self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-20 17:23:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/integration/integration_test.go

9036 lines
280 KiB
Go
Raw Normal View History

Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
/*
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Copyright 2016-2019 Gravitational, Inc.
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package integration
import (
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
"bufio"
Added ability to specify which console to use ...by teleport clients + servers, meaning: 1. Servers do not default to stdout when printing startup messages 2. Clients can use arbitrary input/output instead of stdin/stdout when doing SSH/join. This helps with integration testing.
2016-04-14 18:43:08 +00:00
"bytes"
Add context support to ProxyClient.ConnectToNode to be able to timeout the connection. The method is otherwise blocking and might hang upon establishing a connection if the other side closes the connection.
2016-12-23 19:50:32 +00:00
"context"
Integration test for UpdateHostCA.
2018-09-06 21:52:41 +00:00
"crypto/x509"
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
"encoding/json"
chore: Bump gravitational/trace to v1.3.0 (#30064) * chore: Bump gravitational/trace to v1.3.0 * Replace `trace.IsEOF` with `errors.Is` * Fix IsPermanentEmitError
2023-08-04 21:39:24 +00:00
"errors"
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
"fmt"
"io"
Fix tsh tctl do not load all CAS (#9357)
2022-01-31 12:35:15 +00:00
"io/fs"
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
"net"
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
"net/http"
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
"net/http/httptest"
"net/url"
Added ability to specify which console to use ...by teleport clients + servers, meaning: 1. Servers do not default to stdout when printing startup messages 2. Clients can use arbitrary input/output instead of stdin/stdout when doing SSH/join. This helps with integration testing.
2016-04-14 18:43:08 +00:00
"os"
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
"os/exec"
Prepared previous commits for merging into master - Fixed all tests - Removed "magic constants" in random places - Improved 'retry connecting to auth server' logic (it used to always fail on 1st attempt)
2016-04-11 23:30:58 +00:00
"os/user"
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
"path/filepath"
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
"reflect"
Add support for NFS-friendly log protocol. * Session events are delivered in continuous batches in a guaranteed order with every event and print event ordered from session start. * Each auth server writes to a separate folder on disk to make sure that no two processes write to the same file at a time. * When retrieving sessions, auth servers fetch and merge results recorded by each auth server. * Migrations and compatibility modes are in place for older clients not aware of the new format, but compatibility mode is not NFS friendly. * On disk migrations are launched automatically during auth server upgrades.
2017-12-31 23:31:57 +00:00
"regexp"
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
"runtime/pprof"
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
"strconv"
Integration test for audit log
2016-05-04 23:49:59 +00:00
"strings"
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
"sync"
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
"sync/atomic"
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
"testing"
"time"
Embed auth.Cache in auth.Server (#14698) * Embed auth.Cache in auth.Server * Hit the backend during Auth initialization * Bypass the cache when rotating CAs * Services.UpsertTrustedCluster is different * Bypass the cache in waitForTunnelConnections * Fix infinite recursion * More cache bypassing during init and rotations * Rename Services to Uncached in auth.Server * Further cleanups * Don't start the auth cache immediately * Go back to Services rather than Uncached * Comments and a missing method
2022-07-27 21:05:53 +00:00
"github.com/google/uuid"
"github.com/gravitational/trace"
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
"github.com/gravitational/trace/trail"
Embed auth.Cache in auth.Server (#14698) * Embed auth.Cache in auth.Server * Hit the backend during Auth initialization * Bypass the cache when rotating CAs * Services.UpsertTrustedCluster is different * Bypass the cache in waitForTunnelConnections * Fix infinite recursion * More cache bypassing during init and rotations * Rename Services to Uncached in auth.Server * Further cleanups * Don't start the auth cache immediately * Go back to Services rather than Uncached * Comments and a missing method
2022-07-27 21:05:53 +00:00
"github.com/pkg/sftp"
log "github.com/sirupsen/logrus"
Adjust integration test timeouts (#18331) * Adjust integration test timeouts * Skip TestProxyTunnelStrategyProxyPeering
2022-11-24 18:47:49 +00:00
"github.com/stretchr/testify/assert"
Embed auth.Cache in auth.Server (#14698) * Embed auth.Cache in auth.Server * Hit the backend during Auth initialization * Bypass the cache when rotating CAs * Services.UpsertTrustedCluster is different * Bypass the cache in waitForTunnelConnections * Fix infinite recursion * More cache bypassing during init and rotations * Rename Services to Uncached in auth.Server * Further cleanups * Don't start the auth cache immediately * Go back to Services rather than Uncached * Comments and a missing method
2022-07-27 21:05:53 +00:00
"github.com/stretchr/testify/require"
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
"golang.org/x/crypto/ssh"
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
"golang.org/x/crypto/ssh/agent"
Use x/exp/slices instead of home grown utilities (#18524) We were inconsistent throughout the codebase and would sometimes use the slices package and other times use our own equivalents in api/. This removes our versions in favor of the golang.org/x package that does the same, which has the added benefit of reducing the surface area of the public API module. Note: despite existing uses of the slices package, for some reason it didn't show up in go.mod or go.sum. Fixed that too.
2022-11-17 15:25:46 +00:00
"golang.org/x/exp/slices"
Multiplex Proxy SSH port (#19813)
2023-01-06 16:54:05 +00:00
"google.golang.org/grpc"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
integration test
2017-05-20 02:03:28 +00:00
"github.com/gravitational/teleport"
Add manual tracing instrumentation to tsh (#13204) Create spans for all public facing TeleportClient, ProxyClient, and NodeClient methods. This makes correlating spans easier to reason about when looking at `tsh` traces. As a result of creating spans, some additional context propagation is required as well to ensure that spans are linked properly. This also removes the unused `quiet` argument from `ConnectToCluster`. It's usage was not consistent by existing callers, and it was ignored, so in order to avoid confusion in future calls, it was removed. #12241
2022-06-11 15:34:40 +00:00
"github.com/gravitational/teleport/api/breaker"
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
apiclient "github.com/gravitational/teleport/api/client"
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
"github.com/gravitational/teleport/api/client/proto"
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
"github.com/gravitational/teleport/api/constants"
fix peer addr for in-memory control stream
2022-07-27 16:30:56 +00:00
"github.com/gravitational/teleport/api/defaults"
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
"github.com/gravitational/teleport/api/metadata"
Add tracing instrumentation for ssh clients/servers (#12434) * Add tracing instrumentation for ssh clients/servers Add tracing context to the existing ProxyHelloSignature to provide span information across ssh connections. To add span context per ssh session on top of new connections, the same tracing context is passed in the first global request of the session. In order to ensure that tracing context is pulled from and inserted into the proper context.Context, some interfaces and methods were changed to take one as the first argument.
2022-05-25 12:24:02 +00:00
tracessh "github.com/gravitational/teleport/api/observability/tracing/ssh"
rollback - Upgrade api version. (#7751)
2021-07-30 22:34:19 +00:00
"github.com/gravitational/teleport/api/profile"
"github.com/gravitational/teleport/api/types"
apievents "github.com/gravitational/teleport/api/types/events"
apiutils "github.com/gravitational/teleport/api/utils"
"github.com/gravitational/teleport/api/utils/keypaths"
Move `lib/utils/prompt` to `api/utils/prompt` (#32334) * Move /lib/utils/prompt to /api/utils/prompt. * Replace uses of lib/utils/prompt with api/utils/prompt and delete pacakge. * go mod tidy.
2023-09-25 19:31:37 +00:00
"github.com/gravitational/teleport/api/utils/prompt"
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
apisshutils "github.com/gravitational/teleport/api/utils/sshutils"
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
"github.com/gravitational/teleport/integration/helpers"
Better handling of "development mode" Instead of quietly changing behavior because `DEBUG` envar was set to true, Teleport now explicitly requires scary --insecure flag to enable this behavior.
2017-09-10 03:59:38 +00:00
"github.com/gravitational/teleport/lib"
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
"github.com/gravitational/teleport/lib/auth"
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
"github.com/gravitational/teleport/lib/auth/mocku2f"
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
"github.com/gravitational/teleport/lib/auth/native"
Prepared previous commits for merging into master - Fixed all tests - Removed "magic constants" in random places - Improved 'retry connecting to auth server' logic (it used to always fail on 1st attempt)
2016-04-11 23:30:58 +00:00
"github.com/gravitational/teleport/lib/auth/testauthority"
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
Remove `lib/auth/webauthn` dependency from `webauthncli` (#30377) * Alias `api/types/webauthn` imports to `wanpb` * Use `webauthnpb` as the default package name * Move messages.go to webauthntypes/ * Move extensions.go to webauthntypes/ * Move proto.go to webauthntypes/ * nit: Use consistent license style * Use the `wantypes` alias for webauthntypes * Use the `wanwin` alias for webauthnwin * nit: Move winwebauthn.go to webauthnwin.go * Document package webauthntypes * Alias types required by e/ * Appease linter * Add all main types/method to compat.go * Reinstate spaces on proxy_test.go * Alias newly-added usages
2023-08-14 21:24:37 +00:00
wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
"github.com/gravitational/teleport/lib/bpf"
Client profiles for TSH
2016-10-22 02:11:13 +00:00
"github.com/gravitational/teleport/lib/client"
Fix `Too many requests` error in github actions test (#19606)
2022-12-23 03:47:02 +00:00
"github.com/gravitational/teleport/lib/cloud"
Brought back all uncommented tests
2016-05-01 08:36:21 +00:00
"github.com/gravitational/teleport/lib/events"
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
"github.com/gravitational/teleport/lib/events/eventstest"
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
"github.com/gravitational/teleport/lib/events/filesessions"
Make source IP-pinning an enterprise feature (#14141)
2022-07-06 17:25:31 +00:00
"github.com/gravitational/teleport/lib/modules"
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
"github.com/gravitational/teleport/lib/multiplexer"
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
"github.com/gravitational/teleport/lib/pam"
Fix tsh windows builds (#28357) #24864 added a dependency of lib/web into tsh which broke windows tsh builds because lib/web transiently depends on lib/srv which has linux specific code. This shuffles around a few things so that lib/web is no longer importing lib/srv at all by: - Indirectly using the srv.SessionController to apply session control for web ssh sessions - Moving the common reversetunnel interfaces into reversetunnelclient since lib/reversetunnel imports lib/srv/forward which imports lib/srv. - Directly converting mysql client errors in the connection tester instead of calling a common function.
2023-06-30 17:12:12 +00:00
"github.com/gravitational/teleport/lib/reversetunnelclient"
fix and complete tests
2017-05-20 19:52:03 +00:00
"github.com/gravitational/teleport/lib/service"
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
"github.com/gravitational/teleport/lib/service/servicecfg"
integration test
2017-05-20 02:03:28 +00:00
"github.com/gravitational/teleport/lib/services"
Brought back all uncommented tests
2016-05-01 08:36:21 +00:00
"github.com/gravitational/teleport/lib/session"
Multiplex Proxy SSH port (#19813)
2023-01-06 16:54:05 +00:00
"github.com/gravitational/teleport/lib/srv/alpnproxy/common"
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
"github.com/gravitational/teleport/lib/sshutils"
Added the ability to supply Access Request TTLs Added the ability to specify two CLI flags for Access Requests: "--request-ttl" and "--session-ttl". Updated "CreateAccessRequest" to adhere to the following rules. If an Access Request does not have a TTL set (expiration time types.AccessRequest resource itself), a default of 1 hour is used. Next, the request value is truncated by the lifetime of the certificate, requested expiration, and then strictest session TTL on all roles requested. Similar logic is followed for the expiration time of the elevated certificate that will be issued if the Access Request is approved. First the requested value is truncated by the lifetime of the certificate, requested expiration, and then strictest session TTL on all roles requested. The output of "tsh requests ls" and "tctl requests ls" has been updated to display the TTL values.
2022-10-12 21:07:09 +00:00
"github.com/gravitational/teleport/lib/tlsca"
Added endurance integration test
2016-04-08 02:01:31 +00:00
"github.com/gravitational/teleport/lib/utils"
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
"github.com/gravitational/teleport/lib/web"
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
type integrationTestSuite struct {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
helpers.Fixture
Incorporated GetFreeTCPPorts() into integration testign
2016-04-08 17:38:19 +00:00
}
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func newSuite(t *testing.T) *integrationTestSuite {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
return &integrationTestSuite{*helpers.NewFixture(t)}
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
type integrationTest func(t *testing.T, suite *integrationTestSuite)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func (s *integrationTestSuite) bind(test integrationTest) func(t *testing.T) {
return func(t *testing.T) {
Attempts to make CI integration test logs more useful (#9626) Actually tracking down the cause of a failure in the integration tests can be hard: * It's hard to get an overall summary of what failed * The tests sometimes emit no output before timing out, meaning any diagnostic info is lost * The emitted logs are too voluminous for a human to parse * The emitted logs can present information out of order * It's often hard to tell where the output from one test ends and the next one begins This patch attempts to address these concerns without attempting to rewrite any of the underlying teleport logging. * It improves the render-tests script to (optionally) report progress per- test, rather than on a per-package basis. My working hypothesis on the tests that time out with no output is that go test ./integration is waiting for the entire set of integration tests tests to be complete before reporting success or failure. Reporting on a per-test cycle gives faster feedback and means that any timed-out builds should give at least some idea of where they are stuck. * Adds the render-tests filter to the integration and integration-root make targets. This will show an overall summary of test results, as well as - Discarding log output from passing tests to increase signal-to-noise ratio, and - Strongly delimiting the output from each failed test, making failures easier to find. * Removes the notion of a failure-only logger in favour of post-processing the log events with render-tests. The failure-only logger catches log output from the tests and only forwards it to the console if the test fails. Unfortunately, not all log output is guaranteed to pass through this logger (some teleport packages do not honour the configured logger, and reports from the go race detector certainly don't), meaning some output is presented at the time it happens, and other output is batched and displayed at the end of the test. This makes working out what happened where harder than it need be. In addition, this patch also promotes the render-tests script into a fully- fledged program, with appropriate makefile targets, make clean support, etc. It is now also more robust in the face on non-JSON output from go test (which happens if a package fails to compile).
2022-01-04 23:42:07 +00:00
// Attempt to set a logger for the test. Be warned that parts of the
Configure linter to catch British 🇬🇧 spellings 🇺🇸 🦅 📖 (#14363) * configure golangci-lint misspell to check for anglicized spellings * Americanize spellings * fix aws constant value with british spelling 🇬🇧 * update api types with americanized spellings * use american spellings .cloudbuild/scripts
2022-07-14 10:51:23 +00:00
// Teleport codebase do not honor the logger passed in via config and
Attempts to make CI integration test logs more useful (#9626) Actually tracking down the cause of a failure in the integration tests can be hard: * It's hard to get an overall summary of what failed * The tests sometimes emit no output before timing out, meaning any diagnostic info is lost * The emitted logs are too voluminous for a human to parse * The emitted logs can present information out of order * It's often hard to tell where the output from one test ends and the next one begins This patch attempts to address these concerns without attempting to rewrite any of the underlying teleport logging. * It improves the render-tests script to (optionally) report progress per- test, rather than on a per-package basis. My working hypothesis on the tests that time out with no output is that go test ./integration is waiting for the entire set of integration tests tests to be complete before reporting success or failure. Reporting on a per-test cycle gives faster feedback and means that any timed-out builds should give at least some idea of where they are stuck. * Adds the render-tests filter to the integration and integration-root make targets. This will show an overall summary of test results, as well as - Discarding log output from passing tests to increase signal-to-noise ratio, and - Strongly delimiting the output from each failed test, making failures easier to find. * Removes the notion of a failure-only logger in favour of post-processing the log events with render-tests. The failure-only logger catches log output from the tests and only forwards it to the console if the test fails. Unfortunately, not all log output is guaranteed to pass through this logger (some teleport packages do not honour the configured logger, and reports from the go race detector certainly don't), meaning some output is presented at the time it happens, and other output is batched and displayed at the end of the test. This makes working out what happened where harder than it need be. In addition, this patch also promotes the render-tests script into a fully- fledged program, with appropriate makefile targets, make clean support, etc. It is now also more robust in the face on non-JSON output from go test (which happens if a package fails to compile).
2022-01-04 23:42:07 +00:00
// will create their own. Do not expect to catch _all_ output with this.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
s.Log = utils.NewLoggerForTests()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
os.RemoveAll(profile.FullProfilePath(""))
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
t.Cleanup(func() { s.Log = nil })
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
test(t, s)
Integration test for audit log
2016-05-04 23:49:59 +00:00
}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// TestIntegrations acts as the master test suite for all integration tests
Configure linter to catch British 🇬🇧 spellings 🇺🇸 🦅 📖 (#14363) * configure golangci-lint misspell to check for anglicized spellings * Americanize spellings * fix aws constant value with british spelling 🇬🇧 * update api types with americanized spellings * use american spellings .cloudbuild/scripts
2022-07-14 10:51:23 +00:00
// requiring standardized setup and teardown.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func TestIntegrations(t *testing.T) {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// TODO: break all of these subtests out into individual tests so that we get
// better progress reporting, rather than have to wait for the entire
// suite to complete
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
suite := newSuite(t)
t.Run("AuditOff", suite.bind(testAuditOff))
t.Run("AuditOn", suite.bind(testAuditOn))
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
t.Run("BPFExec", suite.bind(testBPFExec))
t.Run("BPFInteractive", suite.bind(testBPFInteractive))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("BPFSessionDifferentiation", suite.bind(testBPFSessionDifferentiation))
Respect client idle timeout setting (#27484) Client connections were never using the `srv.TrackingReadConn` created by the `srv.ConnectionMonitor` which caused all connections to appear idle and be disconnected whenever the client idle timeout was reached. `(srv.ConnectionMonitor) MonitorConn` now returns the provided connection which is wrapped in the tracking connection. Callers must ensure that the returned connection is used instead of the connection passed in to `MonitorConn`. Fixes #27392
2023-06-23 15:01:33 +00:00
t.Run("ClientIdleConnection", suite.bind(testClientIdleConnection))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("CmdLabels", suite.bind(testCmdLabels))
t.Run("ControlMaster", suite.bind(testControlMaster))
t.Run("CustomReverseTunnel", suite.bind(testCustomReverseTunnel))
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
t.Run("DataTransfer", suite.bind(testDataTransfer))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("Disconnection", suite.bind(testDisconnectScenarios))
t.Run("Discovery", suite.bind(testDiscovery))
t.Run("DiscoveryNode", suite.bind(testDiscoveryNode))
t.Run("DiscoveryRecovers", suite.bind(testDiscoveryRecovers))
t.Run("EnvironmentVars", suite.bind(testEnvironmentVariables))
t.Run("ExecEvents", suite.bind(testExecEvents))
t.Run("ExternalClient", suite.bind(testExternalClient))
t.Run("HA", suite.bind(testHA))
t.Run("Interactive (Regular)", suite.bind(testInteractiveRegular))
t.Run("Interactive (Reverse Tunnel)", suite.bind(testInteractiveReverseTunnel))
t.Run("Interoperability", suite.bind(testInteroperability))
t.Run("InvalidLogin", suite.bind(testInvalidLogins))
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
t.Run("IP Propagation", suite.bind(testIPPropagation))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("JumpTrustedClusters", suite.bind(testJumpTrustedClusters))
t.Run("JumpTrustedClustersWithLabels", suite.bind(testJumpTrustedClustersWithLabels))
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
t.Run("LeafSessionRecording", suite.bind(testLeafProxySessionRecording))
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
t.Run("List", suite.bind(testList))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("MapRoles", suite.bind(testMapRoles))
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
t.Run("ModeratedSessions", suite.bind(testModeratedSessions))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("MultiplexingTrustedClusters", suite.bind(testMultiplexingTrustedClusters))
t.Run("PAM", suite.bind(testPAM))
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
t.Run("PortForwarding", suite.bind(testPortForwarding))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("ProxyHostKeyCheck", suite.bind(testProxyHostKeyCheck))
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
t.Run("ReverseTunnelCollapse", suite.bind(testReverseTunnelCollapse))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("RotateRollback", suite.bind(testRotateRollback))
t.Run("RotateSuccess", suite.bind(testRotateSuccess))
t.Run("RotateTrustedClusters", suite.bind(testRotateTrustedClusters))
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
t.Run("SessionStartContainsAccessRequest", suite.bind(testSessionStartContainsAccessRequest))
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
t.Run("SessionStreaming", suite.bind(testSessionStreaming))
t.Run("SSHExitCode", suite.bind(testSSHExitCode))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("Shutdown", suite.bind(testShutdown))
t.Run("TrustedClusters", suite.bind(testTrustedClusters))
Allow updating of trusted cluster role maps (#18168)
2023-01-13 19:06:17 +00:00
t.Run("TrustedDisabledClusters", suite.bind(testDisabledTrustedClusters))
t.Run("TrustedClustersRoleMapChanges", suite.bind(testTrustedClustersRoleMapChanges))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run("TrustedClustersWithLabels", suite.bind(testTrustedClustersWithLabels))
t.Run("TrustedTunnelNode", suite.bind(testTrustedTunnelNode))
t.Run("TwoClustersProxy", suite.bind(testTwoClustersProxy))
t.Run("TwoClustersTunnel", suite.bind(testTwoClustersTunnel))
t.Run("UUIDBasedProxy", suite.bind(testUUIDBasedProxy))
t.Run("WindowChange", suite.bind(testWindowChange))
Moderated Sessions improvements (#10991)
2022-03-10 23:04:12 +00:00
t.Run("SSHTracker", suite.bind(testSSHTracker))
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
t.Run("ListResourcesAcrossClusters", suite.bind(testListResourcesAcrossClusters))
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
t.Run("SessionRecordingModes", suite.bind(testSessionRecordingModes))
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
t.Run("DifferentPinnedIP", suite.bind(testDifferentPinnedIP))
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
t.Run("JoinOverReverseTunnelOnly", suite.bind(testJoinOverReverseTunnelOnly))
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
t.Run("SFTP", suite.bind(testSFTP))
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
t.Run("EscapeSequenceTriggers", suite.bind(testEscapeSequenceTriggers))
fix peer addr for in-memory control stream
2022-07-27 16:30:56 +00:00
t.Run("AuthLocalNodeControlStream", suite.bind(testAuthLocalNodeControlStream))
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
t.Run("AgentlessConnection", suite.bind(testAgentlessConnection))
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
t.Run("LeafAgentlessConnection", suite.bind(testTrustedClusterAgentless))
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
}
// testDifferentPinnedIP tests connection is rejected when source IP doesn't match the pinned one
func testDifferentPinnedIP(t *testing.T, suite *integrationTestSuite) {
Make source IP-pinning an enterprise feature (#14141)
2022-07-06 17:25:31 +00:00
modules.SetTestModules(t, &modules.TestModules{TestBuildType: modules.BuildEnterprise})
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
tconf.SSH.DisableCreateHostUser = true
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
teleInstance := suite.NewTeleportInstance(t)
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
role := services.NewImplicitRole()
ro := role.GetOptions()
ro.PinSourceIP = true
role.SetOptions(ro)
role.SetName("x")
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
role.SetLogins(types.Allow, []string{suite.Me.Username})
teleInstance.AddUserWithRole(suite.Me.Username, role)
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, teleInstance.CreateEx(t, nil, tconf))
require.NoError(t, teleInstance.Start())
defer teleInstance.StopAll()
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
site := teleInstance.GetSiteAPI(helpers.Site)
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
require.NotNil(t, site)
Removes support for legacy ssh connections to the Proxy (#30043) In preparation for v14 we can remove support for SSH connections to the Proxy from the `api/proxy.Client` since all supported instances should all be serving the TransportService.
2023-08-09 02:10:44 +00:00
connectionProblem := func(t require.TestingT, err error, i ...interface{}) {
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
require.Error(t, err, i...)
Removes support for legacy ssh connections to the Proxy (#30043) In preparation for v14 we can remove support for SSH connections to the Proxy from the `api/proxy.Client` since all supported instances should all be serving the TransportService.
2023-08-09 02:10:44 +00:00
require.True(t, trace.IsConnectionProblem(err), "expected a connection problem error, got: %v", err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
testCases := []struct {
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
desc string
ip string
errAssertion require.ErrorAssertionFunc
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
}{
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
desc: "Correct connecting IP",
ip: "127.0.0.1",
errAssertion: require.NoError,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
desc: "Wrong connecting IPv4",
ip: "1.2.3.4",
Removes support for legacy ssh connections to the Proxy (#30043) In preparation for v14 we can remove support for SSH connections to the Proxy from the `api/proxy.Client` since all supported instances should all be serving the TransportService.
2023-08-09 02:10:44 +00:00
errAssertion: connectionProblem,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
desc: "Wrong connecting IPv6",
ip: "1843:4545::12",
Removes support for legacy ssh connections to the Proxy (#30043) In preparation for v14 we can remove support for SSH connections to the Proxy from the `api/proxy.Client` since all supported instances should all be serving the TransportService.
2023-08-09 02:10:44 +00:00
errAssertion: connectionProblem,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
}
for _, test := range testCases {
t.Run(test.desc, func(t *testing.T) {
cl, err := teleInstance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
Removes support for legacy ssh connections to the Proxy (#30043) In preparation for v14 we can remove support for SSH connections to the Proxy from the `api/proxy.Client` since all supported instances should all be serving the TransportService.
2023-08-09 02:10:44 +00:00
Port: helpers.Port(t, teleInstance.SSH),
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
SourceIP: test.ip,
})
require.NoError(t, err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
defer cancel()
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
test.errAssertion(t, cl.SSH(ctx, []string{"echo hi"}, false))
IP-based validation for SSH (#13243) This change adds IP-based validation for SSH certificates. There's new option in role definition: kind: role metadata: name: dev spec: options: pin_source_ip: true When that is set to true client IP must be the same when generating certificates and using them. It uses source_address critical option that should be supported by both teleport and sshd and only applies to certificates we send to user (like in tsh login), we don't pin IP in certificates issued for web UI as they can't leak. This change also omits machine ID (it uses different code path) - it will be added in separate PR. Most of the lines changed are from regenerating types.proto, change itself is not that big Relates #11719
2022-06-08 22:49:37 +00:00
})
}
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Integration test for audit log
2016-05-04 23:49:59 +00:00
fix peer addr for in-memory control stream
2022-07-27 16:30:56 +00:00
// testAuthLocalNodeControlStream verifies some basic expected behaviors for auth-local
// node control streams (requires separate checks because auth-local nodes use a special
// in-memory control stream).
func testAuthLocalNodeControlStream(t *testing.T, suite *integrationTestSuite) {
const clusterName = "control-stream-test"
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
tconf.SSH.DisableCreateHostUser = true
// deliberately create a teleport instance that will end up binding
// unspecified addr (`0.0.0.0`/`::`). we use this further down to confirm
// that in-memory control stream can approximate peer-addr substitution.
teleport := suite.newNamedTeleportInstance(t, clusterName,
WithNodeName(""),
WithListeners(helpers.StandardListenerSetupOn("")),
)
require.NoError(t, teleport.CreateEx(t, nil, tconf))
require.NoError(t, teleport.Start())
Skip building webassets in CI (#22549) * Skip building webassets in CI Building webassets is not always needed and many of our CI build just builds them and ends up not using them after. This PR skips building the webassets for all pipelines where they are not needed. This should save us some time and $$. * Make some changes to trigger CI * Create the missing directory
2023-03-03 15:14:25 +00:00
t.Cleanup(func() { teleport.StopAll() })
fix peer addr for in-memory control stream
2022-07-27 16:30:56 +00:00
rework instance hbs to be more scalable and to track upgraders (#27895)
2023-07-08 02:15:56 +00:00
clt := teleport.Process.GetAuthServer()
fix peer addr for in-memory control stream
2022-07-27 16:30:56 +00:00
require.NotNil(t, clt)
var nodeID string
// verify node control stream registers, extracting the id.
require.Eventually(t, func() bool {
status, err := clt.GetInventoryStatus(context.Background(), proto.InventoryStatusRequest{
Connected: true,
})
require.NoError(t, err)
for _, hello := range status.Connected {
for _, s := range hello.Services {
if s != types.RoleNode {
continue
}
nodeID = hello.ServerID
return true
}
}
return false
}, time.Second*10, time.Millisecond*200)
var nodeAddr string
// verify node heartbeat was successful, extracting the addr.
require.Eventually(t, func() bool {
node, err := clt.GetNode(context.Background(), defaults.Namespace, nodeID)
if trace.IsNotFound(err) {
return false
}
require.NoError(t, err)
nodeAddr = node.GetAddr()
return true
}, time.Second*10, time.Millisecond*200)
addr, err := utils.ParseAddr(nodeAddr)
require.NoError(t, err)
// verify that we've replaced the unspecified host.
require.False(t, addr.IsHostUnspecified())
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testAuditOn creates a live session, records a bunch of data through it
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// and then reads it back and compares against simulated reality.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testAuditOn(t *testing.T, suite *integrationTestSuite) {
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment string
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
inRecordLocation string
inForwardAgent bool
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
auditSessionsURI string
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}{
{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment: "normal teleport",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNode,
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
inForwardAgent: false,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment: "recording proxy",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtProxy,
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
inForwardAgent: true,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment: "normal teleport with upload to file server",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNode,
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
inForwardAgent: false,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
auditSessionsURI: t.TempDir(),
Removes deprecated `KindKubeService` objects (#22663) This PR removes the `types.KindKubeService` objects that were deprecated in Teleport 11. Teleport 12 removed the double heartbeat and for Teleport 13 we can safely drop the support of the old hearbeat based on `types.Server` objects. Clients older than Teleport 12 connecting to a Teleport 13 server will fail since they cannot heartbeat using the old mechanism.
2023-03-13 10:55:39 +00:00
},
{
Fix flaky test - TestAuditOn (#12101)
2022-04-21 01:20:26 +00:00
comment: "recording proxy with upload to file server",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtProxy,
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
inForwardAgent: false,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
auditSessionsURI: t.TempDir(),
Removes deprecated `KindKubeService` objects (#22663) This PR removes the `types.KindKubeService` objects that were deprecated in Teleport 11. Teleport 12 removed the double heartbeat and for Teleport 13 we can safely drop the support of the old hearbeat based on `types.Server` objects. Clients older than Teleport 12 connecting to a Teleport 13 server will fail since they cannot heartbeat using the old mechanism.
2023-03-13 10:55:39 +00:00
},
{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment: "normal teleport, sync recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNodeSync,
Session streaming This commit introduces GRPC API for streaming sessions. It adds structured events and sync streaming that avoids storing events on disk. You can find design in rfd/0002-streaming.md RFD.
2020-07-15 00:15:01 +00:00
inForwardAgent: false,
Removes deprecated `KindKubeService` objects (#22663) This PR removes the `types.KindKubeService` objects that were deprecated in Teleport 11. Teleport 12 removed the double heartbeat and for Teleport 13 we can safely drop the support of the old hearbeat based on `types.Server` objects. Clients older than Teleport 12 connecting to a Teleport 13 server will fail since they cannot heartbeat using the old mechanism.
2023-03-13 10:55:39 +00:00
},
{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
comment: "recording proxy, sync recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtProxySync,
Session streaming This commit introduces GRPC API for streaming sessions. It adds structured events and sync streaming that avoids storing events on disk. You can find design in rfd/0002-streaming.md RFD.
2020-07-15 00:15:01 +00:00
inForwardAgent: true,
},
Integration test for audit log
2016-05-04 23:49:59 +00:00
}
TunClient changes TunClient always tries to dial the statically configured auth server first, before trying "discovered" ones. The rationale is that --auth flag must override whatever dynamic auth servers have been discovered (because sometimes their IPs are wrong, if advertise-ip was misconfigured) Closes #416 Fixes #416
2016-05-21 02:35:16 +00:00
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.comment, func(t *testing.T) {
Enable and fix AuditOn. (#17687) This change re-enables the AuditOn system test and fixes the TTY connection between the Teleport parent and child process. It should allow the child to send the error code to the parent, which should fix the test.
2022-11-14 23:07:58 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
t.Cleanup(func() {
tr.Stop()
})
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Turn AuditConfig into a standalone resource (#6997)
2021-06-14 20:49:22 +00:00
auditConfig, err := types.NewClusterAuditConfig(types.ClusterAuditConfigSpecV2{
AuditSessionsURI: tt.auditSessionsURI,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
require.NoError(t, err)
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Mode: tt.inRecordLocation,
})
require.NoError(t, err)
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
Turn AuditConfig into a standalone resource (#6997)
2021-06-14 20:49:22 +00:00
tconf.Auth.AuditConfig = auditConfig
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf.Auth.SessionRecordingConfig = recConfig
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(makeConfig())
Enable and fix AuditOn. (#17687) This change re-enables the AuditOn system test and fixes the TTY connection between the Teleport parent and child process. It should allow the child to send the error code to the parent, which should fix the test.
2022-11-14 23:07:58 +00:00
t.Cleanup(func() {
err := teleport.StopAll()
require.NoError(t, err)
})
Replaced weg sockets with HTTP POST/GET chunks
2016-05-06 06:51:56 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Start a node.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
nodeConf := suite.defaultServiceConfig()
nodeConf.HostUUID = "node"
nodeConf.Hostname = "node"
nodeConf.SSH.Enabled = true
nodeConf.SSH.Addr.Addr = helpers.NewListener(t, service.ListenerNodeSSH, &nodeConf.FileDescriptors)
Correctly propagate information about the target during forwarding (#14564)
2022-07-28 11:05:45 +00:00
_, err := teleport.StartNode(nodeConf)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
// get access to a authClient for the cluster
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleport.GetSiteAPI(helpers.Site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotNil(t, site)
Enable and fix AuditOn. (#17687) This change re-enables the AuditOn system test and fixes the TTY connection between the Teleport parent and child process. It should allow the child to send the error code to the parent, which should fix the test.
2022-11-14 23:07:58 +00:00
ctx := context.Background()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// wait 10 seconds for both nodes to show up, otherwise
// we'll have trouble connecting to the node below.
waitForNodes := func(site auth.ClientI, count int) error {
tickCh := time.Tick(500 * time.Millisecond)
stopCh := time.After(10 * time.Second)
for {
select {
case <-tickCh:
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
nodesInSite, err := site.GetNodes(ctx, defaults.Namespace)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
if err != nil && !trace.IsNotFound(err) {
return trace.Wrap(err)
}
if got, want := len(nodesInSite), count; got == want {
return nil
}
case <-stopCh:
return trace.BadParameter("waited 10s, did find %v nodes", count)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
}
err = waitForNodes(site, 2)
require.NoError(t, err)
// should have no sessions:
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
sessions, err := site.GetActiveSessionTrackers(ctx)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Empty(t, sessions)
// create interactive session (this goroutine is this user's terminal time)
endC := make(chan error)
myTerm := NewTerminal(250)
go func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, nodeConf.SSH.Addr.Addr),
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
ForwardAgent: tt.inForwardAgent,
})
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
if err != nil {
endC <- err
return
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
cl.Stdout = myTerm
cl.Stdin = myTerm
err = cl.SSH(context.TODO(), []string{}, false)
endC <- err
}()
// wait until we've found the session in the audit log
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
getSession := func(site auth.ClientI) (types.SessionTracker, error) {
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
timeout, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
sessions, err := waitForSessionToBeEstablished(timeout, defaults.Namespace, site)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
if err != nil {
return nil, trace.Wrap(err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
return sessions[0], nil
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
tracker, err := getSession(site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
sessionID := tracker.GetSessionID()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// wait for the user to join this session:
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
for len(tracker.GetParticipants()) == 0 {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
time.Sleep(time.Millisecond * 5)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
tracker, err = site.GetSessionTracker(ctx, tracker.GetSessionID())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
}
// make sure it's us who joined! :)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
require.Equal(t, suite.Me.Username, tracker.GetParticipants()[0].User)
Integration test for audit log
2016-05-04 23:49:59 +00:00
Enable and fix AuditOn. (#17687) This change re-enables the AuditOn system test and fixes the TTY connection between the Teleport parent and child process. It should allow the child to send the error code to the parent, which should fix the test.
2022-11-14 23:07:58 +00:00
// let's type "echo hi" followed by "enter" and then "exit" + "enter":
myTerm.Type("echo hi\n\rexit\n\r")
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// wait for session to end:
select {
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
case err := <-endC:
require.NoError(t, err)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
case <-time.After(10 * time.Second):
t.Fatalf("%s: Timeout waiting for session to finish.", tt.comment)
}
// wait for the upload of the right session to complete
timeoutC := time.After(10 * time.Second)
loop:
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
for {
select {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
case event := <-teleport.UploadEventsC:
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
if event.SessionID != tracker.GetSessionID() {
t.Logf("Skipping mismatching session %v, expecting upload of %v.", event.SessionID, tracker.GetSessionID())
Use a discard session server and audit logger when the proxy is in recording mode and on a Teleport node.
2018-01-15 21:31:30 +00:00
continue
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
break loop
case <-timeoutC:
dumpGoroutineProfile()
t.Fatalf("%s: Timeout waiting for upload of session %v to complete to %v",
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
tt.comment, tracker.GetSessionID(), tt.auditSessionsURI)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// read back the entire session (we have to try several times until we get back
// everything because the session is closing)
var sessionStream []byte
for i := 0; i < 6; i++ {
Remove duplicate imports (#24736)
2023-04-18 19:08:26 +00:00
sessionStream, err = site.GetSessionChunk(defaults.Namespace, session.ID(tracker.GetSessionID()), 0, events.MaxChunkBytes)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
if strings.Contains(string(sessionStream), "exit") {
break
}
time.Sleep(time.Millisecond * 250)
if i >= 5 {
// session stream keeps coming back short
t.Fatalf("%s: Stream is not getting data: %q.", tt.comment, string(sessionStream))
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
}
Replaced weg sockets with HTTP POST/GET chunks
2016-05-06 06:51:56 +00:00
}
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// see what we got. It looks different based on bash settings, but here it is
// on Ev's machine (hostname is 'edsger'):
//
// edsger ~: echo hi
// hi
// edsger ~: exit
// logout
//
text := string(sessionStream)
require.Contains(t, text, "echo hi")
require.Contains(t, text, "exit")
// Wait until session.start, session.leave, and session.end events have arrived.
getSessions := func(site auth.ClientI) ([]events.EventFields, error) {
tickCh := time.Tick(500 * time.Millisecond)
stopCh := time.After(10 * time.Second)
for {
select {
case <-tickCh:
// Get all session events from the backend.
Remove duplicate imports (#24736)
2023-04-18 19:08:26 +00:00
sessionEvents, err := site.GetSessionEvents(defaults.Namespace, session.ID(tracker.GetSessionID()), 0)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
if err != nil {
return nil, trace.Wrap(err)
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Look through all session events for the three wanted.
var hasStart bool
var hasEnd bool
var hasLeave bool
for _, se := range sessionEvents {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
var isAuditEvent bool
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
if se.GetType() == events.SessionStartEvent {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
isAuditEvent = true
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
hasStart = true
}
if se.GetType() == events.SessionEndEvent {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
isAuditEvent = true
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
hasEnd = true
}
if se.GetType() == events.SessionLeaveEvent {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
isAuditEvent = true
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
hasLeave = true
}
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
// ensure session events are also in audit log
if !isAuditEvent {
continue
}
auditEvents, _, err := site.SearchEvents(ctx, events.SearchEventsRequest{
To: time.Now(),
EventTypes: []string{se.GetType()},
})
require.NoError(t, err)
found := slices.ContainsFunc(auditEvents, func(ae apievents.AuditEvent) bool {
return ae.GetID() == se.GetID()
})
require.True(t, found)
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Make sure all three events were found.
if hasStart && hasEnd && hasLeave {
return sessionEvents, nil
}
case <-stopCh:
return nil, trace.BadParameter("unable to find all session events after 10s (mode=%v)", tt.inRecordLocation)
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
}
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
history, err := getSessions(site)
require.NoError(t, err)
getChunk := func(e events.EventFields, maxlen int) string {
offset := e.GetInt("offset")
length := e.GetInt("bytes")
if length == 0 {
return ""
}
if length > maxlen {
length = maxlen
}
return string(sessionStream[offset : offset+length])
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Replaced weg sockets with HTTP POST/GET chunks
2016-05-06 06:51:56 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
findByType := func(et string) events.EventFields {
for _, e := range history {
if e.GetType() == et {
return e
}
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return nil
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Replaced weg sockets with HTTP POST/GET chunks
2016-05-06 06:51:56 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// there should always be 'session.start' event (and it must be first)
first := history[0]
start := findByType(events.SessionStartEvent)
require.Equal(t, first, start)
require.Equal(t, 0, start.GetInt("bytes"))
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
require.Equal(t, sessionID, start.GetString(events.SessionEventID))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotEmpty(t, start.GetString(events.TerminalSize))
// make sure data is recorded properly
out := &bytes.Buffer{}
for _, e := range history {
out.WriteString(getChunk(e, 1000))
}
recorded := replaceNewlines(out.String())
require.Regexp(t, ".*exit.*", recorded)
require.Regexp(t, ".*echo hi.*", recorded)
// there should always be 'session.end' event
end := findByType(events.SessionEndEvent)
require.NotNil(t, end)
require.Equal(t, 0, end.GetInt("bytes"))
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
require.Equal(t, sessionID, end.GetString(events.SessionEventID))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// there should always be 'session.leave' event
leave := findByType(events.SessionLeaveEvent)
require.NotNil(t, leave)
require.Equal(t, 0, leave.GetInt("bytes"))
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
require.Equal(t, sessionID, leave.GetString(events.SessionEventID))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Emit the correct session ID for SessionLeave events Fixes #9574
2021-12-27 20:58:01 +00:00
// all of them should have a proper time
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
for _, e := range history {
require.False(t, e.GetTime("time").IsZero())
}
})
Integration test for audit log
2016-05-04 23:49:59 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testInteroperability checks if Teleport and OpenSSH behave in the same way
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
// when executing commands.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testInteroperability(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tempdir := t.TempDir()
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
tempfile := filepath.Join(tempdir, "file.txt")
// create new teleport server that will be used by all tests
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
inCommand string
inStdin string
outContains string
outFile bool
}{
// 0 - echo "1\n2\n" | ssh localhost "cat -"
// this command can be used to copy files by piping stdout to stdin over ssh.
{
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
inCommand: "cat -",
inStdin: "1\n2\n",
outContains: "1\n2\n",
outFile: false,
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
},
// 1 - ssh -tt locahost '/bin/sh -c "mkdir -p /tmp && echo a > /tmp/file.txt"'
// programs like ansible execute commands like this
{
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
inCommand: fmt.Sprintf(`/bin/sh -c "mkdir -p /tmp && echo a > %v"`, tempfile),
inStdin: "",
outContains: "a",
outFile: true,
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
},
// 2 - ssh localhost tty
// should print "not a tty"
{
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
inCommand: "tty",
inStdin: "",
outContains: "not a tty",
outFile: false,
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
},
}
integration: name our subtests Stop using t.Run("", ..), as it makes it impossible to tell which subtest failed.
2021-11-01 22:00:16 +00:00
for i, tt := range tests {
t.Run(fmt.Sprintf("Test %d: %s", i, strings.Fields(tt.inCommand)[0]), func(t *testing.T) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// create new teleport client
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
// hook up stdin and stdout to a buffer for reading and writing
inbuf := bytes.NewReader([]byte(tt.inStdin))
outbuf := utils.NewSyncBuffer()
cl.Stdin = inbuf
cl.Stdout = outbuf
cl.Stderr = outbuf
// run command and wait a maximum of 10 seconds for it to complete
sessionEndC := make(chan interface{})
go func() {
// don't check for err, because sometimes this process should fail
// with an error and that's what the test is checking for.
cl.SSH(context.TODO(), []string{tt.inCommand}, false)
sessionEndC <- true
}()
err = waitFor(sessionEndC, time.Second*10)
require.NoError(t, err)
// if we are looking for the output in a file, look in the file
// otherwise check stdout and stderr for the expected output
if tt.outFile {
Remove uses of deprecated ioutil package
2022-03-14 23:59:28 +00:00
bytes, err := os.ReadFile(tempfile)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Contains(t, string(bytes), tt.outContains)
} else {
require.Contains(t, outbuf.String(), tt.outContains)
}
})
}
}
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// newUnstartedTeleport helper returns a created but not started Teleport instance pre-configured
// with the current user os.user.Current().
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func (s *integrationTestSuite) newUnstartedTeleport(t *testing.T, logins []string, enableSSH bool) *helpers.TeleInstance {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
teleport := s.NewTeleportInstance(t)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// use passed logins, but use suite's default login if nothing was passed
if len(logins) == 0 {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
logins = []string{s.Me.Username}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
for _, login := range logins {
teleport.AddUser(login, []string{login})
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, teleport.Create(t, nil, enableSSH, nil))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return teleport
}
// newTeleport helper returns a running Teleport instance pre-configured
// with the current user os.user.Current().
