Merge branch 'branch/v17' into bot/backport-48046-branch/v17

.github/workflows/lint.yaml

@@ -63,7 +63,6 @@ jobs:
               - 'docs/pages/admin-guides/**'
               - 'docs/pages/enroll-resources/**'
               - 'docs/pages/reference/operator-resources/**'
-              - 'docs/pages/reference/terraform-provider.mdx'
               - 'docs/pages/reference/terraform-provider/**'
               - 'examples/chart/teleport-cluster/charts/teleport-operator/operator-crds'
 

api/client/client.go

@@ -664,6 +664,9 @@ type Config struct {
 	// MFAPromptConstructor is used to create MFA prompts when needed.
 	// If nil, the client will not prompt for MFA.
 	MFAPromptConstructor mfa.PromptConstructor
+	// SSOMFACeremonyConstructor is used to handle SSO MFA when needed.
+	// If nil, the client will not prompt for MFA.
+	SSOMFACeremonyConstructor mfa.SSOMFACeremonyConstructor
 }
 
 // CheckAndSetDefaults checks and sets default config values.
@@ -730,6 +733,11 @@ func (c *Client) SetMFAPromptConstructor(pc mfa.PromptConstructor) {
 	c.c.MFAPromptConstructor = pc
 }
 
+// SetSSOMFACeremonyConstructor sets the SSO MFA ceremony constructor for this client.
+func (c *Client) SetSSOMFACeremonyConstructor(scc mfa.SSOMFACeremonyConstructor) {
+	c.c.SSOMFACeremonyConstructor = scc
+}
+
 // Close closes the Client connection to the auth server.
 func (c *Client) Close() error {
 	if c.setClosed() && c.conn != nil {

api/client/mfa.go

@@ -30,6 +30,7 @@ func (c *Client) PerformMFACeremony(ctx context.Context, challengeRequest *proto
 	mfaCeremony := &mfa.Ceremony{
 		CreateAuthenticateChallenge: c.CreateAuthenticateChallenge,
 		PromptConstructor:           c.c.MFAPromptConstructor,
+		SSOMFACeremonyConstructor:   c.c.SSOMFACeremonyConstructor,
 	}
 	return mfaCeremony.Run(ctx, challengeRequest, promptOpts...)
 }

api/mfa/ceremony.go

@@ -32,8 +32,21 @@ type Ceremony struct {
 	CreateAuthenticateChallenge CreateAuthenticateChallengeFunc
 	// PromptConstructor creates a prompt to prompt the user to solve an authentication challenge.
 	PromptConstructor PromptConstructor
+	// SSOMFACeremonyConstructor is an optional SSO MFA ceremony constructor. If provided,
+	// the MFA ceremony will also attempt to retrieve an SSO MFA challenge.
+	SSOMFACeremonyConstructor SSOMFACeremonyConstructor
 }
 
+// SSOMFACeremony is an SSO MFA ceremony.
+type SSOMFACeremony interface {
+	GetClientCallbackURL() string
+	Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
+	Close()
+}
+
+// SSOMFACeremonyConstructor constructs a new SSO MFA ceremony.
+type SSOMFACeremonyConstructor func(ctx context.Context) (SSOMFACeremony, error)
+
 // CreateAuthenticateChallengeFunc is a function that creates an authentication challenge.
 type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
 
@@ -54,6 +67,19 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 		return nil, trace.BadParameter("mfa challenge scope must be specified")
 	}
 
+	// If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
+	// request to request an SSO challenge in addition to other challenges.
+	if c.SSOMFACeremonyConstructor != nil {
+		ssoMFACeremony, err := c.SSOMFACeremonyConstructor(ctx)
+		if err != nil {
+			return nil, trace.Wrap(err, "failed to handle SSO MFA ceremony")
+		}
+		defer ssoMFACeremony.Close()
+
+		req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
+		promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
+	}
+
 	chal, err := c.CreateAuthenticateChallenge(ctx, req)
 	if err != nil {
 		// CreateAuthenticateChallenge returns a bad parameter error when the client

api/mfa/ceremony_test.go

@@ -23,13 +23,14 @@ import (
 
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/api/client/proto"
 	mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 	"github.com/gravitational/teleport/api/mfa"
 )
 
