Merge branch 'master' into yassine/redesign-help-support

.github/ISSUE_TEMPLATE/test-plan-docs.md

@@ -5,11 +5,16 @@ title: "Teleport X Docs Test Plan"
 labels: testplan
 ---
 
-Perform the following checks on the Teleport documentation whenever we release a
-new major version of Teleport:
+Perform the following checks on the Teleport documentation whenever we roll out
+a new major version of Teleport on Teleport Cloud. Use `/docs/upcoming-releases`
+to determine the rollout date.
 
 ## Is the docs site configuration accurate?
 
+> [!IMPORTANT] 
+> **Do not merge the new docs site configuration** before we roll out a new
+> major version to Teleport Enterprise (Cloud).
+
 - [ ] Verify the latest version in `gravitational/docs/config.json`
 
 - [ ] Verify that `gravitational/docs/.gitmodules` contains the latest release

.github/workflows/build-ci-service-images.yaml

@@ -44,7 +44,7 @@ jobs:
 
       - name: Build etcd image
         id: docker_build
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: ${{ github.workspace }}
           file: .github/services/Dockerfile.etcd

.github/workflows/build-usage-image.yaml

@@ -24,7 +24,7 @@ jobs:
         with:
           registry-type: public
       # Build and publish container image on ECR.
-      - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+      - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: "examples/teleport-usage"
           tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}

.github/workflows/lint-ui.yaml

@@ -53,3 +53,6 @@ jobs:
 
       - name: Run Storybook smoke test
         run: pnpm storybook-smoke-test
+
+      - name: Lint licenses
+        run: make lint-license

.github/workflows/lint.yaml

@@ -204,7 +204,7 @@ jobs:
       - name: Print linter versions
         run: |
           echo "BUF_VERSION=$BUF_VERSION"
-      - uses: bufbuild/buf-setup-action@54abbed4fe8d8d45173eca4798b0c39a53a7b658 # v1.39.0
+      - uses: bufbuild/buf-setup-action@62ee92603c244ad0da98bab36a834a999a5329e6 # v1.43.0
         with:
           github_token: ${{ github.token }}
           version: ${{ env.BUF_VERSION }}

Makefile

@@ -1293,23 +1293,25 @@ ADDLICENSE_COMMON_ARGS := -c 'Gravitational, Inc.' \
 		-ignore '**/*.js' \
 		-ignore '**/*.py' \
 		-ignore '**/*.sh' \
+		-ignore '**/*.sql' \
 		-ignore '**/*.tf' \
 		-ignore '**/*.yaml' \
 		-ignore '**/*.yml' \
-		-ignore '**/*.sql' \
+		-ignore '**/.terraform.lock.hcl' \
 		-ignore '**/Dockerfile' \
+		-ignore '**/node_modules/**' \
 		-ignore 'api/version.go' \
 		-ignore 'docs/pages/includes/**/*.go' \
 		-ignore 'e/**' \
 		-ignore 'gen/**' \
 		-ignore 'gitref.go' \
 		-ignore 'lib/srv/desktop/rdp/rdpclient/target/**' \
 		-ignore 'lib/web/build/**' \
+		-ignore 'target/**' \
 		-ignore 'version.go' \
-		-ignore 'webassets/**' \
-		-ignore '**/node_modules/**' \
 		-ignore 'web/packages/design/src/assets/icomoon/style.css' \
-		-ignore '**/.terraform.lock.hcl' \
+		-ignore 'web/packages/teleport/src/ironrdp/**' \
+		-ignore 'webassets/**' \
 		-ignore 'ignoreme'
 ADDLICENSE_AGPL3_ARGS := $(ADDLICENSE_COMMON_ARGS) \
 		-ignore 'api/**' \

api/client/client.go

@@ -4122,6 +4122,7 @@ func GetResourcesWithFilters(ctx context.Context, clt ListResourcesClient, req p
 			SearchKeywords:      req.SearchKeywords,
 			PredicateExpression: req.PredicateExpression,
 			UseSearchAsRoles:    req.UseSearchAsRoles,
+			UsePreviewAsRoles:   req.UsePreviewAsRoles,
 		})
 		if err != nil {
 			if trace.IsLimitExceeded(err) {
@@ -5084,6 +5085,45 @@ func (c *Client) GetRemoteCluster(ctx context.Context, name string) (types.Remot
 	return rc, trace.Wrap(err)
 }
 
