Merge branch 'branch/v17' into r7s/v17/backport-multi-port-backend

.github/workflows/lint.yaml

@@ -88,7 +88,7 @@ jobs:
           find . -path ./e -prune -o -name go.mod -print | while read f; do
             echo "checking $f"
             pushd $(dirname "$f") > /dev/null;
-            go mod tidy -diff;
+            go mod tidy -diff || (echo "Run 'make go-mod-tidy-all' to resolve" && exit 1);
             popd > /dev/null;
           done
 

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=17.0.6
+VERSION=17.1.0-rc.1
 
 DOCKER_IMAGE ?= teleport
 
@@ -1828,3 +1828,7 @@ create-github-release:
 	--latest=$(LATEST) \
 	--verify-tag \
 	-F - <<< "$$NOTES"
+
+.PHONY: go-mod-tidy-all
+go-mod-tidy-all:
+	find . -type "f" -name "go.mod" -execdir go mod tidy \;

api/proto/teleport/legacy/types/events/events.proto

@@ -4697,6 +4697,7 @@ message OneOf {
     events.WorkloadIdentityCreate WorkloadIdentityCreate = 194;
     events.WorkloadIdentityUpdate WorkloadIdentityUpdate = 195;
     events.WorkloadIdentityDelete WorkloadIdentityDelete = 196;
+    events.UserLoginAccessListInvalid UserLoginAccessListInvalid = 198;
   }
 }
 
@@ -7695,3 +7696,39 @@ message WorkloadIdentityDelete {
     (gogoproto.jsontag) = ""
   ];
 }
+
+// AccessListInvalidMetadata contains metadata about invalid access lists.
+message AccessListInvalidMetadata {
+  // AccessListName is the name of the invalid access list.
+  string AccessListName = 1 [(gogoproto.jsontag) = "access_list_name, omitempty"];
+  // User is the username of the access list member who attempted to log in.
+  string User = 2 [(gogoproto.jsontag) = "user,omitempty"];
+  // MissingRoles are the names of the non-existent roles being referenced by the access list, causing it to be invalid.
+  repeated string MissingRoles = 3 [(gogoproto.jsontag) = "missing_roles,omitempty"];
+}
+
+// UserLoginAccessListInvalid is emitted when a user who is a member of an invalid
+// access list logs in. It is used to indicate that the access list could not be
+// applied to the user's session.
+message UserLoginAccessListInvalid {
+  // Metadata is common event metadata
+  Metadata Metadata = 1 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // AccessListInvalidMetadata is the metadata for this access list invalid event.
+  AccessListInvalidMetadata AccessListInvalidMetadata = 2 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // Status contains fields to indicate whether attempt was successful or not.
+  Status Status = 3 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+}

api/types/events/events.go

@@ -1962,6 +1962,25 @@ func (m *AccessListMemberDeleteAllForAccessList) TrimToMaxSize(maxSize int) Audi
 	return out
 }
 
+func (m *UserLoginAccessListInvalid) TrimToMaxSize(maxSize int) AuditEvent {
+	size := m.Size()
+	if size <= maxSize {
+		return m
+	}
+
+	out := utils.CloneProtoMsg(m)
+	out.Status = Status{}
+
+	maxSize = adjustedMaxSize(out, maxSize)
+
+	customFieldsCount := m.Status.nonEmptyStrs()
+	maxFieldsSize := maxSizePerField(maxSize, customFieldsCount)
+
+	out.Status = m.Status.trimToMaxSize(maxFieldsSize)
+
+	return out
+}
+
 func (m *AuditQueryRun) TrimToMaxSize(maxSize int) AuditEvent {
 	size := m.Size()
 	if size <= maxSize {

api/types/events/oneof.go

@@ -604,6 +604,10 @@ func ToOneOf(in AuditEvent) (*OneOf, error) {
 		out.Event = &OneOf_AccessListMemberDeleteAllForAccessList{
 			AccessListMemberDeleteAllForAccessList: e,
 		}
+	case *UserLoginAccessListInvalid:
+		out.Event = &OneOf_UserLoginAccessListInvalid{
+			UserLoginAccessListInvalid: e,
+		}
 	case *AuditQueryRun:
 		out.Event = &OneOf_AuditQueryRun{
 			AuditQueryRun: e,

api/types/role.go

@@ -290,6 +290,9 @@ type Role interface {
 	// GetIdentityCenterAccountAssignments fetches the allow or deny Account
 	// Assignments for the role
 	GetIdentityCenterAccountAssignments(RoleConditionType) []IdentityCenterAccountAssignment
+	// GetIdentityCenterAccountAssignments sets the allow or deny Account
+	// Assignments for the role
+	SetIdentityCenterAccountAssignments(RoleConditionType, []IdentityCenterAccountAssignment)
 }
 