-func TestPerformMFACeremony(t *testing.T) {
+func TestMFACeremony(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
@@ -128,3 +129,77 @@ func TestPerformMFACeremony(t *testing.T) {
 		})
 	}
 }
+
+func TestMFACeremony_SSO(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+
+	testMFAChallenge := &proto.MFAAuthenticateChallenge{
+		SSOChallenge: &proto.SSOChallenge{
+			RedirectUrl: "redirect",
+			RequestId:   "request-id",
+		},
+	}
+	testMFAResponse := &proto.MFAAuthenticateResponse{
+		Response: &proto.MFAAuthenticateResponse_SSO{
+			SSO: &proto.SSOResponse{
+				Token:     "token",
+				RequestId: "request-id",
+			},
+		},
+	}
+
+	ssoMFACeremony := &mfa.Ceremony{
+		CreateAuthenticateChallenge: func(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
+			return testMFAChallenge, nil
+		},
+		PromptConstructor: func(opts ...mfa.PromptOpt) mfa.Prompt {
+			cfg := new(mfa.PromptConfig)
+			for _, opt := range opts {
+				opt(cfg)
+			}
+
+			return mfa.PromptFunc(func(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) {
+				if cfg.SSOMFACeremony == nil {
+					return nil, trace.BadParameter("expected sso mfa ceremony")
+				}
+
+				return cfg.SSOMFACeremony.Run(ctx, chal)
+			})
+		},
+		SSOMFACeremonyConstructor: func(ctx context.Context) (mfa.SSOMFACeremony, error) {
+			return &mockSSOMFACeremony{
+				clientCallbackURL: "client-redirect",
+				prompt: func(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) {
+					return testMFAResponse, nil
+				},
+			}, nil
+		},
+	}
+
+	resp, err := ssoMFACeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{
+		ChallengeExtensions: &mfav1.ChallengeExtensions{
+			Scope: mfav1.ChallengeScope_CHALLENGE_SCOPE_ADMIN_ACTION,
+		},
+		MFARequiredCheck: &proto.IsMFARequiredRequest{},
+	})
+	require.NoError(t, err)
+	require.Equal(t, testMFAResponse, resp)
+}
+
+type mockSSOMFACeremony struct {
+	clientCallbackURL string
+	prompt            mfa.PromptFunc
+}
+
+// GetClientCallbackURL returns the client callback URL.
+func (m *mockSSOMFACeremony) GetClientCallbackURL() string {
+	return m.clientCallbackURL
+}
+
+// Run the SSO MFA ceremony.
+func (m *mockSSOMFACeremony) Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) {
+	return m.prompt(ctx, chal)
+}
+
+func (m *mockSSOMFACeremony) Close() {}

api/mfa/prompt.go

@@ -54,6 +54,8 @@ type PromptConfig struct {
 	// Extensions are the challenge extensions used to create the prompt's challenge.
 	// Used to enrich certain prompts.
 	Extensions *mfav1.ChallengeExtensions
+	// SSOMFACeremony is an SSO MFA ceremony.
+	SSOMFACeremony SSOMFACeremony
 }
 
 // DeviceDescriptor is a descriptor for a device, such as "registered".
@@ -117,3 +119,10 @@ func WithPromptChallengeExtensions(exts *mfav1.ChallengeExtensions) PromptOpt {
 		cfg.Extensions = exts
 	}
 }
+
+// withSSOMFACeremony sets the SSO MFA ceremony for the MFA prompt.
+func withSSOMFACeremony(ssoMFACeremony SSOMFACeremony) PromptOpt {
+	return func(cfg *PromptConfig) {
+		cfg.SSOMFACeremony = ssoMFACeremony
+	}
+}

docs/pages/admin-guides/infrastructure-as-code/managing-resources/import-existing-resources.mdx

@@ -83,5 +83,6 @@ cluster configuration matches your expectations.
 - Follow [the user and role IaC guide](user-and-role.mdx) to use the Terraform
   Provider to create Teleport users and grant them roles.
 - Explore the full list of supported [Terraform provider
-  resources](../../../reference/terraform-provider.mdx).
-- See [the list of supported Teleport Terraform setups](../terraform-provider/terraform-provider.mdx):
+  resources](../../../reference/terraform-provider/terraform-provider.mdx).
+- See [the list of supported Teleport Terraform
+  setups](../terraform-provider/terraform-provider.mdx):

docs/pages/admin-guides/infrastructure-as-code/terraform-provider/dedicated-server.mdx

@@ -159,7 +159,7 @@ $ tctl get role/terraform-test
 ## Next steps
 
 - Explore the
-  [Terraform provider resource reference](../../../reference/terraform-provider.mdx)
+  [Terraform provider resource reference](../../../reference/terraform-provider/terraform-provider.mdx)
   to discover what can be configured with the Teleport Terraform provider.
 - Read the [tbot configuration reference](../../../reference/machine-id/configuration.mdx) to explore
   all the available `tbot` configuration options.

docs/pages/admin-guides/infrastructure-as-code/terraform-provider/local.mdx

@@ -159,8 +159,10 @@ Do not forget to obtain new temporary credentials every hour by re-running `eval
 - Follow [the user and role IaC guide](../managing-resources/user-and-role.mdx) to use the Terraform
   Provider to create Teleport users and grant them roles.
 - Consult the list of Terraform-supported
-  resources [in the Terraform reference](../../../reference/terraform-provider.mdx).
-- Once you have working Terraform code that configures your Teleport cluster, you might want to run it in the CI or
-  from a bastion instead of running it locally. To do this, please follow the dedicated guides:
+  resources [in the Terraform
+  reference](../../../reference/terraform-provider/terraform-provider.mdx).
+- Once you have working Terraform code that configures your Teleport cluster,
+  you might want to run it in the CI or from a bastion instead of running it
+  locally. To do this, please follow the dedicated guides:
   - [Run the Terraform Provider in CI or cloud VMs](./ci-or-cloud.mdx)
   - [Run the Terraform Provider on a dedicated server](./dedicated-server.mdx)

docs/pages/admin-guides/infrastructure-as-code/terraform-provider/long-lived-credentials.mdx

