Merge branch 'master' into strideynet/bot-resource-propagate-labels-a…

…nd-other-fixes

api/types/trust.go

@@ -21,7 +21,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-semver/semver"
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 
@@ -67,7 +66,7 @@ var CertAuthTypes = []CertAuthType{HostCA, UserCA, DatabaseCA, DatabaseClientCA,
 // major version, so that we can avoid erroring out when a potentially older
 // remote server doesn't know about them.
 func (c CertAuthType) NewlyAdded() bool {
-	return c.addedInMajorVer() >= semver.New(api.Version).Major
+	return c.addedInMajorVer() >= api.SemVersion.Major
 }
 
 // addedInVer return the major version in which given CA was added.

constants.go

@@ -19,11 +19,8 @@
 package teleport
 
 import (
-	"fmt"
 	"strings"
 	"time"
-
-	"github.com/coreos/go-semver/semver"
 )
 
 // WebAPIVersion is a current webapi version
@@ -684,16 +681,6 @@ const (
 	SystemAccessApproverUserName = "@teleport-access-approval-bot"
 )
 
-// MinClientVersion is the minimum client version required by the server.
-var MinClientVersion string
-
-func init() {
-	// Per https://github.com/gravitational/teleport/blob/master/rfd/0012-teleport-versioning.md,
-	// only one major version backwards is supported for clients.
-	ver := semver.New(Version)
-	MinClientVersion = fmt.Sprintf("%d.0.0", ver.Major-1)
-}
-
 const (
 	// RemoteClusterStatusOffline indicates that cluster is considered as
 	// offline, since it has missed a series of heartbeats

integrations/kube-agent-updater/version.go

@@ -1,7 +1,23 @@
-// Code generated by "make version". DO NOT EDIT.
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 package kubeversionupdater
 
-const Version = "16.0.0-dev"
+import "github.com/gravitational/teleport/api"
 
-// Gitref is set to the output of "git describe" during the build process.
-var Gitref string
+const Version = api.Version

lib/auth/join_iam.go

@@ -58,10 +58,6 @@ const (
 	challengeHeaderKey = "x-teleport-challenge"
 )
 
-var (
-	authTeleportVersion = semver.New(teleport.Version)
-)
-
 // validateSTSHost returns an error if the given stsHost is not a valid regional
 // endpoint for the AWS STS service, or nil if it is valid. If fips is true, the
 // endpoint must be a valid FIPS endpoint.
@@ -318,7 +314,7 @@ type iamRegisterConfig struct {
 
 func defaultIAMRegisterConfig(fips bool) *iamRegisterConfig {
 	return &iamRegisterConfig{
-		authVersion: authTeleportVersion,
+		authVersion: teleport.SemVersion,
 		fips:        fips,
 	}
 }

lib/auth/password.go

@@ -244,6 +244,9 @@ func (a *Server) checkOTP(user string, otpToken string) (*types.MFADevice, error
 		}
 		return dev, nil
 	}
+	// This message is relied upon by the Web UI in
+	// web/packages/teleport/src/Account/ManageDevices/AddAuthDeviceWizard/AddAuthDeviceWizard.tsx/RequthenticateStep().
+	// Please keep these in sync.
 	return nil, trace.AccessDenied("invalid totp token")
 }
 

lib/auth/session_access.go

@@ -24,7 +24,6 @@ import (
 	"slices"
 	"strings"
 
-	"github.com/coreos/go-semver/semver"
 	"github.com/gravitational/trace"
 	"github.com/vulcand/predicate"
 
@@ -33,8 +32,6 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 )
 
-var MinSupportedModeratedSessionsVersion = semver.New(utils.VersionBeforeAlpha("9.0.0"))
-
 // SessionAccessEvaluator takes a set of policies
 // and uses rules to evaluate them to determine when a session may start
 // and if a user can join a session.

version.go

@@ -1,7 +1,41 @@
-// Code generated by "make version". DO NOT EDIT.
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 package teleport
 
