Merge branch 'branch/v17' into bot/backport-49433-branch/v17

gravitational · Nov 29, 2024 · c94bea8 · c94bea8
2 parents e9e6f31 + 6edb02b
commit c94bea8
Show file tree

Hide file tree

Showing 92 changed files with 5,529 additions and 2,796 deletions.
diff --git a/README.md b/README.md
@@ -403,4 +403,4 @@ The remainder of the source code in this repository is available under the
 from source must comply with the terms of this license.
 
 Teleport Community Edition builds distributed on http://goteleport.com/download
-are available under a [modified Apache 2.0 license](./LICENSE-community).
+are available under a [modified Apache 2.0 license](./build.assets/LICENSE-community).
diff --git a/api/proto/teleport/legacy/types/trusted_device_requirement.proto b/api/proto/teleport/legacy/types/trusted_device_requirement.proto
@@ -0,0 +1,37 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package types;
+
+import "gogoproto/gogo.proto";
+
+option go_package = "github.com/gravitational/teleport/api/types";
+option (gogoproto.goproto_getters_all) = false;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+// TrustedDeviceRequirement indicates whether access may be hindered by the lack
+// of a trusted device.
+enum TrustedDeviceRequirement {
+  // Device requirement not determined.
+  // Does not mean that a device is not required, only that the necessary data
+  // was not considered.
+  TRUSTED_DEVICE_REQUIREMENT_UNSPECIFIED = 0;
+  // Trusted device not required.
+  TRUSTED_DEVICE_REQUIREMENT_NOT_REQUIRED = 1;
+  // Trusted device required by either cluster mode or user roles.
+  TRUSTED_DEVICE_REQUIREMENT_REQUIRED = 2;
+}
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -21,6 +21,7 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 import "teleport/attestation/v1/attestation.proto";
+import "teleport/legacy/types/trusted_device_requirement.proto";
 import "teleport/legacy/types/wrappers/wrappers.proto";
 
 option go_package = "github.com/gravitational/teleport/api/types";
@@ -3485,6 +3486,22 @@ message AccessRequestConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "kubernetes_resources,omitempty"
   ];
+
+  // Reason defines settings for the reason for the access provided by the user.
+  AccessRequestConditionsReason Reason = 9 [(gogoproto.jsontag) = "reason,omitempty"];
+}
+
+// AccessRequestConditionsReason defines settings for the reason for the access provided by the
+// user.
+message AccessRequestConditionsReason {
+  // Mode can be either "required" or "optional". Empty string is treated as "optional". If a role
+  // has the request reason mode set to "required", then reason is required for all Access Requests
+  // requesting roles or resources allowed by this role. It applies only to users who have this
+  // role assigned.
+  string Mode = 1 [
+    (gogoproto.jsontag) = "mode,omitempty",
+    (gogoproto.casttype) = "RequestReasonMode"
+  ];
 }
 
 // AccessReviewConditions is a matcher for allow/deny restrictions on
@@ -4171,19 +4188,6 @@ message WebSessionSpecV2 {
   bytes TLSPriv = 15 [(gogoproto.jsontag) = "tls_priv,omitempty"];
 }
 
-// TrustedDeviceRequirement indicates whether access may be hindered by the lack
-// of a trusted device.
-enum TrustedDeviceRequirement {
-  // Device requirement not determined.
-  // Does not mean that a device is not required, only that the necessary data
-  // was not considered.
-  TRUSTED_DEVICE_REQUIREMENT_UNSPECIFIED = 0;
-  // Trusted device not required.
-  TRUSTED_DEVICE_REQUIREMENT_NOT_REQUIRED = 1;
-  // Trusted device required by either cluster mode or user roles.
-  TRUSTED_DEVICE_REQUIREMENT_REQUIRED = 2;
-}
-
 // Web-focused view of teleport.devicetrust.v1.DeviceWebToken.
 message DeviceWebToken {
   // Opaque token identifier.

diff --git a/api/types/access_request.go b/api/types/access_request.go
@@ -642,6 +642,47 @@ func (u *AccessRequestUpdate) Check() error {
 	return nil
 }
 
+// RequestReasonMode can be either "required" or "optional". Empty-string is treated as "optional".
+// If a role has the request reason mode set to "required", then reason is required for all Access
+// Requests requesting roles or resources allowed by this role. It applies only to users who have
+// this role assigned.
+type RequestReasonMode string
+
+const (
+	// RequestReasonModeRequired indicates required mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeRequired RequestReasonMode = "required"
+	// RequestReasonModeRequired indicates optional mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeOptional RequestReasonMode = "optional"
+)
+
+var allRequestReasonModes = []RequestReasonMode{
+	RequestReasonModeRequired,
+	RequestReasonModeOptional,
+}
+
+// Required checks if this mode is "required". Empty mode is treated as "optional".
+func (m RequestReasonMode) Required() bool {
+	switch m {
+	case RequestReasonModeRequired:
+		return true
+	default:
+		return false
+	}
+}
+
+// Check validates this mode value. Note that an empty value is considered invalid.
+func (m RequestReasonMode) Check() error {
+	for _, x := range allRequestReasonModes {
+		if m == x {
+			return nil
+		}
+	}
+	return trace.BadParameter("unrecognized request reason mode %q, must be one of: %v",
+		m, allRequestReasonModes)
+}
+
 // RequestStrategy is an indicator of how access requests
 // should be handled for holders of a given role.
 type RequestStrategy string

diff --git a/api/types/role.go b/api/types/role.go
@@ -92,6 +92,9 @@ type Role interface {
 	// GetRoleConditions gets the RoleConditions for the RoleConditionType.
 	GetRoleConditions(rct RoleConditionType) RoleConditions
 
+	// GetRequestReasonMode gets the RequestReasonMode for the RoleConditionType.
+	GetRequestReasonMode(RoleConditionType) RequestReasonMode
+
 	// GetLabelMatchers gets the LabelMatchers that match labels of resources of
 	// type [kind] this role is allowed or denied access to.
 	GetLabelMatchers(rct RoleConditionType, kind string) (LabelMatchers, error)
@@ -1715,10 +1718,7 @@ func (r *RoleV6) SetSearchAsRoles(rct RoleConditionType, roles []string) {
 // purposes of viewing details such as the hostname and labels of requested
 // resources.
 func (r *RoleV6) GetPreviewAsRoles(rct RoleConditionType) []string {
-	roleConditions := &r.Spec.Allow
-	if rct == Deny {
-		roleConditions = &r.Spec.Deny
-	}
+	roleConditions := r.GetRoleConditions(rct)
 	if roleConditions.ReviewRequests == nil {
 		return nil
 	}
@@ -1735,6 +1735,15 @@ func (r *RoleV6) GetRoleConditions(rct RoleConditionType) RoleConditions {
 	return roleConditions
 }
 
+// GetRoleConditions returns the role conditions for the role.
+func (r *RoleV6) GetRequestReasonMode(rct RoleConditionType) RequestReasonMode {
+	roleConditions := r.GetRoleConditions(rct)
+	if roleConditions.Request == nil || roleConditions.Request.Reason == nil {
+		return ""
+	}
+	return roleConditions.Request.Reason.Mode
+}
+
 // SetPreviewAsRoles sets the list of extra roles which should apply to a
 // reviewer while they are viewing a Resource Access Request for the
 // purposes of viewing details such as the hostname and labels of requested

diff --git a/api/types/trusted_device_requirement.pb.go b/api/types/trusted_device_requirement.pb.go