Merge branch 'master' into strideynet/workload-identity-resource-docu…

…mentation

.github/ISSUE_TEMPLATE/testplan.md

@@ -1644,6 +1644,35 @@ Verify SAML IdP service provider resource management.
   - [ ] Verify that when a SAML resource is created with preset value `preset: gcp-workforce`, Teleport adds
         relay state `relay_state: https://console.cloud.google/` value in the resulting resource spec.
 
+## SSO MFA
+
+Verify SSO MFA core functionality. The tests below should be performed once
+with OIDC and once with SAML.
+
+Configure both an OIDC connector and a SAML connector following the [Quick GitHub/SAML/OIDC Setup Tips]
+and [enable MFA on them](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/sso/#configuring-sso-for-mfa-checks).
+
+For simplicity, you can use the same IdP App (client id/secret or entity descriptor)
+for both login and MFA. This way, each Teleport MFA check will make you re-login via SSO.
+
+Ensure [SSO is allowed as a second factor](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/sso/#allowing-sso-as-an-mfa-method-in-your-cluster).
+e.g. `cap.second_factors: ['webauthn', 'sso']`.
+
+The following should work with SSO MFA, automatically opening the SSO MFA redirect URL:
+
+- [ ] `tsh mfa ls` should display the SSO MFA device.
+  - [ ] SSO MFA device cannot be deleted or added
+- [ ] Add another MFA device (`tsh mfa add`)
+- [ ] Delete the other MFA device (`tsh --mfa-mode=sso mfa rm`)
+- [ ] Moderated Sessions
+- [ ] Admin Actions (e.g. `tctl tokens ls`)
+- [ ] Per-session MFA
+  - [ ] Server Access
+  - [ ] File Transfers
+  - [ ] Kubernetes Access
+  - [ ] App Access
+  - [ ] Database Access
+  - [ ] Desktop Access
 
 ## Resources
 
@@ -1652,4 +1681,4 @@ Verify SAML IdP service provider resource management.
 <!---
 reference style links
 -->
-[Quick GitHub/SAML/OIDC Setup Tips]: https://gravitational.slab.com/posts/quick-git-hub-saml-oidc-setup-6dfp292a
+[Quick GitHub/SAML/OIDC Setup Tips]: https://www.notion.so/goteleport/Quick-SSO-setup-fb1a64504115414ca50a965390105bee

.github/ISSUE_TEMPLATE/webtestplan.md

@@ -823,7 +823,7 @@ Add the following to enable read access to trusted clusters
     - [Authentication connectors](https://goteleport.com/docs/setup/reference/authentication/#authentication-connectors):
       - For those you might want to use clusters that are deployed on the web, specified in
         parens. Or set up the connectors on a local enterprise cluster following [the guide from
-        our wiki](https://gravitational.slab.com/posts/quick-git-hub-saml-oidc-setup-6dfp292a).
+        our wiki](https://www.notion.so/goteleport/Quick-SSO-setup-fb1a64504115414ca50a965390105bee).
       - [ ] GitHub (asteroid)
       - [ ] SAML (platform cluster)
       - [ ] OIDC (e-demo)

.github/dependabot.yml

@@ -21,8 +21,6 @@ updates:
       - dependency-name: github.com/microsoft/go-mssqldb
       - dependency-name: github.com/redis/go-redis/v9
       - dependency-name: github.com/vulcand/predicate
-      # Ignore until kube libs are upgraded. See https://github.com/kubernetes-sigs/controller-runtime/issues/2788.
-      - dependency-name: k8s.io/*
     open-pull-requests-limit: 20
     groups:
       go:

.github/workflows/build-centos7-assets.yaml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 

.github/workflows/build-ci-buildbox-images.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 
@@ -60,7 +60,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 
@@ -89,7 +89,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 
@@ -118,7 +118,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 
@@ -146,7 +146,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           driver: docker
 

.github/workflows/build-ci-service-images.yaml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Login to registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -44,7 +44,7 @@ jobs:
 
       - name: Build etcd image
         id: docker_build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
           context: ${{ github.workspace }}
           file: .github/services/Dockerfile.etcd

.github/workflows/build-usage-image.yaml

@@ -15,7 +15,7 @@ jobs:
         run: |
           echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
       - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.TELEPORT_USAGE_IAM_ROLE_ARN }}
@@ -24,7 +24,7 @@ jobs:
         with:
           registry-type: public
       # Build and publish container image on ECR.
-      - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+      - uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
           context: "examples/teleport-usage"
           tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}