-const Version = "16.0.0-dev"
+import (
+	"github.com/coreos/go-semver/semver"
+
+	"github.com/gravitational/teleport/api"
+)
+
+const Version = api.Version
+
+var (
+	// SemVersion is the Version represented as a [semver.Version].
+	SemVersion = api.SemVersion
+	// MinClientVersion is the minimum client version required by the server.
+	// Per https://github.com/gravitational/teleport/blob/master/rfd/0012-teleport-versioning.md,
+	// only one major version backwards is supported for clients.
+	MinClientVersion = MinClientSemVersion.String()
+	// MinClientSemVersion is the MinClientVersion represented as a [semver.Version].
+	MinClientSemVersion = semver.Version{Major: SemVersion.Major - 1}
+)
 
 // Gitref is set to the output of "git describe" during the build process.
 var Gitref string

version.mk

@@ -1,25 +1,11 @@
 GITREF=$(shell git describe --long --tags)
 
-# $(VERSION_GO) will be written to version.go
-VERSION_GO="// Code generated by \"make version\". DO NOT EDIT.\n\
-package teleport\n\n\
-const Version = \"$(VERSION)\"\n\n\
-// Gitref is set to the output of \"git describe\" during the build process.\n\
-var Gitref string\n"
-
 # $(API_VERSION_GO) will be written to api/version.go
 API_VERSION_GO="// Code generated by \"make version\". DO NOT EDIT.\n\
 package api\n\n\
+import \"github.com/coreos/go-semver/semver\"\n\n\
 const Version = \"$(VERSION)\"\n\n\
-// Gitref is set to the output of \"git describe\" during the build process.\n\
-var Gitref string\n"
-
-# $(UPDATER_VERSION_GO) will be written to api/version.go
-UPDATER_VERSION_GO="// Code generated by \"make version\". DO NOT EDIT.\n\
-package kubeversionupdater\n\n\
-const Version = \"$(VERSION)\"\n\n\
-// Gitref is set to the output of \"git describe\" during the build process.\n\
-var Gitref string\n"
+var SemVersion = semver.New(Version)\n\n"
 
 # $(GITREF_GO) will be written to gitref.go
 GITREF_GO="// Code generated by \"make version\". DO NOT EDIT.\n\
@@ -31,9 +17,7 @@ func init() { Gitref = \"$(GITREF)\" }\n"
 #
 .PHONY:setver
 setver: validate-semver helm-version tsh-version
-	@printf $(VERSION_GO) | gofmt > version.go
 	@printf $(API_VERSION_GO) | gofmt > ./api/version.go
-	@printf $(UPDATER_VERSION_GO) | gofmt > ./integrations/kube-agent-updater/version.go
 	@printf $(GITREF_GO) | gofmt > gitref.go
 
 # helm-version automatically updates the versions of Helm charts to match the version set in the Makefile,

web/packages/design/src/Alert/Alert.jsx

@@ -46,6 +46,14 @@ const kind = props => {
         background: theme.colors.success.main,
         color: theme.colors.text.primaryInverse,
       };
+    case 'outline-danger':
+      return {
+        background: fade(theme.colors.error.main, 0.1),
+        border: `${theme.radii[1]}px solid ${theme.colors.error.main}`,
+        borderRadius: `${theme.radii[3]}px`,
+        boxShadow: 'none',
+        justifyContent: 'normal',
+      };
     case 'outline-info':
       return {
         background: fade(theme.colors.link, 0.1),
@@ -90,6 +98,7 @@ Alert.propTypes = {
     'info',
     'warning',
     'success',
+    'outline-danger',
     'outline-info',
   ]),
   ...color.propTypes,
@@ -108,4 +117,7 @@ export const Danger = props => <Alert kind="danger" {...props} />;
 export const Info = props => <Alert kind="info" {...props} />;
 export const Warning = props => <Alert kind="warning" {...props} />;
 export const Success = props => <Alert kind="success" {...props} />;
+export const OutlineDanger = props => (
+  <Alert kind="outline-danger" {...props} />
+);
 export const OutlineInfo = props => <Alert kind="outline-info" {...props} />;

