Merge branch 'bl-nero/role-editor-7' into bl-nero/role-editor-8

api/client/client.go

@@ -3899,6 +3899,8 @@ func convertEnrichedResource(resource *proto.PaginatedResource) (*types.Enriched
 		return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
 	} else if r := resource.GetSAMLIdPServiceProvider(); r != nil {
 		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
+	} else if r := resource.GetGitServer(); r != nil {
+		return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", resource.Resource)
 	}

api/client/webclient/webclient.go

@@ -47,6 +47,15 @@ import (
 	"github.com/gravitational/teleport/api/utils/keys"
 )
 
+const (
+	// AgentUpdateGroupParameter is the parameter used to specify the updater
+	// group when doing a Ping() or Find() query.
+	// The proxy server will modulate the auto_update part of the PingResponse
+	// based on the specified group. e.g. some groups might need to update
+	// before others.
+	AgentUpdateGroupParameter = "group"
+)
+
 // Config specifies information when building requests with the
 // webclient.
 type Config struct {
@@ -183,7 +192,7 @@ func findWithClient(cfg *Config, clt *http.Client) (*PingResponse, error) {
 	}
 	if cfg.UpdateGroup != "" {
 		endpoint.RawQuery = url.Values{
-			"group": []string{cfg.UpdateGroup},
+			AgentUpdateGroupParameter: []string{cfg.UpdateGroup},
 		}.Encode()
 	}
 
@@ -232,7 +241,7 @@ func pingWithClient(cfg *Config, clt *http.Client) (*PingResponse, error) {
 	}
 	if cfg.UpdateGroup != "" {
 		endpoint.RawQuery = url.Values{
-			"group": []string{cfg.UpdateGroup},
+			AgentUpdateGroupParameter: []string{cfg.UpdateGroup},
 		}.Encode()
 	}
 	if cfg.ConnectorName != "" {

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -1968,6 +1968,8 @@ message PaginatedResource {
     types.AppServerOrSAMLIdPServiceProviderV1 AppServerOrSAMLIdPServiceProvider = 11 [deprecated = true];
     // SAMLIdPServiceProvider represents a SAML IdP service provider resource.
     types.SAMLIdPServiceProviderV1 SAMLIdPServiceProvider = 12 [(gogoproto.jsontag) = "saml_idp_service_provider,omitempty"];
+    // GitServer represents a Git server resource.
+    types.ServerV2 git_server = 15;
   }
 
   // Logins allowed for the included resource. Only to be populated for SSH and Desktops.

api/types/appserver.go

@@ -86,13 +86,15 @@ func NewAppServerV3FromApp(app *AppV3, hostname, hostID string) (*AppServerV3, e
 
 // NewAppServerForAWSOIDCIntegration creates a new AppServer that will be used to grant AWS App Access
 // using the AWSOIDC credentials.
-func NewAppServerForAWSOIDCIntegration(integrationName, hostID, publicAddr string) (*AppServerV3, error) {
+func NewAppServerForAWSOIDCIntegration(integrationName, hostID, publicAddr string, labels map[string]string) (*AppServerV3, error) {
 	return NewAppServerV3(Metadata{
-		Name: integrationName,
+		Name:   integrationName,
+		Labels: labels,
 	}, AppServerSpecV3{
 		HostID: hostID,
 		App: &AppV3{Metadata: Metadata{
-			Name: integrationName,
+			Name:   integrationName,
+			Labels: labels,
 		}, Spec: AppSpecV3{
 			URI:         constants.AWSConsoleURL,
 			Integration: integrationName,

