Merge branch 'master' into joerger/prxtpl-docs

.cloudbuild/scripts/cmd/integration-tests/main.go

@@ -26,13 +26,14 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/gravitational/trace"
+	log "github.com/sirupsen/logrus"
+
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/artifacts"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/changes"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/etcd"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/git"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/secrets"
-	"github.com/gravitational/trace"
-	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -86,8 +87,7 @@ func innerMain() error {
 		return trace.Wrap(err, "Failed analyzing code")
 	}
 
-	hasOnlyDocChanges := ch.Docs && (!ch.Code)
-	if hasOnlyDocChanges {
+	if !ch.Code {
 		log.Println("No code changes detected. Skipping tests.")
 		return nil
 	}

.cloudbuild/scripts/cmd/unit-tests/main.go

@@ -25,14 +25,15 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/gravitational/trace"
+	log "github.com/sirupsen/logrus"
+
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/artifacts"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/changes"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/customflag"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/etcd"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/git"
 	"github.com/gravitational/teleport/.cloudbuild/scripts/internal/secrets"
-	"github.com/gravitational/trace"
-	log "github.com/sirupsen/logrus"
 )
 
 // main is just a stub that prints out an error message and sets a nonzero exit
@@ -106,7 +107,7 @@ func parseCommandLine() (commandlineArgs, error) {
 	return args, nil
 }
 
-// run parses the command line, performs the highlevel docs change check
+// run parses the command line, performs the high level docs change check
 // and creates the marker file if necessary
 func run() error {
 	args, err := parseCommandLine()
@@ -140,8 +141,7 @@ func run() error {
 		return trace.Wrap(err, "Failed analyzing code")
 	}
 
-	hasOnlyDocChanges := ch.Docs && (!ch.Code)
-	if hasOnlyDocChanges {
+	if !ch.Code {
 		log.Println("No code changes detected. Skipping tests.")
 		return nil
 	}

.cloudbuild/scripts/internal/changes/changes.go

@@ -31,8 +31,9 @@ import (
 
 // Changes describes the kind of changes found in the analysed workspace.
 type Changes struct {
-	Docs bool
-	Code bool
+	Docs       bool
+	Code       bool
+	Enterprise bool
 }
 
 // Analyze examines the workspace for specific changes using its git history,
@@ -57,15 +58,18 @@ func Analyze(workspaceDir string, targetBranch string, commitSHA string) (Change
 		case path == "":
 			continue
 
+		case path == "e":
+			report.Enterprise = true
+
 		case isDocChange(path):
-			report.Docs = report.Docs || true
+			report.Docs = true
 
 		default:
-			report.Code = report.Code || true
+			report.Code = true
 		}
 
-		if report.Docs && report.Code {
-			// There's no sense in exhaustively listing all of the changes if
+		if report.Docs && report.Code && report.Enterprise {
+			// There's no sense in exhaustively listing all the changes if
 			// the answer won't change, so bail early.
 			break
 		}

.drone.yml

@@ -5102,7 +5102,7 @@ volumes:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
-# Generated at dronegen/misc.go:133
+# Generated at dronegen/misc.go:145
 ################################################
 
 kind: pipeline
@@ -5130,7 +5130,7 @@ steps:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
-# Generated at dronegen/misc.go:157
+# Generated at dronegen/misc.go:169
 ################################################
 
 kind: pipeline
@@ -5159,10 +5159,16 @@ steps:
 - name: Check out code
   image: alpine/git:latest
   commands:
-  - mkdir -p /go/src/github.com/gravitational/teleport
-  - cd /go/src/github.com/gravitational/teleport
+  - mkdir -p "/go/src/github.com/gravitational/teleport"
+  - cd "/go/src/github.com/gravitational/teleport"
   - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .
   - git checkout "${DRONE_TAG}"
+- name: Check if tag is prerelease
+  image: golang:1.17-alpine
+  commands:
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+  - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is
+    a prerelease, not publishing ${DRONE_TAG} packages to APT repos' && exit 78)
 - name: Download artifacts for "${DRONE_TAG}"
   image: amazon/aws-cli
   commands:
@@ -5185,7 +5191,7 @@ steps:
   - chown -R root:root $GNUPGHOME
   - apt update
   - apt install aptly tree -y
-  - cd /go/src/github.com/gravitational/teleport/build.assets/tooling
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
   - export VERSION="${DRONE_TAG}"
   - export RELEASE_CHANNEL="stable"
   - go run ./cmd/build-apt-repos -bucket "$APT_S3_BUCKET" -local-bucket-path "$BUCKET_CACHE_PATH"
@@ -5608,6 +5614,6 @@ volumes:
       name: drone-s3-debrepo-pvc
 ---
 kind: signature
-hmac: 8ba01d8a4566bb36fc2375c5a6eb4e5ea9d6f5d638c0be44028397b3c1720668
+hmac: 5acd82e991fc974378ec84b0265df412875f0c349000a6c92720b39287639ac8
 
 ...