.github/workflows/dependency-review.yaml

@@ -18,13 +18,21 @@ jobs:
       allow-ghsas: 'GHSA-6xf3-5hp7-xqqg'
       # IronRDP uses MIT/Apache-2.0 but slashes are not recognized by dependency review action
       allow-dependencies-licenses: >-
+        pkg:cargo/ironrdp-cliprdr,
         pkg:cargo/ironrdp-core,
         pkg:cargo/ironrdp-async,
         pkg:cargo/ironrdp-connector,
+        pkg:cargo/ironrdp-displaycontrol,
+        pkg:cargo/ironrdp-dvc,
+        pkg:cargo/ironrdp-error,
+        pkg:cargo/ironrdp-graphics,
         pkg:cargo/ironrdp-pdu,
+        pkg:cargo/ironrdp-rdpdr,
+        pkg:cargo/ironrdp-rdpsnd,
         pkg:cargo/ironrdp-session,
         pkg:cargo/ironrdp-svc,
         pkg:cargo/ironrdp-tokio,
+        pkg:cargo/ironrdp-tls,
         pkg:cargo/asn1-rs,
         pkg:cargo/asn1-rs-derive,
         pkg:cargo/asn1-rs-impl,

.github/workflows/kube-integration-tests-non-root.yaml

@@ -69,7 +69,7 @@ jobs:
         continue-on-error: true
 
       - name: Create KinD cluster
-        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           cluster_name: kind
           config: fixtures/kind/config.yaml

.github/workflows/lint.yaml

@@ -108,41 +108,41 @@ jobs:
       # Run various golangci-lint checks.
       # TODO(codingllama): Using go.work could save a bunch of repetition here.
       - name: golangci-lint (api)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: api
           args: --out-format=colored-line-number
           skip-cache: true
       - name: golangci-lint (teleport)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           args: --out-format=colored-line-number --build-tags libfido2,piv
           skip-cache: true
       - name: golangci-lint (assets/backport)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: assets/backport
           args: --out-format=colored-line-number
           skip-cache: true
       - name: golangci-lint (build.assets/tooling)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: build.assets/tooling
           args: --out-format=colored-line-number
           skip-cache: true
       - name: golangci-lint (integrations/terraform)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: integrations/terraform
           args: --out-format=colored-line-number
           skip-cache: true
       - name: golangci-lint (integrations/event-handler)
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: integrations/event-handler
@@ -208,7 +208,7 @@ jobs:
       - name: Print linter versions
         run: |
           echo "BUF_VERSION=$BUF_VERSION"
-      - uses: bufbuild/buf-setup-action@9672cee01808979ea1249f81d6d321217b9a10f6 # v1.47.2
+      - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ github.token }}
           version: ${{ env.BUF_VERSION }}

.github/workflows/post-release.yaml

@@ -122,4 +122,6 @@ jobs:
           gh pr create --fill "--base=${BASE_BRANCH}" \
              --label=automated --label=documentation --label=no-changelog \
              "--reviewer=${REVIEWER}"
-           echo "Docs PR: $(gh pr view --json url --jq .url)" >> "$GITHUB_STEP_SUMMARY"
+          # enable auto-merge
+          gh pr merge --auto --squash
+          echo "Docs PR: $(gh pr view --json url --jq .url)" >> "$GITHUB_STEP_SUMMARY"

