Merge remote-tracking branch 'origin/master' into timothyb89/terrafor…

…m-joining-community-edition

api/client/credentials.go

@@ -424,7 +424,7 @@ func configureTLS(c *tls.Config) *tls.Config {
 	// This logic still appears to be necessary to force client to always send
 	// a certificate regardless of the server setting. Otherwise the client may pick
 	// not to send the client certificate by looking at certificate request.
-	if len(tlsConfig.Certificates) > 0 {
+	if len(tlsConfig.Certificates) > 0 && tlsConfig.GetClientCertificate == nil {
 		cert := tlsConfig.Certificates[0]
 		tlsConfig.Certificates = nil
 		tlsConfig.GetClientCertificate = func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -2464,6 +2464,8 @@ message InventoryHeartbeat {
   types.ServerV2 SSHServer = 1;
   // AppServer is a complete app server spec to be heartbeated.
   types.AppServerV3 AppServer = 2;
+  // DatabaseServer is a complete db server spec to be heartbeated.
+  types.DatabaseServerV3 DatabaseServer = 3;
 }
 
 // UpstreamInventoryGoodbye informs the upstream service that instance

api/proto/teleport/legacy/types/events/events.proto

@@ -3460,6 +3460,9 @@ message WindowsDesktopSessionStart {
   // AllowUserCreation indicates whether automatic local user creation
   // is allowed for this session.
   bool AllowUserCreation = 12 [(gogoproto.jsontag) = "allow_user_creation"];
+  // NLA indicates whether Teleport performed Network Level Authentication (NLA)
+  // when initiating this session.
+  bool NLA = 13 [(gogoproto.jsontag) = "nla"];
 }
 
 // DatabaseSessionEnd is emitted when a user ends the database session.

api/types/autoupdate/config.go

@@ -0,0 +1,63 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package autoupdate
+
+import (
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// NewAutoUpdateConfig creates a new auto update configuration resource.
+func NewAutoUpdateConfig(spec *autoupdate.AutoUpdateConfigSpec) (*autoupdate.AutoUpdateConfig, error) {
+	config := &autoupdate.AutoUpdateConfig{
+		Kind:    types.KindAutoUpdateConfig,
+		Version: types.V1,
+		Metadata: &headerv1.Metadata{
+			Name: types.MetaNameAutoUpdateConfig,
+		},
+		Spec: spec,
+	}
+	if err := ValidateAutoUpdateConfig(config); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return config, nil
+}
+
+// ValidateAutoUpdateConfig checks that required parameters are set
+// for the specified AutoUpdateConfig.
+func ValidateAutoUpdateConfig(c *autoupdate.AutoUpdateConfig) error {
+	if c == nil {
+		return trace.BadParameter("AutoUpdateConfig is nil")
+	}
+	if c.Metadata == nil {
+		return trace.BadParameter("Metadata is nil")
+	}
+	if c.Metadata.Name != types.MetaNameAutoUpdateConfig {
+		return trace.BadParameter("Name is not valid")
+	}
+	if c.Spec == nil {
+		return trace.BadParameter("Spec is nil")
+	}
+
+	return nil
+}

api/types/autoupdate/config_test.go

@@ -0,0 +1,94 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package autoupdate
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// TestNewAutoUpdateConfig verifies validation for auto update config resource.
+func TestNewAutoUpdateConfig(t *testing.T) {
+	tests := []struct {
+		name      string
+		spec      *autoupdate.AutoUpdateConfigSpec
+		want      *autoupdate.AutoUpdateConfig
+		assertErr func(*testing.T, error, ...any)
+	}{
+		{
+			name: "success tools autoupdate disabled",
+			spec: &autoupdate.AutoUpdateConfigSpec{
+				ToolsAutoupdate: false,
+			},
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.NoError(t, err)
+			},
+			want: &autoupdate.AutoUpdateConfig{
+				Kind:    types.KindAutoUpdateConfig,
+				Version: types.V1,
+				Metadata: &headerv1.Metadata{
+					Name: types.MetaNameAutoUpdateConfig,
+				},
+				Spec: &autoupdate.AutoUpdateConfigSpec{
+					ToolsAutoupdate: false,
+				},
+			},
+		},
+		{
+			name: "success tools autoupdate enabled",
+			spec: &autoupdate.AutoUpdateConfigSpec{
+				ToolsAutoupdate: true,
+			},
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.NoError(t, err)
+			},
+			want: &autoupdate.AutoUpdateConfig{
+				Kind:    types.KindAutoUpdateConfig,
+				Version: types.V1,
+				Metadata: &headerv1.Metadata{
+					Name: types.MetaNameAutoUpdateConfig,
+				},
+				Spec: &autoupdate.AutoUpdateConfigSpec{
+					ToolsAutoupdate: true,
+				},
+			},
+		},
+		{
+			name: "invalid spec",
+			spec: nil,
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.ErrorContains(t, err, "Spec is nil")
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NewAutoUpdateConfig(tt.spec)
+			tt.assertErr(t, err)
+			require.Empty(t, cmp.Diff(got, tt.want, protocmp.Transform()))
+		})
+	}
+}

