra-id-boilerplate2

gravitational · Apr 30, 2024 · 8f7a15f · 8f7a15f
2 parents c44c7c2 + 048d649
commit 8f7a15f
Show file tree

Hide file tree

Showing 224 changed files with 32,554 additions and 5,862 deletions.
diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md
@@ -609,6 +609,9 @@ pre-release build (eg: `https://cdn.teleport.dev/teleport-ent-v16.0.0-alpha.2-li
 Client-side enrollment requires a signed `tsh` for macOS, make sure to use the
 `tsh` binary from `tsh.app`.
 
+Additionally, Device Trust Web requires Teleport Connect to be installed (device
+authentication for the Web is handled by Connect).
+
 A simple formula for testing device authorization is:
 
 ```shell
@@ -617,12 +620,8 @@ A simple formula for testing device authorization is:
 tsh ssh node-that-requires-device-trust
 > ERROR: ssh: rejected: administratively prohibited (unauthorized device)
 
-# Register the device.
-# Get the serial number from `tsh device asset-tag`.
-tctl devices add --os=macos --asset-tag=<SERIAL_NUMBER> --enroll
-
-# Enroll the device.
-tsh device enroll --token=<TOKEN_FROM_COMMAND_ABOVE>
+# Register/enroll the device.
+tsh device enroll --current-device
 tsh logout; tsh login
 
 # After enrollment
@@ -669,6 +668,22 @@ tsh ssh node-that-requires-device-trust
     teleport-device-id ...
     ```
 
+- [ ] Device authentication
+  - [ ] tsh or Connect
+    - [ ] SSH
+    - [ ] DB Access
+    - [ ] K8s Access
+  - [ ] Web UI (requires Connect)
+    - [ ] SSH
+    - [ ] App Access
+    - [ ] Desktop Access
+
+    Confirm that it works by failing first. Most protocols can be tested using
+    device_trust.mode="required". App Acess and Deskop Access require a custom
+    role (see [enforcing device trust][enforcing-device-trust]).
+
+[enforcing-device-trust]: https://goteleport.com/docs/access-controls/device-trust/enforcing-device-trust/#app-access-support).
+
 - [ ] Device authorization
   - [ ] device_trust.mode other than "off" or "" not allowed (OSS)
   - [ ] device_trust.mode="off" doesn't impede access (Enterprise and OSS)
@@ -679,6 +694,7 @@ tsh ssh node-that-requires-device-trust
     - [ ] DB Access
     - [ ] K8s Access
     - [ ] App Access NOT enforced in global mode
+    - [ ] Desktop Access NOT enforced in global mode
   - [ ] device_trust.mode="required" is enforced by processes and not only by
         Auth APIs
     - [ ] SSH
@@ -695,20 +711,25 @@ tsh ssh node-that-requires-device-trust
     - [ ] DB Access
     - [ ] K8s Access
     - [ ] App Access
+    - [ ] Desktop Access
   - [ ] Device authorization works correctly for both require_session_mfa=false
         and require_session_mfa=true
     - [ ] SSH
     - [ ] DB Access
     - [ ] K8s Access
+    - [ ] Desktop Access
   - [ ] Device authorization applies to Trusted Clusters
         (root with mode="optional" and leaf with mode="required")
-  - [ ] Device authorization __does not apply__ to Windows Desktop access
-        (both cluster-wide and role)
 
 - [ ] Device audit (see [lib/events/codes.go][device_event_codes])
   - [ ] Inventory management actions issue events (success only)
   - [ ] Device enrollment issues device event (any outcomes)
   - [ ] Device authorization issues device event (any outcomes)
+  - [ ] Device web authentication issues "Device Web Token Created" and "Device
+        Web Authentication Confirmed" events
+  - [ ] Device web authentication events have web_session_id set.
+        Corresponding "Device Authenticated" events have both
+        web_authentication=true and web_session_id set.
   - [ ] Events with [UserMetadata][event_trusted_device] contain TrustedDevice
         data (for certificates with device extensions)
 

diff --git a/.github/workflows/aws-e2e-tests-non-root.yaml b/.github/workflows/aws-e2e-tests-non-root.yaml
@@ -19,6 +19,11 @@ env:
   RDS_POSTGRES_INSTANCE_NAME: ci-database-e2e-tests-rds-postgres-instance-us-west-2-307493967395
   RDS_MYSQL_INSTANCE_NAME: ci-database-e2e-tests-rds-mysql-instance-us-west-2-307493967395
   RDS_MARIADB_INSTANCE_NAME: ci-database-e2e-tests-rds-mariadb-instance-us-west-2-307493967395
+  REDSHIFT_SERVERLESS_ACCESS_ROLE: arn:aws:iam::307493967395:role/ci-database-e2e-tests-redshift-serverless-access
