self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-21 17:53:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Address review comments, batch 1

Browse source
This commit is contained in:
Andrew Lytvynov 2021-08-17 11:10:46 -07:00
parent ab062428b1
commit e9351457ba
10 changed files with 156 additions and 307 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
api/types/desktop.go
View file

@ -33,10 +33,12 @@ type WindowsDesktopService interface {
var _ WindowsDesktopService = &WindowsDesktopServiceV3{}
// NewWindowsDesktopServiceV3 creates a new WindowsDesktopServiceV3 resource.
func NewWindowsDesktopServiceV3(meta Metadata, spec WindowsDesktopServiceSpecV3) (*WindowsDesktopServiceV3, error) {
func NewWindowsDesktopServiceV3(name string, spec WindowsDesktopServiceSpecV3) (*WindowsDesktopServiceV3, error) {
s := &WindowsDesktopServiceV3{
ResourceHeader: ResourceHeader{
Metadata: meta,
Metadata: Metadata{
Name: name,
},
},
Spec: spec,
}
@ -53,16 +55,17 @@ func (s *WindowsDesktopServiceV3) setStaticFields() {
// CheckAndSetDefaults checks and sets default values for any missing fields.
func (s *WindowsDesktopServiceV3) CheckAndSetDefaults() error {
s.setStaticFields()
if err := s.ResourceHeader.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
if s.Spec.Addr == "" {
return trace.BadParameter("WindowsDesktopServiceV3.Spec missing Addr field")
}
if s.Spec.TeleportVersion == "" {
return trace.BadParameter("WindowsDesktopServiceV3.Spec missing TeleportVersion field")
}
s.setStaticFields()
if err := s.ResourceHeader.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
return nil
}
@ -87,10 +90,13 @@ type WindowsDesktop interface {
var _ WindowsDesktop = &WindowsDesktopV3{}
// NewWindowsDesktopV3 creates a new WindowsDesktopV3 resource.
func NewWindowsDesktopV3(meta Metadata, spec WindowsDesktopSpecV3) (*WindowsDesktopV3, error) {
func NewWindowsDesktopV3(name string, labels map[string]string, spec WindowsDesktopSpecV3) (*WindowsDesktopV3, error) {
d := &WindowsDesktopV3{
ResourceHeader: ResourceHeader{
Metadata: meta,
Metadata: Metadata{
Name: name,
Labels: labels,
},
},
Spec: spec,
}
@ -107,13 +113,14 @@ func (d *WindowsDesktopV3) setStaticFields() {
// CheckAndSetDefaults checks and sets default values for any missing fields.
func (d *WindowsDesktopV3) CheckAndSetDefaults() error {
if d.Spec.Addr == "" {
return trace.BadParameter("WindowsDesktopV3.Spec missing Addr field")
}
d.setStaticFields()
if err := d.ResourceHeader.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
if d.Spec.Addr == "" {
return trace.BadParameter("WindowsDesktopV3.Spec missing Addr field")
}
return nil
}

3
lib/auth/api.go
View file

@ -166,6 +166,9 @@ type ReadAccessPoint interface {
// GetWindowsDesktops returns windows desktop hosts.
GetWindowsDesktops(ctx context.Context) ([]types.WindowsDesktop, error)
// GetWindowsDesktops returns windows desktop hosts.
GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error)
}
// AccessPoint is an API interface implemented by a certificate authority (CA)

2
lib/auth/auth.go
View file

@ -125,7 +125,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
cfg.Streamer = events.NewDiscardEmitter()
}
if cfg.WindowsDesktops == nil {
cfg.WindowsDesktops = local.NewWindowsDesktopsService(cfg.Backend)
cfg.WindowsDesktops = local.NewWindowsDesktopService(cfg.Backend)
}
limiter, err := limiter.NewConnectionsLimiter(limiter.Config{