.golangci.yml

@@ -128,6 +128,123 @@ linters-settings:
             desc: 'use "log/slog" instead'
           - pkg: golang.org/x/exp/slog
             desc: 'use "log/slog" instead'
+      # Prevent importing testify in production code.
+      testify:
+        files:
+          # Tests can import testify
+          - '!$test'
+          # Exceptions
+          # Remove these once they are complaint.
+          - '!**/api/testhelpers/**'
+          - '!**/e/lib/auth/ssotestlib.go'
+          - '!**/e/lib/aws/identitycenter/test/**'
+          - '!**/e/lib/idp/saml/testenv/**'
+          - '!**/e/lib/operatortest/**'
+          - '!**/e/tests/**'
+          - '!**/lib/automaticupgrades/basichttp/servermock.go'
+          - '!**/lib/auth/helpers.go'
+          - '!**/lib/auth/keystore/testhelpers.go'
+          - '!**/lib/auth/test/**'
+          - '!**/lib/backend/test/**'
+          - '!**/lib/events/athena/test.go'
+          - '!**/lib/events/test/**'
+          - '!**/lib/kube/proxy/utils_testing.go'
+          - '!**/lib/services/suite/**'
+          - '!**/lib/srv/mock.go'
+          - '!**/lib/srv/db/redis/test.go'
+          - '!**/lib/teleterm/gatewaytest/**'
+          - '!**/lib/utils/testhelpers.go'
+          - '!**/lib/utils/testutils/**'
+          - '!**/integration/appaccess/fixtures.go'
+          - '!**/integration/appaccess/jwt.go'
+          - '!**/integration/appaccess/pack.go'
+          - '!**/integration/db/fixture.go'
+          - '!**/integration/hsm/helpers.go'
+          - '!**/integration/helpers/**'
+          - '!**/integration/proxy/proxy_helpers.go'
+          - '!**/integrations/access/email/testlib/**'
+          - '!**/integrations/access/datadog/testlib/**'
+          - '!**/integrations/access/discord/testlib/**'
+          - '!**/integrations/access/jira/testlib/**'
+          - '!**/integrations/access/mattermost/testlib/**'
+          - '!**/integrations/access/msteams/testlib/**'
+          - '!**/integrations/access/opsgenie/testlib/**'
+          - '!**/integrations/access/pagerduty/testlib/**'
+          - '!**/integrations/access/servicenow/testlib/**'
+          - '!**/integrations/access/slack/testlib/**'
+          - '!**/integrations/lib/testing/integration/accessrequestsuite.go'
+          - '!**/integrations/lib/testing/integration/app.go'
+          - '!**/integrations/lib/testing/integration/authhelper.go'
+          - '!**/integrations/lib/testing/integration/suite.go'
+          - '!**/integrations/operator/controllers/resources/testlib/**'
+          - '!**/tool/teleport/testenv/**'
+        deny:
+          - pkg: github.com/stretchr/testify
+            desc: 'testify should not be imported outside of test code'
+      # Prevent importing integration test helpers in production code.
+      integration:
+        files:
+          # Tests can do anything
+          - '!$test'
+          - '!**/integration/**'
+          - '!**/e/tests/**'
+          - '!**/integrations/operator/controllers/resources/testlib/**'
+        deny:
+          - pkg: github.com/gravitational/teleport/integration
+            desc: 'integration test should not be imported outside of intergation tests'
+        allow:
+          # integrations is explicitly allowed becuase the deny rule above
+          # will match both integration and integrations, however only
+          # integration should be denied.
+          - github.com/gravitational/teleport/integrations
+        list-mode: lax
+      # Prevent importing testing in production code.
+      testing:
+        files:
+          # Tests can do anything
+          - '!$test'
+          # Exceptions
+          # Remove these once they are complaint.
+          - '!**/api/testhelpers/**'
+          - '!**/e/lib/auth/ssotestlib.go'
+          - '!**/e/lib/aws/identitycenter/test/**'
+          - '!**/e/lib/devicetrust/testenv/**'
+          - '!**/e/lib/devicetrust/storage/storage.go'
+          - '!**/e/lib/idp/saml/testenv/**'
+          - '!**/e/lib/jamf/testenv/**'
+          - '!**/e/lib/okta/api/oktaapitest/**'
+          - '!**/e/lib/operatortest/**'
+          - '!**/e/tests/**'
+          - '!**/integration/**'
+          - '!**/integrations/access/email/testlib/**'
+          - '!**/integrations/access/msteams/testlib/**'
+          - '!**/integrations/access/slack/testlib/**'
+          - '!**/integrations/operator/controllers/resources/testlib/**'
+          - '!**/lib/auth/helpers.go'
+          - '!**/lib/auth/keystore/testhelpers.go'
+          - '!**/lib/auth/test/**'
+          - '!**/lib/automaticupgrades/basichttp/servermock.go'
+          - '!**/lib/backend/test/**'
+          - '!**/lib/cryptosuites/precompute.go'
+          - '!**/lib/cryptosuites/internal/rsa/rsa.go'
+          - '!**/lib/events/test/**'
+          - '!**/lib/events/athena/test.go'
+          - '!**/lib/fixtures/**'
+          - '!**/lib/kube/proxy/utils_testing.go'
+          - '!**/lib/modules/test.go'
+          - '!**/lib/service/service.go'
+          - '!**/lib/services/local/users.go'
+          - '!**/lib/services/suite/**'
+          - '!**/lib/srv/mock.go'
+          - '!**/lib/srv/db/redis/test.go'
+          - '!**/lib/teleterm/gatewaytest/**'
+          - '!**/lib/utils/cli.go'
+          - '!**/lib/utils/testhelpers.go'
+          - '!**/lib/utils/testutils/**'
+          - '!**/tool/teleport/testenv/**'
+        deny:
+          - pkg: testing
+            desc: 'testing should not be imported outside of tests'
       # Prevent importing internal packages in client tools or packages containing
       # common interfaces consumed by them that are known to bloat binaries or break builds
       # because they only support a single platform.