Merge branch 'master' into avatus/eslint

# Conflicts:
#	pnpm-lock.yaml

.golangci.yml

@@ -113,6 +113,8 @@ linters-settings:
             desc: 'use "golang.org/x/mod/semver" or "coreos/go-semver/semver" instead'
           - pkg: github.com/microsoftgraph/msgraph-sdk-go
             desc: 'use "github.com/gravitational/teleport/lib/msgraph" instead'
+          - pkg: github.com/cloudflare/cfssl
+            desc: 'use "crypto" or "x/crypto" instead'
       # Prevent logrus from being imported by api and e. Once everything in teleport has been converted
       # to use log/slog this should be moved into the main block above.
       logrus:

api/accessrequest/access_request.go

@@ -58,7 +58,7 @@ func GetResourceDetails(ctx context.Context, clusterName string, lister client.L
 	var resourceIDs []types.ResourceID
 	for _, resourceID := range ids {
 		// We're interested in hostname or friendly name details. These apply to
-		// nodes, app servers, and user groups.
+		// nodes, app servers, user groups and Identity Center resources.
 		switch resourceID.Kind {
 		case types.KindNode, types.KindApp, types.KindUserGroup, types.KindIdentityCenterAccount:
 			resourceIDs = append(resourceIDs, resourceID)

api/go.mod

@@ -22,10 +22,10 @@ require (
 	go.opentelemetry.io/otel/sdk v1.32.0
 	go.opentelemetry.io/otel/trace v1.32.0
 	go.opentelemetry.io/proto/otlp v1.4.0
-	golang.org/x/crypto v0.29.0
+	golang.org/x/crypto v0.31.0
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
 	golang.org/x/net v0.31.0
-	golang.org/x/term v0.26.0
+	golang.org/x/term v0.27.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697
 	google.golang.org/grpc v1.68.0
 	google.golang.org/protobuf v1.35.2
@@ -45,8 +45,8 @@ require (
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russellhaering/goxmldsig v1.4.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

api/go.sum

@@ -938,8 +938,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1185,8 +1185,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -1197,8 +1197,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1217,8 +1217,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

api/proto/teleport/legacy/types/types.proto

@@ -1108,6 +1108,8 @@ message Header {
 // PortRange can be used to describe a single port in which case the Port field is the port and the
 // EndPort field is 0.
 message PortRange {
+  option (gogoproto.goproto_stringer) = false;
+  option (gogoproto.stringer) = false;
   // Port describes the start of the range. It must be between 1 and 65535.
   uint32 Port = 1 [(gogoproto.jsontag) = "port"];
   // EndPort describes the end of the range, inclusive. If set, it must be between 2 and 65535 and
@@ -3437,6 +3439,18 @@ message RoleConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "github_permissions,omitempty"
   ];
+
+  // WorkloadIdentityLabels controls whether or not specific WorkloadIdentity
+  // resources can be invoked. Further authorization controls exist on the
+  // WorkloadIdentity resource itself.
+  wrappers.LabelValues WorkloadIdentityLabels = 44 [
+    (gogoproto.nullable) = false,
+    (gogoproto.jsontag) = "workload_identity_labels,omitempty",
+    (gogoproto.customtype) = "Labels"
+  ];
+  // WorkloadIdentityLabelsExpression is a predicate expression used to
+  // allow/deny access to issuing a WorkloadIdentity.
+  string WorkloadIdentityLabelsExpression = 45 [(gogoproto.jsontag) = "workload_identity_labels_expression,omitempty"];
 }
 
 // IdentityCenterAccountAssignment captures an AWS Identity Center account

api/proto/teleport/notifications/v1/notifications.proto

@@ -86,6 +86,9 @@ message GlobalNotificationSpec {
   bool match_all_conditions = 4;
   // notification is the notification itself.
   Notification notification = 5;
+  // exclude_users is a list of usernames of users who should never match this notification
+  // under any circumstances.
+  repeated string exclude_users = 6;
 }
 
 // ByPermissions represents the RoleConditions needed for a user to receive this notification.

api/proto/teleport/usertasks/v1/user_tasks.proto

@@ -37,6 +37,8 @@ message UserTask {
   teleport.header.v1.Metadata metadata = 4;
   // The configured properties of UserTask.
   UserTaskSpec spec = 5;
+  // The current status for this UserTask.
+  UserTaskStatus status = 6;
 }
 
 // UserTaskSpec contains the properties of the UserTask.
@@ -62,6 +64,12 @@ message UserTaskSpec {
   DiscoverEKS discover_eks = 6;
 }
 