377
lib/auth/auth_with_roles.go
View file

@ -58,12 +58,20 @@ func (a *ServerWithRoles) CloseContext() context.Context {
return a.authServer.closeCtx
}
func (a *ServerWithRoles) actionWithContext(ctx *services.Context, namespace string, resource string, action string) error {
return a.context.Checker.CheckAccessToRule(ctx, namespace, resource, action, false)
func (a *ServerWithRoles) actionWithContext(ctx *services.Context, namespace, resource string, verbs ...string) error {
if len(verbs) == 0 {
return trace.BadParameter("no verbs provided for authorization check on resource %q", resource)
}
var errs []error
for _, verb := range verbs {
errs = append(errs, a.context.Checker.CheckAccessToRule(ctx, namespace, resource, verb, false))
}
return trace.NewAggregate(errs...)
}
type actionConfig struct {
quiet bool
quiet bool
context Context
}
type actionOption func(*actionConfig)
@ -74,12 +82,27 @@ func quietAction(quiet bool) actionOption {
}
}
func (a *ServerWithRoles) action(namespace string, resource string, action string, opts ...actionOption) error {
var cfg actionConfig
func (a *ServerWithRoles) withOptions(opts ...actionOption) actionConfig {
cfg := actionConfig{context: a.context}
for _, opt := range opts {
opt(&cfg)
}
return a.context.Checker.CheckAccessToRule(&services.Context{User: a.context.User}, namespace, resource, action, cfg.quiet)
return cfg
}
func (c actionConfig) action(namespace, resource string, verbs ...string) error {
if len(verbs) == 0 {
return trace.BadParameter("no verbs provided for authorization check on resource %q", resource)
}
var errs []error
for _, verb := range verbs {
errs = append(errs, c.context.Checker.CheckAccessToRule(&services.Context{User: c.context.User}, namespace, resource, verb, c.quiet))
}
return trace.NewAggregate(errs...)
}
func (a *ServerWithRoles) action(namespace, resource string, verbs ...string) error {
return a.withOptions().action(namespace, resource, verbs...)
}
// currentUserAction is a special checker that allows certain actions for users
@ -219,10 +242,7 @@ func (a *ServerWithRoles) RotateCertAuthority(req RotateRequest) error {
if err := req.CheckAndSetDefaults(a.authServer.clock); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.RotateCertAuthority(req)
@ -248,10 +268,7 @@ func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error {
return trace.BadParameter("missing certificate authority")
}
ctx := &services.Context{User: a.context.User, Resource: ca}
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
if err := a.actionWithContext(ctx, apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertCertAuthority(ca)
@ -260,20 +277,14 @@ func (a *ServerWithRoles) UpsertCertAuthority(ca types.CertAuthority) error {
// CompareAndSwapCertAuthority updates existing cert authority if the existing cert authority
// value matches the value stored in the backend.
func (a *ServerWithRoles) CompareAndSwapCertAuthority(new, existing types.CertAuthority) error {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.CompareAndSwapCertAuthority(new, existing)
}
func (a *ServerWithRoles) GetCertAuthorities(caType types.CertAuthType, loadKeys bool, opts ...services.MarshalOption) ([]types.CertAuthority, error) {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbReadNoSecrets); err != nil {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbList, types.VerbReadNoSecrets); err != nil {
return nil, trace.Wrap(err)
}
if loadKeys {
@ -313,10 +324,7 @@ func (a *ServerWithRoles) GetClusterCACert() (*LocalCAResponse, error) {
}
func (a *ServerWithRoles) UpsertLocalClusterName(clusterName string) error {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertLocalClusterName(clusterName)
@ -381,20 +389,14 @@ func (a *ServerWithRoles) GenerateServerKeys(req GenerateServerKeysRequest) (*Pa
// UpsertNodes bulk upserts nodes into the backend.
func (a *ServerWithRoles) UpsertNodes(namespace string, servers []types.Server) error {
if err := a.action(namespace, types.KindNode, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(namespace, types.KindNode, types.VerbUpdate); err != nil {
if err := a.action(namespace, types.KindNode, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertNodes(namespace, servers)
}
func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*types.KeepAlive, error) {
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbUpdate); err != nil {
if err := a.action(s.GetNamespace(), types.KindNode, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.UpsertNode(ctx, s)
@ -487,14 +489,12 @@ func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (ty
// complicated logic.
switch kind.Kind {
