Merge branch 'master' into bernard/upsert-trusted-cluster-v2

.golangci.yml

@@ -113,6 +113,8 @@ linters-settings:
             desc: 'use "golang.org/x/mod/semver" or "coreos/go-semver/semver" instead'
           - pkg: github.com/microsoftgraph/msgraph-sdk-go
             desc: 'use "github.com/gravitational/teleport/lib/msgraph" instead'
+          - pkg: github.com/cloudflare/cfssl
+            desc: 'use "crypto" or "x/crypto" instead'
       # Prevent logrus from being imported by api and e. Once everything in teleport has been converted
       # to use log/slog this should be moved into the main block above.
       logrus:

api/proto/teleport/integration/v1/awsoidc_service.proto

@@ -482,6 +482,8 @@ message EnrollEKSClustersRequest {
   // AgentVersion is version of agent Helm chart to install on the EKS cluster.
   // Required.
   string agent_version = 5;
+  // ExtraLabels added to the enrolled clusters.
+  map<string, string> extra_labels = 6;
 }
 
 // EnrollEKSClusterResult contains result for a single cluster enrollment.
@@ -492,6 +494,16 @@ message EnrollEKSClusterResult {
   string resource_id = 2;
   // Error show what error happened during enrollment. Empty if no error happened.
   string error = 3;
+  // IssueType contains the UserTask's issue type for well-known errors.
+  // Example of allowed values:
+  // - eks-status-not-active
+  // - eks-missing-endpoint-public-access
+  // - eks-authentication-mode-unsupported
+  // - eks-cluster-unreachable
+  // - eks-agent-not-connecting
+  // See usertasks.DiscoverEKSIssueTypes for a complete list of allowed values.
+  // Empty if no error happened, or the error is not yet handled.
+  string issue_type = 4;
 }
 
 // EnrollEKSClustersResponse is a response to enrolling EKS clusters.

api/proto/teleport/legacy/types/events/events.proto

@@ -4707,6 +4707,7 @@ message OneOf {
     events.WorkloadIdentityCreate WorkloadIdentityCreate = 194;
     events.WorkloadIdentityUpdate WorkloadIdentityUpdate = 195;
     events.WorkloadIdentityDelete WorkloadIdentityDelete = 196;
+    events.GitCommand GitCommand = 197;
   }
 }
 
@@ -7800,3 +7801,69 @@ message WorkloadIdentityDelete {
     (gogoproto.jsontag) = ""
   ];
 }
+
+// GitCommand is emitted when a user performs a Git fetch or push command.
+message GitCommand {
+  // Metadata is a common event metadata
+  Metadata Metadata = 1 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // User is a common user event metadata
+  UserMetadata User = 2 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // ConnectionMetadata holds information about the connection
+  ConnectionMetadata Connection = 3 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // SessionMetadata is a common event session metadata
+  SessionMetadata Session = 4 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // ServerMetadata is a common server metadata
+  ServerMetadata Server = 5 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // CommandMetadata is a common command metadata
+  CommandMetadata Command = 6 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
+
+  // Service is the type of the git request like git-upload-pack or
+  // git-receive-pack.
+  string service = 8 [(gogoproto.jsontag) = "service"];
+  // Path is the Git repo path, usually <org>/<repo>.
+  string path = 9 [(gogoproto.jsontag) = "path"];
+
+  // Actions defines details for a Git push.
+  repeated GitCommandAction actions = 10 [(gogoproto.jsontag) = "actions,omitempty"];
+}
+
+// GitCommandAction defines details for a Git push.
+message GitCommandAction {
+  // Action type like create or update.
+  string Action = 1 [(gogoproto.jsontag) = "action,omitempty"];
+  // Reference name like ref/main/my_branch.
+  string Reference = 2 [(gogoproto.jsontag) = "reference,omitempty"];
+  // Old is the old hash.
+  string Old = 3 [(gogoproto.jsontag) = "old,omitempty"];
+  // New is the new hash.
+  string New = 4 [(gogoproto.jsontag) = "new,omitempty"];
+}

api/proto/teleport/legacy/types/types.proto

@@ -1108,6 +1108,8 @@ message Header {
 // PortRange can be used to describe a single port in which case the Port field is the port and the
 // EndPort field is 0.
 message PortRange {
+  option (gogoproto.goproto_stringer) = false;
+  option (gogoproto.stringer) = false;
   // Port describes the start of the range. It must be between 1 and 65535.
   uint32 Port = 1 [(gogoproto.jsontag) = "port"];
   // EndPort describes the end of the range, inclusive. If set, it must be between 2 and 65535 and

api/proto/teleport/notifications/v1/notifications.proto

@@ -86,6 +86,9 @@ message GlobalNotificationSpec {
   bool match_all_conditions = 4;
   // notification is the notification itself.
   Notification notification = 5;
+  // exclude_users is a list of usernames of users who should never match this notification
+  // under any circumstances.
+  repeated string exclude_users = 6;
 }
 
 // ByPermissions represents the RoleConditions needed for a user to receive this notification.

api/proto/teleport/usertasks/v1/user_tasks.proto

@@ -57,6 +57,9 @@ message UserTaskSpec {
   // DiscoverEC2 contains the AWS EC2 instances that failed to auto enroll into the cluster.
   // Present when TaskType is discover-ec2.
   DiscoverEC2 discover_ec2 = 5;
+  // DiscoverEKS contains the AWS EKS clusters that failed to auto enroll into the cluster.
+  // Present when TaskType is discover-eks.
+  DiscoverEKS discover_eks = 6;
 }
 
