Merge branch 'master' into STeve/redis_driver_update_fix

Makefile

@@ -316,9 +316,8 @@ endif
 
 ifeq ("$(OS)","darwin")
 # Set the minimum version for macOS builds for Go, Rust and Xcode builds.
-# Note the minimum version for Apple silicon (ARM64) is 11.0 and will be automatically
-# clamped to the value for builds of that architecture
-MINIMUM_SUPPORTED_MACOS_VERSION = 10.15
+# (as of Go 1.23 we require macOS 11)
+MINIMUM_SUPPORTED_MACOS_VERSION = 11.0
 MACOSX_VERSION_MIN_FLAG = -mmacosx-version-min=$(MINIMUM_SUPPORTED_MACOS_VERSION)
 
 # Go

api/proto/teleport/integration/v1/awsoidc_service.proto

@@ -214,6 +214,15 @@ message SecurityGroupRuleCIDR {
   string description = 2;
 }
 
+// SecurityGroupRuleGroupID has an allowed security group ID and a description
+// for the rule.
+message SecurityGroupRuleGroupID {
+  // GroupID is the allowed security group ID.
+  string group_id = 1;
+  // Description contains a small text describing the allowed security group.
+  string description = 2;
+}
+
 // SecurityGroupRule is a representation of a SecurityGroupRule.
 // Either for Inbound or Outbound rules.
 message SecurityGroupRule {
@@ -228,6 +237,9 @@ message SecurityGroupRule {
   int32 to_port = 3;
   // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
   repeated SecurityGroupRuleCIDR cidrs = 4;
+  // GroupIds is a list of rules that allow another security group referenced
+  // by ID.
+  repeated SecurityGroupRuleGroupID group_ids = 5;
 }
 
 // SecurityGroup is a representation of a SecurityGroup

api/types/authentication.go

@@ -591,6 +591,8 @@ type SignatureAlgorithmSuiteParams struct {
 	// UsingHSMOrKMS should be true if the auth server is configured to
 	// use an HSM or KMS.
 	UsingHSMOrKMS bool
+	// Cloud should be true when running in Teleport Cloud.
+	Cloud bool
 }
 
 // SetDefaultSignatureAlgorithmSuite sets default signature algorithm suite
@@ -600,16 +602,19 @@ func (c *AuthPreferenceV2) SetDefaultSignatureAlgorithmSuite(params SignatureAlg
 	switch {
 	case params.FIPS:
 		c.SetSignatureAlgorithmSuite(SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_FIPS_V1)
-	case params.UsingHSMOrKMS:
+	case params.UsingHSMOrKMS || params.Cloud:
+		// Cloud may eventually migrate existing CA keys to a KMS, to keep
+		// this option open we default to hsm-v1 suite.
 		c.SetSignatureAlgorithmSuite(SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_HSM_V1)
 	default:
 		c.SetSignatureAlgorithmSuite(SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_BALANCED_V1)
 	}
 }
 
 var (
-	errNonFIPSSignatureAlgorithmSuite = &trace.BadParameterError{Message: `non-FIPS compliant authentication setting: "signature_algorithm_suite" must be "fips-v1" or "legacy"`}
-	errNonHSMSignatureAlgorithmSuite  = &trace.BadParameterError{Message: `configured "signature_algorithm_suite" is unsupported when "ca_key_params" configures an HSM or KMS, supported values: ["hsm-v1", "fips-v1", "legacy"]`}
+	errNonFIPSSignatureAlgorithmSuite  = &trace.BadParameterError{Message: `non-FIPS compliant authentication setting: "signature_algorithm_suite" must be "fips-v1" or "legacy"`}
+	errNonHSMSignatureAlgorithmSuite   = &trace.BadParameterError{Message: `configured "signature_algorithm_suite" is unsupported when "ca_key_params" configures an HSM or KMS, supported values: ["hsm-v1", "fips-v1", "legacy"]`}
+	errNonCloudSignatureAlgorithmSuite = &trace.BadParameterError{Message: `configured "signature_algorithm_suite" is unsupported in Teleport Cloud, supported values: ["hsm-v1", "fips-v1", "legacy"]`}
 )
 
