Merge branch 'master' into smallinsky/aws-ic-instal-plugin

Makefile

@@ -1360,7 +1360,7 @@ $(VERSRC): Makefile
 # 5. Make sure it all builds (`make release` or equivalent)
 # 6. Run `make update-tag` to tag repos with $(VERSION)
 # 7. Run `make tag-build` to build the tag on GitHub Actions
-# 8. Run `make tag-publish` after `make-build` tag has completed to
+# 8. Run `make tag-publish` after `make tag-build` tag has completed to
 #    publish the built artifacts.
 #
 # GHA tag builds: https://github.com/gravitational/teleport.e/actions/workflows/tag-build.yaml

api/client/webclient/webconfig.go

@@ -100,6 +100,11 @@ type WebConfig struct {
 	// IsPolicyEnabled is true if [Features.Policy] = true
 	// Deprecated, use entitlements
 	IsPolicyEnabled bool `json:"isPolicyEnabled"`
+	// TODO (avatus) delete in v18
+	// IsPolicyRoleVisualizerEnabled is the graph visualizer for diffs made
+	// when editing roles in the Web UI. This defaults to true, but has an environment
+	// variable to turn off if needed TELEPORT_UNSTABLE_DISABLE_ROLE_VISUALIZER=true
+	IsPolicyRoleVisualizerEnabled bool `json:"isPolicyRoleVisualizerEnabled"`
 	// featureLimits define limits for features.
 	// Typically used with feature teasers if feature is not enabled for the
 	// product type eg: Team product contains teasers to upgrade to Enterprise.

api/types/provisioning.go

@@ -921,6 +921,9 @@ func (a *ProvisionTokenSpecV2Bitbucket) checkAndSetDefaults() error {
 	return nil
 }
 
+// checkAndSetDefaults checks and sets defaults on the Oracle spec. This only
+// covers basics like the presence of required fields; more complex validation
+// (e.g. requiring the Oracle SDK) is in auth.validateOracleJoinToken.
 func (a *ProvisionTokenSpecV2Oracle) checkAndSetDefaults() error {
 	if len(a.Allow) == 0 {
 		return trace.BadParameter("the %q join method requires at least one allow rule", JoinMethodOracle)

docs/config.json

@@ -102,6 +102,10 @@
         {
           "title": "Database GUI Clients",
           "slug": "/connect-your-client/gui-clients/"
+        },
+        {
+          "title": "Notifications",
+          "slug": "/connect-your-client/notifications/"
         }
       ]
     },

docs/pages/connect-your-client/notifications.mdx

@@ -0,0 +1,50 @@
+---
+title: Notifications
+description: Provides a detailed breakdown of Teleport's notification system.
+---
+
+Teleport's notification system allows users to be notified of various events, updates, and warnings in real time.
+
+This guide explains how to interact with notifications in the Web UI and how cluster administrators can create custom notifications for their users.
+
+## Interacting with notifications in the Web UI
+
+In the Web UI, you can list all your notifications by clicking on the bell icon in the top right of the navigation bar.
+
+Clicking on a notification will redirect you to the relevant page, or in the case of a custom notification generated by an administrator, open a dialog containing its text content.
+You can mark the notification as read to acknowledge it, or hide it to have it never be shown to you again.
+
+Some notifications may include quick action buttons which allow you perform actions directly from the notification, such as assuming granted roles from an approved access request notification.
+
+![Notification in the WebUI](../../img/notification.png)
+
+## Creating and managing notifications
+
+Cluster administrators with `create` permissions for the `notification` resource can create and manage custom notifications using the `tctl notifications` command. These notifications
+contain custom text content and can be configured to target either all users, a specific user, or users with certain roles.
+
+Please note that custom notifications are stored in the backend in plaintext, and should therefore not include any sensitive information or be used for security-critical purposes.
+
+### Examples
+
+```code
+# Create a notification for a specific user.
+# Only user alice will see this notification.
+$ tctl notifications create --user=alice --title="Upcoming Database Maintenance" \
+  --content="We will be conducting a database upgrade tomorrow at 2AM UTC"
+
+# Create a notification for users with the `engineer` role that expires in 2 days
+$ tctl notifications create --roles=engineer --title="Reminder" \
+  --content="Please use access requests to request access to production servers" --ttl=2d
+
+# List notifications.
+$ tctl notifications ls
+ID                                   Created             Expires             Title                Labels
+------------------------------------ ------------------- ------------------- -------------------- ------
+0194d8b2-5a38-7858-88fe-5fcee3ff1ceb 06 Feb 25 00:39 UTC 08 Mar 25 00:39 UTC Example notification
+
+# Delete a notification.
+$ tctl notifications rm 3b8eb3d6-da9a-5353-aece-cbc885ecbf73
+```
+
+For more detailed information on this family of commands, please refer to the [CLI Reference](../reference/cli/tctl.mdx#tctl-notifications-create).

