Merge branch 'master' into smallinsky/fix-k8-operator-okta-reconsier

.github/ISSUE_TEMPLATE/testplan.md

@@ -1526,7 +1526,7 @@ Verify that SSH works, and that resumable SSH is not interrupted across a contro
 
 ## Azure Discovery
 
-[Azure Discovery docs](https://goteleport.com/docs/server-access/guides/azure-discovery/)
+[Azure Discovery docs](https://goteleport.com/docs/enroll-resources/auto-discovery/servers/azure-discovery/)
 - Verify Azure VM discovery
   - [ ] Only Azure VMs matching given Azure tags have the installer executed on them
   - [ ] Only the IAM permissions mentioned in the discovery docs are required for operation

Makefile

@@ -364,7 +364,7 @@ $(BUILDDIR)/tctl:
 	@if [[ "$(OS)" != "windows" && -z "$(LIBFIDO2_BUILD_TAG)" ]]; then \
 		echo 'Warning: Building tctl without libfido2. Install libfido2 to have access to MFA.' >&2; \
 	fi
-	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG) go build -tags "$(PAM_TAG) $(FIPS_TAG) $(LIBFIDO2_BUILD_TAG) $(PIV_BUILD_TAG) $(KUSTOMIZE_NO_DYNAMIC_PLUGIN)" -o $(BUILDDIR)/tctl $(BUILDFLAGS) ./tool/tctl
+	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG) go build -tags "$(PAM_TAG) $(FIPS_TAG) $(LIBFIDO2_BUILD_TAG) $(TOUCHID_TAG) $(PIV_BUILD_TAG) $(KUSTOMIZE_NO_DYNAMIC_PLUGIN)" -o $(BUILDDIR)/tctl $(BUILDFLAGS) ./tool/tctl
 
 .PHONY: $(BUILDDIR)/teleport
 # Appending new conditional settings for community build type

api/proto/teleport/accesslist/v1/accesslist.proto

@@ -85,6 +85,10 @@ message AccessListOwner {
   // ineligible_status describes if this owner is eligible or not
   // and if not, describes how they're lacking eligibility.
   IneligibleStatus ineligible_status = 3;
+
+  // membership_kind describes the type of membership, either
+  // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
+  MembershipKind membership_kind = 4;
 }
 
 // AccessListAudit describes the audit configuration for an Access List.
@@ -197,6 +201,21 @@ message MemberSpec {
   // ineligible_status describes if this member is eligible or not
   // and if not, describes how they're lacking eligibility.
   IneligibleStatus ineligible_status = 7;
+
+  // membership_kind describes the type of membership, either
+  // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
+  MembershipKind membership_kind = 9;
+}
+
+// MembershipKind represents the different kinds of list membership
+enum MembershipKind {
+  // MEMBERSHIP_KIND_UNSPECIFIED represents list members that are of
+  // unknown membership kind, defaulting to being treated as type USER
+  MEMBERSHIP_KIND_UNSPECIFIED = 0;
+  // MEMBERSHIP_KIND_USER represents list members that are normal users
+  MEMBERSHIP_KIND_USER = 1;
+  // MEMBERSHIP_KIND_LIST represents list members that are nested Access Lists
+  MEMBERSHIP_KIND_LIST = 2;
 }
 
 // IneligibleStatus describes how the user is ineligible.
@@ -268,6 +287,12 @@ message ReviewChanges {
 
 // AccessListStatus contains dynamic fields calculated during retrieval.
 message AccessListStatus {
-  // member_count is the number of members in the in the Access List.
+  // member_count is the number of members in the Access List.
   optional uint32 member_count = 1;
+  // member_list_count is the number of nested list members in the Access List.
+  optional uint32 member_list_count = 2;
+  // owner_of describes Access Lists where this Access List is an explicit owner.
+  repeated string owner_of = 3;
+  // member_of describes Access Lists where this Access List is an explicit member.
+  repeated string member_of = 4;
 }

api/proto/teleport/legacy/types/events/events.proto

@@ -1892,6 +1892,54 @@ message SFTP {
   string Error = 12 [(gogoproto.jsontag) = "error,omitempty"];
 }
 
