Merge branch 'master' into stevenGravy/event-handler-ssl

.github/workflows/os-compatibility-test.yaml

@@ -50,7 +50,7 @@ jobs:
 
       - name: Run make
         run: |
-          make -j"$(nproc)" binaries
+          make -j"$(nproc)" binaries FIDO2=static
 
       - name: Upload binaries
         uses: actions/upload-artifact@v3

CHANGELOG.md

@@ -14,7 +14,10 @@ for setup instructions.
 
 #### Teleport Assist has been removed
 
-Teleport Assist chat has been removed from Teleport 16.
+Teleport Assist chat has been removed from Teleport 16. `auth_service.assist` and `proxy_service.assist`
+options have been removed from the configuration. Teleport will not start if these options are present.
+
+During the migration from v15 to v16, the options mentioned above should be removed from the configuration.
 
 #### DynamoDB permission requirements have changed
 

Makefile

@@ -148,6 +148,10 @@ export C_ARCH
 # Eagerly enable if we detect the package, we want to test as much as possible.
 ifeq ("$(shell pkg-config libfido2 2>/dev/null; echo $$?)", "0")
 LIBFIDO2_TEST_TAG := libfido2
+ifeq ($(FIDO2),)
+$(info libfido2 found, setting FIDO2=dynamic)
+FIDO2 ?= dynamic
+endif
 endif
 
 # Build tsh against libfido2?
@@ -275,6 +279,14 @@ CGOFLAG = CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++
 BUILDFLAGS = $(ADDFLAGS) -ldflags '-w -s $(KUBECTL_SETVERSION)' -trimpath -buildmode=pie
 endif
 
+ifeq ("$(OS)","darwin")
+# Note the minimum version for Apple silicon (ARM64) is 11.0 and will be automatically
+# clamped to the value for builds of that architecture
+MINIMUM_SUPPORTED_MACOS_VERSION = 10.15
+MACOSX_VERSION_MIN_FLAG = -mmacosx-version-min=$(MINIMUM_SUPPORTED_MACOS_VERSION)
+CGOFLAG = CGO_ENABLED=1 CGO_CFLAGS=$(MACOSX_VERSION_MIN_FLAG) CGO_LDFLAGS=$(MACOSX_VERSION_MIN_FLAG)
+endif
+
 CGOFLAG_TSH ?= $(CGOFLAG)
 
 # Map ARCH into the architecture flag for electron-builder if they
@@ -308,6 +320,9 @@ binaries:
 # until we can use this Makefile for native Windows builds.
 .PHONY: $(BUILDDIR)/tctl
 $(BUILDDIR)/tctl:
+	@if [[ -z "$(LIBFIDO2_BUILD_TAG)" ]]; then \
+		echo 'Warning: Building tctl without libfido2. Install libfido2 to have access to MFA.' >&2; \
+	fi
 	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG) go build -tags "$(PAM_TAG) $(FIPS_TAG) $(LIBFIDO2_BUILD_TAG) $(PIV_BUILD_TAG) $(KUSTOMIZE_NO_DYNAMIC_PLUGIN)" -o $(BUILDDIR)/tctl $(BUILDFLAGS) ./tool/tctl
 
 .PHONY: $(BUILDDIR)/teleport
@@ -326,6 +341,9 @@ $(BUILDDIR)/teleport: ensure-webassets bpf-bytecode rdpclient
 $(BUILDDIR)/tsh: KUBECTL_VERSION ?= $(shell go run ./build.assets/kubectl-version/main.go)
 $(BUILDDIR)/tsh: KUBECTL_SETVERSION ?= -X k8s.io/component-base/version.gitVersion=$(KUBECTL_VERSION)
 $(BUILDDIR)/tsh:
+	@if [[ -z "$(LIBFIDO2_BUILD_TAG)" ]]; then \
+		echo 'Warning: Building tsh without libfido2. Install libfido2 to have access to MFA.' >&2; \
+	fi
 	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG_TSH) go build -tags "$(FIPS_TAG) $(LIBFIDO2_BUILD_TAG) $(TOUCHID_TAG) $(PIV_BUILD_TAG) $(KUSTOMIZE_NO_DYNAMIC_PLUGIN)" -o $(BUILDDIR)/tsh $(BUILDFLAGS) ./tool/tsh
 