 // NewRole constructs new standard V7 role.
@@ -2068,6 +2071,16 @@ func (r *RoleV6) GetIdentityCenterAccountAssignments(rct RoleConditionType) []Id
 	return r.Spec.Deny.AccountAssignments
 }
 
+// SetIdentityCenterAccountAssignments sets the allow or deny Identity Center
+// Account Assignments for the role
+func (r *RoleV6) SetIdentityCenterAccountAssignments(rct RoleConditionType, assignments []IdentityCenterAccountAssignment) {
+	cond := &r.Spec.Deny
+	if rct == Allow {
+		cond = &r.Spec.Allow
+	}
+	cond.AccountAssignments = assignments
+}
+
 // LabelMatcherKinds is the complete list of resource kinds that support label
 // matchers.
 var LabelMatcherKinds = []string{

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.0.6</string>
+		<string>1.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.0.6</string>
+		<string>1.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.0.6</string>
+		<string>1.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.0.6</string>
+		<string>1.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

constants.go

@@ -698,6 +698,11 @@ const (
 	// access to Okta resources. This will be used by the Okta requester role to
 	// search for Okta resources.
 	SystemOktaAccessRoleName = "okta-access"
+
+	// SystemIdentityCenterAccessRoleName specifies the name of a system role
+	// that grants a user access to AWS Identity Center resources via
+	// Access Requests.
+	SystemIdentityCenterAccessRoleName = "aws-ic-access"
 )
 
 var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}

docs/pages/enroll-resources/workload-identity/workload-attestation.mdx

@@ -37,11 +37,26 @@ available to be used when configuring rules for `tbot`'s Workload API service:
 
 | Field             | Description                                                                  |
 |-------------------|------------------------------------------------------------------------------|
-| `unix.attested` | Indicates that the workload has been attested by the Unix Workload Attestor. |
+| `unix.attested`   | Indicates that the workload has been attested by the Unix Workload Attestor. |
 | `unix.pid`        | The process ID of the attested workload.                                     |
 | `unix.uid`        | The effective user ID of the attested workload.                              |
 | `unix.gid`        | The effective primary group ID of the attested workload.                     |
 
+### Support for non-standard procfs mounting
+
+To resolve information about a process from the PID, the Unix Workload Attestor
+reads information from the procfs filesystem. By default, it expects procfs to
+be mounted at `/proc`.
+
+If procfs is mounted at a different location, you must configure the Unix
+Workload Attestor to read from that alternative location by setting the
+`HOST_PROC` environment variable.
+
+This is a sensitive configuration option, and you should ensure that it is
+set correctly or not set at all. If misconfigured, an attacker could provide
+falsified information about processes, and this could lead to the issuance of
+SVIDs to unauthorized workloads.
+
 ## Kubernetes
 
 The Kubernetes Workload Attestor allows you to restrict the issuance of SVIDs

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.6"
+.version: &version "17.1.0-rc.1"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-datadog-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-datadog-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-datadog-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-datadog-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 17.0.6
-            helm.sh/chart: teleport-plugin-datadog-17.0.6
+            app.kubernetes.io/version: 17.1.0-rc.1
+            helm.sh/chart: teleport-plugin-datadog-17.1.0-rc.1
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.6"
+.version: &version "17.1.0-rc.1"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-discord-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-discord-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-discord-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-discord-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 17.0.6
-            helm.sh/chart: teleport-plugin-discord-17.0.6
+            app.kubernetes.io/version: 17.1.0-rc.1
+            helm.sh/chart: teleport-plugin-discord-17.1.0-rc.1
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.6"
+.version: &version "17.1.0-rc.1"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.6
-        helm.sh/chart: teleport-plugin-email-17.0.6
+        app.kubernetes.io/version: 17.1.0-rc.1
+        helm.sh/chart: teleport-plugin-email-17.1.0-rc.1
       name: RELEASE-NAME-teleport-plugin-email