docs/pages/reference/architecture/device-trust.mdx

@@ -0,0 +1,54 @@
+---
+title: Device Trust
+description: How Teleport Device Trust works.
+---
+
+Device Trust leverages the macOS Secure Enclave, or TPM 2.0 on Linux and Windows
+devices, to establish and validate device identity.
+
+There are three main steps in a device's lifecycle: registration, enrollment and
+authentication.
+
+**Registration** informs Teleport about a known device. At this stage the device
+is not yet trusted, but is part of the **device inventory**. For example, a
+device created using `tctl devices add` or synced via Jamf is registered.
+
+**Enrollment** transforms a registered device into a trusted device by creating
+and verifying a secure private key.
+
+![macOS enrollment](../../../img/architecture/device-trust-enrollment-macos.png)
+
+The collected device data above includes the serial number, model, OS
+information, etc. (You can inspect it by running `tsh device collect`).
+
+A safe enrollment ceremony is paramount, as the identity established here
+(through the device's key) is the basis for future authentications. Options
+range from [auto-enrollment][] to manually distributed [device enrollment
+tokens][].
+
+**Authentication** follows a similar pattern. It challenges the device to prove
+itself using the previously established device key and, if successful, issues
+new user certificates augmented with device extensions. The presence of device
+extensions is what unlocks [device enforcement][]
+
+Device authentication happens after the initial user authentication, requiring
+the user to be authenticated beforehand.
+
+![device authentication](../../../img/architecture/device-trust-authentication.png)
+
+These are the basics of device trust. TPM ceremonies are slightly different in
+implementation but equivalent in functionality and security properties
+(enrollment attests the EKCert, EK and AK; authentication verifies possession of
+the AK).
+
+Web UI support is underpinned by the same ceremonies described above, which are
+delegated to Teleport Connect for technical reasons. Our [device trust for the
+web][] blog post describes the implementation challenges in detail.
+
+For practical use see the [device trust section][].
+
+[auto-enrollment]: ../../admin-guides/access-controls/device-trust/device-management.mdx#auto-enrollment
+[device enrollment tokens]: ../../admin-guides/access-controls/device-trust/device-management.mdx#create-a-device-enrollment-token
+[device enforcement]: ../../admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
+[device trust for the web]: https://goteleport.com/blog/device-trust-for-web-challenges-and-solutions/
+[device trust section]: ../../admin-guides/access-controls/device-trust/device-trust.mdx