+  REDSHIFT_SERVERLESS_DISCOVERY_ROLE: arn:aws:iam::307493967395:role/ci-database-e2e-tests-redshift-serverless-discovery
+  REDSHIFT_SERVERLESS_ENDPOINT_NAME: ci-database-e2e-tests-redshift-serverless-workgroup-rss-access-us-west-2-307493967395
+  REDSHIFT_SERVERLESS_IAM_DB_USER: ci-database-e2e-tests-redshift-serverless-user
+  REDSHIFT_SERVERLESS_WORKGROUP_NAME: ci-database-e2e-tests-redshift-serverless-workgroup-us-west-2-307493967395
   DISCOVERY_MATCHER_LABELS: "*=*"
 jobs:
   changes:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,16 +23,15 @@ codegen-units = 1
 [workspace.dependencies]
 # Note: To use a local IronRDP repository as a crate (for example, ironrdp-cliprdr), define the dependency as follows:
 # ironrdp-cliprdr = { path = "/path/to/local/IronRDP/crates/ironrdp-cliprdr" }
-# This rev hash corresponds to https://github.com/Devolutions/IronRDP/pull/436. It is being merged while that PR is
-# still open in IronRDP in order to get these changes into a release, however it should be updated once that PR is
-# merged. In the meantime, no other IronRDP hash's (without these changes) should be used.
-ironrdp-cliprdr = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-connector = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-graphics = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-pdu = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-rdpdr = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-rdpsnd = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-session = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-svc = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
-ironrdp-tls = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275", features = ["rustls"]}
-ironrdp-tokio = { git = "https://github.com/Devolutions/IronRDP", rev = "49dab7d8df4bd785bf17fce97ac02beaba0b0275" }
+ironrdp-cliprdr = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-connector = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-displaycontrol = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-dvc = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-graphics = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-pdu = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-rdpdr = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-rdpsnd = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-session = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-svc = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
+ironrdp-tls = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2", features = ["rustls"]}
+ironrdp-tokio = { git = "https://github.com/Devolutions/IronRDP", rev = "fd105e4b56647ab2f54aa23954aec4aaeef118e2" }
diff --git a/Makefile b/Makefile
@@ -319,6 +319,8 @@ teleport-hot-reload:
 		--exclude-dir="node_modules" \
 		--exclude-dir="target" \
 		--exclude-dir="web/packages/*/node_modules" \
+		--color \
+		--log-prefix=false \
 		--build="make $(BUILDDIR)/teleport" \
 		--command="$(BUILDDIR)/teleport $(TELEPORT_ARGS)"
 

diff --git a/api/client/client.go b/api/client/client.go
@@ -3805,27 +3805,27 @@ type ResourcePage[T types.ResourceWithLabels] struct {
 // PaginatedResource returned from the rpc ListUnifiedResources.
 func convertEnrichedResource(resource *proto.PaginatedResource) (*types.EnrichedResource, error) {
 	if r := resource.GetNode(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetDatabaseServer(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetDatabaseService(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetAppServerOrSAMLIdPServiceProvider(); r != nil { //nolint:staticcheck // SA1019. TODO(sshah) DELETE IN 17.0
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetWindowsDesktop(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetWindowsDesktopService(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetKubeCluster(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetKubernetesServer(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetUserGroup(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetAppServer(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetSAMLIdPServiceProvider(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", resource.Resource)
 	}