Use a getter/setter for reading the token value from the config (#14080)

2024-10-19 08:43:58 +00:00 · 2022-08-10 09:50:21 +01:00 · 2022-08-10 09:50:21 +01:00 · 29175e57d3
parent 42f399e573
commit 29175e57d3
18 changed files with 95 additions and 65 deletions
--- a/docs/pages/setup/reference/config.mdx
+++ b/docs/pages/setup/reference/config.mdx
@ -83,8 +83,9 @@ teleport:
    # PID file for Teleport process
    #pid_file: /var/run/teleport.pid

-    # Invitation token or file path containing token used to join a cluster. It
-    # is not used on subsequent starts.
+    # The invitation token or an absolute path to a file containing the token used 
+    # to join a cluster. It is not used on subsequent starts.
+    # If using a file, it only needs to exist when teleport is first ran.
    #
    # File path example:
    # auth_token: /var/lib/teleport/tokenjoin
--- a/integration/app_integration_test.go
+++ b/integration/app_integration_test.go
@ -1501,7 +1501,7 @@ func (p *pack) startRootAppServers(t *testing.T, count int, extraApps []service.
 		raConf.Console = nil
 		raConf.Log = log
 		raConf.DataDir = t.TempDir()
-		raConf.Token = "static-token-value"
+		raConf.SetToken("static-token-value")
 		raConf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -1635,7 +1635,7 @@ func (p *pack) startLeafAppServers(t *testing.T, count int, extraApps []service.
 		laConf.Console = nil
 		laConf.Log = log
 		laConf.DataDir = t.TempDir()
-		laConf.Token = "static-token-value"
+		laConf.SetToken("static-token-value")
 		laConf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
--- a/integration/db_integration_test.go
+++ b/integration/db_integration_test.go
@ -1103,7 +1103,7 @@ func setupDatabaseTest(t *testing.T, options ...testOptionFunc) *databasePack {
 	}
 	rdConf := service.MakeDefaultConfig()
 	rdConf.DataDir = t.TempDir()
-	rdConf.Token = "static-token-value"
+	rdConf.SetToken("static-token-value")
 	rdConf.AuthServers = []utils.NetAddr{
 		{
 			AddrNetwork: "tcp",
@ -1141,7 +1141,7 @@ func setupDatabaseTest(t *testing.T, options ...testOptionFunc) *databasePack {
 	}
 	ldConf := service.MakeDefaultConfig()
 	ldConf.DataDir = t.TempDir()
-	ldConf.Token = "static-token-value"
+	ldConf.SetToken("static-token-value")
 	ldConf.AuthServers = []utils.NetAddr{
 		{
 			AddrNetwork: "tcp",
@ -1303,7 +1303,7 @@ type databaseAgentStartParams struct {
 func (p *databasePack) startRootDatabaseAgent(t *testing.T, params databaseAgentStartParams) (*service.TeleportProcess, *auth.Client) {
 	conf := service.MakeDefaultConfig()
 	conf.DataDir = t.TempDir()
-	conf.Token = "static-token-value"
+	conf.SetToken("static-token-value")
 	conf.DiagnosticAddr = *utils.MustParseAddr(helpers.NewListener(t, service.ListenerDiagnostic, &conf.FileDescriptors))
 	conf.AuthServers = []utils.NetAddr{
 		{
--- a/integration/ec2_test.go
+++ b/integration/ec2_test.go
@ -56,7 +56,7 @@ func newSilentLogger() utils.Logger {

 func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinMethod types.JoinMethod) *service.Config {
 	config := service.MakeDefaultConfig()
-	config.Token = tokenName
+	config.SetToken(tokenName)
 	config.JoinMethod = joinMethod
 	config.SSH.Enabled = true
 	config.SSH.Addr.Addr = helpers.NewListener(t, service.ListenerNodeSSH, &config.FileDescriptors)
@ -72,7 +72,7 @@ func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinM
 func newProxyConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinMethod types.JoinMethod) *service.Config {
 	config := service.MakeDefaultConfig()
 	config.Version = defaults.TeleportConfigVersionV2
-	config.Token = tokenName
+	config.SetToken(tokenName)
 	config.JoinMethod = joinMethod
 	config.SSH.Enabled = false
 	config.Auth.Enabled = false
--- a/integration/helpers/instance.go
+++ b/integration/helpers/instance.go
@ -620,7 +620,7 @@ func (i *TeleInstance) startNode(tconf *service.Config, authPort string) (*servi