+// SFTPSummary is emitted at the end of an SFTP transfer
+message SFTPSummary {
+  // Metadata is a common event metadata
+  Metadata Metadata = 1 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // User is a common user event metadata
+  UserMetadata User = 2 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // ConnectionMetadata holds information about the connection
+  ConnectionMetadata Connection = 3 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // SessionMetadata is a common event session metadata
+  SessionMetadata Session = 4 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // ServerMetadata is a common server metadata
+  ServerMetadata Server = 5 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // FileTransferStats contains statistics about transferred files
+  repeated FileTransferStat FileTransferStats = 6 [(gogoproto.jsontag) = "file_transfer_stats"];
+}
+
+// FileTransferStat is statistics about a transferred file
+message FileTransferStat {
+  string Path = 1 [(gogoproto.jsontag) = "path"];
+  uint64 BytesRead = 2 [(gogoproto.jsontag) = "bytes_read"];
+  uint64 BytesWritten = 3 [(gogoproto.jsontag) = "bytes_written"];
+}
+
 // Subsystem is emitted when a user requests a new subsystem.
 message Subsystem {
   // Metadata is a common event metadata
@@ -4615,6 +4663,7 @@ message OneOf {
     events.UserTaskCreate UserTaskCreate = 188;
     events.UserTaskUpdate UserTaskUpdate = 189;
     events.UserTaskDelete UserTaskDelete = 190;
+    events.SFTPSummary SFTPSummary = 191;
   }
 }
 

api/proto/teleport/legacy/types/types.proto

@@ -6236,6 +6236,8 @@ message PluginSpecV1 {
     PluginDatadogAccessSettings datadog = 15;
     // PluginAWSICSettings holds settings for AWSICSettings
     PluginAWSICSettings aws_ic = 16;
+    // Settings for the Email Access Request plugin
+    PluginEmailSettings email = 17;
   }
 
   // generation contains a unique ID that should:
@@ -6576,6 +6578,45 @@ message AWSICProvisioningSpec {
   string bearer_token = 2;
 }
 
+// PluginEmailSettings holds the settings for an Email Access Request plugin.
+message PluginEmailSettings {
+  option (gogoproto.equal) = true;
+
+  // Sender specifies the email sender.
+  string sender = 1;
+  // FallbackRecipient specifies the default recipient.
+  string fallback_recipient = 2;
+
+  // Spec configures the mail service settings.
+  oneof spec {
+    // MailgunSpec configures Mailgun service settings.
+    MailgunSpec mailgun_spec = 3;
+    // SmtpSpec configures generic SMTP service settings.
+    SMTPSpec smtp_spec = 4;
+  }
+}
+
+// MailgunSpec holds Mailgun-specific settings.
+message MailgunSpec {
+  option (gogoproto.equal) = true;
+
+  // Domain specifies the Mailgun sending domain.
+  string domain = 1;
+}
+
+// SMTPSpec holds a generic SMTP service specific settings.
+message SMTPSpec {
+  option (gogoproto.equal) = true;
+
+  // Host specifies the SMTP service host name.
+  string host = 1;
+  // Port specifies the SMTP service port number.
+  int32 port = 2;
+  // StartTLSPolicy specifies the SMTP start TLS policy used to send emails over
+  // SMTP.
+  string start_tls_policy = 3;
+}
+
 message PluginBootstrapCredentialsV1 {
   oneof credentials {
     PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1;

api/types/accesslist/accesslist.go

@@ -24,6 +24,7 @@ import (
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 
+	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/header"
 	"github.com/gravitational/teleport/api/types/header/convert/legacy"
@@ -75,6 +76,20 @@ func parseReviewFrequency(input string) ReviewFrequency {
 	return 0
 }
 