 .PHONY: $(BUILDDIR)/tbot
@@ -378,17 +396,18 @@ else
 bpf-bytecode:
 endif
 
-ifeq ("$(with_rdpclient)", "yes")
-.PHONY: rdpclient
-rdpclient:
-ifneq ("$(FIPS)","")
-	cargo build -p rdp-client --features=fips --release --locked $(CARGO_TARGET)
-else
-	cargo build -p rdp-client --release --locked $(CARGO_TARGET)
+ifeq ("$(OS)-$(with_rdpclient)", "darwin-yes")
+# Set the minimum version linker flag for the rust build of rdpclient (and only rdpclient,
+# as the flag is invalid for building ironrdp to wasm in the web UI). Also set an env
+# var so any C libraries built by this build also target the correct min version.
+rdpclient: export RUSTFLAGS = -C link-arg=$(MACOSX_VERSION_MIN_FLAG)
+rdpclient: export MACOSX_DEPLOYMENT_TARGET = $(MINIMUM_SUPPORTED_MACOS_VERSION)
 endif
-else
+
 .PHONY: rdpclient
 rdpclient:
+ifeq ("$(with_rdpclient)", "yes")
+	cargo build -p rdp-client $(if $(FIPS),--features=fips) --release --locked $(CARGO_TARGET)
 endif
 
 # Build libfido2 and dependencies for MacOS. Uses exported C_ARCH variable defined earlier.

README.md

@@ -147,7 +147,8 @@ Ensure you have installed correct versions of necessary dependencies:
   `Rust` and `Cargo` versions in
   [build.assets/Makefile](https://github.com/gravitational/teleport/blob/master/build.assets/Makefile#L21)
   (search for `RUST_VERSION`)
-* For `tsh` version > `10.x` with FIDO support, you will need `libfido` and `openssl 1.1` installed locally
+* For `tsh` version > `10.x` with FIDO2 support, you will need `libfido2` and
+  `pkg-config` installed locally
 * To build the web UI:
   * [`yarn`](https://classic.yarnpkg.com/en/docs/install)(< 2.0.0) is required.
   * If you prefer not to install/use yarn, but have docker available, you can run `make docker-ui` instead.
@@ -195,18 +196,26 @@ maintainer, ask the team for access.
 make build/tsh TOUCHID=yes
 ```
 
-To build `tsh` with `libfido`:
+`tsh` dynamically links against libfido2 by default, to support development
+environments, as long as the library itself can be found:
 
-  ```shell
-  make build/tsh FIDO2=dynamic
-  ```
+```shell
+$ brew install libfido2 pkg-config  # Replace with your package manager of choice
 
-  * On a Mac, with `libfido` and `openssl 3` installed via `homebrew`
+$ make build/tsh
+> libfido2 found, setting FIDO2=dynamic
+> (...)
+```
 