.github/ISSUE_TEMPLATE/testplan.md

@@ -1,3 +1,9 @@
+---
+name: Test Plan
+about: Manual test plan for Teleport major releases
+labels: testplan
+---
+
 ## Manual Testing Plan
 
 Below are the items that should be manually tested with each release of Teleport.
@@ -1094,27 +1100,50 @@ With a default Postgres DB instance, a Teleport instance configured with DB acce
 
 ## Teleport Connect
 
-- Shell 
+- Shell
   - [ ] Verify that shell is pinned to correct cluster (for root clusters and leaf clusters)
   - [ ] Verify that local shell is opened with the correct env vars
   - [ ] Verify that working directory in the tab title is updated when you change the directory (only for local terminals)
 - State restoration
   - [ ] Verify that app asks about restoring the previous tabs when launched
-  - [ ] Verify that app opens with the cluster that was active when you closed it previously 
-  - [ ] Verify that app remembers size & position after restart 
+  - [ ] Verify that app opens with the cluster that was active when you closed it previously
+  - [ ] Verify that app remembers size & position after restart
   - [ ] Verify if [reopening a cluster that has no workspace assigned](https://github.com/gravitational/webapps.e/issues/275#issuecomment-1131663575) works
 - Connections picker
   - [ ] Verify that connections picker shows new connections when ssh & db tabs are opened
   - [ ] Check if these connections are available after the app restart
-  - [ ] Check that these connections are removed when the cluster to which they belong is removed 
+  - [ ] Check that these connections are removed when the cluster to which they belong is removed
 - Cluster resources (servers/databases)
   - [ ] Verify that the app shows the same resources as WebUI
   - [ ] Verify that search is working for the resources lists
   - [ ] Verify that you can connect to these resources
-- [ ] Verify if adding a cluster adds it to the clusters list and activates automatically 
+- [ ] Verify if adding a cluster adds it to the clusters list and activates automatically
 - [ ] Verify that state of the current workspace is preserved when you change it (by switching to another cluster) and return
 - [ ] Verify that autocomplete works in the command bar
-- [ ] Verify that the keyboard shortcuts work (opening connections list, cluster & porfile selectors, switching tabs, etc.) 
-- [ ] Verify that app doesn’t crash when there is no internet connection or some cluster is unavailable 
+- [ ] Verify that the keyboard shortcuts work (opening connections list, cluster & porfile selectors, switching tabs, etc.)
+- [ ] Verify that app doesn’t crash when there is no internet connection or some cluster is unavailable
 - [ ] Verify that logs are collected for all processes
 - [ ] Verify that the login modal is displayed when a user tries to make a request after the certificate has expired
+
+## Host users creation
+
+[Host users creation docs](https://github.com/gravitational/teleport/pull/13056)
+[Host users creation RFD](https://github.com/gravitational/teleport/pull/11077)
+<!---
+TODO(lxea): replace links with actual docs once merged
+
+[Host users creation docs](../../docs/pages/server-access/guides/host-user-creation.mdx)
+[Host users creation RFD](../../rfd/0057-automatic-user-provisioning.md)
+-->
+
+- Verify host users creation functionality
+  - [ ] non-existing users are created automatically
+  - [ ] users are added to groups
+    - [ ] non existing configured groups are created
+	- [ ] created users are added to the `teleport-system` group
+  - [ ] users are cleaned up after their session ends
+	- [ ] cleanup occurs if a program was left running after session ends
+  - [ ] sudoers file creation is successful
+	- [ ] Invalid sudoers files are _not_ created
+  - [ ] existing host users are not modified
+  - [ ] setting `disable_create_host_user: true` stops user creation from occurring

api/client/client.go

@@ -501,6 +501,8 @@ type Config struct {
 	ALPNSNIAuthDialClusterName string
 	// CircuitBreakerConfig defines how the circuit breaker should behave.
 	CircuitBreakerConfig breaker.Config
+	// Context is the base context to use for dialing. If not provided context.Background is used
+	Context context.Context
 }
 
 // CheckAndSetDefaults checks and sets default config values.
@@ -522,6 +524,10 @@ func (c *Config) CheckAndSetDefaults() error {
 		c.CircuitBreakerConfig = breaker.DefaultBreakerConfig(clockwork.NewRealClock())
 	}
 
