Merge branch 'branch/v15' into zmb3/v15-backport-51250

gravitational · Feb 13, 2025 · eaa7fa5 · eaa7fa5
2 parents 1120852 + ddde5f6
commit eaa7fa5
Show file tree

Hide file tree

Showing 23 changed files with 87 additions and 67 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -31,10 +31,6 @@ issues:
     - path: lib/utils/aws/stsutils/sts_v1.go
       linters: [forbidigo]
       text: 'sts.New'
-    # TODO(codingllama): Remove once e/ is updated.
-    - path: e/lib/cloud/aws/aws.go
-      linters: [forbidigo]
-      text: 'sts.NewFromConfig'
   exclude-use-default: true
   max-same-issues: 0
   max-issues-per-linter: 0
@@ -166,6 +162,6 @@ linters-settings:
         msg: 'Use stsutils.NewV1'
 
 run:
-  go: '1.22'
+  go: '1.23'
   build-tags: []
   timeout: 15m
diff --git a/README.md b/README.md
@@ -54,12 +54,12 @@ Teleport includes an identity-aware access proxy, a CA that issues short-lived c
 
 We have implemented Teleport as a single Go binary that integrates with multiple protocols and cloud services:
 
-* [SSH nodes](https://goteleport.com/docs/server-access/introduction/).
-* [Kubernetes clusters](https://goteleport.com/docs/kubernetes-access/introduction/)
-* [PostgreSQL, MongoDB, CockroachDB and MySQL databases](https://goteleport.com/docs/database-access/introduction/).
-* [Internal Web apps](https://goteleport.com/docs/application-access/introduction/).
-* [Windows Hosts](https://goteleport.com/docs/desktop-access/introduction/).
-* [Networked servers](https://goteleport.com/docs/server-access/introduction/).
+* [SSH nodes](https://goteleport.com/docs/enroll-resources/server-access/).
+* [Kubernetes clusters](https://goteleport.com/docs/enroll-resources/kubernetes-access/)
+* [PostgreSQL, MongoDB, CockroachDB and MySQL databases](https://goteleport.com/docs/enroll-resources/database-access/).
+* [Internal Web apps](https://goteleport.com/docs/enroll-resources/application-access/).
+* [Windows Hosts](https://goteleport.com/docs/enroll-resources/desktop-access/).
+* [Networked servers](https://goteleport.com/docs/enroll-resources/server-access/).
 
 You can set up Teleport as a [Linux daemon](https://goteleport.com/docs/admin-guides/deploy-a-cluster/linux-demo) or a [Kubernetes deployment](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/).
 

diff --git a/build.assets/Dockerfile-grpcbox b/build.assets/Dockerfile-grpcbox
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM docker.io/golang:1.23
+FROM docker.io/golang:1.23.6
 
 # Image layers go from less likely to most likely to change.
 RUN apt-get update && \

diff --git a/build.assets/versions.mk b/build.assets/versions.mk
@@ -3,8 +3,8 @@
 # Keep versions in sync with devbox.json, when applicable.
 
 # Sync with devbox.json.
-GOLANG_VERSION ?= go1.22.12
-GOLANGCI_LINT_VERSION ?= v1.63.4
+GOLANG_VERSION ?= go1.23.6
+GOLANGCI_LINT_VERSION ?= v1.64.2
 
 NODE_VERSION ?= 20.18.0
 

diff --git a/docs/config.json b/docs/config.json
@@ -134,8 +134,8 @@
       "aws_secret_access_key": "zyxw9876-this-is-an-example"
     },
     "cloud": {
-      "version": "16.4.11",
-      "major_version": "16",
+      "version": "17.2.3",
+      "major_version": "17",
       "sla": {
         "monthly_percentage": "99.9%",
         "monthly_downtime": "44 minutes"

diff --git a/e b/e
diff --git a/e_imports.go b/e_imports.go
@@ -48,15 +48,17 @@ xargs go list -find -f '{{if (and
 
