Address deprecation TODOs

api/proto/teleport/legacy/types/types.proto

@@ -780,11 +780,11 @@ message ServerV2 {
 
 // ServerSpecV2 is a specification for V2 Server
 message ServerSpecV2 {
+  reserved 2;
+  reserved "PublicAddr";
+
   // Addr is a host:port address where this server can be reached.
   string Addr = 1 [(gogoproto.jsontag) = "addr"];
-  // PublicAddr is the public address where this server can be reached.
-  // DELETE IN 15.0. (joerger) Deprecated in favor of public_addrs.
-  string PublicAddr = 2 [(gogoproto.jsontag) = "public_addr,omitempty"];
   // Hostname is server hostname
   string Hostname = 3 [(gogoproto.jsontag) = "hostname"];
   // CmdLabels is server dynamic labels

api/types/server.go

@@ -210,10 +210,6 @@ func (s *ServerV2) Expiry() time.Time {
 // SetPublicAddrs sets the public proxy addresses where this server can be reached.
 func (s *ServerV2) SetPublicAddrs(addrs []string) {
 	s.Spec.PublicAddrs = addrs
-	// DELETE IN 15.0. (Joerger) PublicAddr deprecated in favor of PublicAddrs
-	if len(addrs) != 0 {
-		s.Spec.PublicAddr = addrs[0]
-	}
 }
 
 // GetName returns server name
@@ -242,10 +238,6 @@ func (s *ServerV2) GetPublicAddr() string {
 
 // GetPublicAddrs returns a list of public addresses where this server can be reached.
 func (s *ServerV2) GetPublicAddrs() []string {
-	// DELETE IN 15.0. (Joerger) PublicAddr deprecated in favor of PublicAddrs
-	if len(s.Spec.PublicAddrs) == 0 && s.Spec.PublicAddr != "" {
-		return []string{s.Spec.PublicAddr}
-	}
 	return s.Spec.PublicAddrs
 }
 

api/utils/keys/hardwaresigner.go

@@ -45,11 +45,6 @@ func (k *PrivateKey) GetAttestationStatement() *AttestationStatement {
 	return nil
 }
 
-// TODO(Joerger): Delete in favor of method above once references in /e are replaced.
-func GetAttestationStatement(priv *PrivateKey) (*AttestationStatement, error) {
-	return priv.GetAttestationStatement(), nil
-}
-
 // GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.
 func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy {
 	if attestedPriv, ok := k.Signer.(HardwareSigner); ok {
@@ -58,11 +53,6 @@ func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy {
 	return PrivateKeyPolicyNone
 }
 
-// TODO(Joerger): Delete in favor of method above once references in /e are replaced.
-func GetPrivateKeyPolicy(priv *PrivateKey) PrivateKeyPolicy {
-	return priv.GetPrivateKeyPolicy()
-}
-
 // AttestationStatement is an attestation statement for a hardware private key
 // that supports json marshaling through the standard json/encoding package.
 type AttestationStatement attestation.AttestationStatement

lib/services/local/users.go

@@ -38,7 +38,6 @@ import (
 	"github.com/jonboulle/clockwork"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/bcrypt"
-	"golang.org/x/crypto/ssh"
 
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/internalutils/stream"
@@ -1856,16 +1855,6 @@ func (s *IdentityService) GetKeyAttestationData(ctx context.Context, publicKey c
 	key := keyAttestationDataFingerprint(pubDER)
 	item, err := s.Get(ctx, backend.Key(attestationsPrefix, key))
 
-	// Fallback to old fingerprint (std base64 encoded ssh public key) for backwards compatibility.
-	// DELETE IN 13.0, old fingerprints not in use by then (Joerger).
-	if trace.IsNotFound(err) {
-		key, err = KeyAttestationDataFingerprintV11(publicKey)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		item, err = s.Get(ctx, backend.Key(attestationsPrefix, key))
-	}
-
 	if trace.IsNotFound(err) {
 		return nil, trace.NotFound("hardware key attestation not found")
 	} else if err != nil {
@@ -1885,18 +1874,6 @@ func keyAttestationDataFingerprint(pubDER []byte) string {
 	return encodedSHA
 }
 