-    ```shell
-    export PKG_CONFIG_PATH="$(brew --prefix openssl@3)/lib/pkgconfig"
-    make build/tsh FIDO2=dynamic
-    ```
+Release binaries are linked statically against libfido2. You may switch the
+linking mode using the FIDO2 variable:
+
+```shell
+make build/tsh FIDO2=dynamic # dynamic linking
+make build/tsh FIDO2=static  # static linking, for an easy setup use `make enter`
+                             # or `build.assets/macos/build-fido2-macos.sh`.
+make build/tsh FIDO2=off     # doesn't link libfido2 in any way
+```
 
 #### Build output and run locally
 
@@ -405,4 +414,4 @@ The remainder of the source code in this repository is available under the
 from source must comply with the terms of this license.
 
 Teleport Community Edition builds distributed on http://goteleport.com/download
-are available under a [modified Apache 2.0 license](./LICENSE-community).
+are available under a [modified Apache 2.0 license](./LICENSE-community).

api/utils/route.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"net"
 	"slices"
+	"strings"
 	"unicode/utf8"
 
 	"github.com/google/uuid"
@@ -49,6 +50,8 @@ type SSHRouteMatcherConfig struct {
 	Resolver HostResolver
 	// CaseInsensitive enabled case insensitive routing when true.
 	CaseInsensitive bool
+	// DisableUnqualifiedLookups disables lookups for unqualified hostnames.
+	DisableUnqualifiedLookups bool
 }
 
 // HostResolver provides an interface matching the net.Resolver.LookupHost method. Typically
@@ -88,7 +91,12 @@ func newSSHRouteMatcher(cfg SSHRouteMatcherConfig) SSHRouteMatcher {
 	_, err := uuid.Parse(cfg.Host)
 	dialByID := err == nil || aws.IsEC2NodeID(cfg.Host)
 
-	ips, _ := cfg.Resolver.LookupHost(context.Background(), cfg.Host)
+	var ips []string
+	if !(cfg.DisableUnqualifiedLookups && !strings.Contains(cfg.Host, ".")) {
+		// unqualified lookups are still on by default, but future versions of teleport may disable them as they tend
+		// to be responsible for the majority of all lookups generated by a teleport cluster and are of questionable utility.
+		ips, _ = cfg.Resolver.LookupHost(context.Background(), cfg.Host)
+	}
 
 	return SSHRouteMatcher{
 		cfg:            cfg,

api/utils/route_test.go

@@ -323,3 +323,66 @@ func TestSSHRouteMatcherScoring(t *testing.T) {
 		})
 	}
 }
+
+type recordingHostResolver struct {
+	didLookup bool
+}
+
+func (r *recordingHostResolver) LookupHost(ctx context.Context, host string) (addrs []string, err error) {
+	r.didLookup = true
+	return nil, nil
+}
+
+// TestDisableUnqualifiedLookups verifies that unqualified lookups being disabled results
+// in single-element/tld style hostname targets not being resolved.
+func TestDisableUnqualifiedLookups(t *testing.T) {
+	tts := []struct {
+		desc   string
+		target string
+		lookup bool
+	}{
+		{
+			desc:   "qualified hostname",
+			target: "example.com",
+			lookup: true,
+		},
+		{
+			desc:   "unqualified hostname",
+			target: "example",
+			lookup: false,
+		},
+		{
+			desc:   "localhost",
+			target: "localhost",
+			lookup: false,
+		},
+		{
+			desc:   "foo.localhost",
+			target: "foo.localhost",
+			lookup: true,
+		},
+		{
+			desc:   "uuid",
+			target: uuid.NewString(),
+			lookup: false,
+		},
+		{
+			desc:   "qualified uuid",
+			target: "foo." + uuid.NewString(),
+			lookup: true,
+		},
+	}
+
+	for _, tt := range tts {
+		t.Run(tt.desc, func(t *testing.T) {
+			resolver := &recordingHostResolver{}
+			_, err := NewSSHRouteMatcherFromConfig(SSHRouteMatcherConfig{
+				Host:                      tt.target,
+				Resolver:                  resolver,
+				DisableUnqualifiedLookups: true,
+			})
+			require.NoError(t, err)
+			require.Equal(t, tt.lookup, resolver.didLookup)
+		})
+	}
+}

assets/aws/files/system/teleport-acm.service

@@ -15,3 +15,6 @@ ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --diag-addr=
 ExecReload=/bin/sh -c "exec pkill -HUP -L -F /run/teleport/teleport.pid"
 PIDFile=/run/teleport/teleport.pid
 LimitNOFILE=524288
+
+[Install]
+WantedBy=multi-user.target

build.assets/Dockerfile-centos7

@@ -278,15 +278,15 @@ COPY --from=libfido2 \
     /usr/local/lib64/libcrypto.a \
     /usr/local/lib64/libcrypto.so.3 \
     /usr/local/lib64/libfido2.a \
-    /usr/local/lib64/libfido2.so.1.14.0 \
+    /usr/local/lib64/libfido2.so.1.15.0 \
     /usr/local/lib64/libssl.a \
     /usr/local/lib64/libssl.so.3 \
     /usr/local/lib64/libudev.a \
     /usr/local/lib64/
 # Re-create usual lib64 links.
 RUN cd /usr/local/lib64 && \
     ln -s libcrypto.so.3 libcrypto.so && \
-    ln -s libfido2.so.1.14.0 libfido2.so.1 && \
+    ln -s libfido2.so.1.15.0 libfido2.so.1 && \
     ln -s libfido2.so.1 libfido2.so && \
     ln -s libssl.so.3 libssl.so && \