+// UserTaskStatus contains the current status for the UserTask.
+message UserTaskStatus {
+  // LastStateChange is the timestamp when the UserTask state was last modified.
+  google.protobuf.Timestamp last_state_change = 1;
+}
+
 // DiscoverEC2 contains the instances that failed to auto-enroll into the cluster.
 message DiscoverEC2 {
   // Instances maps an instance id to the result of enrolling that instance into teleport.

api/types/app.go

@@ -19,6 +19,8 @@ package types
 import (
 	"fmt"
 	"net/url"
+	"slices"
+	"strconv"
 	"strings"
 	"time"
 
@@ -88,7 +90,7 @@ type Application interface {
 	// GetCORS returns the CORS configuration for the app.
 	GetCORS() *CORSPolicy
 	// GetTCPPorts returns port ranges supported by the app to which connections can be forwarded to.
-	GetTCPPorts() []*PortRange
+	GetTCPPorts() PortRanges
 	// SetTCPPorts sets port ranges to which connections can be forwarded to.
 	SetTCPPorts([]*PortRange)
 	// GetIdentityCenter fetches identity center info for the app, if any.
@@ -314,7 +316,7 @@ func (a *AppV3) SetUserGroups(userGroups []string) {
 }
 
 // GetTCPPorts returns port ranges supported by the app to which connections can be forwarded to.
-func (a *AppV3) GetTCPPorts() []*PortRange {
+func (a *AppV3) GetTCPPorts() PortRanges {
 	return a.Spec.TCPPorts
 }
 
@@ -472,7 +474,7 @@ func (a *AppV3) GetDisplayName() string {
 	if a.Spec.IdentityCenter == nil {
 		return ""
 	}
-	return a.GetName()
+	return a.Metadata.Description
 }
 
 // IsEqual determines if two application resources are equivalent to one another.
@@ -537,3 +539,34 @@ func (a *AppIdentityCenter) GetPermissionSets() []*IdentityCenterPermissionSet {
 	}
 	return a.PermissionSets
 }
+
+// PortRanges is a list of port ranges.
+type PortRanges []*PortRange
+
+// Contains checks if targetPort is within any of the port ranges.
+func (p PortRanges) Contains(targetPort int) bool {
+	return slices.ContainsFunc(p, func(portRange *PortRange) bool {
+		return netutils.IsPortInRange(int(portRange.Port), int(portRange.EndPort), targetPort)
+	})
+}
+
+// String returns a string representation of port ranges.
+func (p PortRanges) String() string {
+	var builder strings.Builder
+	for i, portRange := range p {
+		if i > 0 {
+			builder.WriteString(", ")
+		}
+		builder.WriteString(portRange.String())
+	}
+	return builder.String()
+}
+
+// String returns a string representation of a port range.
+func (p *PortRange) String() string {
+	if p.EndPort == 0 {
+		return strconv.Itoa(int(p.Port))
+	} else {
+		return fmt.Sprintf("%d-%d", p.Port, p.EndPort)
+	}
+}

api/types/app_test.go

@@ -18,6 +18,7 @@ package types
 
 import (
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/gravitational/trace"
@@ -563,6 +564,31 @@ func TestNewAppV3(t *testing.T) {
 	}
 }
 
+func TestPortRangesContains(t *testing.T) {
+	portRanges := PortRanges([]*PortRange{
+		&PortRange{Port: 10, EndPort: 20},
+		&PortRange{Port: 42},
+	})
+
+	tests := []struct {
+		port int
+		want require.BoolAssertionFunc
+	}{
+		{port: 10, want: require.True},
+		{port: 20, want: require.True},
+		{port: 15, want: require.True},
+		{port: 42, want: require.True},
+		{port: 30, want: require.False},
+		{port: 0, want: require.False},
+	}
+
+	for _, tt := range tests {
+		t.Run(strconv.Itoa(tt.port), func(t *testing.T) {
+			tt.want(t, portRanges.Contains(tt.port))
+		})
+	}
+}
+
 func hasNoErr(t require.TestingT, err error, msgAndArgs ...interface{}) {
 	require.NoError(t, err, msgAndArgs...)
 }

api/types/constants.go

@@ -1304,6 +1304,8 @@ var RequestableResourceKinds = []string{
 	KindKubeCertificateSigningRequest,
 	KindKubeIngress,
 	KindSAMLIdPServiceProvider,
+	KindIdentityCenterAccount,
+	KindIdentityCenterAccountAssignment,
 }
 
 // The list below needs to be kept in sync with `kubernetesResourceKindOptions`

api/types/role.go

@@ -107,6 +107,13 @@ type Role interface {
 	// SetNodeLabels sets the map of node labels this role is allowed or denied access to.
 	SetNodeLabels(RoleConditionType, Labels)
 