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func (s *integrationTestSuite) newTeleport(t *testing.T, logins []string, enableSSH bool) *helpers.TeleInstance {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport := s.newUnstartedTeleport(t, logins, enableSSH)
require.NoError(t, teleport.Start())
return teleport
}
// newTeleportIoT helper returns a running Teleport instance with Host as a
// reversetunnel node.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func (s *integrationTestSuite) newTeleportIoT(t *testing.T, logins []string) *helpers.TeleInstance {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create a Teleport instance with Auth/Proxy.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
mainConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := s.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = false
return tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := s.NewTeleportWithConfig(t, logins, nil, mainConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create a Teleport instance with a Node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := s.defaultServiceConfig()
tconf.Hostname = Host
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
tconf.SetToken("token")
Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)
2022-09-28 15:30:15 +00:00
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: main.Web,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
return tconf
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
_, err := main.StartReverseTunnelNode(nodeConfig())
require.NoError(t, err)
return main
}
func replaceNewlines(in string) string {
return regexp.MustCompile(`\r?\n`).ReplaceAllString(in, `\n`)
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
}
test uuid based routing
2020-03-03 23:27:49 +00:00
// TestUUIDBasedProxy verifies that attempts to proxy to nodes using ambiguous
// hostnames fails with the correct error, and that proxying by UUID succeeds.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) {
gRPC conversions - Nodes (#6535)
2021-04-29 01:27:12 +00:00
ctx := context.Background()
test uuid based routing
2020-03-03 23:27:49 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleportSvr := suite.newTeleport(t, nil, true)
defer teleportSvr.StopAll()
test uuid based routing
2020-03-03 23:27:49 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleportSvr.GetSiteAPI(helpers.Site)
test uuid based routing
2020-03-03 23:27:49 +00:00
// addNode adds a node to the teleport instance, returning its uuid.
// All nodes added this way have the same hostname.
addNode := func() (string, error) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
test uuid based routing
2020-03-03 23:27:49 +00:00
tconf.Hostname = Host
tconf.SSH.Enabled = true
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
tconf.SSH.Addr.Addr = helpers.NewListenerOn(t, teleportSvr.Hostname, service.ListenerNodeSSH, &tconf.FileDescriptors)
test uuid based routing
2020-03-03 23:27:49 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
node, err := teleportSvr.StartNode(tconf)
test uuid based routing
2020-03-03 23:27:49 +00:00
if err != nil {
return "", trace.Wrap(err)
}
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
ident, err := node.GetIdentity(types.RoleNode)
test uuid based routing
2020-03-03 23:27:49 +00:00
if err != nil {
return "", trace.Wrap(err)
}
inventory control stream & certs
2022-06-01 00:37:31 +00:00
return ident.ID.HostID(), nil
test uuid based routing
2020-03-03 23:27:49 +00:00
}
// add two nodes with the same hostname.
uuid1, err := addNode()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
test uuid based routing
2020-03-03 23:27:49 +00:00
uuid2, err := addNode()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
test uuid based routing
2020-03-03 23:27:49 +00:00
// wait up to 10 seconds for supplied node names to show up.
waitForNodes := func(site auth.ClientI, nodes ...string) error {
tickCh := time.Tick(500 * time.Millisecond)
stopCh := time.After(10 * time.Second)
Outer:
for _, nodeName := range nodes {
for {
select {
case <-tickCh:
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
nodesInSite, err := site.GetNodes(ctx, defaults.Namespace)
test uuid based routing
2020-03-03 23:27:49 +00:00
if err != nil && !trace.IsNotFound(err) {
return trace.Wrap(err)
}
for _, node := range nodesInSite {
if node.GetName() == nodeName {
continue Outer
}
}
case <-stopCh:
return trace.BadParameter("waited 10s, did find node %s", nodeName)
}
}
}
return nil
}
err = waitForNodes(site, uuid1, uuid2)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
test uuid based routing
2020-03-03 23:27:49 +00:00
// attempting to run a command by hostname should generate NodeIsAmbiguous error.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
_, err = runCommand(t, teleportSvr, []string{"echo", "Hello there!"}, helpers.ClientConfig{Login: suite.Me.Username, Cluster: helpers.Site, Host: Host}, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err)
test uuid based routing
2020-03-03 23:27:49 +00:00
if !strings.Contains(err.Error(), teleport.NodeIsAmbiguous) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.FailNowf(t, "Expected %s, got %s", teleport.NodeIsAmbiguous, err.Error())
test uuid based routing
2020-03-03 23:27:49 +00:00
}
// attempting to run a command by uuid should succeed.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
_, err = runCommand(t, teleportSvr, []string{"echo", "Hello there!"}, helpers.ClientConfig{Login: suite.Me.Username, Cluster: helpers.Site, Host: uuid1}, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
test uuid based routing
2020-03-03 23:27:49 +00:00
}
Moderated Sessions improvements (#10991)
2022-03-10 23:04:12 +00:00
// testSSHTracker verifies that an SSH session creates a tracker for sessions.
func testSSHTracker(t *testing.T, suite *integrationTestSuite) {
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
Moderated Sessions improvements (#10991)
2022-03-10 23:04:12 +00:00
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleport.GetSiteAPI(helpers.Site)
Moderated Sessions improvements (#10991)
2022-03-10 23:04:12 +00:00
require.NotNil(t, site)
personA := NewTerminal(250)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Moderated Sessions improvements (#10991)
2022-03-10 23:04:12 +00:00
Host: Host,
})
require.NoError(t, err)
cl.Stdout = personA
cl.Stdin = personA
personA.Type("\aecho hi\n\r")
go cl.SSH(ctx, []string{}, false)
condition := func() bool {
// verify that the tracker was created
trackers, err := site.GetActiveSessionTrackers(ctx)
require.NoError(t, err)
return len(trackers) == 1
}
// wait for the tracker to be created
require.Eventually(t, condition, time.Minute, time.Millisecond*100)
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testInteractive covers SSH into shell and joining the same session from another client
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// against a standard teleport node.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testInteractiveRegular(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
Intermediate commit
2016-04-13 01:44:09 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
verifySessionJoin(t, suite.Me.Username, teleport)
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
}
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
// TestInteractiveReverseTunnel covers SSH into shell and joining the same session from another client
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// against a reversetunnel node.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testInteractiveReverseTunnel(t *testing.T, suite *integrationTestSuite) {
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// InsecureDevMode needed for IoT node handshake
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport := suite.newTeleportIoT(t, nil)
defer teleport.StopAll()
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
verifySessionJoin(t, suite.Me.Username, teleport)
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
}
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
func testSessionRecordingModes(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Mode: types.RecordAtNode,
})
require.NoError(t, err)
// Enable session recording on node.
cfg := suite.defaultServiceConfig()
cfg.Auth.Enabled = true
cfg.Auth.SessionRecordingConfig = recConfig
cfg.Proxy.DisableWebService = true
cfg.Proxy.DisableWebInterface = true
cfg.Proxy.Enabled = true
cfg.SSH.Enabled = true
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(t, nil, nil, cfg)
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
defer teleport.StopAll()
// startSession starts an interactive session, users must terminate the
// session by typing "exit" in the terminal.
startSession := func(username string) (*Terminal, chan error) {
term := NewTerminal(250)
errCh := make(chan error)
go func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
Login: username,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Cluster: helpers.Site,
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
Host: Host,
})
if err != nil {
errCh <- trace.Wrap(err)
return
}
cl.Stdout = term
cl.Stdin = term
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
errCh <- cl.SSH(ctx, []string{}, false)
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
}()
return term, errCh
}
Use `waitForError` instead of `require.Eventually` in SessionRecordingModes integration tests (#15212)
2022-08-04 20:51:34 +00:00
// waitSessionTermination wait until the errCh returns something and assert
// it with the provided function.
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
waitSessionTermination := func(t *testing.T, errCh chan error, errorAssertion require.ErrorAssertionFunc) {
Use `waitForError` instead of `require.Eventually` in SessionRecordingModes integration tests (#15212)
2022-08-04 20:51:34 +00:00
errorAssertion(t, waitForError(errCh, 10*time.Second))
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
}
// enableDiskFailure changes the OpenFileFunc on filesession package. The
// replace function will always return an error when called.
enableDiskFailure := func() {
filesessions.SetOpenFileFunc(func(path string, _ int, _ os.FileMode) (*os.File, error) {
return nil, fmt.Errorf("failed to open file %q", path)
})
}
// disableDiskFailure restore the OpenFileFunc.
disableDiskFailure := func() {
filesessions.SetOpenFileFunc(os.OpenFile)
}
for name, test := range map[string]struct {
recordingMode constants.SessionRecordingMode
expectSessionFailure bool
}{
"BestEffortMode": {
recordingMode: constants.SessionRecordingModeBestEffort,
expectSessionFailure: false,
},
"StrictMode": {
recordingMode: constants.SessionRecordingModeStrict,
expectSessionFailure: true,
},
} {
t.Run(name, func(t *testing.T) {
// Setup user and session recording mode.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole("devs", types.RoleSpecV6{
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
},
Options: types.RoleOptions{
RecordSession: &types.RecordSession{
SSH: test.recordingMode,
},
},
})
require.NoError(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
require.NoError(t, helpers.SetupUser(teleport.Process, username, []types.Role{role}))
SSH Session recording modes (#12916)
2022-06-06 20:29:35 +00:00
t.Run("BeforeStartFailure", func(t *testing.T) {
// Enable disk failure.
enableDiskFailure()
defer disableDiskFailure()
// Start session.
term, errCh := startSession(username)
if test.expectSessionFailure {
waitSessionTermination(t, errCh, require.Error)
return
}
// Send stuff to the session.
term.Type("echo Hello\n\r")
// Guarantee the session hasn't stopped after typing.
select {
case <-errCh:
require.Fail(t, "session was closed before")
default:
}
// Wait for the session to terminate without error.
term.Type("exit\n\r")
waitSessionTermination(t, errCh, require.NoError)
})
t.Run("MidSessionFailure", func(t *testing.T) {
// Start session.
term, errCh := startSession(username)
// Guarantee the session started properly.
select {
case <-errCh:
require.Fail(t, "session was closed before")
default:
}
// Enable disk failure
enableDiskFailure()
defer disableDiskFailure()
// Send stuff to the session.
term.Type("echo Hello\n\r")
// Expect the session to fail
if test.expectSessionFailure {
waitSessionTermination(t, errCh, require.Error)
return
}
// Wait for the session to terminate without error.
term.Type("exit\n\r")
waitSessionTermination(t, errCh, require.NoError)
})
})
}
}
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
func testLeafProxySessionRecording(t *testing.T, suite *integrationTestSuite) {
tests := []struct {
rootRecordingMode string
leafRecordingMode string
rootHasSess bool
}{
{
rootRecordingMode: types.RecordAtNode,
leafRecordingMode: types.RecordAtProxy,
rootHasSess: true,
},
{
rootRecordingMode: types.RecordAtProxy,
leafRecordingMode: types.RecordAtNode,
rootHasSess: true,
},
{
rootRecordingMode: types.RecordAtNode,
leafRecordingMode: types.RecordAtNode,
rootHasSess: false,
},
{
rootRecordingMode: types.RecordAtProxy,
leafRecordingMode: types.RecordAtProxy,
rootHasSess: true,
},
}
for _, tt := range tests {
t.Run(fmt.Sprintf("root rec mode=%q leaf rec mode=%q",
tt.rootRecordingMode,
tt.leafRecordingMode,
), func(t *testing.T) {
// Create and start clusters
_, root, leaf := createTrustedClusterPair(t, suite, nil, func(cfg *servicecfg.Config, isRoot bool) {
auditConfig, err := types.NewClusterAuditConfig(types.ClusterAuditConfigSpecV2{
AuditSessionsURI: t.TempDir(),
})
require.NoError(t, err)
recMode := tt.leafRecordingMode
if isRoot {
recMode = tt.rootRecordingMode
}
recCfg, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Mode: recMode,
})
require.NoError(t, err)
cfg.Auth.Enabled = true
cfg.Auth.AuditConfig = auditConfig
cfg.Auth.SessionRecordingConfig = recCfg
cfg.Proxy.Enabled = true
cfg.SSH.Enabled = true
})
authSrv := root.Process.GetAuthServer()
uploadChan := root.UploadEventsC
if !tt.rootHasSess {
authSrv = leaf.Process.GetAuthServer()
uploadChan = leaf.UploadEventsC
}
tc, err := root.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: "leaf-test",
Host: "leaf-zero:0",
})
require.NoError(t, err)
ctx := context.Background()
clt, err := tc.ConnectToCluster(ctx)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, clt.Close())
})
// Create an interactive SSH session to start session recording
term := NewTerminal(250)
errCh := make(chan error)
tc.Stdout = term
tc.Stdin = term
go func() {
nodeClient, err := tc.ConnectToNode(
ctx,
clt,
client.NodeDetails{Addr: "leaf-zero:0", Namespace: tc.Namespace, Cluster: clt.ClusterName()},
tc.Config.HostLogin,
)
assert.NoError(t, err)
errCh <- nodeClient.RunInteractiveShell(ctx, types.SessionPeerMode, nil, nil)
assert.NoError(t, nodeClient.Close())
}()
var sessionID string
require.EventuallyWithT(t, func(c *assert.CollectT) {
trackers, err := authSrv.GetActiveSessionTrackers(ctx)
if !assert.NoError(c, err) {
return
}
if !assert.Len(c, trackers, 1) {
return
}
sessionID = trackers[0].GetSessionID()
}, time.Second*5, time.Millisecond*100)
// Send stuff to the session.
term.Type("echo Hello\n\r")
// Guarantee the session hasn't stopped after typing.
select {
case <-errCh:
require.Fail(t, "session was closed before")
default:
}
// Wait for the session to terminate without error.
term.Type("exit\n\r")
require.NoError(t, waitForError(errCh, 5*time.Second))
// Wait for the session recording to be uploaded and available
var uploaded bool
timeoutC := time.After(10 * time.Second)
for !uploaded {
select {
case event := <-uploadChan:
if event.SessionID == sessionID {
uploaded = true
}
case <-timeoutC:
require.Fail(t, "timeout waiting for session recording to be uploaded")
}
}
require.EventuallyWithT(t, func(t *assert.CollectT) {
events, err := authSrv.GetSessionEvents(defaults.Namespace, session.ID(sessionID), 0)
assert.NoError(t, err)
assert.NotEmpty(t, events)
}, 5*time.Second, 200*time.Millisecond)
})
}
}
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
// TestCustomReverseTunnel tests that the SSH node falls back to configured
// proxy address if it cannot connect via the proxy address from the reverse
// tunnel discovery query.
// See https://github.com/gravitational/teleport/issues/4141 for context.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testCustomReverseTunnel(t *testing.T, suite *integrationTestSuite) {
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// InsecureDevMode needed for IoT node handshake
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
failingListener, err := net.Listen("tcp", "localhost:0")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
failingAddr := failingListener.Addr().String()
failingListener.Close()
// Create a Teleport instance with Auth/Proxy.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
conf := suite.defaultServiceConfig()
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
conf.Auth.Enabled = true
conf.Proxy.Enabled = true
conf.Proxy.DisableWebService = false
conf.Proxy.DisableWebInterface = true
conf.Proxy.DisableDatabaseProxy = true
conf.Proxy.TunnelPublicAddrs = []utils.NetAddr{
{
// Connect on the address that refuses connection on purpose
// to test address fallback behavior
Addr: failingAddr,
AddrNetwork: "tcp",
},
}
conf.SSH.Enabled = false
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
instanceConfig := suite.DefaultInstanceConfig(t)
instanceConfig.Listeners = helpers.WebReverseTunnelMuxPortSetup(t, &instanceConfig.Fds)
main := helpers.NewInstance(t, instanceConfig)
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, main.CreateEx(t, nil, conf))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
defer main.StopAll()
// Create a Teleport instance with a Node.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
nodeConf := suite.defaultServiceConfig()
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
nodeConf.Hostname = Host
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
nodeConf.SetToken("token")
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
nodeConf.Auth.Enabled = false
nodeConf.Proxy.Enabled = false
nodeConf.SSH.Enabled = true
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
t.Setenv(defaults.TunnelPublicAddrEnvar, main.Web)
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
// verify the node is able to join the cluster
_, err = main.StartReverseTunnelNode(nodeConf)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Implement alternative reverse tunnel address support and add a test case. (#6056)
2021-04-15 19:11:48 +00:00
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// testEscapeSequenceTriggers asserts that both escape handling works, and that
// it can be reliably switched off via config.
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
func testEscapeSequenceTriggers(t *testing.T, suite *integrationTestSuite) {
type testCase struct {
name string
f func(t *testing.T, terminal *Terminal, sess <-chan error)
enableEscapeSequences bool
}
testCases := []testCase{
{
name: "yes",
f: testEscapeSequenceYesTrigger,
enableEscapeSequences: true,
},
{
name: "no",
f: testEscapeSequenceNoTrigger,
enableEscapeSequences: false,
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
site := teleport.GetSiteAPI(helpers.Site)
require.NotNil(t, site)
terminal := NewTerminal(250)
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
EnableEscapeSequences: testCase.enableEscapeSequences,
})
require.NoError(t, err)
cl.Stdout = terminal
cl.Stdin = terminal
sess := make(chan error)
go func() {
sess <- cl.SSH(ctx, []string{}, false)
}()
require.Eventually(t, func() bool {
trackers, err := site.GetActiveSessionTrackers(ctx)
require.NoError(t, err)
return len(trackers) == 1
}, time.Second*15, time.Millisecond*100)
select {
case err := <-sess:
require.FailNow(t, "session should not have ended", err)
default:
}
testCase.f(t, terminal, sess)
})
}
}
func testEscapeSequenceYesTrigger(t *testing.T, terminal *Terminal, sess <-chan error) {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// Given a running terminal connected to a remote shell via an active
// Teleport SSH session, where Teleport has escape sequence processing
// ENABLED...
// When I enter some text containing the SSH disconnect escape string
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
terminal.Type("\a~.\n\r")
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// Expect that the session will terminate shortly and without error
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
select {
case err := <-sess:
require.NoError(t, err)
case <-time.After(time.Second * 15):
require.FailNow(t, "session should have ended")
}
}
func testEscapeSequenceNoTrigger(t *testing.T, terminal *Terminal, sess <-chan error) {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// Given a running terminal connected to a remote shell via an active
// Teleport SSH session, where Teleport has escape sequence processing
// DISABLED...
// When I enter some text containing SSH escape string, followed by some
// arbitrary text....
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
terminal.Type("\a~.\n\r")
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
terminal.Type("\aecho made it to here!\n\r")
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// Expect that the session will NOT be disconnected by the escape sequence,
// and so the arbitrary text will eventually end up in the terminal buffer.
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
require.Eventually(t, func() bool {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
select {
case err := <-sess:
require.FailNow(t, "Session ended unexpectedly with %v", err)
return false
default:
// if the session didn't end, we should see the output of the last write
return strings.Contains(terminal.AllOutput(), "made it to here!")
}
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
}, time.Second*15, time.Millisecond*100)
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// When I issue an explicit `exit` command to clean up the remote shell
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
terminal.Type("\aexit 0\n\r")
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// Expect that the session will terminate shortly and without error
Honor --no-enable-escape-sequences in tsh (#13507)
2022-07-13 11:48:21 +00:00
select {
case err := <-sess:
require.NoError(t, err)
case <-time.After(time.Second * 15):
require.FailNow(t, "session should have ended")
}
}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
type localAddr struct {
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
addr atomic.Pointer[net.Addr]
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
}
func (a *localAddr) set(addr net.Addr) {
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
a.addr.CompareAndSwap(nil, &addr)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
}
func (a *localAddr) get() net.Addr {
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
addr := a.addr.Load()
if addr != nil {
return *addr
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
}
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
return &utils.NetAddr{}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
// testIPPropagation makes sure that we can correctly propagate initial client IP observed by proxy.
func testIPPropagation(t *testing.T, suite *integrationTestSuite) {
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
startNodes := func(t *testing.T, root, leaf *helpers.TeleInstance) {
rootNodes := []string{"root-one", "root-two"}
leafNodes := []string{"leaf-one", "leaf-two"}
var wg sync.WaitGroup
var nodesLock sync.Mutex
startNode := func(name string, i *helpers.TeleInstance) {
defer wg.Done()
conf := suite.defaultServiceConfig()
conf.Auth.Enabled = false
conf.Proxy.Enabled = false
conf.DataDir = t.TempDir()
conf.SetToken("token")
conf.UploadEventsC = i.UploadEventsC
conf.SetAuthServerAddress(*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))))
conf.HostUUID = name
conf.Hostname = name
conf.SSH.Enabled = true
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
conf.CachePolicy = servicecfg.CachePolicy{
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
Enabled: true,
}
conf.SSH.Addr = utils.NetAddr{
Addr: helpers.NewListenerOn(t, Host, service.ListenerNodeSSH, &conf.FileDescriptors),
}
conf.Proxy.Enabled = false
conf.Apps.Enabled = false
conf.Databases.Enabled = false
process, err := service.NewTeleport(conf)
require.NoError(t, err)
nodesLock.Lock()
i.Nodes = append(i.Nodes, process)
nodesLock.Unlock()
expectedEvents := []string{
service.NodeSSHReady,
service.TeleportReadyEvent,
}
receivedEvents, err := helpers.StartAndWait(process, expectedEvents)
require.NoError(t, err)
log.Debugf("Node (in instance %v) started: %v/%v events received.",
i.Secrets.SiteName, len(expectedEvents), len(receivedEvents))
}
wg.Add(len(rootNodes) + len(leafNodes))
for _, node := range rootNodes {
go startNode(node, root)
}
for _, node := range leafNodes {
go startNode(node, leaf)
}
wg.Wait()
}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
testSSHNodeConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName, nodeName string) {
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
person := NewTerminal(250)
ctx := context.Background()
tc, err := instance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: clusterName,
Host: nodeName,
})
require.NoError(t, err)
tc.Stdout = person
tc.Stdin = person
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
clt, err := tc.ConnectToProxy(ctx)
require.NoError(t, err)
defer clt.Close()
nodeClient, err := clt.ConnectToNode(
ctx,
client.NodeDetails{Addr: nodeName, Namespace: tc.Namespace, Cluster: tc.SiteName},
tc.Config.HostLogin,
sshutils.ClusterDetails{},
)
require.NoError(t, err)
defer nodeClient.Close()
err = nodeClient.RunCommand(ctx, []string{"echo $SSH_CLIENT"})
require.NoError(t, err)
require.Eventually(t, func() bool {
return getRemoteAddrString(person.Output(1000)) == clt.Client.LocalAddr().String()
}, time.Millisecond*100, time.Millisecond*10, "client IP:port that node sees doesn't match to real one")
}
testGRPCNodeConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName, nodeName string) {
person := NewTerminal(250)
ctx := context.Background()
tc, err := instance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: clusterName,
Host: nodeName,
})
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
tc.Stdout = person
tc.Stdin = person
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
local := localAddr{}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
tc.Config.DialOpts = []grpc.DialOption{
grpc.WithContextDialer(func(ctx context.Context, s string) (net.Conn, error) {
d := net.Dialer{Timeout: defaults.DefaultIOTimeout}
conn, err := d.DialContext(ctx, "tcp", s)
if err != nil {
return nil, trace.Wrap(err)
}
local.set(conn.LocalAddr())
return conn, nil
}),
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
clt, err := tc.ConnectToCluster(ctx)
require.NoError(t, err)
defer clt.Close()
nodeClient, err := tc.ConnectToNode(
ctx,
clt,
client.NodeDetails{Addr: nodeName, Namespace: tc.Namespace, Cluster: clt.ClusterName()},
tc.Config.HostLogin,
)
require.NoError(t, err)
defer nodeClient.Close()
err = nodeClient.RunCommand(ctx, []string{"echo $SSH_CLIENT"})
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, err)
require.Eventually(t, func() bool {
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
return getRemoteAddrString(person.Output(1000)) == local.get().String()
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
}, time.Millisecond*100, time.Millisecond*10, "client IP:port that node sees doesn't match to real one")
}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
testGRPCAuthConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName string) {
ctx := context.Background()
tc, err := instance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: clusterName,
Host: Host,
})
require.NoError(t, err)
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
local := localAddr{}
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
tc.Config.DialOpts = []grpc.DialOption{
grpc.WithContextDialer(func(ctx context.Context, s string) (net.Conn, error) {
d := net.Dialer{Timeout: defaults.DefaultIOTimeout}
conn, err := d.DialContext(ctx, "tcp", s)
if err != nil {
return nil, trace.Wrap(err)
}
local.set(conn.LocalAddr())
return conn, nil
}),
}
clt, err := tc.ConnectToCluster(ctx)
require.NoError(t, err)
defer clt.Close()
pingResp, err := clt.AuthClient.Ping(ctx)
require.NoError(t, err)
require.Equal(t, local.get().String(), pingResp.RemoteAddr, "client IP:port that auth server sees doesn't match the real one")
}
testSSHAuthConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName string) {
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
ctx := context.Background()
tc, err := instance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: clusterName,
Host: Host,
})
require.NoError(t, err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
clt, err := tc.ConnectToProxy(ctx)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
defer clt.Close()
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
site, err := clt.ConnectToCluster(ctx, clusterName)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, err)
pingResp, err := site.Ping(ctx)
require.NoError(t, err)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
expected := clt.Client.LocalAddr().String()
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.Equal(t, expected, pingResp.RemoteAddr, "client IP:port that auth server sees doesn't match the real one")
}
_, root, leaf := createTrustedClusterPair(t, suite, startNodes)
testAuthCases := []struct {
instance *helpers.TeleInstance
clusterName string
}{
{instance: root, clusterName: "root-test"},
{instance: root, clusterName: "leaf-test"},
{instance: leaf, clusterName: "leaf-test"},
}
testNodeCases := []struct {
instance *helpers.TeleInstance
clusterName string
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
nodeAddr string
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
}{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
{instance: root, clusterName: "root-test", nodeAddr: "root-zero:0"},
{instance: root, clusterName: "root-test", nodeAddr: "root-one:0"},
{instance: root, clusterName: "root-test", nodeAddr: "root-two:0"},
{instance: root, clusterName: "leaf-test", nodeAddr: "leaf-zero:0"},
{instance: root, clusterName: "leaf-test", nodeAddr: "leaf-one:0"},
{instance: root, clusterName: "leaf-test", nodeAddr: "leaf-two:0"},
{instance: leaf, clusterName: "leaf-test", nodeAddr: "leaf-zero:0"},
{instance: leaf, clusterName: "leaf-test", nodeAddr: "leaf-one:0"},
{instance: leaf, clusterName: "leaf-test", nodeAddr: "leaf-two:0"},
}
t.Run("Auth Connections", func(t *testing.T) {
for _, test := range testAuthCases {
t.Run(fmt.Sprintf("source cluster=%q target cluster=%q",
test.instance.Secrets.SiteName, test.clusterName), func(t *testing.T) {
t.Run("ssh connection", func(t *testing.T) {
testSSHAuthConnection(t, test.instance, test.clusterName)
})
t.Run("grpc connection", func(t *testing.T) {
testGRPCAuthConnection(t, test.instance, test.clusterName)
})
})
}
})
t.Run("Host Connections", func(t *testing.T) {
for _, test := range testNodeCases {
test := test
t.Run(fmt.Sprintf("target=%q source cluster=%q target cluster=%q",
test.nodeAddr, test.instance.Secrets.SiteName, test.clusterName), func(t *testing.T) {
t.Run("ssh connection", func(t *testing.T) {
testSSHNodeConnection(t, test.instance, test.clusterName, test.nodeAddr)
})
t.Run("grpc connection", func(t *testing.T) {
testGRPCNodeConnection(t, test.instance, test.clusterName, test.nodeAddr)
})
})
}
})
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
}
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// verifySessionJoin covers SSH into shell and joining the same session from another client
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func verifySessionJoin(t *testing.T, username string, teleport *helpers.TeleInstance) {
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
// get a reference to site obj:
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleport.GetSiteAPI(helpers.Site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotNil(t, site)
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
personA := NewTerminal(250)
personB := NewTerminal(250)
Integration test for audit log
2016-05-04 23:49:59 +00:00
// PersonA: SSH into the server, wait one second, then type some commands on stdin:
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
sessionA := make(chan error)
Integration test for audit log
2016-05-04 23:49:59 +00:00
openSession := func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Login: username,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Cluster: helpers.Site,
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Host: Host,
})
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
if err != nil {
sessionA <- trace.Wrap(err)
return
}
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
cl.Stdout = personA
cl.Stdin = personA
Integration test for audit log
2016-05-04 23:49:59 +00:00
// Person A types something into the terminal (including "exit")
personA.Type("\aecho hi\n\r\aexit\n\r\a")
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
sessionA <- cl.SSH(context.TODO(), []string{}, false)
Integration test for audit log
2016-05-04 23:49:59 +00:00
}
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
// PersonB: wait for a session to become available, then join:
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
sessionB := make(chan error)
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
joinSession := func() {
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
sessionTimeoutCtx, sessionTimeoutCancel := context.WithTimeout(context.Background(), 10*time.Second)
defer sessionTimeoutCancel()
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
sessions, err := waitForSessionToBeEstablished(sessionTimeoutCtx, defaults.Namespace, site)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
if err != nil {
sessionB <- trace.Wrap(err)
return
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
}
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
sessionID := sessions[0].GetSessionID()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Login: username,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Cluster: helpers.Site,
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Host: Host,
})
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
if err != nil {
sessionB <- trace.Wrap(err)
return
}
timeoutCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
ticker := time.NewTicker(100 * time.Millisecond)
defer ticker.Stop()
for {
select {
case <-timeoutCtx.Done():
sessionB <- timeoutCtx.Err()
return
case <-ticker.C:
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
err := cl.Join(context.TODO(), types.SessionPeerMode, defaults.Namespace, session.ID(sessionID), personB)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
if err == nil {
sessionB <- nil
return
}
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
}
}
}
go openSession()
go joinSession()
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
// wait for the sessions to end
err := waitForError(sessionA, time.Second*10)
require.NoError(t, err)
err = waitForError(sessionB, time.Second*10)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
// make sure the output of B is mirrored in A
Remove unnecessary type conversions Caught by `unconvert` linter. No behavior changes here.
2020-05-06 17:13:05 +00:00
outputOfA := personA.Output(100)
outputOfB := personB.Output(100)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Contains(t, outputOfA, outputOfB)
Intermediate commit
2016-04-13 01:44:09 +00:00
}
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// TestShutdown tests scenario with a graceful shutdown,
// that session will be working after
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testShutdown(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
sshErr := make(chan error)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
tests := []struct {
name string
createSession func(t *testing.T, i *helpers.TeleInstance, term *Terminal, cfg helpers.ClientConfig)
}{
{
name: "cli sessions",
createSession: func(t *testing.T, i *helpers.TeleInstance, term *Terminal, cfg helpers.ClientConfig) {
tc, err := i.NewClient(cfg)
require.NoError(t, err)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
tc.Stdin = term
tc.Stdout = term
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
sshCtx, sshCancel := context.WithCancel(context.Background())
t.Cleanup(sshCancel)
go func() {
sshErr <- tc.SSH(sshCtx, nil, false)
sshCancel()
}()
},
},
{
name: "web sessions",
createSession: func(t *testing.T, i *helpers.TeleInstance, term *Terminal, cfg helpers.ClientConfig) {
wc, err := i.NewWebClient(cfg)
require.NoError(t, err)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
stream, err := wc.SSH(web.TerminalRequest{
Server: net.JoinHostPort(cfg.Host, strconv.Itoa(cfg.Port)),
Login: cfg.Login,
Term: session.TerminalParams{
W: 100,
H: 100,
},
})
require.NoError(t, err)
go func() {
err := utils.ProxyConn(context.Background(), term, stream)
sshErr <- err
}()
},
},
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
}
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
// Enable web service.
cfg := suite.defaultServiceConfig()
cfg.Auth.Enabled = true
cfg.Auth.Preference.SetSecondFactor("off")
cfg.Proxy.DisableWebService = false
cfg.Proxy.DisableWebInterface = true
cfg.Proxy.Enabled = true
cfg.SSH.Enabled = true
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
teleport := suite.NewTeleportWithConfig(t, []string{"test"}, nil, cfg)
Proxy restart fixes (#11802) * Remove unused backend wrapper from Cache * Remove double printShutdownStatus * Fix readyz race condition * Test coverage for the readyz.monitor fix * Close listeners immediately in proxy.shutdown * Use and handle net.ErrClosed correctly This adapts utils.IsUseOfClosedNetworkError to check for net.ErrClosed even inside trace.Aggregate errors, makes it so that we always return something that would pass errors.Is(err, net.ErrClosed) when returning from a (net.Listener).Accept(), and handles closed listeners within our various Serve() loops so that we don't hit spurious backoff waits while shutting down. * Close listeners early and emitters late * Test coverage for the proxy listener changes * Revert some errors back to trace.ConnectionProblem * Reduce PR scope to just the proxy, add comments * Improve error logging.
2022-05-06 16:12:11 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
password := uuid.NewString()
teleport.CreateWebUser(t, suite.Me.Username, password)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
// get a reference to site obj:
site := teleport.GetSiteAPI(helpers.Site)
require.NotNil(t, site)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
person := NewTerminal(250)
Proxy restart fixes (#11802) * Remove unused backend wrapper from Cache * Remove double printShutdownStatus * Fix readyz race condition * Test coverage for the readyz.monitor fix * Close listeners immediately in proxy.shutdown * Use and handle net.ErrClosed correctly This adapts utils.IsUseOfClosedNetworkError to check for net.ErrClosed even inside trace.Aggregate errors, makes it so that we always return something that would pass errors.Is(err, net.ErrClosed) when returning from a (net.Listener).Accept(), and handles closed listeners within our various Serve() loops so that we don't hit spurious backoff waits while shutting down. * Close listeners early and emitters late * Test coverage for the proxy listener changes * Revert some errors back to trace.ConnectionProblem * Reduce PR scope to just the proxy, add comments * Improve error logging.
2022-05-06 16:12:11 +00:00
Track active ssh sessions established via the web (#20231) * Track active ssh sessions established via the web Adds open session tracking in `web.Handler` and introduces a new `web.Server` to prevent closing the web `http.Server` during a graceful shutdown if there are still open sessions. From the `http.Server/Shutdown` docs: > Shutdown does not attempt to close nor wait for hijacked > connections such as WebSockets. The caller of Shutdown should > separately notify such long-lived connections of shutdown and wait > for them to close, if desired. Because the web sessions use WebSockets, `Shutdown` will not wait for them to be idle before terminating. This used to work due to the fact that web sessions dialed the Proxy SSH Port to establish the SSH session. Which meant that all accounting of active user connections by `sshutils/server.go` was accurate. But now that sessions are established directly via the `proxy.Router` the web sessions were unaccounted for. The `web.Server` now mimics the behavior of `sshutils/server.go` for Shutdown. Only once all the active web sessions have been terminated will the underlying http.Server be shutdown. Fixes #20227
2023-01-27 14:38:39 +00:00
test.createSession(t, teleport, person, helpers.ClientConfig{
Login: suite.Me.Username,
Password: password,
Cluster: helpers.Site,
Host: Loopback,
Port: helpers.Port(t, teleport.SSH),
})
person.Type("echo start \r\n")
require.Eventually(t, func() bool {
output := replaceNewlines(person.Output(1000))
matched, _ := regexp.MatchString(".*start.*", output)
return matched
}, 10*time.Second, 200*time.Millisecond)
// initiate shutdown
shutdownContext := teleport.Process.StartShutdown(context.Background())
require.Eventually(t, func() bool {
// TODO: check that we either get a connection that fully works or a connection refused error
c, err := net.DialTimeout("tcp", teleport.ReverseTunnel, 250*time.Millisecond)
if err != nil {
return utils.IsConnectionRefused(trace.Unwrap(err))
}
return c.Close() == nil
}, time.Second*5, time.Millisecond*500, "proxy should not accept new connections while shutting down")
// make sure that terminal still works
person.Type("echo howdy \r\n")
require.Eventually(t, func() bool {
output := replaceNewlines(person.Output(1000))
matched, _ := regexp.MatchString(".*howdy.*", output)
return matched
}, 10*time.Second, 200*time.Millisecond)
// now type exit and wait for shutdown to complete
person.Type("exit\n\r")
select {
case err := <-sshErr:
require.NoError(t, err)
case <-time.After(5 * time.Second):
require.FailNow(t, "failed to shutdown ssh session")
}
select {
case <-shutdownContext.Done():
case <-time.After(5 * time.Second):
require.FailNow(t, "Failed to shut down the server.")
}
})
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
}
}
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
// errorVerifier is a function type for functions that check that a given
// error is what was expected. Implementations are expected top return nil
// if the supplied error is as expected, or an descriptive error if is is
// not
type errorVerifier func(error) error
func errorContains(text string) errorVerifier {
return func(err error) error {
if err == nil || !strings.Contains(err.Error(), text) {
return fmt.Errorf("Expected error to contain %q, got: %v", text, err)
}
return nil
}
}
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
type disconnectTestCase struct {
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name string
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
recordingMode string
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
options types.RoleOptions
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
disconnectTimeout time.Duration
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
concurrentConns int
sessCtlTimeout time.Duration
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
postFunc func(context.Context, *testing.T, *helpers.TeleInstance)
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
// verifyError checks if `err` reflects the error expected by the test scenario.
// It returns nil if yes, non-nil otherwise.
// It is important for verifyError to not do assertions using `*testing.T`
// itself, as those assertions must run in the main test goroutine, but
// verifyError runs in a different goroutine.
verifyError errorVerifier
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
Respect client idle timeout setting (#27484) Client connections were never using the `srv.TrackingReadConn` created by the `srv.ConnectionMonitor` which caused all connections to appear idle and be disconnected whenever the client idle timeout was reached. `(srv.ConnectionMonitor) MonitorConn` now returns the provided connection which is wrapped in the tracking connection. Callers must ensure that the returned connection is used instead of the connection passed in to `MonitorConn`. Fixes #27392
2023-06-23 15:01:33 +00:00
// repeatingReader is an [io.ReadCloser] that produces the
// provided output at the configured interval until closed.
// For example, all calls to Read on the following reader will
// block for a minute and then return "hi" to the caller. Once
// Closed an `io.EOF` will be returned from Read
//
// r := repeatingReader{output: hi, interval:time.Minute}
// n, err := r.Read(out)
type repeatingReader struct {
output string
interval time.Duration
closed chan struct{}
}
func newRepeatingReader(output string, interval time.Duration) repeatingReader {
return repeatingReader{
interval: interval,
output: output,
closed: make(chan struct{}),
}
}
func (r repeatingReader) Read(p []byte) (int, error) {
if len(p) == 0 {
return 0, nil
}
select {
case <-time.After(r.interval):
case <-r.closed:
return 0, io.EOF
}
end := len(r.output)
if end > len(p) {
end = len(p)
}
n := copy(p, r.output[:end])
return n, nil
}
func (r repeatingReader) Close() error {
close(r.closed)
return nil
}
// testClientIdleConnection validates that if a user is active beyond
// the client idle timeout that the session is not terminated.
func testClientIdleConnection(t *testing.T, suite *integrationTestSuite) {
netConfig := types.DefaultClusterNetworkingConfig()
netConfig.SetClientIdleTimeout(time.Second)
tconf := servicecfg.MakeDefaultConfig()
tconf.SSH.Enabled = true
tconf.Log = utils.NewLoggerForTests()
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.Auth.NetworkingConfig = netConfig
tconf.CircuitBreakerConfig = breaker.NoopBreakerConfig()
tconf.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
instance := suite.NewTeleportWithConfig(t, nil, nil, tconf)
t.Cleanup(func() { require.NoError(t, instance.StopAll()) })
var output bytes.Buffer
// SSH into the server, and stay active for longer than
// the client idle timeout.
sessionErr := make(chan error)
openSession := func() {
cl, err := instance.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
})
if err != nil {
sessionErr <- trace.Wrap(err)
return
}
cl.Stdout = &output
// Execute a command 10x faster than the idle timeout to stay active.
reader := newRepeatingReader("echo txlxport | sed 's/x/e/g'\n", netConfig.GetClientIdleTimeout()/10)
defer func() { reader.Close() }()
cl.Stdin = reader
// Terminate the session after 3x the idle timeout
ctx, cancel := context.WithTimeout(context.Background(), netConfig.GetClientIdleTimeout()*3)
defer cancel()
sessionErr <- cl.SSH(ctx, nil, false)
}
go openSession()
// Wait for the sessions to end - we expect an error
// since we are canceling the context.
err := waitForError(sessionErr, time.Second*10)
require.Error(t, err)
// Ensure that the session was alive beyond the idle timeout by
// counting the number of times "teleport" was output. If the session
// was alive past the idle timeout then there should be at least 11 occurrences
// since the command is run at 1/10 the idle timeout.
require.NotEmpty(t, output)
count := strings.Count(output.String(), "teleport")
require.Greater(t, count, 10)
}
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
// TestDisconnectScenarios tests multiple scenarios with client disconnects
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
testCases := []disconnectTestCase{
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "client idle timeout node recoding",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtNode,
options: types.RoleOptions{
ClientIdleTimeout: types.NewDuration(500 * time.Millisecond),
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
},
disconnectTimeout: time.Second,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "client idle timeout proxy recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtProxy,
options: types.RoleOptions{
ForwardAgent: types.NewBool(true),
ClientIdleTimeout: types.NewDuration(500 * time.Millisecond),
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
},
disconnectTimeout: time.Second,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "expired cert node recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtNode,
options: types.RoleOptions{
DisconnectExpiredCert: types.NewBool(true),
MaxSessionTTL: types.NewDuration(2 * time.Second),
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
},
disconnectTimeout: 4 * time.Second,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "expired cert proxy recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtProxy,
options: types.RoleOptions{
ForwardAgent: types.NewBool(true),
DisconnectExpiredCert: types.NewBool(true),
MaxSessionTTL: types.NewDuration(2 * time.Second),
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
},
disconnectTimeout: 4 * time.Second,
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "concurrent connection limits exceeded node recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtNode,
options: types.RoleOptions{
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
MaxConnections: 1,
},
disconnectTimeout: 1 * time.Second,
concurrentConns: 2,
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
verifyError: errorContains("administratively prohibited"),
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "concurrent connection limits exceeded proxy recording",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtProxy,
options: types.RoleOptions{
ForwardAgent: types.NewBool(true),
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
MaxConnections: 1,
},
disconnectTimeout: 1 * time.Second,
concurrentConns: 2,
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
verifyError: errorContains("administratively prohibited"),
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
},
{
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
name: "verify that lost connections to auth server terminate controlled connections",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
recordingMode: types.RecordAtNode,
options: types.RoleOptions{
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
MaxConnections: 1,
},
disconnectTimeout: time.Second,
sessCtlTimeout: 500 * time.Millisecond,
// use postFunc to wait for the semaphore to be acquired and a session
// to be started, then shut down the auth server.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
postFunc: func(ctx context.Context, t *testing.T, teleport *helpers.TeleInstance) {
site := teleport.GetSiteAPI(helpers.Site)
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
var sems []types.Semaphore
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
var err error
for i := 0; i < 6; i++ {
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
sems, err = site.GetSemaphores(ctx, types.SemaphoreFilter{
SemaphoreKind: types.SemaphoreKindConnection,
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
})
if err == nil && len(sems) > 0 {
break
}
select {
case <-time.After(time.Millisecond * 100):
case <-ctx.Done():
return
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Len(t, sems, 1)
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
timeoutCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
defer cancel()
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
ss, err := waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Len(t, ss, 1)
require.Nil(t, teleport.StopAuth(false))
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
},
},
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228) * Convert tsh ssh to use the proxy transport service instead of ssh In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC. The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. * fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting
2023-04-04 21:31:39 +00:00
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
runDisconnectTest(t, suite, tc)
})
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func runDisconnectTest(t *testing.T, suite *integrationTestSuite, tc disconnectTestCase) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
teleport := suite.NewTeleportInstance(t)
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole("devs", types.RoleSpecV6{
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
Options: tc.options,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
teleport.AddUserWithRole(username, role)
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
Make ClusterNetworkingConfig resource dynamically configurable (#7013)
2021-06-04 17:42:50 +00:00
netConfig, err := types.NewClusterNetworkingConfigFromConfigFile(types.ClusterNetworkingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
SessionControlTimeout: types.Duration(tc.sessCtlTimeout),
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
Mode: tc.recordingMode,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
cfg := suite.defaultServiceConfig()
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
cfg.Auth.Enabled = true
Introduce ClusterNetworkingConfig extracting fields from ClusterConfig (#6638)
2021-05-07 11:54:08 +00:00
cfg.Auth.NetworkingConfig = netConfig
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
cfg.Auth.SessionRecordingConfig = recConfig
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
cfg.Proxy.DisableWebService = true
cfg.Proxy.DisableWebInterface = true
cfg.Proxy.Enabled = true
cfg.SSH.Enabled = true
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, teleport.CreateEx(t, nil, cfg))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, teleport.Start())
defer teleport.StopAll()
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
if tc.concurrentConns < 1 {
// test cases that don't specify concurrentConns are single-connection tests.
tc.concurrentConns = 1
}
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
Wait for nodes to be availble in disconnection tests (#33298)
2023-10-12 13:17:38 +00:00
require.EventuallyWithT(t, func(t *assert.CollectT) {
// once the tunnel is established we need to wait until we have a
// connection to the remote auth
site := teleport.GetSiteAPI(helpers.Site)
if !assert.NotNil(t, site) {
return
}
// we need to wait until we know about the node because direct dial to
// unregistered servers is no longer supported
_, err := site.GetNode(ctx, defaults.Namespace, teleport.Config.HostUUID)
assert.NoError(t, err)
}, time.Second*30, 250*time.Millisecond)
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
asyncErrors := make(chan error, 1)
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
for i := 0; i < tc.concurrentConns; i++ {
person := NewTerminal(250)
openSession := func() {
defer cancel()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
Login: username,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Cluster: helpers.Site,
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
cl.Stdout = person
cl.Stdin = person
err = cl.SSH(ctx, []string{}, false)
select {
case <-ctx.Done():
// either we timed out, or a different session
// triggered closure.
return
default:
}
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
if tc.verifyError != nil {
if badErrorErr := tc.verifyError(err); badErrorErr != nil {
asyncErrors <- badErrorErr
}
chore: Bump gravitational/trace to v1.3.0 (#30064) * chore: Bump gravitational/trace to v1.3.0 * Replace `trace.IsEOF` with `errors.Is` * Fix IsPermanentEmitError
2023-08-04 21:39:24 +00:00
} else if err != nil && !errors.Is(err, io.EOF) && !isSSHError(err) {
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
asyncErrors <- fmt.Errorf("expected EOF, ExitError, or nil, got %v instead", err)
return
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
}
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
go openSession()
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
go func() {
err := enterInput(ctx, person, "echo start \r\n", ".*start.*")
if err != nil {
asyncErrors <- err
}
}()
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
if tc.postFunc != nil {
// test case modifies the teleport instance after session start
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tc.postFunc(ctx, t, teleport)
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
}
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
select {
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
case <-time.After(tc.disconnectTimeout + time.Second):
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
dumpGoroutineProfile()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.FailNowf(t, "timeout", "%s timeout waiting for session to exit: %+v", timeNow(), tc)
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
case ae := <-asyncErrors:
require.FailNow(t, "Async error", ae.Error())
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
case <-ctx.Done():
// session closed. a test case is successful if the first
// session to close encountered the expected error variant.