api/types/autoupdate/version.go

@@ -0,0 +1,71 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package autoupdate
+
+import (
+	"github.com/coreos/go-semver/semver"
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// NewAutoUpdateVersion creates a new auto update version resource.
+func NewAutoUpdateVersion(spec *autoupdate.AutoUpdateVersionSpec) (*autoupdate.AutoUpdateVersion, error) {
+	version := &autoupdate.AutoUpdateVersion{
+		Kind:    types.KindAutoUpdateVersion,
+		Version: types.V1,
+		Metadata: &headerv1.Metadata{
+			Name: types.MetaNameAutoUpdateVersion,
+		},
+		Spec: spec,
+	}
+	if err := ValidateAutoUpdateVersion(version); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return version, nil
+}
+
+// ValidateAutoUpdateVersion checks that required parameters are set
+// for the specified AutoUpdateVersion.
+func ValidateAutoUpdateVersion(v *autoupdate.AutoUpdateVersion) error {
+	if v == nil {
+		return trace.BadParameter("AutoUpdateVersion is nil")
+	}
+	if v.Metadata == nil {
+		return trace.BadParameter("Metadata is nil")
+	}
+	if v.Metadata.Name != types.MetaNameAutoUpdateVersion {
+		return trace.BadParameter("Name is not valid")
+	}
+	if v.Spec == nil {
+		return trace.BadParameter("Spec is nil")
+	}
+
+	if v.Spec.ToolsVersion == "" {
+		return trace.BadParameter("ToolsVersion is unset")
+	}
+	if _, err := semver.NewVersion(v.Spec.ToolsVersion); err != nil {
+		return trace.BadParameter("ToolsVersion is not a valid semantic version")
+	}
+
+	return nil
+}

api/types/autoupdate/version_test.go

@@ -0,0 +1,93 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package autoupdate
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// TestNewAutoUpdateVersion verifies validation for auto update version resource.
+func TestNewAutoUpdateVersion(t *testing.T) {
+	tests := []struct {
+		name      string
+		spec      *autoupdate.AutoUpdateVersionSpec
+		want      *autoupdate.AutoUpdateVersion
+		assertErr func(*testing.T, error, ...any)
+	}{
+		{
+			name: "success tools autoupdate version",
+			spec: &autoupdate.AutoUpdateVersionSpec{
+				ToolsVersion: "1.2.3-dev",
+			},
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.NoError(t, err)
+			},
+			want: &autoupdate.AutoUpdateVersion{
+				Kind:    types.KindAutoUpdateVersion,
+				Version: types.V1,
+				Metadata: &headerv1.Metadata{
+					Name: types.MetaNameAutoUpdateVersion,
+				},
+				Spec: &autoupdate.AutoUpdateVersionSpec{
+					ToolsVersion: "1.2.3-dev",
+				},
+			},
+		},
+		{
+			name: "invalid empty tools version",
+			spec: &autoupdate.AutoUpdateVersionSpec{
+				ToolsVersion: "",
+			},
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.ErrorContains(t, err, "ToolsVersion is unset")
+			},
+		},
+		{
+			name: "invalid semantic tools version",
+			spec: &autoupdate.AutoUpdateVersionSpec{
+				ToolsVersion: "17-0-0",
+			},
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.ErrorContains(t, err, "ToolsVersion is not a valid semantic version")
+			},
+		},
+		{
+			name: "invalid spec",
+			spec: nil,
+			assertErr: func(t *testing.T, err error, a ...any) {
+				require.ErrorContains(t, err, "Spec is nil")
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NewAutoUpdateVersion(tt.spec)
+			tt.assertErr(t, err)
+			require.Empty(t, cmp.Diff(got, tt.want, protocmp.Transform()))
+		})
+	}
+}

api/types/constants.go

@@ -320,6 +320,18 @@ const (
 	// alternative to their individual resource kinds.
 	KindClusterConfig = "cluster_config"
 
+	// KindAutoUpdateConfig is the resource with autoupdate configuration.
+	KindAutoUpdateConfig = "autoupdate_config"
+
+	// KindAutoUpdateVersion is the resource with autoupdate versions.
+	KindAutoUpdateVersion = "autoupdate_version"
+
+	// MetaNameAutoUpdateConfig is the name of a configuration resource for autoupdate config.
+	MetaNameAutoUpdateConfig = "autoupdate-config"
+
+	// MetaNameAutoUpdateVersion is the name of a resource for autoupdate version.
+	MetaNameAutoUpdateVersion = "autoupdate-version"
+
 	// KindClusterAuditConfig is the resource that holds cluster audit configuration.
 	KindClusterAuditConfig = "cluster_audit_config"
 
@@ -1301,6 +1313,9 @@ const (
 	// provisioning system get added to when provisioned in KEEP mode. This prevents
 	// already existing users from being tampered with or deleted.
 	TeleportKeepGroup = "teleport-keep"
+	// TeleportStaticGroup is a default group that static host users get added to. This
+	// prevents already existing users from being tampered with or deleted.
+	TeleportStaticGroup = "teleport-static"
 )
 
 const (

api/types/events/api.go

@@ -69,6 +69,14 @@ type AuditEvent interface {
 	GetClusterName() string
 	// SetClusterName sets the name of the teleport cluster on the event.
 	SetClusterName(string)
+
+	// TrimToMaxSize returns a copy of the event trimmed to a smaller
+	// size. The desired size may not be achievable so callers
+	// should always check the size of the returned event before
+	// using it. Generally fields that are unique to the event
+	// will be trimmed, other fields are not currently modified
+	// (ie *Metadata messages).
+	TrimToMaxSize(maxSizeBytes int) AuditEvent
 }
 
 // Emitter emits audit events.