Merge branch 'master' into edwarddowling/discord-plugin-amr

gravitational · Jul 29, 2024 · 9da97e8 · 9da97e8
2 parents 36a06c7 + be520a3
commit 9da97e8
Show file tree

Hide file tree

Showing 305 changed files with 13,808 additions and 6,690 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -58,6 +58,8 @@ jobs:
               - 'integrations/terraform/Makefile'
               - 'integrations/terraform/examples/**'
               - 'integrations/terraform/templates/**'
+              # rendered doc changes
+              - 'docs/pages/reference/terraform-provider/**'
 
   lint-go:
     name: Lint (Go)

diff --git a/.prettierignore b/.prettierignore
@@ -8,4 +8,4 @@
 # Ignore WASM generated files:
 web/packages/teleport/src/ironrdp/pkg
 # Ignore generated mockServiceWorker file
-web/.storybook/public/mockServiceWorker.js
+web/.storybook/public/mockServiceWorker.js
diff --git a/api/client/client.go b/api/client/client.go
@@ -3670,7 +3670,7 @@ func convertEnrichedResource(resource *proto.PaginatedResource) (*types.Enriched
 	} else if r := resource.GetUserGroup(); r != nil {
 		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetAppServer(); r != nil {
-		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
+		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetSAMLIdPServiceProvider(); r != nil {
 		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else {

diff --git a/api/client/client_test.go b/api/client/client_test.go
@@ -46,7 +46,7 @@ func TestMain(m *testing.M) {
 }
 
 type pingService struct {
-	*proto.UnimplementedAuthServiceServer
+	proto.UnimplementedAuthServiceServer
 	userAgentFromLastCallValue atomic.Value
 }
 
@@ -192,7 +192,7 @@ func TestWaitForConnectionReady(t *testing.T) {
 }
 
 type listResourcesService struct {
-	*proto.UnimplementedAuthServiceServer
+	proto.UnimplementedAuthServiceServer
 }
 
 func (s *listResourcesService) ListResources(ctx context.Context, req *proto.ListResourcesRequest) (*proto.ListResourcesResponse, error) {
@@ -732,6 +732,10 @@ func TestGetUnifiedResourcesWithLogins(t *testing.T) {
 					Resource: &proto.PaginatedResource_WindowsDesktop{WindowsDesktop: &types.WindowsDesktopV3{}},
 					Logins:   []string{"llama"},
 				},
+				{
+					Resource: &proto.PaginatedResource_AppServer{AppServer: &types.AppServerV3{}},
+					Logins:   []string{"llama"},
+				},
 			},
 		},
 	}
@@ -753,6 +757,8 @@ func TestGetUnifiedResourcesWithLogins(t *testing.T) {
 			assert.Equal(t, enriched.Logins, clt.resp.Resources[0].Logins)
 		case *types.WindowsDesktopV3:
 			assert.Equal(t, enriched.Logins, clt.resp.Resources[1].Logins)
+		case *types.AppServerV3:
+			assert.Equal(t, enriched.Logins, clt.resp.Resources[2].Logins)
 		}
 	}
 }
diff --git a/api/client/credentials.go b/api/client/credentials.go
@@ -639,3 +639,62 @@ func (d *DynamicIdentityFileCreds) Expiry() (time.Time, bool) {
 