 // DiscoverEC2 contains the instances that failed to auto-enroll into the cluster.
@@ -96,3 +99,27 @@ message DiscoverEC2Instance {
   // SyncTime is the timestamp when the error was produced.
   google.protobuf.Timestamp sync_time = 8;
 }
+
+// DiscoverEKS contains the clusters that failed to auto-enroll into the cluster.
+message DiscoverEKS {
+  // Clusters maps a cluster name to the result of enrolling that cluster into teleport.
+  map<string, DiscoverEKSCluster> clusters = 1;
+  // AccountID is the AWS Account ID for the cluster.
+  string account_id = 2;
+  // Region is the AWS Region where Teleport failed to enroll EKS Clusters.
+  string region = 3;
+  // AppAutoDiscover indicates whether the Kubernetes agent should auto enroll HTTP services as Teleport Apps.
+  bool app_auto_discover = 4;
+}
+
+// DiscoverEKSCluster contains the result of enrolling an AWS EKS Cluster.
+message DiscoverEKSCluster {
+  // Name is the cluster Name.
+  string name = 1;
+  // DiscoveryConfig is the discovery config name that originated this cluster enrollment.
+  string discovery_config = 2;
+  // DiscoveryGroup is the DiscoveryGroup name that originated this task.
+  string discovery_group = 3;
+  // SyncTime is the timestamp when the error was produced.
+  google.protobuf.Timestamp sync_time = 4;
+}

api/types/app.go

@@ -19,6 +19,8 @@ package types
 import (
 	"fmt"
 	"net/url"
+	"slices"
+	"strconv"
 	"strings"
 	"time"
 
@@ -88,7 +90,7 @@ type Application interface {
 	// GetCORS returns the CORS configuration for the app.
 	GetCORS() *CORSPolicy
 	// GetTCPPorts returns port ranges supported by the app to which connections can be forwarded to.
-	GetTCPPorts() []*PortRange
+	GetTCPPorts() PortRanges
 	// SetTCPPorts sets port ranges to which connections can be forwarded to.
 	SetTCPPorts([]*PortRange)
 	// GetIdentityCenter fetches identity center info for the app, if any.
@@ -314,7 +316,7 @@ func (a *AppV3) SetUserGroups(userGroups []string) {
 }
 
 // GetTCPPorts returns port ranges supported by the app to which connections can be forwarded to.
-func (a *AppV3) GetTCPPorts() []*PortRange {
+func (a *AppV3) GetTCPPorts() PortRanges {
 	return a.Spec.TCPPorts
 }
 
@@ -537,3 +539,34 @@ func (a *AppIdentityCenter) GetPermissionSets() []*IdentityCenterPermissionSet {
 	}
 	return a.PermissionSets
 }
+
+// PortRanges is a list of port ranges.
+type PortRanges []*PortRange
+
+// Contains checks if targetPort is within any of the port ranges.
+func (p PortRanges) Contains(targetPort int) bool {
+	return slices.ContainsFunc(p, func(portRange *PortRange) bool {
+		return netutils.IsPortInRange(int(portRange.Port), int(portRange.EndPort), targetPort)
+	})
+}
+
+// String returns a string representation of port ranges.
+func (p PortRanges) String() string {
+	var builder strings.Builder
+	for i, portRange := range p {
+		if i > 0 {
+			builder.WriteString(", ")
+		}
+		builder.WriteString(portRange.String())
+	}
+	return builder.String()
+}
+
+// String returns a string representation of a port range.
+func (p *PortRange) String() string {
+	if p.EndPort == 0 {
+		return strconv.Itoa(int(p.Port))
+	} else {
+		return fmt.Sprintf("%d-%d", p.Port, p.EndPort)
+	}
+}

api/types/app_test.go

@@ -18,6 +18,7 @@ package types
 
 import (
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/gravitational/trace"
@@ -563,6 +564,31 @@ func TestNewAppV3(t *testing.T) {
 	}
 }
 
+func TestPortRangesContains(t *testing.T) {
+	portRanges := PortRanges([]*PortRange{
+		&PortRange{Port: 10, EndPort: 20},
+		&PortRange{Port: 42},
+	})
+
+	tests := []struct {
+		port int
+		want require.BoolAssertionFunc
+	}{
+		{port: 10, want: require.True},
+		{port: 20, want: require.True},
+		{port: 15, want: require.True},
+		{port: 42, want: require.True},
+		{port: 30, want: require.False},
+		{port: 0, want: require.False},
+	}
+
+	for _, tt := range tests {
+		t.Run(strconv.Itoa(tt.port), func(t *testing.T) {
+			tt.want(t, portRanges.Contains(tt.port))
+		})
+	}
+}
+
 func hasNoErr(t require.TestingT, err error, msgAndArgs ...interface{}) {
 	require.NoError(t, err, msgAndArgs...)
 }

api/types/events/events.go

@@ -2402,3 +2402,7 @@ func (m *WorkloadIdentityUpdate) TrimToMaxSize(maxSize int) AuditEvent {
 func (m *WorkloadIdentityDelete) TrimToMaxSize(_ int) AuditEvent {
 	return m
 }
+
+func (m *GitCommand) TrimToMaxSize(_ int) AuditEvent {
+	return m
+}