Skip cache during CreateBot RPC (#14899)

* Skip cache during CreateBot RPC

* Adjust calls to use .Service rather than .Identity

* Switch to CreateRole from UpsertRole

lib/auth/auth_with_roles.go

@@ -3175,7 +3175,7 @@ func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error) {
 }
 
 // CreateRole not implemented: can only be called locally.
-func (a *ServerWithRoles) CreateRole(role types.Role) error {
+func (a *ServerWithRoles) CreateRole(ctx context.Context, role types.Role) error {
 	return trace.NotImplemented(notImplementedMessage)
 }
 

lib/auth/bot.go

@@ -72,7 +72,7 @@ func createBotRole(ctx context.Context, s *Server, botName string, resourceName
 	meta.Labels[types.BotLabel] = botName
 	role.SetMetadata(meta)
 
-	err = s.UpsertRole(ctx, role)
+	err = s.CreateRole(ctx, role)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -125,15 +125,16 @@ func (s *Server) createBot(ctx context.Context, req *proto.CreateBotRequest) (*p
 	resourceName := BotResourceName(req.Name)
 
 	// Ensure conflicting resources don't already exist.
-	_, err := s.GetRole(ctx, resourceName)
+	// We skip the cache here to allow for bot recreation shortly after bot
+	// deletion.
+	_, err := s.Services.GetRole(ctx, resourceName)
 	if err != nil && !trace.IsNotFound(err) {
 		return nil, trace.Wrap(err)
 	}
 	if roleExists := (err == nil); roleExists {
 		return nil, trace.AlreadyExists("cannot add bot: role %q already exists", resourceName)
 	}
-
-	_, err = s.GetUser(resourceName, false)
+	_, err = s.Services.GetUser(resourceName, false)
 	if err != nil && !trace.IsNotFound(err) {
 		return nil, trace.Wrap(err)
 	}

lib/auth/clt.go

@@ -1187,7 +1187,7 @@ func (c *Client) DeleteNamespace(name string) error {
 }
 
 // CreateRole not implemented: can only be called locally.
-func (c *Client) CreateRole(role types.Role) error {
+func (c *Client) CreateRole(ctx context.Context, role types.Role) error {
 	return trace.NotImplemented(notImplementedMessage)
 }
 

lib/auth/init.go

@@ -403,7 +403,7 @@ func Init(cfg InitConfig, opts ...ServerOption) (*Server, error) {
 	}
 
 	// Create presets - convenience and example resources.
-	err = createPresets(asrv)
+	err = createPresets(ctx, asrv)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -514,14 +514,14 @@ func migrateLegacyResources(ctx context.Context, asrv *Server) error {
 }
 
 // createPresets creates preset resources (eg, roles).
-func createPresets(asrv *Server) error {
+func createPresets(ctx context.Context, asrv *Server) error {
 	roles := []types.Role{
 		services.NewPresetEditorRole(),
 		services.NewPresetAccessRole(),
 		services.NewPresetAuditorRole(),
 	}
 	for _, role := range roles {
-		err := asrv.CreateRole(role)
+		err := asrv.CreateRole(ctx, role)
 		if err != nil {
 			if !trace.IsAlreadyExists(err) {
 				return trace.WrapWithMessage(err, "failed to create preset role %v", role.GetName())

lib/auth/init_test.go

@@ -447,18 +447,19 @@ func TestPresets(t *testing.T) {
 	roles := []types.Role{
 		services.NewPresetEditorRole(),
 		services.NewPresetAccessRole(),
-		services.NewPresetAuditorRole()}
+		services.NewPresetAuditorRole(),
+	}
 
 	t.Run("EmptyCluster", func(t *testing.T) {
 		as := newTestAuthServer(ctx, t)
 		clock := clockwork.NewFakeClock()
 		as.SetClock(clock)
 
-		err := createPresets(as)
+		err := createPresets(ctx, as)
 		require.NoError(t, err)
 
 		// Second call should not fail
-		err = createPresets(as)
+		err = createPresets(ctx, as)
 		require.NoError(t, err)
 
 		// Presets were created
@@ -476,10 +477,10 @@ func TestPresets(t *testing.T) {
 
 		access := services.NewPresetEditorRole()
 		access.SetLogins(types.Allow, []string{"root"})
-		err := as.CreateRole(access)
+		err := as.CreateRole(ctx, access)
 		require.NoError(t, err)
 
-		err = createPresets(as)
+		err = createPresets(ctx, as)
 		require.NoError(t, err)
 
 		// Presets were created
@@ -973,8 +974,10 @@ func TestRotateDuplicatedCerts(t *testing.T) {
 		require.NoError(t, err)
 	})
 
-	rotationPhases := []string{types.RotationPhaseInit, types.RotationPhaseUpdateClients,
-		types.RotationPhaseUpdateServers, types.RotationPhaseStandby}
+	rotationPhases := []string{
+		types.RotationPhaseInit, types.RotationPhaseUpdateClients,
+		types.RotationPhaseUpdateServers, types.RotationPhaseStandby,
+	}
 
 	ctx := context.Background()
 	// Rotate CAs.

lib/auth/oidc_test.go

@@ -236,7 +236,7 @@ func TestSSODiagnostic(t *testing.T) {
 				},
 			})
 			require.NoError(t, err)
-			err = s.a.CreateRole(role)
+			err = s.a.CreateRole(ctx, role)
 			require.NoError(t, err)
 
 			// connector spec

lib/auth/saml_test.go

@@ -410,7 +410,7 @@ func TestServer_ValidateSAMLResponse(t *testing.T) {
 		},
 	})
 	require.NoError(t, err)
-	err = a.CreateRole(role)
+	err = a.CreateRole(ctx, role)
 	require.NoError(t, err)
 
 	// real response from Okta

lib/services/access.go

@@ -35,7 +35,7 @@ type Access interface {
 	// GetRoles returns a list of roles.
 	GetRoles(ctx context.Context) ([]types.Role, error)
 	// CreateRole creates a role.
-	CreateRole(role types.Role) error
+	CreateRole(ctx context.Context, role types.Role) error
 	// UpsertRole creates or updates role.
 	UpsertRole(ctx context.Context, role types.Role) error
 	// DeleteAllRoles deletes all roles.

lib/services/local/access.go

@@ -69,7 +69,7 @@ func (s *AccessService) GetRoles(ctx context.Context) ([]types.Role, error) {
 }
 
 // CreateRole creates a role on the backend.
-func (s *AccessService) CreateRole(role types.Role) error {
+func (s *AccessService) CreateRole(ctx context.Context, role types.Role) error {
 	err := services.ValidateRoleName(role)
 	if err != nil {
 		return trace.Wrap(err)
@@ -86,7 +86,7 @@ func (s *AccessService) CreateRole(role types.Role) error {
 		Expires: role.Expiry(),
 	}
 
-	_, err = s.Create(context.TODO(), item)
+	_, err = s.Create(ctx, item)
 	if err != nil {
 		return trace.Wrap(err)
 	}