-// KeyAttestationDataFingerprintV11 creates a "KeyAttestationData" fingerprint
-// compatible with older patches of Teleport v11.
-// Exposed for testing, do not use this function directly.
-// DELETE IN 13.0, old fingerprints not in use by then (Joerger).
-func KeyAttestationDataFingerprintV11(pub crypto.PublicKey) (string, error) {
-	sshPub, err := ssh.NewPublicKey(pub)
-	if err != nil {
-		return "", trace.Wrap(err)
-	}
-	return ssh.FingerprintSHA256(sshPub), nil
-}
-
 const (
 	webPrefix                   = "web"
 	usersPrefix                 = "users"

lib/services/local/users_test.go

@@ -23,7 +23,6 @@ import (
 	"crypto/x509"
 	"encoding/base32"
 	"encoding/base64"
-	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"slices"
@@ -44,7 +43,6 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	wanpb "github.com/gravitational/teleport/api/types/webauthn"
 	"github.com/gravitational/teleport/api/utils/keys"
-	"github.com/gravitational/teleport/lib/auth/native"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/memory"
 	"github.com/gravitational/teleport/lib/services"
@@ -912,43 +910,6 @@ Tirv9LjajEBxUnuV+wIDAQAB
 	}
 }
 
-// DELETE IN 13.0, old fingerprints not in use by then (Joerger).
-func TestIdentityService_GetKeyAttestationDataV11Fingerprint(t *testing.T) {
-	t.Parallel()
-	identity := newIdentityService(t, clockwork.NewFakeClock())
-	ctx := context.Background()
-
-	key, err := native.GenerateRSAPrivateKey()
-	require.NoError(t, err)
-
-	pubDER, err := x509.MarshalPKIXPublicKey(key.Public())
-	require.NoError(t, err)
-
-	attestationData := &keys.AttestationData{
-		PrivateKeyPolicy: keys.PrivateKeyPolicyNone,
-		PublicKeyDER:     pubDER,
-	}
-
-	// manually insert attestation data with old style fingerprint.
-	value, err := json.Marshal(attestationData)
-	require.NoError(t, err)
-
-	backendKey, err := local.KeyAttestationDataFingerprintV11(key.Public())
-	require.NoError(t, err)
-
-	item := backend.Item{
-		Key:   backend.Key("key_attestations", backendKey),
-		Value: value,
-	}
-	_, err = identity.Put(ctx, item)
-	require.NoError(t, err)
-
-	// Should be able to retrieve attestation data despite old fingerprint.
-	retrievedAttestationData, err := identity.GetKeyAttestationData(ctx, key.Public())
-	require.NoError(t, err)
-	require.Equal(t, attestationData, retrievedAttestationData)
-}
-
 func TestIdentityService_UpdateAndSwapUser(t *testing.T) {
 	t.Parallel()
 	identity := newIdentityService(t, clockwork.NewFakeClock())

lib/utils/oidc/issuer_test.go

@@ -88,7 +88,7 @@ func TestIssuerForCluster(t *testing.T) {
 			name: "valid",
 			mockProxies: []types.Server{
 				&types.ServerV2{Spec: types.ServerSpecV2{
-					PublicAddr: "127.0.0.1.nip.io",
+					PublicAddrs: []string{"127.0.0.1.nip.io"},
 				}},
 			},
 			expectedIssuer: "https://127.0.0.1.nip.io",
@@ -97,10 +97,10 @@ func TestIssuerForCluster(t *testing.T) {
 			name: "only the second server has a valid public address",
 			mockProxies: []types.Server{
 				&types.ServerV2{Spec: types.ServerSpecV2{
-					PublicAddr: "",
+					PublicAddrs: []string{""},
 				}},
 				&types.ServerV2{Spec: types.ServerSpecV2{
-					PublicAddr: "127.0.0.1.nip.io",
+					PublicAddrs: []string{"127.0.0.1.nip.io"},
 				}},
 			},
 			expectedIssuer: "https://127.0.0.1.nip.io",

tool/tctl/common/auth_command_test.go

@@ -97,7 +97,7 @@ func TestAuthSignKubeconfig(t *testing.T) {
 						// This is the address that will be used by the client to call
 						// the proxy ping endpoint. This is not the address that will be
 						// used in the kubeconfig server address.
-						PublicAddr: mustGetHost(t, pingTestServer.URL),
+						PublicAddrs: []string{mustGetHost(t, pingTestServer.URL)},
 					},
 				},
 			},
@@ -132,7 +132,7 @@ func TestAuthSignKubeconfig(t *testing.T) {
 						Name: "proxy",
 					},
 					Spec: types.ServerSpecV2{
-						PublicAddr: "proxy-from-api.example.com:3080",
+						PublicAddrs: []string{"proxy-from-api.example.com:3080"},
 					},
 				},
 			},