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
}
}
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
func isSSHError(err error) bool {
switch trace.Unwrap(err).(type) {
case *ssh.ExitError, *ssh.ExitMissingError:
return true
default:
return false
}
}
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
func timeNow() string {
return time.Now().Format(time.StampMilli)
}
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
// enterInput simulates entering user input into a terminal and awaiting a
// response. Returns an error if the given response text doesn't match
// the supplied regexp string.
func enterInput(ctx context.Context, person *Terminal, command, pattern string) error {
Disconnect expired k8s clients, fixes #2618 This commit implements disconnects of kubernetes clients with expired certificates and terminates idle sessions, according to 'disconnect_expired_cert' and 'client_idle_timeout' existing settings making the behavior consistent with SSH sessions.
2019-03-24 20:14:34 +00:00
person.Type(command)
abortTime := time.Now().Add(10 * time.Second)
var matched bool
var output string
for {
Remove unnecessary type conversions Caught by `unconvert` linter. No behavior changes here.
2020-05-06 17:13:05 +00:00
output = replaceNewlines(person.Output(1000))
Disconnect expired k8s clients, fixes #2618 This commit implements disconnects of kubernetes clients with expired certificates and terminates idle sessions, according to 'disconnect_expired_cert' and 'client_idle_timeout' existing settings making the behavior consistent with SSH sessions.
2019-03-24 20:14:34 +00:00
matched, _ = regexp.MatchString(pattern, output)
if matched {
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
return nil
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
}
select {
case <-time.After(time.Millisecond * 50):
case <-ctx.Done():
// cancellation means that we don't care about the input being
// confirmed anymore; not equivalent to a timeout.
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
return nil
Disconnect expired k8s clients, fixes #2618 This commit implements disconnects of kubernetes clients with expired certificates and terminates idle sessions, according to 'disconnect_expired_cert' and 'client_idle_timeout' existing settings making the behavior consistent with SSH sessions.
2019-03-24 20:14:34 +00:00
}
if time.Now().After(abortTime) {
Fix race condition in PipeNetCon (#8643) The race condition detector is being tripped by a concurrent `Write` and `Close` in the `PipeNetCon` in several integration tests. This is a naive fix to serialize the write and close operations to resolve the race condition. The affected tests were also not handling asynchronous error reporting correctly (i.e. it's not legal to call `require.XYZ()` from a goroutine other than the one executing the test function.). This patch introduces some plumbing to marshal asynchronous errors back into the main test routine before failing the test.
2021-10-27 22:38:51 +00:00
return fmt.Errorf("failed to capture pattern %q in %q", pattern, output)
Disconnect expired k8s clients, fixes #2618 This commit implements disconnects of kubernetes clients with expired certificates and terminates idle sessions, according to 'disconnect_expired_cert' and 'client_idle_timeout' existing settings making the behavior consistent with SSH sessions.
2019-03-24 20:14:34 +00:00
}
}
}
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842) Fixes a discrepancy in overwriting the environment value with the address observed for the Web UI for sessions not originating from the Web UI. All sessions will now use `tc.WebProxyAddr` as the default value and *only* update if an override is provided. `TestIntegrations/EnvironmentVars` was updated to ensure that the expected environment variables are present in both interactive and non-interactive sessions.
2023-06-14 19:47:32 +00:00
// testEnvironmentVariables validates that session specific environment
// variables set by Teleport are present.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testEnvironmentVariables(t *testing.T, suite *integrationTestSuite) {
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
s := suite.newTeleport(t, nil, true)
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842) Fixes a discrepancy in overwriting the environment value with the address observed for the Web UI for sessions not originating from the Web UI. All sessions will now use `tc.WebProxyAddr` as the default value and *only* update if an override is provided. `TestIntegrations/EnvironmentVars` was updated to ensure that the expected environment variables are present in both interactive and non-interactive sessions.
2023-06-14 19:47:32 +00:00
t.Cleanup(func() { require.NoError(t, s.StopAll()) })
add support for passing env variables, fixes #451
2016-06-10 16:38:19 +00:00
// make sure sessions set run command
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
tc, err := s.NewClient(helpers.ClientConfig{
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Login: suite.Me.Username,
Cluster: helpers.Site,
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Host: Host,
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
Port: helpers.Port(t, s.SSH),
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
tc.SessionID = uuid.NewString()
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842) Fixes a discrepancy in overwriting the environment value with the address observed for the Web UI for sessions not originating from the Web UI. All sessions will now use `tc.WebProxyAddr` as the default value and *only* update if an override is provided. `TestIntegrations/EnvironmentVars` was updated to ensure that the expected environment variables are present in both interactive and non-interactive sessions.
2023-06-14 19:47:32 +00:00
// The SessionID and Web address should be set in the session env vars.
cmd := []string{"printenv", sshutils.SessionEnvVar, ";", "printenv", teleport.SSHSessionWebProxyAddr}
add support for passing env variables, fixes #451
2016-06-10 16:38:19 +00:00
out := &bytes.Buffer{}
tc.Stdout = out
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
tc.Stdin = nil
Provide proxy address when beginning a node session (#18579)
2022-12-02 01:56:22 +00:00
err = tc.SSH(ctx, cmd, false /* runLocally */)
require.NoError(t, err)
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842) Fixes a discrepancy in overwriting the environment value with the address observed for the Web UI for sessions not originating from the Web UI. All sessions will now use `tc.WebProxyAddr` as the default value and *only* update if an override is provided. `TestIntegrations/EnvironmentVars` was updated to ensure that the expected environment variables are present in both interactive and non-interactive sessions.
2023-06-14 19:47:32 +00:00
output := out.String()
require.Contains(t, output, tc.SessionID)
require.Contains(t, output, tc.WebProxyAddr)
term := NewTerminal(250)
tc.Stdout = term
tc.Stdin = strings.NewReader(strings.Join(cmd, " ") + "\r\nexit\r\n")
err = tc.SSH(ctx, nil, false /* runLocally */)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27842) Fixes a discrepancy in overwriting the environment value with the address observed for the Web UI for sessions not originating from the Web UI. All sessions will now use `tc.WebProxyAddr` as the default value and *only* update if an override is provided. `TestIntegrations/EnvironmentVars` was updated to ensure that the expected environment variables are present in both interactive and non-interactive sessions.
2023-06-14 19:47:32 +00:00
output = term.AllOutput()
require.Contains(t, output, tc.SessionID)
require.Contains(t, output, tc.WebProxyAddr)
add support for passing env variables, fixes #451
2016-06-10 16:38:19 +00:00
}
Intermediate commit
2016-04-13 01:44:09 +00:00
// TestInvalidLogins validates that you can't login with invalid login or
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
// with invalid 'cluster' parameter
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testInvalidLogins(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
instance := suite.newTeleport(t, nil, true)
defer func() {
require.NoError(t, instance.StopAll())
}()
Intermediate commit
2016-04-13 01:44:09 +00:00
cmd := []string{"echo", "success"}
// try the wrong site:
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
tc, err := instance.NewClient(helpers.ClientConfig{
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Login: suite.Me.Username,
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Cluster: "wrong-site",
Host: Host,
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
Port: helpers.Port(t, instance.SSH),
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
err = tc.SSH(context.Background(), cmd, false)
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
require.ErrorIs(t, err, trace.NotFound("failed to dial target host\n\tcluster \"wrong-site\" is not found"))
Intermediate commit
2016-04-13 01:44:09 +00:00
}
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// TestTwoClustersTunnel creates two teleport clusters: "a" and "b" and creates a
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// tunnel from A to B.
//
// Two tests are run, first is when both A and B record sessions at nodes. It
// executes an SSH command on A by connecting directly to A and by connecting
// to B via B<->A tunnel. All sessions should end up in A.
Incorporated GetFreeTCPPorts() into integration testign
2016-04-08 17:38:19 +00:00
//
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// In the second test, sessions are recorded at B. All sessions still show up on
// A (they are Teleport nodes) but in addition, two show up on B when connecting
// over the B<->A tunnel because sessions are recorded at the proxy.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testTwoClustersTunnel(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
now := time.Now().In(time.UTC).Round(time.Second)
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
inRecordLocation string
outExecCountSiteA int
outExecCountSiteB int
}{
// normal teleport. since all events are recorded at the node, all events
// end up on site-a and none on site-b.
{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
types.RecordAtNode,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
3,
0,
},
// recording proxy. since events are recorded at the proxy, 3 events end up
// on site-a (because it's a teleport node so it still records at the node)
// and 2 events end up on site-b because it's recording.
{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
types.RecordAtProxy,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
3,
2,
},
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
}
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.inRecordLocation, func(t *testing.T) {
twoClustersTunnel(t, suite, now, tt.inRecordLocation, tt.outExecCountSiteA, tt.outExecCountSiteB)
})
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
log.Info("Tests done. Cleaning up.")
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
Prepared previous commits for merging into master - Fixed all tests - Removed "magic constants" in random places - Improved 'retry connecting to auth server' logic (it used to always fail on 1st attempt)
2016-04-11 23:30:58 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, proxyRecordMode string, execCountSiteA, execCountSiteB int) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// start the http proxy, we need to make sure this was not used
Fix http proxy basic auth (#13140) * Fix http proxy basic auth * Update docs about HTTP CONNECT env var formats
2022-06-23 00:27:29 +00:00
ph := &helpers.ProxyHandler{}
ts := httptest.NewServer(ph)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
defer ts.Close()
Added endurance integration test
2016-04-08 02:01:31 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// clear out any proxy environment variables
for _, v := range []string{"http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY"} {
Use t.Setenv in tests (#9154) This new feature in Go 1.17 automatically restores the environment variable to its previous value when a test ends, making it simpler to set up the environment for tests and less likely that we accidentally leave behind global state. Also convert some of the remaining uses of check to standard Go tests.
2021-12-01 17:43:12 +00:00
t.Setenv(v, "")
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
a := suite.newNamedTeleportInstance(t, "site-A")
b := suite.newNamedTeleportInstance(t, "site-B")
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
a.AddUser(username, []string{username})
b.AddUser(username, []string{username})
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
Mode: proxyRecordMode,
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
acfg := suite.defaultServiceConfig()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
acfg.Auth.Enabled = true
acfg.Proxy.Enabled = true
acfg.Proxy.DisableWebService = true
acfg.Proxy.DisableWebInterface = true
acfg.SSH.Enabled = true
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
bcfg := suite.defaultServiceConfig()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
bcfg.Auth.Enabled = true
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
bcfg.Auth.SessionRecordingConfig = recConfig
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
bcfg.Proxy.Enabled = true
bcfg.Proxy.DisableWebService = true
bcfg.Proxy.DisableWebInterface = true
bcfg.SSH.Enabled = false
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, b.CreateEx(t, a.Secrets.AsSlice(), bcfg))
Improve TestTwoClustersTunnel troubleshooting This PR likely won't fix any of the flakiness, but should help in debugging: - Wait for TeleInstance's process to close - Don't delete the data directory before the process is shut down - Include site name in logging to make it easier to distinguish which site is shutting down - Don't call StopAll twice (it was deferred and run manually) - Include cluster name in log output - Remove unused TestWrapper left over from the Check framework
2021-12-29 20:17:19 +00:00
t.Cleanup(func() { require.NoError(t, b.StopAll()) })
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, a.CreateEx(t, b.Secrets.AsSlice(), acfg))
Improve TestTwoClustersTunnel troubleshooting This PR likely won't fix any of the flakiness, but should help in debugging: - Wait for TeleInstance's process to close - Don't delete the data directory before the process is shut down - Include site name in logging to make it easier to distinguish which site is shutting down - Don't call StopAll twice (it was deferred and run manually) - Include cluster name in log output - Remove unused TestWrapper left over from the Check framework
2021-12-29 20:17:19 +00:00
t.Cleanup(func() { require.NoError(t, a.StopAll()) })
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, b.Start())
require.NoError(t, a.Start())
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// The Listener FDs injected into SiteA will be closed when SiteA restarts
// later in in the test, rendering them all invalid. This will make SiteA
// fail when it attempts to start back up again. We can't just inject a
// totally new listener config into SiteA when it restarts, or SiteB won't
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
// be able to find it.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
//
// The least bad option is to duplicate all of SiteA's Listener FDs and
// inject those duplicates prior to restarting the SiteA cluster.
aFdCache, err := a.Process.ExportFileDescriptors()
require.NoError(t, err)
Fix.
2022-02-02 16:05:45 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(a.Tunnel, 2), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(b.Tunnel, 2), 10*time.Second, 1*time.Second,
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
"Two clusters do not see each other: tunnels are not working.")
Prepared previous commits for merging into master - Fixed all tests - Removed "magic constants" in random places - Improved 'retry connecting to auth server' logic (it used to always fail on 1st attempt)
2016-04-11 23:30:58 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
var (
outputA bytes.Buffer
outputB bytes.Buffer
)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// make sure the direct dialer was used and not the proxy dialer
Fix http proxy basic auth (#13140) * Fix http proxy basic auth * Update docs about HTTP CONNECT env var formats
2022-06-23 00:27:29 +00:00
require.Zero(t, ph.Count())
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// if we got here, it means two sites are cross-connected. lets execute SSH commands
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
sshPort := helpers.Port(t, a.SSH)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
cmd := []string{"echo", "hello world"}
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// directly:
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := a.NewClient(helpers.ClientConfig{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Login: username,
Cluster: a.Secrets.SiteName,
Host: Host,
Port: sshPort,
ForwardAgent: true,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
tc.Stdout = &outputA
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = tc.SSH(ctx, cmd, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", outputA.String())
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// Update trusted CAs.
Reduce login latency (#28499) Reuse the root cluster auth client during the login process to reduce latency. Closes #26712. Partially addresses #26712.
2023-07-05 15:51:56 +00:00
err = tc.UpdateTrustedCA(ctx, a.GetSiteAPI(a.Secrets.SiteName))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Integration test for UpdateHostCA.
2018-09-06 21:52:41 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// The known_hosts file should have two certificates, the way bytes.Split
// works that means the output will be 3 (2 certs + 1 empty).
Remove uses of deprecated ioutil package
2022-03-14 23:59:28 +00:00
buffer, err := os.ReadFile(keypaths.KnownHostsPath(tc.KeysDir))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
parts := bytes.Split(buffer, []byte("\n"))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Len(t, parts, 3)
Integration test for UpdateHostCA.
2018-09-06 21:52:41 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
roots := x509.NewCertPool()
Fix tsh tctl do not load all CAS (#9357)
2022-01-31 12:35:15 +00:00
werr := filepath.Walk(keypaths.CAsDir(tc.KeysDir, Host), func(path string, info fs.FileInfo, err error) error {
require.NoError(t, err)
if info.IsDir() {
return nil
}
Remove uses of deprecated ioutil package
2022-03-14 23:59:28 +00:00
buffer, err = os.ReadFile(path)
Fix tsh tctl do not load all CAS (#9357)
2022-01-31 12:35:15 +00:00
require.NoError(t, err)
ok := roots.AppendCertsFromPEM(buffer)
require.True(t, ok)
return nil
})
require.NoError(t, werr)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
ok := roots.AppendCertsFromPEM(buffer)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.True(t, ok)
Added ability to specify which console to use ...by teleport clients + servers, meaning: 1. Servers do not default to stdout when printing startup messages 2. Clients can use arbitrary input/output instead of stdin/stdout when doing SSH/join. This helps with integration testing.
2016-04-14 18:43:08 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// wait for active tunnel connections to be established
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, b.Tunnel, a.Secrets.SiteName, 1)
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// via tunnel b->a:
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err = b.NewClient(helpers.ClientConfig{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Login: username,
Cluster: a.Secrets.SiteName,
Host: Host,
Port: sshPort,
ForwardAgent: true,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
tc.Stdout = &outputB
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = tc.SSH(ctx, cmd, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, outputA.String(), outputB.String())
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
Fix twoClustersTunnel flakiness (#26233)
2023-05-15 15:20:29 +00:00
clientHasEvents := func(site auth.ClientI, count int) func() bool {
// only look for exec events
eventTypes := []string{events.ExecEvent}
return func() bool {
auditlog - pass context and rework search params (#26433) * Rework audit log interface with ctx and req params * update codebase to new audit interface * rename FromUTC/ToUTC to From/To * Drop namespace from search_events params * go fmt * rename from to also in search session events
2023-05-19 08:07:38 +00:00
eventsInSite, _, err := site.SearchEvents(ctx, events.SearchEventsRequest{
From: now,
To: now.Add(1 * time.Hour),
EventTypes: eventTypes,
Order: types.EventOrderAscending,
})
Fix twoClustersTunnel flakiness (#26233)
2023-05-15 15:20:29 +00:00
require.NoError(t, err)
return len(eventsInSite) == count
}
}
siteA := a.GetSiteAPI(a.Secrets.SiteName)
// Wait for 2nd event before stopping auth.
require.Eventually(t, clientHasEvents(siteA, 2), 5*time.Second, 500*time.Millisecond,
"Failed to find %d events on helpers.Site A after 5s", execCountSiteA)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// Stop "site-A" and try to connect to it again via "site-A" (expect a connection error)
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
require.NoError(t, a.StopAuth(false))
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = tc.SSH(ctx, cmd, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.IsType(t, err, trace.ConnectionProblem(nil, ""))
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// Reset and start "Site-A" again
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
a.Config.FileDescriptors = aFdCache
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
require.NoError(t, a.Reset())
require.NoError(t, a.Start())
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
// try to execute an SSH command using the same old client to helpers.Site-B
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// "site-A" and "site-B" reverse tunnels are supposed to reconnect,
// and 'tc' (client) is also supposed to reconnect
Improve TestTwoClustersTunnel troubleshooting This PR likely won't fix any of the flakiness, but should help in debugging: - Wait for TeleInstance's process to close - Don't delete the data directory before the process is shut down - Include site name in logging to make it easier to distinguish which site is shutting down - Don't call StopAll twice (it was deferred and run manually) - Include cluster name in log output - Remove unused TestWrapper left over from the Check framework
2021-12-29 20:17:19 +00:00
var sshErr error
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
tcHasReconnected := func() bool {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
sshErr = tc.SSH(ctx, cmd, false)
Improve TestTwoClustersTunnel troubleshooting This PR likely won't fix any of the flakiness, but should help in debugging: - Wait for TeleInstance's process to close - Don't delete the data directory before the process is shut down - Include site name in logging to make it easier to distinguish which site is shutting down - Don't call StopAll twice (it was deferred and run manually) - Include cluster name in log output - Remove unused TestWrapper left over from the Check framework
2021-12-29 20:17:19 +00:00
return sshErr == nil
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
tweak test timeout
2021-12-21 18:27:30 +00:00
require.Eventually(t, tcHasReconnected, 10*time.Second, 250*time.Millisecond,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
"Timed out waiting for helpers.Site A to restart: %v", sshErr)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Fix twoClustersTunnel flakiness (#26233)
2023-05-15 15:20:29 +00:00
siteA = a.GetSiteAPI(a.Secrets.SiteName)
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
require.Eventually(t, clientHasEvents(siteA, execCountSiteA), 5*time.Second, 500*time.Millisecond,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
"Failed to find %d events on helpers.Site A after 5s", execCountSiteA)
Started work on self-reconnecting reverse tunnels
2016-05-11 05:05:01 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
siteB := b.GetSiteAPI(b.Secrets.SiteName)
Google CloudBuild support (#9090) Part of this change is implementing a "no secrets" policy for CI. Given that we have to support CI for arbitrary external contributors, and it is easy to craft a malicious PR that exfiltrates secrets during a CI build any test that runs under CI must be able to do so without any injected secrets. This means that several of the test we currently run under Drone will not be run on GCB, at least as part of the regular CI. The plan is to create a separate task that periodically runs tests that require external credentials (e.g. Kube tests, various backend data stores, etc.) in a more secure way and report failures asynchronously. And while these tests will not run under CI, the should still be built under CI so that required changes are caught during review.
2021-11-30 01:12:16 +00:00
require.Eventually(t, clientHasEvents(siteB, execCountSiteB), 5*time.Second, 500*time.Millisecond,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
"Failed to find %d events on helpers.Site B after 5s", execCountSiteB)
Added new integration test (not turned on yet)
2016-04-08 01:13:13 +00:00
}
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
// TestTwoClustersProxy checks if the reverse tunnel uses a HTTP PROXY to
// establish a connection.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testTwoClustersProxy(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
// start the http proxy
Fix http proxy basic auth (#13140) * Fix http proxy basic auth * Update docs about HTTP CONNECT env var formats
2022-06-23 00:27:29 +00:00
ps := &helpers.ProxyHandler{}
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
ts := httptest.NewServer(ps)
defer ts.Close()
// set the http_proxy environment variable
u, err := url.Parse(ts.URL)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Use t.Setenv in tests (#9154) This new feature in Go 1.17 automatically restores the environment variable to its previous value when a test ends, making it simpler to set up the environment for tests and less likely that we accidentally leave behind global state. Also convert some of the remaining uses of check to standard Go tests.
2021-12-01 17:43:12 +00:00
t.Setenv("http_proxy", u.Host)
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
NO_PROXY port support + special case for proxying via localhost (#11403) This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
2022-04-04 21:23:50 +00:00
// httpproxy doesn't allow proxying when the target is localhost, so use
// this address instead.
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
addr, err := helpers.GetLocalIP()
NO_PROXY port support + special case for proxying via localhost (#11403) This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
2022-04-04 21:23:50 +00:00
require.NoError(t, err)
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
a := suite.newNamedTeleportInstance(t, "site-A",
WithNodeName(addr),
WithListeners(helpers.StandardListenerSetupOn(addr)),
)
b := suite.newNamedTeleportInstance(t, "site-B",
WithNodeName(addr),
WithListeners(helpers.StandardListenerSetupOn(addr)),
)
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
a.AddUser(username, []string{username})
b.AddUser(username, []string{username})
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, b.Create(t, a.Secrets.AsSlice(), false, nil))
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
defer b.StopAll()
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, a.Create(t, b.Secrets.AsSlice(), true, nil))
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
defer a.StopAll()
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, b.Start())
require.NoError(t, a.Start())
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(a.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(b.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
// make sure the reverse tunnel went through the proxy
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Greater(t, ps.Count(), 0, "proxy did not intercept any connection")
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
// stop both sites for real
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, b.StopAll())
require.NoError(t, a.StopAll())
Moved tests from lib/srv and lib/utils into integrations.
2017-05-31 18:48:20 +00:00
}
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// TestHA tests scenario when auth server for the cluster goes down
// and we switch to local persistent caches
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testHA(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Sasha High Availability.
2017-04-07 23:51:31 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
a := suite.newNamedTeleportInstance(t, "cluster-a")
b := suite.newNamedTeleportInstance(t, "cluster-b")
Sasha High Availability.
2017-04-07 23:51:31 +00:00
a.AddUser(username, []string{username})
b.AddUser(username, []string{username})
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, b.Create(t, a.Secrets.AsSlice(), true, nil))
require.NoError(t, a.Create(t, b.Secrets.AsSlice(), true, nil))
Sasha High Availability.
2017-04-07 23:51:31 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, b.Start())
require.NoError(t, a.Start())
Sasha High Availability.
2017-04-07 23:51:31 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
// The Listener FDs injected into SiteA will be closed when SiteA restarts
// later in in the test, rendering them all invalid. This will make SiteA
// fail when it attempts to start back up again. We can't just inject a
// totally new listener config into SiteA when it restarts, or SiteB won't
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
// be able to find it.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
//
// The least bad option is to duplicate all of SiteA's Listener FDs and
// inject those duplicates prior to restarting the SiteA cluster.
aFdCache, err := a.Process.ExportFileDescriptors()
require.NoError(t, err)
sshPort, _, _ := a.StartNodeAndProxy(t, "cluster-a-node")
Sasha High Availability.
2017-04-07 23:51:31 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(a.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(b.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Sasha High Availability.
2017-04-07 23:51:31 +00:00
cmd := []string{"echo", "hello world"}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := b.NewClient(helpers.ClientConfig{
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Login: username,
Cluster: "cluster-a",
Host: Loopback,
Port: sshPort,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Sasha High Availability.
2017-04-07 23:51:31 +00:00
output := &bytes.Buffer{}
tc.Stdout = output
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
// try to execute an SSH command using the same old client to helpers.Site-B
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// "site-A" and "site-B" reverse tunnels are supposed to reconnect,
// and 'tc' (client) is also supposed to reconnect
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = tc.SSH(ctx, cmd, false)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output.String())
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
mfa: per-session MFA certs for SSH and Kubernetes (#5564) * mfa: per-session MFA certs for SSH and Kubernetes This is client-side support for requesting single-use certs with an MFA check. The client doesn't know whether they need MFA check when accessing a resource, this is decided during an RBAC check on the server. So a client will always try to get a single-use cert, and the server will respond with NotNeeded if MFA is not required. This is an extra round-trip for every session which causes ~20% slowdown in SSH logins: ``` $ hyperfine '/tmp/tsh-old ssh talos date' '/tmp/tsh-new ssh talos date' Benchmark #1: /tmp/tsh-old ssh talos date Time (mean ± σ): 49.9 ms ± 1.0 ms [User: 15.1 ms, System: 7.4 ms] Range (min … max): 48.4 ms … 54.1 ms 59 runs Benchmark #2: /tmp/tsh-new ssh talos date Time (mean ± σ): 60.2 ms ± 1.6 ms [User: 19.1 ms, System: 8.3 ms] Range (min … max): 59.0 ms … 69.7 ms 50 runs Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet PC without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options. Summary '/tmp/tsh-old ssh talos date' ran 1.21 ± 0.04 times faster than '/tmp/tsh-new ssh talos date' ``` Another few other internal changes: - client.LocalKeyAgent will now always have a non-nil LocalKeyStore. Previously, it would be nil (e.g. in a web UI handler or when using an identity file) which easily causes panics. I added a noLocalKeyStore type instead that returns errors from all methods. - requesting a user cert with a TTL < 1min will now succeed and return a 1min cert instead of failing * Capture access approvals on MFA-issued certs * Address review feedback * Address review feedback * mfa: accept unknown nodes during short-term MFA cert creation An unknown node could be an OpenSSH node set up via https://goteleport.com/teleport/docs/openssh-teleport/ In this case, we shouldn't prevent the user from connecting. There's a small risk of authz bypass - an attacker might know a different name/IP for a registered node which Teleport doesn't know about. But a Teleport node will still check RBAC and reject the connection. * Validate username against unmapped user identity IssueUserCertsWithMFA is called on the leaf auth server in case of trusted clusters. Username in the request object will be that of the original unmapped caller. * mfa: add IsMFARequired RPC This RPC is ran before every connection to check whether MFA is required. If a connection is against the leaf cluster, this request is forwarded from root to leaf for evaluation. * Fix integration tests * Correctly treat "Username" as login name in IsMFARequired Also, move the logic into auth.Server out of ServerWithRoles. * Fix TestHA * Address review feedback
2021-03-10 23:42:16 +00:00
// Stop cluster "a" to force existing tunnels to close.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, a.StopAuth(true))
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
// Reset KeyPair set by the first start by ACME. After introducing the ALPN TLS listener TLS proxy
// certs are generated even if WebService and WebInterface was disabled and only DisableTLS
// flag skips the TLS cert initialization. the First start call creates the ACME certs
// where Resets() call deletes certs dir thus KeyPairs is no longer valid.
a.Config.Proxy.KeyPairs = nil
mfa: per-session MFA certs for SSH and Kubernetes (#5564) * mfa: per-session MFA certs for SSH and Kubernetes This is client-side support for requesting single-use certs with an MFA check. The client doesn't know whether they need MFA check when accessing a resource, this is decided during an RBAC check on the server. So a client will always try to get a single-use cert, and the server will respond with NotNeeded if MFA is not required. This is an extra round-trip for every session which causes ~20% slowdown in SSH logins: ``` $ hyperfine '/tmp/tsh-old ssh talos date' '/tmp/tsh-new ssh talos date' Benchmark #1: /tmp/tsh-old ssh talos date Time (mean ± σ): 49.9 ms ± 1.0 ms [User: 15.1 ms, System: 7.4 ms] Range (min … max): 48.4 ms … 54.1 ms 59 runs Benchmark #2: /tmp/tsh-new ssh talos date Time (mean ± σ): 60.2 ms ± 1.6 ms [User: 19.1 ms, System: 8.3 ms] Range (min … max): 59.0 ms … 69.7 ms 50 runs Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet PC without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options. Summary '/tmp/tsh-old ssh talos date' ran 1.21 ± 0.04 times faster than '/tmp/tsh-new ssh talos date' ``` Another few other internal changes: - client.LocalKeyAgent will now always have a non-nil LocalKeyStore. Previously, it would be nil (e.g. in a web UI handler or when using an identity file) which easily causes panics. I added a noLocalKeyStore type instead that returns errors from all methods. - requesting a user cert with a TTL < 1min will now succeed and return a 1min cert instead of failing * Capture access approvals on MFA-issued certs * Address review feedback * Address review feedback * mfa: accept unknown nodes during short-term MFA cert creation An unknown node could be an OpenSSH node set up via https://goteleport.com/teleport/docs/openssh-teleport/ In this case, we shouldn't prevent the user from connecting. There's a small risk of authz bypass - an attacker might know a different name/IP for a registered node which Teleport doesn't know about. But a Teleport node will still check RBAC and reject the connection. * Validate username against unmapped user identity IssueUserCertsWithMFA is called on the leaf auth server in case of trusted clusters. Username in the request object will be that of the original unmapped caller. * mfa: add IsMFARequired RPC This RPC is ran before every connection to check whether MFA is required. If a connection is against the leaf cluster, this request is forwarded from root to leaf for evaluation. * Fix integration tests * Correctly treat "Username" as login name in IsMFARequired Also, move the logic into auth.Server out of ServerWithRoles. * Fix TestHA * Address review feedback
2021-03-10 23:42:16 +00:00
// Restart cluster "a".
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
a.Config.FileDescriptors = aFdCache
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, a.Reset())
require.NoError(t, a.Start())
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(a.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(b.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Sasha High Availability.
2017-04-07 23:51:31 +00:00
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// try to execute an SSH command using the same old client to site-B
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// "site-A" and "site-B" reverse tunnels are supposed to reconnect,
// and 'tc' (client) is also supposed to reconnect
Attempt at test fix.
2019-05-07 21:00:47 +00:00
for i := 0; i < 30; i++ {
time.Sleep(1 * time.Second)
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = tc.SSH(ctx, cmd, false)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// stop cluster and remaining nodes
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, a.StopAll())
require.NoError(t, b.StopAll())
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
integration test
2017-05-20 02:03:28 +00:00
// TestMapRoles tests local to remote role mapping and access patterns
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testMapRoles(t *testing.T, suite *integrationTestSuite) {
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
integration test
2017-05-20 02:03:28 +00:00
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
main := suite.newNamedTeleportInstance(t, clusterMain)
aux := suite.newNamedTeleportInstance(t, clusterAux)
integration test
2017-05-20 02:03:28 +00:00
// main cluster has a local user and belongs to role "main-devs"
mainDevs := "main-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole(mainDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Introduced and migrated to RoleV3.
2017-06-30 01:02:47 +00:00
},
integration test
2017-05-20 02:03:28 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
integration test
2017-05-20 02:03:28 +00:00
main.AddUserWithRole(username, role)
fix and complete tests
2017-05-20 19:52:03 +00:00
// for role mapping test we turn on Web API on the main cluster
// as it's used
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
fix and complete tests
2017-05-20 19:52:03 +00:00
tconf.SSH.Enabled = enableSSH
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
return t, nil, tconf
fix and complete tests
2017-05-20 19:52:03 +00:00
}
Better handling of "development mode" Instead of quietly changing behavior because `DEBUG` envar was set to true, Teleport now explicitly requires scary --insecure flag to enable this behavior.
2017-09-10 03:59:38 +00:00
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
fix and complete tests
2017-05-20 19:52:03 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.CreateEx(makeConfig(false)))
require.NoError(t, aux.CreateEx(makeConfig(true)))
integration test
2017-05-20 02:03:28 +00:00
Correct various typos This was fixed running the `misspell` linter in fix mode using `gometalinter`. The exact command I ran was : ``` gometalinter --vendor --disable-all -E misspell --linter='misspell:misspell -w {path}:^(?P<path>.*?\.go):(?P<line>\d+):(?P<col>\d+):\s*(?P<message>.*)$' ./... ``` Some typo were fixed by hand on top of it.
2017-10-20 08:20:26 +00:00
// auxiliary cluster has a role aux-devs
integration test
2017-05-20 02:03:28 +00:00
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err = types.NewRole(auxDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Introduced and migrated to RoleV3.
2017-06-30 01:02:47 +00:00
},
integration test
2017-05-20 02:03:28 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = aux.Process.GetAuthServer().UpsertRole(ctx, role)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
trustedClusterToken := "trusted-cluster-token"
Pass context through new gRPC converted endpoints. (#6118)
2021-03-24 01:26:52 +00:00
err = main.Process.GetAuthServer().UpsertToken(ctx,
Revert "Introduce ProvisionTokenV3 (#16361)" (#16934) This reverts commit 3fba50261fa473f1eb814be17e20a5c8de9bc33a.
2022-10-03 14:14:01 +00:00
services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{}))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
integration test
2017-05-20 02:03:28 +00:00
{Remote: mainDevs, Local: []string{auxDevs}},
})
add regression test for mismatching cluster name Modify integration test suite to catch cases when trusted cluster resource name is not equal to the cluster name
2017-10-18 23:10:32 +00:00
// modify trusted cluster resource name so it would not
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
integration test
2017-05-20 02:03:28 +00:00
err = trustedCluster.CheckAndSetDefaults()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
Allow enable or disable of a TrustedCluster without performing the exchange again.
2017-08-11 01:29:24 +00:00
// try and upsert a trusted cluster
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
sshPort, _, _ := aux.StartNodeAndProxy(t, "aux-node")
integration test
2017-05-20 02:03:28 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(aux.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
integration test
2017-05-20 02:03:28 +00:00
Include list of principal into x509 certificate. This allows the creating a remote user with valid logins (applied from traits) and roles.
2018-08-23 00:19:24 +00:00
// Make sure that GetNodes returns nodes in the remote site. This makes
// sure identity aware GetNodes works for remote clusters. Testing of the
// correct nodes that identity aware GetNodes is done in TestList.
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
var nodes []types.Server
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
for i := 0; i < 10; i++ {
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
nodes, err = aux.Process.GetAuthServer().GetNodes(ctx, defaults.Namespace)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
if len(nodes) != 2 {
time.Sleep(100 * time.Millisecond)
continue
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Len(t, nodes, 2)
Include list of principal into x509 certificate. This allows the creating a remote user with valid logins (applied from traits) and roles.
2018-08-23 00:19:24 +00:00
integration test
2017-05-20 02:03:28 +00:00
cmd := []string{"echo", "hello world"}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := main.NewClient(helpers.ClientConfig{
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
Login: username,
Cluster: clusterAux,
Host: Loopback,
Port: sshPort,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
integration test
2017-05-20 02:03:28 +00:00
output := &bytes.Buffer{}
tc.Stdout = output
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
// try to execute an SSH command using the same old client to helpers.Site-B
integration test
2017-05-20 02:03:28 +00:00
// "site-A" and "site-B" reverse tunnels are supposed to reconnect,
// and 'tc' (client) is also supposed to reconnect
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
err = tc.SSH(context.TODO(), cmd, false)
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output.String())
integration test
2017-05-20 02:03:28 +00:00
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
// make sure both clusters have the right certificate authorities with the right signing keys.
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
name string
mainClusterName string
auxClusterName string
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
inCluster *helpers.TeleInstance
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
outChkMainUserCA require.ErrorAssertionFunc
outChkMainUserCAPrivateKey require.ValueAssertionFunc
outChkMainHostCA require.ErrorAssertionFunc
outChkMainHostCAPrivateKey require.ValueAssertionFunc
outChkAuxUserCA require.ErrorAssertionFunc
outChkAuxUserCAPrivateKey require.ValueAssertionFunc
outChkAuxHostCA require.ErrorAssertionFunc
outChkAuxHostCAPrivateKey require.ValueAssertionFunc
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
}{
// 0 - main
// * User CA for main has one signing key.
// * Host CA for main has one signing key.
// * User CA for aux does not exist.
// * Host CA for aux has no signing keys.
{
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
name: "main",
mainClusterName: main.Secrets.SiteName,
auxClusterName: aux.Secrets.SiteName,
inCluster: main,
outChkMainUserCA: require.NoError,
outChkMainUserCAPrivateKey: require.NotEmpty,
outChkMainHostCA: require.NoError,
outChkMainHostCAPrivateKey: require.NotEmpty,
outChkAuxUserCA: require.Error,
outChkAuxUserCAPrivateKey: require.Empty,
outChkAuxHostCA: require.NoError,
outChkAuxHostCAPrivateKey: require.Empty,
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
},
// 1 - aux
// * User CA for main has no signing keys.
// * Host CA for main has no signing keys.
// * User CA for aux has one signing key.
// * Host CA for aux has one signing key.
{
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
name: "aux",
mainClusterName: trustedCluster.GetName(),
auxClusterName: aux.Secrets.SiteName,
inCluster: aux,
outChkMainUserCA: require.NoError,
outChkMainUserCAPrivateKey: require.Empty,
outChkMainHostCA: require.NoError,
outChkMainHostCAPrivateKey: require.Empty,
outChkAuxUserCA: require.NoError,
outChkAuxUserCAPrivateKey: require.NotEmpty,
outChkAuxHostCA: require.NoError,
outChkAuxHostCAPrivateKey: require.NotEmpty,
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
},
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
cid := types.CertAuthID{Type: types.UserCA, DomainName: tt.mainClusterName}
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
mainUserCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(ctx, cid, true)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tt.outChkMainUserCA(t, err)
if err == nil {
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
tt.outChkMainUserCAPrivateKey(t, mainUserCAs.GetActiveKeys().SSH[0].PrivateKey)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
cid = types.CertAuthID{Type: types.HostCA, DomainName: tt.mainClusterName}
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
mainHostCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(ctx, cid, true)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tt.outChkMainHostCA(t, err)
if err == nil {
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
tt.outChkMainHostCAPrivateKey(t, mainHostCAs.GetActiveKeys().SSH[0].PrivateKey)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
cid = types.CertAuthID{Type: types.UserCA, DomainName: tt.auxClusterName}
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
auxUserCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(ctx, cid, true)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tt.outChkAuxUserCA(t, err)
if err == nil {
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
tt.outChkAuxUserCAPrivateKey(t, auxUserCAs.GetActiveKeys().SSH[0].PrivateKey)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
cid = types.CertAuthID{Type: types.HostCA, DomainName: tt.auxClusterName}
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
auxHostCAs, err := tt.inCluster.Process.GetAuthServer().GetCertAuthority(ctx, cid, true)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tt.outChkAuxHostCA(t, err)
if err == nil {
hsm: migrate CA storage schema (#7245) * hsm: migrate CA storage schema Migrate types.CertAuthorityV2 schema according to https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage Includes proto changes, types.CertAuthority wrapper changes and data migration. Note that we keep and update the old fields for backwards-compatibility. If a cluster is upgraded to v7 and then downgraded back to v6, everything should keep working. * Address review feedback
2021-06-16 17:17:03 +00:00
tt.outChkAuxHostCAPrivateKey(t, auxHostCAs.GetActiveKeys().SSH[0].PrivateKey)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
})
Remote clusters should only send their own CAs.
2017-06-27 00:26:29 +00:00
}
integration test
2017-05-20 02:03:28 +00:00
// stop clusters and remaining nodes
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
integration test
2017-05-20 02:03:28 +00:00
}
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
// trustedClusterTest is a test setup for trusted clusters tests
type trustedClusterTest struct {
// multiplex sets up multiplexing of the reversetunnel SSH
// socket and the proxy's web socket
multiplex bool
// useJumpHost turns on jump host mode for the access
// to the proxy instead of the proxy command
useJumpHost bool
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
// useLabels turns on trusted cluster labels and
// verifies RBAC
useLabels bool
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
}
Join address for web, reverse tunnel, fixes #1544 Support configuration for web and reverse tunnel proxies to listen on the same port. * Default config are not changed for backwards compatibility. * If administrator configures web and reverse tunnel addresses to be on the same port, multiplexing is turned on * In trusted clusters configuration reverse_tunnel_addr defaults to web_addr.
2018-01-06 00:20:56 +00:00
// TestTrustedClusters tests remote clusters scenarios
// using trusted clusters feature
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testTrustedClusters(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
trustedClusters(t, suite, trustedClusterTest{multiplex: false})
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
}
Allow updating of trusted cluster role maps (#18168)
2023-01-13 19:06:17 +00:00
// testDisabledTrustedClusters tests creation of disabled trusted cluster
func testDisabledTrustedClusters(t *testing.T, suite *integrationTestSuite) {
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
trustedDisabledCluster(t, suite, trustedClusterTest{multiplex: false})
}
// testTrustedClustersRoleMapChanges tests the changing of role maps for trusted clusters
func testTrustedClustersRoleMapChanges(t *testing.T, suite *integrationTestSuite) {
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
trustedClustersRoleMapChanges(t, suite, trustedClusterTest{multiplex: false})
}
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
// TestTrustedClustersWithLabels tests remote clusters scenarios
// using trusted clusters feature and access labels
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testTrustedClustersWithLabels(t *testing.T, suite *integrationTestSuite) {
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
trustedClusters(t, suite, trustedClusterTest{multiplex: false, useLabels: true})
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
}
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
// TestJumpTrustedClusters tests remote clusters scenarios
// using trusted clusters feature using jumphost connection
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testJumpTrustedClusters(t *testing.T, suite *integrationTestSuite) {
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
trustedClusters(t, suite, trustedClusterTest{multiplex: false, useJumpHost: true})
Join address for web, reverse tunnel, fixes #1544 Support configuration for web and reverse tunnel proxies to listen on the same port. * Default config are not changed for backwards compatibility. * If administrator configures web and reverse tunnel addresses to be on the same port, multiplexing is turned on * In trusted clusters configuration reverse_tunnel_addr defaults to web_addr.
2018-01-06 00:20:56 +00:00
}
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
// TestJumpTrustedClusters tests remote clusters scenarios
// using trusted clusters feature using jumphost connection
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testJumpTrustedClustersWithLabels(t *testing.T, suite *integrationTestSuite) {
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
trustedClusters(t, suite, trustedClusterTest{multiplex: false, useJumpHost: true, useLabels: true})
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
}
Join address for web, reverse tunnel, fixes #1544 Support configuration for web and reverse tunnel proxies to listen on the same port. * Default config are not changed for backwards compatibility. * If administrator configures web and reverse tunnel addresses to be on the same port, multiplexing is turned on * In trusted clusters configuration reverse_tunnel_addr defaults to web_addr.
2018-01-06 00:20:56 +00:00
// TestMultiplexingTrustedClusters tests remote clusters scenarios
// using trusted clusters feature
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testMultiplexingTrustedClusters(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
trustedClusters(t, suite, trustedClusterTest{multiplex: true})
Join address for web, reverse tunnel, fixes #1544 Support configuration for web and reverse tunnel proxies to listen on the same port. * Default config are not changed for backwards compatibility. * If administrator configures web and reverse tunnel addresses to be on the same port, multiplexing is turned on * In trusted clusters configuration reverse_tunnel_addr defaults to web_addr.
2018-01-06 00:20:56 +00:00
}
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
func standardPortsOrMuxSetup(t *testing.T, mux bool, fds *[]servicecfg.FileDescriptor) *helpers.InstanceListeners {
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
if mux {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
return helpers.WebReverseTunnelMuxPortSetup(t, fds)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
return helpers.StandardListenerSetup(t, fds)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) {
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
ctx := context.Background()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
mainCfg := helpers.InstanceConfig{
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
ClusterName: clusterMain,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
HostID: helpers.HostID,
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
NodeName: Host,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
}
mainCfg.Listeners = standardPortsOrMuxSetup(t, test.multiplex, &mainCfg.Fds)
main := helpers.NewInstance(t, mainCfg)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
aux := suite.newNamedTeleportInstance(t, clusterAux)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
// main cluster has a local user and belongs to role "main-devs" and "main-admins"
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
mainDevs := "main-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
devsRole, err := types.NewRole(mainDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
},
})
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
// If the test is using labels, the cluster will be labeled
// and user will be granted access if labels match.