+	if c.Context == nil {
+		c.Context = context.Background()
+	}
+
 	c.DialOpts = append(c.DialOpts, grpc.WithKeepaliveParams(keepalive.ClientParameters{
 		Time:                c.KeepAlivePeriod,
 		Timeout:             c.KeepAlivePeriod * time.Duration(c.KeepAliveCount),
@@ -783,7 +789,12 @@ func (c *Client) GetBotUsers(ctx context.Context) ([]types.User, error) {
 func (c *Client) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error) {
 	stream, err := c.grpc.GetAccessRequestsV2(ctx, &filter, c.callOpts...)
 	if err != nil {
-		return nil, trail.FromGRPC(err)
+		err := trail.FromGRPC(err)
+		if trace.IsNotImplemented(err) {
+			return c.getAccessRequestsLegacy(ctx, filter)
+		}
+
+		return nil, err
 	}
 	var reqs []types.AccessRequest
 	for {
@@ -800,6 +811,23 @@ func (c *Client) GetAccessRequests(ctx context.Context, filter types.AccessReque
 	return reqs, nil
 }
 
+// getAccessRequestsLegacy retrieves a list of all access requests matching the provided filter using the old access request API.
+//
+// DELETE IN: 11.0.0. Used for compatibility with old auth servers that don't support the GetAccessRequestsV2 RPC.
+func (c *Client) getAccessRequestsLegacy(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error) {
+	requests, err := c.grpc.GetAccessRequests(ctx, &filter, c.callOpts...)
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+
+	reqs := make([]types.AccessRequest, len(requests.AccessRequests))
+	for i, request := range requests.AccessRequests {
+		reqs[i] = request
+	}
+
+	return reqs, nil
+}
+
 // CreateAccessRequest registers a new access request with the auth server.
 func (c *Client) CreateAccessRequest(ctx context.Context, req types.AccessRequest) error {
 	r, ok := req.(*types.AccessRequestV3)

api/client/proto/authservice.proto

@@ -1526,6 +1526,14 @@ message PaginatedResource {
 
 // ListResourcesRequest defines a request to retrieve resources paginated. Only
 // one type of resource can be retrieved per request.
+//
+// NOTE: There are two paths this request can take:
+//  1. ListResources: the more efficient path that retrieves resources by subset
+//  at a time defined by field 'Limit'. Does NOT de-duplicate matches.
+//  2. listResourcesWithSort: the less efficient path that retrieves all resources
+//  upfront by falling back to the traditional GetXXX calls. Used when sorting (SortBy),
+//  total count of resources (NeedTotalCount), or ResourceType `KindKubernetesCluster`
+//  is requested. Matches are de-duplicated.
 message ListResourcesRequest {
     // ResourceType is the resource that is going to be retrieved.
     // This only needs to be set explicitly for the `ListResources` rpc.

api/types/access_request.go

@@ -94,6 +94,10 @@ type AccessRequest interface {
 	GetRequestedResourceIDs() []ResourceID
 	// SetRequestedResourceIDs sets the resource IDs to which access is being requested.
 	SetRequestedResourceIDs([]ResourceID)
+	// GetLoginHint gets the requested login hint.
+	GetLoginHint() string
+	// SetLoginHint sets the requested login hint.
+	SetLoginHint(string)
 }
 
 // NewAccessRequest assembles an AccessRequest resource.
@@ -382,6 +386,16 @@ func (r *AccessRequestV3) SetRequestedResourceIDs(ids []ResourceID) {
 	r.Spec.RequestedResourceIDs = append([]ResourceID{}, ids...)
 }
 
+// GetLoginHint gets the requested login hint.
+func (r *AccessRequestV3) GetLoginHint() string {
+	return r.Spec.LoginHint
+}
+
+// SetLoginHint sets the requested login hint.
+func (r *AccessRequestV3) SetLoginHint(login string) {
+	r.Spec.LoginHint = login
+}
+
 // String returns a text representation of this AccessRequest
 func (r *AccessRequestV3) String() string {
 	return fmt.Sprintf("AccessRequest(user=%v,roles=%+v)", r.Spec.User, r.Spec.Roles)

api/types/app.go

@@ -301,14 +301,17 @@ func (a *AppV3) CheckAndSetDefaults() error {
 	return nil
 }
 
-// DeduplicateApps deduplicates apps by name.
+// DeduplicateApps deduplicates apps by combination of app name and public address.
+// Apps can have the same name but also could have different addresses.
 func DeduplicateApps(apps []Application) (result []Application) {
-	seen := make(map[string]struct{})
+	type key struct{ name, addr string }
+	seen := make(map[key]struct{})
 	for _, app := range apps {
-		if _, ok := seen[app.GetName()]; ok {
+		key := key{app.GetName(), app.GetPublicAddr()}
+		if _, ok := seen[key]; ok {
 			continue
 		}
-		seen[app.GetName()] = struct{}{}
+		seen[key] = struct{}{}
 		result = append(result, app)
 	}
 	return result

api/types/desktop.go

@@ -345,5 +345,4 @@ type ListWindowsDesktopsRequest struct {
 	StartKey, PredicateExpression string
 	Labels                        map[string]string
 	SearchKeywords                []string
-	SortBy                        SortBy
 }