api/types/appserver_test.go

@@ -63,6 +63,7 @@ func TestNewAppServerForAWSOIDCIntegration(t *testing.T) {
 		integratioName string
 		hostID         string
 		publicAddr     string
+		labels         map[string]string
 		expectedApp    *AppServerV3
 		errCheck       require.ErrorAssertionFunc
 	}{
@@ -71,12 +72,14 @@ func TestNewAppServerForAWSOIDCIntegration(t *testing.T) {
 			integratioName: "valid",
 			hostID:         "my-host-id",
 			publicAddr:     "valid.proxy.example.com",
+			labels:         map[string]string{"account_id": "123456789012"},
 			expectedApp: &AppServerV3{
 				Kind:    KindAppServer,
 				Version: V3,
 				Metadata: Metadata{
 					Name:      "valid",
 					Namespace: "default",
+					Labels:    map[string]string{"account_id": "123456789012"},
 				},
 				Spec: AppServerSpecV3{
 					Version: api.Version,
@@ -87,6 +90,7 @@ func TestNewAppServerForAWSOIDCIntegration(t *testing.T) {
 						Metadata: Metadata{
 							Name:      "valid",
 							Namespace: "default",
+							Labels:    map[string]string{"account_id": "123456789012"},
 						},
 						Spec: AppSpecV3{
 							URI:         "https://console.aws.amazon.com",
@@ -106,7 +110,7 @@ func TestNewAppServerForAWSOIDCIntegration(t *testing.T) {
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
-			app, err := NewAppServerForAWSOIDCIntegration(tt.integratioName, tt.hostID, tt.publicAddr)
+			app, err := NewAppServerForAWSOIDCIntegration(tt.integratioName, tt.hostID, tt.publicAddr, tt.labels)
 			if tt.errCheck != nil {
 				tt.errCheck(t, err)
 			}

api/types/kubernetes_test.go

@@ -30,7 +30,7 @@ func TestKubeClustersSorter(t *testing.T) {
 		servers := make([]KubeCluster, len(testVals))
 		for i := 0; i < len(testVals); i++ {
 			var err error
-			servers[i], err = NewKubernetesClusterV3FromLegacyCluster("_", &KubernetesCluster{
+			servers[i], err = NewKubernetesClusterV3FromLegacyCluster("", &KubernetesCluster{
 				Name: testVals[i],
 			})
 			require.NoError(t, err)

api/types/namespace.go

@@ -143,3 +143,17 @@ func IsValidNamespace(s string) bool {
 }
 
 var validNamespace = regexp.MustCompile(`^[A-Za-z0-9]+$`)
+
+// ValidateNamespaceDefault ensures that the namespace is the "default"
+// namespace.
+// This is a precursor to a hard-removal of namespaces.
+func ValidateNamespaceDefault(ns string) error {
+	if ns == defaults.Namespace {
+		return nil
+	}
+
+	const message = "" +
+		"namespace %q invalid, custom namespaces are deprecated; " +
+		"the namespace field should be omitted or set to %q"
+	return trace.BadParameter(message, ns, defaults.Namespace)
+}

api/types/presence.go

@@ -67,9 +67,13 @@ func (s *KeepAlive) CheckAndSetDefaults() error {
 	if s.IsEmpty() {
 		return trace.BadParameter("missing resource name")
 	}
+
 	if s.Namespace == "" {
 		s.Namespace = defaults.Namespace
 	}
+	if err := ValidateNamespaceDefault(s.Namespace); err != nil {
+		return trace.Wrap(err)
+	}
 
 	return nil
 }

api/types/resource.go

@@ -139,6 +139,20 @@ type EnrichedResource struct {
 	RequiresRequest bool
 }
 
+// EnrichedResources is a wrapper of []*EnrichedResource.
+// A EnrichedResource is a [ResourceWithLabels] wrapped with additional
+// user-specific information.
+type EnrichedResources []*EnrichedResource
+
+// ToResourcesWithLabels converts to ResourcesWithLabels.
+func (r EnrichedResources) ToResourcesWithLabels() ResourcesWithLabels {
+	ret := make(ResourcesWithLabels, 0, len(r))
+	for _, resource := range r {
+		ret = append(ret, resource.ResourceWithLabels)
+	}
+	return ret
+}
+
 // ResourcesWithLabels is a list of labeled resources.
 type ResourcesWithLabels []ResourceWithLabels
 
@@ -464,9 +478,13 @@ func (m *Metadata) CheckAndSetDefaults() error {
 	if m.Name == "" {
 		return trace.BadParameter("missing parameter Name")
 	}
+
 	if m.Namespace == "" {
 		m.Namespace = defaults.Namespace
 	}
+	if err := ValidateNamespaceDefault(m.Namespace); err != nil {
+		return trace.Wrap(err)
+	}
 