 // CheckSignatureAlgorithmSuite returns an error if the current signature
@@ -631,6 +636,11 @@ func (c *AuthPreferenceV2) CheckSignatureAlgorithmSuite(params SignatureAlgorith
 		if params.UsingHSMOrKMS {
 			return trace.Wrap(errNonHSMSignatureAlgorithmSuite)
 		}
+		if params.Cloud {
+			// Cloud may eventually migrate existing CA keys to a KMS, to keep
+			// this option open we prevent the balanced-v1 suite.
+			return trace.Wrap(errNonCloudSignatureAlgorithmSuite)
+		}
 	default:
 		return trace.Errorf("unhandled signature_algorithm_suite %q: this is a bug", c.GetSignatureAlgorithmSuite())
 	}

build.assets/build-fido2-macos.sh

@@ -11,7 +11,7 @@
 # Written mainly for macOS builders.
 set -eu
 
-readonly MACOS_VERSION_MIN=10.15
+readonly MACOS_VERSION_MIN=11.0
 
 # Cross-architecture building
 # Set C_ARCH to $(uname -m) if unset, and validate supported architecture

build.assets/macos/tctl/tctl.app/Contents/Info.plist

@@ -43,7 +43,7 @@
 		<key>DTXcodeBuild</key>
 		<string>13C100</string>
 		<key>LSMinimumSystemVersion</key>
-		<string>10.15.0</string>
+		<string>11.0.0</string>
 		<key>NSHumanReadableCopyright</key>
 		<string/>
 		<key>NSMainStoryboardFile</key>

build.assets/macos/tctldev/tctl.app/Contents/Info.plist

@@ -41,7 +41,7 @@
 		<key>DTXcodeBuild</key>
 		<string>13C100</string>
 		<key>LSMinimumSystemVersion</key>
-		<string>10.15.0</string>
+		<string>11.0.0</string>
 		<key>NSHumanReadableCopyright</key>
 		<string/>
 		<key>NSMainStoryboardFile</key>

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -43,7 +43,7 @@
 		<key>DTXcodeBuild</key>
 		<string>13C100</string>
 		<key>LSMinimumSystemVersion</key>
-		<string>10.15.0</string>
+		<string>11.0.0</string>
 		<key>NSHumanReadableCopyright</key>
 		<string/>
 		<key>NSMainStoryboardFile</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -41,7 +41,7 @@
 		<key>DTXcodeBuild</key>
 		<string>13C100</string>
 		<key>LSMinimumSystemVersion</key>
-		<string>10.15.0</string>
+		<string>11.0.0</string>
 		<key>NSHumanReadableCopyright</key>
 		<string/>
 		<key>NSMainStoryboardFile</key>

docs/pages/admin-guides/access-controls/guides/passwordless.mdx

@@ -224,8 +224,7 @@ necessary udev rules.
 If you are having trouble with Touch ID, make sure that you are using the latest
 standalone version of `tsh`. [Download the macOS tsh installer](../../../installation.mdx).
 
-Touch ID support requires Macs with a Touch ID sensor and Secure Enclave. It also
-requires macOS >= 10.15 (macOS Catalina).
+Touch ID support requires Macs with a Touch ID sensor and Secure Enclave.
 
 You can run the `tsh touchid diag` command to verify requirements. A capable
 device and `tsh` binary should show an output similar to the one below:

docs/pages/connect-your-client/tsh.mdx

@@ -942,13 +942,14 @@ the session recording backend. This requires either a self-hosted Teleport
 cluster or [external audit
 storage](../admin-guides/management/external-audit-storage.mdx).
 
-The `tsh play` command can print recordings in three formats, depending on the
+The `tsh play` command can print recordings in several formats, depending on the
 kind of resource the recorded session interacts with. To choose a format, use
 the `--format` flag of `tsh play`:
 
 | `--format` value | Supported resources | Description |
 |------------------|---------------------|-------------|
 | `pty` (default)  | Servers, Kubernetes clusters | `tsh` opens a pseudo-terminal to play each command executed in the session. |
+| `text` | Servers, Kubernetes clusters | `tsh` dumps the entire recording directly to standard out. Timing data is ignored. |
 | `json` | Servers, Kubernetes clusters, applications, databases | `tsh` prints a JSON-serialized list of audit events, separated by newlines. |
 | `yaml` | Servers, Kubernetes clusters, applications, databases | `tsh` prints a YAML-serialized list of audit events, separated by `---` characters. |
 

docs/pages/installation.mdx

@@ -34,7 +34,7 @@ running Teleport on UNIX variants other than Linux \[1].
 | Operating System | `teleport` Daemon | `tctl` Admin Tool | `tsh` and Teleport Connect User Clients [2] | Web UI (via the browser) | `tbot` Daemon |
 | - | - | - | - | - | - |
 | Linux v2.6.23+ (RHEL/CentOS 7+, Amazon Linux 2+, Amazon Linux 2023+, Ubuntu 16.04+, Debian 9+, SLES 12 SP 5+, and SLES 15 SP 5+) \[3] | yes | yes | yes | yes | yes |
-| macOS v10.15+  (Catalina)| yes | yes | yes | yes | yes |
+| macOS 11+  (Big Sur)| yes | yes | yes | yes | yes |
 | Windows 10+ (rev. 1607) \[4] | no | yes | yes | yes | no |
 
 \[1] *Teleport is written in Go and many of these system requirements are due to the requirements
@@ -854,4 +854,3 @@ infrastructure. Get started with:
 - [Application Access](enroll-resources/application-access/introduction.mdx)
 - [Desktop Access](enroll-resources/desktop-access/introduction.mdx)
 - [Machine ID](enroll-resources/machine-id/introduction.mdx)
-

docs/pages/reference/cli/tsh.mdx

@@ -499,22 +499,23 @@ $ tsh mfa rm <device-name>
 Plays back a prior session:
 
 ```code
-$ tsh play [<flags>] <session-id>
+$ tsh play [<flags>] <id-or-file>
 ```
 