@@ -199,6 +199,9 @@ To apply the configuration:
 
 ## Next steps
 
-- Explore the full list of supported [Terraform provider resources](../../../reference/terraform-provider.mdx).
-- Learn [how to manage users and roles with IaC](../managing-resources/user-and-role.mdx)
-- Read more about [impersonation](../../access-controls/guides/impersonation.mdx).
+- Explore the full list of supported [Terraform provider
+  resources](../../../reference/terraform-provider/terraform-provider.mdx).
+- Learn [how to manage users and roles with
+  IaC](../managing-resources/user-and-role.mdx)
+- Read more about
+  [impersonation](../../access-controls/guides/impersonation.mdx).

docs/pages/admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx

@@ -260,8 +260,8 @@ $ tctl get users/terraform-test
 
 - Now that you know how to manage Teleport configuration resources with
   Terraform and Spacelift, read the [Terraform resource
-  reference](../../../reference/terraform-provider.mdx) so you can flesh out your
-  configuration.
+  reference](../../../reference/terraform-provider/terraform-provider.mdx) so
+  you can flesh out your configuration.
 - To find out more about Spacelift's OIDC implementation, which Machine ID uses
   to authenticate to your Teleport cluster, read [the Spacelift
   documentation](https://docs.spacelift.io/integrations/cloud-providers/oidc/).

docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx

@@ -28,8 +28,8 @@ is executed. You must pick the correct guide for your setup:
 
 Once you have a functional Teleport Terraform provider, you will want to configure your resources with it.
 
-You can find the list of supported resources and their fields is
-available [in the Terraform reference](../../../reference/terraform-provider.mdx).
+The list of supported resources and their fields is available [in the Terraform
+reference](../../../reference/terraform-provider/terraform-provider.mdx).
 
 Some resources have their dedicated Infrastructure-as-Code (IaC) step-by step guides such as:
 - [Managing Users And Roles With IaC](../managing-resources/user-and-role.mdx)

docs/pages/admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx

@@ -623,7 +623,7 @@ edit your Terraform module to:
 1. **Change the userdata script** to enable additional Agent services additional
    infrastructure resources for your Agents to proxy.
 1. **Deploy dynamic resources:** Consult the [Terraform provider
-   reference](../../../reference/terraform-provider.mdx) for Terraform resources
-   that you can apply in order to enroll dynamic resources in your
-   infrastructure.
+   reference](../../../reference/terraform-provider/terraform-provider.mdx) for
+   Terraform resources that you can apply in order to enroll dynamic resources
+   in your infrastructure.
 

docs/pages/admin-guides/infrastructure-as-code/terraform-starter/rbac.mdx

@@ -563,4 +563,4 @@ troubleshoot the single sign-on provider.
 
 Now that you have configured RBAC in your Terraform demo cluster, fine-tune your
 setup by reading the comprehensive [Terraform provider
-reference](../../../reference/terraform-provider.mdx).
+reference](../../../reference/terraform-provider/terraform-provider.mdx).

docs/pages/reference/terraform-provider/data-sources/data-sources.mdx

@@ -0,0 +1,35 @@
+---
+title: "Terraform data-sources index"
+description: "Index of all the data-sources supported by the Teleport Terraform Provider"
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}
+
+{/*
+    This file will be renamed data-sources.mdx during build time.
+    The template name is reserved by tfplugindocs so we suffix with -index.
+*/}
+
+The Teleport Terraform provider supports the following data-sources:
+
+  - [`teleport_access_list`](./access_list.mdx)
+  - [`teleport_access_monitoring_rule`](./access_monitoring_rule.mdx)
+  - [`teleport_app`](./app.mdx)
+  - [`teleport_auth_preference`](./auth_preference.mdx)
+  - [`teleport_cluster_maintenance_config`](./cluster_maintenance_config.mdx)
+  - [`teleport_cluster_networking_config`](./cluster_networking_config.mdx)
+  - [`teleport_database`](./database.mdx)
+  - [`teleport_github_connector`](./github_connector.mdx)
+  - [`teleport_installer`](./installer.mdx)
+  - [`teleport_login_rule`](./login_rule.mdx)
+  - [`teleport_oidc_connector`](./oidc_connector.mdx)
+  - [`teleport_okta_import_rule`](./okta_import_rule.mdx)
+  - [`teleport_provision_token`](./provision_token.mdx)
+  - [`teleport_role`](./role.mdx)
+  - [`teleport_saml_connector`](./saml_connector.mdx)
+  - [`teleport_session_recording_config`](./session_recording_config.mdx)
+  - [`teleport_static_host_user`](./static_host_user.mdx)
+  - [`teleport_trusted_cluster`](./trusted_cluster.mdx)
+  - [`teleport_trusted_device`](./trusted_device.mdx)
+  - [`teleport_user`](./user.mdx)