web/packages/design/src/StepSlider/StepSlider.tsx

@@ -161,6 +161,8 @@ export function StepSlider<T>(props: Props<T>) {
           rootRef.current.style.height = `${height}px`;
         }}
         hasTransitionEnded={hasTransitionEnded}
+        stepIndex={step}
+        flowLength={flows[currFlow].length}
         {...stepProps}
       />
     );
@@ -329,6 +331,8 @@ export type StepComponentProps = {
   // prev goes back a step in the flow.
   prev(): void;
   hasTransitionEnded: boolean;
+  stepIndex: number;
+  flowLength: number;
 };
 
 // NewFlow defines fields for a new flow.

web/packages/teleport/src/Account/Account.story.tsx

@@ -161,4 +161,9 @@ const props: AccountProps = {
       residentKey: false,
     },
   ],
+  onAddPasskey: () => {},
+  onPasskeyAdded: () => {},
+  isReauthenticationRequired: false,
+  passkeyWizardVisible: false,
+  closePasskeyWizard: () => {},
 };

web/packages/teleport/src/Account/Account.tsx

@@ -34,13 +34,19 @@ import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import cfg from 'teleport/config';
 
+import { storageService } from 'teleport/services/storageService';
+
 import { AuthDeviceList } from './ManageDevices/AuthDeviceList/AuthDeviceList';
 import useManageDevices, {
   State as ManageDevicesState,
 } from './ManageDevices/useManageDevices';
 import AddDevice from './ManageDevices/AddDevice';
 import { ActionButton, Header } from './Header';
 import { PasswordBox } from './PasswordBox';
+import { AddAuthDeviceWizard } from './ManageDevices/AddAuthDeviceWizard';
+
+const useNewAddAuthDeviceDialog =
+  storageService.isNewAddAuthDeviceDialogEnabled();
 
 export interface EnterpriseComponentProps {
   // TODO(bl-nero): Consider moving the notifications to its own store and
@@ -104,6 +110,8 @@ export function Account({
   setToken,
   onAddDevice,
   onRemoveDevice,
+  onAddPasskey,
+  onPasskeyAdded,
   deviceToRemove,
   fetchDevices,
   removeDevice,
@@ -112,9 +120,11 @@ export function Account({
   isReAuthenticateVisible,
   isAddDeviceVisible,
   isRemoveDeviceVisible,
+  passkeyWizardVisible,
   hideReAuthenticate,
   hideAddDevice,
   hideRemoveDevice,
+  closePasskeyWizard,
   isSso,
   canAddMFA,
   canAddPasskeys,
@@ -170,6 +180,11 @@ export function Account({
     addNotification('info', 'Your password has been changed.');
   }
 
+  function onAddPasskeySuccess() {
+    addNotification('info', 'Passkey successfully saved.');
+    onPasskeyAdded();
+  }
+
   return (
     <Relative>
       <FeatureBox gap={4} mt={4}>
@@ -191,7 +206,11 @@ export function Account({
                         ? 'Passwordless authentication is disabled'
                         : ''
                     }
-                    onClick={() => onAddDevice('passwordless')}
+                    onClick={() =>
+                      useNewAddAuthDeviceDialog
+                        ? onAddPasskey()
+                        : onAddDevice('passwordless')
+                    }
                   >
                     <Icon.Add size={20} />
                     Add a Passkey
@@ -272,6 +291,14 @@ export function Account({
         />
       )}
 
+      {passkeyWizardVisible && (
+        <AddAuthDeviceWizard
+          privilegeToken={token}
+          onClose={closePasskeyWizard}
+          onSuccess={onAddPasskeySuccess}
+        />
+      )}
+
       {/* Note: Although notifications appear on top, we deliberately place the
           container on the bottom to avoid manipulating z-index. The stacking
           context from one of the buttons appears on top otherwise.