 	authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))
 	tconf.AuthServers = append(tconf.AuthServers, *authServer)
-	tconf.Token = "token"
+	tconf.SetToken("token")
 	tconf.UploadEventsC = i.UploadEventsC
 	tconf.CachePolicy = service.CachePolicy{
 		Enabled: true,
@ -677,7 +677,7 @@ func (i *TeleInstance) StartApp(conf *service.Config) (*service.TeleportProcess,
 			Addr:        i.Web,
 		},
 	}
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.UploadEventsC = i.UploadEventsC
 	conf.Auth.Enabled = false
 	conf.Proxy.Enabled = false
@ -729,7 +729,7 @@ func (i *TeleInstance) StartApps(configs []*service.Config) ([]*service.Teleport
 					Addr:        i.Web,
 				},
 			}
-			cfg.Token = "token"
+			cfg.SetToken("token")
 			cfg.UploadEventsC = i.UploadEventsC
 			cfg.Auth.Enabled = false
 			cfg.Proxy.Enabled = false
@ -793,7 +793,7 @@ func (i *TeleInstance) StartDatabase(conf *service.Config) (*service.TeleportPro
 			Addr:        i.Web,
 		},
 	}
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.UploadEventsC = i.UploadEventsC
 	conf.Auth.Enabled = false
 	conf.Proxy.Enabled = false
@ -856,7 +856,7 @@ func (i *TeleInstance) StartKube(t *testing.T, conf *service.Config, clusterName
 			Addr:        i.Web,
 		},
 	}
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.UploadEventsC = i.UploadEventsC
 	conf.Auth.Enabled = false
 	conf.Proxy.Enabled = false
@ -904,7 +904,7 @@ func (i *TeleInstance) StartNodeAndProxy(t *testing.T, name string) (sshPort, we
 	tconf.Log = i.Log
 	authServer := utils.MustParseAddr(i.Auth)
 	tconf.AuthServers = append(tconf.AuthServers, *authServer)
-	tconf.Token = "token"
+	tconf.SetToken("token")
 	tconf.HostUUID = name
 	tconf.Hostname = name
 	tconf.UploadEventsC = i.UploadEventsC
@ -997,7 +997,7 @@ func (i *TeleInstance) StartProxy(cfg ProxyConfig) (reversetunnel.Server, error)
 	tconf.UploadEventsC = i.UploadEventsC
 	tconf.HostUUID = cfg.Name
 	tconf.Hostname = cfg.Name
-	tconf.Token = "token"
+	tconf.SetToken("token")

 	tconf.Auth.Enabled = false

--- a/integration/hsm/hsm_test.go
+++ b/integration/hsm/hsm_test.go
@ -278,7 +278,7 @@ func newProxyConfig(ctx context.Context, t *testing.T, authAddr utils.NetAddr, l