// Otherwise, to preserve backwards-compatibility
// roles with no labels will grant access to clusters with no labels.
if test.useLabels {
Remove RoleConditions type alias from lib/services. (#8441)
2021-10-05 21:04:18 +00:00
devsRole.SetClusterLabels(types.Allow, types.Labels{"access": []string{"prod"}})
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
mainAdmins := "main-admins"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
adminsRole, err := types.NewRole(mainAdmins, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
Logins: []string{"superuser"},
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
main.AddUserWithRole(username, devsRole, adminsRole)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
// Ops users can only access remote clusters with label 'access': 'ops'
mainOps := "main-ops"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
mainOpsRole, err := types.NewRole(mainOps, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
Logins: []string{username},
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
ClusterLabels: types.Labels{"access": []string{"ops"}},
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
main.AddUserWithRole(mainOps, mainOpsRole, adminsRole)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// for role mapping test we turn on Web API on the main cluster
// as it's used
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
tconf.SSH.Enabled = enableSSH
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
return t, nil, tconf
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
}
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.CreateEx(makeConfig(false)))
require.NoError(t, aux.CreateEx(makeConfig(true)))
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
// auxiliary cluster has only a role aux-devs
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
auxRole, err := types.NewRole(auxDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = aux.Process.GetAuthServer().UpsertRole(ctx, auxRole)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
trustedClusterToken := "trusted-cluster-token"
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
tokenResource, err := types.NewProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
if test.useLabels {
meta := tokenResource.GetMetadata()
meta.Labels = map[string]string{"access": "prod"}
tokenResource.SetMetadata(meta)
}
Pass context through new gRPC converted endpoints. (#6118)
2021-03-24 01:26:52 +00:00
err = main.Process.GetAuthServer().UpsertToken(ctx, tokenResource)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
// Note that the mapping omits admins role, this is to cover the scenario
// when root cluster and leaf clusters have different role sets
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
{Remote: mainDevs, Local: []string{auxDevs}},
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
{Remote: mainOps, Local: []string{auxDevs}},
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
})
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
// modify trusted cluster resource name, so it would not
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
err = trustedCluster.CheckAndSetDefaults()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// try and upsert a trusted cluster
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
sshPort, _, _ := aux.StartNodeAndProxy(t, "aux-node")
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(aux.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
cmd := []string{"echo", "hello world"}
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// Try and connect to a node in the Aux cluster from the Main cluster using
// direct dialing.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
Process: main.Process,
Username: username,
RouteToCluster: clusterAux,
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := main.NewClientWithCreds(helpers.ClientConfig{
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
Login: username,
Cluster: clusterAux,
Host: Loopback,
Port: sshPort,
JumpHost: test.useJumpHost,
}, *creds)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
// tell the client to trust aux cluster CAs (from secrets). this is the
// equivalent of 'known hosts' in openssh
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
auxCAS, err := aux.Secrets.GetCAs()
require.NoError(t, err)
for _, auxCA := range auxCAS {
Add manual tracing instrumentation to tsh (#13204) Create spans for all public facing TeleportClient, ProxyClient, and NodeClient methods. This makes correlating spans easier to reason about when looking at `tsh` traces. As a result of creating spans, some additional context propagation is required as well to ensure that spans are linked properly. This also removes the unused `quiet` argument from `ConnectToCluster`. It's usage was not consistent by existing callers, and it was ignored, so in order to avoid confusion in future calls, it was removed. #12241
2022-06-11 15:34:40 +00:00
err = tc.AddTrustedCA(ctx, auxCA)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
}
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
output := &bytes.Buffer{}
tc.Stdout = output
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = tc.SSH(ctx, cmd, false)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output.String())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Verify access to a remote cluster on GenerateUserCerts (#5593) Cluster labels were added in 5.0 to restrict access to trusted clusters. Enforce this restriction on `tsh login leafName` (aka `GenerateUserCerts`). Note: access check is already enforced on actual user connections (ssh/k8s/etc) and listing of trusted clusters (`tsh clusters`). You cannot bypass authz to actually connect to that cluster.
2021-02-18 00:13:32 +00:00
// Try and generate user creds for Aux cluster as ops user.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
_, err = helpers.GenerateUserCreds(helpers.UserCredsRequest{
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
Process: main.Process,
Username: mainOps,
RouteToCluster: clusterAux,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.True(t, trace.IsNotFound(err))
Add cluster labels Fixes #3604 This commit adds support for cluster_labels role parameter limiting access to remote clusters by label. New tctl update rc provides interface to set labels on remote clusters. Consider two clusers, `one` - root and `remote` - leaf. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online two online ``` Create the trusted cluster join token with labels: ```bash $ tctl tokens add --type=trusted_cluster --labels=env=prod ``` Every cluster joined using this token will inherit env:prod labels. Alternatively, update remote cluster labels by modifying `rc` command. Letting remote clusters to propagate their labels creates a problem of rogue clusters updating their labels to bad values. Instead, administrator of root cluster control the labels using remote clusters API without fear of override: ```bash $ tctl get rc kind: remote_cluster metadata: name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" version: v3 ``` ```bash $ tctl update rc/two --set-labels=env=prod cluster two has been updated ``` ```bash $ tctl get rc kind: remote_cluster metadata: labels: env: prod name: two status: connection: online last_heartbeat: "2020-09-14T03:13:59.35518164Z" ``` Update the role to deny access to prod env: ```yaml kind: role metadata: name: dev spec: allow: logins: [root] node_labels: '*': '*' # Cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. If no role in the role set is using labels and cluster is not labeled, # the cluster labels check is not applied. Otherwise, cluster labels are always enforced. # This makes the feature backwards-compatible. cluster_labels: 'env': 'staging' deny: # cluster labels control what clusters user can connect to. The wildcard ('*') means # any cluster. By default none is set in deny rules to preserve backwards compatibility cluster_labels: 'env': 'prod' ``` ```bash $ tctl create -f dev.yaml ``` Cluster two is now invisible to user with `dev` role. ```bash $ tsh clusters Cluster Name Status ------------ ------ one online ```
2020-09-14 02:48:13 +00:00
Improve performance of MFA ceremony (#24250) To date clients attempting to access a resource first have to call `proto.AuthService/IsMFARequired` to determine if an mfa ceremony is needed for access to a resource. In an effort to reduce an extra round trip to the Auth server this can can be bundled into `proto.AuthService/GenerateUserSingleUseCerts`. In order for RBAC to determine if mfa is required for SSH sessions the OS login of the session must be known. To accomodate this a new `SSHLogin` field was added to `proto.UserCertsRequest`. The response to the initial request of the stream now contains a `proto.MFARequired` enum which indicates whether mfa is required, not required, or it's unknown if mfa is required. The last variant should only be returned when the `SSHLogin` field is unset in the initial request. The `(auth.Server) isMFARequired` check was also modified for nodes to make use of `ListResources`. Instead of retrieving **all** nodes into memory and finding the matching ones, a request is made to `ListResources` with the `SearchKeywords` populated with the target from `proto.IsMFARequiredRequest_Node.Node.Node`. Care was taken to filter out any matches from labels to preserve the original matching behavior.
2023-04-14 19:08:28 +00:00
// check that we can list resources for the cluster.
Updates `tsh ls` for node/app/db/kube to accept new filter flags (#10980) * Also adds a search keyword parser that takes in different delimiters (comma is used for tsh, space is used for web UI) part of RFD 55
2022-03-09 23:56:55 +00:00
servers, err := tc.ListNodesWithFilters(ctx)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Len(t, servers, 2)
Fix role mapping for trusted clusters This commit fixes #3252 Security patches 4.2 introduced a regression - leaf clusters ignore role mapping and attempt to use role names coming from identity of the root cluster whenever GetNodes method was used. This commit reverts back the logic, however it ensures that the original fix is preserved - traits and groups are updated on the user object. Integration test has been extended to avoid the regression in the future.
2020-01-09 21:52:00 +00:00
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// check that remote cluster has been provisioned
remoteClusters, err := main.Process.GetAuthServer().GetRemoteClusters()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Len(t, remoteClusters, 1)
require.Equal(t, clusterAux, remoteClusters[0].GetName())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
// after removing the remote cluster and trusted cluster, the connection will start failing
Migrate the delete ca api to gRPC (#23070) Adds `DeleteCertAuthority` to the trust grpc service and deprecates the legacy HTTP api. Additionally the `DeleteCertAuthority` method in the `services.Trust` interface now takes a `context.Context` as the first parameter. In order to plumb the context through from all the call sites `DeleteRemoteCluster` from `services.Presence` was also modified to take a `context.Context` as the first parameter.
2023-03-15 13:11:37 +00:00
require.NoError(t, main.Process.GetAuthServer().DeleteRemoteCluster(ctx, clusterAux))
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
require.NoError(t, aux.Process.GetAuthServer().DeleteTrustedCluster(ctx, trustedCluster.GetName()))
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = tc.SSH(ctx, cmd, false)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
if err != nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err, "expected tunnel to close and SSH client to start failing")
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Allow connections to nodes when Auth is offline (#18302) * Allow connections to nodes when Auth is offline `tsh ssh user@foo` currently fails if Auth is unreachable. Prior to connecting to the target, `tsh` sends a `proto.AuthService/IsMFARequired` request to determine if per-session MFA is required. If necessary, the MFA ceremony then occurs before `tsh` attempts to connect to the node. However, nodes ultimately makes the decision on whether the user has access. To both increase availability of nodes and reduce initial connection latency, `tsh` can first attempt to connect to a node and fallback to checking if per-session MFA is required and then performing the ceremony if necessary followed by attempting another connection to the node. The major tradeoff is now when per-session MFA is required, `tsh` will connect to the target **twice**. The added latency is likely to be minimized by the amount of time it takes to perform the MFA ceremony. ## Connection flows prior to this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: no tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ``` ## Connection flows after this change: ### Auth online and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: yes tsh->>+Auth: perform mfa ceremony Auth-->>+tsh: issue challenge tsh-->>+Auth: challenge response Auth-->>+tsh: issue certificates tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth online and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA not required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Success ``` ### Auth offline and per-session MFA required ```mermaid sequenceDiagram participant tsh participant Auth participant Node tsh->>+Node: Connect Node-->>+tsh: Access Denied tsh->>+Auth: IsMFARequired Auth-->>-tsh: Error ```
2022-11-17 21:10:57 +00:00
// recreating the trusted cluster should re-establish connection
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
_, err = aux.Process.GetAuthServer().UpsertTrustedCluster(ctx, trustedCluster)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// check that remote cluster has been re-provisioned
remoteClusters, err = main.Process.GetAuthServer().GetRemoteClusters()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Len(t, remoteClusters, 1)
require.Equal(t, clusterAux, remoteClusters[0].GetName())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// connection and client should recover and work again
output = &bytes.Buffer{}
tc.Stdout = output
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = tc.SSH(ctx, cmd, false)
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output.String())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
// stop clusters and remaining nodes
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
}
Allow updating of trusted cluster role maps (#18168)
2023-01-13 19:06:17 +00:00
func trustedDisabledCluster(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) {
ctx := context.Background()
username := suite.Me.Username
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
mainCfg := helpers.InstanceConfig{
ClusterName: clusterMain,
HostID: helpers.HostID,
NodeName: Host,
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
}
mainCfg.Listeners = standardPortsOrMuxSetup(t, test.multiplex, &mainCfg.Fds)
main := helpers.NewInstance(t, mainCfg)
aux := suite.newNamedTeleportInstance(t, clusterAux)
// main cluster has a local user and belongs to role "main-devs" and "main-admins"
mainDevs := "main-devs"
devsRole, err := types.NewRole(mainDevs, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
// If the test is using labels, the cluster will be labeled
// and user will be granted access if labels match.
// Otherwise, to preserve backwards-compatibility
// roles with no labels will grant access to clusters with no labels.
if test.useLabels {
devsRole.SetClusterLabels(types.Allow, types.Labels{"access": []string{"prod"}})
}
require.NoError(t, err)
mainAdmins := "main-admins"
adminsRole, err := types.NewRole(mainAdmins, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{"superuser"},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
main.AddUserWithRole(username, devsRole, adminsRole)
// Ops users can only access remote clusters with label 'access': 'ops'
mainOps := "main-ops"
mainOpsRole, err := types.NewRole(mainOps, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
ClusterLabels: types.Labels{"access": []string{"ops"}},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
main.AddUserWithRole(mainOps, mainOpsRole, adminsRole)
// for role mapping test we turn on Web API on the main cluster
// as it's used
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func(instance *helpers.TeleInstance, enableSSH bool) (*testing.T, *servicecfg.Config) {
Allow updating of trusted cluster role maps (#18168)
2023-01-13 19:06:17 +00:00
tconf := suite.defaultServiceConfig()
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = enableSSH
tconf, err := instance.GenerateConfig(t, nil, tconf)
require.NoError(t, err)
tconf.CachePolicy.Enabled = false
return t, tconf
}
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
require.NoError(t, main.CreateWithConf(makeConfig(main, false)))
require.NoError(t, aux.CreateWithConf(makeConfig(aux, true)))
// auxiliary cluster has only a role aux-devs
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
auxRole, err := types.NewRole(auxDevs, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
err = aux.Process.GetAuthServer().UpsertRole(ctx, auxRole)
require.NoError(t, err)
trustedClusterToken := "trusted-cluster-token"
tokenResource, err := types.NewProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})
require.NoError(t, err)
if test.useLabels {
meta := tokenResource.GetMetadata()
meta.Labels = map[string]string{"access": "prod"}
tokenResource.SetMetadata(meta)
}
err = main.Process.GetAuthServer().UpsertToken(ctx, tokenResource)
require.NoError(t, err)
// Note that the mapping omits admins role, this is to cover the scenario
// when root cluster and leaf clusters have different role sets
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
{Remote: mainDevs, Local: []string{auxDevs}},
{Remote: mainOps, Local: []string{auxDevs}},
})
// modify trusted cluster resource name, so it would not
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
// disable cluster
trustedCluster.SetEnabled(false)
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
err = trustedCluster.CheckAndSetDefaults()
require.NoError(t, err)
// try and upsert a trusted cluster while disabled
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
// try to enable disabled cluster
trustedCluster.SetEnabled(true)
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
helpers.CheckTrustedClustersCanConnect(ctx, t, helpers.TrustedClusterSetup{
Aux: aux,
Main: main,
Username: username,
ClusterAux: clusterAux,
UseJumpHost: test.useJumpHost,
})
// stop clusters and remaining nodes
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
}
func trustedClustersRoleMapChanges(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) {
ctx := context.Background()
username := suite.Me.Username
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
mainCfg := helpers.InstanceConfig{
ClusterName: clusterMain,
HostID: helpers.HostID,
NodeName: Host,
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
}
mainCfg.Listeners = standardPortsOrMuxSetup(t, test.multiplex, &mainCfg.Fds)
main := helpers.NewInstance(t, mainCfg)
aux := suite.newNamedTeleportInstance(t, clusterAux)
// main cluster has a local user and belongs to role "main-devs" and "main-admins"
mainDevs := "main-devs"
devsRole, err := types.NewRole(mainDevs, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
// If the test is using labels, the cluster will be labeled
// and user will be granted access if labels match.
// Otherwise, to preserve backwards-compatibility
// roles with no labels will grant access to clusters with no labels.
if test.useLabels {
devsRole.SetClusterLabels(types.Allow, types.Labels{"access": []string{"prod"}})
}
require.NoError(t, err)
mainAdmins := "main-admins"
adminsRole, err := types.NewRole(mainAdmins, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{"superuser"},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
main.AddUserWithRole(username, devsRole, adminsRole)
// Ops users can only access remote clusters with label 'access': 'ops'
mainOps := "main-ops"
mainOpsRole, err := types.NewRole(mainOps, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
ClusterLabels: types.Labels{"access": []string{"ops"}},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
main.AddUserWithRole(mainOps, mainOpsRole, adminsRole)
// for role mapping test we turn on Web API on the main cluster
// as it's used
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func(instance *helpers.TeleInstance, enableSSH bool) (*testing.T, *servicecfg.Config) {
Allow updating of trusted cluster role maps (#18168)
2023-01-13 19:06:17 +00:00
tconf := suite.defaultServiceConfig()
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = enableSSH
tconf, err := instance.GenerateConfig(t, nil, tconf)
require.NoError(t, err)
tconf.CachePolicy.Enabled = false
return t, tconf
}
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
require.NoError(t, main.CreateWithConf(makeConfig(main, false)))
require.NoError(t, aux.CreateWithConf(makeConfig(aux, true)))
// auxiliary cluster has only a role aux-devs
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
auxRole, err := types.NewRole(auxDevs, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
err = aux.Process.GetAuthServer().UpsertRole(ctx, auxRole)
require.NoError(t, err)
trustedClusterToken := "trusted-cluster-token"
tokenResource, err := types.NewProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})
require.NoError(t, err)
if test.useLabels {
meta := tokenResource.GetMetadata()
meta.Labels = map[string]string{"access": "prod"}
tokenResource.SetMetadata(meta)
}
err = main.Process.GetAuthServer().UpsertToken(ctx, tokenResource)
require.NoError(t, err)
// Note that the mapping omits admins role, this is to cover the scenario
// when root cluster and leaf clusters have different role sets
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
{Remote: mainOps, Local: []string{auxDevs}},
})
// modify trusted cluster resource name, so it would not
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
err = trustedCluster.CheckAndSetDefaults()
require.NoError(t, err)
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
// change role mapping to ensure updating works
trustedCluster.SetRoleMap(types.RoleMap{
{Remote: mainDevs, Local: []string{auxDevs}},
})
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
helpers.CheckTrustedClustersCanConnect(ctx, t, helpers.TrustedClusterSetup{
Aux: aux,
Main: main,
Username: username,
ClusterAux: clusterAux,
UseJumpHost: test.useJumpHost,
})
// disable the enabled trusted cluster and ensure it no longer works
trustedCluster.SetEnabled(false)
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
// Wait for both cluster to no longer see each other via reverse tunnels.
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 0), 10*time.Second, 1*time.Second,
"Two clusters still see eachother after being disabled.")
require.Eventually(t, helpers.WaitForClusters(aux.Tunnel, 0), 10*time.Second, 1*time.Second,
"Two clusters still see eachother after being disabled.")
// stop clusters and remaining nodes
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) {
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
ctx := context.Background()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
main := suite.newNamedTeleportInstance(t, clusterMain)
aux := suite.newNamedTeleportInstance(t, clusterAux)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// main cluster has a local user and belongs to role "main-devs"
mainDevs := "main-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole(mainDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
main.AddUserWithRole(username, role)
// for role mapping test we turn on Web API on the main cluster
// as it's used
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = enableSSH
Add MaxRetryPeriod for cachePolicy config to use in tests (#22656) This fixes couple of flaky tests that surfaced after recent changes to the retry logic/timeouts.
2023-03-06 19:00:17 +00:00
tconf.CachePolicy.MaxRetryPeriod = time.Millisecond * 500
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
return t, nil, tconf
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
}
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.CreateEx(makeConfig(false)))
require.NoError(t, aux.CreateEx(makeConfig(true)))
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// auxiliary cluster has a role aux-devs
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err = types.NewRole(auxDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = aux.Process.GetAuthServer().UpsertRole(ctx, role)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
trustedClusterToken := "trusted-cluster-token"
Pass context through new gRPC converted endpoints. (#6118)
2021-03-24 01:26:52 +00:00
err = main.Process.GetAuthServer().UpsertToken(ctx,
Revert "Introduce ProvisionTokenV3 (#16361)" (#16934) This reverts commit 3fba50261fa473f1eb814be17e20a5c8de9bc33a.
2022-10-03 14:14:01 +00:00
services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{}))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
{Remote: mainDevs, Local: []string{auxDevs}},
})
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
// modify trusted cluster resource name, so it would not
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
err = trustedCluster.CheckAndSetDefaults()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// try and upsert a trusted cluster
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// Create a Teleport instance with a node that dials back to the aux cluster.
tunnelNodeHostname := "cluster-aux-node"
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
tconf.Hostname = tunnelNodeHostname
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
tconf.SetToken("token")
Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)
2022-09-28 15:30:15 +00:00
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: aux.Web,
})
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
return tconf
}
_, err = aux.StartNode(nodeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(aux.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// Wait for both nodes to show up before attempting to dial to them.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
err = helpers.WaitForNodeCount(ctx, main, clusterAux, 2)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
cmd := []string{"echo", "hello world"}
// Try and connect to a node in the Aux cluster from the Main cluster using
// direct dialing.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := main.NewClient(helpers.ClientConfig{
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Login: username,
Cluster: clusterAux,
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, aux.SSH),
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
output := &bytes.Buffer{}
tc.Stdout = output
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
for i := 0; i < 10; i++ {
time.Sleep(time.Millisecond * 50)
err = tc.SSH(context.TODO(), cmd, false)
if err == nil {
break
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output.String())
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// Try and connect to a node in the Aux cluster from the Main cluster using
// tunnel dialing.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tunnelClient, err := main.NewClient(helpers.ClientConfig{
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Login: username,
Cluster: clusterAux,
Host: tunnelNodeHostname,
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
tunnelOutput := &bytes.Buffer{}
tunnelClient.Stdout = tunnelOutput
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Adjust integration test timeouts (#18331) * Adjust integration test timeouts * Skip TestProxyTunnelStrategyProxyPeering
2022-11-24 18:47:49 +00:00
// Use assert package to get access to the returned error. In this way we can log it.
if !assert.Eventually(t, func() bool {
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
err = tunnelClient.SSH(context.Background(), cmd, false)
Adjust integration test timeouts (#18331) * Adjust integration test timeouts * Skip TestProxyTunnelStrategyProxyPeering
2022-11-24 18:47:49 +00:00
return err == nil
}, 10*time.Second, 200*time.Millisecond) {
require.FailNow(t, "Failed to established SSH connection", err)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
}
Adjust integration test timeouts (#18331) * Adjust integration test timeouts * Skip TestProxyTunnelStrategyProxyPeering
2022-11-24 18:47:49 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Equal(t, "hello world\n", tunnelOutput.String())
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// Stop clusters and remaining nodes.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
}
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
func testTrustedClusterAgentless(t *testing.T, suite *integrationTestSuite) {
ctx := context.Background()
username := suite.Me.Username
clusterMain := "cluster-main"
clusterAux := "cluster-aux"
mainCfg := helpers.InstanceConfig{
ClusterName: clusterMain,
HostID: helpers.HostID,
NodeName: Host,
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
}
mainCfg.Listeners = standardPortsOrMuxSetup(t, false, &mainCfg.Fds)
main := helpers.NewInstance(t, mainCfg)
aux := suite.newNamedTeleportInstance(t, clusterAux)
// main cluster has a local user and belongs to role "main-devs" and "main-admins"
mainDevs := "main-devs"
devsRole, err := types.NewRole(mainDevs, types.RoleSpecV6{
Options: types.RoleOptions{
ForwardAgent: types.NewBool(true),
},
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
// If the test is using labels, the cluster will be labeled
// and user will be granted access if labels match.
// Otherwise, to preserve backwards-compatibility
// roles with no labels will grant access to clusters with no labels.
devsRole.SetClusterLabels(types.Allow, types.Labels{"access": []string{"prod"}})
require.NoError(t, err)
mainAdmins := "main-admins"
adminsRole, err := types.NewRole(mainAdmins, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{"superuser"},
},
})
require.NoError(t, err)
main.AddUserWithRole(username, devsRole, adminsRole)
// for role mapping test we turn on Web API on the main cluster
// as it's used
makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) {
tconf := suite.defaultServiceConfig()
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = enableSSH
return t, nil, tconf
}
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
require.NoError(t, main.CreateEx(makeConfig(false)))
require.NoError(t, aux.CreateEx(makeConfig(false)))
// auxiliary cluster has only a role aux-devs
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
auxRole, err := types.NewRole(auxDevs, types.RoleSpecV6{
Allow: types.RoleConditions{
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
},
})
require.NoError(t, err)
err = aux.Process.GetAuthServer().UpsertRole(ctx, auxRole)
require.NoError(t, err)
trustedClusterToken := "trusted-cluster-token"
tokenResource, err := types.NewProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})
require.NoError(t, err)
meta := tokenResource.GetMetadata()
meta.Labels = map[string]string{"access": "prod"}
tokenResource.SetMetadata(meta)
err = main.Process.GetAuthServer().UpsertToken(ctx, tokenResource)
require.NoError(t, err)
// Note that the mapping omits admins role, this is to cover the scenario
// when root cluster and leaf clusters have different role sets
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
{Remote: mainDevs, Local: []string{auxDevs}},
})
// modify trusted cluster resource name, so it would not
// match the cluster name to check that it does not matter
trustedCluster.SetName(main.Secrets.SiteName + "-cluster")
require.NoError(t, main.Start())
require.NoError(t, aux.Start())
// create user in backend
err = main.Process.GetAuthServer().UpsertRole(ctx, devsRole)
require.NoError(t, err)
err = main.Process.GetAuthServer().UpsertRole(ctx, adminsRole)
require.NoError(t, err)
Update users interface (#32987) services.UsersService now takes a context and returns the user from write operations as shown in the diff below. The bulk of the changes are from modifying code to account for the additional parameter and/or return value. Functional changes to better make use of the new API will come in follow up PRs. ```diff // UserGetter is responsible for getting users type UserGetter interface { // GetUser returns a user by name - GetUser(user string, withSecrets bool) (types.User, error) + GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error) } // UsersService is responsible for basic user management type UsersService interface { UserGetter // CreateUser creates user, only if the user entry does not exist - CreateUser(user types.User) error + CreateUser(ctx context.Context, user types.User) (types.User, error) // UpdateUser updates an existing user. - UpdateUser(ctx context.Context, user types.User) error + UpdateUser(ctx context.Context, user types.User) (types.User, error) // UpdateAndSwapUser reads an existing user, runs `fn` against it and writes // the result to storage. Return `false` from `fn` to avoid storage changes. // Roughly equivalent to [GetUser] followed by [CompareAndSwapUser]. // Returns the storage user. UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error) // UpsertUser updates parameters about user - UpsertUser(user types.User) error + UpsertUser(ctx context.Context, user types.User) (types.User, error) // CompareAndSwapUser updates an existing user, but fails if the user does // not match an expected backend value. CompareAndSwapUser(ctx context.Context, new, existing types.User) error // DeleteUser deletes a user with all the keys from the backend DeleteUser(ctx context.Context, user string) error // GetUsers returns a list of users registered with the local auth server - GetUsers(withSecrets bool) ([]types.User, error) + GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error) // DeleteAllUsers deletes all users - DeleteAllUsers() error + DeleteAllUsers(ctx context.Context) error } ``` Depends on gravitational/teleport.e#2346 Implements step 3 of #32949
2023-10-10 14:07:46 +00:00
_, err = main.Process.GetAuthServer().UpsertUser(ctx, &types.UserV2{
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
Kind: types.KindUser,
Metadata: types.Metadata{
Name: username,
},
Spec: types.UserSpecV2{
Roles: []string{mainDevs, mainAdmins},
},
})
require.NoError(t, err)
err = trustedCluster.CheckAndSetDefaults()
require.NoError(t, err)
// try and upsert a trusted cluster
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, main.Process.GetAuthServer(), clusterAux, 1)
// Wait for both cluster to see each other via reverse tunnels.
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
"Two clusters do not see each other: tunnels are not working.")
require.Eventually(t, helpers.WaitForClusters(aux.Tunnel, 1), 10*time.Second, 1*time.Second,
"Two clusters do not see each other: tunnels are not working.")
// create agentless node in leaf cluster
node := createAgentlessNode(t, aux.Process.GetAuthServer(), clusterAux, "leaf-agentless-node")
// connect to leaf agentless node
creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Process: main.Process,
Username: username,
RouteToCluster: clusterAux,
})
require.NoError(t, err)
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
// create client for leaf cluster through root cluster
leafTC, err := main.NewClientWithCreds(helpers.ClientConfig{
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
Login: username,
Cluster: clusterAux,
Host: aux.InstanceListeners.ReverseTunnel,
}, *creds)
require.NoError(t, err)
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
// create client for root cluster
tc, err := main.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: clusterMain,
Host: main.InstanceListeners.ReverseTunnel,
})
require.NoError(t, err)
testAgentlessConn(t, leafTC, tc, node)
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
// Stop clusters and remaining nodes.
require.NoError(t, main.StopAll())
require.NoError(t, aux.StopAll())
}
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// TestDiscoveryRecovers ensures that discovery protocol recovers from a bad discovery
// state (all known proxies are offline).
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testDiscoveryRecovers(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// create load balancer for main cluster proxies
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
frontend := *utils.MustParseAddr(net.JoinHostPort(Loopback, "0"))
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
lb, err := utils.NewLoadBalancer(ctx, frontend)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.NoError(t, lb.Listen())
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
go lb.Serve()
defer lb.Close()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
remote := suite.newNamedTeleportInstance(t, "cluster-remote")
main := suite.newNamedTeleportInstance(t, "cluster-main")
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
remote.AddUser(username, []string{username})
main.AddUser(username, []string{username})
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, main.Create(t, remote.Secrets.AsSlice(), false, nil))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
mainSecrets := main.Secrets
// switch listen address of the main cluster to load balancer
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
mainProxyAddr := *utils.MustParseAddr(mainSecrets.TunnelAddr)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
lb.AddBackend(mainProxyAddr)
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
mainSecrets.TunnelAddr = lb.Addr().String()
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, remote.Create(t, mainSecrets.AsSlice(), true, nil))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
require.NoError(t, remote.Start())
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(remote.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
var reverseTunnelAddr string
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// Helper function for adding a new proxy to "main".
Fix tsh windows builds (#28357) #24864 added a dependency of lib/web into tsh which broke windows tsh builds because lib/web transiently depends on lib/srv which has linux specific code. This shuffles around a few things so that lib/web is no longer importing lib/srv at all by: - Indirectly using the srv.SessionController to apply session control for web ssh sessions - Moving the common reversetunnel interfaces into reversetunnelclient since lib/reversetunnel imports lib/srv/forward which imports lib/srv. - Directly converting mysql client errors in the connection tester instead of calling a common function.
2023-06-30 17:12:12 +00:00
addNewMainProxy := func(name string) (reversetunnelclient.Server, helpers.ProxyConfig) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Logf("adding main proxy %q...", name)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
newConfig := helpers.ProxyConfig{
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Name: name,
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
DisableWebService: true,
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
newConfig.SSHAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerNodeSSH, &newConfig.FileDescriptors)
newConfig.WebAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyWeb, &newConfig.FileDescriptors)
newConfig.ReverseTunnelAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyTunnel, &newConfig.FileDescriptors)
reverseTunnelAddr = newConfig.ReverseTunnelAddr
newProxy, _, err := main.StartProxy(newConfig)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// add proxy as a backend to the load balancer
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
lb.AddBackend(*utils.MustParseAddr(newConfig.ReverseTunnelAddr))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
return newProxy, newConfig
}
killMainProxy := func(name string) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Logf("killing main proxy %q...", name)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
for _, p := range main.Nodes {
if !p.Config.Proxy.Enabled {
continue
}
if p.Config.Hostname == name {
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
require.NoError(t, lb.RemoveBackend(*utils.MustParseAddr(reverseTunnelAddr)))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, p.Close())
require.NoError(t, p.Wait())
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
return
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Errorf("cannot close proxy %q (not found)", name)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
}
// Helper function for testing that a proxy in main has been discovered by
// (and is able to use reverse tunnel into) remote. If conf is nil, main's
// first/default proxy will be called.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
testProxyConn := func(conf *helpers.ProxyConfig, shouldFail bool) {
clientConf := helpers.ClientConfig{
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Login: username,
Cluster: "cluster-remote",
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, remote.SSH),
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
Proxy: conf,
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err := runCommand(t, main, []string{"echo", "hello world"}, clientConf, 10)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
if shouldFail {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
} else {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
}
}
// ensure that initial proxy's tunnel has been established
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, "cluster-remote", 1)
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// execute the connection via initial proxy; should not fail
testProxyConn(nil, false)
// helper funcion for making numbered proxy names
pname := func(n int) string {
return fmt.Sprintf("cluster-main-proxy-%d", n)
}
// create first numbered proxy
_, c0 := addNewMainProxy(pname(0))
// check that we now have two tunnel connections
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
require.NoError(t, helpers.WaitForProxyCount(remote, "cluster-main", 2))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// check that first numbered proxy is OK.
testProxyConn(&c0, false)
// remove the initial proxy.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, lb.RemoveBackend(mainProxyAddr))
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
require.NoError(t, helpers.WaitForProxyCount(remote, "cluster-main", 1))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
// force bad state by iteratively removing previous proxy before
// adding next proxy; this ensures that discovery protocol's list of
// known proxies is all invalid.
for i := 0; i < 6; i++ {
prev, next := pname(i), pname(i+1)
killMainProxy(prev)
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
require.NoError(t, helpers.WaitForProxyCount(remote, "cluster-main", 0))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
_, cn := addNewMainProxy(next)
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
require.NoError(t, helpers.WaitForProxyCount(remote, "cluster-main", 1))
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
testProxyConn(&cn, false)
}
// Stop both clusters and remaining nodes.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, remote.StopAll())
require.NoError(t, main.StopAll())
Add isolated proxy-seeking state machine (#2946) This commit introduces a new iteration of the proxy discovery algorithm implemented as a separate component from the main reversetunnel agent/agentpool system. This isolation is intended to improve our ability to test and reason about the algorithm in isolation from IO and other implementation details.
2019-09-06 17:37:12 +00:00
}
start working on integration testing
2017-10-11 23:36:25 +00:00
// TestDiscovery tests case for multiple proxies and a reverse tunnel
// agent that eventually connnects to the the right proxy
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testDiscovery(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
start working on integration testing
2017-10-11 23:36:25 +00:00
integration tests for proxies
2017-10-12 17:35:46 +00:00
// create load balancer for main cluster proxies
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
frontend := *utils.MustParseAddr(net.JoinHostPort(Loopback, "0"))
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
lb, err := utils.NewLoadBalancer(ctx, frontend)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.NoError(t, lb.Listen())
fix tests
2017-10-12 23:51:18 +00:00
go lb.Serve()
integration tests for proxies
2017-10-12 17:35:46 +00:00
defer lb.Close()
start working on integration testing
2017-10-11 23:36:25 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
remote := suite.newNamedTeleportInstance(t, "cluster-remote")
main := suite.newNamedTeleportInstance(t, "cluster-main")
start working on integration testing
2017-10-11 23:36:25 +00:00
integration tests for proxies
2017-10-12 17:35:46 +00:00
remote.AddUser(username, []string{username})
main.AddUser(username, []string{username})
start working on integration testing
2017-10-11 23:36:25 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, main.Create(t, remote.Secrets.AsSlice(), false, nil))
integration tests for proxies
2017-10-12 17:35:46 +00:00
mainSecrets := main.Secrets
// switch listen address of the main cluster to load balancer
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
mainProxyAddr := *utils.MustParseAddr(mainSecrets.TunnelAddr)
fix tests
2017-10-12 23:51:18 +00:00
lb.AddBackend(mainProxyAddr)
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
mainSecrets.TunnelAddr = lb.Addr().String()
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, remote.Create(t, mainSecrets.AsSlice(), true, nil))
integration tests for proxies
2017-10-12 17:35:46 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, main.Start())
require.NoError(t, remote.Start())
start working on integration testing
2017-10-11 23:36:25 +00:00
Removed `TestProxyReverseTunnel`. `TestProxyReverseTunnel` has been consistently failing with the following errors. --- FAIL: TestProxyReverseTunnel (11.76s) sshserver_test.go:1127: Error Trace: sshserver_test.go:1127 Error: Received unexpected error: timeout waiting for announce to be sent Test: TestProxyReverseTunnel FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 68.907s --- FAIL: TestProxyReverseTunnel (23.43s) assertion_compare.go:332: Error Trace: sshserver_test.go:1144 Error: "5.775333527" is not less than "5" Test: TestProxyReverseTunnel Messages: [] FAIL FAIL github.com/gravitational/teleport/lib/srv/regular 96.861s These both appear to be timing related. By removing `t.Parallel()` or increasing the timeouts it was possible to stabilize this test and have it consistently pass. However, looking at what `TestProxyReverseTunnel` actually tested, I don't think it can actually be removed completely. I've outlined what it tested and why this is no longer necessary and why we should remove it. * Reverse tunnels can be established This test was written prior to integration tests existing. Teleport now has integration tests that are more extensive, robust, and stable which cover reverse tunnel functionality like `TwoClustersProxy`, `TwoClustersTunnel`, and `TrustedTunnelNode`. The only thing they were missing that `TestProxyReverseTunnel` had was checking `LastConnected` time. This PR has been updated to add that to integration tests. * Connectivity can be established over reverse tunnels Similar to the above, we have more extensive, robust, and stable integration test coverage for establishing connectivity over a reverse tunnel now. The only bit of functionality that integration don't appear to have is connecting by DNS name _and_ IP address at sshserver_test.go#L1066-L1067. However, we do now have a dedicated unit test for this in `TestProxySubsys_getMatchingServer`. * Labels are synchronized While this test does schenonize dynamic labels, it never actually checks if they were synchronized correctly. That functionality was removed many years ago in https://github.com/gravitational/teleport/pull/250. We do now have unit test coverage for dynamic labels at lib/labels/labels_test.go.
2022-01-30 18:38:29 +00:00
// Wait for both cluster to see each other via reverse tunnels.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(main.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(remote.Tunnel, 1), 10*time.Second, 1*time.Second,
Fix.
2022-02-02 16:05:45 +00:00
"Two clusters do not see each other: tunnels are not working.")
start working on integration testing
2017-10-11 23:36:25 +00:00
integration tests for proxies
2017-10-12 17:35:46 +00:00
// start second proxy
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
proxyConfig := helpers.ProxyConfig{
integration tests for proxies
2017-10-12 17:35:46 +00:00
Name: "cluster-main-proxy",
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
DisableWebService: true,
fix tests
2017-10-12 23:51:18 +00:00
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyConfig.SSHAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerNodeSSH, &proxyConfig.FileDescriptors)
proxyConfig.WebAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyWeb, &proxyConfig.FileDescriptors)
proxyConfig.ReverseTunnelAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyTunnel, &proxyConfig.FileDescriptors)
secondProxy, _, err := main.StartProxy(proxyConfig)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
integration tests for proxies
2017-10-12 17:35:46 +00:00
// add second proxy as a backend to the load balancer
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
lb.AddBackend(*utils.MustParseAddr(proxyConfig.ReverseTunnelAddr))
integration tests for proxies
2017-10-12 17:35:46 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// At this point the main cluster should observe two tunnels
// connected to it from remote cluster
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, "cluster-remote", 1)
helpers.WaitForActiveTunnelConnections(t, secondProxy, "cluster-remote", 1)
Add ability to detect when a proxy has been removed forever to discovery protocol.
2018-06-15 22:35:02 +00:00
integration tests for proxies
2017-10-12 17:35:46 +00:00
// execute the connection via first proxy
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Wait for *Ready events for all Start* functions for TeleInstance. Increase delay to 250 millisecond between runCommands.
2018-02-13 00:28:17 +00:00
Login: username,
Cluster: "cluster-remote",
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, remote.SSH),
Wait for *Ready events for all Start* functions for TeleInstance. Increase delay to 250 millisecond between runCommands.
2018-02-13 00:28:17 +00:00
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err := runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
fix tests
2017-10-12 23:51:18 +00:00
Wait for *Ready events for all Start* functions for TeleInstance. Increase delay to 250 millisecond between runCommands.
2018-02-13 00:28:17 +00:00
// Execute the connection via second proxy, should work. This command is
// tried 10 times with 250 millisecond delay between each attempt to allow
// the discovery request to be received and the connection added to the agent
// pool.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfgProxy := helpers.ClientConfig{
fix tests
2017-10-12 23:51:18 +00:00
Login: username,
Cluster: "cluster-remote",
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, remote.SSH),
fix tests
2017-10-12 23:51:18 +00:00
Proxy: &proxyConfig,
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 10)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
fix tests
2017-10-12 23:51:18 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Now disconnect the main proxy and make sure it will reconnect eventually.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, lb.RemoveBackend(mainProxyAddr))
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, secondProxy, "cluster-remote", 1)
fix tests
2017-10-12 23:51:18 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Requests going via main proxy should fail.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
_, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err)
fix tests
2017-10-12 23:51:18 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Requests going via second proxy should succeed.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
fix tests
2017-10-12 23:51:18 +00:00
Wait for *Ready events for all Start* functions for TeleInstance. Increase delay to 250 millisecond between runCommands.
2018-02-13 00:28:17 +00:00
// Connect the main proxy back and make sure agents have reconnected over time.
// This command is tried 10 times with 250 millisecond delay between each
// attempt to allow the discovery request to be received and the connection
// added to the agent pool.
fix tests
2017-10-12 23:51:18 +00:00
lb.AddBackend(mainProxyAddr)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Once the proxy is added a matching tunnel connection should be created.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, "cluster-remote", 1)
helpers.WaitForActiveTunnelConnections(t, secondProxy, "cluster-remote", 1)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
Deflake `TestIntegrations/Discovery` (#31580) * Deflake TestIntegrations/Discovery * Shadow the testing.T in EventuallyWithT
2023-09-07 17:11:21 +00:00
require.EventuallyWithT(t, func(t *assert.CollectT) {
// once the tunnel is established we need to wait until we have a
// connection to the remote auth
site := main.GetSiteAPI("cluster-remote")
if !assert.NotNil(t, site) {
return
}
// we need to wait until we know about the node because direct dial to
// unregistered servers is no longer supported
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
_, err := site.GetNode(ctx, defaults.Namespace, main.Config.HostUUID)
Deflake `TestIntegrations/Discovery` (#31580) * Deflake TestIntegrations/Discovery * Shadow the testing.T in EventuallyWithT
2023-09-07 17:11:21 +00:00
assert.NoError(t, err)
}, time.Minute, 250*time.Millisecond)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Requests going via main proxy should succeed.
Deflake `TestIntegrations/Discovery` (#31580) * Deflake TestIntegrations/Discovery * Shadow the testing.T in EventuallyWithT
2023-09-07 17:11:21 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
start working on integration testing
2017-10-11 23:36:25 +00:00
Add ability to detect when a proxy has been removed forever to discovery protocol.
2018-06-15 22:35:02 +00:00
// Stop one of proxies on the main cluster.
err = main.StopProxy()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Add ability to detect when a proxy has been removed forever to discovery protocol.
2018-06-15 22:35:02 +00:00
// Wait for the remote cluster to detect the outbound connection is gone.
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
require.NoError(t, helpers.WaitForProxyCount(remote, "cluster-main", 1))
Add ability to detect when a proxy has been removed forever to discovery protocol.
2018-06-15 22:35:02 +00:00
// Stop both clusters and remaining nodes.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, remote.StopAll())
require.NoError(t, main.StopAll())
start working on integration testing
2017-10-11 23:36:25 +00:00
}
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
// TestReverseTunnelCollapse makes sure that when a reverse tunnel collapses
// nodes will reconnect when network connection between the proxy and node
// is restored.
func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
t.Cleanup(func() { tr.Stop() })
lib.SetInsecureDevMode(true)
t.Cleanup(func() { lib.SetInsecureDevMode(false) })
// Create and start load balancer for proxies.
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
frontend := *utils.MustParseAddr(net.JoinHostPort(Loopback, "0"))
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
lb, err := utils.NewLoadBalancer(ctx, frontend)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
require.NoError(t, err)
require.NoError(t, lb.Listen())
go lb.Serve()
t.Cleanup(func() { require.NoError(t, lb.Close()) })
// Create a Teleport instance with Auth/Proxy.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
mainConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.TunnelPublicAddrs = []utils.NetAddr{
{
AddrNetwork: "tcp",
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
Addr: lb.Addr().String(),
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
},
}
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.Proxy.DisableALPNSNIListener = true
tconf.SSH.Enabled = false
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(mainConfig())
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
t.Cleanup(func() { require.NoError(t, main.StopAll()) })
// Create a Teleport instance with a Proxy.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
proxyConfig := helpers.ProxyConfig{
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
Name: "cluster-main-proxy",
DisableWebService: false,
DisableWebInterface: true,
DisableALPNSNIListener: true,
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyConfig.SSHAddr = helpers.NewListener(t, service.ListenerNodeSSH, &proxyConfig.FileDescriptors)
proxyConfig.WebAddr = helpers.NewListener(t, service.ListenerProxyWeb, &proxyConfig.FileDescriptors)
proxyConfig.ReverseTunnelAddr = helpers.NewListener(t, service.ListenerProxyTunnel, &proxyConfig.FileDescriptors)
proxyTunnel, firstProxy, err := main.StartProxy(proxyConfig)
require.NoError(t, err)
// The Listener FDs injected into the first proxy instance will be closed
// when that instance is stopped later in in the test, rendering them all
// invalid. This will make the tunnel fail when it attempts to re-open once
// a second proxy is started. We can't just inject a totally new listener
// config into the second proxy when it starts, or the tunnel end points
// won't be able to find it.
//
// The least bad option is to duplicate all of the first proxy's Listener
// FDs and inject those duplicates prior to startiung the second proxy
// instance.
fdCache, err := firstProxy.ExportFileDescriptors()
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
require.NoError(t, err)
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
proxyOneBackend := utils.MustParseAddr(main.ReverseTunnel)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
lb.AddBackend(*proxyOneBackend)
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyTwoBackend := utils.MustParseAddr(proxyConfig.ReverseTunnelAddr)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
lb.AddBackend(*proxyTwoBackend)
// Create a Teleport instance with a Node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
tconf := suite.defaultServiceConfig()
tconf.Hostname = "cluster-main-node"
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
tconf.SetToken("token")
Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)
2022-09-28 15:30:15 +00:00
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: proxyConfig.WebAddr,
})
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
return tconf
}
node, err := main.StartNode(nodeConfig())
require.NoError(t, err)
// Wait for active tunnel connections to be established.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 0)
helpers.WaitForActiveTunnelConnections(t, proxyTunnel, helpers.Site, 1)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
// Execute the connection via first proxy.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
Host: "cluster-main-node",
}
_, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
require.Error(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfgProxy := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
Host: "cluster-main-node",
Proxy: &proxyConfig,
}
output, err := runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 10)
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
// stop the proxy to collapse the tunnel
require.NoError(t, main.StopProxy())
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 0)
helpers.WaitForActiveTunnelConnections(t, proxyTunnel, helpers.Site, 0)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
// Requests going via both proxy will fail.