docs/pages/reference/cli/tctl.mdx

@@ -145,6 +145,99 @@ Removes a user from an Access List.
 $ tctl acl users rm <access-list-name> <user>
 ```
 
+## tctl notifications create
+
+Create a new notification for users in the cluster:
+
+```code
+$ tctl notifications create [<flags>]
+```
+
+There are several ways to specify which users see the notification. To target a specific user, use the `--user` flag. To target
+all users with a particular role (or set of roles), use the `--roles` flag. If you specify multiple roles, all users with at least
+one of the roles will see the notification, in order to require users to have all of the roles specified, add the `--require-all-roles` flag.
+If neither `--user` nor `--roles` are provided, the notification will default to targeting all users in the cluster, regardless of their roles.
+
+### Flags
+
+| Name                  | Default Value(s) | Allowed Value(s)        | Description                                                                                                                                                                        |
+| --------------------- | ---------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `-t, --title`         | none             | **string**              | Required. Sets the notification's title                                                                                                                                            |
+| `--content`           | none             | **string**              | Required. Sets the notification's text content, this is the text that will be displayed when a user clicks on the notification.                                                    |
+| `--user`              | none             | **string**              | If user-specific, the username of the specific user this notification will target.                                                                                                 |
+| `--roles`             | none             | Comma-separated strings | If role-specific, the set of roles users must have to receive this notification.                                                                                                   |
+| `--require-all-roles` | `false`          | `true`,`false`          | If role-specific, setting this to `true` will only targets users who have _all_ of the roles specified in `--roles`. If `false`, users only need to have one or more of the roles. |
+| `--ttl`               | `30d`            | Any duration            | Time duration after which the notification will expire and be deleted.                                                                                                             |
+| `--warning`           | `false`          | `true`,`false`          | Whether this notification should be displayed as a warning.                                                                                                                        |
+| `--labels`            | none             | Comma-separated strings | Custom labels to attach to the notification's metadata. Note that these will have no effect on the native behavior of the notification.                                            |
+
+### Examples
+
+```code
+# Create a notification for a specific user
+$ tctl notifications create --user=alice --title="Upcoming Database Maintenance" --content="We will be conducting a database upgrade tomorrow at 2AM UTC"
+
+# Create a warning notification for all users
+$ tctl notifications create --warning --title="Enroll an MFA device" --content="We will soon be enforcing MFA in this cluster, please enroll a device to avoid being locked out of your account."
+
+# Create a notification for users with the `engineer` role that expires in 2 days
+$ tctl notifications create --roles=engineer --title="Reminder" --content="Please use access requests to request access to production servers" --ttl=2d
+```
+
+## tctl notifications ls
+
+List notifications:
+
+```code
+$ tctl notifications ls [<flags>]
+```
+
+### Flags
+
+| Name       | Default Value(s) | Allowed Value(s)        | Description                                                                                                                                        |
+| ---------- | ---------------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--user`   | none             | **string**              | List only a specific user's notifications.                                                                                                         |
+| `--format` | `text`           | `text`,`yaml`,`json`    | The format of the output.                                                                                                                          |
+| `--all`    | `false`          | `true`,`false`          | If `true`, notifications generated by Teleport will also be returned, as opposed to only notifications created by admins via the `tctl` interface. |
+| `--labels` | none             | Comma-separated strings | Filter notifications by labels.                                                                                                                    |
+
+### Examples
+
+```code
+$ tctl notifications ls
+ID                                   Created             Expires             Title                Labels
+------------------------------------ ------------------- ------------------- -------------------- ------
+0194d8b2-5a38-7858-88fe-5fcee3ff1ceb 06 Feb 25 00:39 UTC 08 Mar 25 00:39 UTC Example notification
+```
+
+## tctl notifications rm
+
+Delete a notification:
+
+```code
+$ tctl notifications rm [<flags>] <id>
+```
+
+### Arguments
+
+- `<id>`: the ID of the notification to delete. This can be retrieved from the output of `tctl notifications ls`.
+
+### Flags
+
+| Name     | Default Value(s) | Allowed Value(s) | Description                                                                                  |
+| -------- | ---------------- | ---------------- | -------------------------------------------------------------------------------------------- |
+| `--user` | none             | string           | The username of the user this notification belongs to, if the notification is user-specific. |
+
+### Examples
+
+```code
+# Delete a notification which was either for all users, or role-based.
+$ tctl notifications rm 3b8eb3d6-da9a-5353-aece-cbc885ecbf73
+
+# Delete a notification which was specific to a user.
+$ tctl notifications rm --user=alice 4f548918-c853-52a6-b98b-5718b79d0e96
+```
+
 ## tctl alerts ack
 
 Temporarily acknowledges a cluster alert, preventing the alert from being

docs/pages/reference/config.mdx

@@ -69,6 +69,7 @@ Teleport supports the following services:
 |SSH Service|`ssh_service`|✅|
 |Desktop Service|`windows_desktop_service`|❌|
 |Jamf Service|`jamf_service`|❌|
+|Debug Service|`debug_service`|✅|
 
 Teleport Cloud manages the Auth Service and Proxy Service for you. Instances of
 Teleport services (e.g., the Application Service and Database Service) should

integrations/event-handler/go.mod

@@ -236,6 +236,7 @@ require (
 	github.com/okta/okta-sdk-golang/v2 v2.20.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.81.0 // indirect
 	github.com/patrickmn/go-cache v2.1.1-0.20191004192108-46f407853014+incompatible // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -257,6 +258,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sijms/go-ora/v2 v2.8.23 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sony/gobreaker v0.5.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect

integrations/event-handler/go.sum

@@ -373,6 +373,7 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
 github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
+github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
@@ -758,6 +759,8 @@ github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8W
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -766,6 +769,9 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=

integrations/event-handler/legacy_events_watcher.go

@@ -120,11 +120,14 @@ func (t *LegacyEventsWatcher) GetCursorValues() LegacyCursorValues {
 }
 
 // flipPage flips the current page
-func (t *LegacyEventsWatcher) flipPage() bool {
+func (t *LegacyEventsWatcher) flipPage(ctx context.Context) bool {
 	if t.nextCursor == "" {
+		t.log.DebugContext(ctx, "not flipping page (no next cursor)")
 		return false
 	}
 
+	t.log.DebugContext(ctx, "flipping page", "cursor", t.cursor, "next", t.nextCursor)
+
 	t.cursor = t.nextCursor
 	t.pos = -1
 	t.batch = make([]*LegacyTeleportEvent, 0)
@@ -174,7 +177,11 @@ func (t *LegacyEventsWatcher) fetch(ctx context.Context) error {
 	// Set the position of the last known event
 	t.pos = pos
 
-	t.log.DebugContext(ctx, "Skipped last known event", "id", t.id, "pos", t.pos)
+	if pos == 0 {
+		t.log.DebugContext(ctx, "starting from first event in fetch", "id", t.id, "pos", pos)
+	} else {
+		t.log.DebugContext(ctx, "advancing past last known event in fetch", "id", t.id, "pos", pos)
+	}
 
 	return nil
 }
@@ -317,6 +324,7 @@ func (t *LegacyEventsWatcher) ExportEvents(ctx context.Context) error {
 		for {
 			// If there is nothing in the batch, request
 			if len(t.batch) == 0 {
+				t.log.DebugContext(ctx, "fetching due to empty batch...")
 				err := t.fetch(ctx)
 				if err != nil {
 					e <- trace.Wrap(err)
@@ -343,7 +351,7 @@ func (t *LegacyEventsWatcher) ExportEvents(ctx context.Context) error {
 			// If we processed the last event on a page
 			if t.pos >= len(t.batch) {
 				// If there is next page, flip page
-				if t.flipPage() {
+				if t.flipPage(ctx) {
 					continue
 				}