 	config := service.MakeDefaultConfig()
 	config.PollingPeriod = 1 * time.Second
-	config.Token = "foo"
+	config.SetToken("foo")
 	config.SSH.Enabled = false
 	config.Auth.Enabled = false
 	config.Proxy.Enabled = true
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@ -718,7 +718,7 @@ func (s *integrationTestSuite) newTeleportIoT(t *testing.T, logins []string) *he
 	nodeConfig := func() *service.Config {
 		tconf := s.defaultServiceConfig()
 		tconf.Hostname = Host
-		tconf.Token = "token"
+		tconf.SetToken("token")
 		tconf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -1088,7 +1088,7 @@ func testCustomReverseTunnel(t *testing.T, suite *integrationTestSuite) {
 	// Create a Teleport instance with a Node.
 	nodeConf := suite.defaultServiceConfig()
 	nodeConf.Hostname = Host
-	nodeConf.Token = "token"
+	nodeConf.SetToken("token")
 	nodeConf.Auth.Enabled = false
 	nodeConf.Proxy.Enabled = false
 	nodeConf.SSH.Enabled = true
@ -2742,7 +2742,7 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) {
 	nodeConfig := func() *service.Config {
 		tconf := suite.defaultServiceConfig()
 		tconf.Hostname = tunnelNodeHostname
-		tconf.Token = "token"
+		tconf.SetToken("token")
 		tconf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -3142,7 +3142,7 @@ func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) {
 	nodeConfig := func() *service.Config {
 		tconf := suite.defaultServiceConfig()
 		tconf.Hostname = "cluster-main-node"
-		tconf.Token = "token"
+		tconf.SetToken("token")
 		tconf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -3278,7 +3278,7 @@ func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) {
 	nodeConfig := func() *service.Config {
 		tconf := suite.defaultServiceConfig()
 		tconf.Hostname = "cluster-main-node"
-		tconf.Token = "token"
+		tconf.SetToken("token")
 		tconf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -6430,7 +6430,7 @@ func testListResourcesAcrossClusters(t *testing.T, suite *integrationTestSuite)
 			conf.Proxy.Enabled = false

 			conf.DataDir = t.TempDir()
-			conf.Token = "token"
+			conf.SetToken("token")
 			conf.UploadEventsC = i.UploadEventsC
 			conf.AuthServers = []utils.NetAddr{
 				*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))),
--- a/integration/proxy_helpers_test.go
+++ b/integration/proxy_helpers_test.go
@ -171,7 +171,7 @@ func (p *ProxySuite) addNodeToLeafCluster(t *testing.T, tunnelNodeHostname strin
 		tconf.Console = nil
 		tconf.Log = utils.NewLoggerForTests()
 		tconf.Hostname = tunnelNodeHostname
-		tconf.Token = "token"
+		tconf.SetToken("token")
 		tconf.AuthServers = []utils.NetAddr{
 			{
 				AddrNetwork: "tcp",
@ -499,7 +499,7 @@ func mustStartALPNLocalProxy(t *testing.T, addr string, protocol alpncommon.Prot
 func makeNodeConfig(nodeName, authAddr string) *service.Config {
 	nodeConfig := service.MakeDefaultConfig()
 	nodeConfig.Hostname = nodeName
-	nodeConfig.Token = "token"
+	nodeConfig.SetToken("token")
 	nodeConfig.AuthServers = []utils.NetAddr{
 		{
 			AddrNetwork: "tcp",
--- a/integration/proxy_tunnel_strategy_test.go
+++ b/integration/proxy_tunnel_strategy_test.go
@ -329,7 +329,7 @@ func (p *proxyTunnelStrategy) makeProxy(t *testing.T) {

 	conf := service.MakeDefaultConfig()
 	conf.AuthServers = append(conf.AuthServers, *authAddr)
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.DataDir = t.TempDir()

 	conf.Auth.Enabled = false
@ -373,7 +373,7 @@ func (p *proxyTunnelStrategy) makeNode(t *testing.T) {

 	conf := service.MakeDefaultConfig()
 	conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.DataDir = t.TempDir()

 	conf.Auth.Enabled = false
@ -409,7 +409,7 @@ func (p *proxyTunnelStrategy) makeDatabase(t *testing.T) {

 	conf := service.MakeDefaultConfig()
 	conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
-	conf.Token = "token"
+	conf.SetToken("token")
 	conf.DataDir = t.TempDir()

 	conf.Auth.Enabled = false
--- a/lib/client/api_login_test.go
+++ b/lib/client/api_login_test.go
@ -448,7 +448,7 @@ func newStandaloneTeleport(t *testing.T, clock clockwork.Clock) *standaloneBundl
 	cfg = service.MakeDefaultConfig()
 	cfg.DataDir = t.TempDir()
 	cfg.Hostname = "localhost"
-	cfg.Token = staticToken
+	cfg.SetToken(staticToken)
 	cfg.Clock = clock
 	cfg.Console = console
 	cfg.Log = logger
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@ -1955,9 +1955,9 @@ func Configure(clf *CommandLineFlags, cfg *service.Config) error {
 		cfg.PIDFile = clf.PIDFile
 	}