+// MaxAllowedDepth is the maximum allowed depth for nested access lists.
+const MaxAllowedDepth = 10
+
+var (
+	// MembershipKindUnspecified is the default membership kind (treated as 'user').
+	MembershipKindUnspecified = accesslistv1.MembershipKind_MEMBERSHIP_KIND_UNSPECIFIED.String()
+
+	// MembershipKindUser is the user membership kind.
+	MembershipKindUser = accesslistv1.MembershipKind_MEMBERSHIP_KIND_USER.String()
+
+	// MembershipKindList is the list membership kind.
+	MembershipKindList = accesslistv1.MembershipKind_MEMBERSHIP_KIND_LIST.String()
+)
+
 // ReviewDayOfMonth is the day of month the review should be repeated on.
 type ReviewDayOfMonth int
 
@@ -123,7 +138,7 @@ type AccessList struct {
 	Spec Spec `json:"spec" yaml:"spec"`
 
 	// Status contains dynamically calculated fields.
-	Status Status `json:"-" yaml:"-"`
+	Status Status `json:"status" yaml:"status"`
 }
 
 // Spec is the specification for an access list.
@@ -167,6 +182,10 @@ type Owner struct {
 
 	// IneligibleStatus describes the reason why this owner is not eligible.
 	IneligibleStatus string `json:"ineligible_status" yaml:"ineligible_status"`
+
+	// MembershipKind describes the kind of ownership,
+	// either "MEMBERSHIP_KIND_USER" or "MEMBERSHIP_KIND_LIST".
+	MembershipKind string `json:"membership_kind" yaml:"membership_kind"`
 }
 
 // Audit describes the audit configuration for an access list.
@@ -224,7 +243,14 @@ type Grants struct {
 // Status contains dynamic fields calculated during retrieval.
 type Status struct {
 	// MemberCount is the number of members in the access list.
-	MemberCount *uint32
+	MemberCount *uint32 `json:"-" yaml:"-"`
+	// MemberListCount is the number of members in the access list that are lists themselves.
+	MemberListCount *uint32 `json:"-" yaml:"-"`
+
+	// OwnerOf is a list of Access List UUIDs where this access list is an explicit owner.
+	OwnerOf []string `json:"owner_of" yaml:"owner_of"`
+	// MemberOf is a list of Access List UUIDs where this access list is an explicit member.
+	MemberOf []string `json:"member_of" yaml:"member_of"`
 }
 
 // NewAccessList will create a new access list.
@@ -286,10 +312,6 @@ func (a *AccessList) CheckAndSetDefaults() error {
 		a.Spec.Audit.Notifications.Start = twoWeeks
 	}
 
-	if len(a.Spec.Grants.Roles) == 0 && len(a.Spec.Grants.Traits) == 0 {
-		return trace.BadParameter("grants must specify at least one role or trait")
-	}
-
 	// Deduplicate owners. The backend will currently prevent this, but it's possible that access lists
 	// were created with duplicated owners before the backend checked for duplicate owners. In order to
 	// ensure that these access lists are backwards compatible, we'll deduplicate them here.
@@ -299,6 +321,9 @@ func (a *AccessList) CheckAndSetDefaults() error {
 		if owner.Name == "" {
 			return trace.BadParameter("owner name is missing")
 		}
+		if owner.MembershipKind == "" {
+			owner.MembershipKind = MembershipKindUser
+		}
 
 		if _, ok := ownerMap[owner.Name]; ok {
 			continue
@@ -317,7 +342,7 @@ func (a *AccessList) GetOwners() []Owner {
 	return a.Spec.Owners
 }
 
-// GetOwners returns the list of owners from the access list.
+// SetOwners sets the owners of the access list.
 func (a *AccessList) SetOwners(owners []Owner) {
 	a.Spec.Owners = owners
 }
@@ -337,6 +362,11 @@ func (a *AccessList) GetGrants() Grants {
 	return a.Spec.Grants
 }
 
+// GetOwnerGrants returns the owner grants from the access list.
+func (a *AccessList) GetOwnerGrants() Grants {
+	return a.Spec.OwnerGrants
+}
+
 // GetMetadata returns metadata. This is specifically for conforming to the Resource interface,
 // and should be removed when possible.
 func (a *AccessList) GetMetadata() types.Metadata {