 	return x509Cert.NotAfter, true
 }
+
+// KeyPair returns a Credential give a TLS key, certificate and CA certificates PEM-encoded.
+// It behaves live LoadKeyPair except it doesn't read the TLS material from a file.
+// This is useful when key and certs are not on the disk (e.g. environment variables).
+// This should be preferred over manually building a tls.Config and calling LoadTLS
+// as Credentials returned by KeyPair can report their expiry, which allows to warn
+// the user in case of expired certificates.
+func KeyPair(certPEM, keyPEM, caPEM []byte) (Credentials, error) {
+	if len(certPEM) == 0 {
+		return nil, trace.BadParameter("missing certificate PEM data")
+	}
+	if len(keyPEM) == 0 {
+		return nil, trace.BadParameter("missing private key PEM data")
+	}
+	return &staticKeypairCreds{
+		certPEM: certPEM,
+		keyPEM:  keyPEM,
+		caPEM:   caPEM,
+	}, nil
+}
+
+// staticKeypairCreds uses keypair certificates to provide client credentials.
+type staticKeypairCreds struct {
+	certPEM []byte
+	keyPEM  []byte
+	caPEM   []byte
+}
+
+// TLSConfig returns TLS configuration.
+func (c *staticKeypairCreds) TLSConfig() (*tls.Config, error) {
+	cert, err := keys.X509KeyPair(c.certPEM, c.keyPEM)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	pool := x509.NewCertPool()
+	if ok := pool.AppendCertsFromPEM(c.caPEM); !ok {
+		return nil, trace.BadParameter("invalid TLS CA cert PEM")
+	}
+
+	return configureTLS(&tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      pool,
+	}), nil
+}
+
+// SSHClientConfig returns SSH configuration.
+func (c *staticKeypairCreds) SSHClientConfig() (*ssh.ClientConfig, error) {
+	return nil, trace.NotImplemented("no ssh config")
+}
+
+// Expiry returns the credential expiry.
+func (c *staticKeypairCreds) Expiry() (time.Time, bool) {
+	cert, _, err := keys.X509Certificate(c.certPEM)
+	if err != nil {
+		return time.Time{}, false
+	}
+	return cert.NotAfter, true
+}
diff --git a/api/client/credentials_test.go b/api/client/credentials_test.go
@@ -203,6 +203,32 @@ func TestLoadKeyPair(t *testing.T) {
 	require.False(t, ok, "expiry should be unknown on a broken credential")
 }
 
+func TestKeyPair(t *testing.T) {
+	t.Parallel()
+
+	// Load expected tls.Config.
+	expectedTLSConfig := getExpectedTLSConfig(t)
+
+	// Load key pair from disk.
+	creds, err := KeyPair(tlsCert, keyPEM, tlsCACert)
+	require.NoError(t, err)
+
+	// Build tls.Config and compare to expected tls.Config.
+	tlsConfig, err := creds.TLSConfig()
+	require.NoError(t, err)
+	requireEqualTLSConfig(t, expectedTLSConfig, tlsConfig)
+
+	// Load invalid keypairs.
+	invalidIdentityCreds, err := KeyPair([]byte("invalid_cert"), []byte("invalid_key"), []byte("invalid_ca_cert"))
+	require.NoError(t, err)
+	_, err = invalidIdentityCreds.TLSConfig()
+	require.Error(t, err)
+
+	// Load missing keypairs
+	_, err = KeyPair(nil, nil, nil)
+	require.Error(t, err)
+}
+
 func TestLoadProfile(t *testing.T) {
 	t.Parallel()
 	profileName := "proxy.example.com"

diff --git a/api/client/joinservice_test.go b/api/client/joinservice_test.go
@@ -34,7 +34,7 @@ import (
 )
 
 type mockJoinServiceServer struct {
-	*proto.UnimplementedJoinServiceServer
+	proto.UnimplementedJoinServiceServer
 	registerUsingTPMMethod func(srv proto.JoinService_RegisterUsingTPMMethodServer) error
 }
 

diff --git a/api/client/proxy/client_test.go b/api/client/proxy/client_test.go
@@ -114,16 +114,15 @@ type fakeGRPCServer struct {
 }
 
 type fakeAuthServer struct {
-	*proto.UnimplementedAuthServiceServer
+	proto.UnimplementedAuthServiceServer
 	listener net.Listener
 	srv      *grpc.Server
 }
 
 func newFakeAuthServer(t *testing.T, conn net.Conn) *fakeAuthServer {
 	f := &fakeAuthServer{
-		listener:                       newOneShotListener(conn),
-		UnimplementedAuthServiceServer: &proto.UnimplementedAuthServiceServer{},
-		srv:                            grpc.NewServer(),
+		listener: newOneShotListener(conn),
+		srv:      grpc.NewServer(),
 	}
 
 	t.Cleanup(f.Stop)

diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -500,4 +500,8 @@ const (
 	EnvVarTerraformRetryMaxTries = "TF_TELEPORT_RETRY_MAX_TRIES"
 	// EnvVarTerraformDialTimeoutDuration is the environment variable configuring the Terraform provider dial timeout.
 	EnvVarTerraformDialTimeoutDuration = "TF_TELEPORT_DIAL_TIMEOUT_DURATION"
+	// EnvVarTerraformJoinMethod is the environment variable configuring the Terraform provider native MachineID join method.
+	EnvVarTerraformJoinMethod = "TF_TELEPORT_JOIN_METHOD"
+	// EnvVarTerraformJoinToken is the environment variable configuring the Terraform provider native MachineID join token.
+	EnvVarTerraformJoinToken = "TF_TELEPORT_JOIN_TOKEN"
 )