diff --git a/integration/integration_test.go b/integration/integration_test.go
index 5798344875df8..3b7be9699b871 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -200,6 +200,7 @@ func TestIntegrations(t *testing.T) {
 t.Run("RotateRollback", suite.bind(testRotateRollback))
 t.Run("RotateSuccess", suite.bind(testRotateSuccess))
 t.Run("RotateTrustedClusters", suite.bind(testRotateTrustedClusters))
+ t.Run("SessionStartContainsAccessRequest", suite.bind(testSessionStartContainsAccessRequest))
 t.Run("Shutdown", suite.bind(testShutdown))
 t.Run("TrustedClusters", suite.bind(testTrustedClusters))
 t.Run("TrustedClustersWithLabels", suite.bind(testTrustedClustersWithLabels))
@@ -226,28 +227,28 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) {
 }{
 {
 comment: "normal teleport",
- inRecordLocation: services.RecordAtNode,
+ inRecordLocation: types.RecordAtNode,
 inForwardAgent: false,
 }, {
 comment: "recording proxy",
- inRecordLocation: services.RecordAtProxy,
+ inRecordLocation: types.RecordAtProxy,
 inForwardAgent: true,
 }, {
 comment: "normal teleport with upload to file server",
- inRecordLocation: services.RecordAtNode,
+ inRecordLocation: types.RecordAtNode,
 inForwardAgent: false,
 auditSessionsURI: t.TempDir(),
 }, {
- inRecordLocation: services.RecordAtProxy,
+ inRecordLocation: types.RecordAtProxy,
 inForwardAgent: false,
 auditSessionsURI: t.TempDir(),
 }, {
 comment: "normal teleport, sync recording",
- inRecordLocation: services.RecordAtNodeSync,
+ inRecordLocation: types.RecordAtNodeSync,
 inForwardAgent: false,
 }, {
 comment: "recording proxy, sync recording",
- inRecordLocation: services.RecordAtProxySync,
+ inRecordLocation: types.RecordAtProxySync,
 inForwardAgent: true,
 },
 }
@@ -255,13 +256,12 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { for _, tt := range tests { t.Run(tt.comment, func(t *testing.T) { makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{ - Audit: services.AuditConfig{AuditSessionsURI: tt.auditSessionsURI}, - LocalAuth: services.NewBool(true), + clusterConfig, err := types.NewClusterConfig(types.ClusterConfigSpecV3{ + Audit: types.AuditConfig{AuditSessionsURI: tt.auditSessionsURI}, }) require.NoError(t, err) - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tt.inRecordLocation, }) require.NoError(t, err) @@ -307,7 +307,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { for { select { case <-tickCh: - nodesInSite, err := site.GetNodes(ctx, defaults.Namespace, services.SkipValidation()) + nodesInSite, err := site.GetNodes(ctx, apidefaults.Namespace) if err != nil && !trace.IsNotFound(err) { return trace.Wrap(err) } @@ -323,7 +323,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) // should have no sessions: - sessions, err := site.GetSessions(defaults.Namespace) + sessions, err := site.GetSessions(apidefaults.Namespace) require.NoError(t, err) require.Empty(t, sessions) @@ -350,7 +350,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { getSession := func(site auth.ClientI) (*session.Session, error) { timeout, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() - sessions, err := waitForSessionToBeEstablished(timeout, defaults.Namespace, site) + sessions, err := waitForSessionToBeEstablished(timeout, apidefaults.Namespace, site) if err != nil { return nil, trace.Wrap(err) } 
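Review bot: The rewritten cluster config in testAuditOn's makeConfig drops `LocalAuth: services.NewBool(true)` without setting it anywhere else in the hunk, so the local users this test logs in with now depend on whatever the default for local auth is; if that setting moved to another resource in this refactor, pin it there (or state in a comment that the default is relied on) so a later default change surfaces as a setup error rather than as a puzzling login failure inside an audit test. The same drop happens in runDisconnectTest (the hunk at -1156), where `cfg.Auth.ClusterConfig = clusterConfig` is removed as well. Both functions continue outside their hunks.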
@@ -363,7 +363,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { // wait for the user to join this session: for len(session.Parties) == 0 { time.Sleep(time.Millisecond * 5) - session, err = site.GetSession(defaults.Namespace, sessionID) + session, err = site.GetSession(apidefaults.Namespace, sessionID) require.NoError(t, err) } // make sure it's us who joined! :) @@ -402,7 +402,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { // everything because the session is closing) var sessionStream []byte for i := 0; i < 6; i++ { - sessionStream, err = site.GetSessionChunk(defaults.Namespace, session.ID, 0, events.MaxChunkBytes) + sessionStream, err = site.GetSessionChunk(apidefaults.Namespace, session.ID, 0, events.MaxChunkBytes) require.NoError(t, err) if strings.Contains(string(sessionStream), "exit") { break @@ -434,7 +434,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { select { case <-tickCh: // Get all session events from the backend. - sessionEvents, err := site.GetSessionEvents(defaults.Namespace, session.ID, 0, false) + sessionEvents, err := site.GetSessionEvents(apidefaults.Namespace, session.ID, 0, false) if err != nil { return nil, trace.Wrap(err) } @@ -732,7 +732,7 @@ func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) { return "", trace.Wrap(err) } - ident, err := node.GetIdentity(teleport.RoleNode) + ident, err := node.GetIdentity(types.RoleNode) if err != nil { return "", trace.Wrap(err) } @@ -756,7 +756,7 @@ func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) { for { select { case <-tickCh: - nodesInSite, err := site.GetNodes(ctx, defaults.Namespace, services.SkipValidation()) + nodesInSite, err := site.GetNodes(ctx, apidefaults.Namespace) if err != nil && !trace.IsNotFound(err) { return trace.Wrap(err) } 
@@ -906,7 +906,7 @@ func verifySessionJoin(t *testing.T, username string, teleport *TeleInstance) { joinSession := func() { sessionTimeoutCtx, sessionTimeoutCancel := context.WithTimeout(context.Background(), 10*time.Second) defer sessionTimeoutCancel() - sessions, err := waitForSessionToBeEstablished(sessionTimeoutCtx, defaults.Namespace, site) + sessions, err := waitForSessionToBeEstablished(sessionTimeoutCtx, apidefaults.Namespace, site) if err != nil { sessionB <- trace.Wrap(err) return @@ -931,7 +931,7 @@ func verifySessionJoin(t *testing.T, username string, teleport *TeleInstance) { return case <-ticker.C: - err := cl.Join(context.TODO(), defaults.Namespace, session.ID(sessionID), personB) + err := cl.Join(context.TODO(), apidefaults.Namespace, session.ID(sessionID), personB) if err == nil { sessionB <- nil return @@ -1035,7 +1035,7 @@ func testShutdown(t *testing.T, suite *integrationTestSuite) { type disconnectTestCase struct { recordingMode string - options services.RoleOptions + options types.RoleOptions disconnectTimeout time.Duration concurrentConns int sessCtlTimeout time.Duration 
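Review bot: In the second hunk (-931) the join retry calls `cl.Join(context.TODO(), apidefaults.Namespace, session.ID(sessionID), personB)` on every tick with an unbounded context, although the joinSession closure in the first hunk already derives `sessionTimeoutCtx` with a 10s deadline; if this ticker loop sits inside that closure, passing `sessionTimeoutCtx` instead of `context.TODO()` bounds each attempt by the same deadline and keeps a hung join from outliving the test's wait. The enclosing closure starts and ends outside the hunks shown.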
@@ -1050,37 +1050,37 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { testCases := []disconnectTestCase{ { - recordingMode: services.RecordAtNode, - options: services.RoleOptions{ - ClientIdleTimeout: services.NewDuration(500 * time.Millisecond), + recordingMode: types.RecordAtNode, + options: types.RoleOptions{ + ClientIdleTimeout: types.NewDuration(500 * time.Millisecond), }, disconnectTimeout: time.Second, }, { - recordingMode: services.RecordAtProxy, - options: services.RoleOptions{ - ForwardAgent: services.NewBool(true), - ClientIdleTimeout: services.NewDuration(500 * time.Millisecond), + recordingMode: types.RecordAtProxy, + options: types.RoleOptions{ + ForwardAgent: types.NewBool(true), + ClientIdleTimeout: types.NewDuration(500 * time.Millisecond), }, disconnectTimeout: time.Second, }, { - recordingMode: services.RecordAtNode, - options: services.RoleOptions{ - DisconnectExpiredCert: services.NewBool(true), - MaxSessionTTL: services.NewDuration(2 * time.Second), + recordingMode: types.RecordAtNode, + options: types.RoleOptions{ + DisconnectExpiredCert: types.NewBool(true), + MaxSessionTTL: types.NewDuration(2 * time.Second), }, disconnectTimeout: 4 * time.Second, }, { - recordingMode: services.RecordAtProxy, - options: services.RoleOptions{ - ForwardAgent: services.NewBool(true), - DisconnectExpiredCert: services.NewBool(true), - MaxSessionTTL: services.NewDuration(2 * time.Second), + recordingMode: types.RecordAtProxy, + options: types.RoleOptions{ + ForwardAgent: types.NewBool(true), + DisconnectExpiredCert: types.NewBool(true), + MaxSessionTTL: types.NewDuration(2 * time.Second), }, disconnectTimeout: 4 * time.Second, }, { //"verify that concurrent connection limits are applied when recording at node", - recordingMode: services.RecordAtNode, - options: services.RoleOptions{ + recordingMode: types.RecordAtNode, + options: types.RoleOptions{ MaxConnections: 1, }, disconnectTimeout: 1 * time.Second, 
@@ -1092,9 +1092,9 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { }, }, { // "verify that concurrent connection limits are applied when recording at proxy", - recordingMode: services.RecordAtProxy, - options: services.RoleOptions{ - ForwardAgent: services.NewBool(true), + recordingMode: types.RecordAtProxy, + options: types.RoleOptions{ + ForwardAgent: types.NewBool(true), MaxConnections: 1, }, disconnectTimeout: 1 * time.Second, @@ -1106,8 +1106,8 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { }, }, { // "verify that lost connections to auth server terminate controlled conns", - recordingMode: services.RecordAtNode, - options: services.RoleOptions{ + recordingMode: types.RecordAtNode, + options: types.RoleOptions{ MaxConnections: 1, }, disconnectTimeout: time.Second, @@ -1116,11 +1116,11 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { // to be started, then shut down the auth server. postFunc: func(ctx context.Context, t *testing.T, teleport *TeleInstance) { site := teleport.GetSiteAPI(Site) - var sems []services.Semaphore + var sems []types.Semaphore var err error for i := 0; i < 6; i++ { - sems, err = site.GetSemaphores(ctx, services.SemaphoreFilter{ - SemaphoreKind: services.SemaphoreKindConnection, + sems, err = site.GetSemaphores(ctx, types.SemaphoreFilter{ + SemaphoreKind: types.SemaphoreKindConnection, }) if err == nil && len(sems) > 0 { break @@ -1137,7 +1137,7 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { timeoutCtx, cancel := context.WithTimeout(ctx, 1*time.Second) defer cancel() - ss, err := waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site) + ss, err := waitForSessionToBeEstablished(timeoutCtx, apidefaults.Namespace, site) require.NoError(t, err) require.Len(t, ss, 1) require.Nil(t, teleport.StopAuth(false)) 
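Review bot: In the postFunc hunk at -1137 the auth shutdown is asserted with `require.Nil(t, teleport.StopAuth(false))`, which on failure only reports that a non-nil value was seen; `require.NoError(t, teleport.StopAuth(false))` is the idiomatic form and prints the error text, which matters here because the test then relies on the auth server being down. The postFunc closure continues outside the hunk.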
@@ -1156,33 +1156,27 @@ func runDisconnectTest(t *testing.T, suite *integrationTestSuite, tc disconnectT teleport := suite.newTeleportInstance() username := suite.me.Username - role, err := services.NewRole("devs", services.RoleSpecV3{ + role, err := types.NewRole("devs", types.RoleSpecV3{ Options: tc.options, - Allow: services.RoleConditions{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) require.NoError(t, err) teleport.AddUserWithRole(username, role) - clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{ - LocalAuth: services.NewBool(true), + netConfig, err := types.NewClusterNetworkingConfigFromConfigFile(types.ClusterNetworkingConfigSpecV2{ + SessionControlTimeout: types.Duration(tc.sessCtlTimeout), }) require.NoError(t, err) - netConfig, err := types.NewClusterNetworkingConfig(types.ClusterNetworkingConfigSpecV2{ - SessionControlTimeout: services.Duration(tc.sessCtlTimeout), - }) - require.NoError(t, err) - - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tc.recordingMode, }) require.NoError(t, err) cfg := suite.defaultServiceConfig() cfg.Auth.Enabled = true - cfg.Auth.ClusterConfig = clusterConfig cfg.Auth.NetworkingConfig = netConfig cfg.Auth.SessionRecordingConfig = recConfig cfg.Proxy.DisableWebService = true @@ -1347,7 +1341,7 @@ func testTwoClustersTunnel(t *testing.T, suite *integrationTestSuite) { // normal teleport. since all events are recorded at the node, all events // end up on site-a and none on site-b. { - services.RecordAtNode, + types.RecordAtNode, 3, 0, }, @@ -1355,7 +1349,7 @@ func testTwoClustersTunnel(t *testing.T, suite *integrationTestSuite) { // on site-a (because it's a teleport node so it still records at the node) // and 2 events end up on site-b because it's recording. { - services.RecordAtProxy, + types.RecordAtProxy, 3, 2, }, 
@@ -1387,7 +1381,7 @@ func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, a.AddUser(username, []string{username}) b.AddUser(username, []string{username}) - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: proxyRecordMode, }) require.NoError(t, err) @@ -1519,7 +1513,7 @@ func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, for { select { case <-tickCh: - eventsInSite, _, err := site.SearchEvents(now, now.Add(1*time.Hour), defaults.Namespace, eventTypes, 0, "") + eventsInSite, _, err := site.SearchEvents(now, now.Add(1*time.Hour), apidefaults.Namespace, eventTypes, 0, "") if err != nil { return trace.Wrap(err) } @@ -1695,8 +1689,8 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { // main cluster has a local user and belongs to role "main-devs" mainDevs := "main-devs" - role, err := services.NewRole(mainDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err := types.NewRole(mainDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) @@ -1723,8 +1717,8 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { // using trusted clusters, so remote user will be allowed to assume // role specified by mapping remote role "devs" to local role "local-devs" auxDevs := "aux-devs" - role, err = services.NewRole(auxDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err = types.NewRole(auxDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) 
@@ -1733,9 +1727,9 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) trustedClusterToken := "trusted-cluster-token" err = main.Process.GetAuthServer().UpsertToken(ctx, - services.MustCreateProvisionToken(trustedClusterToken, []teleport.Role{teleport.RoleTrustedCluster}, time.Time{})) + services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})) require.NoError(t, err) - trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, services.RoleMap{ + trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, types.RoleMap{ {Remote: mainDevs, Local: []string{auxDevs}}, }) @@ -1767,9 +1761,9 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { // Make sure that GetNodes returns nodes in the remote site. This makes // sure identity aware GetNodes works for remote clusters. Testing of the // correct nodes that identity aware GetNodes is done in TestList. - var nodes []services.Server + var nodes []types.Server for i := 0; i < 10; i++ { - nodes, err = aux.Process.GetAuthServer().GetNodes(ctx, defaults.Namespace, services.SkipValidation()) + nodes, err = aux.Process.GetAuthServer().GetNodes(ctx, apidefaults.Namespace) require.NoError(t, err) if len(nodes) != 2 { time.Sleep(100 * time.Millisecond) 
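Review bot: The provision token in testMapRoles is still built with `services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})`, while the equivalent line in trustedClusters (hunk at -2050) is migrated to `types.NewProvisionToken` followed by `require.NoError(t, err)`; if the `types` constructor is the target of this migration, using it here and in testTrustedTunnelNode (hunk at -2258) keeps the three call sites consistent and replaces the panic-on-error helper with a checked error. testMapRoles continues outside the hunk.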
@@ -1846,28 +1840,28 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cid := services.CertAuthID{Type: services.UserCA, DomainName: tt.mainClusterName} + cid := types.CertAuthID{Type: types.UserCA, DomainName: tt.mainClusterName} mainUserCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(cid, true) tt.outChkMainUserCA(t, err) if err == nil { require.Len(t, mainUserCAs.GetSigningKeys(), tt.outLenMainUserCA) } - cid = services.CertAuthID{Type: services.HostCA, DomainName: tt.mainClusterName} + cid = types.CertAuthID{Type: types.HostCA, DomainName: tt.mainClusterName} mainHostCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(cid, true) tt.outChkMainHostCA(t, err) if err == nil { require.Len(t, mainHostCAs.GetSigningKeys(), tt.outLenMainHostCA) } - cid = services.CertAuthID{Type: services.UserCA, DomainName: tt.auxClusterName} + cid = types.CertAuthID{Type: types.UserCA, DomainName: tt.auxClusterName} auxUserCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(cid, true) tt.outChkAuxUserCA(t, err) if err == nil { require.Len(t, auxUserCAs.GetSigningKeys(), tt.outLenAuxUserCA, "Aux User CA") } - cid = services.CertAuthID{Type: services.HostCA, DomainName: tt.auxClusterName} + cid = types.CertAuthID{Type: types.HostCA, DomainName: tt.auxClusterName} auxHostCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(cid, true) tt.outChkAuxHostCA(t, err) if err == nil { 
@@ -1884,7 +1878,7 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { // tryCreateTrustedCluster performs several attempts to create a trusted cluster, // retries on connection problems and access denied errors to let caches // propagate and services to start -func tryCreateTrustedCluster(t *testing.T, authServer *auth.Server, trustedCluster services.TrustedCluster) { +func tryCreateTrustedCluster(t *testing.T, authServer *auth.Server, trustedCluster types.TrustedCluster) { ctx := context.TODO() for i := 0; i < 10; i++ { log.Debugf("Will create trusted cluster %v, attempt %v.", trustedCluster, i) @@ -1985,8 +1979,8 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus // main cluster has a local user and belongs to role "main-devs" and "main-admins" mainDevs := "main-devs" - devsRole, err := services.NewRole(mainDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + devsRole, err := types.NewRole(mainDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) @@ -1995,13 +1989,13 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus // Otherwise, to preserve backwards-compatibility // roles with no labels will grant access to clusters with no labels. if test.useLabels { - devsRole.SetClusterLabels(services.Allow, services.Labels{"access": []string{"prod"}}) + devsRole.SetClusterLabels(services.Allow, types.Labels{"access": []string{"prod"}}) } require.NoError(t, err) mainAdmins := "main-admins" - adminsRole, err := services.NewRole(mainAdmins, services.RoleSpecV3{ - Allow: services.RoleConditions{ + adminsRole, err := types.NewRole(mainAdmins, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{"superuser"}, }, }) 
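Review bot: The retyped tryCreateTrustedCluster still logs the whole resource with `log.Debugf("Will create trusted cluster %v, attempt %v.", trustedCluster, i)`; a trusted-cluster resource carries the join token used to enrol with the root cluster, so if its `%v` rendering includes that field the token ends up in the test debug log. Logging `trustedCluster.GetName()` instead keeps the message useful without the secret. Separately, in the -1995 hunk `devsRole.SetClusterLabels(services.Allow, types.Labels{"access": []string{"prod"}})` mixes the old and new packages on one line; if the condition constant moved alongside Labels, `types.Allow` would complete the migration there. tryCreateTrustedCluster's body continues outside the hunk.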
@@ -2011,10 +2005,10 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus // Ops users can only access remote clusters with label 'access': 'ops' mainOps := "main-ops" - mainOpsRole, err := services.NewRole(mainOps, services.RoleSpecV3{ - Allow: services.RoleConditions{ + mainOpsRole, err := types.NewRole(mainOps, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, - ClusterLabels: services.Labels{"access": []string{"ops"}}, + ClusterLabels: types.Labels{"access": []string{"ops"}}, }, }) require.NoError(t, err) @@ -2040,8 +2034,8 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus // using trusted clusters, so remote user will be allowed to assume // role specified by mapping remote role "devs" to local role "local-devs" auxDevs := "aux-devs" - auxRole, err := services.NewRole(auxDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + auxRole, err := types.NewRole(auxDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) @@ -2050,7 +2044,7 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus require.NoError(t, err) trustedClusterToken := "trusted-cluster-token" - tokenResource, err := services.NewProvisionToken(trustedClusterToken, []teleport.Role{teleport.RoleTrustedCluster}, time.Time{}) + tokenResource, err := types.NewProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{}) require.NoError(t, err) if test.useLabels { meta := tokenResource.GetMetadata() 
@@ -2061,7 +2055,7 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus require.NoError(t, err) // Note that the mapping omits admins role, this is to cover the scenario // when root cluster and leaf clusters have different role sets - trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, services.RoleMap{ + trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, types.RoleMap{ {Remote: mainDevs, Local: []string{auxDevs}}, {Remote: mainOps, Local: []string{auxDevs}}, }) @@ -2220,8 +2214,8 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { // main cluster has a local user and belongs to role "main-devs" mainDevs := "main-devs" - role, err := services.NewRole(mainDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err := types.NewRole(mainDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) @@ -2248,8 +2242,8 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { // using trusted clusters, so remote user will be allowed to assume // role specified by mapping remote role "devs" to local role "local-devs" auxDevs := "aux-devs" - role, err = services.NewRole(auxDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err = types.NewRole(auxDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{username}, }, }) 
@@ -2258,9 +2252,9 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) trustedClusterToken := "trusted-cluster-token" err = main.Process.GetAuthServer().UpsertToken(ctx, - services.MustCreateProvisionToken(trustedClusterToken, []teleport.Role{teleport.RoleTrustedCluster}, time.Time{})) + services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})) require.NoError(t, err) - trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, services.RoleMap{ + trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, types.RoleMap{ {Remote: mainDevs, Local: []string{auxDevs}}, }) @@ -2806,7 +2800,7 @@ func waitForNodeCount(ctx context.Context, t *TeleInstance, clusterName string, if err != nil { return trace.Wrap(err) } - nodes, err := accessPoint.GetNodes(ctx, defaults.Namespace) + nodes, err := accessPoint.GetNodes(ctx, apidefaults.Namespace) if err != nil { return trace.Wrap(err) } @@ -2821,7 +2815,7 @@ func waitForNodeCount(ctx context.Context, t *TeleInstance, clusterName string, // waitForTunnelConnections waits for remote tunnels connections func waitForTunnelConnections(t *testing.T, authServer *auth.Server, clusterName string, expectedCount int) { - var conns []services.TunnelConnection + var conns []types.TunnelConnection for i := 0; i < 30; i++ { conns, err := authServer.Presence.GetTunnelConnections(clusterName) require.NoError(t, err) @@ -2859,7 +2853,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { // soft failure). { desc: "Record at Node with Agent Forwarding", - inRecordLocation: services.RecordAtNode, + inRecordLocation: types.RecordAtNode, inForwardAgent: true, inCommand: "echo hello", outError: false, 
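Review bot: In waitForTunnelConnections (hunk at -2821) the retyped `var conns []types.TunnelConnection` is shadowed two lines later by `conns, err := authServer.Presence.GetTunnelConnections(clusterName)`, which declares a fresh conns scoped to the loop body; the function-level conns is therefore never assigned, and any check on it after the loop (outside the hunk) sees a nil slice. Declaring `var err error` next to it and assigning with `conns, err = authServer.Presence.GetTunnelConnections(clusterName)` makes the outer variable carry the last result. The function's body continues outside the hunk.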
@@ -2869,7 +2863,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { // Teleport mode of operation. { desc: "Record at Node without Agent Forwarding", - inRecordLocation: services.RecordAtNode, + inRecordLocation: types.RecordAtNode, inForwardAgent: false, inCommand: "echo hello", outError: false, @@ -2878,7 +2872,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { // Record at the proxy, forward agent. Will work. { desc: "Record at Proxy with Agent Forwarding", - inRecordLocation: services.RecordAtProxy, + inRecordLocation: types.RecordAtProxy, inForwardAgent: true, inCommand: "echo hello", outError: false, @@ -2888,7 +2882,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { // recording proxy requires an agent. { desc: "Record at Proxy without Agent Forwarding", - inRecordLocation: services.RecordAtProxy, + inRecordLocation: types.RecordAtProxy, inForwardAgent: false, inCommand: "echo hello", outError: true, @@ -2900,7 +2894,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { t.Run(tt.desc, func(t *testing.T) { // Create a Teleport instance with auth, proxy, and node. makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tt.inRecordLocation, }) require.NoError(t, err) @@ -2976,11 +2970,11 @@ func testControlMaster(t *testing.T, suite *integrationTestSuite) { }{ // Run tests when Teleport is recording sessions at the node. { - inRecordLocation: services.RecordAtNode, + inRecordLocation: types.RecordAtNode, }, // Run tests when Teleport is recording sessions at the proxy. { - inRecordLocation: services.RecordAtProxy, + inRecordLocation: types.RecordAtProxy, }, } 
@@ -2992,7 +2986,7 @@ func testControlMaster(t *testing.T, suite *integrationTestSuite) { // Create a Teleport instance with auth, proxy, and node. makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tt.inRecordLocation, }) require.NoError(t, err) @@ -3092,8 +3086,8 @@ func testProxyHostKeyCheck(t *testing.T, suite *integrationTestSuite) { // create a teleport instance with auth, proxy, and node makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ - Mode: services.RecordAtProxy, + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ + Mode: types.RecordAtProxy, ProxyChecksHostKeys: types.NewBoolOption(tt.inHostKeyCheck), }) require.NoError(t, err) @@ -3141,8 +3135,8 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) { // create a teleport instance with auth, proxy, and node makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ - Mode: services.RecordOff, + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ + Mode: types.RecordOff, }) require.NoError(t, err) @@ -3166,7 +3160,7 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) { require.NotNil(t, site) // should have no sessions in it to start with - sessions, _ := site.GetSessions(defaults.Namespace) + sessions, _ := site.GetSessions(apidefaults.Namespace) require.Len(t, sessions, 0) // create interactive session (this goroutine is this user's terminal time) 
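Review bot: In the testAuditOff hunk (-3166) the migrated call `sessions, _ := site.GetSessions(apidefaults.Namespace)` discards the error, so a failing lookup yields a nil slice and the following `require.Len(t, sessions, 0)` passes for the wrong reason; write it as `sessions, err := site.GetSessions(apidefaults.Namespace)` followed by `require.NoError(t, err)`, which also provides the err that the later `sessions, err = waitForSessionToBeEstablished(...)` in the same function assigns to. testAuditOff continues outside the hunk.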
@@ -3190,14 +3184,14 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) { // wait until there's a session in there: timeoutCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() - sessions, err = waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site) + sessions, err = waitForSessionToBeEstablished(timeoutCtx, apidefaults.Namespace, site) require.NoError(t, err) session := &sessions[0] // wait for the user to join this session for len(session.Parties) == 0 { time.Sleep(time.Millisecond * 5) - session, err = site.GetSession(defaults.Namespace, sessions[0].ID) + session, err = site.GetSession(apidefaults.Namespace, sessions[0].ID) require.NoError(t, err) } // make sure it's us who joined! :) @@ -3214,13 +3208,13 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) { } // audit log should have the fact that the session occurred recorded in it - sessions, err = site.GetSessions(defaults.Namespace) + sessions, err = site.GetSessions(apidefaults.Namespace) require.NoError(t, err) require.Len(t, sessions, 1) // however, attempts to read the actual sessions should fail because it was // not actually recorded - _, err = site.GetSessionChunk(defaults.Namespace, session.ID, 0, events.MaxChunkBytes) + _, err = site.GetSessionChunk(apidefaults.Namespace, session.ID, 0, events.MaxChunkBytes) require.Error(t, err) } 
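Review bot: The closing check in testAuditOff, `_, err = site.GetSessionChunk(apidefaults.Namespace, session.ID, 0, events.MaxChunkBytes)` followed by `require.Error(t, err)`, accepts any error as proof that the session was not recorded, so a transport or permission failure would also satisfy this "not recorded" assertion. Asserting the specific error class the server returns for a missing recording (for example `require.True(t, trace.IsNotFound(err))`, if not-found is what the site returns here) turns it into a genuine negative test. testAuditOff starts outside the hunk.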
@@ -3433,16 +3427,16 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { initialCreds, err := GenerateUserCreds(UserCredsRequest{Process: svc, Username: suite.me.Username}) require.NoError(t, err) - t.Logf("Service started. Setting rotation state to %v", services.RotationPhaseUpdateClients) + t.Logf("Service started. Setting rotation state to %v", types.RotationPhaseUpdateClients) // start rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseInit, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseInit, + Mode: types.RotationModeManual, }) require.NoError(t, err) - hostCA, err := svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: Site}, false) + hostCA, err := svc.GetAuthServer().GetCertAuthority(types.CertAuthID{Type: types.HostCA, DomainName: Site}, false) require.NoError(t, err) t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA)) @@ -3452,8 +3446,8 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { // update clients err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateClients, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateClients, + Mode: types.RotationModeManual, }) require.NoError(t, err) 
@@ -3475,16 +3469,16 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %v", services.RotationPhaseUpdateServers) + t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers) // move to the next phase err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateServers, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateServers, + Mode: types.RotationModeManual, }) require.NoError(t, err) - hostCA, err = svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: Site}, false) + hostCA, err = svc.GetAuthServer().GetCertAuthority(types.CertAuthID{Type: types.HostCA, DomainName: Site}, false) require.NoError(t, err) t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA)) @@ -3504,16 +3498,16 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %v.", services.RotationPhaseStandby) + t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby) // complete rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseStandby, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseStandby, + Mode: types.RotationModeManual, }) require.NoError(t, err) - hostCA, err = svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: Site}, false) + hostCA, err = svc.GetAuthServer().GetCertAuthority(types.CertAuthID{Type: types.HostCA, DomainName: Site}, false) require.NoError(t, err) t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA)) 
@@ -3582,24 +3576,24 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { initialCreds, err := GenerateUserCreds(UserCredsRequest{Process: svc, Username: s.me.Username}) require.NoError(t, err) - t.Logf("Service started. Setting rotation state to %q.", services.RotationPhaseInit) + t.Logf("Service started. Setting rotation state to %q.", types.RotationPhaseInit) // start rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseInit, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseInit, + Mode: types.RotationModeManual, }) require.NoError(t, err) err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second) require.NoError(t, err) - t.Logf("Setting rotation state to %q.", services.RotationPhaseUpdateClients) + t.Logf("Setting rotation state to %q.", types.RotationPhaseUpdateClients) // start rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateClients, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateClients, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3620,12 +3614,12 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %q.", services.RotationPhaseUpdateServers) + t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseUpdateServers) // move to the next phase err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateServers, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateServers, + Mode: types.RotationModeManual, }) require.NoError(t, err) 
@@ -3633,12 +3627,12 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { svc, err = s.waitForReload(serviceC, svc) require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %q.", services.RotationPhaseRollback) + t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseRollback) // complete rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseRollback, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseRollback, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3704,14 +3698,14 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { // main cluster has a local user and belongs to role "main-devs" mainDevs := "main-devs" - role, err := services.NewRole(mainDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err := types.NewRole(mainDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{suite.me.Username}, }, }) require.NoError(t, err) - err = SetupUser(svc, suite.me.Username, []services.Role{role}) + err = SetupUser(svc, suite.me.Username, []types.Role{role}) require.NoError(t, err) // create auxiliary cluster and setup trust @@ -3722,8 +3716,8 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { // using trusted clusters, so remote user will be allowed to assume // role specified by mapping remote role "devs" to local role "local-devs" auxDevs := "aux-devs" - role, err = services.NewRole(auxDevs, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err = types.NewRole(auxDevs, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{suite.me.Username}, }, }) 
@@ -3732,9 +3726,9 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) trustedClusterToken := "trusted-clsuter-token" err = svc.GetAuthServer().UpsertToken(ctx, - services.MustCreateProvisionToken(trustedClusterToken, []teleport.Role{teleport.RoleTrustedCluster}, time.Time{})) + services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})) require.NoError(t, err) - trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, services.RoleMap{ + trustedCluster := main.Secrets.AsTrustedCluster(trustedClusterToken, types.RoleMap{ {Remote: mainDevs, Local: []string{auxDevs}}, }) require.NoError(t, aux.Start()) @@ -3766,12 +3760,12 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Setting rotation state to %v", services.RotationPhaseInit) + t.Logf("Setting rotation state to %v", types.RotationPhaseInit) // start rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseInit, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseInit, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3783,8 +3777,8 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { waitForPhase := func(phase string) error { var lastPhase string for i := 0; i < 10; i++ { - ca, err := aux.Process.GetAuthServer().GetCertAuthority(services.CertAuthID{ - Type: services.HostCA, + ca, err := aux.Process.GetAuthServer().GetCertAuthority(types.CertAuthID{ + Type: types.HostCA, DomainName: clusterMain, }, false) require.NoError(t, err) 
@@ -3797,13 +3791,13 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { return trace.CompareFailed("failed to converge to phase %q, last phase %q", phase, lastPhase) } - err = waitForPhase(services.RotationPhaseInit) + err = waitForPhase(types.RotationPhaseInit) require.NoError(t, err) // update clients err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateClients, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateClients, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3811,19 +3805,19 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { svc, err = suite.waitForReload(serviceC, svc) require.NoError(t, err) - err = waitForPhase(services.RotationPhaseUpdateClients) + err = waitForPhase(types.RotationPhaseUpdateClients) require.NoError(t, err) // old client should work as is err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %v", services.RotationPhaseUpdateServers) + t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers) // move to the next phase err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateServers, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseUpdateServers, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3831,7 +3825,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { svc, err = suite.waitForReload(serviceC, svc) require.NoError(t, err) - err = waitForPhase(services.RotationPhaseUpdateServers) + err = waitForPhase(types.RotationPhaseUpdateServers) require.NoError(t, err) // new credentials will work from this phase to others 
@@ -3845,12 +3839,12 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*") require.NoError(t, err) - t.Logf("Service reloaded. Setting rotation state to %v.", services.RotationPhaseStandby) + t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby) // complete rotation err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseStandby, - Mode: services.RotationModeManual, + TargetPhase: types.RotationPhaseStandby, + Mode: types.RotationModeManual, }) require.NoError(t, err) @@ -3860,7 +3854,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) t.Log("Service reload completed, waiting for phase.") - err = waitForPhase(services.RotationPhaseStandby) + err = waitForPhase(types.RotationPhaseStandby) require.NoError(t, err) t.Log("Phase completed.") 
@@ -3934,19 +3928,19 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { } assertSigningAlg := func(svc *service.TeleportProcess, alg string) { - hostCA, err := svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: Site}, false) + hostCA, err := svc.GetAuthServer().GetCertAuthority(types.CertAuthID{Type: types.HostCA, DomainName: Site}, false) require.NoError(t, err) require.Equal(t, alg, sshutils.GetSigningAlgName(hostCA)) - userCA, err := svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.UserCA, DomainName: Site}, false) + userCA, err := svc.GetAuthServer().GetCertAuthority(types.CertAuthID{Type: types.UserCA, DomainName: Site}, false) require.NoError(t, err) require.Equal(t, alg, sshutils.GetSigningAlgName(userCA)) } rotate := func(svc *service.TeleportProcess, mode string) *service.TeleportProcess { - t.Logf("Rotation phase: %q.", services.RotationPhaseInit) + t.Logf("Rotation phase: %q.", types.RotationPhaseInit) err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseInit, + TargetPhase: types.RotationPhaseInit, Mode: mode, }) require.NoError(t, err) @@ -3955,9 +3949,9 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second) require.NoError(t, err) - t.Logf("Rotation phase: %q.", services.RotationPhaseUpdateClients) + t.Logf("Rotation phase: %q.", types.RotationPhaseUpdateClients) err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateClients, + TargetPhase: types.RotationPhaseUpdateClients, Mode: mode, }) require.NoError(t, err) 
@@ -3966,9 +3960,9 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { svc, err = suite.waitForReload(serviceC, svc) require.NoError(t, err) - t.Logf("Rotation phase: %q.", services.RotationPhaseUpdateServers) + t.Logf("Rotation phase: %q.", types.RotationPhaseUpdateServers) err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseUpdateServers, + TargetPhase: types.RotationPhaseUpdateServers, Mode: mode, }) require.NoError(t, err) @@ -3977,9 +3971,9 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { svc, err = suite.waitForReload(serviceC, svc) require.NoError(t, err) - t.Logf("rotation phase: %q", services.RotationPhaseStandby) + t.Logf("rotation phase: %q", types.RotationPhaseStandby) err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{ - TargetPhase: services.RotationPhaseStandby, + TargetPhase: types.RotationPhaseStandby, Mode: mode, }) require.NoError(t, err) @@ -4004,7 +3998,7 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { config.CASignatureAlgorithm = &signingAlg svc, cancel = restart(svc, cancel) // Do a manual rotation - this should change the signing algorithm. - svc = rotate(svc, services.RotationModeManual) + svc = rotate(svc, types.RotationModeManual) assertSigningAlg(svc, ssh.SigAlgoRSA) t.Log("preserve signature algorithm with empty config value and manual rotation") @@ -4014,7 +4008,7 @@ func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) { // Do a manual rotation - this should leave the signing algorithm // unaffected because config value is not set. - svc = rotate(svc, services.RotationModeManual) + svc = rotate(svc, types.RotationModeManual) assertSigningAlg(svc, ssh.SigAlgoRSA) // shut down the service 
@@ -4169,7 +4163,7 @@ func testWindowChange(t *testing.T, suite *integrationTestSuite) { // Find the existing session in the backend. timeoutCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() - sessions, err := waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site) + sessions, err := waitForSessionToBeEstablished(timeoutCtx, apidefaults.Namespace, site) require.NoError(t, err) sessionID := string(sessions[0].ID) @@ -4194,7 +4188,7 @@ func testWindowChange(t *testing.T, suite *integrationTestSuite) { } for i := 0; i < 10; i++ { - err = cl.Join(context.TODO(), defaults.Namespace, session.ID(sessionID), personB) + err = cl.Join(context.TODO(), apidefaults.Namespace, session.ID(sessionID), personB) if err == nil { break } @@ -4257,8 +4251,8 @@ func testList(t *testing.T, suite *integrationTestSuite) { // Create and start a Teleport cluster with auth, proxy, and node. makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ - Mode: services.RecordOff, + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ + Mode: types.RecordOff, }) require.NoError(t, err) @@ -4307,7 +4301,7 @@ func testList(t *testing.T, suite *integrationTestSuite) { for { select { case <-tickCh: - nodesInCluster, err := clt.GetNodes(ctx, defaults.Namespace, services.SkipValidation()) + nodesInCluster, err := clt.GetNodes(ctx, apidefaults.Namespace) if err != nil && !trace.IsNotFound(err) { return trace.Wrap(err) } @@ -4324,7 +4318,7 @@ func testList(t *testing.T, suite *integrationTestSuite) { var tests = []struct { inRoleName string - inLabels services.Labels + inLabels types.Labels inLogin string outNodes []string }{ 
@@ -4332,21 +4326,21 @@ func testList(t *testing.T, suite *integrationTestSuite) { { inRoleName: "worker-only", inLogin: "foo", - inLabels: services.Labels{"role": []string{"worker"}}, + inLabels: types.Labels{"role": []string{"worker"}}, outNodes: []string{"server-01"}, }, // 1 - Role has label "role:database", only server-02 is returned. { inRoleName: "database-only", inLogin: "bar", - inLabels: services.Labels{"role": []string{"database"}}, + inLabels: types.Labels{"role": []string{"database"}}, outNodes: []string{"server-02"}, }, // 2 - Role has wildcard label, all nodes are returned server-01 and server-2. { inRoleName: "worker-and-database", inLogin: "baz", - inLabels: services.Labels{services.Wildcard: []string{services.Wildcard}}, + inLabels: types.Labels{types.Wildcard: []string{types.Wildcard}}, outNodes: []string{"server-01", "server-02"}, }, } @@ -4354,8 +4348,8 @@ func testList(t *testing.T, suite *integrationTestSuite) { for _, tt := range tests { t.Run(tt.inRoleName, func(t *testing.T) { // Create role with logins and labels for this test. - role, err := services.NewRole(tt.inRoleName, services.RoleSpecV3{ - Allow: services.RoleConditions{ + role, err := types.NewRole(tt.inRoleName, types.RoleSpecV3{ + Allow: types.RoleConditions{ Logins: []string{tt.inLogin}, NodeLabels: tt.inLabels, }, @@ -4363,7 +4357,7 @@ func testList(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) // Create user, role, and generate credentials. - err = SetupUser(teleport.Process, tt.inLogin, []services.Role{role}) + err = SetupUser(teleport.Process, tt.inLogin, []types.Role{role}) require.NoError(t, err) initialCreds, err := GenerateUserCreds(UserCredsRequest{Process: teleport.Process, Username: tt.inLogin}) require.NoError(t, err) 
@@ -4382,7 +4376,7 @@ func testList(t *testing.T, suite *integrationTestSuite) { nodes, err := userClt.ListNodes(context.Background()) require.NoError(t, err) for _, node := range nodes { - ok := utils.SliceContainsStr(tt.outNodes, node.GetHostname()) + ok := apiutils.SliceContainsStr(tt.outNodes, node.GetHostname()) if !ok { t.Fatalf("Got nodes: %v, want: %v.", nodes, tt.outNodes) } @@ -4403,8 +4397,8 @@ func testCmdLabels(t *testing.T, suite *integrationTestSuite) { // Create and start a Teleport cluster with auth, proxy, and node. makeConfig := func() *service.Config { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ - Mode: services.RecordOff, + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ + Mode: types.RecordOff, }) require.NoError(t, err) @@ -4545,7 +4539,7 @@ func testBPFInteractive(t *testing.T, suite *integrationTestSuite) { // For session recorded at the node, enhanced events should be found. { desc: "Enabled and Recorded At Node", - inSessionRecording: services.RecordAtNode, + inSessionRecording: types.RecordAtNode, inBPFEnabled: true, outFound: true, }, @@ -4553,7 +4547,7 @@ func testBPFInteractive(t *testing.T, suite *integrationTestSuite) { // should be found. { desc: "Disabled and Recorded At Node", - inSessionRecording: services.RecordAtNode, + inSessionRecording: types.RecordAtNode, inBPFEnabled: false, outFound: false, }, @@ -4561,7 +4555,7 @@ func testBPFInteractive(t *testing.T, suite *integrationTestSuite) { // BPF turned off simulates an OpenSSH node. { desc: "Disabled and Recorded At Proxy", - inSessionRecording: services.RecordAtProxy, + inSessionRecording: types.RecordAtProxy, inBPFEnabled: false, outFound: false, }, 
@@ -4573,7 +4567,7 @@ func testBPFInteractive(t *testing.T, suite *integrationTestSuite) { // Create and start a Teleport cluster. makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tt.inSessionRecording, }) require.NoError(t, err) @@ -4673,7 +4667,7 @@ func testBPFExec(t *testing.T, suite *integrationTestSuite) { // For session recorded at the node, enhanced events should be found. { desc: "Enabled and recorded at node", - inSessionRecording: services.RecordAtNode, + inSessionRecording: types.RecordAtNode, inBPFEnabled: true, outFound: true, }, @@ -4681,7 +4675,7 @@ func testBPFExec(t *testing.T, suite *integrationTestSuite) { // should be found. { desc: "Disabled and recorded at node", - inSessionRecording: services.RecordAtNode, + inSessionRecording: types.RecordAtNode, inBPFEnabled: false, outFound: false, }, @@ -4689,7 +4683,7 @@ func testBPFExec(t *testing.T, suite *integrationTestSuite) { // BPF turned off simulates an OpenSSH node. { desc: "Disabled and recorded at proxy", - inSessionRecording: services.RecordAtProxy, + inSessionRecording: types.RecordAtProxy, inBPFEnabled: false, outFound: false, }, @@ -4701,7 +4695,7 @@ func testBPFExec(t *testing.T, suite *integrationTestSuite) { // Create and start a Teleport cluster. makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) { - recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ + recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ Mode: tt.inSessionRecording, }) require.NoError(t, err) 
@@ -4778,8 +4772,8 @@ func testBPFSessionDifferentiation(t *testing.T, suite *integrationTestSuite) {

 // Create and start a Teleport cluster.
 makeConfig := func() (*testing.T, []string, []*InstanceSecrets, *service.Config) {
- recConfig, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{
- Mode: services.RecordAtNode,
+ recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
+ Mode: types.RecordAtNode,
 })
 require.NoError(t, err)

@@ -5065,7 +5059,6 @@ func WaitForResource(t *testing.T, watcher types.Watcher, kind, name string) {
 }
 }

-
 // findEventInLog polls the event log looking for an event of a particular type.
 func findEventInLog(t *TeleInstance, eventName string) (events.EventFields, error) {
 for i := 0; i < 10; i++ {
@@ -5144,6 +5137,28 @@ func eventsInLog(path string, eventName string) ([]events.EventFields, error) {
 return ret, nil
 }

+// runCommandWithCertReissue runs an SSH command and generates certificates for the user
+func runCommandWithCertReissue(instance *TeleInstance, cmd []string, reissueParams client.ReissueParams, cachePolicy client.CertCachePolicy, cfg ClientConfig) error {
+ tc, err := instance.NewClient(cfg)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+
+ err = tc.ReissueUserCerts(context.Background(), cachePolicy, reissueParams)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+
+ out := &bytes.Buffer{}
+ tc.Stdout = out
+
+ err = tc.SSH(context.TODO(), cmd, false)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ return nil
+}
+
 // runCommand is a shortcut for running SSH command, it creates a client
 // connected to proxy of the passed in instance, runs the command, and returns
 // the result. If multiple attempts are requested, a 250 millisecond delay is
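Review bot: In the new runCommandWithCertReissue (hunk @@ -5144,6 +5137,28 @@) the stdout buffer `out` is wired into `tc.Stdout` and then dropped, so the helper can only report that the SSH call returned without error and a caller has no way to check what the command produced — unlike the neighbouring runCommand, whose comment says it "returns the result". The two round trips also use `context.Background()` and `context.TODO()` with no deadline, so a hung certificate reissue or SSH exchange stalls the whole integration suite rather than failing the case; the rest of this file bounds such waits with `context.WithTimeout(..., 10*time.Second)`. I would return the captured output, share one bounded context across both calls, and tighten the doc comment to `// runCommandWithCertReissue reissues the user's certificates with reissueParams and then runs cmd over SSH with the resulting client, returning the command's stdout.` — the caller of this helper is outside the hunk and would need its return value adjusted.
```go
func runCommandWithCertReissue(instance *TeleInstance, cmd []string, reissueParams client.ReissueParams, cachePolicy client.CertCachePolicy, cfg ClientConfig) (string, error) {
	tc, err := instance.NewClient(cfg)
	if err != nil {
		return "", trace.Wrap(err)
	}

	// One bounded context for both round trips so a hung reissue or SSH
	// exchange fails this case instead of stalling the suite.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	if err := tc.ReissueUserCerts(ctx, cachePolicy, reissueParams); err != nil {
		return "", trace.Wrap(err)
	}

	out := &bytes.Buffer{}
	tc.Stdout = out
	if err := tc.SSH(ctx, cmd, false); err != nil {
		return "", trace.Wrap(err)
	}
	return out.String(), nil
}
```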
@@ -5382,7 +5397,7 @@ func TestTraitsPropagation(t *testing.T) { role.SetName("test") role.SetLogins(services.Allow, []string{me.Username}) // Users created by CreateEx have "testing: integration" trait. - role.SetNodeLabels(services.Allow, map[string]utils.Strings{"env": []string{"{{external.testing}}"}}) + role.SetNodeLabels(services.Allow, map[string]apiutils.Strings{"env": []string{"{{external.testing}}"}}) rc.AddUserWithRole(me.Username, role) lc.AddUserWithRole(me.Username, role) @@ -5404,13 +5419,13 @@ func TestTraitsPropagation(t *testing.T) { }) // Update root's certificate authority on leaf to configure role mapping. - ca, err := lc.Process.GetAuthServer().GetCertAuthority(services.CertAuthID{ - Type: services.UserCA, + ca, err := lc.Process.GetAuthServer().GetCertAuthority(types.CertAuthID{ + Type: types.UserCA, DomainName: rc.Secrets.SiteName, }, false) require.NoError(t, err) ca.SetRoles(nil) // Reset roles, otherwise they will take precedence. - ca.SetRoleMap(services.RoleMap{{Remote: role.GetName(), Local: []string{role.GetName()}}}) + ca.SetRoleMap(types.RoleMap{{Remote: role.GetName(), Local: []string{role.GetName()}}}) err = lc.Process.GetAuthServer().UpsertCertAuthority(ca) require.NoError(t, err) diff --git a/integration/port_forwarding_test.go b/integration/port_forwarding_test.go index b2951a719bc84..d549d4781c51c 100644 --- a/integration/port_forwarding_test.go +++ b/integration/port_forwarding_test.go @@ -26,11 +26,10 @@ import ( "testing" "time" + apidefaults "github.com/gravitational/teleport/api/defaults" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/auth" "github.com/gravitational/teleport/lib/client" - "github.com/gravitational/teleport/lib/defaults" - "github.com/gravitational/teleport/lib/services" "github.com/gravitational/teleport/lib/session" "github.com/gravitational/teleport/lib/srv/regular" "github.com/gravitational/trace" 
@@ -97,8 +96,8 @@ func testPortForwarding(t *testing.T, suite *integrationTestSuite) { // Given a running teleport instance with port forwarding // permissions set per the test case - recCfg, err := types.NewSessionRecordingConfig(types.SessionRecordingConfigSpecV2{ - Mode: services.RecordOff, + recCfg, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{ + Mode: types.RecordOff, }) require.NoError(t, err) @@ -156,7 +155,7 @@ func testPortForwarding(t *testing.T, suite *integrationTestSuite) { timeout, cancel := context.WithTimeout(context.Background(), 5*time.Second) defer cancel() - _, err = waitForSessionToBeEstablished(timeout, defaults.Namespace, site) + _, err = waitForSessionToBeEstablished(timeout, apidefaults.Namespace, site) require.NoError(t, err) // When everything is *finally* set up, and I attempt to use the