+// ListReverseTunnels returns a page of remote clusters.
+func (c *Client) ListReverseTunnels(ctx context.Context, pageSize int, nextToken string) ([]types.ReverseTunnel, string, error) {
+	res, err := c.PresenceServiceClient().ListReverseTunnels(ctx, &presencepb.ListReverseTunnelsRequest{
+		PageSize:  int32(pageSize),
+		PageToken: nextToken,
+	})
+	if err != nil {
+		return nil, "", trace.Wrap(err)
+	}
+	rcs := make([]types.ReverseTunnel, 0, len(res.ReverseTunnels))
+	for _, rc := range res.ReverseTunnels {
+		rcs = append(rcs, rc)
+	}
+	return rcs, res.NextPageToken, nil
+}
+
+// DeleteReverseTunnel deletes a reverse tunnel resource
+func (c *Client) DeleteReverseTunnel(ctx context.Context, name string) error {
+	_, err := c.PresenceServiceClient().DeleteReverseTunnel(ctx, &presencepb.DeleteReverseTunnelRequest{
+		Name: name,
+	})
+	return trace.Wrap(err)
+}
+
+// UpsertReverseTunnel creates or updates reverse tunnel resource
+func (c *Client) UpsertReverseTunnel(ctx context.Context, rt types.ReverseTunnel) (types.ReverseTunnel, error) {
+	rtV3, ok := rt.(*types.ReverseTunnelV2)
+	if !ok {
+		return nil, trace.BadParameter("unsupported reverse tunnel type %T", rt)
+	}
+	res, err := c.PresenceServiceClient().UpsertReverseTunnel(ctx, &presencepb.UpsertReverseTunnelRequest{
+		ReverseTunnel: rtV3,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return res, nil
+}
+
 // GetRemoteClusters returns all remote clusters.
 // Deprecated: use ListRemoteClusters instead.
 func (c *Client) GetRemoteClusters(ctx context.Context) ([]types.RemoteCluster, error) {

api/client/credentials_test.go

@@ -27,7 +27,6 @@ import (
 	"log"
 	"math/big"
 	"os"
-	"path"
 	"path/filepath"
 	"testing"
 	"time"
@@ -445,7 +444,7 @@ Private-MAC: 8951bbe929e0714a61df01bc8fbc5223e3688f174aee29339931984fb9224c7d`)
 
 func TestDynamicIdentityFileCreds(t *testing.T) {
 	dir := t.TempDir()
-	identityPath := path.Join(dir, "identity")
+	identityPath := filepath.Join(dir, "identity")
 
 	idFile := &identityfile.IdentityFile{
 		PrivateKey: keyPEM,

api/client/mfa.go

@@ -19,8 +19,6 @@ package client
 import (
 	"context"
 
-	"github.com/gravitational/trace"
-
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/mfa"
 )
@@ -29,19 +27,9 @@ import (
 // and prompts the user to answer the challenge with the given promptOpts, and ultimately returning
 // an MFA challenge response for the user.
 func (c *Client) PerformMFACeremony(ctx context.Context, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	// Don't attempt the MFA ceremony if we can't prompt for a response.
-	if c.c.MFAPromptConstructor == nil {
-		return nil, trace.Wrap(&mfa.ErrMFANotSupported, "missing MFAPromptConstructor field, client cannot perform MFA ceremony")
-	}
-
-	return mfa.PerformMFACeremony(ctx, c, challengeRequest, promptOpts...)
-}
-
-// PromptMFA prompts the user for MFA. Implements [mfa.MFACeremonyClient].
-func (c *Client) PromptMFA(ctx context.Context, chal *proto.MFAAuthenticateChallenge, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	if c.c.MFAPromptConstructor == nil {
-		return nil, trace.Wrap(&mfa.ErrMFANotSupported, "missing MFAPromptConstructor field, client cannot prompt for MFA")
+	mfaCeremony := &mfa.Ceremony{
+		CreateAuthenticateChallenge: c.CreateAuthenticateChallenge,
+		PromptConstructor:           c.c.MFAPromptConstructor,
 	}
-
-	return c.c.MFAPromptConstructor(promptOpts...).Run(ctx, chal)
+	return mfaCeremony.Run(ctx, challengeRequest, promptOpts...)
 }