Merge remote-tracking branch 'origin/master' into vapopov/client-auto…

…-updates-for-tctl-tsh

.github/ISSUE_TEMPLATE/test-plan-docs.md

@@ -36,11 +36,15 @@ to determine the rollout date.
     git submodule add https://github.com/gravitational/teleport content/<VERSION>.x
     ```
 
-## Is the docs site up to date with the new release?
+## Is the docs site content up to date with the new release?
 
 - [ ] Verify that Teleport version variables are correct and reflect the upcoming
   release. Check `docs/config.json` for this.
 
+- [ ] Ensure that redirects (as configured in `docs/config.json`) only exist for
+  the default version of the docs site, and have been removed from other
+  versions.
+
 - [ ] Remove version warnings in the docs that mention a version we no longer
   support _except_ for the last EOL version. E.g., if we no longer support
   version 10, remove messages saying "You need at least version n to use this

.github/ISSUE_TEMPLATE/testplan.md

@@ -1335,6 +1335,17 @@ manualy testing.
   - [ ] Banner goes away if you reduce number of non-AD desktops to less or equal 5 (check occurs every 5 minutes so you may need to wait to confirm)
   - [ ] Installer in GUI mode successfully uninstalls Authentication Package (logging in is not possible)
   - [ ] Installer successfully uninstalls Authentication Package (logging in is not possible) when invoked from command line
+- Dynamic registration
+  - [ ] Dynamic Windows desktop resources can be added, removed, and updated using `tctl`
+  - [ ] `tctl get dynamic_windows_desktop` works with all supported formats
+  - [ ] Adding dynamic Windows desktop that doesn't match labels for any Windows Desktop Service does not create any
+      Windows desktop
+  - [ ] Adding dynamic Windows desktop that matches some `windows_desktop_services`s creates Windows desktops for each
+      matching WDS
+  - [ ] Updating dynamic Windows desktop updates corresponding Windows desktops
+  - [ ] Updating dynamic Windows desktop's labels so it no longer matches `windows_desktop_services` deletes
+      corresponding Windows desktops
+  - [ ] Deleting dynamic Windows desktop deletes corresponding Windows desktops
 
 ## Binaries / OS compatibility
 

.github/ISSUE_TEMPLATE/webtestplan.md

@@ -175,11 +175,14 @@ All actions should require re-authn with a webauthn device.
 
 Use Discover Wizard to enroll new resources and access them:
 
-- [ ] SSH Server (teleport service, singular EC2, SSM agent)
+- [ ] SSH Server using Teleport Service
 - [ ] Self-Hosted PostgreSQL and Mongo
-- [ ] AWS RDS (singular RDS, auto discover with ECS)
 - [ ] Kubernetes
-- [ ] AWS EKS cluster
+- [ ] Using an AWS OIDC Integration
+  - [ ] EC2 Auto Enrollment (SSM)
+  - [ ] RDS flow: single database
+  - [ ] RDS flow: Auto Enrollment (by VPC)
+  - [ ] EKS Clusters
 - [ ] Non-guided cards link out to correct docs
 
 #### Access Lists
@@ -259,6 +262,99 @@ spec:
 - [ ] Verify that root is marked with a `root` pill
 - [ ] Verify that cluster dropdown menu items goes to the correct route
 