 ### Arguments
 
-`<session-id>`
+`<id-or-file>`
 
-- `session-id` The UUID of a past Teleport Session obtained by `teleport status` within
-  the session or from the Web UI.
+- `id-or-file` The UUID of a past Teleport session, or the path to a local recording file.
 
 ### Flags
 
 | Name | Default Value(s) | Allowed Value(s) | Description |
 | - | - | - | - |
-| `--cluster` | none | a cluster_name | Specify the cluster to connect |
-| `--format`  | `pty`  | json, pty | Format for playback |
+| `--cluster` | none   | a cluster_name                 | Specify the cluster to connect |
+| `--format`  | `pty`  | `json`, `yaml`, `pty`, `text`  | Format for playback |
+| `--speed`   | `1x`   | `0.5x`, `1x`, `2x`, `4x`, `8x` | Playback speed |
+| `--skip-idle-time` | `false` | `true, `false` | Skip idle time during playback |
 
 ### Global flags
 
@@ -526,11 +527,17 @@ Run `tsh help <subcommand>` or see the [Global Flags section](#tsh-global-flags)
 ```code
 $ tsh --proxy proxy.example.com play <session-id>
 
-# Playing back a session using pty format using a downloaded session recording.
-$ tsh play --format=pty 1fe153d1-ce8b-4ef4-9908-6539457ba4ad.tar
+# Playing back a session streamed from the server.
+$ tsh play 1fe153d1-ce8b-4ef4-9908-6539457ba4ad
 
-# Playing back a session in json format using jq to filter on events
+# Playing back a local session in JSON format using jq to filter on events
 $ tsh play --format=json ~/play/0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0.tar | jq '.event
+
+# Playing back a session at 2x speed while also skipping idle time
+$ tsh play --speed=2x --skip-idle-time 1fe153d1-ce8b-4ef4-9908-6539457ba4ad
+
+# Dump an SSH session recording to standard out, without respecting timing data.
+$ tsh play --format=text 1fe153d1-ce8b-4ef4-9908-6539457ba4ad
 ```
 
