Add Env0 join method (#60386)

* Add Env0 method

This adds a new `env0` join method to support joining from env0
workflows, and especially the embedded tbot in the Terraform provider
when running on env0.

This is the first OIDC join method on the new join service, and will
not support legacy joining. As such, it won't be backported beyond
v18.

Closes #53798

changelog: Add new `env0` join method to support joining within Env0 workflows

* Fix imports

* Fix failing test

* Add env0 token source

* Fix missing env0 join method in tbot

* Fix env0 validation

This fixes some issues in env0 token validation:
- azp check is disabled since it's set to a random (ish) value
- Use correct audience URL (their docs specified the wrong value)

* Fix incorrect date in new file copyright header

* Fix generated tfschema

* Fix failing test after adding the token source

* First round of code review

* Add example token claims in comment

* Move common OIDC handling logic into a separate handler

Specific validation logic is now separate and the validator is passed
as an argument to a generic `handleOIDCJoin()` handler.

* Fix imports

* Rename joinclient/join_env0.go to join_oidc.go

Author: timothyb89

api/gen/proto/go/teleport/join/v1/joinservice.pb.go

@@ -107,6 +107,20 @@ message TokenInit {
   ClientParams client_params = 1;
 }
 
+// OIDCInit holds the OIDC identity token used for all OIDC-based join methods.
+//
+// The join flow for all OIDC-based join methods is:
+// 1. client->server: ClientInit
+// 2. server->client: ServerInit
+// 3. client->server: OIDCInit
+// 4. server->client: Result
+message OIDCInit {
+  // ClientParams holds parameters for the specific type of client trying to join.
+  ClientParams client_params = 1;
+  // IdToken is the OIDC identity token.
+  bytes id_token = 2;
+}
+
 // BoundKeypairInit is sent from the client in response to the ServerInit
 // message for the bound keypair join method.
 // The server is expected to respond with a BoundKeypairChallenge.
@@ -233,12 +247,16 @@ message ChallengeSolution {
 
 // JoinRequest is the message type sent from the joining client to the server.
 message JoinRequest {
+  reserved 6, 7;
+
   oneof payload {
     ClientInit client_init = 1;
     TokenInit token_init = 2;
     BoundKeypairInit bound_keypair_init = 3;
     ChallengeSolution solution = 4;
     IAMInit iam_init = 5;
+    // 6, 7 reserved pending backport
+    OIDCInit oidc_init = 8;
   }
 }
 

api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go

@@ -1540,6 +1540,8 @@ message ProvisionTokenSpecV2 {
   ProvisionTokenSpecV2BoundKeypair BoundKeypair = 19 [(gogoproto.jsontag) = "bound_keypair,omitempty"];
   // AzureDevops allows the configuration of options specific to the "azure_devops" join method.
   ProvisionTokenSpecV2AzureDevops AzureDevops = 20 [(gogoproto.jsontag) = "azure_devops,omitempty"];
+  // Env0 allows the configuration of options specific to the "env0" join method.
+  ProvisionTokenSpecV2Env0 Env0 = 21 [(gogoproto.jsontag) = "env0,omitempty"];
 }
 
 // ProvisionTokenSpecV2AzureDevops contains the Azure Devops-specific
@@ -2029,6 +2031,51 @@ message ProvisionTokenSpecV2Oracle {
   repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
 }
 
+// ProvisionTokenSpecV2Env0 contains env0-specific parts of the
+// ProvisionTokenSpecV2.
+message ProvisionTokenSpecV2Env0 {
+  // Rule is a set of properties the env0 environment might have to be allowed
+  // to use this provision token.
+  message Rule {
+    // OrganizationID is the unique organization identifier, corresponding to
+    // `organizationId` in an Env0 OIDC token.
+    string OrganizationID = 1 [(gogoproto.jsontag) = "organization_id,omitempty"];
+    // ProjectID is a unique project identifier, corresponding to `projectId` in
+    // an Env0 OIDC token.
+    string ProjectID = 2 [(gogoproto.jsontag) = "project_id,omitempty"];
+    // ProjectName is the name of the project under which the job was run
+    // corresponding to `projectName` in an Env0 OIDC token.
+    string ProjectName = 3 [(gogoproto.jsontag) = "project_name,omitempty"];
+    // TemplateID is the unique identifier of the Env0 template, corresponding
+    // to `templateId` in an Env0 OIDC token.
+    string TemplateID = 4 [(gogoproto.jsontag) = "template_id,omitempty"];
+    // TemplateName is the name of the Env0 template, corresponding to
+    // `templateName` in an Env0 OIDC token.
+    string TemplateName = 5 [(gogoproto.jsontag) = "template_name,omitempty"];
+    // EnvironmentID is the unique identifier of the Env0 environment,
+    // corresponding to `environmentId` in an Env0 OIDC token.
+    string EnvironmentID = 6 [(gogoproto.jsontag) = "environment_id,omitempty"];
+    // EnvironmentName is the name of the Env0 environment, corresponding to
+    // `environmentName` in an Env0 OIDC token.
+    string EnvironmentName = 7 [(gogoproto.jsontag) = "environment_name,omitempty"];
+    // WorkspaceName is the name of the Env0 workspace, corresponding to
+    // `workspaceName` in an Env0 OIDC token.
+    string WorkspaceName = 8 [(gogoproto.jsontag) = "workspace_name,omitempty"];
+    // DeploymentType is the env0 deployment type, such as "deploy", "destroy",
+    // etc. Corresponds to `deploymentType` in an Env0 OIDC token.
+    string DeploymentType = 9 [(gogoproto.jsontag) = "deployment_type,omitempty"];
+    // DeployerEmail is the email of the person that triggered the deployment,
+    // corresponding to `deployerEmail` in an Env0 OIDC token.
+    string DeployerEmail = 10 [(gogoproto.jsontag) = "deployer_email,omitempty"];
+    // Env0Tag is a custom tag value corresponding to `env0Tag` when
+    // `ENV0_OIDC_TAG` is set.
+    string Env0Tag = 11 [(gogoproto.jsontag) = "env0_tag,omitempty"];
+  }
+  // Allow is a list of Rules, jobs using this token must match at least one
+  // allow rule to use this token.
+  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
+}
+
 // ProvisionTokenSpecV2BoundKeypair contains configuration for bound_keypair
 // type join tokens.
 message ProvisionTokenSpecV2BoundKeypair {