+## Application Access
+
+### Required Applications
+
+Create two apps running locally, a frontend app and a backend app. The frontend app should
+make an API request to the backend app at its teleport public_addr
+
+<details>
+	<summary>You can use this example app if you don't have a frontend/backend setup</summary>
+
+  ```go
+  package main
+
+  import (
+    "encoding/json"
+    "fmt"
+    "log"
+    "net/http"
+  )
+
+  // change to your cluster addr
+  const clusterName = "avatus.sh"
+
+  func main() {
+    // handler for the html page. this is the "client".
+    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+      html := fmt.Sprintf(html, clusterName)
+      w.Header().Set("Content-Type", "text/html")
+      w.Write([]byte(html))
+    })
+
+    // Handler for the API endpoint
+    http.HandleFunc("/api/data", func(w http.ResponseWriter, r *http.Request) {
+      w.Header().Set("Access-Control-Allow-Origin", fmt.Sprintf("https://client.%s", clusterName))
+      w.Header().Set("Access-Control-Allow-Credentials", "true")
+      data := map[string]string{"hello": "world"}
+      w.Header().Set("Content-Type", "application/json")
+      json.NewEncoder(w).Encode(data)
+    })
+
+    log.Println("Server starting on http://localhost:8080")
+    log.Fatal(http.ListenAndServe(":8080", nil))
+  }
+
+  const html = `
+  <!DOCTYPE html>
+  <html lang="en">
+  <head>
+      <meta charset="UTF-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      <title>API Data Fetcher</title>
+  </head>
+  <body>
+      <div id="result"></div>
+      <div id="cors-result"></div>
+      <script>
+          fetch('https://api.%s/api/data', { credentials: 'include' })
+              .then(response => response.json())
+              .then(data => {
+                  document.getElementById('result').textContent = JSON.stringify(data);
+              })
+              .catch(error => console.error('Error:', error));
+      </script>
+  </body>
+  </html>
+  `
+```
+</details>
+
+Update your app service to serve the apps like this (update your public addr to what makes sense for your cluster)
+```
+app_service:
+  enabled: "yes"
+  debug_app: true
+  apps:
+    - name: client
+      uri: http://localhost:8080
+      public_addr: client.avatus.sh
+      required_apps:
+      - api
+    - name: api
+      uri: http://localhost:8080
+      public_addr: api.avatus.sh
+      cors:
+        allowed_origins:
+          - https://client.avatus.sh
+```
+
+Launch your cluster and make sure you are logged out of your api by going to `https://api.avatus.sh/teleport-logout`
+
+- [ ] Launch the client app and you should see `{"hello":"world"}` response
+- [ ] You should see no CORS issues in the console
+
 ## Access Requests
 
 Not available for OSS

.golangci.yml

@@ -80,6 +80,7 @@ linters:
     - testifylint
     - unconvert
     - unused
+    - forbidigo
 
 linters-settings:
   depguard:
@@ -184,6 +185,36 @@ linters-settings:
             desc: '"lib/system/signal" requires CGO'
           - pkg: github.com/gravitational/teleport/lib/vnet/daemon
             desc: '"vnet/daemon" requires CGO'
+      # Prevent importing go-cmp into production code. From the go-cmp docs:
+      # > It is intended to only be used in tests, as performance is not a goal
+      # > and it may panic if it cannot compare the values. Its propensity towards
+      # > panicking means that its unsuitable for production environments where a
+      # > spurious panic may be fatal.
+      go-cmp:
+        files:
+          # Tests can do anything
+          - '!$test'
+          # Various test helpers defined outside _test.go files are allowed
+          - '!**/integration/helpers/**'
+          - '!**/integrations/operator/controllers/resources/testlib/**'
+          - '!**/lib/auth/test/**'
+          - '!**/lib/services/suite/**'
+          # Non-compliant legacy code. These should be converted to compare by another mechanism
+          # and be removed from this list in the future. Use caution before adding any additional
+          # exclusions to this list.
+          - '!**/e/lib/accesslist/equal.go'
+          - '!**/e/lib/auth/saml.go'
+          - '!**lib/services/authority.go'
+          - '!**lib/services/compare.go'
+          - '!**/lib/services/local/access_list.go'
+          - '!**/lib/services/local/users.go'
+          - '!**/lib/services/server.go'
+          - '!**/lib/services/user.go'
+        deny:
+          - pkg: github.com/google/go-cmp/cmp
+            desc: '"github.com/google/go-cmp/cmp" should only be used in tests'
+          - pkg: github.com/google/go-cmp/cmp/cmpopts
+            desc: '"github.com/google/go-cmp/cmp/cmpopts" should only be used in tests'
   errorlint:
     comparison: true
     asserts: true
@@ -228,6 +259,10 @@ linters-settings:
       - len
       - suite-extra-assert-call
       - suite-thelper
+  forbidigo:
+    forbid:
+      - p: '^rsa\.GenerateKey$'
+        msg: 'generating RSA keys is slow, use lib/cryptosuites to generate an appropriate key type'
 
 output:
   uniq-by-line: false

CHANGELOG.md

@@ -386,7 +386,7 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or
 deployed as a Helm chart), the Teleport Discovery Service will automatically find
 and enroll web applications with your Teleport cluster.
 
-See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx).
