Use a getter/setter for reading the token value from the config (#14080)
This commit is contained in:
parent
42f399e573
commit
29175e57d3
|
@ -83,8 +83,9 @@ teleport:
|
|||
# PID file for Teleport process
|
||||
#pid_file: /var/run/teleport.pid
|
||||
|
||||
# Invitation token or file path containing token used to join a cluster. It
|
||||
# is not used on subsequent starts.
|
||||
# The invitation token or an absolute path to a file containing the token used
|
||||
# to join a cluster. It is not used on subsequent starts.
|
||||
# If using a file, it only needs to exist when teleport is first ran.
|
||||
#
|
||||
# File path example:
|
||||
# auth_token: /var/lib/teleport/tokenjoin
|
||||
|
|
|
@ -1501,7 +1501,7 @@ func (p *pack) startRootAppServers(t *testing.T, count int, extraApps []service.
|
|||
raConf.Console = nil
|
||||
raConf.Log = log
|
||||
raConf.DataDir = t.TempDir()
|
||||
raConf.Token = "static-token-value"
|
||||
raConf.SetToken("static-token-value")
|
||||
raConf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -1635,7 +1635,7 @@ func (p *pack) startLeafAppServers(t *testing.T, count int, extraApps []service.
|
|||
laConf.Console = nil
|
||||
laConf.Log = log
|
||||
laConf.DataDir = t.TempDir()
|
||||
laConf.Token = "static-token-value"
|
||||
laConf.SetToken("static-token-value")
|
||||
laConf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
|
|
@ -1103,7 +1103,7 @@ func setupDatabaseTest(t *testing.T, options ...testOptionFunc) *databasePack {
|
|||
}
|
||||
rdConf := service.MakeDefaultConfig()
|
||||
rdConf.DataDir = t.TempDir()
|
||||
rdConf.Token = "static-token-value"
|
||||
rdConf.SetToken("static-token-value")
|
||||
rdConf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -1141,7 +1141,7 @@ func setupDatabaseTest(t *testing.T, options ...testOptionFunc) *databasePack {
|
|||
}
|
||||
ldConf := service.MakeDefaultConfig()
|
||||
ldConf.DataDir = t.TempDir()
|
||||
ldConf.Token = "static-token-value"
|
||||
ldConf.SetToken("static-token-value")
|
||||
ldConf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -1303,7 +1303,7 @@ type databaseAgentStartParams struct {
|
|||
func (p *databasePack) startRootDatabaseAgent(t *testing.T, params databaseAgentStartParams) (*service.TeleportProcess, *auth.Client) {
|
||||
conf := service.MakeDefaultConfig()
|
||||
conf.DataDir = t.TempDir()
|
||||
conf.Token = "static-token-value"
|
||||
conf.SetToken("static-token-value")
|
||||
conf.DiagnosticAddr = *utils.MustParseAddr(helpers.NewListener(t, service.ListenerDiagnostic, &conf.FileDescriptors))
|
||||
conf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
|
|
|
@ -56,7 +56,7 @@ func newSilentLogger() utils.Logger {
|
|||
|
||||
func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinMethod types.JoinMethod) *service.Config {
|
||||
config := service.MakeDefaultConfig()
|
||||
config.Token = tokenName
|
||||
config.SetToken(tokenName)
|
||||
config.JoinMethod = joinMethod
|
||||
config.SSH.Enabled = true
|
||||
config.SSH.Addr.Addr = helpers.NewListener(t, service.ListenerNodeSSH, &config.FileDescriptors)
|
||||
|
@ -72,7 +72,7 @@ func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinM
|
|||
func newProxyConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinMethod types.JoinMethod) *service.Config {
|
||||
config := service.MakeDefaultConfig()
|
||||
config.Version = defaults.TeleportConfigVersionV2
|
||||
config.Token = tokenName
|
||||
config.SetToken(tokenName)
|
||||
config.JoinMethod = joinMethod
|
||||
config.SSH.Enabled = false
|
||||
config.Auth.Enabled = false
|
||||
|
|
|
@ -620,7 +620,7 @@ func (i *TeleInstance) startNode(tconf *service.Config, authPort string) (*servi
|
|||
|
||||
authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))
|
||||
tconf.AuthServers = append(tconf.AuthServers, *authServer)
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.UploadEventsC = i.UploadEventsC
|
||||
tconf.CachePolicy = service.CachePolicy{
|
||||
Enabled: true,
|
||||
|
@ -677,7 +677,7 @@ func (i *TeleInstance) StartApp(conf *service.Config) (*service.TeleportProcess,
|
|||
Addr: i.Web,
|
||||
},
|
||||
}
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.UploadEventsC = i.UploadEventsC
|
||||
conf.Auth.Enabled = false
|
||||
conf.Proxy.Enabled = false
|
||||
|
@ -729,7 +729,7 @@ func (i *TeleInstance) StartApps(configs []*service.Config) ([]*service.Teleport
|
|||
Addr: i.Web,
|
||||
},
|
||||
}
|
||||
cfg.Token = "token"
|
||||
cfg.SetToken("token")
|
||||
cfg.UploadEventsC = i.UploadEventsC
|
||||
cfg.Auth.Enabled = false
|
||||
cfg.Proxy.Enabled = false
|
||||
|
@ -793,7 +793,7 @@ func (i *TeleInstance) StartDatabase(conf *service.Config) (*service.TeleportPro
|
|||
Addr: i.Web,
|
||||
},
|
||||
}
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.UploadEventsC = i.UploadEventsC
|
||||
conf.Auth.Enabled = false
|
||||
conf.Proxy.Enabled = false
|
||||
|
@ -856,7 +856,7 @@ func (i *TeleInstance) StartKube(t *testing.T, conf *service.Config, clusterName
|
|||
Addr: i.Web,
|
||||
},
|
||||
}
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.UploadEventsC = i.UploadEventsC
|
||||
conf.Auth.Enabled = false
|
||||
conf.Proxy.Enabled = false
|
||||
|
@ -904,7 +904,7 @@ func (i *TeleInstance) StartNodeAndProxy(t *testing.T, name string) (sshPort, we
|
|||
tconf.Log = i.Log
|
||||
authServer := utils.MustParseAddr(i.Auth)
|
||||
tconf.AuthServers = append(tconf.AuthServers, *authServer)
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.HostUUID = name
|
||||
tconf.Hostname = name
|
||||
tconf.UploadEventsC = i.UploadEventsC
|
||||
|
@ -997,7 +997,7 @@ func (i *TeleInstance) StartProxy(cfg ProxyConfig) (reversetunnel.Server, error)
|
|||
tconf.UploadEventsC = i.UploadEventsC
|
||||
tconf.HostUUID = cfg.Name
|
||||
tconf.Hostname = cfg.Name
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
|
||||
tconf.Auth.Enabled = false
|
||||
|
||||
|
|
|
@ -278,7 +278,7 @@ func newProxyConfig(ctx context.Context, t *testing.T, authAddr utils.NetAddr, l
|
|||
|
||||
config := service.MakeDefaultConfig()
|
||||
config.PollingPeriod = 1 * time.Second
|
||||
config.Token = "foo"
|
||||
config.SetToken("foo")
|
||||
config.SSH.Enabled = false
|
||||
config.Auth.Enabled = false
|
||||
config.Proxy.Enabled = true
|
||||
|
|
|
@ -718,7 +718,7 @@ func (s *integrationTestSuite) newTeleportIoT(t *testing.T, logins []string) *he
|
|||
nodeConfig := func() *service.Config {
|
||||
tconf := s.defaultServiceConfig()
|
||||
tconf.Hostname = Host
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -1088,7 +1088,7 @@ func testCustomReverseTunnel(t *testing.T, suite *integrationTestSuite) {
|
|||
// Create a Teleport instance with a Node.
|
||||
nodeConf := suite.defaultServiceConfig()
|
||||
nodeConf.Hostname = Host
|
||||
nodeConf.Token = "token"
|
||||
nodeConf.SetToken("token")
|
||||
nodeConf.Auth.Enabled = false
|
||||
nodeConf.Proxy.Enabled = false
|
||||
nodeConf.SSH.Enabled = true
|
||||
|
@ -2742,7 +2742,7 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) {
|
|||
nodeConfig := func() *service.Config {
|
||||
tconf := suite.defaultServiceConfig()
|
||||
tconf.Hostname = tunnelNodeHostname
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -3142,7 +3142,7 @@ func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) {
|
|||
nodeConfig := func() *service.Config {
|
||||
tconf := suite.defaultServiceConfig()
|
||||
tconf.Hostname = "cluster-main-node"
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -3278,7 +3278,7 @@ func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) {
|
|||
nodeConfig := func() *service.Config {
|
||||
tconf := suite.defaultServiceConfig()
|
||||
tconf.Hostname = "cluster-main-node"
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -6430,7 +6430,7 @@ func testListResourcesAcrossClusters(t *testing.T, suite *integrationTestSuite)
|
|||
conf.Proxy.Enabled = false
|
||||
|
||||
conf.DataDir = t.TempDir()
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.UploadEventsC = i.UploadEventsC
|
||||
conf.AuthServers = []utils.NetAddr{
|
||||
*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))),
|
||||
|
|
|
@ -171,7 +171,7 @@ func (p *ProxySuite) addNodeToLeafCluster(t *testing.T, tunnelNodeHostname strin
|
|||
tconf.Console = nil
|
||||
tconf.Log = utils.NewLoggerForTests()
|
||||
tconf.Hostname = tunnelNodeHostname
|
||||
tconf.Token = "token"
|
||||
tconf.SetToken("token")
|
||||
tconf.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
@ -499,7 +499,7 @@ func mustStartALPNLocalProxy(t *testing.T, addr string, protocol alpncommon.Prot
|
|||
func makeNodeConfig(nodeName, authAddr string) *service.Config {
|
||||
nodeConfig := service.MakeDefaultConfig()
|
||||
nodeConfig.Hostname = nodeName
|
||||
nodeConfig.Token = "token"
|
||||
nodeConfig.SetToken("token")
|
||||
nodeConfig.AuthServers = []utils.NetAddr{
|
||||
{
|
||||
AddrNetwork: "tcp",
|
||||
|
|
|
@ -329,7 +329,7 @@ func (p *proxyTunnelStrategy) makeProxy(t *testing.T) {
|
|||
|
||||
conf := service.MakeDefaultConfig()
|
||||
conf.AuthServers = append(conf.AuthServers, *authAddr)
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.DataDir = t.TempDir()
|
||||
|
||||
conf.Auth.Enabled = false
|
||||
|
@ -373,7 +373,7 @@ func (p *proxyTunnelStrategy) makeNode(t *testing.T) {
|
|||
|
||||
conf := service.MakeDefaultConfig()
|
||||
conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.DataDir = t.TempDir()
|
||||
|
||||
conf.Auth.Enabled = false
|
||||
|
@ -409,7 +409,7 @@ func (p *proxyTunnelStrategy) makeDatabase(t *testing.T) {
|
|||
|
||||
conf := service.MakeDefaultConfig()
|
||||
conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
|
||||
conf.Token = "token"
|
||||
conf.SetToken("token")
|
||||
conf.DataDir = t.TempDir()
|
||||
|
||||
conf.Auth.Enabled = false
|
||||
|
|
|
@ -448,7 +448,7 @@ func newStandaloneTeleport(t *testing.T, clock clockwork.Clock) *standaloneBundl
|
|||
cfg = service.MakeDefaultConfig()
|
||||
cfg.DataDir = t.TempDir()
|
||||
cfg.Hostname = "localhost"
|
||||
cfg.Token = staticToken
|
||||
cfg.SetToken(staticToken)
|
||||
cfg.Clock = clock
|
||||
cfg.Console = console
|
||||
cfg.Log = logger
|
||||
|
|
|
@ -1955,9 +1955,9 @@ func Configure(clf *CommandLineFlags, cfg *service.Config) error {
|
|||
cfg.PIDFile = clf.PIDFile
|
||||
}
|
||||
|
||||
// apply --token flag:
|
||||
if _, err := cfg.ApplyToken(clf.AuthToken); err != nil {
|
||||
return trace.Wrap(err)
|
||||
if clf.AuthToken != "" {
|
||||
// store the value of the --token flag:
|
||||
cfg.SetToken(clf.AuthToken)
|
||||
}
|
||||
|
||||
// Apply flags used for the node to validate the Auth Server.
|
||||
|
@ -2145,17 +2145,18 @@ func splitRoles(roles string) []string {
|
|||
func applyTokenConfig(fc *FileConfig, cfg *service.Config) error {
|
||||
if fc.AuthToken != "" {
|
||||
cfg.JoinMethod = types.JoinMethodToken
|
||||
_, err := cfg.ApplyToken(fc.AuthToken)
|
||||
return trace.Wrap(err)
|
||||
cfg.SetToken(fc.AuthToken)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
if fc.JoinParams != (JoinParams{}) {
|
||||
if cfg.Token != "" {
|
||||
if !cfg.HasToken() {
|
||||
return trace.BadParameter("only one of auth_token or join_params should be set")
|
||||
}
|
||||
_, err := cfg.ApplyToken(fc.JoinParams.TokenName)
|
||||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
|
||||
cfg.SetToken(fc.JoinParams.TokenName)
|
||||
|
||||
switch fc.JoinParams.Method {
|
||||
case types.JoinMethodEC2, types.JoinMethodIAM, types.JoinMethodToken:
|
||||
cfg.JoinMethod = fc.JoinParams.Method
|
||||
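Review bot: The join_params guard `if !cfg.HasToken()` inverts the condition it replaces: the removed line raised the "only one of auth_token or join_params should be set" error when a token was already present (`cfg.Token != ""`), while the new line raises it when no token is present — which is the normal state on reaching this branch, since the `fc.AuthToken != ""` case above returns early and MakeDefaultConfig sets no token. Unless the rendered page dropped a character, a config using join_params without auth_token would now always be rejected, and the conflict the message describes would pass silently. The line should read `if cfg.HasToken() {`, and a test feeding a join_params-only FileConfig through applyTokenConfig would have caught the flip. The preceding hunk's `--token` handling also changes when a bad file path is detected (deferred from config parsing to `Token()` at join time), which is worth a sentence in the PR description. applyTokenConfig continues past the end of this hunk.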
|
|
|
@ -664,7 +664,10 @@ func TestApplyConfig(t *testing.T) {
|
|||
err = ApplyFileConfig(conf, cfg)
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Equal(t, "join-token", cfg.Token)
|
||||
token, err := cfg.Token()
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Equal(t, "join-token", token)
|
||||
require.Equal(t, types.ProvisionTokensFromV1([]types.ProvisionTokenV1{
|
||||
{
|
||||
Token: "xxx",
|
||||
|
|
|
@ -87,9 +87,6 @@ type Config struct {
|
|||
// Hostname is a node host name
|
||||
Hostname string
|
||||
|
||||
// Token is used to register this Teleport instance with the auth server
|
||||
Token string
|
||||
|
||||
// JoinMethod is the method the instance will use to join the auth server
|
||||
JoinMethod types.JoinMethod
|
||||
|
||||
|
@ -262,25 +259,41 @@ type Config struct {
|
|||
|
||||
// CircuitBreakerConfig configures the auth client circuit breaker.
|
||||
CircuitBreakerConfig breaker.Config
|
||||
|
||||
// token is either the token needed to join the auth server, or a path pointing to a file
|
||||
// that contains the token
|
||||
//
|
||||
// This is private to avoid external packages reading the value - the value should be obtained
|
||||
// using Token()
|
||||
token string
|
||||
}
|
||||
|
||||
// ApplyToken assigns a given token to all internal services but only if token
|
||||
// is not an empty string.
|
||||
// Token returns token needed to join the auth server
|
||||
//
|
||||
// returns:
|
||||
// true, nil if the token has been modified
|
||||
// false, nil if the token has not been modified
|
||||
// false, err if there was an error
|
||||
func (cfg *Config) ApplyToken(token string) (bool, error) {
|
||||
if token != "" {
|
||||
var err error
|
||||
cfg.Token, err = utils.TryReadValueAsFile(token)
|
||||
if err != nil {
|
||||
return false, trace.Wrap(err)
|
||||
}
|
||||
return true, nil
|
||||
// If the value stored points to a file, it will attempt to read the token value from the file
|
||||
// and return an error if it wasn't successful
|
||||
// If the value stored doesn't point to a file, it'll return the value stored
|
||||
// If the token hasn't been set, an empty string will be returned
|
||||
func (cfg *Config) Token() (string, error) {
|
||||
token, err := utils.TryReadValueAsFile(cfg.token)
|
||||
if err != nil {
|
||||
return "", trace.Wrap(err)
|
||||
}
|
||||
return false, nil
|
||||
|
||||
return token, nil
|
||||
}
|
||||
|
||||
// SetToken stores the value for --token or auth_token in the config
|
||||
//
|
||||
// This can be either the token or an absolute path to a file containing the token.
|
||||
func (cfg *Config) SetToken(token string) {
|
||||
cfg.token = token
|
||||
}
|
||||
|
||||
// HasToken gives the ability to check if there has been a token value stored
|
||||
// in the config
|
||||
func (cfg *Config) HasToken() bool {
|
||||
return cfg.token != ""
|
||||
}
|
||||
|
||||
// ApplyCAPins assigns the given CA pin(s), filtering out empty pins.
|
||||
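Review bot: The comment on the new unexported `token` field says it is private "to avoid external packages reading the value", but unexporting does not keep the secret out of logs: `fmt` verbs such as `%+v`/`%#v` and reflection-based dumpers still print unexported fields, so any `Printf("%+v", cfg)` of a `*service.Config` elsewhere would still emit the raw token or its path. Suggest tightening the comment to `// token is unexported so callers go through Token()/SetToken(); this does not stop fmt/reflection from printing it, so never log a Config with %+v.` Also, `Token()` runs `utils.TryReadValueAsFile` on every call, so when the value is a path the file is re-read each time and the returned value can differ between calls; if callers are expected to read once, say so in the doc comment. Minor style: the godoc for Token, SetToken and HasToken is missing terminating periods and the removed exported `ApplyToken` is an API break for any out-of-tree importer, which the description could call out.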
|
|
|
@ -571,7 +571,7 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
|
|||
}
|
||||
} else {
|
||||
// Auth server is remote, so we need a provisioning token.
|
||||
if process.Config.Token == "" {
|
||||
if !process.Config.HasToken() {
|
||||
return nil, trace.BadParameter("%v must join a cluster and needs a provisioning token", role)
|
||||
}
|
||||
|
||||
|
@ -582,8 +582,13 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
|
|||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
||||
token, err := process.Config.Token()
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
||||
certs, err := auth.Register(auth.RegisterParams{
|
||||
Token: process.Config.Token,
|
||||
Token: token,
|
||||
ID: id,
|
||||
Servers: process.Config.AuthServers,
|
||||
AdditionalPrincipals: additionalPrincipals,
|
||||
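Review bot: The new `token, err := process.Config.Token()` call returns a bare `trace.Wrap(err)`, so when auth_token is a path to a missing or unreadable file the operator gets a raw file-system error with no indication it came from the provisioning token; since `HasToken()` in the preceding hunk only checks for a non-empty string and file reading is now deferred out of config parsing, this is the first place a bad path surfaces. Suggest adding context, e.g. `return nil, trace.Wrap(err, "failed to read the provisioning token for %v", role)`, assuming trace.Wrap accepts a format message as used elsewhere in this codebase. firstTimeConnect begins before and ends after these hunks.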
|
|
|
@ -627,7 +627,7 @@ func TestTeleportProcessAuthVersionCheck(t *testing.T) {
|
|||
nodeCfg := MakeDefaultConfig()
|
||||
nodeCfg.AuthServers = []utils.NetAddr{listenAddr}
|
||||
nodeCfg.DataDir = t.TempDir()
|
||||
nodeCfg.Token = token
|
||||
nodeCfg.SetToken(token)
|
||||
nodeCfg.Auth.Enabled = false
|
||||
nodeCfg.Proxy.Enabled = false
|
||||
nodeCfg.SSH.Enabled = true
|
||||
|
|
|
@ -124,7 +124,10 @@ func TestTeleportMain(t *testing.T) {
|
|||
require.False(t, conf.Proxy.Enabled)
|
||||
require.Equal(t, log.DebugLevel, conf.Log.GetLevel())
|
||||
require.Equal(t, "hvostongo.example.org", conf.Hostname)
|
||||
require.Equal(t, "xxxyyy", conf.Token)
|
||||
|
||||
token, err := conf.Token()
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, "xxxyyy", token)
|
||||
require.Equal(t, "10.5.5.5", conf.AdvertiseIP)
|
||||
require.Equal(t, map[string]string{"a": "a1", "b": "b1"}, conf.SSH.Labels)
|
||||
})
|
||||
|
|
|
@ -312,7 +312,11 @@ func makeTestDatabaseServer(t *testing.T, auth *service.TeleportProcess, proxy *
|
|||
require.NoError(t, err)
|
||||
|
||||
cfg.AuthServers = []utils.NetAddr{*proxyAddr}
|
||||
cfg.Token = proxy.Config.Token
|
||||
|
||||
token, err := proxy.Config.Token()
|
||||
require.NoError(t, err)
|
||||
|
||||
cfg.SetToken(token)
|
||||
cfg.SSH.Enabled = false
|
||||
cfg.Auth.Enabled = false
|
||||
cfg.Databases.Enabled = true
|
||||
|
|
|
@ -1937,7 +1937,7 @@ func makeTestSSHNode(t *testing.T, authAddr *utils.NetAddr, opts ...testServerOp
|
|||
cfg.DataDir = t.TempDir()
|
||||
|
||||
cfg.AuthServers = []utils.NetAddr{*authAddr}
|
||||
cfg.Token = staticToken
|
||||
cfg.SetToken(staticToken)
|
||||
cfg.Auth.Enabled = false
|
||||
cfg.Proxy.Enabled = false
|
||||
cfg.SSH.Enabled = true
|
||||
|
@ -2028,7 +2028,7 @@ func makeTestServers(t *testing.T, opts ...testServerOptFunc) (auth *service.Tel
|
|||
cfg.DataDir = t.TempDir()
|
||||
|
||||
cfg.AuthServers = []utils.NetAddr{*authAddr}
|
||||
cfg.Token = staticToken
|
||||
cfg.SetToken(staticToken)
|
||||
cfg.SSH.Enabled = false
|
||||
cfg.Auth.Enabled = false
|
||||
cfg.Proxy.Enabled = true
|
||||
|
|