-	// apply --token flag:
-	if _, err := cfg.ApplyToken(clf.AuthToken); err != nil {
-		return trace.Wrap(err)
+	if clf.AuthToken != "" {
+		// store the value of the --token flag:
+		cfg.SetToken(clf.AuthToken)
 	}

 	// Apply flags used for the node to validate the Auth Server.
@ -2145,17 +2145,18 @@ func splitRoles(roles string) []string {
 func applyTokenConfig(fc *FileConfig, cfg *service.Config) error {
 	if fc.AuthToken != "" {
 		cfg.JoinMethod = types.JoinMethodToken
-		_, err := cfg.ApplyToken(fc.AuthToken)
-		return trace.Wrap(err)
+		cfg.SetToken(fc.AuthToken)
+
+		return nil
 	}
+
 	if fc.JoinParams != (JoinParams{}) {
-		if cfg.Token != "" {
+		if !cfg.HasToken() {
 			return trace.BadParameter("only one of auth_token or join_params should be set")
 		}
-		_, err := cfg.ApplyToken(fc.JoinParams.TokenName)
-		if err != nil {
-			return trace.Wrap(err)
-		}
+
+		cfg.SetToken(fc.JoinParams.TokenName)
+
 		switch fc.JoinParams.Method {
 		case types.JoinMethodEC2, types.JoinMethodIAM, types.JoinMethodToken:
 			cfg.JoinMethod = fc.JoinParams.Method
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
@ -664,7 +664,10 @@ func TestApplyConfig(t *testing.T) {
 	err = ApplyFileConfig(conf, cfg)
 	require.NoError(t, err)

-	require.Equal(t, "join-token", cfg.Token)
+	token, err := cfg.Token()
+	require.NoError(t, err)
+
+	require.Equal(t, "join-token", token)
 	require.Equal(t, types.ProvisionTokensFromV1([]types.ProvisionTokenV1{
 		{
 			Token:   "xxx",
--- a/lib/service/cfg.go
+++ b/lib/service/cfg.go
@ -87,9 +87,6 @@ type Config struct {
 	// Hostname is a node host name
 	Hostname string

-	// Token is used to register this Teleport instance with the auth server
-	Token string
-
 	// JoinMethod is the method the instance will use to join the auth server
 	JoinMethod types.JoinMethod

@ -262,25 +259,41 @@ type Config struct {

 	// CircuitBreakerConfig configures the auth client circuit breaker.
 	CircuitBreakerConfig breaker.Config
+
+	// token is either the token needed to join the auth server, or a path pointing to a file
+	// that contains the token
+	//
+	// This is private to avoid external packages reading the value - the value should be obtained
+	// using Token()
+	token string
 }

-// ApplyToken assigns a given token to all internal services but only if token
-// is not an empty string.
+// Token returns token needed to join the auth server
 //
-// returns:
-// true, nil if the token has been modified
-// false, nil if the token has not been modified
-// false, err if there was an error
-func (cfg *Config) ApplyToken(token string) (bool, error) {
-	if token != "" {
-		var err error
-		cfg.Token, err = utils.TryReadValueAsFile(token)
-		if err != nil {
-			return false, trace.Wrap(err)
-		}
-		return true, nil
+// If the value stored points to a file, it will attempt to read the token value from the file
+// and return an error if it wasn't successful
+// If the value stored doesn't point to a file, it'll return the value stored
+// If the token hasn't been set, an empty string will be returned
+func (cfg *Config) Token() (string, error) {
+	token, err := utils.TryReadValueAsFile(cfg.token)
+	if err != nil {
+		return "", trace.Wrap(err)
 	}
-	return false, nil
+
+	return token, nil
+}
+
+// SetToken stores the value for --token or auth_token in the config
+//
+// This can be either the token or an absolute path to a file containing the token.
+func (cfg *Config) SetToken(token string) {
+	cfg.token = token
+}
+
+// HasToken gives the ability to check if there has been a token value stored
+// in the config
+func (cfg *Config) HasToken() bool {
+	return cfg.token != ""
 }