+See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx).
 
 #### Extended Kubernetes per-resource RBAC
 
@@ -1909,7 +1909,7 @@ is more than one major version behind them. You can use the `--skip-version-chec
 bypass the version check.
 
 Take a look at component compatibility guarantees in the
-[documentation](docs/pages/upgrading.mdx).
+[documentation](docs/pages/upgrading/upgrading.mdx).
 
 #### HTTP_PROXY for reverse tunnels
 
@@ -2898,7 +2898,7 @@ if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {
 
 ### Upgrade Notes
 
-Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin.mdx) to upgrade your cluster.
+Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin/admin.mdx) to upgrade your cluster.
 
 Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected.
 
@@ -3149,7 +3149,7 @@ Other updates:
 
 * We now provide local user management via `https://[cluster-url]/web/users`, providing the ability to edit, reset and delete local users.
 * Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above.
-* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins.mdx)
+* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx)
 
 ##### Signed RPM and Releases
 
@@ -3183,7 +3183,7 @@ We've added an [API Guide](docs/pages/admin-guides/api/api.mdx) to simply develo
 
 #### Upgrade Notes
 
-Please follow our [standard upgrade procedure](./docs/pages/upgrading.mdx).
+Please follow our [standard upgrade procedure](docs/pages/upgrading/upgrading.mdx).
 
 * Optional: Consider updating `https_key_file` & `https_cert_file` to our new `https_keypairs:` format.
 * Optional: Consider migrating Kubernetes access from `proxy_service` to `kubernetes_service` after the upgrade.
@@ -3327,7 +3327,7 @@ auth_service:
 #### Upgrade Notes
 
 Please follow our [standard upgrade
-procedure](docs/pages/upgrading.mdx).
+procedure](docs/pages/upgrading/upgrading.mdx).
 
 ## 4.3.9
 
@@ -3412,7 +3412,7 @@ Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and admin
 
 ##### Teleport Plugins
 
-Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.
+Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.
 
 *   [PagerDuty](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx)
 *   [Jira](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-jira.mdx)
@@ -3448,7 +3448,7 @@ Teleport 4.3 introduces four new plugins that work out of the box with [Approval
 #### Upgrade Notes
 
 Always follow the [recommended upgrade
-procedure](./docs/pages/upgrading.mdx) to upgrade to this version.
+procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version.
 
 ##### New Signing Algorithm
 
@@ -3489,7 +3489,7 @@ permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx).
 The [etcd backend](docs/pages/reference/backends.mdx#etcd) now correctly uses
 the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will
 migrate the data as needed at startup. Make sure you follow our Teleport
-[upgrade guidance](docs/pages/upgrading.mdx).
+[upgrade guidance](docs/pages/upgrading/upgrading.mdx).
 
 **Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should [backup Teleport data and restore it](docs/pages/admin-guides/management/operations/backup-restore.mdx) into the downgraded cluster.**
 
@@ -3612,7 +3612,7 @@ This is a minor Teleport release with a focus on new features and bug fixes.
 ### Improvements
 
 * Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948)
-* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
+* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
 * Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](docs/pages/admin-guides/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
 * Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli/tctl.mdx). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)
 
@@ -3868,7 +3868,7 @@ The lists of improvements and bug fixes above mention only the significant chang
 
 ### Upgrading
 
-Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading.mdx)
+Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading/upgrading.mdx)
 
 Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades.
 
@@ -4136,7 +4136,7 @@ on Github for more.
 #### Upgrading to 3.0
 
 Follow the [recommended upgrade
-procedure](docs/pages/upgrading.mdx) to upgrade to this
+procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
 version.
 
 **WARNING:** if you are using Teleport with the etcd back-end, make sure your
@@ -4242,7 +4242,7 @@ As always, this release contains several bug fixes. The full list can be seen [h
 #### Upgrading
 
 Follow the [recommended upgrade
-procedure](docs/pages/upgrading.mdx) to upgrade to this
+procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
 version.
 
 ## 2.6.9
@@ -4372,7 +4372,7 @@ You can see the full list of 2.6.0 changes [here](https://github.com/gravitation
 #### Upgrading
 
 Follow the [recommended upgrade
-procedure](docs/pages/upgrading.mdx) to upgrade to this
+procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
 version.
 
 ## 2.5.7
@@ -4459,7 +4459,7 @@ release, which includes:
 
 * The Teleport daemon now implements built-in connection draining which allows
   zero-downtime upgrades.  [See
-  documentation](docs/pages/upgrading.mdx).
+  documentation](docs/pages/upgrading/upgrading.mdx).
 
 * Dynamic join tokens for new nodes can now be explicitly set via `tctl node add --token`.
   This allows Teleport admins to use an external mechanism for generating