 import (
 	_ "connectrpc.com/connect"
+	_ "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	_ "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	_ "github.com/alecthomas/kingpin/v2"
 	_ "github.com/aws/aws-sdk-go-v2/aws"
+	_ "github.com/aws/aws-sdk-go-v2/aws/arn"
 	_ "github.com/aws/aws-sdk-go-v2/config"
 	_ "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	_ "github.com/aws/aws-sdk-go-v2/service/athena"
 	_ "github.com/aws/aws-sdk-go-v2/service/athena/types"
 	_ "github.com/aws/aws-sdk-go-v2/service/glue"
 	_ "github.com/aws/aws-sdk-go-v2/service/s3"
-	_ "github.com/aws/aws-sdk-go-v2/service/sts"
 	_ "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	_ "github.com/beevik/etree"
 	_ "github.com/coreos/go-oidc/jose"
@@ -66,13 +68,14 @@ import (
 	_ "github.com/crewjam/saml"
 	_ "github.com/crewjam/saml/samlsp"
 	_ "github.com/elimity-com/scim/schema"
+	_ "github.com/ghodss/yaml"
 	_ "github.com/go-piv/piv-go/piv"
-	_ "github.com/gogo/protobuf/gogoproto"
 	_ "github.com/gogo/protobuf/proto"
 	_ "github.com/google/go-attestation/attest"
 	_ "github.com/google/go-cmp/cmp"
 	_ "github.com/google/go-cmp/cmp/cmpopts"
 	_ "github.com/google/go-tpm-tools/simulator"
+	_ "github.com/google/safetext/shsprintf"
 	_ "github.com/google/uuid"
 	_ "github.com/gravitational/license"
 	_ "github.com/gravitational/license/generate"
@@ -110,9 +113,13 @@ import (
 	_ "golang.org/x/exp/maps"
 	_ "golang.org/x/mod/semver"
 	_ "golang.org/x/net/html"
+	_ "golang.org/x/net/http/httpproxy"
+	_ "golang.org/x/net/http2"
 	_ "golang.org/x/oauth2"
 	_ "golang.org/x/oauth2/google"
 	_ "golang.org/x/sync/errgroup"
+	_ "golang.org/x/sync/semaphore"
+	_ "golang.org/x/sync/singleflight"
 	_ "golang.org/x/time/rate"
 	_ "google.golang.org/api/admin/directory/v1"
 	_ "google.golang.org/api/cloudidentity/v1"
@@ -124,10 +131,14 @@ import (
 	_ "google.golang.org/grpc/credentials"
 	_ "google.golang.org/grpc/credentials/insecure"
 	_ "google.golang.org/grpc/health"
+	_ "google.golang.org/grpc/health/grpc_health_v1"
 	_ "google.golang.org/grpc/metadata"
 	_ "google.golang.org/grpc/status"
 	_ "google.golang.org/grpc/test/bufconn"
+	_ "google.golang.org/protobuf/encoding/protojson"
 	_ "google.golang.org/protobuf/proto"
+	_ "google.golang.org/protobuf/reflect/protoreflect"
+	_ "google.golang.org/protobuf/runtime/protoimpl"
 	_ "google.golang.org/protobuf/testing/protocmp"
 	_ "google.golang.org/protobuf/types/known/emptypb"
 	_ "google.golang.org/protobuf/types/known/fieldmaskpb"
@@ -136,6 +147,7 @@ import (
 	_ "gopkg.in/check.v1"
 	_ "k8s.io/apimachinery/pkg/util/yaml"
 
+	_ "github.com/gravitational/teleport/api"
 	_ "github.com/gravitational/teleport/api/accessrequest"
 	_ "github.com/gravitational/teleport/api/breaker"
 	_ "github.com/gravitational/teleport/api/client"
@@ -144,7 +156,11 @@ import (
 	_ "github.com/gravitational/teleport/api/constants"
 	_ "github.com/gravitational/teleport/api/defaults"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/attestation/v1"
+	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
+	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
+	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
+	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
@@ -155,10 +171,13 @@ import (
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/scim/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1"
 	_ "github.com/gravitational/teleport/api/gen/proto/go/usageevents/v1"
+	_ "github.com/gravitational/teleport/api/metadata"
 	_ "github.com/gravitational/teleport/api/mfa"
 	_ "github.com/gravitational/teleport/api/types"
+	_ "github.com/gravitational/teleport/api/types/accessgraph"
 	_ "github.com/gravitational/teleport/api/types/accesslist"
 	_ "github.com/gravitational/teleport/api/types/accesslist/convert/v1"
+	_ "github.com/gravitational/teleport/api/types/discoveryconfig"
 	_ "github.com/gravitational/teleport/api/types/events"
 	_ "github.com/gravitational/teleport/api/types/externalauditstorage"
 	_ "github.com/gravitational/teleport/api/types/externalauditstorage/convert/v1"

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/gravitational/teleport
 
-go 1.22.12
+go 1.23.6
 
 require (
 	cloud.google.com/go/cloudsqlconn v1.9.0

diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod
@@ -1,6 +1,6 @@
 module github.com/gravitational/teleport/integrations/event-handler
 
-go 1.22.12
+go 1.23.6
 
 require (
 	github.com/alecthomas/kong v0.9.0
@@ -162,6 +162,7 @@ require (
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
@@ -312,6 +313,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	k8s.io/kubectl v0.29.0 // indirect
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
+	mvdan.cc/sh/v3 v3.7.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/controller-runtime v0.16.1 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
@@ -448,6 +448,8 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
+github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f h1:o2yGZLlsOj5H5uvtQNEdi6DeA0GbUP3lm0gWW5RvY0s=
+github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f/go.mod h1:H3K1Iu/utuCfa10JO+GsmKUYSWi7ug57Rk6GaDRHaaQ=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -1261,6 +1263,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 launchpad.net/gocheck v0.0.0-20140225173054-000000000087 h1:Izowp2XBH6Ya6rv+hqbceQyw/gSGoXfH/UPoTGduL54=
 launchpad.net/gocheck v0.0.0-20140225173054-000000000087/go.mod h1:hj7XX3B/0A+80Vse0e+BUHsHMTEhd0O4cpUHr/e/BUM=
+mvdan.cc/sh/v3 v3.7.0 h1:lSTjdP/1xsddtaKfGg7Myu7DnlHItd3/M2tomOcNNBg=
+mvdan.cc/sh/v3 v3.7.0/go.mod h1:K2gwkaesF/D7av7Kxl0HbF5kGOd2ArupNTX3X44+8l8=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
 oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
 sigs.k8s.io/controller-runtime v0.16.1 h1:+15lzrmHsE0s2kNl0Dl8cTchI5Cs8qofo5PGcPrV9z0=

diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod
@@ -1,6 +1,6 @@
 module github.com/gravitational/teleport/integrations/terraform
 
-go 1.22.12
+go 1.23.6
 
 require (
 	github.com/gogo/protobuf v1.3.2
@@ -167,6 +167,7 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
@@ -349,6 +350,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	k8s.io/kubectl v0.29.0 // indirect
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
+	mvdan.cc/sh/v3 v3.7.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/controller-runtime v0.16.1 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

diff --git a/lib/srv/desktop/README.md b/lib/srv/desktop/README.md
@@ -63,7 +63,7 @@ Restart the VM after configuring AD CS.
 
 ## Follow The Docs
 
-Now follow the [Getting Started](https://goteleport.com/docs/desktop-access/introduction/) documentation on the Teleport website to complete the installation.
+Now follow the [Getting Started](https://goteleport.com/docs/enroll-resources/desktop-access/) documentation on the Teleport website to complete the installation.
 
 ## Appendix: VirtualBox notes
 

diff --git a/lib/srv/reexec.go b/lib/srv/reexec.go
@@ -696,6 +696,12 @@ func handleRemotePortForward(ctx context.Context, addr string, file *os.File) er
 // runForward reads in the command to run from the parent process (over a
 // pipe) then port forwards.
 func runForward(handler forwardHandler) (errw io.Writer, code int, err error) {
+	// SIGQUIT is used by teleport to initiate graceful shutdown, waiting for
+	// existing exec sessions to close before ending the process. For this to
+	// work when closing the entire teleport process group, exec sessions must
+	// ignore SIGQUIT signals.
+	signal.Ignore(syscall.SIGQUIT)
+
 	// errorWriter is used to return any error message back to the client.
 	// Use stderr so that it's not forwarded to the remote client.
 	errorWriter := os.Stderr

diff --git a/lib/tbot/config/migrate_test.go b/lib/tbot/config/migrate_test.go
@@ -342,7 +342,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/databases/",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/databases/",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -388,7 +388,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/databases/ - mongo",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/databases/ - mongo",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -439,7 +439,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/databases/ - cockroach",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/databases/ - cockroach",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -489,7 +489,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/databases/ - tls",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/databases/ - tls",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -539,7 +539,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/host-certificate/",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id - host-certificate",
 			input: `
 onboarding:
   token: "1234abcd5678efgh9"
@@ -594,7 +594,7 @@ oneshot: false
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/applications/",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/applications/",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -634,7 +634,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/applications/ - with tls config",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/applications/ - with tls config",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:
@@ -678,7 +678,7 @@ destinations:
 			},
 		},
 		{
-			name: "backwards compat with https://goteleport.com/docs/machine-id/guides/kubernetes/",
+			name: "backwards compat with https://goteleport.com/docs/enroll-resources/machine-id/access-guides/kubernetes/",
 			input: `
 auth_server: "teleport.example.com:443"
 onboarding:

diff --git a/lib/utils/certs.go b/lib/utils/certs.go
@@ -196,25 +196,15 @@ func VerifyCertificateChain(certificateChain []*x509.Certificate) error {
 	return nil
 }
 
-// IsSelfSigned checks if the certificate is a self-signed certificate. To
-// check if a certificate is self-signed, we make sure that only one
-// certificate is in the chain and that the SubjectKeyId and AuthorityKeyId
-// match.
-//
-// From RFC5280: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
-//
-//	The signature on a self-signed certificate is generated with the private
-//	key associated with the certificate's subject public key. (This
-//	proves that the issuer possesses both the public and private keys.)
-//	In this case, the subject and authority key identifiers would be
-//	identical, but only the subject key identifier is needed for
-//	certification path building.
+// IsSelfSigned checks if the certificate is a self-signed certificate. To check
+// if a certificate is self-signed, we make sure that only one certificate is in
+// the chain and that its Subject and Issuer match.
 func IsSelfSigned(certificateChain []*x509.Certificate) bool {
 	if len(certificateChain) != 1 {
 		return false
 	}
 
-	return bytes.Equal(certificateChain[0].SubjectKeyId, certificateChain[0].AuthorityKeyId)
+	return bytes.Equal(certificateChain[0].RawSubject, certificateChain[0].RawIssuer)
 }
 
 // ReadCertificates parses PEM encoded bytes that can contain one or