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer invoke(cancel)
_, err = runCommandWithContext(timeoutCtx, t, main, []string{"echo", "hello world"}, cfg, 1)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
require.Error(t, err)
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
timeoutCtx, cancel = context.WithTimeout(context.Background(), 1*time.Second)
defer invoke(cancel)
_, err = runCommandWithContext(timeoutCtx, t, main, []string{"echo", "hello world"}, cfgProxy, 1)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
require.Error(t, err)
// wait for the node to reach a degraded state
Refactor `Supervisor.WaitForEvent` (#14940)
2022-07-28 13:34:27 +00:00
_, err = node.WaitForEventTimeout(5*time.Minute, service.TeleportDegradedEvent)
require.NoError(t, err, "timed out waiting for node to become degraded")
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
// start the proxy again and ensure the tunnel is re-established
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyConfig.FileDescriptors = fdCache
proxyTunnel, _, err = main.StartProxy(proxyConfig)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
require.NoError(t, err)
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 0)
helpers.WaitForActiveTunnelConnections(t, proxyTunnel, helpers.Site, 1)
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
// Requests going to the connected proxy should succeed.
_, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
require.Error(t, err)
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 40)
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
// Stop everything.
err = proxyTunnel.Shutdown(context.Background())
require.NoError(t, err)
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// TestDiscoveryNode makes sure the discovery protocol works with nodes.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
// Create and start load balancer for proxies.
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
frontend := *utils.MustParseAddr(net.JoinHostPort(Loopback, "0"))
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
lb, err := utils.NewLoadBalancer(ctx, frontend)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
err = lb.Listen()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
go lb.Serve()
defer lb.Close()
// Create a Teleport instance with Auth/Proxy.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
mainConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.TunnelPublicAddrs = []utils.NetAddr{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
{
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
AddrNetwork: "tcp",
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
Addr: lb.Addr().String(),
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
},
}
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
tconf.Proxy.DisableALPNSNIListener = true
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
tconf.SSH.Enabled = false
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return t, nil, nil, tconf
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(mainConfig())
Ensure that all integration.TeleInstance processes get cleaned up TeleInstance manages an auth server and a set of proxies/nodes. TeleInstance.Stop only stops the auth server. A bunch of tests used it assuming it also cleans up any running nodes. This has caused a lot of log spam from failing heartbeats and generally wasted CPU cycles. Rename it to Stop to StopAuth to make it's purpose more obvious. Add TeleInstance.StopAll that cleans up everything, suitable for deferring in tests.
2020-04-17 16:27:34 +00:00
defer main.StopAll()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Create a Teleport instance with a Proxy.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
proxyConfig := helpers.ProxyConfig{
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
Name: "cluster-main-proxy",
Fix Reverse Tunnels Not Properly reconnecting (#10368) * Fix Reverse Tunnels Not Properly reconnecting Nodes were not generating new agents which prevented reverse tunnels from being re-established after a collapse. Ensuring we always release the lease if the agent pool is unable to add a new agent. * add tunnel collapse reconnect test
2022-02-15 23:11:08 +00:00
DisableWebService: true,
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyConfig.SSHAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerNodeSSH, &proxyConfig.FileDescriptors)
proxyConfig.WebAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyWeb, &proxyConfig.FileDescriptors)
proxyConfig.ReverseTunnelAddr = helpers.NewListenerOn(t, main.Hostname, service.ListenerProxyTunnel, &proxyConfig.FileDescriptors)
proxyTunnel, _, err := main.StartProxy(proxyConfig)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
proxyOneBackend := utils.MustParseAddr(main.ReverseTunnel)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
lb.AddBackend(*proxyOneBackend)
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
proxyTwoBackend := utils.MustParseAddr(proxyConfig.ReverseTunnelAddr)
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
lb.AddBackend(*proxyTwoBackend)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// Create a Teleport instance with a Node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
tconf.Hostname = "cluster-main-node"
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
tconf.SetToken("token")
Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)
2022-09-28 15:30:15 +00:00
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: main.Web,
})
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
return tconf
}
_, err = main.StartNode(nodeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Wait for active tunnel connections to be established.
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 1)
helpers.WaitForActiveTunnelConnections(t, proxyTunnel, helpers.Site, 1)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// Execute the connection via first proxy.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Host: "cluster-main-node",
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err := runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// Execute the connection via second proxy, should work. This command is
// tried 10 times with 250 millisecond delay between each attempt to allow
// the discovery request to be received and the connection added to the agent
// pool.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfgProxy := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Host: "cluster-main-node",
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Proxy: &proxyConfig,
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
}
Fixes for integration tests and discovery protocol.
2019-05-14 22:16:27 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 10)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Remove second proxy from LB.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, lb.RemoveBackend(*proxyTwoBackend))
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 1)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Requests going via main proxy will succeed. Requests going via second
// proxy will fail.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
_, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Fixes for integration tests and discovery protocol.
2019-05-14 22:16:27 +00:00
// Add second proxy to LB, both should have a connection.
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
lb.AddBackend(*proxyTwoBackend)
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.WaitForActiveTunnelConnections(t, main.Tunnel, helpers.Site, 1)
helpers.WaitForActiveTunnelConnections(t, proxyTunnel, helpers.Site, 1)
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Requests going via both proxies will succeed.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err = runCommand(t, main, []string{"echo", "hello world"}, cfgProxy, 40)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, "hello world\n", output)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
Make integration tests more stable.
2019-05-09 00:41:52 +00:00
// Stop everything.
err = proxyTunnel.Shutdown(context.Background())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Ensure that all integration.TeleInstance processes get cleaned up TeleInstance manages an auth server and a set of proxies/nodes. TeleInstance.Stop only stops the auth server. A bunch of tests used it assuming it also cleans up any running nodes. This has caused a lot of log spam from failing heartbeats and generally wasted CPU cycles. Rename it to Stop to StopAuth to make it's purpose more obvious. Add TeleInstance.StopAll that cleans up everything, suitable for deferring in tests.
2020-04-17 16:27:34 +00:00
err = main.StopAll()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
}
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// TestExternalClient tests if we can connect to a node in a Teleport
// cluster. Both normal and recording proxies are tested.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testExternalClient(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Only run this test if we have access to the external SSH binary.
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
_, err := exec.LookPath("ssh")
if err != nil {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Skip("Skipping TestExternalClient, no external SSH binary found.")
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
return
}
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
inRecordLocation string
inForwardAgent bool
inCommand string
outError bool
outExecOutput string
}{
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Record at the node, forward agent. Will still work even though the agent
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// will be rejected by the proxy (agent forwarding request rejection is a
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// soft failure).
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Record at Node with Agent Forwarding",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNode,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
inForwardAgent: true,
inCommand: "echo hello",
outError: false,
outExecOutput: "hello",
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Record at the node, don't forward agent, will work. This is the normal
// Teleport mode of operation.
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Record at Node without Agent Forwarding",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNode,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
inForwardAgent: false,
inCommand: "echo hello",
outError: false,
outExecOutput: "hello",
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Record at the proxy, forward agent. Will work.
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Record at Proxy with Agent Forwarding",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtProxy,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
inForwardAgent: true,
inCommand: "echo hello",
outError: false,
outExecOutput: "hello",
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Record at the proxy, don't forward agent, request will fail because
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// recording proxy requires an agent.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Record at Proxy without Agent Forwarding",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtProxy,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
inForwardAgent: false,
inCommand: "echo hello",
outError: true,
outExecOutput: "",
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
}
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.desc, func(t *testing.T) {
// Create a Teleport instance with auth, proxy, and node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Mode: tt.inRecordLocation,
})
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Auth.SessionRecordingConfig = recConfig
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf.SSH.Enabled = true
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
// Generate certificates for the user simulating login.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
Process: teleport.Process,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Username: suite.Me.Username,
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
})
require.NoError(t, err)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Start (and defer close) a agent that runs during this integration test.
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(suite.Me, &creds.Key)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
defer helpers.CloseAgent(teleAgent, socketDirPath)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create a *exec.Cmd that will execute the external SSH command.
Break DB integration tests out into their own package (#16133) Making all of our integration tests run in entirely parallel requires a large engineering effort to enforce test isolation and remove all race conditions between tests. A lower-effort alternative may be to split apart the various test suites into their own Go packages, and test those packages in parallel, even if the tests inside are still executed serially. Auditing the test suites for races on system-level resources (e.g. files, ports) is much easier than chasing down every p[ossible race in the testing system. This patch acts as a trial run, breaking a fairly well-defined and self-contained test suite out into its own package. Note that the goal of this change is not necessarily to shave minutes off the build (although that would be nice), but to act as an illustration of how other, less well-formed test suites might be broken apart. See-Also: #12421 See-Also: #14408
2022-09-07 01:04:35 +00:00
execCmd, err := helpers.ExternalSSHCommand(helpers.CommandOptions{
ForwardAgent: tt.inForwardAgent,
SocketPath: socketPath,
ProxyPort: helpers.PortStr(t, teleport.SSHProxy),
NodePort: helpers.PortStr(t, teleport.SSH),
Command: tt.inCommand,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Execute SSH command and check the output is what we expect.
output, err := execCmd.Output()
if tt.outError {
require.Error(t, err)
} else {
improve ControlMaster error reporting (#30631)
2023-08-18 15:21:18 +00:00
// ensure stderr is printed as a string rather than bytes
var stderr string
if e, ok := err.(*exec.ExitError); ok {
stderr = string(e.Stderr)
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
improve ControlMaster error reporting (#30631)
2023-08-18 15:21:18 +00:00
require.NoError(t, err, "stderr=%q", stderr)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Equal(t, tt.outExecOutput, strings.TrimSpace(string(output)))
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
}
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// TestControlMaster checks if multiple SSH channels can be created over the
// same connection. This is frequently used by tools like Ansible.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testControlMaster(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
// Only run this test if we have access to the external SSH binary.
_, err := exec.LookPath("ssh")
if err != nil {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Skip("Skipping TestControlMaster, no external SSH binary found.")
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
return
}
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
inRecordLocation string
}{
// Run tests when Teleport is recording sessions at the node.
{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inRecordLocation: types.RecordAtNode,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
},
Disable ControlMaster test for proxy recording mode (#16720) Control master functionality is currently broken in proxy recording mode. We're aware of the issue and will disable the test until we are able to fix the underlying issue. Updates #16224
2022-09-26 18:05:53 +00:00
// Run tests when Teleport is recording sessions at the proxy
// (temporarily disabled, see https://github.com/gravitational/teleport/issues/16224)
// {
// inRecordLocation: types.RecordAtProxy,
// },
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
for _, tt := range tests {
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
t.Run(fmt.Sprintf("recording_mode=%s", tt.inRecordLocation), func(t *testing.T) {
controlDir, err := os.MkdirTemp("", "teleport-")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
defer os.RemoveAll(controlDir)
controlPath := filepath.Join(controlDir, "control-path")
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
// Create a Teleport instance with auth, proxy, and node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Mode: tt.inRecordLocation,
})
require.NoError(t, err)
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Auth.SessionRecordingConfig = recConfig
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
tconf.SSH.Enabled = true
Fixed TestDisconnection Integration tests were creating the users SSH and x509 certificates at the time of server creation, specifically at the time of the "TeleInstance" creation. If any component within the "TeleInstance" was slow to start, for example if the proxy watcher had to be reset as can be seen below, the users certificate would often be expired by the time the SSH request was issued which would lead to the SSH server rejecting the connection and the test failing with an unexpected error. For most tests this is not an issue, because test certificates are valid for 24 hours. However "TestDisconnection" scopes the TTL of certificates down (often times to about 2 seconds) to test different certificate lifetime disconnection scenarios which would lead to this test being flaky. Updated integration test logic to instead "issue" the users certificate at the time of client creation instead of server creation.
2022-02-06 22:06:04 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
return t, nil, nil, tconf
}
teleport := suite.NewTeleportWithConfig(makeConfig())
defer teleport.StopAll()
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
// Generate certificates for the user simulating login.
creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Process: teleport.Process,
Username: suite.Me.Username,
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
// Start (and defer close) a agent that runs during this integration test.
teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(suite.Me, &creds.Key)
require.NoError(t, err)
defer helpers.CloseAgent(teleAgent, socketDirPath)
// Create and run an exec command twice with the passed in ControlPath. This
// will cause re-use of the connection and creation of two sessions within
// the connection.
for i := 0; i < 2; i++ {
execCmd, err := helpers.ExternalSSHCommand(helpers.CommandOptions{
ForcePTY: true,
ForwardAgent: true,
ControlPath: controlPath,
SocketPath: socketPath,
ProxyPort: helpers.PortStr(t, teleport.SSHProxy),
NodePort: helpers.PortStr(t, teleport.SSH),
Command: "echo hello",
})
require.NoError(t, err)
// Execute SSH command and check the output is what we expect.
output, err := execCmd.Output()
improve ControlMaster error reporting (#31296)
2023-09-01 21:07:53 +00:00
// ensure stderr is printed as a string rather than bytes
var stderr string
if e, ok := err.(*exec.ExitError); ok {
stderr = string(e.Stderr)
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
improve ControlMaster error reporting (#31296)
2023-09-01 21:07:53 +00:00
require.NoError(t, err, "stderr=%q", stderr)
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "hello"))
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
Reduce number of auth dials for tsh commands (#16367) * Reduce number of auth dials for tsh commands One of the major areas of latency for `tsh ssh` is creating multiple auth clients. Since the auth client is lazy and only actually performs the dial on first use we can create an auth client once and simply reuse it. This is done by adding an `auth.ClientI` to `ProxyClient` which is created via `connectToProxy`. All attempts to connect to the current auth server via the `ProxyClient` will be given the cached `auth.ClientI`. The new method of retrieving the current auth client also allowed to remove a number of calls to `GetSites` which were used to obtain the current cluster name. The local profile already contains the name of the cluster and calls to `GetSites` were unnecessary. All instances which relied on the site name now retrieve from information that the `ProxyClient` already has. In an effort to reduce ambiguity and confusion `CurrentClusterAccessPoint` and `ClusterAccessPoint` were also removed. AccessPoint denotes that you are connecting to a cache, but the `ProxyClient` is always going to be hitting the auth server directly. The two have been replaced with `CurrentCluster` and `ConnectToCluster`, which they were merely wrappers for anyhow.
2022-09-27 15:37:51 +00:00
})
Create context once either "session" or "direct-tcpip" channel has been opened in the forwarding server.
2018-03-30 21:42:08 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testProxyHostKeyCheck uses the forwarding proxy to connect to a server that
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// presents a host key instead of a certificate in different configurations
// for the host key checking parameter in services.ClusterConfig.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testProxyHostKeyCheck(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
inHostKeyCheck bool
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
outError bool
}{
// disable host key checking, should be able to connect
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled",
inHostKeyCheck: false,
outError: false,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
// enable host key checking, should NOT be able to connect
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled",
inHostKeyCheck: true,
outError: true,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
},
}
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.desc, func(t *testing.T) {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
hostSigner, err := ssh.ParsePrivateKey(suite.Priv)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
// start a ssh server that presents a host key instead of a certificate
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
nodePort := newPortValue()
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// create a teleport instance with auth, proxy, and node
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Mode: types.RecordAtProxy,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
ProxyChecksHostKeys: types.NewBoolOption(tt.inHostKeyCheck),
})
require.NoError(t, err)
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Auth.SessionRecordingConfig = recConfig
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
return t, nil, nil, tconf
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
instance := suite.NewTeleportWithConfig(makeConfig())
defer instance.StopAll()
Allow node to handle old and new way of client IP propagation on the same listener (#22572) * Allow node to handle old and new way of client IP propagation on same listener With addition of signed PROXY headers, node was listening on multiplexer, but because of that it couldn't processing incoming connection from older proxies when ProxyHelloSignature was used, because both ends were waiting for the other side to send data first. Here we integrate ability to handle PROXY headers into connection itself, so we can start ssh server without waiting for multiplexer to detect connection * Remove unneeded code * Improve comment's wording Co-authored-by: Michael Wilson <mike@mdwn.dev> * Improve comment's wording Co-authored-by: Michael Wilson <mike@mdwn.dev> * Fix imports * Unexport function * Add godoc * Remove unneeded comment * Move ProxyHelloSignature to constants * Check that proxyline is verified * Use Warn() instead of Warnf() * Move ProxyHelloSignature to api/constants * Add timeout for getting host CA during proxyline verification. * Rearrange conditions Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Clarify comment. --------- Co-authored-by: Michael Wilson <mike@mdwn.dev> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
2023-03-07 13:55:02 +00:00
caGetter := func(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error) {
return instance.Process.GetAuthServer().Cache.GetCertAuthority(ctx, id, loadKeys)
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
proxyEnabledListener, err := helpers.CreatePROXYEnabledListener(context.Background(), t, net.JoinHostPort(Host, strconv.Itoa(nodePort)),
Allow node to handle old and new way of client IP propagation on the same listener (#22572) * Allow node to handle old and new way of client IP propagation on same listener With addition of signed PROXY headers, node was listening on multiplexer, but because of that it couldn't processing incoming connection from older proxies when ProxyHelloSignature was used, because both ends were waiting for the other side to send data first. Here we integrate ability to handle PROXY headers into connection itself, so we can start ssh server without waiting for multiplexer to detect connection * Remove unneeded code * Improve comment's wording Co-authored-by: Michael Wilson <mike@mdwn.dev> * Improve comment's wording Co-authored-by: Michael Wilson <mike@mdwn.dev> * Fix imports * Unexport function * Add godoc * Remove unneeded comment * Move ProxyHelloSignature to constants * Check that proxyline is verified * Use Warn() instead of Warnf() * Move ProxyHelloSignature to api/constants * Add timeout for getting host CA during proxyline verification. * Rearrange conditions Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Clarify comment. --------- Co-authored-by: Michael Wilson <mike@mdwn.dev> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
2023-03-07 13:55:02 +00:00
caGetter, instance.Secrets.SiteName)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
require.NoError(t, err)
sshNode, err := helpers.NewDiscardServer(hostSigner, proxyEnabledListener)
require.NoError(t, err)
err = sshNode.Start()
require.NoError(t, err)
defer sshNode.Stop()
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// create a teleport client and exec a command
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Port: nodePort,
ForwardAgent: true,
}
Dont allow directly dialing to servers not in inventory (#30323) * Dont allow directly dialing to servers not in inventory add direct dial escape hatch * Fix failing unit test * Fix TestProxySSH * Fix TestTraitsPropagation * resolve comment * fix non-multiplexed trusted cluster setup in tsh test suite * Fix TestProxySSH * wait on nodes * Skip the flaky check for TestSSHLoadAllCAs --------- Co-authored-by: Forrest Marshall <forrest@goteleport.com>
2023-08-29 11:52:55 +00:00
// Create the node
clt := instance.Process.GetAuthServer()
server, err := types.NewServer("name", types.KindNode, types.ServerSpecV2{
Addr: net.JoinHostPort(Host, strconv.Itoa(nodePort)),
Hostname: "localhost",
})
require.NoError(t, err)
server.SetSubKind(types.SubKindOpenSSHNode)
_, err = clt.UpsertNode(context.Background(), server)
require.NoError(t, err)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
_, err = runCommand(t, instance, []string{"echo hello"}, clientConfig, 1)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// check if we were able to exec the command or not
if tt.outError {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testAuditOff checks that when session recording has been turned off,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// sessions are not recorded.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testAuditOff(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Add context.Context to session.Service inteface (#14668) * Add context.Context to session.Service interface Updates GetSessions, GetSession, CreateSession, UpdateSesion, and DeleteSession to take a context.Context. All call paths are updated to properly pass along a real context instead of relying on a to eliminate context.TODOs.
2022-07-25 22:05:09 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
var err error
// create a teleport instance with auth, proxy, and node
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
sessionsDir := t.TempDir()
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
auditConfig, err := types.NewClusterAuditConfig(types.ClusterAuditConfigSpecV2{
AuditSessionsURI: sessionsDir,
})
require.NoError(t, err)
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Mode: types.RecordOff,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
tconf.Auth.Enabled = true
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
tconf.Auth.AuditConfig = auditConfig
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
tconf.Auth.SessionRecordingConfig = recConfig
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return t, nil, nil, tconf
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// get access to a authClient for the cluster
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleport.GetSiteAPI(helpers.Site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotNil(t, site)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// should have no sessions in it to start with
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
sessions, _ := site.GetActiveSessionTrackers(ctx)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Len(t, sessions, 0)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
beforeSession := time.Now()
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// create interactive session (this goroutine is this user's terminal time)
endCh := make(chan error, 1)
myTerm := NewTerminal(250)
go func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
})
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
if err != nil {
endCh <- err
return
}
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
cl.Stdout = myTerm
cl.Stdin = myTerm
Add context.Context to session.Service inteface (#14668) * Add context.Context to session.Service interface Updates GetSessions, GetSession, CreateSession, UpdateSesion, and DeleteSession to take a context.Context. All call paths are updated to properly pass along a real context instead of relying on a to eliminate context.TODOs.
2022-07-25 22:05:09 +00:00
err = cl.SSH(ctx, []string{}, false)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
endCh <- err
}()
// wait until there's a session in there:
Add context.Context to session.Service inteface (#14668) * Add context.Context to session.Service interface Updates GetSessions, GetSession, CreateSession, UpdateSesion, and DeleteSession to take a context.Context. All call paths are updated to properly pass along a real context instead of relying on a to eliminate context.TODOs.
2022-07-25 22:05:09 +00:00
timeoutCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
defer cancel()
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
sessions, err = waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
require.NoError(t, err)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
tracker := sessions[0]
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// wait for the user to join this session
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
for len(tracker.GetParticipants()) == 0 {
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
time.Sleep(time.Millisecond * 5)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
tracker, err = site.GetSessionTracker(ctx, sessions[0].GetSessionID())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
// make sure it's us who joined! :)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
require.Equal(t, suite.Me.Username, tracker.GetParticipants()[0].User)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// lets type "echo hi" followed by "enter" and then "exit" + "enter":
myTerm.Type("\aecho hi\n\r\aexit\n\r\a")
// wait for session to end
select {
case <-time.After(1 * time.Minute):
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Fatalf("Timed out waiting for session to end.")
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
case err := <-endCh:
require.NoError(t, err)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
spelling cleanup
2018-11-15 19:14:20 +00:00
// audit log should have the fact that the session occurred recorded in it
Clear terminal when auth server is in FIPS mode (#10095) This change clears the terminal at the end of a session when the auth server is in FIPS mode, even if tsh isn't.
2022-02-17 18:16:36 +00:00
// but the session could have been garbage collected at this point.
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
// however, attempts to read the actual sessions should fail because it was
// not actually recorded
Remove duplicate imports (#24736)
2023-04-18 19:08:26 +00:00
_, err = site.GetSessionChunk(defaults.Namespace, session.ID(tracker.GetSessionID()), 0, events.MaxChunkBytes)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Error(t, err)
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
// ensure that session related events were emitted to audit log
var auditEvents []apievents.AuditEvent
require.Eventually(t, func() bool {
ae, _, err := site.SearchEvents(ctx, events.SearchEventsRequest{
From: beforeSession,
To: time.Now(),
EventTypes: []string{
events.SessionStartEvent,
events.SessionLeaveEvent,
events.SessionEndEvent,
},
})
assert.NoError(t, err)
if len(ae) < 3 {
return false
}
auditEvents = ae
return true
}, 10*time.Second, 500*time.Millisecond)
var hasStart bool
var hasLeave bool
var hasEnd bool
for _, ae := range auditEvents {
switch ae.(type) {
case *apievents.SessionStart:
hasStart = true
case *apievents.SessionLeave:
hasLeave = true
case *apievents.SessionEnd:
hasEnd = true
default:
continue
}
}
require.True(t, hasStart, "session start event not found")
require.True(t, hasLeave, "session leave event not found")
require.True(t, hasEnd, "session end event not found")
// ensure session upload directory is empty
fi, err := os.ReadDir(sessionsDir)
require.NoError(t, err)
require.Empty(t, fi)
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testPAM checks that Teleport PAM integration works correctly. In this case
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
// that means if the account and session modules return success, the user
// should be allowed to log in. If either the account or session module does
// not return success, the user should not be able to log in.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testPAM(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
pam: trigger pam_authenticate on login (#3966) * pam: trigger pam_authenticate on login This will trigger any "auth" PAM modules configured on the system for teleport. For example, Duo 2FA prompt on each connection. The module will be able to interact with the user (e.g. print prompts). Also, make PAM env var propagation consistent for port forwarding sessions. Fixes https://github.com/gravitational/teleport/issues/3929 * Revamp PAM testing stack - update PAM policies and module for "auth" step - use pam_teleport.so from the repo directory instead of guessing OS-specific global path - add tests covering all failure scenarios and generally refactor PAM tests * Build pam_teleport.so during buildbox build inside docker This removes the need for libpam-devel on the host and reliably compiles pam_teleport.so in our CI pipeline. As part of this, combine build.assets/pam/ and modules/pam_teleport to avoid the need to sync them.
2020-07-10 20:28:33 +00:00
// Check if TestPAM can run. For PAM tests to run, the binary must have
// been built with PAM support and the system running the tests must have
// libpam installed, and have the policy files installed. This test is
// always run in a container as part of the CI/CD pipeline. To run this
// test locally, install the pam_teleport.so module by running 'sudo make
// install' from the build.assets/pam/ directory. This will install the PAM
// module as well as the policy files.
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
if !pam.BuildHasPAM() || !pam.SystemHasPAM() || !hasPAMPolicy() {
skipMessage := "Skipping TestPAM: no policy found. To run PAM tests run " +
pam: trigger pam_authenticate on login (#3966) * pam: trigger pam_authenticate on login This will trigger any "auth" PAM modules configured on the system for teleport. For example, Duo 2FA prompt on each connection. The module will be able to interact with the user (e.g. print prompts). Also, make PAM env var propagation consistent for port forwarding sessions. Fixes https://github.com/gravitational/teleport/issues/3929 * Revamp PAM testing stack - update PAM policies and module for "auth" step - use pam_teleport.so from the repo directory instead of guessing OS-specific global path - add tests covering all failure scenarios and generally refactor PAM tests * Build pam_teleport.so during buildbox build inside docker This removes the need for libpam-devel on the host and reliably compiles pam_teleport.so in our CI pipeline. As part of this, combine build.assets/pam/ and modules/pam_teleport to avoid the need to sync them.
2020-07-10 20:28:33 +00:00
"'sudo make install' from the build.assets/pam/ directory."
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Skip(skipMessage)
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
}
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
inEnabled bool
inServiceName string
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inUsePAMAuth bool
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
outContains []string
add PAM environment with interpolation support
2021-03-30 15:30:34 +00:00
environment map[string]string
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
}{
// 0 - No PAM support, session should work but no PAM related output.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
inEnabled: false,
inServiceName: "",
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inUsePAMAuth: true,
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
outContains: []string{},
},
// 1 - PAM enabled, module account and session functions return success.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled with Module Account & Session functions succeeding",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
inEnabled: true,
inServiceName: "teleport-success",
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inUsePAMAuth: true,
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
outContains: []string{
pam: trigger pam_authenticate on login (#3966) * pam: trigger pam_authenticate on login This will trigger any "auth" PAM modules configured on the system for teleport. For example, Duo 2FA prompt on each connection. The module will be able to interact with the user (e.g. print prompts). Also, make PAM env var propagation consistent for port forwarding sessions. Fixes https://github.com/gravitational/teleport/issues/3929 * Revamp PAM testing stack - update PAM policies and module for "auth" step - use pam_teleport.so from the repo directory instead of guessing OS-specific global path - add tests covering all failure scenarios and generally refactor PAM tests * Build pam_teleport.so during buildbox build inside docker This removes the need for libpam-devel on the host and reliably compiles pam_teleport.so in our CI pipeline. As part of this, combine build.assets/pam/ and modules/pam_teleport to avoid the need to sync them.
2020-07-10 20:28:33 +00:00
"pam_sm_acct_mgmt OK",
"pam_sm_authenticate OK",
"pam_sm_open_session OK",
"pam_sm_close_session OK",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
},
},
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
// 2 - PAM enabled, module account and session functions return success.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled with Module & Session functions succeeding",
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inEnabled: true,
inServiceName: "teleport-success",
inUsePAMAuth: false,
outContains: []string{
"pam_sm_acct_mgmt OK",
"pam_sm_open_session OK",
"pam_sm_close_session OK",
},
},
// 3 - PAM enabled, module account functions fail.
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled with all functions failing",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
inEnabled: true,
inServiceName: "teleport-acct-failure",
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inUsePAMAuth: true,
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
outContains: []string{},
},
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
// 4 - PAM enabled, module session functions fail.
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled with Module & Session functions failing",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
inEnabled: true,
inServiceName: "teleport-session-failure",
Fixed PAM integration tests.
2020-10-16 20:54:51 +00:00
inUsePAMAuth: true,
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
outContains: []string{},
},
add PAM environment with interpolation support
2021-03-30 15:30:34 +00:00
// 5 - PAM enabled, custom environment variables are passed.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled with custom environment",
add PAM environment with interpolation support
2021-03-30 15:30:34 +00:00
inEnabled: true,
inServiceName: "teleport-custom-env",
inUsePAMAuth: false,
outContains: []string{
"pam_sm_acct_mgmt OK",
"pam_sm_open_session OK",
"pam_sm_close_session OK",
"pam_custom_envs OK",
},
environment: map[string]string{
"FIRST_NAME": "JOHN",
"LAST_NAME": "DOE",
"OTHER": "{{ external.testing }}",
},
},
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
}
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.desc, func(t *testing.T) {
// Create a teleport instance with auth, proxy, and node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
tconf.Auth.Enabled = true
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
tconf.SSH.PAM.Enabled = tt.inEnabled
tconf.SSH.PAM.ServiceName = tt.inServiceName
tconf.SSH.PAM.UsePAMAuth = tt.inUsePAMAuth
tconf.SSH.PAM.Environment = tt.environment
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
termSession := NewTerminal(250)
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
errCh := make(chan error)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create an interactive session and write something to the terminal.
go func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
if err != nil {
errCh <- err
return
}
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
cl.Stdout = termSession
cl.Stdin = termSession
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
termSession.Type("\aecho hi\n\r\aexit\n\r\a")
err = cl.SSH(context.TODO(), []string{}, false)
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
if !isSSHError(err) {
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
errCh <- err
return
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
}
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
errCh <- nil
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}()
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Wait for the session to end or timeout after 10 seconds.
select {
case <-time.After(10 * time.Second):
dumpGoroutineProfile()
t.Fatalf("Timeout exceeded waiting for session to complete.")
Fix uses of require in goroutines (#16953) The require checks from testify call (*testing.T).Fail, which should only be called from the test goroutine.
2022-10-05 19:14:30 +00:00
case err := <-errCh:
require.NoError(t, err)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// If any output is expected, check to make sure it was output.
if len(tt.outContains) > 0 {
for _, expectedOutput := range tt.outContains {
output := termSession.Output(1024)
t.Logf("got output: %q; want output to contain: %q", output, expectedOutput)
require.Contains(t, output, expectedOutput)
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testRotateSuccess tests full cycle cert authority rotation
func testRotateSuccess(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
teleport := suite.NewTeleportInstance(t)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
logins := []string{suite.Me.Username}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
for _, login := range logins {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport.AddUser(login, []string{login})
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.rotationConfig(true)
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
config, err := teleport.GenerateConfig(t, nil, tconf)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Ensure that the WindowsDesktopReady event is emitted (#14804) When desktop access is enabled, the TeleportReady event will not be emitted until the WindowsDesktopReadyEvent is emitted, and it turns out we have *never* emitted a WindowsDesktopReadyEvent. This is likely due to desktop access being copied from kube access since the very beginning. The same issue was recently fixed for kube access in #9418.
2022-07-22 20:41:36 +00:00
// Enable Kubernetes/Desktop services to test that the ready event is propagated.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
helpers.EnableKubernetesService(t, config)
Ensure that the WindowsDesktopReady event is emitted (#14804) When desktop access is enabled, the TeleportReady event will not be emitted until the WindowsDesktopReadyEvent is emitted, and it turns out we have *never* emitted a WindowsDesktopReadyEvent. This is likely due to desktop access being copied from kube access since the very beginning. The same issue was recently fixed for kube access in #9418.
2022-07-22 20:41:36 +00:00
helpers.EnableDesktopService(config)
Fix initKube: broadcast KubeReady event (#9418)
2021-12-20 19:42:43 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
serviceC := make(chan *service.TeleportProcess, 20)
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
runErrCh := make(chan error, 1)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
go func() {
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
runErrCh <- service.Run(ctx, *config, func(cfg *servicecfg.Config) (service.Process, error) {
Fix `Too many requests` error in github actions test (#19606)
2022-12-23 03:47:02 +00:00
svc, err := service.NewTeleport(cfg)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
if err == nil {
serviceC <- svc
}
return svc, err
})
}()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
svc, err := waitForProcessStart(serviceC)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
require.Eventually(t, func() bool {
_, err := svc.GetIdentity(types.RoleNode)
return err == nil
}, 5*time.Second, 500*time.Millisecond)
checkSSHPrincipals := func(svc *service.TeleportProcess) {
id, err := svc.GetIdentity(types.RoleNode)
require.NoError(t, err)
require.Contains(t, id.Cert.ValidPrincipals, svc.Config.Hostname)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
require.Contains(t, id.Cert.ValidPrincipals, svc.Config.Hostname+"."+helpers.Site)
require.Contains(t, id.Cert.ValidPrincipals, helpers.HostID)
require.Contains(t, id.Cert.ValidPrincipals, helpers.HostID+"."+helpers.Site)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
}
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// Setup user in the cluster
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
err = helpers.SetupUser(svc, suite.Me.Username, nil)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// capture credentials before reload started to simulate old client
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
initialCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{Process: svc, Username: suite.Me.Username})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service started. Setting rotation state to %v", types.RotationPhaseUpdateClients)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// start rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseInit,
Mode: types.RotationModeManual,
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
hostCA, err := svc.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{Type: types.HostCA, DomainName: helpers.Site}, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA))
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// wait until service phase update to be broadcasted (init phase does not trigger reload)
err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// update clients
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateClients,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reload
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Cache per-cluster SSH certificates under ~/.tsh (#5938) ```diff ~/.tsh/ └── keys ├── one.example.com --> Proxy hostname │ ├── certs.pem --> TLS CA certs for the Teleport CA │ ├── foo --> RSA Private Key for user "foo" │ ├── foo.pub --> Public Key - │ ├── foo-cert.pub --> SSH certificate for proxies and nodes │ ├── foo-x509.pem --> TLS client certificate for Auth Server + │ ├── foo-ssh --> SSH certs for user "foo" + │ │ ├── root-cert.pub --> SSH cert for Teleport cluster "root" + │ │ └── leaf-cert.pub --> SSH cert for Teleport cluster "leaf" ``` When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes #5637.
2021-03-29 21:14:31 +00:00
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
clt, err := teleport.NewClientWithCreds(cfg, *initialCreds)
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// client works as is before servers have been rotated
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// move to the next phase
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateServers,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
hostCA, err = svc.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{Type: types.HostCA, DomainName: helpers.Site}, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA))
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new credentials will work from this phase to others
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
newCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{Process: svc, Username: suite.Me.Username})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
clt, err = teleport.NewClientWithCreds(cfg, *newCreds)
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new client works
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// complete rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseStandby,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
hostCA, err = svc.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{Type: types.HostCA, DomainName: helpers.Site}, false)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
t.Logf("Cert authority: %v", auth.CertAuthorityInfo(hostCA))
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new client still works
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Logf("Service reloaded. Rotation has completed. Shutting down service.")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// shut down the service
cancel()
// close the service without waiting for the connections to drain
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
require.NoError(t, svc.Close())
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
select {
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
case err := <-runErrCh:
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
case <-time.After(20 * time.Second):
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Fatalf("failed to shut down the server")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
}
// TestRotateRollback tests cert authority rollback
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testRotateRollback(t *testing.T, s *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
tconf := s.rotationConfig(true)
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
teleport := s.NewTeleportInstance(t)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
defer teleport.StopAll()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
logins := []string{s.Me.Username}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
for _, login := range logins {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport.AddUser(login, []string{login})
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
config, err := teleport.GenerateConfig(t, nil, tconf)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
serviceC := make(chan *service.TeleportProcess, 20)
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
runErrCh := make(chan error, 1)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
go func() {
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
runErrCh <- service.Run(ctx, *config, func(cfg *servicecfg.Config) (service.Process, error) {
Fix `Too many requests` error in github actions test (#19606)
2022-12-23 03:47:02 +00:00
svc, err := service.NewTeleport(cfg)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
if err == nil {
serviceC <- svc
}
return svc, err
})
}()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
svc, err := waitForProcessStart(serviceC)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
require.Eventually(t, func() bool {
_, err := svc.GetIdentity(types.RoleNode)
return err == nil
}, 5*time.Second, 500*time.Millisecond)
checkSSHPrincipals := func(svc *service.TeleportProcess) {
id, err := svc.GetIdentity(types.RoleNode)
require.NoError(t, err)
require.Contains(t, id.Cert.ValidPrincipals, svc.Config.Hostname)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
require.Contains(t, id.Cert.ValidPrincipals, svc.Config.Hostname+"."+helpers.Site)
require.Contains(t, id.Cert.ValidPrincipals, helpers.HostID)
require.Contains(t, id.Cert.ValidPrincipals, helpers.HostID+"."+helpers.Site)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
}
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// Setup user in the cluster
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
err = helpers.SetupUser(svc, s.Me.Username, nil)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// capture credentials before reload started to simulate old client
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
initialCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{Process: svc, Username: s.Me.Username})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service started. Setting rotation state to %q.", types.RotationPhaseInit)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// start rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseInit,
Mode: types.RotationModeManual,
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Setting rotation state to %q.", types.RotationPhaseUpdateClients)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// start rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateClients,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reload
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: s.Me.Username,
Cluster: helpers.Site,
Cache per-cluster SSH certificates under ~/.tsh (#5938) ```diff ~/.tsh/ └── keys ├── one.example.com --> Proxy hostname │ ├── certs.pem --> TLS CA certs for the Teleport CA │ ├── foo --> RSA Private Key for user "foo" │ ├── foo.pub --> Public Key - │ ├── foo-cert.pub --> SSH certificate for proxies and nodes │ ├── foo-x509.pem --> TLS client certificate for Auth Server + │ ├── foo-ssh --> SSH certs for user "foo" + │ │ ├── root-cert.pub --> SSH cert for Teleport cluster "root" + │ │ └── leaf-cert.pub --> SSH cert for Teleport cluster "leaf" ``` When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes #5637.
2021-03-29 21:14:31 +00:00
Host: Loopback,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
clt, err := teleport.NewClientWithCreds(cfg, *initialCreds)
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// client works as is before servers have been rotated
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseUpdateServers)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// move to the next phase
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateServers,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseRollback)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// complete rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseRollback,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// old client works
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Specify the `NodeName` in `auth.ReRegister` (#12272) * Specify the NodeName in auth.ReRegister * Make cleanup consistent
2022-04-29 18:05:08 +00:00
checkSSHPrincipals(svc)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
spell fixes (#18545)
2022-11-17 16:28:05 +00:00
t.Log("Service reloaded. Rotation has completed. Shutting down service.")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// shut down the service
cancel()
// close the service without waiting for the connections to drain
svc.Close()
select {
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
case err := <-runErrCh:
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
case <-time.After(20 * time.Second):
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Fatalf("failed to shut down the server")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
}
// TestRotateTrustedClusters tests CA rotation support for trusted clusters
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
t.Cleanup(func() { tr.Stop() })
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ctx, cancel := context.WithCancel(context.Background())
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
t.Cleanup(cancel)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
clusterMain := "rotate-main"
clusterAux := "rotate-aux"
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.rotationConfig(false)
main := suite.newNamedTeleportInstance(t, clusterMain)
aux := suite.newNamedTeleportInstance(t, clusterAux)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
logins := []string{suite.Me.Username}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
for _, login := range logins {
main.AddUser(login, []string{login})
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
config, err := main.GenerateConfig(t, nil, tconf)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
serviceC := make(chan *service.TeleportProcess, 20)
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
runErrCh := make(chan error, 1)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
go func() {
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
runErrCh <- service.Run(ctx, *config, func(cfg *servicecfg.Config) (service.Process, error) {
Fix `Too many requests` error in github actions test (#19606)
2022-12-23 03:47:02 +00:00
svc, err := service.NewTeleport(cfg)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
if err == nil {
serviceC <- svc
}
return svc, err
})
}()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
svc, err := waitForProcessStart(serviceC)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// main cluster has a local user and belongs to role "main-devs"
mainDevs := "main-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole(mainDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{suite.Me.Username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
err = helpers.SetupUser(svc, suite.Me.Username, []types.Role{role})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
spelling cleanup
2018-11-15 19:14:20 +00:00
// create auxiliary cluster and setup trust
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
require.NoError(t, aux.CreateEx(t, nil, suite.rotationConfig(false)))
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// auxiliary cluster has a role aux-devs
// connect aux cluster to main cluster
// using trusted clusters, so remote user will be allowed to assume
// role specified by mapping remote role "devs" to local role "local-devs"
auxDevs := "aux-devs"
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err = types.NewRole(auxDevs, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{suite.Me.Username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Plumb caller username for CRUD events via contexts Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
2020-06-15 21:24:34 +00:00
err = aux.Process.GetAuthServer().UpsertRole(ctx, role)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
trustedClusterToken := "trusted-cluster-token"
Pass context through new gRPC converted endpoints. (#6118)
2021-03-24 01:26:52 +00:00
err = svc.GetAuthServer().UpsertToken(ctx,
Revert "Introduce ProvisionTokenV3 (#16361)" (#16934) This reverts commit 3fba50261fa473f1eb814be17e20a5c8de9bc33a.
2022-10-03 14:14:01 +00:00
services.MustCreateProvisionToken(trustedClusterToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{}))
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
trustedCluster := main.AsTrustedCluster(trustedClusterToken, types.RoleMap{
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
{Remote: mainDevs, Local: []string{auxDevs}},
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, aux.Start())
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// try and upsert a trusted cluster
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.TryCreateTrustedCluster(t, aux.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, svc.GetAuthServer(), aux.Secrets.SiteName, 1)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
// capture credentials before reload has started to simulate old client
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
initialCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
Process: svc,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Username: suite.Me.Username,
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// credentials should work
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: suite.Me.Username,
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
Host: Loopback,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Cluster: clusterAux,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, aux.SSH),
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
clt, err := main.NewClientWithCreds(cfg, *initialCreds)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Setting rotation state to %v", types.RotationPhaseInit)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// start rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseInit,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
// wait until service phase update to be broadcast (init phase does not trigger reload)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
// waitForPhase waits until aux cluster detects the rotation
waitForPhase := func(phase string) {
require.Eventually(t, func() bool {
ca, err := aux.Process.GetAuthServer().GetCertAuthority(
ctx,
types.CertAuthID{
Type: types.HostCA,
DomainName: clusterMain,
}, false)
if err != nil {
return false
}
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
if ca.GetRotation().Phase == phase {
return true
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
return false
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
}, 30*time.Second, 250*time.Millisecond, "failed to converge to phase %q", phase)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
waitForPhase(types.RotationPhaseInit)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// update clients
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateClients,
Mode: types.RotationModeManual,
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
waitForPhase(types.RotationPhaseUpdateClients)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// old client should work as is
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// move to the next phase
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseUpdateServers,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
waitForPhase(types.RotationPhaseUpdateServers)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new credentials will work from this phase to others
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
newCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{Process: svc, Username: suite.Me.Username})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
clt, err = main.NewClientWithCreds(cfg, *newCreds)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new client works
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// complete rotation
Fix goroutine and memory leak in watchCertAuthorities (#10871) * Fix goroutine and memory leak in watchCertAuthorities The CA Watcher was blocking both on writing to a channel when the watcher was closed and on HTTP calls that had no request timeout or context passed to cause cancellation. All resourceWatcher implementations that had a bug which may cause them to block on writing to a channel forever were fixed by selecting on the write and ctx.Done. Adding context.Context to all Get/Put/Post/Delete methods on the auth HTTPClient to force callers to propagate context. Prior all calls used context.TODO which prevents requests from being properly cancelled. Add context propagation to RotateCertAuthority, RotateExternalCertAuthority, GetCertAuthority, GetCertAuthorities. This is needed to get the correct ctx from the CertAtuhorityWatcher all the way down to the HTTPClient that makes the call. Closes #10648
2022-03-10 16:05:39 +00:00
err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
Remove deprecated `CertAuthTypeAll` (#23608)
2023-03-27 18:19:38 +00:00
Type: types.HostCA,
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
TargetPhase: types.RotationPhaseStandby,
Mode: types.RotationModeManual,
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// wait until service reloaded
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Log("Waiting for service reload.")