+	// GetWorkloadIdentityLabels gets the map of node labels this role is
+	// allowed or denied access to.
+	GetWorkloadIdentityLabels(RoleConditionType) Labels
+	// SetWorkloadIdentityLabels sets the map of WorkloadIdentity labels this
+	// role is allowed or denied access to.
+	SetWorkloadIdentityLabels(RoleConditionType, Labels)
+
 	// GetAppLabels gets the map of app labels this role is allowed or denied access to.
 	GetAppLabels(RoleConditionType) Labels
 	// SetAppLabels sets the map of app labels this role is allowed or denied access to.
@@ -616,6 +623,25 @@ func (r *RoleV6) SetNodeLabels(rct RoleConditionType, labels Labels) {
 	}
 }
 
+// GetWorkloadIdentityLabels gets the map of WorkloadIdentity labels for
+// allow or deny.
+func (r *RoleV6) GetWorkloadIdentityLabels(rct RoleConditionType) Labels {
+	if rct == Allow {
+		return r.Spec.Allow.WorkloadIdentityLabels
+	}
+	return r.Spec.Deny.WorkloadIdentityLabels
+}
+
+// SetWorkloadIdentityLabels sets the map of WorkloadIdentity labels this role
+// is allowed or denied access to.
+func (r *RoleV6) SetWorkloadIdentityLabels(rct RoleConditionType, labels Labels) {
+	if rct == Allow {
+		r.Spec.Allow.WorkloadIdentityLabels = labels.Clone()
+	} else {
+		r.Spec.Deny.WorkloadIdentityLabels = labels.Clone()
+	}
+}
+
 // GetAppLabels gets the map of app labels this role is allowed or denied access to.
 func (r *RoleV6) GetAppLabels(rct RoleConditionType) Labels {
 	if rct == Allow {
@@ -1255,6 +1281,7 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 		r.Spec.Allow.DatabaseLabels,
 		r.Spec.Allow.WindowsDesktopLabels,
 		r.Spec.Allow.GroupLabels,
+		r.Spec.Allow.WorkloadIdentityLabels,
 	} {
 		if err := checkWildcardSelector(labels); err != nil {
 			return trace.Wrap(err)
@@ -1970,6 +1997,8 @@ func (r *RoleV6) GetLabelMatchers(rct RoleConditionType, kind string) (LabelMatc
 		return LabelMatchers{cond.GroupLabels, cond.GroupLabelsExpression}, nil
 	case KindGitServer:
 		return r.makeGitServerLabelMatchers(cond), nil
+	case KindWorkloadIdentity:
+		return LabelMatchers{cond.WorkloadIdentityLabels, cond.WorkloadIdentityLabelsExpression}, nil
 	}
 	return LabelMatchers{}, trace.BadParameter("can't get label matchers for resource kind %q", kind)
 }
@@ -2023,6 +2052,10 @@ func (r *RoleV6) SetLabelMatchers(rct RoleConditionType, kind string, labelMatch
 		cond.GroupLabels = labelMatchers.Labels
 		cond.GroupLabelsExpression = labelMatchers.Expression
 		return nil
+	case KindWorkloadIdentity:
+		cond.WorkloadIdentityLabels = labelMatchers.Labels
+		cond.WorkloadIdentityLabelsExpression = labelMatchers.Expression
+		return nil
 	}
 	return trace.BadParameter("can't set label matchers for resource kind %q", kind)
 }
@@ -2250,8 +2283,23 @@ func (h CreateDatabaseUserMode) encode() (string, error) {
 func (h *CreateDatabaseUserMode) decode(val any) error {
 	var str string
 	switch val := val.(type) {
+	case int32:
+		return trace.Wrap(h.setFromEnum(val))
+	case int64:
+		return trace.Wrap(h.setFromEnum(int32(val)))
+	case int:
+		return trace.Wrap(h.setFromEnum(int32(val)))
+	case float64:
+		return trace.Wrap(h.setFromEnum(int32(val)))
+	case float32:
+		return trace.Wrap(h.setFromEnum(int32(val)))
 	case string:
 		str = val
+	case bool:
+		if val {
+			return trace.BadParameter("create_database_user_mode cannot be true, got %v", val)
+		}
+		str = createHostUserModeOffString
 	default:
 		return trace.BadParameter("bad value type %T, expected string", val)
 	}
@@ -2272,6 +2320,15 @@ func (h *CreateDatabaseUserMode) decode(val any) error {
 	return nil
 }
 
+// setFromEnum sets the value from enum value as int32.
+func (h *CreateDatabaseUserMode) setFromEnum(val int32) error {
+	if _, ok := CreateDatabaseUserMode_name[val]; !ok {
+		return trace.BadParameter("invalid database user creation mode %v", val)
+	}
+	*h = CreateDatabaseUserMode(val)
+	return nil
+}
+
 // UnmarshalYAML supports parsing CreateDatabaseUserMode from string.
 func (h *CreateDatabaseUserMode) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	var val interface{}