 // ApplyCAPins assigns the given CA pin(s), filtering out empty pins.
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@ -571,7 +571,7 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
 		}
 	} else {
 		// Auth server is remote, so we need a provisioning token.
-		if process.Config.Token == "" {
+		if !process.Config.HasToken() {
 			return nil, trace.BadParameter("%v must join a cluster and needs a provisioning token", role)
 		}

@ -582,8 +582,13 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
 			return nil, trace.Wrap(err)
 		}

+		token, err := process.Config.Token()
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+
 		certs, err := auth.Register(auth.RegisterParams{
-			Token:                process.Config.Token,
+			Token:                token,
 			ID:                   id,
 			Servers:              process.Config.AuthServers,
 			AdditionalPrincipals: additionalPrincipals,
--- a/lib/service/service_test.go
+++ b/lib/service/service_test.go
@ -627,7 +627,7 @@ func TestTeleportProcessAuthVersionCheck(t *testing.T) {
 	nodeCfg := MakeDefaultConfig()
 	nodeCfg.AuthServers = []utils.NetAddr{listenAddr}
 	nodeCfg.DataDir = t.TempDir()
-	nodeCfg.Token = token
+	nodeCfg.SetToken(token)
 	nodeCfg.Auth.Enabled = false
 	nodeCfg.Proxy.Enabled = false
 	nodeCfg.SSH.Enabled = true
--- a/tool/teleport/common/teleport_test.go
+++ b/tool/teleport/common/teleport_test.go
@ -124,7 +124,10 @@ func TestTeleportMain(t *testing.T) {
 		require.False(t, conf.Proxy.Enabled)
 		require.Equal(t, log.DebugLevel, conf.Log.GetLevel())
 		require.Equal(t, "hvostongo.example.org", conf.Hostname)
-		require.Equal(t, "xxxyyy", conf.Token)
+
+		token, err := conf.Token()
+		require.NoError(t, err)
+		require.Equal(t, "xxxyyy", token)
 		require.Equal(t, "10.5.5.5", conf.AdvertiseIP)
 		require.Equal(t, map[string]string{"a": "a1", "b": "b1"}, conf.SSH.Labels)
 	})
--- a/tool/tsh/db_test.go
+++ b/tool/tsh/db_test.go
@ -312,7 +312,11 @@ func makeTestDatabaseServer(t *testing.T, auth *service.TeleportProcess, proxy *
 	require.NoError(t, err)

 	cfg.AuthServers = []utils.NetAddr{*proxyAddr}
-	cfg.Token = proxy.Config.Token
+
+	token, err := proxy.Config.Token()
+	require.NoError(t, err)
+
+	cfg.SetToken(token)
 	cfg.SSH.Enabled = false
 	cfg.Auth.Enabled = false
 	cfg.Databases.Enabled = true
--- a/tool/tsh/tsh_test.go
+++ b/tool/tsh/tsh_test.go
@ -1937,7 +1937,7 @@ func makeTestSSHNode(t *testing.T, authAddr *utils.NetAddr, opts ...testServerOp
 	cfg.DataDir = t.TempDir()

 	cfg.AuthServers = []utils.NetAddr{*authAddr}
-	cfg.Token = staticToken
+	cfg.SetToken(staticToken)
 	cfg.Auth.Enabled = false
 	cfg.Proxy.Enabled = false
 	cfg.SSH.Enabled = true
@ -2028,7 +2028,7 @@ func makeTestServers(t *testing.T, opts ...testServerOptFunc) (auth *service.Tel
 	cfg.DataDir = t.TempDir()

 	cfg.AuthServers = []utils.NetAddr{*authAddr}
-	cfg.Token = staticToken
+	cfg.SetToken(staticToken)
 	cfg.SSH.Enabled = false
 	cfg.Auth.Enabled = false
 	cfg.Proxy.Enabled = true