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
svc, err = waitForReload(serviceC, svc)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
t.Log("Service reload completed, waiting for phase.")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Improve CertAuthorityWatcher (#10403) * Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
2022-05-17 19:06:41 +00:00
waitForPhase(types.RotationPhaseStandby)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Log("Phase completed.")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// new client still works
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
err = runAndMatch(clt, 8, []string{"echo", "hello world"}, ".*hello world.*")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Log("Service reloaded. Rotation has completed. Shutting down service.")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// shut down the service
cancel()
// close the service without waiting for the connections to drain
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
require.NoError(t, svc.Close())
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
select {
errcheck: add missing error handling in integration tests
2020-06-02 00:06:46 +00:00
case err := <-runErrCh:
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
case <-time.After(20 * time.Second):
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Fatalf("failed to shut down the server")
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
}
// rotationConfig sets up default config used for CA rotation tests
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
func (s *integrationTestSuite) rotationConfig(disableWebService bool) *servicecfg.Config {
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
tconf := s.defaultServiceConfig()
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
tconf.SSH.Enabled = true
tconf.Proxy.DisableWebService = disableWebService
tconf.Proxy.DisableWebInterface = true
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
tconf.Proxy.DisableDatabaseProxy = true
tconf.Proxy.DisableALPNSNIListener = true
Fix HSM flaky integration tests (#10390)
2022-02-17 09:10:21 +00:00
tconf.PollingPeriod = time.Second
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
tconf.ClientTimeout = time.Second
tconf.ShutdownTimeout = 2 * tconf.ClientTimeout
Replace cluster periodics with watchers (#9609) * Replace cluster periodics with watchers Remove periodically sending locks and certificate authorities to leaf clusters. Instead we can rely on the watcher system to only deliver resources to leaf clusters when changes occur. Fixes #8817
2022-01-19 21:53:45 +00:00
tconf.MaxRetryPeriod = time.Second
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
return tconf
}
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
// waitForProcessEvent waits for process event to occur or timeout
func waitForProcessEvent(svc *service.TeleportProcess, event string, timeout time.Duration) error {
Refactor `Supervisor.WaitForEvent` (#14940)
2022-07-28 13:34:27 +00:00
if _, err := svc.WaitForEventTimeout(timeout, event); err != nil {
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
return trace.BadParameter("timeout waiting for service to broadcast event %v", event)
}
Refactor `Supervisor.WaitForEvent` (#14940)
2022-07-28 13:34:27 +00:00
return nil
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
}
// waitForProcessStart is waiting for the process to start
func waitForProcessStart(serviceC chan *service.TeleportProcess) (*service.TeleportProcess, error) {
var svc *service.TeleportProcess
select {
case svc = <-serviceC:
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
case <-time.After(1 * time.Minute):
dumpGoroutineProfile()
Introduce additional phase to CA rotation. Flaky tests in teleport integration suite uncovered a problem. It is possible that main cluster rotates certificate authority, and will try to dial to the remote cluster with new credentials before the remote cluster could fetch the new CA to trust. To fix this, phase "update_clients" was split in two phases: * Init and Update clients Init phase does nothing on the main cluster except generating new certificate authorities, that are trusted but not used in the cluster. This phase exists to give remote clusters opporunity to update the list of trusted certificate authorities of the main cluster, before main cluster reconnects with new clients in "Update clients" phase.
2018-05-07 21:44:46 +00:00
return nil, trace.BadParameter("timeout waiting for service to start")
}
return svc, nil
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// waitForReload waits for multiple events to happen:
//
// 1. new service to be created and started
// 2. old service, if present to shut down
//
// this helper function allows to serialize tests for reloads.
Create Database CA (#9593) Introduce Database Certificate Authority. New CA is used by Database Access to sign database certificates making them independent from Host CA. Co-authored-by: Marek Smoliński <marek@goteleport.com>
2022-04-05 19:44:46 +00:00
func waitForReload(serviceC chan *service.TeleportProcess, old *service.TeleportProcess) (*service.TeleportProcess, error) {
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
var svc *service.TeleportProcess
select {
case svc = <-serviceC:
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
case <-time.After(1 * time.Minute):
dumpGoroutineProfile()
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
return nil, trace.BadParameter("timeout waiting for service to start")
}
Refactor `Supervisor.WaitForEvent` (#14940)
2022-07-28 13:34:27 +00:00
if _, err := svc.WaitForEventTimeout(20*time.Second, service.TeleportReadyEvent); err != nil {
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
dumpGoroutineProfile()
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
return nil, trace.BadParameter("timeout waiting for service to broadcast ready status")
}
// if old service is present, wait for it to complete shut down procedure
if old != nil {
Skip deleting server heartbeats during in-process restart (#21648) * Skip deleting server heartbeats during in-process restart * context.TODO() -> context.Background() * fix lint
2023-02-14 14:10:31 +00:00
if err := waitForProcessReloadEvent(old); err != nil {
return nil, trace.Wrap(err)
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ctx, cancel := context.WithCancel(context.TODO())
go func() {
defer cancel()
old.Supervisor.Wait()
}()
select {
case <-ctx.Done():
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
case <-time.After(1 * time.Minute):
dumpGoroutineProfile()
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
return nil, trace.BadParameter("timeout waiting for old service to stop")
}
}
return svc, nil
}
Skip deleting server heartbeats during in-process restart (#21648) * Skip deleting server heartbeats during in-process restart * context.TODO() -> context.Background() * fix lint
2023-02-14 14:10:31 +00:00
// waitForProcessReloadEvent waits for the old process to receive a TeleportExitEvent
// and verifies the event payload indicates the process is reloading.
func waitForProcessReloadEvent(old *service.TeleportProcess) error {
event, err := old.WaitForEventTimeout(20*time.Second, service.TeleportExitEvent)
if err != nil {
return trace.WrapWithMessage(err, "timeout waiting for old service to broadcast exit event")
}
ctx, ok := event.Payload.(context.Context)
if !ok {
return trace.BadParameter("payload of the exit event is not a context.Context")
}
if !services.IsProcessReloading(ctx) {
return trace.BadParameter("payload of the exit event is not a ProcessReloadContext")
}
return nil
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// runAndMatch runs command and makes sure it matches the pattern
func runAndMatch(tc *client.TeleportClient, attempts int, command []string, pattern string) error {
output := &bytes.Buffer{}
tc.Stdout = output
var err error
for i := 0; i < attempts; i++ {
err = tc.SSH(context.TODO(), command, false)
if err != nil {
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
time.Sleep(500 * time.Millisecond)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
continue
}
out := output.String()
Remove unnecessary type conversions Caught by `unconvert` linter. No behavior changes here.
2020-05-06 17:13:05 +00:00
out = replaceNewlines(out)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
matched, _ := regexp.MatchString(pattern, out)
if matched {
return nil
}
err = trace.CompareFailed("output %q did not match pattern %q", out, pattern)
cache event fanout & reversetunnel improvements - cache now perforams in-memory fanout of events, eliminating spurious event generation due to cache init/reset. - removed old unused logic from reversetunnel agents. - replaced seekpool with simpler ttl-cache and semaphore-like lease system. - add jittered backoff to agent connection attempts to reduce "thundering herd" effect. - improved reversetunnel logging. - improved LB usage in tests.
2020-04-07 19:05:19 +00:00
time.Sleep(500 * time.Millisecond)
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
}
return err
}
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
// TestWindowChange checks if custom Teleport window change requests are sent
// when the server side PTY changes its size.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testWindowChange(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Trace ssh sessions (#14966) Adds a wrapper around `ssh.Session` which injects tracing context in a similar manner to the `ssh.Client` wrapper. All usages of `ssh.Session` have now been replaced and have the appropriate `context.Context` passed along Part of #12241
2022-08-04 22:14:37 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
site := teleport.GetSiteAPI(helpers.Site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotNil(t, site)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
personA := NewTerminal(250)
personB := NewTerminal(250)
// openSession will open a new session on a server.
openSession := func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
cl.Stdout = personA
cl.Stdin = personA
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Trace ssh sessions (#14966) Adds a wrapper around `ssh.Session` which injects tracing context in a similar manner to the `ssh.Client` wrapper. All usages of `ssh.Session` have now been replaced and have the appropriate `context.Context` passed along Part of #12241
2022-08-04 22:14:37 +00:00
err = cl.SSH(ctx, []string{}, false)
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
if !isSSHError(err) {
require.NoError(t, err)
}
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
}
// joinSession will join the existing session on a server.
joinSession := func() {
// Find the existing session in the backend.
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
timeoutCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
sessions, err := waitForSessionToBeEstablished(timeoutCtx, defaults.Namespace, site)
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
require.NoError(t, err)
Remove legacy session service (#15155)
2022-08-12 16:39:45 +00:00
sessionID := sessions[0].GetSessionID()
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cl, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
cl.Stdout = personB
cl.Stdin = personB
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
// Change the size of the window immediately after it is created.
Trace ssh sessions (#14966) Adds a wrapper around `ssh.Session` which injects tracing context in a similar manner to the `ssh.Client` wrapper. All usages of `ssh.Session` have now been replaced and have the appropriate `context.Context` passed along Part of #12241
2022-08-04 22:14:37 +00:00
cl.OnShellCreated = func(s *tracessh.Session, c *tracessh.Client, terminal io.ReadWriteCloser) (exit bool, err error) {
err = s.WindowChange(ctx, 48, 160)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
if err != nil {
return true, trace.Wrap(err)
}
return false, nil
}
for i := 0; i < 10; i++ {
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
err = cl.Join(ctx, types.SessionPeerMode, defaults.Namespace, session.ID(sessionID), personB)
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
if err == nil || isSSHError(err) {
err = nil
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
break
}
}
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
}
Make TestWindowChange work on non-standard shells Some unusual shells like [fish](https://fishshell.com/) don't support `$(cmd)` nested command syntax. Print window size as two separate commands separated by newline instead. Also, scan more of the output, in case the prompt is very long.
2020-04-17 16:12:54 +00:00
// waitForOutput checks that the output of the passed in terminal contains
// one of the strings in `outputs` until some timeout has occurred.
waitForOutput := func(t *Terminal, outputs ...string) error {
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
tickerCh := time.Tick(500 * time.Millisecond)
timeoutCh := time.After(30 * time.Second)
for {
select {
case <-tickerCh:
Make TestWindowChange work on non-standard shells Some unusual shells like [fish](https://fishshell.com/) don't support `$(cmd)` nested command syntax. Print window size as two separate commands separated by newline instead. Also, scan more of the output, in case the prompt is very long.
2020-04-17 16:12:54 +00:00
out := t.Output(5000)
for _, s := range outputs {
if strings.Contains(out, s) {
return nil
}
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
}
case <-timeoutCh:
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
dumpGoroutineProfile()
Make TestWindowChange work on non-standard shells Some unusual shells like [fish](https://fishshell.com/) don't support `$(cmd)` nested command syntax. Print window size as two separate commands separated by newline instead. Also, scan more of the output, in case the prompt is very long.
2020-04-17 16:12:54 +00:00
return trace.BadParameter("timed out waiting for output, last output: %q doesn't contain any of the expected substrings: %q", t.Output(5000), outputs)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
}
}
}
// Open session, the initial size will be 80x24.
go openSession()
// Use the "printf" command to print the terminal size on the screen and
// make sure it is 80x25.
Make TestWindowChange work on non-standard shells Some unusual shells like [fish](https://fishshell.com/) don't support `$(cmd)` nested command syntax. Print window size as two separate commands separated by newline instead. Also, scan more of the output, in case the prompt is very long.
2020-04-17 16:12:54 +00:00
personA.Type("\atput cols; tput lines\n\r\a")
err := waitForOutput(personA, "80\r\n25", "80\n\r25", "80\n25")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
// As soon as person B joins the session, the terminal is resized to 160x48.
// Have another user join the session. As soon as the second shell is
// created, the window is resized to 160x48 (see joinSession implementation).
go joinSession()
// Use the "printf" command to print the window size again and make sure it's
// 160x48.
Make TestWindowChange work on non-standard shells Some unusual shells like [fish](https://fishshell.com/) don't support `$(cmd)` nested command syntax. Print window size as two separate commands separated by newline instead. Also, scan more of the output, in case the prompt is very long.
2020-04-17 16:12:54 +00:00
personA.Type("\atput cols; tput lines\n\r\a")
err = waitForOutput(personA, "160\r\n48", "160\n\r48", "160\n48")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
// Close the session.
personA.Type("\aexit\r\n\a")
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testList checks that the list of servers returned is identity aware.
func testList(t *testing.T, suite *integrationTestSuite) {
gRPC conversions - Nodes (#6535)
2021-04-29 01:27:12 +00:00
ctx := context.Background()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// Create and start a Teleport cluster with auth, proxy, and node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Mode: types.RecordOff,
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
tconf.Hostname = "server-01"
tconf.Auth.Enabled = true
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
tconf.Auth.SessionRecordingConfig = recConfig
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = true
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
tconf.SSH.Labels = map[string]string{
"role": "worker",
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return t, nil, nil, tconf
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// Create and start a Teleport node.
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
nodeSSHPort := newPortValue()
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
tconf.Hostname = "server-02"
tconf.SSH.Enabled = true
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf.SSH.Addr.Addr = net.JoinHostPort(teleport.Hostname, fmt.Sprintf("%v", nodeSSHPort))
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
tconf.SSH.Labels = map[string]string{
"role": "database",
}
return tconf
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
_, err := teleport.StartNode(nodeConfig())
require.NoError(t, err)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// Get an auth client to the cluster.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clt := teleport.GetSiteAPI(helpers.Site)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NotNil(t, clt)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// Wait 10 seconds for both nodes to show up to make sure they both have
// registered themselves.
waitForNodes := func(clt auth.ClientI, count int) error {
tickCh := time.Tick(500 * time.Millisecond)
stopCh := time.After(10 * time.Second)
for {
select {
case <-tickCh:
Fix lint warnings (#15312) Mostly duplicated imports and redundant types in struct literals.
2022-08-08 20:20:29 +00:00
nodesInCluster, err := clt.GetNodes(ctx, defaults.Namespace)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
if err != nil && !trace.IsNotFound(err) {
return trace.Wrap(err)
}
if got, want := len(nodesInCluster), count; got == want {
return nil
}
case <-stopCh:
return trace.BadParameter("waited 10s, did find %v nodes", count)
}
}
}
err = waitForNodes(clt, 2)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
inRoleName string
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inLabels types.Labels
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
inLogin string
outNodes []string
}{
// 0 - Role has label "role:worker", only server-01 is returned.
{
inRoleName: "worker-only",
inLogin: "foo",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inLabels: types.Labels{"role": []string{"worker"}},
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
outNodes: []string{"server-01"},
},
// 1 - Role has label "role:database", only server-02 is returned.
{
inRoleName: "database-only",
inLogin: "bar",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inLabels: types.Labels{"role": []string{"database"}},
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
outNodes: []string{"server-02"},
},
// 2 - Role has wildcard label, all nodes are returned server-01 and server-2.
{
inRoleName: "worker-and-database",
inLogin: "baz",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
outNodes: []string{"server-01", "server-02"},
},
}
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.inRoleName, func(t *testing.T) {
// Create role with logins and labels for this test.
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole(tt.inRoleName, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Allow: types.RoleConditions{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Logins: []string{tt.inLogin},
NodeLabels: tt.inLabels,
},
})
require.NoError(t, err)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create user, role, and generate credentials.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
err = helpers.SetupUser(teleport.Process, tt.inLogin, []types.Role{role})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
initialCreds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{Process: teleport.Process, Username: tt.inLogin})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create a Teleport client.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Login: tt.inLogin,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Cluster: helpers.Site,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, teleport.SSH),
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
userClt, err := teleport.NewClientWithCreds(cfg, *initialCreds)
require.NoError(t, err)
// Get list of nodes and check that the returned nodes match the
// expected nodes.
Updates `tsh ls` for node/app/db/kube to accept new filter flags (#10980) * Also adds a search keyword parser that takes in different delimiters (comma is used for tsh, space is used for web UI) part of RFD 55
2022-03-09 23:56:55 +00:00
nodes, err := userClt.ListNodesWithFilters(context.Background())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
for _, node := range nodes {
Use x/exp/slices instead of home grown utilities (#18524) We were inconsistent throughout the codebase and would sometimes use the slices package and other times use our own equivalents in api/. This removes our versions in favor of the golang.org/x package that does the same, which has the added benefit of reducing the surface area of the public API module. Note: despite existing uses of the slices package, for some reason it didn't show up in go.mod or go.sum. Fixed that too.
2022-11-17 15:25:46 +00:00
ok := slices.Contains(tt.outNodes, node.GetHostname())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
if !ok {
t.Fatalf("Got nodes: %v, want: %v.", nodes, tt.outNodes)
}
}
})
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
}
}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// TestCmdLabels verifies the behavior of running commands via labels
// with a mixture of regular and reversetunnel nodes.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testCmdLabels(t *testing.T, suite *integrationTestSuite) {
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// InsecureDevMode needed for IoT node handshake
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
// Create and start a Teleport cluster with auth, proxy, and node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() *servicecfg.Config {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Mode: types.RecordOff,
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
tconf.Hostname = "server-01"
tconf.Auth.Enabled = true
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
tconf.Auth.SessionRecordingConfig = recConfig
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = true
tconf.SSH.Labels = map[string]string{
"role": "worker",
"spam": "eggs",
}
return tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
teleport := suite.NewTeleportWithConfig(t, nil, nil, makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer teleport.StopAll()
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// Create and start a reversetunnel node.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeConfig := func() *servicecfg.Config {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
tconf.Hostname = "server-02"
tconf.SSH.Enabled = true
tconf.SSH.Labels = map[string]string{
"role": "database",
"spam": "eggs",
}
return tconf
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
_, err := teleport.StartReverseTunnelNode(nodeConfig())
require.NoError(t, err)
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// test label patterns that match both nodes, and each
// node individually.
tts := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
command []string
labels map[string]string
expect string
}{
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Both",
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
command: []string{"echo", "two"},
labels: map[string]string{"spam": "eggs"},
expect: "two\ntwo\n",
},
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Worker only",
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
command: []string{"echo", "worker"},
labels: map[string]string{"role": "worker"},
expect: "worker\n",
},
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Database only",
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
command: []string{"echo", "database"},
labels: map[string]string{"role": "database"},
expect: "database\n",
},
}
for _, tt := range tts {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.desc, func(t *testing.T) {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Labels: tt.labels,
}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err := runCommand(t, teleport, tt.command, cfg, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
require.Equal(t, tt.expect, output)
})
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
}
}
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
// TestDataTransfer makes sure that a "session.data" event is emitted at the
// end of a session that matches the amount of data that was transferred.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testDataTransfer(t *testing.T, suite *integrationTestSuite) {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
KB := 1024
MB := 1048576
// Create a Teleport cluster.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
main := suite.newTeleport(t, nil, true)
Ensure that all integration.TeleInstance processes get cleaned up TeleInstance manages an auth server and a set of proxies/nodes. TeleInstance.Stop only stops the auth server. A bunch of tests used it assuming it also cleans up any running nodes. This has caused a lot of log spam from failing heartbeats and generally wasted CPU cycles. Rename it to Stop to StopAuth to make it's purpose more obvious. Add TeleInstance.StopAll that cleans up everything, suitable for deferring in tests.
2020-04-17 16:27:34 +00:00
defer main.StopAll()
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
// Create a client to the above Teleport cluster.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
}
// Write 1 MB to stdout.
command := []string{"dd", "if=/dev/zero", "bs=1024", "count=1024"}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
output, err := runCommand(t, main, command, clientConfig, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
// Make sure exactly 1 MB was written to output.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Len(t, output, MB)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
// Make sure the session.data event was emitted to the audit log.
eventFields, err := findEventInLog(main, events.SessionDataEvent)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
// Make sure the audit event shows that 1 MB was written to the output.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Greater(t, eventFields.GetInt(events.DataReceived), MB)
require.Greater(t, eventFields.GetInt(events.DataTransmitted), KB)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testBPFInteractive(t *testing.T, suite *integrationTestSuite) {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// Check if BPF tests can be run on this host.
err := canTestBPF()
if err != nil {
Fix linter after Go 1.18 upgrade (#12585) * Update golangci-lint To accomodate the recent Go 1.18 upgrade * Fix new lint warnings as a result of linter upgrade * Set golangci-lint to Go 1.18 mode golangci-lint will automatically skip linters that don't have support for Go 1.18. See: https://github.com/golangci/golangci-lint/issues/2649
2022-05-11 21:53:37 +00:00
t.Skipf("Tests for BPF functionality can not be run: %v.", err)
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
return
}
lsPath, err := exec.LookPath("ls")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inSessionRecording string
inBPFEnabled bool
outFound bool
}{
// For session recorded at the node, enhanced events should be found.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled and Recorded At Node",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtNode,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: true,
outFound: true,
},
// For session recorded at the node, but BPF is turned off, no events
// should be found.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled and Recorded At Node",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtNode,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: false,
outFound: false,
},
// For session recorded at the proxy, enhanced events should not be found.
// BPF turned off simulates an OpenSSH node.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled and Recorded At Proxy",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtProxy,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: false,
outFound: false,
},
}
for _, tt := range tests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.desc, func(t *testing.T) {
// Create temporary directory where cgroup2 hierarchy will be mounted.
dir := t.TempDir()
// Create and start a Teleport cluster.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Mode: tt.inSessionRecording,
})
require.NoError(t, err)
// Create default config.
tconf := suite.defaultServiceConfig()
// Configure Auth.
tconf.Auth.Preference.SetSecondFactor("off")
tconf.Auth.Enabled = true
tconf.Auth.SessionRecordingConfig = recConfig
// Configure Proxy.
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
// Configure Node. If session are being recorded at the proxy, don't enable
// BPF to simulate an OpenSSH node.
tconf.SSH.Enabled = true
if tt.inBPFEnabled {
tconf.SSH.BPF.Enabled = true
tconf.SSH.BPF.CgroupPath = dir
}
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer main.StopAll()
// Create a client terminal and context to signal when the client is done
// with the terminal.
term := NewTerminal(250)
doneContext, doneCancel := context.WithCancel(context.Background())
func() {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
client, err := main.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
})
require.NoError(t, err)
// Connect terminal to std{in,out} of client.
client.Stdout = term
client.Stdin = term
// "Type" a command into the terminal.
term.Type(fmt.Sprintf("\a%v\n\r\aexit\n\r\a", lsPath))
err = client.SSH(context.TODO(), []string{}, false)
require.NoError(t, err)
// Signal that the client has finished the interactive session.
doneCancel()
}()
// Wait 10 seconds for the client to finish up the interactive session.
select {
case <-time.After(10 * time.Second):
t.Fatalf("Timed out waiting for client to finish interactive session.")
case <-doneContext.Done():
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Enhanced events should show up for session recorded at the node but not
// at the proxy.
if tt.outFound {
_, err = findCommandEventInLog(main, events.SessionCommandEvent, lsPath)
require.NoError(t, err)
} else {
_, err = findCommandEventInLog(main, events.SessionCommandEvent, lsPath)
require.Error(t, err)
}
})
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testBPFExec(t *testing.T, suite *integrationTestSuite) {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// Check if BPF tests can be run on this host.
err := canTestBPF()
if err != nil {
Fix linter after Go 1.18 upgrade (#12585) * Update golangci-lint To accomodate the recent Go 1.18 upgrade * Fix new lint warnings as a result of linter upgrade * Set golangci-lint to Go 1.18 mode golangci-lint will automatically skip linters that don't have support for Go 1.18. See: https://github.com/golangci/golangci-lint/issues/2649
2022-05-11 21:53:37 +00:00
t.Skipf("Tests for BPF functionality can not be run: %v.", err)
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
return
}
lsPath, err := exec.LookPath("ls")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
tests := []struct {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc string
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inSessionRecording string
inBPFEnabled bool
outFound bool
}{
// For session recorded at the node, enhanced events should be found.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Enabled and recorded at node",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtNode,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: true,
outFound: true,
},
// For session recorded at the node, but BPF is turned off, no events
// should be found.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled and recorded at node",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtNode,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: false,
outFound: false,
},
// For session recorded at the proxy, enhanced events should not be found.
// BPF turned off simulates an OpenSSH node.
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
desc: "Disabled and recorded at proxy",
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
inSessionRecording: types.RecordAtProxy,
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
inBPFEnabled: false,
outFound: false,
},
}
for _, tt := range tests {
integration: name our subtests Stop using t.Run("", ..), as it makes it impossible to tell which subtest failed.
2021-11-01 22:00:16 +00:00
t.Run(tt.desc, func(t *testing.T) {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create temporary directory where cgroup2 hierarchy will be mounted.
dir := t.TempDir()
// Create and start a Teleport cluster.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Mode: tt.inSessionRecording,
})
require.NoError(t, err)
// Create default config.
tconf := suite.defaultServiceConfig()
// Configure Auth.
tconf.Auth.Preference.SetSecondFactor("off")
tconf.Auth.Enabled = true
tconf.Auth.SessionRecordingConfig = recConfig
// Configure Proxy.
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
// Configure Node. If session are being recorded at the proxy, don't enable
// BPF to simulate an OpenSSH node.
tconf.SSH.Enabled = true
if tt.inBPFEnabled {
tconf.SSH.BPF.Enabled = true
tconf.SSH.BPF.CgroupPath = dir
}
return t, nil, nil, tconf
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(makeConfig())
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
defer main.StopAll()
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Create a client to the above Teleport cluster.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// Run exec command.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
_, err = runCommand(t, main, []string{lsPath}, clientConfig, 1)
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
// Enhanced events should show up for session recorded at the node but not
// at the proxy.
if tt.outFound {
_, err = findCommandEventInLog(main, events.SessionCommandEvent, lsPath)
require.NoError(t, err)
} else {
_, err = findCommandEventInLog(main, events.SessionCommandEvent, lsPath)
require.Error(t, err)
}
})
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
}
}
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
func testSSHExitCode(t *testing.T, suite *integrationTestSuite) {
lsPath, err := exec.LookPath("ls")
require.NoError(t, err)
Updates `tsh ls` for node/app/db/kube to accept new filter flags (#10980) * Also adds a search keyword parser that takes in different delimiters (comma is used for tsh, space is used for web UI) part of RFD 55
2022-03-09 23:56:55 +00:00
tests := []struct {
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
desc string
command []string
input string
interactive bool
errorAssertion require.ErrorAssertionFunc
statusCode int
}{
// A successful noninteractive session should have a zero status code
{
desc: "Run Command and Exit Successfully",
command: []string{lsPath},
interactive: false,
errorAssertion: require.NoError,
},
// A failed noninteractive session should have a non-zero status code
{
desc: "Run Command and Fail With Code 2",
command: []string{"exit 2"},
interactive: false,
errorAssertion: require.Error,
statusCode: 2,
},
// A failed interactive session should have a non-zero status code
{
desc: "Run Command Interactively and Fail With Code 2",
command: []string{"exit 2"},
interactive: true,
errorAssertion: require.Error,
statusCode: 2,
},
// A failed interactive session should have a non-zero status code
{
desc: "Interactively Fail With Code 3",
input: "exit 3\n\r",
interactive: true,
errorAssertion: require.Error,
statusCode: 3,
},
// A failed interactive session should have a non-zero status code
{
desc: "Interactively Fail With Code 3",
input: fmt.Sprintf("%v\n\rexit 3\n\r", lsPath),
interactive: true,
errorAssertion: require.Error,
statusCode: 3,
},
// A successful interactive session should have a zero status code
{
desc: "Interactively Run Command and Exit Successfully",
input: fmt.Sprintf("%v\n\rexit\n\r", lsPath),
interactive: true,
errorAssertion: require.NoError,
},
// A successful interactive session should have a zero status code
{
desc: "Interactively Exit",
input: "exit\n\r",
interactive: true,
errorAssertion: require.NoError,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
// Create and start a Teleport cluster.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
// Create default config.
tconf := suite.defaultServiceConfig()
// Configure Auth.
tconf.Auth.Preference.SetSecondFactor("off")
tconf.Auth.Enabled = true
tconf.Auth.NoAudit = true
// Configure Proxy.
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
// Configure Node.
tconf.SSH.Enabled = true
return t, nil, nil, tconf
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(makeConfig())
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
t.Cleanup(func() { main.StopAll() })
// context to signal when the client is done with the terminal.
doneContext, doneCancel := context.WithTimeout(context.Background(), time.Second*10)
defer doneCancel()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cli, err := main.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Fix interactive sessions always exiting with code 0 (#8081) * propogate error codes from interactive ssh sessions correctly (#3202)
2021-09-13 17:41:59 +00:00
Interactive: tt.interactive,
})
require.NoError(t, err)
if tt.interactive {
// Create a new terminal and connect it to std{in,out} of client.
term := NewTerminal(250)
cli.Stdout = term
cli.Stdin = term
term.Type(tt.input)
}
// run the ssh command
err = cli.SSH(doneContext, tt.command, false)
tt.errorAssertion(t, err)
// check that the exit code of the session matches the expected one
if err != nil {
var exitError *ssh.ExitError
require.ErrorAs(t, trace.Unwrap(err), &exitError)
require.Equal(t, tt.statusCode, exitError.ExitStatus())
}
})
}
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testBPFSessionDifferentiation verifies that the bpf package can
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// differentiate events from two different sessions. This test in turn also
// verifies the cgroup package.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
func testBPFSessionDifferentiation(t *testing.T, suite *integrationTestSuite) {
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// Check if BPF tests can be run on this host.
err := canTestBPF()
if err != nil {
Fix linter after Go 1.18 upgrade (#12585) * Update golangci-lint To accomodate the recent Go 1.18 upgrade * Fix new lint warnings as a result of linter upgrade * Set golangci-lint to Go 1.18 mode golangci-lint will automatically skip linters that don't have support for Go 1.18. See: https://github.com/golangci/golangci-lint/issues/2649
2022-05-11 21:53:37 +00:00
t.Skipf("Tests for BPF functionality can not be run: %v.", err)
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
return
}
lsPath, err := exec.LookPath("ls")
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Create temporary directory where cgroup2 hierarchy will be mounted.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
dir := t.TempDir()
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Create and start a Teleport cluster.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
makeConfig := func() (*testing.T, []string, []*helpers.InstanceSecrets, *servicecfg.Config) {
Make SessionRecordingConfig resource dynamically configurable (#7054)
2021-06-08 15:30:44 +00:00
recConfig, err := types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Mode: types.RecordAtNode,
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Create default config.
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
tconf := suite.defaultServiceConfig()
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Configure Auth.
tconf.Auth.Preference.SetSecondFactor("off")
tconf.Auth.Enabled = true
Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
2021-05-19 19:01:37 +00:00
tconf.Auth.SessionRecordingConfig = recConfig
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Configure Proxy.
tconf.Proxy.Enabled = true
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
// Configure Node. If session are being recorded at the proxy, don't enable
// BPF to simulate an OpenSSH node.
tconf.SSH.Enabled = true
tconf.SSH.BPF.Enabled = true
tconf.SSH.BPF.CgroupPath = dir
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
return t, nil, nil, tconf
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
main := suite.NewTeleportWithConfig(makeConfig())
Ensure that all integration.TeleInstance processes get cleaned up TeleInstance manages an auth server and a set of proxies/nodes. TeleInstance.Stop only stops the auth server. A bunch of tests used it assuming it also cleans up any running nodes. This has caused a lot of log spam from failing heartbeats and generally wasted CPU cycles. Rename it to Stop to StopAuth to make it's purpose more obvious. Add TeleInstance.StopAll that cleans up everything, suitable for deferring in tests.
2020-04-17 16:27:34 +00:00
defer main.StopAll()
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Create two client terminals and channel to signal when the clients are
// done with the terminals.
termA := NewTerminal(250)
termB := NewTerminal(250)
doneCh := make(chan bool, 2)
// Open a terminal and type "ls" into both and exit.
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
writeTerm := func(term *Terminal) {
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
client, err := main.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
})
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
if err != nil {
t.Errorf("Failed to create client: %v.", err)
}
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Connect terminal to std{in,out} of client.
Fix a data race in integration.Terminal This type uses an inner bytes.Buffer to store terminal output. Terminal is used by concurrent goroutines as io.ReadWriter, so access to the buffer needs to be synchronized.
2020-04-17 15:55:48 +00:00
client.Stdout = term
client.Stdin = term
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// "Type" a command into the terminal.
term.Type(fmt.Sprintf("\a%v\n\r\aexit\n\r\a", lsPath))
err = client.SSH(context.Background(), []string{}, false)
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
if err != nil {
t.Errorf("Failed to start SSH session: %v.", err)
}
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Signal that the client has finished the interactive session.
doneCh <- true
}
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
// It's possible to run this test sequentially but it should
// be run in parallel to amortize the time since the two tasks can be run in parallel.
//
// This is also important because it ensures the tests faults if some part of the SSH code
// hangs unexpectedly instead of timing out silently.
go writeTerm(termA)
go writeTerm(termB)
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
// Wait 10 seconds for both events to arrive, otherwise timeout.
timeout := time.After(10 * time.Second)
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
gotEvents := 0
for {
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
select {
case <-doneCh:
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
gotEvents++
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
case <-timeout:
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.FailNow(t, "Timed out waiting for client to finish interactive session.")
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
}
Fix ineffective timeout break in integration test (#10130)
2022-02-25 17:12:33 +00:00
if gotEvents == 2 {
break
}
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
}
// Try to find two command events from different sessions. Timeout after
// 10 seconds.
for i := 0; i < 10; i++ {
sessionIDs := map[string]bool{}
eventFields, err := eventsInLog(main.Config.DataDir+"/log/events.log", events.SessionCommandEvent)
if err != nil {
time.Sleep(1 * time.Second)
continue
}
for _, fields := range eventFields {
if fields.GetString(events.EventType) == events.SessionCommandEvent &&
fields.GetString(events.Path) == lsPath {
sessionIDs[fields.GetString(events.SessionEventID)] = true
}
}
// If two command events for "ls" from different sessions, return right
// away, test was successful.
if len(sessionIDs) == 2 {
return
}
time.Sleep(1 * time.Second)
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.Fail(t, "Failed to find command events from two different sessions.")
Added BPF integration test. Added BPF integration test that verifies BPF code and differentiate sessions.
2019-12-07 00:17:50 +00:00
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// testExecEvents tests if exec events were emitted with and without PTY allocated
func testExecEvents(t *testing.T, suite *integrationTestSuite) {
add test for exec events
2021-02-18 13:51:43 +00:00
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
// Creates new teleport cluster
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
main := suite.newTeleport(t, nil, true)
add test for exec events
2021-02-18 13:51:43 +00:00
defer main.StopAll()
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
// Max event size for file log (bufio.MaxScanTokenSize) should be 64k, make
// a command much larger than that.
lotsOfBytes := bytes.Repeat([]byte{'a'}, 100*1024)
Require that public TLS and SSH keys are provided to register via token (#8135) * Require that public TLS and SSH keys are provided to register via token The original behavior attempted to make providing public keys optional, and would generate keys if they were not provided. This had several problems: - The auth server is generating private keys for nodes and is potentially able to share them over the network. - The return value for keys.Key would sometimes be set and sometimes be empty (the key is only set if the auth server generated it and knows what the key is) - We only ever relied on this behavior as a shortcut in test code. In the production code this behavior was never used (and actually never worked due to a bug that would overwrite and discard the generated private key) This commit requires that public keys are always provided, ensuring that the private key is generated locally and never known by the auth server. It also results in a cleaner error message when either or both of the public keys are missing from the request. * Address review comments * Fix tests that relied on certs being generated
2021-09-08 17:17:37 +00:00
execTests := []struct {
add test for exec events
2021-02-18 13:51:43 +00:00
name string
isInteractive bool
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
command string
add test for exec events
2021-02-18 13:51:43 +00:00
}{
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
name: "PTY allocated",
add test for exec events
2021-02-18 13:51:43 +00:00
isInteractive: true,
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
command: "echo 1",
add test for exec events
2021-02-18 13:51:43 +00:00
},
{
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
name: "PTY not allocated",
add test for exec events
2021-02-18 13:51:43 +00:00
isInteractive: false,
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
command: "echo 2",
},
{
name: "long command interactive",
isInteractive: true,
command: "true 1 " + string(lotsOfBytes),
},
{
name: "long command uninteractive",
isInteractive: false,
command: "true 2 " + string(lotsOfBytes),
add test for exec events
2021-02-18 13:51:43 +00:00
},
}
for _, tt := range execTests {
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
t.Run(tt.name, func(t *testing.T) {
// Create client for each test in grid tests
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
Interactive: tt.isInteractive,
}
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
_, err := runCommand(t, main, []string{tt.command}, clientConfig, 1)
require.NoError(t, err)
expectedCommandPrefix := tt.command
if len(expectedCommandPrefix) > 32 {
expectedCommandPrefix = expectedCommandPrefix[:32]
}
// Make sure the session start event was emitted to the audit log
// and includes (a prefix of) the command
_, err = findMatchingEventInLog(main, events.SessionStartEvent, func(fields events.EventFields) bool {
initialCommand := fields.GetStrings("initial_command")
return events.SessionStartCode == fields.GetCode() && len(initialCommand) == 1 &&
strings.HasPrefix(initialCommand[0], expectedCommandPrefix)
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
// Make sure the exec event was emitted to the audit log.
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
_, err = findMatchingEventInLog(main, events.ExecEvent, func(fields events.EventFields) bool {
return events.ExecCode == fields.GetCode() &&
strings.HasPrefix(fields.GetString(events.ExecEventCommand), expectedCommandPrefix)
})
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
require.NoError(t, err)
})
add test for exec events
2021-02-18 13:51:43 +00:00
}
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
t.Run("long running", func(t *testing.T) {
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
Port: helpers.Port(t, main.SSH),
Interactive: false,
}
ctx, cancel := context.WithCancel(context.Background())
cmd := "sleep 10"
errC := make(chan error)
go func() {
_, err := runCommandWithContext(ctx, t, main, []string{cmd}, clientConfig, 1)
errC <- err
}()
// Make sure the session start event was emitted immediately to the audit log
// before waiting for the command to complete, and includes the command
startEvent, err := findMatchingEventInLog(main, events.SessionStartEvent, func(fields events.EventFields) bool {
initialCommand := fields.GetStrings("initial_command")
return len(initialCommand) == 1 && initialCommand[0] == cmd
})
require.NoError(t, err)
sessionID := startEvent.GetString(events.SessionEventID)
require.NotEmpty(t, sessionID)
cancel()
// This may or may not be an error, depending on whether we canceled it
// before the command died of natural causes, no need to test the value
// here but we'll wait for it in order to avoid leaking goroutines
<-errC
// Wait for the session end event to avoid writes to the tempdir after
// the test completes (and make sure it's actually sent)
require.Eventually(t, func() bool {
_, err := findMatchingEventInLog(main, events.SessionEndEvent, func(fields events.EventFields) bool {
return sessionID == fields.GetString(events.SessionEventID)
})
return err == nil
}, 30*time.Second, 1*time.Second)
})
add test for exec events
2021-02-18 13:51:43 +00:00
}
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
func testSessionStartContainsAccessRequest(t *testing.T, suite *integrationTestSuite) {
accessRequestsKey := "access_requests"
requestedRoleName := "requested-role"
userRoleName := "user-role"
tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()
lsPath, err := exec.LookPath("ls")
require.NoError(t, err)
// Creates new teleport cluster
main := suite.newTeleport(t, nil, true)
defer main.StopAll()
ctx := context.Background()
// Get auth server
authServer := main.Process.GetAuthServer()
// Create new request role
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
requestedRole, err := types.NewRole(requestedRoleName, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Options: types.RoleOptions{},
Allow: types.RoleConditions{},
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
})
require.NoError(t, err)
err = authServer.UpsertRole(ctx, requestedRole)
require.NoError(t, err)
// Create user role with ability to request role
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
userRole, err := types.NewRole(userRoleName, types.RoleSpecV6{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Options: types.RoleOptions{},
Allow: types.RoleConditions{
Fixed TestSessionStartContainsAccessRequest. Fixed issue with TestSessionStartContainsAccessRequest where the login was not being injected into the user role.
2022-02-08 20:49:58 +00:00
Logins: []string{
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
suite.Me.Username,
Fixed TestSessionStartContainsAccessRequest. Fixed issue with TestSessionStartContainsAccessRequest where the login was not being injected into the user role.
2022-02-08 20:49:58 +00:00
},
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Request: &types.AccessRequestConditions{
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
Roles: []string{requestedRoleName},
},
},
})
require.NoError(t, err)
err = authServer.UpsertRole(ctx, userRole)
require.NoError(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
user, err := types.NewUser(suite.Me.Username)
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
user.AddRole(userRole.GetName())
require.NoError(t, err)
watcher, err := authServer.NewWatcher(ctx, types.Watch{
Kinds: []types.WatchKind{
{Kind: types.KindUser},
{Kind: types.KindAccessRequest},
},
})
require.NoError(t, err)
defer watcher.Close()
select {
case <-time.After(time.Second * 30):
t.Fatalf("Timeout waiting for event.")
case event := <-watcher.Events():
if event.Type != types.OpInit {
t.Fatalf("Unexpected event type.")
}
require.Equal(t, event.Type, types.OpInit)
case <-watcher.Done():
t.Fatal(watcher.Error())
}
// Update user
Update users interface (#32987) services.UsersService now takes a context and returns the user from write operations as shown in the diff below. The bulk of the changes are from modifying code to account for the additional parameter and/or return value. Functional changes to better make use of the new API will come in follow up PRs. ```diff // UserGetter is responsible for getting users type UserGetter interface { // GetUser returns a user by name - GetUser(user string, withSecrets bool) (types.User, error) + GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error) } // UsersService is responsible for basic user management type UsersService interface { UserGetter // CreateUser creates user, only if the user entry does not exist - CreateUser(user types.User) error + CreateUser(ctx context.Context, user types.User) (types.User, error) // UpdateUser updates an existing user. - UpdateUser(ctx context.Context, user types.User) error + UpdateUser(ctx context.Context, user types.User) (types.User, error) // UpdateAndSwapUser reads an existing user, runs `fn` against it and writes // the result to storage. Return `false` from `fn` to avoid storage changes. // Roughly equivalent to [GetUser] followed by [CompareAndSwapUser]. // Returns the storage user. UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error) // UpsertUser updates parameters about user - UpsertUser(user types.User) error + UpsertUser(ctx context.Context, user types.User) (types.User, error) // CompareAndSwapUser updates an existing user, but fails if the user does // not match an expected backend value. CompareAndSwapUser(ctx context.Context, new, existing types.User) error // DeleteUser deletes a user with all the keys from the backend DeleteUser(ctx context.Context, user string) error // GetUsers returns a list of users registered with the local auth server - GetUsers(withSecrets bool) ([]types.User, error) + GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error) // DeleteAllUsers deletes all users - DeleteAllUsers() error + DeleteAllUsers(ctx context.Context) error } ``` Depends on gravitational/teleport.e#2346 Implements step 3 of #32949
2023-10-10 14:07:46 +00:00
user, err = authServer.UpsertUser(ctx, user)
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
require.NoError(t, err)
WaitForResource(t, watcher, user.GetKind(), user.GetName())
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
req, err := services.NewAccessRequest(suite.Me.Username, requestedRole.GetMetadata().Name)
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
require.NoError(t, err)
always generate request IDs server-side (#31760) * server-side request ids * update e-ref
2023-09-13 16:08:11 +00:00
req, err = authServer.CreateAccessRequestV2(ctx, req, tlsca.Identity{})
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
require.NoError(t, err)
always generate request IDs server-side (#31760) * server-side request ids * update e-ref
2023-09-13 16:08:11 +00:00
accessRequestID := req.GetName()
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
err = authServer.SetAccessRequestState(ctx, types.AccessRequestUpdate{
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
RequestID: accessRequestID,
State: types.RequestState_APPROVED,
})
require.NoError(t, err)
WaitForResource(t, watcher, req.GetKind(), req.GetName())
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
clientConfig := helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
Host: Host,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
Port: helpers.Port(t, main.SSH),
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
Interactive: false,
}
clientReissueParams := client.ReissueParams{
AccessRequests: []string{accessRequestID},
}
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
err = runCommandWithCertReissue(t, main, []string{lsPath}, clientReissueParams, client.CertCacheDrop, clientConfig)
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
require.NoError(t, err)
// Get session start event
sessionStart, err := findEventInLog(main, events.SessionStartEvent)
require.NoError(t, err)
require.Equal(t, sessionStart.GetCode(), events.SessionStartCode)
require.Equal(t, sessionStart.HasField(accessRequestsKey), true)
val, found := sessionStart[accessRequestsKey]
require.Equal(t, found, true)
result := strings.Contains(fmt.Sprintf("%v", val), accessRequestID)
require.Equal(t, result, true)
}
func WaitForResource(t *testing.T, watcher types.Watcher, kind, name string) {
timeout := time.After(time.Second * 15)
for {
select {
case <-timeout:
t.Fatalf("Timeout waiting for event.")
case event := <-watcher.Events():
if event.Type != types.OpPut {
continue
}
if event.Resource.GetKind() == kind && event.Resource.GetMetadata().Name == name {
return
}
case <-watcher.Done():
t.Fatalf("Watcher error %s.", watcher.Error())
}
}
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// findEventInLog polls the event log looking for an event of a particular type.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func findEventInLog(t *helpers.TeleInstance, eventName string) (events.EventFields, error) {
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
for i := 0; i < 10; i++ {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
eventFields, err := eventsInLog(t.Config.DataDir+"/log/events.log", eventName)
if err != nil {
time.Sleep(1 * time.Second)
continue
}
for _, fields := range eventFields {
eventType, ok := fields[events.EventType]
if !ok {
return nil, trace.BadParameter("not found")
}
if eventType == eventName {
return fields, nil
}
}
time.Sleep(250 * time.Millisecond)
}
return nil, trace.NotFound("event not found")
}
// findCommandEventInLog polls the event log looking for an event of a particular type.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func findCommandEventInLog(t *helpers.TeleInstance, eventName string, programName string) (events.EventFields, error) {
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
return findMatchingEventInLog(t, eventName, func(fields events.EventFields) bool {
eventType := fields[events.EventType]
eventPath := fields[events.Path]
return eventType == eventName && eventPath == programName
})
}
func findMatchingEventInLog(t *helpers.TeleInstance, eventName string, match func(events.EventFields) bool) (events.EventFields, error) {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
for i := 0; i < 10; i++ {
eventFields, err := eventsInLog(t.Config.DataDir+"/log/events.log", eventName)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
if err != nil {
time.Sleep(1 * time.Second)
continue
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
for _, fields := range eventFields {
security: log non-interactive SSH commands at beginning of session (#16872) * include exec command in session.start.initial_command * trim oversized events
2022-09-30 19:57:01 +00:00
if match(fields) {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
return fields, nil
}
}
time.Sleep(1 * time.Second)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
}
return nil, trace.NotFound("event not found")
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// eventsInLog returns all events in a log file.
func eventsInLog(path string, eventName string) ([]events.EventFields, error) {
var ret []events.EventFields
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
file, err := os.Open(path)
if err != nil {
return nil, trace.Wrap(err)
}
defer file.Close()
scanner := bufio.NewScanner(file)
for scanner.Scan() {
var fields events.EventFields
err = json.Unmarshal(scanner.Bytes(), &fields)
if err != nil {
return nil, trace.Wrap(err)
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
ret = append(ret, fields)
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
if len(ret) == 0 {
return nil, trace.NotFound("event not found")
}
return ret, nil
Emit data transfer events. Created *utils.TrackingConn that wraps the server side net.Conn and is used to track how much data is transmitted and received over the net.Conn. At the close of a connection (close of a *srv.ServerContext) the total data transmitted and received is emitted to the Audit Log.