 # Update ld.

docs/config.json

@@ -1272,7 +1272,7 @@
           "slug": "/database-access/auto-user-provisioning/",
           "entries": [
             {
-              "title": "AWS Redshift",
+              "title": "Amazon Redshift",
               "slug": "/database-access/auto-user-provisioning/aws-redshift/"
             },
             {
@@ -2561,16 +2561,6 @@
       "destination": "/access-controls/device-trust/device-management/",
       "permanent": true
     },
-    {
-      "source": "/management/guides/teleport-operator/",
-      "destination": "/management/dynamic-resources/teleport-operator/",
-      "permanent": true
-    },
-    {
-      "source": "/management/guides/terraform-provider/",
-      "destination": "/management/dynamic-resources/terraform-provider/",
-      "permanent": true
-    },
     {
       "source": "/get-started/",
       "destination": "/",
@@ -2623,7 +2613,7 @@
     },
     {
       "source": "/machine-id/guides/",
-      "destination": "/machine-id/",
+      "destination": "/machine-id/introduction/",
       "permanent": true
     },
     {
@@ -2661,11 +2651,6 @@
       "destination": "/machine-id/deployment/gitlab/",
       "permanent": true
     },
-    {
-      "source": "/machine-id/guides/gitlab/",
-      "destination": "/machine-id/deployment/github-actions/",
-      "permanent": true
-    },
     {
       "source": "/server-access/guides/openssh/",
       "destination": "/server-access/openssh/",

docs/pages/access-controls/access-request-plugins/servicenow.mdx

@@ -62,7 +62,7 @@ To retrieve the ServiceNow rotation ID, navigate to the group record
 of the ServiceNow group the rotation belongs to and right click on
 header, then click 'Select copy sys_id' to copy the ID.
 
-Then using the ServiceNow endpoint '/api/now/on_call_rota/workbench/group/{groupSysId}'
+Then using the ServiceNow endpoint `/api/now/on_call_rota/workbench/group/{groupSysId}`
 retrieve the group's on-call rota information.
 Select the value of the desired 'rota' from the response.
 

docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx

@@ -27,6 +27,8 @@ SAML IdP, so users can sign in into GCP web console by authenticating with Telep
 Reference](./saml-reference.mdx) before proceeding.
 - User with permission to create service provider resource. The preset `editor` role has this permission.
 - Access to GCP IAM API, with permission to create workforce identity pool, pool provider and an IAM policy.
+At a minimum, both the "IAM Workforce Pool Admin" and "Organization Viewer" [GCP roles](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#required-roles)
+are required (assigned at the GCP organization level) to configure GCP Workforce Identity Federation.
 
 
 Teleport Web UI offers both the guided and manual configuration flow for GCP Workforce Identity
@@ -47,15 +49,15 @@ Now follow the steps listed below.
 ## Step 1/3. Configure workforce pool
 As a first step, provide the following information to the script generator.
 
-![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-script.png)
+![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-command.png)
 - **Organization ID:** Organization ID of GCP account. The ID is required to create a workforce pool.
-- **Pool Name:** Name of the workforce pool to be created. Name should follow [GCP resource naming
+- **Workforce pool name:** Name of the workforce pool to be created. Name should follow [GCP resource naming
 convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format).
-- **Pool Provider Name:** Name of the workforce pool provider to be created. Pool provider name
-will also be used as SAML service provider name in the next step. Name should follow
+- **App name - Workforce pool provider name:** SAML app name. The name
+will also be used as a workforce pool provider name in the GCP. Name should follow
 [GCP resource naming convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format).
 
-Click on **Generate Script** button. Teleport Web UI will now show you a copyable bash script.
+Click on the **Generate Command** button. The Teleport Web UI will now show you a copyable bash script.
 
 Open GCP [Cloud Shell](https://shell.cloud.google.com/?show=terminal) and inside the Cloud Shell terminal,
 paste the bash script you copied above.

docs/pages/access-controls/login-rules/guide.mdx

@@ -17,7 +17,7 @@ cluster on version `11.3.1` or greater.
 
 Login Rules only operate on SSO logins, so make sure you have
 configured an OIDC, SAML, or GitHub connector before you begin.
-Check the [Single Sign-On](../sso/) docs to learn how to set this up.
+Check the [Single Sign-On](../sso.mdx) docs to learn how to set this up.
 
 ## Step 1/5. Configure RBAC