Merge branch 'master' into edwarddowling/msteams-refactor

.golangci.yml

@@ -99,10 +99,6 @@ linters-settings:
             desc: 'use "github.com/google/uuid" instead'
           - pkg: github.com/pborman/uuid
             desc: 'use "github.com/google/uuid" instead'
-          - pkg: github.com/siddontang/go-log/log
-            desc: 'use "github.com/sirupsen/logrus" instead'
-          - pkg: github.com/siddontang/go/log
-            desc: 'use "github.com/sirupsen/logrus" instead'
           - pkg: github.com/tj/assert
             desc: 'use "github.com/stretchr/testify/assert" instead'
           - pkg: go.uber.org/atomic
@@ -117,16 +113,29 @@ linters-settings:
             desc: 'use "github.com/gravitational/teleport/lib/msgraph" instead'
           - pkg: github.com/cloudflare/cfssl
             desc: 'use "crypto" or "x/crypto" instead'
-      # Prevent logrus from being imported by api and e. Once everything in teleport has been converted
-      # to use log/slog this should be moved into the main block above.
-      logrus:
+      # Prevent importing any additional logging libraries.
+      logging:
         files:
-          - '**/api/**'
-          - '**/e/**'
-          - '**/lib/srv/**'
+          # Integrations are still allowed to use logrus becuase they haven't
+          # been converted to slog yet. Once they use slog, remove this exception.
+          - '!**/integrations/**'
+          # The log package still contains the logrus formatter consumed by the integrations.
+          # Remove this exception when said formatter is deleted.
+          - '!**/lib/utils/log/**'
+          - '!**/lib/utils/cli.go'
         deny:
           - pkg: github.com/sirupsen/logrus
             desc: 'use "log/slog" instead'
+          - pkg: github.com/siddontang/go-log/log
+            desc: 'use "log/slog" instead'
+          - pkg: github.com/siddontang/go/log
+            desc: 'use "log/slog" instead'
+          - pkg: github.com/mailgun/log
+            desc: 'use "log/slog" instead'
+          - pkg: github.com/saferwall/pe/log
+            desc: 'use "log/slog" instead'
+          - pkg: golang.org/x/exp/slog
+            desc: 'use "log/slog" instead'
       # Prevent importing internal packages in client tools or packages containing
       # common interfaces consumed by them that are known to bloat binaries or break builds
       # because they only support a single platform.

api/types/resource_153.go

@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 	"time"
 
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
@@ -124,6 +126,10 @@ func (r *legacyToResource153Adapter) GetVersion() string {
 // [Resource] type. Implements [ResourceWithLabels] and CloneResource (where the)
 // wrapped resource supports cloning).
 //
+// Resources153 implemented by proto-generated structs should use ProtoResource153ToLegacy
+// instead as it will ensure the protobuf message is properly marshaled to JSON
+// with protojson.
+//
 // Note that CheckAndSetDefaults is a noop for the returned resource and
 // SetSubKind is not implemented and panics on use.
 func Resource153ToLegacy(r Resource153) Resource {
@@ -348,3 +354,36 @@ func (r *resource153ToUnifiedResourceAdapter) CloneResource() ResourceWithLabels
 	clone := r.inner.(ClonableResource153).CloneResource()
 	return Resource153ToUnifiedResource(clone)
 }
+
+// ProtoResource153 is a Resource153 implemented by a protobuf-generated struct.
+type ProtoResource153 interface {
+	Resource153
+	proto.Message
+}
+
+type protoResource153ToLegacyAdapter struct {
+	inner ProtoResource153
+	resource153ToLegacyAdapter
+}
+
+// MarshalJSON adds support for marshaling the wrapped resource (instead of
+// marshaling the adapter itself).
+func (r *protoResource153ToLegacyAdapter) MarshalJSON() ([]byte, error) {
+	return protojson.MarshalOptions{
+		UseProtoNames: true,
+	}.Marshal(r.inner)
+}
+
+// ProtoResource153ToLegacy transforms an RFD 153 style resource implemented by
+// a proto-generated struct into a legacy [Resource] type. Implements
+// [ResourceWithLabels] and CloneResource (where the wrapped resource supports
+// cloning).
+//
+// Note that CheckAndSetDefaults is a noop for the returned resource and
+// SetSubKind is not implemented and panics on use.
+func ProtoResource153ToLegacy(r ProtoResource153) Resource {
+	return &protoResource153ToLegacyAdapter{
+		r,
+		resource153ToLegacyAdapter{r},
+	}
+}

build.assets/tooling/cmd/protoc-gen-eventschema/debug.go

@@ -25,25 +25,26 @@ package main
 // inspect what is happening inside the plugin.
 
 import (
+	"context"
 	"io"
+	"log/slog"
 	"os"
 