 	// adjust expires time to UTC if it's set
 	if m.Expires != nil {

api/types/resource_test.go

@@ -266,7 +266,7 @@ func TestMatchSearch_ResourceSpecific(t *testing.T) {
 			name:               "kube cluster",
 			matchingSearchVals: []string{"foo", "prod", "env"},
 			newResource: func(t *testing.T) ResourceWithLabels {
-				kc, err := NewKubernetesClusterV3FromLegacyCluster("_", &KubernetesCluster{
+				kc, err := NewKubernetesClusterV3FromLegacyCluster("", &KubernetesCluster{
 					Name:         "foo",
 					StaticLabels: labels,
 				})

api/types/role.go

@@ -1071,8 +1071,9 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 	if len(r.Spec.Options.BPF) == 0 {
 		r.Spec.Options.BPF = defaults.EnhancedEvents()
 	}
-	if r.Spec.Allow.Namespaces == nil {
-		r.Spec.Allow.Namespaces = []string{defaults.Namespace}
+	if err := checkAndSetRoleConditionNamespaces(&r.Spec.Allow.Namespaces); err != nil {
+		// Using trace.BadParameter instead of trace.Wrap for a better error message.
+		return trace.BadParameter("allow: %s", err)
 	}
 	if r.Spec.Options.RecordSession == nil {
 		r.Spec.Options.RecordSession = &RecordSession{
@@ -1175,8 +1176,9 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 		return trace.BadParameter("unrecognized role version: %v", r.Version)
 	}
 
-	if r.Spec.Deny.Namespaces == nil {
-		r.Spec.Deny.Namespaces = []string{defaults.Namespace}
+	if err := checkAndSetRoleConditionNamespaces(&r.Spec.Deny.Namespaces); err != nil {
+		// Using trace.BadParameter instead of trace.Wrap for a better error message.
+		return trace.BadParameter("deny: %s", err)
 	}
 
 	// Validate request.kubernetes_resources fields are all valid.
@@ -1322,6 +1324,27 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 	return nil
 }
 
+func checkAndSetRoleConditionNamespaces(namespaces *[]string) error {
+	// If nil use the default.
+	// This distinguishes between nil and empty (in accordance to legacy code).
+	if *namespaces == nil {
+		*namespaces = []string{defaults.Namespace}
+		return nil
+	}
+
+	for i, ns := range *namespaces {
+		if ns == Wildcard {
+			continue // OK, wildcard is accepted.
+		}
+		if err := ValidateNamespaceDefault(ns); err != nil {
+			// Using trace.BadParameter instead of trace.Wrap for a better error message.
+			return trace.BadParameter("namespaces[%d]: %s", i, err)
+		}
+	}
+
+	return nil
+}
+
 // String returns the human readable representation of a role.
 func (r *RoleV6) String() string {
 	options, _ := json.Marshal(r.Spec.Options)

api/types/server.go

@@ -855,3 +855,12 @@ func GetGitHubOrgFromNodeAddr(addr string) (string, bool) {
 	}
 	return "", false
 }
+
+// GetOrganizationURL returns the URL to the GitHub organization.
+func (m *GitHubServerMetadata) GetOrganizationURL() string {
+	if m == nil {
+		return ""
+	}
+	// Public github.com for now.
+	return fmt.Sprintf("%s/%s", GithubURL, m.Organization)
+}

examples/teleport-usage/Dockerfile

@@ -1,6 +1,6 @@
 ARG BASE_IMAGE=gcr.io/distroless/static-debian12
 
-FROM golang:1.21-bookworm as builder
+FROM golang:1.22-bookworm as builder
 
 WORKDIR /go/src/github.com/gravitational/teleport/examples/teleport-usage
 

examples/teleport-usage/go.mod

@@ -1,6 +1,6 @@
 module usage-script
 
-go 1.19
+go 1.22
 
 require (
 	github.com/aws/aws-sdk-go v1.47.4