 ## tsh proxy app
@@ -1192,4 +1199,3 @@ Only display the `tsh` binary version:
 $ tsh version --client
 Teleport v(=teleport.version=) git: go(=teleport.golang=)
 ```
-

lib/auth/auth_with_roles.go

@@ -4670,6 +4670,7 @@ func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref typ
 	if err := newAuthPref.CheckSignatureAlgorithmSuite(types.SignatureAlgorithmSuiteParams{
 		FIPS:          a.authServer.fips,
 		UsingHSMOrKMS: a.authServer.keyStore.UsingHSMOrKMS(),
+		Cloud:         modules.GetModules().Features().Cloud,
 	}); err != nil {
 		return trace.Wrap(err)
 	}

lib/auth/grpcserver.go

@@ -104,6 +104,7 @@ import (
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/httplib"
 	"github.com/gravitational/teleport/lib/joinserver"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/observability/metrics"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/local"
@@ -5363,6 +5364,7 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
 		SignatureAlgorithmSuiteParams: types.SignatureAlgorithmSuiteParams{
 			FIPS:          cfg.AuthServer.fips,
 			UsingHSMOrKMS: cfg.AuthServer.keyStore.UsingHSMOrKMS(),
+			Cloud:         modules.GetModules().Features().Cloud,
 		},
 	})
 	if err != nil {

lib/auth/init.go

@@ -790,6 +790,7 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 				newAuthPref.SetDefaultSignatureAlgorithmSuite(types.SignatureAlgorithmSuiteParams{
 					FIPS:          asrv.fips,
 					UsingHSMOrKMS: asrv.keyStore.UsingHSMOrKMS(),
+					Cloud:         modules.GetModules().Features().Cloud,
 				})
 			}
 

lib/auth/init_test.go

@@ -197,6 +197,7 @@ func TestSignatureAlgorithmSuite(t *testing.T) {
 	testCases := map[string]struct {
 		fips                  bool
 		hsm                   bool
+		cloud                 bool
 		expectDefaultSuite    types.SignatureAlgorithmSuite
 		expectUnallowedSuites []types.SignatureAlgorithmSuite
 	}{
@@ -227,15 +228,31 @@ func TestSignatureAlgorithmSuite(t *testing.T) {
 				types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_HSM_V1,
 			},
 		},
+		"cloud": {
+			cloud:              true,
+			expectDefaultSuite: types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_HSM_V1,
+			expectUnallowedSuites: []types.SignatureAlgorithmSuite{
+				types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_BALANCED_V1,
+			},
+		},
 	}
 
 	// Test the behavior of auth server init. A default signature algorithm
 	// suite should never overwrite a persisted signature algorithm suite for an
 	// existing cluster, even if that was also a default.
 	t.Run("init", func(t *testing.T) {
-		t.Parallel()
 		for desc, tc := range testCases {
 			t.Run(desc, func(t *testing.T) {
+				if tc.cloud {
+					modules.SetTestModules(t, &modules.TestModules{
+						TestFeatures: modules.Features{
+							Cloud: true,
+							Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
+								entitlements.HSM: {Enabled: true},
+							},
+						},
+					})
+				}
 				// Assert that a fresh cluster gets expected default suite.
 				cfg := setupInitConfig(t, tc.fips, tc.hsm)
 				authServer, err := Init(ctx, cfg)
@@ -294,13 +311,28 @@ func TestSignatureAlgorithmSuite(t *testing.T) {
 	// Test that the auth preference cannot be upserted with a signature
 	// algorithm suite incompatible with the cluster FIPS and HSM settings.
 	t.Run("upsert", func(t *testing.T) {
-		t.Parallel()
 		for desc, tc := range testCases {
 			t.Run(desc, func(t *testing.T) {
-				t.Parallel()
+				if tc.cloud {
+					modules.SetTestModules(t, &modules.TestModules{
+						TestFeatures: modules.Features{
+							Cloud: true,
+							Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
+								entitlements.HSM: {Enabled: true},
+							},
+						},
+					})
+				}
 				cfg := TestAuthServerConfig{
 					Dir:  t.TempDir(),
 					FIPS: tc.fips,
+					AuthPreferenceSpec: &types.AuthPreferenceSpecV2{
+						// Cloud requires second factor enabled.
+						SecondFactor: constants.SecondFactorOn,
+						Webauthn: &types.Webauthn{
+							RPID: "teleport.example.com",
+						},
+					},
 				}
 				if tc.hsm {
 					cfg.KeystoreConfig = keystore.HSMTestConfig(t)

lib/auth/integration/integrationv1/awsoidc.go

@@ -395,18 +395,33 @@ func (s *AWSOIDCService) ListSecurityGroups(ctx context.Context, req *integratio
 func convertSecurityGroupRulesToProto(inRules []awsoidc.SecurityGroupRule) []*integrationpb.SecurityGroupRule {
 	out := make([]*integrationpb.SecurityGroupRule, 0, len(inRules))
 	for _, r := range inRules {
-		cidrs := make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		var cidrs []*integrationpb.SecurityGroupRuleCIDR
+		if len(r.CIDRs) > 0 {
+			cidrs = make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		}
 		for _, cidr := range r.CIDRs {
 			cidrs = append(cidrs, &integrationpb.SecurityGroupRuleCIDR{
 				Cidr:        cidr.CIDR,
 				Description: cidr.Description,
 			})
 		}
+
+		var groupIDs []*integrationpb.SecurityGroupRuleGroupID
+		if len(r.Groups) > 0 {
+			groupIDs = make([]*integrationpb.SecurityGroupRuleGroupID, 0, len(r.Groups))
+		}
+		for _, group := range r.Groups {
+			groupIDs = append(groupIDs, &integrationpb.SecurityGroupRuleGroupID{
+				GroupId:     group.GroupId,
+				Description: group.Description,
+			})
+		}
 		out = append(out, &integrationpb.SecurityGroupRule{
 			IpProtocol: r.IPProtocol,
 			FromPort:   int32(r.FromPort),
 			ToPort:     int32(r.ToPort),
 			Cidrs:      cidrs,
+			GroupIds:   groupIDs,
 		})
 	}
 	return out

lib/auth/touchid/api_darwin.go

@@ -21,7 +21,7 @@
 
 package touchid
 
-// #cgo CFLAGS: -Wall -xobjective-c -fblocks -fobjc-arc -mmacosx-version-min=10.15
+// #cgo CFLAGS: -Wall -xobjective-c -fblocks -fobjc-arc -mmacosx-version-min=11.0
 // #cgo LDFLAGS: -framework CoreFoundation -framework Foundation -framework LocalAuthentication -framework Security
 // #include <stdlib.h>
 // #include "authenticate.h"