 	"github.com/gogo/protobuf/proto"
 	"github.com/gogo/protobuf/protoc-gen-gogo/generator"
 	plugin "github.com/gogo/protobuf/protoc-gen-gogo/plugin"
 	"github.com/gravitational/trace"
-	log "github.com/sirupsen/logrus"
 )
 
 const pluginInputPathEnvironment = "TELEPORT_PROTOC_READ_FILE"
 
 func readRequest() (*plugin.CodeGeneratorRequest, error) {
 	inputPath := os.Getenv(pluginInputPathEnvironment)
 	if inputPath == "" {
-		log.Error(trace.BadParameter("When built with the 'debug' tag, the input path must be set through the environment variable: %s", pluginInputPathEnvironment))
+		slog.ErrorContext(context.Background(), "When built with the 'debug' tag, the input path must be set through the TELEPORT_PROTOC_READ_FILE environment variable")
 		os.Exit(-1)
 	}
-	log.Infof("This is a debug build, the protoc request is read from the file: '%s'", inputPath)
+	slog.InfoContext(context.Background(), "This is a debug build, the protoc request is read from provided file", "file", inputPath)
 
 	req, err := readRequestFromFile(inputPath)
 	if err != nil {

build.assets/tooling/cmd/protoc-gen-eventschema/main.go

@@ -19,21 +19,23 @@
 package main
 
 import (
+	"context"
+	"log/slog"
 	"os"
-
-	log "github.com/sirupsen/logrus"
 )
 
 func main() {
-	log.SetLevel(log.DebugLevel)
-	log.SetOutput(os.Stderr)
+	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	slog.SetDefault(logger)
+
+	ctx := context.Background()
 	req, err := readRequest()
 	if err != nil {
-		log.WithError(err).Error("Failed to read request")
+		logger.ErrorContext(ctx, "Failed to read request", "error", err)
 		os.Exit(-1)
 	}
 	if err := handleRequest(req); err != nil {
-		log.WithError(err).Error("Failed to generate schema")
+		logger.ErrorContext(ctx, "Failed to generate schema", "error", err)
 		os.Exit(-1)
 	}
 }

build.assets/tooling/cmd/render-helm-ref/main.go

@@ -20,15 +20,16 @@ package main
 
 import (
 	"bufio"
+	"context"
 	"encoding/json"
 	"flag"
 	"fmt"
+	"log/slog"
 	"os"
 	"regexp"
 	"strings"
 
 	"github.com/gravitational/trace"
-	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 	"helm.sh/helm/v3/pkg/chart/loader"
 )
@@ -52,14 +53,15 @@ func main() {
 	flag.StringVar(&outputPath, "output", "-", "Path of the generated markdown reference, '-' means stdout.")
 	flag.Parse()
 
+	ctx := context.Background()
 	if chartPath == "" {
-		log.Error(trace.BadParameter("chart path must be specified"))
+		slog.ErrorContext(ctx, "chart path must be specified")
 		os.Exit(1)
 	}
 
 	reference, err := parseAndRender(chartPath)
 	if err != nil {
-		log.Errorf("failed parsing chart and rendering reference: %s", err)
+		slog.ErrorContext(ctx, "failed parsing chart and rendering reference", "error", err)
 		os.Exit(1)
 	}
 
@@ -69,10 +71,10 @@ func main() {
 	}
 	err = os.WriteFile(outputPath, reference, 0o644)
 	if err != nil {
-		log.Errorf("failed writing file: %s", err)
+		slog.ErrorContext(ctx, "failed writing file", "error", err)
 		os.Exit(1)
 	}
-	log.Infof("File %s successfully written", outputPath)
+	slog.InfoContext(ctx, "File successfully written", "file_path", outputPath)
 }
 
 func parseAndRender(chartPath string) ([]byte, error) {
@@ -106,7 +108,10 @@ func parseAndRender(chartPath string) ([]byte, error) {
 		if value.Kind != "" && value.Default == "" {
 			defaultValue, err := getDefaultForValue(value.Name, chrt.Values)
 			if err != nil {
-				log.Warnf("failed to get default for value %s, error: %s", value.Name, err)
+				slog.WarnContext(context.Background(), "failed to look up default value",
+					"value", value.Name,
+					"error", err,
+				)
 			} else {
 				value.Default = string(defaultValue)
 			}
@@ -227,7 +232,7 @@ func cleanLine(line string) string {
 		return ""
 	}
 	if line2[0] != '#' {
-		log.Warnf("Misformatted line: %s", line)
+		slog.WarnContext(context.Background(), "Misformatted line", "line", line)
 		return ""
 	}
 	return line2[2:]

build.assets/tooling/go.mod

@@ -10,7 +10,6 @@ require (
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-github/v41 v41.0.0
 	github.com/gravitational/trace v1.4.0
-	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
 	github.com/waigani/diffparser v0.0.0-20190828052634-7391f219313d
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
@@ -48,7 +47,6 @@ require (
 	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

build.assets/tooling/go.sum

@@ -881,8 +881,6 @@ github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfF
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
@@ -1183,7 +1181,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1197,8 +1194,6 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=

docs/pages/admin-guides/access-controls/device-trust/device-management.mdx

@@ -13,9 +13,6 @@ token, and removing a trusted device.
 
 (!docs/pages/includes/device-trust/prereqs.mdx!)
 