2019-02-15 02:15:45 +00:00
}
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
// runCommandWithCertReissue runs an SSH command and generates certificates for the user
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func runCommandWithCertReissue(t *testing.T, instance *helpers.TeleInstance, cmd []string, reissueParams client.ReissueParams, cachePolicy client.CertCachePolicy, cfg helpers.ClientConfig) error {
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
tc, err := instance.NewClient(cfg)
Improve Access Request Events (#6863)
2021-06-03 21:28:38 +00:00
if err != nil {
return trace.Wrap(err)
}
err = tc.ReissueUserCerts(context.Background(), cachePolicy, reissueParams)
if err != nil {
return trace.Wrap(err)
}
out := &bytes.Buffer{}
tc.Stdout = out
err = tc.SSH(context.TODO(), cmd, false)
if err != nil {
return trace.Wrap(err)
}
return nil
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
func runCommandWithContext(ctx context.Context, t *testing.T, instance *helpers.TeleInstance, cmd []string, cfg helpers.ClientConfig, attempts int) (string, error) {
Cleaned up NewClient in integration tests. Updated "NewClient" in integration tests to not take testing.T and return an error.
2022-02-08 23:49:26 +00:00
tc, err := instance.NewClient(cfg)
fix tests
2017-10-12 23:51:18 +00:00
if err != nil {
return "", trace.Wrap(err)
}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
// since this helper is sometimes used for running commands on
// multiple nodes concurrently, we use io.Pipe to protect our
// output buffer from concurrent writes.
read, write := io.Pipe()
fix tests
2017-10-12 23:51:18 +00:00
output := &bytes.Buffer{}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
doneC := make(chan struct{})
go func() {
io.Copy(output, read)
close(doneC)
}()
tc.Stdout = write
fix tests
2017-10-12 23:51:18 +00:00
for i := 0; i < attempts; i++ {
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
err = tc.SSH(ctx, cmd, false)
fix tests
2017-10-12 23:51:18 +00:00
if err == nil {
break
}
Fixes for integration tests and discovery protocol.
2019-05-14 22:16:27 +00:00
time.Sleep(1 * time.Second)
fix tests
2017-10-12 23:51:18 +00:00
}
improve reversetunnel integration tests
2020-06-26 20:58:40 +00:00
write.Close()
if err != nil {
return "", trace.Wrap(err)
}
<-doneC
return output.String(), nil
fix tests
2017-10-12 23:51:18 +00:00
}
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
// invoke makes it easier to defer multiple cancelFuncs held by the same variable
// without them stomping on one another.
Temporary skip TestReverseTunnelCollapse (#20198) * Temporary skip TestReverseTunnelCollapse Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
2023-01-13 17:04:02 +00:00
func invoke(cancel context.CancelFunc) { //nolint:unused // unused as TestReverseTunnelCollapse is skipped
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
cancel()
}
// runCommand is a shortcut for running SSH command, it creates a client
// connected to proxy of the passed in instance, runs the command, and returns
// the result. If multiple attempts are requested, a 250 millisecond delay is
// added between them before giving up.
func runCommand(t *testing.T, instance *helpers.TeleInstance, cmd []string, cfg helpers.ClientConfig, attempts int) (string, error) {
return runCommandWithContext(context.TODO(), t, instance, cmd, cfg, attempts)
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
type InstanceConfigOption func(t *testing.T, config *helpers.InstanceConfig)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
func (s *integrationTestSuite) newNamedTeleportInstance(t *testing.T, clusterName string, opts ...InstanceConfigOption) *helpers.TeleInstance {
cfg := helpers.InstanceConfig{
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
ClusterName: clusterName,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
HostID: helpers.HostID,
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
NodeName: Host,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Priv: s.Priv,
Pub: s.Pub,
Log: utils.WrapLogger(s.Log.WithField("cluster", clusterName)),
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
for _, opt := range opts {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
opt(t, &cfg)
ALPN SNI Proxy (#7524)
2021-09-13 09:54:49 +00:00
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
if cfg.Listeners == nil {
cfg.Listeners = helpers.StandardListenerSetupOn(cfg.NodeName)(t, &cfg.Fds)
}
return helpers.NewInstance(t, cfg)
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
}
NO_PROXY port support + special case for proxying via localhost (#11403) This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
2022-04-04 21:23:50 +00:00
func WithNodeName(nodeName string) InstanceConfigOption {
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
return func(_ *testing.T, config *helpers.InstanceConfig) {
NO_PROXY port support + special case for proxying via localhost (#11403) This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
2022-04-04 21:23:50 +00:00
config.NodeName = nodeName
}
}
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
func WithListeners(setupFn helpers.InstanceListenerSetupFunc) InstanceConfigOption {
return func(t *testing.T, config *helpers.InstanceConfig) {
config.Listeners = setupFn(t, &config.Fds)
}
}
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
func (s *integrationTestSuite) defaultServiceConfig() *servicecfg.Config {
cfg := servicecfg.MakeDefaultConfig()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
cfg.Console = nil
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
cfg.Log = s.Log
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
cfg.CircuitBreakerConfig = breaker.NoopBreakerConfig()
Fix `Too many requests` error in github actions test (#19606)
2022-12-23 03:47:02 +00:00
cfg.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
return cfg
}
Ports some integration tests to Testify/Subtests (#6884) In an attempt to make it easier to 1) navigate the integration test output, 2) find the cause of test failures, and 3) run individual tests, make it easier to run individual integration tests from the command line, ...this change ports some of the OSS integration tests away from GoCheck and implements them in terms of the standard `testing` package. The main changes are: * Test suites are now constructed as a normal Test function with many subtests. * The GoCheck assertions have been replaced with equivalent assertions from `testify/require`, for example: `c.Assert(err, check.IsNil)` becomes `require.NoError(t, err)` ... and so on
2021-05-27 02:05:46 +00:00
// waitFor helper waits on a channel for up to the given timeout
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
func waitFor(c chan interface{}, timeout time.Duration) error {
tick := time.Tick(timeout)
select {
case <-c:
return nil
case <-tick:
Adds per-node ability to disable ssh TCP forwarding (#6989) Prior to this change, TCP forwarding over SSH could only be disallowed by user-based rules, rather than by individual target nodes. This change adds: * the`port_forwarding` key to the yaml SSH config block, with a boolean value * Plumbing to pipe the resulting config value through to the SSH server * A predicate check in the SSH server to [dis]allow port forwarding based on the setting. This change also: * adds a common way for integration tests to await the establishment of an SSH session * refactors several integration tests to use this new method rather than manually waiting * adds some marshaling code to move errors from spawned goroutines back into the main test routine in verifySessionJoin() See-Also: Issue #6783
2021-06-17 01:17:26 +00:00
return trace.LimitExceeded("timeout waiting for event")
}
}
// waitForError helper waits on an error channel for up to the given timeout
func waitForError(c chan error, timeout time.Duration) error {
tick := time.Tick(timeout)
select {
case err := <-c:
return err
case <-tick:
return trace.LimitExceeded("timeout waiting for event")
Addded integration tests for: - interactive SSH (with shell) - joining sessions
2016-04-14 20:30:13 +00:00
}
}
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
// hasPAMPolicy checks if the three policy files needed for tests exists. If
// they do it returns true, otherwise returns false.
func hasPAMPolicy() bool {
pamPolicyFiles := []string{
"/etc/pam.d/teleport-acct-failure",
"/etc/pam.d/teleport-session-failure",
"/etc/pam.d/teleport-success",
add PAM environment with interpolation support
2021-03-30 15:30:34 +00:00
"/etc/pam.d/teleport-custom-env",
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
}
for _, fileName := range pamPolicyFiles {
_, err := os.Stat(fileName)
if os.IsNotExist(err) {
return false
}
}
return true
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
Implemented utmp/wtmp support.
2021-02-15 19:43:39 +00:00
// isRoot returns a boolean if the test is being run as root or not.
func isRoot() bool {
return os.Geteuid() == 0
}
// canTestBPF runs checks to determine whether BPF tests will run or not.
// Tests for this package must be run as root.
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
func canTestBPF() error {
Implemented utmp/wtmp support.
2021-02-15 19:43:39 +00:00
if !isRoot() {
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
return trace.BadParameter("not root")
}
err := bpf.IsHostCompatible()
if err != nil {
return trace.Wrap(err)
}
return nil
}
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
func dumpGoroutineProfile() {
pprof.Lookup("goroutine").WriteTo(os.Stderr, 2)
}
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
// TestWebProxyInsecure makes sure that proxy endpoint works when TLS is disabled.
func TestWebProxyInsecure(t *testing.T) {
Remove needlessly complex key generation scheme (#12113)
2022-04-25 09:26:10 +00:00
privateKey, publicKey, err := testauthority.New().GenerateKeyPair()
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
require.NoError(t, err)
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
rc := helpers.NewInstance(t, helpers.InstanceConfig{
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
ClusterName: "example.com",
use google/uuid instead of pborman/uuid (#9793) * replace imports * use google/uuid * fix test * reverse changelog changes * update gomod * zac steps * tidy Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2022-01-19 23:44:48 +00:00
HostID: uuid.New().String(),
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Log: utils.NewLoggerForTests(),
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
})
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
rcConf := servicecfg.MakeDefaultConfig()
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
rcConf.DataDir = t.TempDir()
rcConf.Auth.Enabled = true
rcConf.Auth.Preference.SetSecondFactor("off")
rcConf.Proxy.Enabled = true
rcConf.Proxy.DisableWebInterface = true
// DisableTLS flag should turn off TLS termination and multiplexing.
rcConf.Proxy.DisableTLS = true
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
rcConf.CircuitBreakerConfig = breaker.NoopBreakerConfig()
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
err = rc.CreateEx(t, nil, rcConf)
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
require.NoError(t, err)
err = rc.Start()
require.NoError(t, err)
t.Cleanup(func() {
rc.StopAll()
})
// Web proxy endpoint should just respond with 200 when called over http://,
// content doesn't matter.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
resp, err := http.Get(fmt.Sprintf("http://%v/webapi/ping", rc.Web))
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
require.NoError(t, err)
Fix app access websockets support (#6072)
2021-03-22 15:56:44 +00:00
require.Equal(t, http.StatusOK, resp.StatusCode)
Fix --insecure-no-tls flag (#5924)
2021-03-10 15:42:23 +00:00
require.NoError(t, resp.Body.Close())
}
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
// TestTraitsPropagation makes sure that user traits are applied properly to
// roles in root and leaf clusters.
func TestTraitsPropagation(t *testing.T) {
Migrate upserting CAs to gRPC (#23140) Adds `UpsertCertAuthority` to the `teleport.v1.trust.TrustService` and deprecates the HTTP api. The `services.Trust` interface was also updated to include a `context.Context` in both `CreateCertAuthority` and `UpsertCertAuthority. To ensure backwards compatibility the `auth.Client` will first attempt to use the gRPC client and if that fails with a not implemented error it will fallback to using HTTP. Part of #6394
2023-03-16 14:46:43 +00:00
ctx := context.Background()
Attempts to make CI integration test logs more useful (#9626) Actually tracking down the cause of a failure in the integration tests can be hard: * It's hard to get an overall summary of what failed * The tests sometimes emit no output before timing out, meaning any diagnostic info is lost * The emitted logs are too voluminous for a human to parse * The emitted logs can present information out of order * It's often hard to tell where the output from one test ends and the next one begins This patch attempts to address these concerns without attempting to rewrite any of the underlying teleport logging. * It improves the render-tests script to (optionally) report progress per- test, rather than on a per-package basis. My working hypothesis on the tests that time out with no output is that go test ./integration is waiting for the entire set of integration tests tests to be complete before reporting success or failure. Reporting on a per-test cycle gives faster feedback and means that any timed-out builds should give at least some idea of where they are stuck. * Adds the render-tests filter to the integration and integration-root make targets. This will show an overall summary of test results, as well as - Discarding log output from passing tests to increase signal-to-noise ratio, and - Strongly delimiting the output from each failed test, making failures easier to find. * Removes the notion of a failure-only logger in favour of post-processing the log events with render-tests. The failure-only logger catches log output from the tests and only forwards it to the console if the test fails. Unfortunately, not all log output is guaranteed to pass through this logger (some teleport packages do not honour the configured logger, and reports from the go race detector certainly don't), meaning some output is presented at the time it happens, and other output is batched and displayed at the end of the test. This makes working out what happened where harder than it need be. In addition, this patch also promotes the render-tests script into a fully- fledged program, with appropriate makefile targets, make clean support, etc. It is now also more robust in the face on non-JSON output from go test (which happens if a package fails to compile).
2022-01-04 23:42:07 +00:00
log := utils.NewLoggerForTests()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
Remove needlessly complex key generation scheme (#12113)
2022-04-25 09:26:10 +00:00
privateKey, publicKey, err := testauthority.New().GenerateKeyPair()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
require.NoError(t, err)
// Create root cluster.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
rc := helpers.NewInstance(t, helpers.InstanceConfig{
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
ClusterName: "root.example.com",
use google/uuid instead of pborman/uuid (#9793) * replace imports * use google/uuid * fix test * reverse changelog changes * update gomod * zac steps * tidy Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2022-01-19 23:44:48 +00:00
HostID: uuid.New().String(),
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Log: log,
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
})
// Create leaf cluster.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
lc := helpers.NewInstance(t, helpers.InstanceConfig{
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
ClusterName: "leaf.example.com",
use google/uuid instead of pborman/uuid (#9793) * replace imports * use google/uuid * fix test * reverse changelog changes * update gomod * zac steps * tidy Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2022-01-19 23:44:48 +00:00
HostID: uuid.New().String(),
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Log: log,
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
})
// Make root cluster config.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
rcConf := servicecfg.MakeDefaultConfig()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
rcConf.DataDir = t.TempDir()
rcConf.Auth.Enabled = true
rcConf.Auth.Preference.SetSecondFactor("off")
rcConf.Proxy.Enabled = true
rcConf.Proxy.DisableWebService = true
rcConf.Proxy.DisableWebInterface = true
rcConf.SSH.Enabled = true
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
rcConf.SSH.Addr.Addr = rc.SSH
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
rcConf.SSH.Labels = map[string]string{"env": "integration"}
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
rcConf.CircuitBreakerConfig = breaker.NoopBreakerConfig()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
// Make leaf cluster config.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
lcConf := servicecfg.MakeDefaultConfig()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
lcConf.DataDir = t.TempDir()
lcConf.Auth.Enabled = true
lcConf.Auth.Preference.SetSecondFactor("off")
lcConf.Proxy.Enabled = true
lcConf.Proxy.DisableWebInterface = true
lcConf.SSH.Enabled = true
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
lcConf.SSH.Addr.Addr = lc.SSH
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
lcConf.SSH.Labels = map[string]string{"env": "integration"}
Add client side circuit breaker to auth clients (#10282) * Add client side circuit breaker to auth clients In order to apply back pressure we can utilize a circuit breaker that monitors error responses from auth server. When tripped it will prevent all outbound requests to auth for a period of time. This can also help prevent a potential thundering heard when auth is in an unhealthy state. By default the circuit breaker will only be tripped if 90% of the requests made in the monitoring interval fail.
2022-06-03 15:55:56 +00:00
lcConf.CircuitBreakerConfig = breaker.NoopBreakerConfig()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
// Create identical user/role in both clusters.
me, err := user.Current()
require.NoError(t, err)
Add RBAC for Windows desktop access (#8520) * Add RBAC for Windows desktop access This commit adds RBAC checks for Windows Desktops as described in RFD 33 and RFD 34: - add Windows desktop logins & labels to role definition - introduce new file config for host labels based on a regexp match - auth server API performs access checking for Windows desktop resources - add RDP client callback to authorize the user - support user/role locks - respect the client idle timeout setting Note: in cases where an connection is terminated to to RBAC, the web UI currently displays "websocket connection failed" because the connection is closed from the server. We'll need to follow up with a nice error message for the client side to improve the UX here. Other changes: * Remove OSS RBAC migration marked for deletion * Stop creating a default admin role * add wildcard desktop access to the preset access role Updates #7761
2021-10-12 20:52:59 +00:00
role := services.NewImplicitRole()
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
role.SetName("test")
Remove RoleConditions type alias from lib/services. (#8441)
2021-10-05 21:04:18 +00:00
role.SetLogins(types.Allow, []string{me.Username})
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
// Users created by CreateEx have "testing: integration" trait.
Remove RoleConditions type alias from lib/services. (#8441)
2021-10-05 21:04:18 +00:00
role.SetNodeLabels(types.Allow, map[string]apiutils.Strings{"env": []string{"{{external.testing}}"}})
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
rc.AddUserWithRole(me.Username, role)
lc.AddUserWithRole(me.Username, role)
// Establish trust b/w root and leaf.
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
err = rc.CreateEx(t, lc.Secrets.AsSlice(), rcConf)
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
require.NoError(t, err)
CheckAndSetDefaults sets all defaults. (#6846)
2021-06-18 19:57:29 +00:00
err = lc.CreateEx(t, rc.Secrets.AsSlice(), lcConf)
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
require.NoError(t, err)
// Start both clusters.
require.NoError(t, rc.Start())
t.Cleanup(func() {
rc.StopAll()
})
require.NoError(t, lc.Start())
t.Cleanup(func() {
lc.StopAll()
})
// Update root's certificate authority on leaf to configure role mapping.
Migrate upserting CAs to gRPC (#23140) Adds `UpsertCertAuthority` to the `teleport.v1.trust.TrustService` and deprecates the HTTP api. The `services.Trust` interface was also updated to include a `context.Context` in both `CreateCertAuthority` and `UpsertCertAuthority. To ensure backwards compatibility the `auth.Client` will first attempt to use the gRPC client and if that fails with a not implemented error it will fallback to using HTTP. Part of #6394
2023-03-16 14:46:43 +00:00
ca, err := lc.Process.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
Type: types.UserCA,
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
DomainName: rc.Secrets.SiteName,
}, false)
require.NoError(t, err)
ca.SetRoles(nil) // Reset roles, otherwise they will take precedence.
Remove API aliases (#6983)
2021-06-04 20:29:31 +00:00
ca.SetRoleMap(types.RoleMap{{Remote: role.GetName(), Local: []string{role.GetName()}}})
Migrate upserting CAs to gRPC (#23140) Adds `UpsertCertAuthority` to the `teleport.v1.trust.TrustService` and deprecates the HTTP api. The `services.Trust` interface was also updated to include a `context.Context` in both `CreateCertAuthority` and `UpsertCertAuthority. To ensure backwards compatibility the `auth.Client` will first attempt to use the gRPC client and if that fails with a not implemented error it will fallback to using HTTP. Part of #6394
2023-03-16 14:46:43 +00:00
err = lc.Process.GetAuthServer().UpsertCertAuthority(ctx, ca)
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
require.NoError(t, err)
// Run command in root.
Dont allow directly dialing to servers not in inventory (#30323) * Dont allow directly dialing to servers not in inventory add direct dial escape hatch * Fix failing unit test * Fix TestProxySSH * Fix TestTraitsPropagation * resolve comment * fix non-multiplexed trusted cluster setup in tsh test suite * Fix TestProxySSH * wait on nodes * Skip the flaky check for TestSSHLoadAllCAs --------- Co-authored-by: Forrest Marshall <forrest@goteleport.com>
2023-08-29 11:52:55 +00:00
require.Eventually(t, func() bool {
outputRoot, err := runCommand(t, rc, []string{"echo", "hello root"}, helpers.ClientConfig{
Login: me.Username,
Cluster: "root.example.com",
Host: Loopback,
Port: helpers.Port(t, rc.SSH),
}, 1)
return err == nil && strings.TrimSpace(outputRoot) == "hello root"
}, time.Second*30, time.Millisecond*100)
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
// Run command in leaf.
Dont allow directly dialing to servers not in inventory (#30323) * Dont allow directly dialing to servers not in inventory add direct dial escape hatch * Fix failing unit test * Fix TestProxySSH * Fix TestTraitsPropagation * resolve comment * fix non-multiplexed trusted cluster setup in tsh test suite * Fix TestProxySSH * wait on nodes * Skip the flaky check for TestSSHLoadAllCAs --------- Co-authored-by: Forrest Marshall <forrest@goteleport.com>
2023-08-29 11:52:55 +00:00
require.Eventually(t, func() bool {
outputLeaf, err := runCommand(t, rc, []string{"echo", "hello leaf"}, helpers.ClientConfig{
Login: me.Username,
Cluster: "leaf.example.com",
Host: Loopback,
Port: helpers.Port(t, lc.SSH),
}, 1)
return err == nil && strings.TrimSpace(outputLeaf) == "hello leaf"
}, time.Second*30, time.Millisecond*100)
Propagate external traits to leaf clusters (#6540)
2021-04-29 16:39:43 +00:00
}
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
// testSessionStreaming tests streaming events from session recordings.
func testSessionStreaming(t *testing.T, suite *integrationTestSuite) {
ctx := context.Background()
use google/uuid instead of pborman/uuid (#9793) * replace imports * use google/uuid * fix test * reverse changelog changes * update gomod * zac steps * tidy Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2022-01-19 23:44:48 +00:00
sessionID := session.ID(uuid.New().String())
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
teleport := suite.newTeleport(t, nil, true)
defer teleport.StopAll()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
api := teleport.GetSiteAPI(helpers.Site)
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
uploadStream, err := api.CreateAuditStream(ctx, sessionID)
require.Nil(t, err)
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
generatedSession := eventstest.GenerateTestSession(eventstest.SessionParams{
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
PrintEvents: 100,
SessionID: string(sessionID),
ServerID: "00000000-0000-0000-0000-000000000000",
})
for _, event := range generatedSession {
split recording session events and emitting audit events (#27873) * split recording session events and emitting audit events This is a refactor of how audit events and session events are handled. Previously, all events were emitted using the same interface, api/types/events.Emitter. This lead to event-related code getting to be very confusing, as it was often unclear whether a given event was being recorded as a session event and emitted as an audit event, or only one of the two. Naturally, a few bugs arose due to this. To simplify event handling, a separate interface for recording session events has been created. A api/types/events.Recorder should now only be used to record session events, and an Emitter should now only be used to emit audit events. Instead of using a confusing TeeWriter that would transparently (and confusingly, given its name) hold a few event types that only belonged in session recordings, callers can now explicitly record and/or emit an event when necessary. * ensure e build won't break
2023-07-11 19:53:33 +00:00
err := uploadStream.RecordEvent(ctx, eventstest.PrepareEvent(event))
Implement an API for exporting session events (#7360)
2021-07-13 23:29:00 +00:00
require.NoError(t, err)
}
err = uploadStream.Complete(ctx)
require.Nil(t, err)
start := time.Now()
// retry in case of error
outer:
for time.Since(start) < time.Minute*5 {
time.Sleep(time.Second * 5)
receivedSession := make([]apievents.AuditEvent, 0)
sessionPlayback, e := api.StreamSessionEvents(ctx, sessionID, 0)
inner:
for {
select {
case event, more := <-sessionPlayback:
if !more {
break inner
}
receivedSession = append(receivedSession, event)
case <-ctx.Done():
require.Nil(t, ctx.Err())
case err := <-e:
require.Nil(t, err)
case <-time.After(time.Minute * 5):
t.FailNow()
}
}
for i := range generatedSession {
receivedSession[i].SetClusterName("")
if !reflect.DeepEqual(generatedSession[i], receivedSession[i]) {
continue outer
}
}
return
}
t.FailNow()
}
Restrict moderated sessions users from accessing V8 kube cluster agents (#11691)
2022-04-06 15:31:24 +00:00
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
type serviceCfgOpt func(cfg *servicecfg.Config, isRoot bool)
func createTrustedClusterPair(t *testing.T, suite *integrationTestSuite, extraServices func(*testing.T, *helpers.TeleInstance, *helpers.TeleInstance), cfgOpts ...serviceCfgOpt) (*client.TeleportClient, *helpers.TeleInstance, *helpers.TeleInstance) {
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
ctx := context.Background()
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
username := suite.Me.Username
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
name := "test"
rootName := fmt.Sprintf("root-%s", name)
leafName := fmt.Sprintf("leaf-%s", name)
// Create root and leaf clusters.
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
rootCfg := helpers.InstanceConfig{
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
ClusterName: rootName,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
HostID: helpers.HostID,
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
NodeName: Host,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
}
rootCfg.Listeners = standardPortsOrMuxSetup(t, false, &rootCfg.Fds)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
root := helpers.NewInstance(t, rootCfg)
leafCfg := helpers.InstanceConfig{
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
ClusterName: leafName,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
HostID: helpers.HostID,
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
NodeName: Host,
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
Priv: suite.Priv,
Pub: suite.Pub,
Log: suite.Log,
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
}
leafCfg.Listeners = standardPortsOrMuxSetup(t, false, &leafCfg.Fds)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
leaf := helpers.NewInstance(t, leafCfg)
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
role, err := types.NewRole("dev", types.RoleSpecV6{
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
Allow: types.RoleConditions{
Convert usages of `types.NewRoleV3` to `types.NewRole` (#19793) Closes #14345
2023-01-11 16:58:22 +00:00
Logins: []string{username},
NodeLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
AppLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
KubernetesLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
DatabaseLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
Rules: []types.Rule{
{
Resources: []string{types.KindSession},
Verbs: []string{
types.VerbList,
types.VerbRead,
},
},
},
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
},
})
require.NoError(t, err)
root.AddUserWithRole(username, role)
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
leaf.AddUserWithRole(username, role)
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
makeConfig := func(isRoot bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) {
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
tconf := suite.defaultServiceConfig()
tconf.Proxy.DisableWebService = false
tconf.Proxy.DisableWebInterface = true
tconf.SSH.Enabled = false
Add MaxRetryPeriod for cachePolicy config to use in tests (#22656) This fixes couple of flaky tests that surfaced after recent changes to the retry logic/timeouts.
2023-03-06 19:00:17 +00:00
tconf.CachePolicy.MaxRetryPeriod = time.Millisecond * 500
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
for _, opt := range cfgOpts {
opt(tconf, isRoot)
}
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
return t, nil, tconf
}
oldInsecure := lib.IsInsecureDevMode()
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(oldInsecure)
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
require.NoError(t, root.CreateEx(makeConfig(true)))
require.NoError(t, leaf.CreateEx(makeConfig(false)))
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
require.NoError(t, leaf.Process.GetAuthServer().UpsertRole(ctx, role))
// Connect leaf to root.
tcToken := "trusted-cluster-token"
tokenResource, err := types.NewProvisionToken(tcToken, []types.SystemRole{types.RoleTrustedCluster}, time.Time{})
require.NoError(t, err)
require.NoError(t, root.Process.GetAuthServer().UpsertToken(ctx, tokenResource))
trustedCluster := root.AsTrustedCluster(tcToken, types.RoleMap{
{Remote: "dev", Local: []string{"dev"}},
})
require.NoError(t, root.Start())
t.Cleanup(func() { root.StopAll() })
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
require.NoError(t, leaf.Start())
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
t.Cleanup(func() { leaf.StopAll() })
require.NoError(t, trustedCluster.CheckAndSetDefaults())
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
helpers.TryCreateTrustedCluster(t, leaf.Process.GetAuthServer(), trustedCluster)
helpers.WaitForTunnelConnections(t, root.Process.GetAuthServer(), leafName, 1)
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
_, _, rootProxySSHPort := root.StartNodeAndProxy(t, "root-zero")
_, _, _ = leaf.StartNodeAndProxy(t, "leaf-zero")
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
// Add any extra services.
if extraServices != nil {
extraServices(t, root, leaf)
}
Split out appaccess and proxy integration tests (#16232) * Proxy tests running * rollback * whitespace fix * Rollback port fix * Linter appeasement * License fix * Update signals.go
2022-09-08 14:27:51 +00:00
require.Eventually(t, helpers.WaitForClusters(root.Tunnel, 1), 10*time.Second, 1*time.Second)
require.Eventually(t, helpers.WaitForClusters(leaf.Tunnel, 1), 10*time.Second, 1*time.Second)
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
// Create client.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
Process: root.Process,
Username: username,
RouteToCluster: rootName,
})
require.NoError(t, err)
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
tc, err := root.NewClientWithCreds(helpers.ClientConfig{
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
Login: username,
Cluster: rootName,
Host: Loopback,
Port: rootProxySSHPort,
}, *creds)
require.NoError(t, err)
leafCAs, err := leaf.Secrets.GetCAs()
require.NoError(t, err)
for _, leafCA := range leafCAs {
Add manual tracing instrumentation to tsh (#13204) Create spans for all public facing TeleportClient, ProxyClient, and NodeClient methods. This makes correlating spans easier to reason about when looking at `tsh` traces. As a result of creating spans, some additional context propagation is required as well to ensure that spans are linked properly. This also removes the unused `quiet` argument from `ConnectToCluster`. It's usage was not consistent by existing callers, and it was ignored, so in order to avoid confusion in future calls, it was removed. #12241
2022-06-11 15:34:40 +00:00
require.NoError(t, tc.AddTrustedCA(context.Background(), leafCA))
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
return tc, root, leaf
Fix dependencies in integration tests (#13321) This change moves some type/function definitions in integration tests to fix compilation.
2022-06-10 22:41:29 +00:00
}
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
func testListResourcesAcrossClusters(t *testing.T, suite *integrationTestSuite) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
ctx := context.Background()
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
tc, _, _ := createTrustedClusterPair(t, suite, func(t *testing.T, root, leaf *helpers.TeleInstance) {
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
rootNodes := []string{"root-one", "root-two"}
leafNodes := []string{"leaf-one", "leaf-two"}
// Start a Teleport node that has SSH, Apps, Databases, and Kubernetes.
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
startNode := func(name string, i *helpers.TeleInstance) {
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
conf := suite.defaultServiceConfig()
conf.Auth.Enabled = false
conf.Proxy.Enabled = false
conf.DataDir = t.TempDir()
Use a getter/setter for reading the token value from the config (#14080)
2022-08-10 08:50:21 +00:00
conf.SetToken("token")
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
conf.UploadEventsC = i.UploadEventsC
Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)
2022-09-28 15:30:15 +00:00
conf.SetAuthServerAddress(*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))))
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
conf.HostUUID = name
conf.Hostname = name
conf.SSH.Enabled = true
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
conf.CachePolicy = servicecfg.CachePolicy{
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
Enabled: true,
}
conf.SSH.Addr = utils.NetAddr{
Remove more integration test port list allocations (#16266) Following on from #13658, this patch removes more (but unfortunately not all) usages of the deprecated, list-based port-allocation scheme. This patch: 1. Updates the integration test `TeleInstance` fixture to use injected listeners rather than static ports when creating a new proxy node in a cluster, 2. Updates tests affected by (1) to pre-allocate and inject listeners, including handling caching the listener FDs between proxy restarts 3. Removed unnecessary port allocations when creating LoadBalancer fixtures, and 4. Moved the remaining list-base port allocation functions out of helpers and back into integrations and made private. These functions should never be used by more than one test package concurrently or there is a very high chance of a port collision. Rather than just write that rule down in the comments, I have contained the deprecated code into the affected package made the compiler enforce the rule for us. See-Also: #12421 See-Also: #13658 See-Also: #14408
2022-09-14 06:53:19 +00:00
Addr: helpers.NewListenerOn(t, Host, service.ListenerNodeSSH, &conf.FileDescriptors),
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
}
conf.Proxy.Enabled = false
conf.Apps.Enabled = true
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
conf.Apps.Apps = []servicecfg.App{
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
{
Name: name,
URI: name,
},
}
conf.Databases.Enabled = true
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
conf.Databases.Databases = []servicecfg.Database{
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
{
Name: name,
URI: name,
Protocol: "postgres",
},
}
conf.Kube.KubeconfigPath = filepath.Join(conf.DataDir, "kube_config")
Remove centralised port allocation for tests (#13658) Ports used by the unit tests have been allocated by pulling them out of a list, with no guarantee that the port is not actually in use. This central allocation point also means that tests cannot be split into separate packages to be run in parallel, as the ports allocated between the various packages will be allocated multiple times and end up intermittently clashing. There is also no guarantee, even when the tests are run serially, that the ports will not clash with services already running on the machine. This patch (largely) replaces the use of this centralised port allocation with pre-created listeners injected into the test via the file descriptor import mechanism use by Teleport to pass open ports to child processes. There are still some cases where the old port allocation system is still in use. I felt this was already getting beyond the bounds of sensibly reviewable, so I have left those for a further PR after this. See-Also: #12421 See-Also: #14408
2022-07-20 02:04:54 +00:00
require.NoError(t, helpers.EnableKube(t, conf, name))
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
conf.Kube.ListenAddr = nil
process, err := service.NewTeleport(conf)
require.NoError(t, err)
i.Nodes = append(i.Nodes, process)
expectedEvents := []string{
service.NodeSSHReady,
service.AppsReady,
service.DatabasesIdentityEvent,
service.DatabasesReady,
service.KubeIdentityEvent,
service.KubernetesReady,
service.TeleportReadyEvent,
}
Split integration test fixtures into a package (#13465) As a prelude to breaking individual integration test suites out into their own packages (in order to make them more amenable to running in parallel), this patch extracts the common test fixtures and places them in a common `helpers` package. This will allow the integration test package to share common infrastructure and vocabulary once they are split out.
2022-06-15 07:07:26 +00:00
receivedEvents, err := helpers.StartAndWait(process, expectedEvents)
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
require.NoError(t, err)
log.Debugf("Teleport Kube Server (in instance %v) started: %v/%v events received.",
i.Secrets.SiteName, len(expectedEvents), len(receivedEvents))
}
for _, node := range rootNodes {
startNode(node, root)
}
for _, node := range leafNodes {
startNode(node, leaf)
}
})
nodeTests := []struct {
name string
search string
expected []string
}{
{
name: "all nodes",
Embed auth.Cache in auth.Server (#14698) * Embed auth.Cache in auth.Server * Hit the backend during Auth initialization * Bypass the cache when rotating CAs * Services.UpsertTrustedCluster is different * Bypass the cache in waitForTunnelConnections * Fix infinite recursion * More cache bypassing during init and rotations * Rename Services to Uncached in auth.Server * Further cleanups * Don't start the auth cache immediately * Go back to Services rather than Uncached * Comments and a missing method
2022-07-27 21:05:53 +00:00
expected: []string{
"root-zero", "root-one", "root-two",
"leaf-zero", "leaf-one", "leaf-two",
},
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
},
{
name: "leaf only",
search: "leaf",
expected: []string{"leaf-zero", "leaf-one", "leaf-two"},
},
{
name: "two only",
search: "two",
expected: []string{"root-two", "leaf-two"},
},
}
for _, test := range nodeTests {
t.Run("node - "+test.name, func(t *testing.T) {
if test.search != "" {
tc.SearchKeywords = strings.Split(test.search, " ")
} else {
tc.SearchKeywords = nil
}
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
clusters, err := tc.ListNodesWithFiltersAllClusters(ctx)
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
require.NoError(t, err)
nodes := make([]string, 0)
for _, v := range clusters {
for _, node := range v {
nodes = append(nodes, node.GetHostname())
}
}
require.ElementsMatch(t, test.expected, nodes)
})
}
// Everything other than ssh nodes.
tests := []struct {
name string
search string
expected []string
}{
{
name: "all",
Embed auth.Cache in auth.Server (#14698) * Embed auth.Cache in auth.Server * Hit the backend during Auth initialization * Bypass the cache when rotating CAs * Services.UpsertTrustedCluster is different * Bypass the cache in waitForTunnelConnections * Fix infinite recursion * More cache bypassing during init and rotations * Rename Services to Uncached in auth.Server * Further cleanups * Don't start the auth cache immediately * Go back to Services rather than Uncached * Comments and a missing method
2022-07-27 21:05:53 +00:00
expected: []string{
"root-one", "root-two",
"leaf-one", "leaf-two",
},
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
},
{
name: "leaf only",
search: "leaf",
expected: []string{"leaf-one", "leaf-two"},
},
{
name: "two only",
search: "two",
expected: []string{"root-two", "leaf-two"},
},
}
for _, test := range tests {
if test.search != "" {
tc.SearchKeywords = strings.Split(test.search, " ")
} else {
tc.SearchKeywords = nil
}
t.Run("apps - "+test.name, func(t *testing.T) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
clusters, err := tc.ListAppsAllClusters(ctx, nil)
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
require.NoError(t, err)
apps := make([]string, 0)
for _, v := range clusters {
for _, app := range v {
apps = append(apps, app.GetName())
}
}
require.ElementsMatch(t, test.expected, apps)
})
t.Run("databases - "+test.name, func(t *testing.T) {
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
clusters, err := tc.ListDatabasesAllClusters(ctx, nil)
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
require.NoError(t, err)
databases := make([]string, 0)
for _, v := range clusters {
for _, db := range v {
databases = append(databases, db.GetName())
}
}
require.ElementsMatch(t, test.expected, databases)
})
t.Run("kube - "+test.name, func(t *testing.T) {
req := proto.ListResourcesRequest{}
if test.search != "" {
req.SearchKeywords = strings.Split(test.search, " ")
}
`context.TODO()` tidying (#21288) * Use `ctx` rather than `context.TODO()` where available * Further propagation of context * Use `context.Background()` instead of `context.TODO()` where appropriate in tests * Further remove `context.TODO` from tests * Appease linter on parameter order
2023-02-07 09:01:35 +00:00
clusterMap, err := tc.ListKubernetesClustersWithFiltersAllClusters(ctx, req)
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
require.NoError(t, err)
clusters := make([]string, 0)
for _, cl := range clusterMap {
for _, c := range cl {
Introduce dedicated server type for Kubernetes resources (#14389) ## What First part of the Kubernetes [Discovery RFD](https://github.com/gravitational/teleport/pull/13376/) to introduce a Kubernetes server per cluster. This PR introduces a separate Kubernetes server that uses the already introduced `KubernetesClusterV3`. ## Compatibility In previous versions, Kubernetes Clusters were part of regular `ServerV2` resource and this refactoring deprecates the `ServerV2` usage but keeps them for compatibility with previous version. Everything is backward compatible, so v10 kubernetes agents and trusted clusters can connect fine. ## Next steps Once this is merged, a new PR will introduce dynamic registration for Kubernetes Clusters discovered through EKS Discovery.
2022-08-04 14:21:11 +00:00
clusters = append(clusters, c.GetName())
`tsh` list resources accross proxies and clusters (#12934) This change adds the --all/-R flag to tsh ls, tsh apps ls, tsh db ls, and tsh kube ls, which lets tsh list resources from across all clusters and logged in proxies.
2022-06-08 18:42:25 +00:00
}
}
require.ElementsMatch(t, test.expected, clusters)
})
}
}
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
func testJoinOverReverseTunnelOnly(t *testing.T, suite *integrationTestSuite) {
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
for _, proxyProtocolMode := range []multiplexer.PROXYProtocolMode{
fix leaf SSH sessions not getting recorded (#32163) * fix leaf SSH sessions not getting recorded * add integration test * address feedback, overhaul integration test * make each test case use fresh clusters to fix failing case * address feedback * Apply suggestions from code review Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * fix integration test failures --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-06 12:54:57 +00:00
multiplexer.PROXYProtocolOn, multiplexer.PROXYProtocolOff, multiplexer.PROXYProtocolUnspecified,
} {
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
t.Run(fmt.Sprintf("proxy protocol mode: %v", proxyProtocolMode), func(t *testing.T) {
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
lib.SetInsecureDevMode(true)
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
t.Cleanup(func() { lib.SetInsecureDevMode(false) })
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
// Create a Teleport instance with Auth/Proxy.
mainConfig := suite.defaultServiceConfig()
mainConfig.Auth.Enabled = true
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
mainConfig.Proxy.Enabled = true
mainConfig.Proxy.DisableWebService = false
mainConfig.Proxy.DisableWebInterface = true
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
mainConfig.Proxy.PROXYProtocolMode = proxyProtocolMode
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
mainConfig.SSH.Enabled = false
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
// Create load balancer that will send PROXY header if required
frontendTun := *utils.MustParseAddr(net.JoinHostPort(Loopback, "0"))
tunLB, err := utils.NewLoadBalancer(context.Background(), frontendTun)
require.NoError(t, err)
if proxyProtocolMode == multiplexer.PROXYProtocolOn {
tunLB.PROXYHeader = []byte("PROXY TCP4 127.0.0.1 127.0.0.2 12345 42\r\n")
}
err = tunLB.Listen()
require.NoError(t, err)
mainConfig.Proxy.TunnelPublicAddrs = []utils.NetAddr{*utils.MustParseAddr(tunLB.Addr().String())}
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
main := suite.NewTeleportWithConfig(t, nil, nil, mainConfig)
t.Cleanup(func() { require.NoError(t, main.StopAll()) })
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
// Create a Teleport instance with a Node.
nodeConfig := suite.defaultServiceConfig()
nodeConfig.Hostname = Host
nodeConfig.SetToken("token")
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
nodeConfig.Auth.Enabled = false
nodeConfig.Proxy.Enabled = false
nodeConfig.SSH.Enabled = true
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
Change 'proxy_protocol' default mode and behavior (#31622) * Change 'proxy_protocol' default mode and behavior Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header. * Don't require PROXY headers for connection to itself. There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header. * Refactor validation of 'proxy_protocol' input * Clarify PROXY protocol modes description * Tweak unexpected PROXY protocol line error message * Add comments about setting port to 0 * Return an error if we get unsigned PROXY line after signed * Improve wording for error when IP pinning is now allowed when source port = 0 * Add test for checking unspecified PROXY protocol mode on multiplexer * Fix the test * Refactor tracking of receiving of unsigned PROXY line. It makes sure we don't allow multiple PROXY lines with LOCAL command. * Improve comment wording. * Fix typo and improve wording. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Clarify PROXYProtocolMode description * Add comment about self connections * Set correct PROXYProtocolMode for multiplexers that don't need unsigned PROXY support * Fix typo. Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add comment about PROXY protocol mode on kube service. * Clarify comment for starting auth service in unspecified PROXY protocol mode * Add dedicated error for rejecting IP pinning on connection with port=0 * Improve error message * Rate limit logging error about unexpected PROXY line. * Tweak error message. --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2023-09-12 21:41:20 +00:00
backendTun := *utils.MustParseAddr(main.ReverseTunnel)
tunLB.AddBackend(backendTun)
require.NoError(t, err)
go tunLB.Serve()
t.Cleanup(func() { require.NoError(t, tunLB.Close()) })
_, err = main.StartNodeWithTargetPort(nodeConfig, helpers.PortStr(t, tunLB.Addr().String()))
Enable minimal web handler when proxy protocol is enabled (#22753) This change fixes a bug where the minimal web handler (#12730) is not created when proxy protocol is enabled.
2023-03-22 23:05:08 +00:00
require.NoError(t, err, "Node failed to join over reverse tunnel")
})
}
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
// Assert that gRPC-based join methods work over reverse tunnel.
t.Run("gRPC join service", func(t *testing.T) {
lib.SetInsecureDevMode(true)
defer lib.SetInsecureDevMode(false)
// Create a Teleport instance with Auth/Proxy.
mainConfig := suite.defaultServiceConfig()
mainConfig.Auth.Enabled = true
mainConfig.Proxy.Enabled = true
mainConfig.Proxy.DisableWebService = false
mainConfig.Proxy.DisableWebInterface = true
mainConfig.SSH.Enabled = false
main := suite.NewTeleportWithConfig(t, nil, nil, mainConfig)
t.Cleanup(func() { require.NoError(t, main.StopAll()) })
ctx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
dialer := apiclient.NewDialer(
ctx,
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
defaults.DefaultIdleTimeout,
defaults.DefaultIOTimeout,
Allow Azure/IAM join over reverse tunnel (#30720) This change adds support for gRPC-based join methods (Azure and IAM) over the reverse tunnel port.
2023-08-24 18:35:26 +00:00
)
tlsConfig := utils.TLSConfig(nil)
tlsConfig.InsecureSkipVerify = true
tlsConfig.NextProtos = []string{string(common.ProtocolProxyGRPCInsecure)}
conn, err := grpc.Dial(
main.ReverseTunnel,
grpc.WithContextDialer(apiclient.GRPCContextDialer(dialer)),
grpc.WithUnaryInterceptor(metadata.UnaryClientInterceptor),
grpc.WithStreamInterceptor(metadata.StreamClientInterceptor),
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
)
require.NoError(t, err)
joinServiceClient := apiclient.NewJoinServiceClient(proto.NewJoinServiceClient(conn))
_, err = joinServiceClient.RegisterUsingAzureMethod(ctx, func(challenge string) (*proto.RegisterUsingAzureMethodRequest, error) {
return &proto.RegisterUsingAzureMethodRequest{
RegisterUsingTokenRequest: &types.RegisterUsingTokenRequest{},
}, nil
})
// We don't care about the join succeeding, we just want to confirm
// that gRPC works.
require.True(t, trace.IsBadParameter(trail.FromGRPC(err)), err)
})
Allow reverse tunnel join without exposing the web API (#13598) This change allows agents to join over a reverse tunnel (port 3024 by default) only, instead of also requiring access to the web API (port 3080).
2022-08-15 21:28:24 +00:00
}
Add secure client IP propagation throughout teleport (#21080)
2023-02-28 20:38:12 +00:00
func getRemoteAddrString(sshClientString string) string {
parts := strings.Split(sshClientString, " ")
if len(parts) != 3 {
return ""
}
return fmt.Sprintf("%s:%s", parts[0], parts[1])
}
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
func testSFTP(t *testing.T, suite *integrationTestSuite) {
// Create Teleport instance.
teleport := suite.newTeleport(t, nil, true)
t.Cleanup(func() {
teleport.StopAll()
})
client, err := teleport.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
})
require.NoError(t, err)
// Create SFTP session.
ctx := context.Background()
proxyClient, err := client.ConnectToProxy(ctx)
require.NoError(t, err)
t.Cleanup(func() {
proxyClient.Close()
})
sftpClient, err := sftp.NewClient(proxyClient.Client.Client)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, sftpClient.Close())
})
// Create file that will be uploaded and downloaded.
tempDir := t.TempDir()
testFilePath := filepath.Join(tempDir, "testfile")
testFile, err := os.Create(testFilePath)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, testFile.Close())
})
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
contents := []byte("This is test data.")
_, err = testFile.Write(contents)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
require.NoError(t, err)
require.NoError(t, testFile.Sync())
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
_, err = testFile.Seek(0, io.SeekStart)
require.NoError(t, err)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
// Test stat'ing a file.
t.Run("stat", func(t *testing.T) {
fi, err := sftpClient.Stat(testFilePath)
require.NoError(t, err)
require.NotNil(t, fi)
})
// Test downloading a file.
t.Run("download", func(t *testing.T) {
testFileDownload := testFilePath + "-download"
downloadFile, err := os.Create(testFileDownload)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, downloadFile.Close())
})
remoteDownloadFile, err := sftpClient.Open(testFilePath)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, remoteDownloadFile.Close())
})
_, err = io.Copy(downloadFile, remoteDownloadFile)
require.NoError(t, err)
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
_, err = downloadFile.Seek(0, io.SeekStart)
require.NoError(t, err)
data, err := io.ReadAll(downloadFile)
require.NoError(t, err)
require.Equal(t, contents, data)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
})
// Test uploading a file.
t.Run("upload", func(t *testing.T) {
testFileUpload := testFilePath + "-upload"
remoteUploadFile, err := sftpClient.Create(testFileUpload)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, remoteUploadFile.Close())
})
_, err = io.Copy(remoteUploadFile, testFile)
require.NoError(t, err)
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
_, err = remoteUploadFile.Seek(0, io.SeekStart)
require.NoError(t, err)
data, err := io.ReadAll(remoteUploadFile)
require.NoError(t, err)
require.Equal(t, contents, data)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
})
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
// Test changing file permissions.
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
t.Run("chmod", func(t *testing.T) {
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
err := sftpClient.Chmod(testFilePath, 0o777)
require.NoError(t, err)
fi, err := os.Stat(testFilePath)
require.NoError(t, err)
require.Equal(t, fs.FileMode(0o777), fi.Mode().Perm())
})
// Test operations on a directory.
t.Run("mkdir", func(t *testing.T) {
dirPath := filepath.Join(tempDir, "dir")
require.NoError(t, sftpClient.Mkdir(dirPath))
err := sftpClient.Chmod(dirPath, 0o777)
require.NoError(t, err)
fi, err := os.Stat(dirPath)
require.NoError(t, err)
require.Equal(t, fs.FileMode(0o777), fi.Mode().Perm())
f, err := sftpClient.Create(filepath.Join(dirPath, "file"))
require.NoError(t, err)
require.NoError(t, f.Close())
fileInfos, err := sftpClient.ReadDir(dirPath)
require.NoError(t, err)
require.Len(t, fileInfos, 1)
require.Equal(t, "file", fileInfos[0].Name())
})
// Test renaming a file.
t.Run("rename", func(t *testing.T) {
path := filepath.Join(tempDir, "to-be-renamed")
f, err := sftpClient.Create(path)
require.NoError(t, err)
require.NoError(t, f.Close())
newPath := path + "-done"
err = sftpClient.Rename(path, newPath)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
require.NoError(t, err)
refactor SFTP backend to use upstream dep, not our fork (#23786) * refactor SFTP backend to use upstream dep, not our fork This change also greatly reduces the number of SFTP audit logs. Now SFTP events are only sent when files are opened or modified in any way, instead of for *every* SFTP request. * added to SFTP integration test * fix error when handling setstat on dirs * fix linter warning * move file/dir permission constants to lib/defaults package
2023-04-07 01:51:22 +00:00
_, err = sftpClient.Stat(path)
require.ErrorIs(t, err, os.ErrNotExist)
_, err = sftpClient.Stat(newPath)
require.NoError(t, err)
})
// Test removing a file.
t.Run("remove", func(t *testing.T) {
path := filepath.Join(tempDir, "to-be-removed")
f, err := sftpClient.Create(path)
require.NoError(t, err)
require.NoError(t, f.Close())
err = sftpClient.Remove(path)
require.NoError(t, err)
_, err = sftpClient.Stat(path)
require.ErrorIs(t, err, os.ErrNotExist)
SFTP server side support (#13491) add sftp server functionality
2022-07-07 20:08:26 +00:00
})
// Ensure SFTP audit events are present.
sftpEvent, err := findEventInLog(teleport, events.SFTPEvent)
require.NoError(t, err)
require.Equal(t, testFilePath, sftpEvent.GetString(events.SFTPPath))
}
Multiplex Proxy SSH port (#19813)
2023-01-06 16:54:05 +00:00
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
func testAgentlessConnection(t *testing.T, suite *integrationTestSuite) {
// create Teleport instance
teleInst := suite.newTeleport(t, nil, true)
t.Cleanup(func() {
require.NoError(t, teleInst.StopAll())
})
// get OpenSSH CA public key and create host certs
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
authSrv := teleInst.Process.GetAuthServer()
node := createAgentlessNode(t, authSrv, helpers.Site, "agentless-node")
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
// create client
tc, err := teleInst.NewClient(helpers.ClientConfig{
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
})
require.NoError(t, err)
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
testAgentlessConn(t, tc, tc, node)
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
}
func createAgentlessNode(t *testing.T, authServer *auth.Server, clusterName, nodeHostname string) *types.ServerV2 {
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
t.Helper()
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
ctx := context.Background()
openSSHCA, err := authServer.GetCertAuthority(ctx, types.CertAuthID{
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
Type: types.OpenSSHCA,
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
DomainName: clusterName,
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
}, false)
require.NoError(t, err)
caCheckers, err := sshutils.GetCheckers(openSSHCA)
require.NoError(t, err)
key, err := native.GeneratePrivateKey()
require.NoError(t, err)
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
nodeUUID := uuid.New().String()
hostCertBytes, err := authServer.GenerateHostCert(
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
ctx,
key.MarshalSSHPublicKey(),
"",
"",
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
[]string{nodeUUID, nodeHostname, Loopback},
clusterName,
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
types.RoleNode,
0,
)
require.NoError(t, err)
hostCert, err := apisshutils.ParseCertificate(hostCertBytes)
require.NoError(t, err)
signer, err := ssh.NewSignerFromSigner(key.Signer)
require.NoError(t, err)
hostKeySigner, err := ssh.NewCertSigner(hostCert, signer)
require.NoError(t, err)
// start SSH server
sshAddr := startSSHServer(t, caCheckers, hostKeySigner)
// create node resource
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
node := &types.ServerV2{
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
Kind: types.KindNode,
SubKind: types.SubKindOpenSSHNode,
Version: types.V2,
Metadata: types.Metadata{
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
Name: nodeUUID,
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
},
Spec: types.ServerSpecV2{
Addr: sshAddr,
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
Hostname: nodeHostname,
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
},
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
}
_, err = authServer.UpsertNode(ctx, node)
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
require.NoError(t, err)
// wait for node resource to be written to the backend
timedCtx, cancel := context.WithTimeout(ctx, time.Second)
t.Cleanup(cancel)
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
w, err := authServer.NewWatcher(timedCtx, types.Watch{
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
Name: "node-create watcher",
Kinds: []types.WatchKind{
{
Kind: types.KindNode,
},
},
})
require.NoError(t, err)
for nodeCreated := false; !nodeCreated; {
select {
case e := <-w.Events():
if e.Type == types.OpPut {
nodeCreated = true
}
case <-w.Done():
t.Fatal("Did not receive node create event")
}
}
require.NoError(t, w.Close())
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
return node
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
}
fix running non-interactive commands on agentless nodes (#24023) * fix running non-interactive commands on agentless nodes * addressed feedback
2023-04-05 18:55:35 +00:00
// startSSHServer starts a SSH server that roughly mimics an unregistered
// OpenSSH (agentless) server. The SSH server started only handles a small
// subset of SSH requests necessary for testing.
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
func startSSHServer(t *testing.T, caPubKeys []ssh.PublicKey, hostKey ssh.Signer) string {
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
t.Helper()
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
sshCfg := ssh.ServerConfig{
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
PublicKeyCallback: func(_ ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
cert, ok := key.(*ssh.Certificate)
if !ok {
return nil, fmt.Errorf("expected *ssh.Certificate, got %T", key)
}
for _, pubKey := range caPubKeys {
if bytes.Equal(cert.SignatureKey.Marshal(), pubKey.Marshal()) {
return &ssh.Permissions{}, nil
}
}
return nil, fmt.Errorf("signature key %v does not match OpenSSH CA", cert.SignatureKey)
},
}
sshCfg.AddHostKey(hostKey)
lis, err := net.Listen("tcp", Loopback+":")
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, lis.Close())
})
go func() {
nConn, err := lis.Accept()
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
assert.NoError(t, err)
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
t.Cleanup(func() {
Remove returning Teleport version on dialing a host (#29799) It was required for compatibilty reasons - v13 proxy could connect to v12 agents, which didn't support signed PROXY headers. But we don't need it in v14.
2023-08-03 02:40:44 +00:00
if nConn != nil {
// the error is ignored here to avoid failing on net.ErrClosed
_ = nConn.Close()
}
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
})
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
conn, channels, reqs, err := ssh.NewServerConn(nConn, &sshCfg)
assert.NoError(t, err)
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
t.Cleanup(func() {
Remove returning Teleport version on dialing a host (#29799) It was required for compatibilty reasons - v13 proxy could connect to v12 agents, which didn't support signed PROXY headers. But we don't need it in v14.
2023-08-03 02:40:44 +00:00
if conn != nil {
// the error is ignored here to avoid failing on net.ErrClosed
_ = conn.Close()
}
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
})
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
go ssh.DiscardRequests(reqs)
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
var agentForwarded bool
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
var shellRequested bool
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
for channelReq := range channels {
assert.Equal(t, "session", channelReq.ChannelType())
channel, reqs, err := channelReq.Accept()
assert.NoError(t, err)
t.Cleanup(func() {
// the error is ignored here to avoid failing on net.ErrClosed
_ = channel.Close()
})
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
for req := range reqs {
if req.WantReply {
assert.NoError(t, req.Reply(true, nil))
}
if req.Type == sshutils.AgentForwardRequest {
agentForwarded = true
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
} else if req.Type == sshutils.ShellRequest {
assert.NoError(t, channel.Close())
fix running non-interactive commands on agentless nodes (#24023) * fix running non-interactive commands on agentless nodes * addressed feedback
2023-04-05 18:55:35 +00:00
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
shellRequested = true
Fix SSH agent forwarding to agentless nodes (#22567) * lazily forward SSH agents when connecting to agentless nodes When connecting to unregistered OpenSSH nodes, the SSH agent is always forwarded. When connecting to registered OpenSSH (agentless) nodes however, the SSH agent doesn't *need* to be forwarded, so only do so if the user explicitly asks to. * test SSH agent forwarding in agentless integration test
2023-03-21 14:44:23 +00:00
break
}
}
}
assert.True(t, agentForwarded)
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
assert.True(t, shellRequested)
Add agentless connection integration test (#23120) * add agentless connection integration test * address feedback
2023-03-16 15:20:31 +00:00
}()
return lis.Addr().String()
}
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
func testAgentlessConn(t *testing.T, tc, joinTC *client.TeleportClient, node *types.ServerV2) {
t.Helper()
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
// connect to cluster
ctx := context.Background()
clt, err := tc.ConnectToCluster(ctx)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, clt.Close())
})
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
// connect to other cluster if needed
joinClt := clt
if tc != joinTC {
joinClt, err = joinTC.ConnectToCluster(ctx)
require.NoError(t, err)
t.Cleanup(func() {
require.NoError(t, joinClt.Close())
})
}
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
// connect to node
_, port, err := net.SplitHostPort(node.Spec.Addr)
require.NoError(t, err)
uuidAddr := net.JoinHostPort(node.Metadata.Name, port)
nodeClient, err := tc.ConnectToNode(
ctx,
clt,
client.NodeDetails{
Addr: uuidAddr,
Namespace: tc.Namespace,
Cluster: tc.SiteName,
},
tc.Username,
)
require.NoError(t, err)
t.Cleanup(func() {
// ignore the error here, nodeClient is closed below if the
// test passes
_ = nodeClient.Close()
})
// forward SSH agent
sshClient := nodeClient.Client.Client
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
s, err := sshClient.NewSession()
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
require.NoError(t, err)
t.Cleanup(func() {
// the SSH server will close the session to avoid a deadlock,
// so closing it here will result in io.EOF if the test passes
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
_ = s.Close()
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
})
// this is essentially what agent.ForwardToAgent does, but we're
// doing it manually so can take ownership of the opened SSH channel
// and check that it's closed correctly
channels := sshClient.HandleChannelOpen("auth-agent@openssh.com")
require.NotNil(t, channels)
doneServing := make(chan error)
go func() {
for ch := range channels {
channel, reqs, err := ch.Accept()
assert.NoError(t, err)
go ssh.DiscardRequests(reqs)
go func() {
doneServing <- agent.ServeAgent(tc.LocalAgent(), channel)
channel.Close()
}()
}
}()
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
require.NoError(t, agent.RequestAgentForwarding(s))
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
// request a shell so Teleport starts tracking this session
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
s.Stderr = io.Discard
s.Stdout = io.Discard
require.NoError(t, s.Shell())
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
var sessTracker types.SessionTracker
require.Eventually(t, func() bool {
trackers, err := joinClt.AuthClient.GetActiveSessionTrackers(ctx)
require.NoError(t, err)
if len(trackers) == 1 {
sessTracker = trackers[0]
return true
}
return false
}, 3*time.Second, 100*time.Millisecond)
// test that attempting to join the session returns an error
Fix some lint warnings (#31740) Including redundant types in composite literals and duplicate imports in the same file.
2023-09-12 16:18:23 +00:00
err = joinTC.Join(ctx, types.SessionPeerMode, tc.Namespace, session.ID(sessTracker.GetSessionID()), nil)
return an error when attempting to join a session of an OpenSSH node (#31472) * return an error when attempting to join a session of an OpenSSH node * remove item from test plan and note to docs * add test coverage to integration test * fix integration test * fixed linter issue
2023-09-08 22:16:02 +00:00
require.True(t, trace.IsBadParameter(err))
require.ErrorContains(t, err, "session joining is only supported for Teleport nodes, not OpenSSH nodes")
fix connecting to agentless leaf nodes (#25206) * fix connecting to agentless leaf nodes Pass user and role information to Auth server signing OpenSSH cert so avoid user/role lookup errors if the target node is on a leaf cluster. Also use role and trait information from the current connection rather than the backend to support role impersonation. * make protobuf changes backwards-compatible
2023-05-02 17:39:47 +00:00
// test that SSH agent channel is closed properly
select {
case err := <-doneServing:
require.ErrorIs(t, err, io.EOF)
case <-time.After(3 * time.Second):
require.Fail(t, "timeout waiting for SSH agent channel to be closed")
}
require.NoError(t, nodeClient.Close())
}
Multiplex Proxy SSH port (#19813)
2023-01-06 16:54:05 +00:00
// TestProxySSHPortMultiplexing ensures that the Proxy SSH port
// is serving both SSH and gRPC regardless of TLS Routing mode.
func TestProxySSHPortMultiplexing(t *testing.T) {
t.Parallel()
tests := []struct {
name string
disableTLSRouting bool
}{
{
name: "TLS routing enabled",
},
{
name: "TLS routing disabled",
disableTLSRouting: true,
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
privateKey, publicKey, err := testauthority.New().GenerateKeyPair()
require.NoError(t, err)
rc := helpers.NewInstance(t, helpers.InstanceConfig{
ClusterName: "example.com",
HostID: uuid.New().String(),
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Log: utils.NewLoggerForTests(),
})
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
rcConf := servicecfg.MakeDefaultConfig()
Multiplex Proxy SSH port (#19813)
2023-01-06 16:54:05 +00:00
rcConf.DataDir = t.TempDir()
rcConf.Auth.Preference.SetSecondFactor("off")
rcConf.SSH.Enabled = false
rcConf.Proxy.DisableWebInterface = true
rcConf.Proxy.DisableTLS = false
rcConf.Proxy.DisableALPNSNIListener = test.disableTLSRouting
rcConf.CircuitBreakerConfig = breaker.NoopBreakerConfig()
// Create identical user/role in both clusters.
me, err := user.Current()
require.NoError(t, err)
role := services.NewImplicitRole()
role.SetName("test")
role.SetLogins(types.Allow, []string{me.Username})
role.SetNodeLabels(types.Allow, map[string]apiutils.Strings{types.Wildcard: []string{types.Wildcard}})
rc.AddUserWithRole(me.Username, role)
err = rc.CreateEx(t, nil, rcConf)
require.NoError(t, err)
require.NoError(t, rc.Start())
t.Cleanup(func() {
require.NoError(t, rc.StopAll())
})
// create an authenticated client for the user
tc, err := rc.NewClient(helpers.ClientConfig{
Login: me.Username,
Cluster: helpers.Site,
Host: Host,
})
require.NoError(t, err)
// connect via SSH
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
pc, err := tc.ConnectToProxy(ctx)
require.NoError(t, err)
require.NoError(t, pc.Close())
// connect via gRPC
tlsConfig, err := tc.LoadTLSConfig()
require.NoError(t, err)
tlsConfig.NextProtos = []string{string(common.ProtocolProxySSHGRPC)}
ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
conn, err := grpc.DialContext(
ctx,
tc.SSHProxyAddr,
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
grpc.WithBlock(),
)
require.NoError(t, err)
require.Equal(t, connectivity.Ready, conn.GetState())
require.NoError(t, conn.Close())
})
}
}
Add test that verifies connectivity when Auth is down (#20450) Ensures that if a user has a valid certificate and Auth is down that they can still establish a session to nodes.
2023-01-24 21:07:11 +00:00
// TestConnectivityWithoutAuth ensures that sessions
// can/cannot be established with an existing certificate
// based on cluster configuration or roles.
func TestConnectivityWithoutAuth(t *testing.T) {
modules.SetTestModules(t, &modules.TestModules{TestBuildType: modules.BuildEnterprise})
tests := []struct {
name string
adjustRole func(r types.Role)
command []string
sshAssertion func(t *testing.T, authRunning bool, errChan chan error, term *Terminal)
}{
{
name: "offline connectivity allowed",
adjustRole: func(r types.Role) {},
sshAssertion: func(t *testing.T, authRunning bool, errChan chan error, term *Terminal) {
term.Type("echo hi\n\rexit\n\r")
select {
case err := <-errChan:
require.NoError(t, err)
case <-time.After(5 * time.Second):
t.Fatal("timeout waiting for session to exit")
}
require.Contains(t, term.AllOutput(), "hi")
},
},
{
name: "moderated sessions requires auth connectivity",
adjustRole: func(r types.Role) {
r.SetSessionRequirePolicies([]*types.SessionRequirePolicy{
{
Name: "bar",
Kinds: []string{string(types.SSHSessionKind)},
},
})
},
sshAssertion: func(t *testing.T, authRunning bool, errChan chan error, term *Terminal) {
if authRunning {
require.Eventually(t, func() bool {
return strings.Contains(term.AllOutput(), "Waiting for required participants")
}, 5*time.Second, 500*time.Millisecond)
// send ctrl-c to exit
term.Type("\x03\r")
}
select {
case err := <-errChan:
require.Error(t, err)
if !authRunning {
require.Empty(t, term.AllOutput())
}
case <-time.After(5 * time.Second):
t.Fatal("timeout waiting for session to exit")
}
},
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
// Create auth config.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
authCfg := servicecfg.MakeDefaultConfig()
Add test that verifies connectivity when Auth is down (#20450) Ensures that if a user has a valid certificate and Auth is down that they can still establish a session to nodes.
2023-01-24 21:07:11 +00:00
authCfg.Console = nil
authCfg.Log = utils.NewLoggerForTests()
authCfg.CircuitBreakerConfig = breaker.NoopBreakerConfig()
authCfg.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
authCfg.Auth.Preference.SetSecondFactor("off")
authCfg.Auth.Enabled = true
authCfg.Auth.NoAudit = true
authCfg.Proxy.Enabled = false
authCfg.SSH.Enabled = false
privateKey, publicKey, err := testauthority.New().GenerateKeyPair()
require.NoError(t, err)
auth := helpers.NewInstance(t, helpers.InstanceConfig{
ClusterName: helpers.Site,
HostID: uuid.New().String(),
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Log: utils.NewLoggerForTests(),
})
// Create a user and role.
me, err := user.Current()
require.NoError(t, err)
role := services.NewImplicitRole()
role.SetName("test")
role.SetLogins(types.Allow, []string{me.Username})
role.SetNodeLabels(types.Allow, map[string]apiutils.Strings{types.Wildcard: []string{types.Wildcard}})
auth.AddUserWithRole(me.Username, role)
// allow test case to tweak the role
test.adjustRole(role)
// create and launch the auth server
err = auth.CreateEx(t, nil, authCfg)
require.NoError(t, err)
require.NoError(t, auth.Start())
t.Cleanup(func() {
require.NoError(t, auth.StopAll())
})
// create a proxy/node instance
privateKey, publicKey, err = testauthority.New().GenerateKeyPair()
require.NoError(t, err)
node := helpers.NewInstance(t, helpers.InstanceConfig{
ClusterName: helpers.Site,
HostID: uuid.New().String(),
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Log: utils.NewLoggerForTests(),
})
// Create node config.
Refactor tctl's dependencies (#22693) * Move configuration from lib/service to lib/service/servicecfg The new servicecfg package will hold only configuration for services. This will allow other packages (like tctl and tsh) to depend on servicecfg without pulling in all of lib/service (which has a number of platform-specific details). This is the first step towards being able to build tctl for Windows. * Move PAM and BPF config into servicecfg This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
nodeCfg := servicecfg.MakeDefaultConfig()
Add test that verifies connectivity when Auth is down (#20450) Ensures that if a user has a valid certificate and Auth is down that they can still establish a session to nodes.
2023-01-24 21:07:11 +00:00
nodeCfg.SetAuthServerAddress(authCfg.Auth.ListenAddr)
nodeCfg.SetToken("token")
nodeCfg.CachePolicy.Enabled = true
nodeCfg.DataDir = t.TempDir()
nodeCfg.Console = nil
nodeCfg.Log = utils.NewLoggerForTests()
nodeCfg.CircuitBreakerConfig = breaker.NoopBreakerConfig()
nodeCfg.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
nodeCfg.Auth.Enabled = false
// Configure Proxy.
nodeCfg.Proxy.Enabled = true
nodeCfg.Proxy.DisableWebService = false
nodeCfg.Proxy.DisableWebInterface = true
nodeCfg.FileDescriptors = append(nodeCfg.FileDescriptors, node.Fds...)
nodeCfg.Proxy.SSHAddr.Addr = node.SSHProxy
nodeCfg.Proxy.WebAddr.Addr = node.Web
nodeCfg.Proxy.ReverseTunnelListenAddr.Addr = node.Secrets.TunnelAddr
// Configure Node.
nodeCfg.SSH.Enabled = true
nodeCfg.SSH.Addr.Addr = node.SSH
err = node.CreateWithConf(t, nodeCfg)
require.NoError(t, err)
require.NoError(t, node.Start())
t.Cleanup(func() {
require.NoError(t, node.StopAll())
})
// create a client for the user created above
cli, err := auth.NewClient(helpers.ClientConfig{
Login: me.Username,
Cluster: helpers.Site,
Host: Host,
Port: helpers.Port(t, node.SSH),
Proxy: &helpers.ProxyConfig{
SSHAddr: nodeCfg.Proxy.SSHAddr.String(),
WebAddr: nodeCfg.Proxy.WebAddr.String(),
},
})
require.NoError(t, err)
// start ssh session with auth still running
term := NewTerminal(200)
cli.Stdout = term
cli.Stdin = term
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
errChan := make(chan error, 1)
go func() {
errChan <- cli.SSH(ctx, test.command, false)
}()
t.Run("auth running", func(t *testing.T) {
test.sshAssertion(t, true, errChan, term)
})
// shut down auth server
require.NoError(t, auth.StopAuth(false))
// start ssh session after auth has shutdown
term = NewTerminal(200)
cli.Stdout = term
cli.Stdin = term
ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
go func() {
errChan <- cli.SSH(ctx, test.command, false)
}()
t.Run("auth not running", func(t *testing.T) {
test.sshAssertion(t, false, errChan, term)
})
})
}
}
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
Add test that verifies sessions are unaffected by Auth restarts (#28949) Addresses part of #24096 via a new integration test. > With HA you should be able to reboot the > cluster without dropping the connection The test starts two processes, one running just Auth, another running SSH+Proxy. An interactive session is created which periodically executes a command and verifies the output contains the expected values. The Auth instance is restarted in the background while the command validation occurs.
2023-07-12 13:16:50 +00:00
// TestConnectivityDuringAuthRestart ensures that sessions
// survive an Auth restart.
func TestConnectivityDuringAuthRestart(t *testing.T) {
t.Parallel()
// Create auth config.
authCfg := servicecfg.MakeDefaultConfig()
authCfg.Console = nil
authCfg.Log = utils.NewLoggerForTests()
authCfg.CircuitBreakerConfig = breaker.NoopBreakerConfig()
authCfg.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
authCfg.Auth.Preference.SetSecondFactor("off")
authCfg.Auth.Enabled = true
authCfg.Auth.NoAudit = true
authCfg.Proxy.Enabled = false
authCfg.SSH.Enabled = false
privateKey, publicKey, err := testauthority.New().GenerateKeyPair()
require.NoError(t, err)
auth := helpers.NewInstance(t, helpers.InstanceConfig{
ClusterName: helpers.Site,
HostID: uuid.New().String(),
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Log: utils.NewLoggerForTests(),
})
// Create a user and role.
me, err := user.Current()
require.NoError(t, err)
role := services.NewImplicitRole()
role.SetName("test")
role.SetLogins(types.Allow, []string{me.Username})
role.SetNodeLabels(types.Allow, map[string]apiutils.Strings{types.Wildcard: []string{types.Wildcard}})
auth.AddUserWithRole(me.Username, role)
// create and launch the auth server
err = auth.CreateEx(t, nil, authCfg)
require.NoError(t, err)
require.NoError(t, auth.Start())
t.Cleanup(func() {
require.NoError(t, auth.StopAll())
})
// create a proxy/node instance
privateKey, publicKey, err = testauthority.New().GenerateKeyPair()
require.NoError(t, err)
node := helpers.NewInstance(t, helpers.InstanceConfig{
ClusterName: helpers.Site,
HostID: uuid.New().String(),
NodeName: Host,
Priv: privateKey,
Pub: publicKey,
Log: utils.NewLoggerForTests(),
})
// Create node config.
nodeCfg := servicecfg.MakeDefaultConfig()
nodeCfg.SetAuthServerAddress(authCfg.Auth.ListenAddr)
nodeCfg.SetToken("token")
nodeCfg.CachePolicy.Enabled = true
nodeCfg.DataDir = t.TempDir()
nodeCfg.Console = nil
nodeCfg.Log = utils.NewLoggerForTests()
nodeCfg.CircuitBreakerConfig = breaker.NoopBreakerConfig()
nodeCfg.InstanceMetadataClient = cloud.NewDisabledIMDSClient()
nodeCfg.DiagnosticAddr = *utils.MustParseAddr(helpers.NewListener(t, service.ListenerType("diag"), &node.Fds))
nodeCfg.Auth.Enabled = false
// Configure Proxy.
nodeCfg.Proxy.Enabled = true
nodeCfg.Proxy.DisableWebService = false
nodeCfg.Proxy.DisableWebInterface = true
nodeCfg.FileDescriptors = append(nodeCfg.FileDescriptors, node.Fds...)
nodeCfg.Proxy.SSHAddr.Addr = node.SSHProxy
nodeCfg.Proxy.WebAddr.Addr = node.Web
nodeCfg.Proxy.ReverseTunnelListenAddr.Addr = node.Secrets.TunnelAddr
// Configure Node.
nodeCfg.SSH.Enabled = true
nodeCfg.SSH.Addr.Addr = node.SSH
err = node.CreateWithConf(t, nodeCfg)
require.NoError(t, err)
require.NoError(t, node.Start())
t.Cleanup(func() {
require.NoError(t, node.StopAll())
})
term := NewTerminal(200)
// create a client for the user created above
cli, err := auth.NewClient(helpers.ClientConfig{
Login: me.Username,
Cluster: helpers.Site,
Host: Host,
Port: helpers.Port(t, node.SSH),
Interactive: true,
Stdin: term,
Stdout: term,
Stderr: term,
Proxy: &helpers.ProxyConfig{
SSHAddr: nodeCfg.Proxy.SSHAddr.String(),
WebAddr: nodeCfg.Proxy.WebAddr.String(),
},
})
require.NoError(t, err)
// start ssh session with auth still running
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
errChan := make(chan error, 1)
go func() {
errChan <- cli.SSH(ctx, nil, false)
}()
// validate that the session is active
term.Type("echo txlxport100 | sed 's/x/e/g'\n\r")
require.Eventually(t, func() bool {
idx := strings.Index(term.AllOutput(), "teleport100")
return idx != -1
}, 3*time.Second, 100*time.Millisecond, "session output never received")
// restart the auth service a few times
authRestartChan := make(chan error, 3)
go func() {
for i := 0; i < 3; i++ {
authRestartChan <- auth.RestartAuth()
}
}()
// test that the session remains alive until after auth starts again
var (
terminate bool
restartCount int
)
for i := 0; !terminate; i++ {
term.Type(fmt.Sprintf("echo txlxport%d | sed 's/x/e/g'\n\r", i+10))
require.Eventually(t, func() bool {
idx := strings.Index(term.AllOutput(), fmt.Sprintf("teleport%d", i+10))
return idx != -1
}, 3*time.Second, 100*time.Millisecond, "session output never received")
select {
case err := <-authRestartChan:
require.NoError(t, err)
restartCount++
default:
if restartCount == 3 {
terminate = true
}
}
}
// terminate the session
term.Type("exit\n\r")
require.NoError(t, <-errChan)
}
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
func testModeratedSessions(t *testing.T, suite *integrationTestSuite) {
modules.SetTestModules(t, &modules.TestModules{TestBuildType: modules.BuildEnterprise})
const password = "supersecretpassword"
inputReader := prompt.NewFakeReader().
AddString(password).
AddReply(func(ctx context.Context) (string, error) {
panic("this should not be called")
})
Remove exported Webauthn functions (#30420) * Add WebauthnLogin field to teleportClient and tsh for tests. * Use custom WebauthnLogin func instead of test export. * Remove HasPlatformSupport exported function. * Add todo to remove lib/client/export.go. * Parallelize affected tests. * Apply suggestions from CR.
2023-08-17 02:18:23 +00:00
oldStdin := prompt.Stdin()
prompt.SetStdin(inputReader)
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
t.Cleanup(func() {
prompt.SetStdin(oldStdin)
})
device, err := mocku2f.Create()
require.NoError(t, err)
device.SetPasswordless()
Remove exported Webauthn functions (#30420) * Add WebauthnLogin field to teleportClient and tsh for tests. * Use custom WebauthnLogin func instead of test export. * Remove HasPlatformSupport exported function. * Add todo to remove lib/client/export.go. * Parallelize affected tests. * Apply suggestions from CR.
2023-08-17 02:18:23 +00:00
customWebauthnLogin := func(ctx context.Context, realOrigin string, assertion *wantypes.CredentialAssertion, prompt wancli.LoginPrompt, _ *wancli.LoginOpts) (*proto.MFAAuthenticateResponse, string, error) {
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
car, err := device.SignAssertion("https://127.0.0.1", assertion) // use the fake origin to prevent a mismatch
if err != nil {
return nil, "", err
}
return &proto.MFAAuthenticateResponse{
Response: &proto.MFAAuthenticateResponse_Webauthn{
Remove `lib/auth/webauthn` dependency from `webauthncli` (#30377) * Alias `api/types/webauthn` imports to `wanpb` * Use `webauthnpb` as the default package name * Move messages.go to webauthntypes/ * Move extensions.go to webauthntypes/ * Move proto.go to webauthntypes/ * nit: Use consistent license style * Use the `wantypes` alias for webauthntypes * Use the `wanwin` alias for webauthnwin * nit: Move winwebauthn.go to webauthnwin.go * Document package webauthntypes * Alias types required by e/ * Appease linter * Add all main types/method to compat.go * Reinstate spaces on proxy_test.go * Alias newly-added usages
2023-08-14 21:24:37 +00:00
Webauthn: wantypes.CredentialAssertionResponseToProto(car),
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
},
}, "", nil
}
// Enable web service.
cfg := suite.defaultServiceConfig()
cfg.Auth.Enabled = true
cfg.Auth.Preference.SetSecondFactor("on")
cfg.Auth.Preference.(*types.AuthPreferenceV2).Spec.RequireMFAType = types.RequireMFAType_SESSION
cfg.Auth.Preference.SetWebauthn(&types.Webauthn{RPID: "127.0.0.1"})
cfg.Proxy.DisableWebService = false
cfg.Proxy.DisableWebInterface = true
cfg.Proxy.Enabled = true
cfg.SSH.Enabled = true
instance := suite.NewTeleportWithConfig(t, nil, nil, cfg)
ctx, cancel := context.WithCancelCause(context.Background())
defer cancel(nil)
peerRole, err := types.NewRole("moderated", types.RoleSpecV6{
Allow: types.RoleConditions{
RequireSessionJoin: []*types.SessionRequirePolicy{
{
Name: "moderated",
Filter: "contains(user.roles, \"moderator\")",
Kinds: []string{string(types.SSHSessionKind)},
Count: 1,
Modes: []string{string(types.SessionModeratorMode)},
},
},
},
})
require.NoError(t, err)
require.NoError(t, instance.Process.GetAuthServer().UpsertRole(ctx, peerRole))
moderatorRole, err := types.NewRole("moderator", types.RoleSpecV6{
Allow: types.RoleConditions{
JoinSessions: []*types.SessionJoinPolicy{
{
Name: "moderated",
Roles: []string{peerRole.GetName()},
Kinds: []string{string(types.SSHSessionKind)},
Modes: []string{string(types.SessionModeratorMode), string(types.SessionObserverMode)},
},
},
},
})
require.NoError(t, err)
require.NoError(t, instance.Process.GetAuthServer().UpsertRole(ctx, moderatorRole))
setupUser := func(user, role string, asrv *auth.Server) {
u, err := types.NewUser(user)
require.NoError(t, err)
u.SetRoles([]string{"access", role})
u.SetLogins([]string{suite.Me.Username, user})
Update users interface (#32987) services.UsersService now takes a context and returns the user from write operations as shown in the diff below. The bulk of the changes are from modifying code to account for the additional parameter and/or return value. Functional changes to better make use of the new API will come in follow up PRs. ```diff // UserGetter is responsible for getting users type UserGetter interface { // GetUser returns a user by name - GetUser(user string, withSecrets bool) (types.User, error) + GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error) } // UsersService is responsible for basic user management type UsersService interface { UserGetter // CreateUser creates user, only if the user entry does not exist - CreateUser(user types.User) error + CreateUser(ctx context.Context, user types.User) (types.User, error) // UpdateUser updates an existing user. - UpdateUser(ctx context.Context, user types.User) error + UpdateUser(ctx context.Context, user types.User) (types.User, error) // UpdateAndSwapUser reads an existing user, runs `fn` against it and writes // the result to storage. Return `false` from `fn` to avoid storage changes. // Roughly equivalent to [GetUser] followed by [CompareAndSwapUser]. // Returns the storage user. UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error) // UpsertUser updates parameters about user - UpsertUser(user types.User) error + UpsertUser(ctx context.Context, user types.User) (types.User, error) // CompareAndSwapUser updates an existing user, but fails if the user does // not match an expected backend value. CompareAndSwapUser(ctx context.Context, new, existing types.User) error // DeleteUser deletes a user with all the keys from the backend DeleteUser(ctx context.Context, user string) error // GetUsers returns a list of users registered with the local auth server - GetUsers(withSecrets bool) ([]types.User, error) + GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error) // DeleteAllUsers deletes all users - DeleteAllUsers() error + DeleteAllUsers(ctx context.Context) error } ``` Depends on gravitational/teleport.e#2346 Implements step 3 of #32949
2023-10-10 14:07:46 +00:00
_, err = asrv.CreateUser(ctx, u)
require.NoError(t, err)
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
token, err := asrv.CreateResetPasswordToken(ctx, auth.CreateUserTokenRequest{
Name: user,
})
require.NoError(t, err)
tokenID := token.GetName()
res, err := asrv.CreateRegisterChallenge(ctx, &proto.CreateRegisterChallengeRequest{
TokenID: tokenID,
DeviceType: proto.DeviceType_DEVICE_TYPE_WEBAUTHN,
DeviceUsage: proto.DeviceUsage_DEVICE_USAGE_PASSWORDLESS,
})
require.NoError(t, err)
Remove `lib/auth/webauthn` dependency from `webauthncli` (#30377) * Alias `api/types/webauthn` imports to `wanpb` * Use `webauthnpb` as the default package name * Move messages.go to webauthntypes/ * Move extensions.go to webauthntypes/ * Move proto.go to webauthntypes/ * nit: Use consistent license style * Use the `wantypes` alias for webauthntypes * Use the `wanwin` alias for webauthnwin * nit: Move winwebauthn.go to webauthnwin.go * Document package webauthntypes * Alias types required by e/ * Appease linter * Add all main types/method to compat.go * Reinstate spaces on proxy_test.go * Alias newly-added usages
2023-08-14 21:24:37 +00:00
cc := wantypes.CredentialCreationFromProto(res.GetWebauthn())
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
ccr, err := device.SignCredentialCreation("https://127.0.0.1", cc)
require.NoError(t, err)
_, err = asrv.ChangeUserAuthentication(ctx, &proto.ChangeUserAuthenticationRequest{
TokenID: tokenID,
NewPassword: []byte(password),
NewMFARegisterResponse: &proto.MFARegisterResponse{
Response: &proto.MFARegisterResponse_Webauthn{
Remove `lib/auth/webauthn` dependency from `webauthncli` (#30377) * Alias `api/types/webauthn` imports to `wanpb` * Use `webauthnpb` as the default package name * Move messages.go to webauthntypes/ * Move extensions.go to webauthntypes/ * Move proto.go to webauthntypes/ * nit: Use consistent license style * Use the `wantypes` alias for webauthntypes * Use the `wanwin` alias for webauthnwin * nit: Move winwebauthn.go to webauthnwin.go * Document package webauthntypes * Alias types required by e/ * Appease linter * Add all main types/method to compat.go * Reinstate spaces on proxy_test.go * Alias newly-added usages
2023-08-14 21:24:37 +00:00
Webauthn: wantypes.CredentialCreationResponseToProto(ccr),
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
},
},
})
require.NoError(t, err)
}
setupUser("peer", peerRole.GetName(), instance.Process.GetAuthServer())
setupUser("moderator", moderatorRole.GetName(), instance.Process.GetAuthServer())
peerTerminal := NewTerminal(250)
moderatorTerminal := NewTerminal(250)
// get a reference to site obj:
site := instance.GetSiteAPI(helpers.Site)
require.NotNil(t, site)
// PersonA: SSH into the server, wait one second, then type some commands on stdin:
openSession := func() {
cl, err := instance.NewClient(helpers.ClientConfig{
TeleportUser: "peer",
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
})
if err != nil {
cancel(trace.Wrap(err, "failed to create peer client"))
return
}
Remove exported Webauthn functions (#30420) * Add WebauthnLogin field to teleportClient and tsh for tests. * Use custom WebauthnLogin func instead of test export. * Remove HasPlatformSupport exported function. * Add todo to remove lib/client/export.go. * Parallelize affected tests. * Apply suggestions from CR.
2023-08-17 02:18:23 +00:00
cl.WebauthnLogin = customWebauthnLogin
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
cl.Stdout = peerTerminal
cl.Stdin = peerTerminal
if err := cl.SSH(ctx, []string{}, false); err != nil {
cancel(trace.Wrap(err, "peer session failed"))
return
}
}
// PersonB: wait for a session to become available, then join:
joinSession := func() {
sessionTimeoutCtx, sessionTimeoutCancel := context.WithTimeout(context.Background(), 10*time.Second)
defer sessionTimeoutCancel()
sessions, err := waitForSessionToBeEstablished(sessionTimeoutCtx, defaults.Namespace, site)
if err != nil {
cancel(trace.Wrap(err, "failed waiting for peer session to be established"))
return
}
sessionID := sessions[0].GetSessionID()
cl, err := instance.NewClient(helpers.ClientConfig{
TeleportUser: "moderator",
Login: suite.Me.Username,
Cluster: helpers.Site,
Host: Host,
})
if err != nil {
cancel(trace.Wrap(err, "failed to create peer client"))
return
}
Remove exported Webauthn functions (#30420) * Add WebauthnLogin field to teleportClient and tsh for tests. * Use custom WebauthnLogin func instead of test export. * Remove HasPlatformSupport exported function. * Add todo to remove lib/client/export.go. * Parallelize affected tests. * Apply suggestions from CR.
2023-08-17 02:18:23 +00:00
cl.WebauthnLogin = customWebauthnLogin
Fix moderated session presence checking (#25988) * Fix moderated session presence checking Addresses all of the issues that were preventing presence checking during moderated sessions from working as described in [#18092](https://github.com/gravitational/teleport/issues/18092#issuecomment-1540900859). Closes #18092 * make presence test clearer * fix presence checking on the web ui * Refactor web socket message handling A single message processing loop handles retrieving the envelope and passing it off to individual message handlers. This allows all messages to be processed outside of `Read` which was dependent on the terminal being active to process any messages. The webauthn challenge response was also moved from a raw message to a webauthn message. By sending it as a raw message it made presence checking fail because the response has a `t` in it which caused the session to be killed during moderated sessions. * enforce mfa ceremony when joining and cluster wide mfa is enabled * fix conflicts with master * moderated tests * Add moderated session tests for the UI * Add moderated session integration test * fix lints * clean up presence test * refactor envelope handling * fix build * fix: revert test debug timeout * fix: use local context in tests * simplify closing streams * generalize waitForOutput to work with an io.Reader * fix error handling in stream close * unexport PresenceOptions * Improve waitForOutput to match against output in successive reads
2023-06-08 20:27:13 +00:00
cl.Stdout = moderatorTerminal
cl.Stdin = moderatorTerminal
if err := cl.Join(ctx, types.SessionModeratorMode, defaults.Namespace, session.ID(sessionID), moderatorTerminal); err != nil {
cancel(trace.Wrap(err, "moderator session failed"))
}
}
go openSession()
go joinSession()
require.Eventually(t, func() bool {
ss, err := site.GetActiveSessionTrackers(ctx)
if err != nil {
return false
}
if len(ss) != 1 {
return false
}
return len(ss[0].GetParticipants()) == 2
}, 5*time.Second, 100*time.Millisecond)
peerTerminal.Type("echo llamas\n\r")
require.Eventually(t, func() bool {
return strings.Contains(moderatorTerminal.AllOutput(), "llamas")
}, 5*time.Second, 100*time.Millisecond)
// terminate the session
moderatorTerminal.Type("t\n\r")
select {
case <-ctx.Done():
err = context.Cause(ctx)
require.Contains(t, err.Error(), "Process exited with status 255")
p := peerTerminal.AllOutput()
require.Contains(t, p, "Forcefully terminating session...")
m := moderatorTerminal.AllOutput()
require.Contains(t, m, "Forcefully terminating session...")
case <-time.After(5 * time.Second):
t.Fatal("Timeout waiting for session to be terminated.")
}
}
Reference in a new issue Copy permalink