-- For clusters created after v13.3.6, Teleport supports the preset `device-admin`
-  role to manage devices.
-
 ## Register a trusted device
 
 The `tctl` tool is used to manage the device inventory. A device admin is

docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx

@@ -35,11 +35,10 @@ by the `device_trust_mode` authentication setting:
 
 (!docs/pages/includes/device-trust/prereqs.mdx!)
 
-- We expect your Teleport cluster to be on version 13.3.6 and above, which has
-  the preset `require-trusted-device` role. The preset `require-trusted-device`
-  role does not enforce the use of a trusted device for
-  [Apps](#app-access-support) or [Desktops](#desktop-access-support).  Refer to
-  their corresponding sections for instructions.
+This guide makes use of the preset `require-trusted-device` role, which does not
+enforce the use of a trusted device for [Apps](#app-access-support) or
+[Desktops](#desktop-access-support). Refer to their corresponding sections for
+instructions.
 
 ## Role-based trusted device enforcement
 

docs/pages/admin-guides/access-controls/device-trust/guide.mdx

@@ -45,46 +45,6 @@ protected with Teleport.
   root@(=clusterDefaults.nodeIP=):~#
   ```
 
-<Details type="warning" title="Teleport v13.3.5 and Below">
-  The preset `require-trusted-device` role, as referenced in this guide, is only available
-  from Teleport version 13.3.6 and above. For older Teleport cluster, you will need to update
-  a role with `device_trust_mode: required`.
-
-  For simplicity, the example below updates the preset `access` role but you can update
-  any existing access granting role which the user is assigned with to enforce Device Trust.
-
-  First, fetch a role so you can update it locally:
-  ```code
-  $ tctl edit role/access
-  ```
-
-  Edit the role with Device Trust mode:
-  ```diff
-  kind: role
-  metadata:
-    labels:
-      teleport.internal/resource-type: preset
-    name: access
-  spec:
-    allow:
-      logins:
-      - '{{internal.logins}}'
-      ...
-    options:
-      # require authenticated device check for this role
-  +   device_trust_mode: "required" # add this line
-      ...
-    deny:
-      ...
-
-  ```
-
-  Save your edits.
-
-  Now that the `access` role is configured with device mode "required", users with
-  this role will be enforced with Device Trust.
-</Details>
-
 Once the above prerequisites are met, begin with the following step.
 
 ## Step 1/2. Update user profile to enforce Device Trust
@@ -145,12 +105,12 @@ $ tsh device enroll --current-device
 Device "(=devicetrust.asset_tag=)"/macOS registered and enrolled
 ```
 
-<Admonition type="tip" title="self enrollment: v13.3.5+">
-  The `--current-device` flag tells `tsh` to enroll current device. User must have the preset `editor`
+<Admonition type="tip" title="self enrollment">
+  The `--current-device` flag tells `tsh` to enroll the current device. The user must have the preset `editor`
   or `device-admin` role to be able to self-enroll their device. For users without the `editor` or
-  `device-admin` roles, an enrollment token must be generated by a device admin, which can then be
+  `device-admin` roles, a device admin must generate the an enrollment token, which can then be
   used to enroll the device. Learn more about manual device enrollment in the
-  [device management guide](./device-management.mdx#register-a-trusted-device)
+  [device management guide](./device-management.mdx#register-a-trusted-device).
 </Admonition>
 
 Relogin to fetch updated certificate with device extension:

docs/pages/admin-guides/access-controls/guides/headless.mdx

@@ -31,7 +31,7 @@ For example:
 - Machines for Headless WebAuthn activities have [Linux](../../../installation.mdx), [macOS](../../../installation.mdx) or [Windows](../../../installation.mdx) `tsh` binary installed.
 - Machines used to approve Headless WebAuthn requests have a Web browser with [WebAuthn support](
   https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) or `tsh` binary installed.
-- Optional: Teleport Connect v13.3.1+ for [seamless Headless WebAuthn approval](#optional-teleport-connect).
+- Optional: Teleport Connect for [seamless Headless WebAuthn approval](#optional-teleport-connect).
 
 ## Step 1/3. Configuration
 
@@ -169,9 +169,9 @@ alice@server01 $
 
 ## Optional: Teleport Connect
 
-Teleport Connect v13.3.1+ can also be used to approve Headless WebAuthn logins.
-Teleport Connect will automatically detect the Headless WebAuthn login attempt
-and allow you to approve or cancel the request.
+Teleport Connect can also be used to approve Headless WebAuthn logins.  Teleport
+Connect will automatically detect the Headless WebAuthn login attempt and allow
+you to approve or cancel the request.
 
 <Figure width="700">
 ![Headless Confirmation](../../../../img/headless/confirmation.png)
@@ -183,10 +183,6 @@ You will be prompted to tap your MFA key to complete the approval process.
 ![Headless WebAuthn Approval](../../../../img/headless/approval.png)
 </Figure>
 
-<Notice type="note">
-  This also requires a v13.3.1+ Teleport Auth Service.
-</Notice>
-
 ## Troubleshooting
 
 ### "WARN: Failed to lock system memory for headless login: ..."