case types.KindCertAuthority:
verb := types.VerbReadNoSecrets
if kind.LoadSecrets {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
} else {
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, types.VerbReadNoSecrets); err != nil {
return nil, trace.Wrap(err)
}
verb = types.VerbRead
}
if err := a.action(apidefaults.Namespace, types.KindCertAuthority, verb); err != nil {
return nil, trace.Wrap(err)
}
case types.KindAccessRequest:
var filter types.AccessRequestFilter
@ -705,20 +705,14 @@ func (a *ServerWithRoles) filterAndListNodes(ctx context.Context, namespace stri
}
func (a *ServerWithRoles) UpsertAuthServer(s types.Server) error {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertAuthServer(s)
}
func (a *ServerWithRoles) GetAuthServers() ([]types.Server, error) {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindAuthServer, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetAuthServers()
@ -741,20 +735,14 @@ func (a *ServerWithRoles) DeleteAuthServer(name string) error {
}
func (a *ServerWithRoles) UpsertProxy(s types.Server) error {
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertProxy(s)
}
func (a *ServerWithRoles) GetProxies() ([]types.Server, error) {
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindProxy, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetProxies()
@ -777,10 +765,7 @@ func (a *ServerWithRoles) DeleteProxy(name string) error {
}
func (a *ServerWithRoles) UpsertReverseTunnel(r types.ReverseTunnel) error {
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertReverseTunnel(r)
@ -794,10 +779,7 @@ func (a *ServerWithRoles) GetReverseTunnel(name string, opts ...services.Marshal
}
func (a *ServerWithRoles) GetReverseTunnels(opts ...services.MarshalOption) ([]types.ReverseTunnel, error) {
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindReverseTunnel, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetReverseTunnels(opts...)
@ -818,10 +800,7 @@ func (a *ServerWithRoles) DeleteToken(ctx context.Context, token string) error {
}
func (a *ServerWithRoles) GetTokens(ctx context.Context, opts ...services.MarshalOption) ([]types.ProvisionToken, error) {
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetTokens(ctx, opts...)
@ -835,10 +814,7 @@ func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.Pro
}
func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.ProvisionToken) error {
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertToken(ctx, token)
@ -1038,7 +1014,7 @@ type webTokensWithRoles struct {
}
type accessChecker interface {
action(namespace, resource, action string, opts ...actionOption) error
action(namespace, resource string, verbs ...string) error
currentUserAction(user string) error
}
@ -1049,8 +1025,8 @@ func (a *ServerWithRoles) GetAccessRequests(ctx context.Context, filter types.Ac
}
// users with read + list permissions can get all requests
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList, quietAction(true)) == nil {
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead, quietAction(true)) == nil {
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList) == nil {
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead) == nil {
return a.authServer.GetAccessRequests(ctx, filter)
}
}
@ -1162,10 +1138,7 @@ func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.A
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
}
@ -1179,12 +1152,12 @@ func (a *ServerWithRoles) GetPluginData(ctx context.Context, filter types.Plugin
case types.KindAccessRequest:
// for backwards compatibility, we allow list/read against access requests to also grant list/read for
// access request related plugin data.
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList, quietAction(true)) != nil {
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbList) != nil {
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
}
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead, quietAction(true)) != nil {
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbRead) != nil {
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
@ -1201,7 +1174,7 @@ func (a *ServerWithRoles) UpdatePluginData(ctx context.Context, params types.Plu
case types.KindAccessRequest:
// for backwards compatibility, we allow update against access requests to also grant update for
// access request related plugin data.
if a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbUpdate, quietAction(true)) != nil {
if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbUpdate) != nil {
if err := a.action(apidefaults.Namespace, types.KindAccessPluginData, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
@ -1279,10 +1252,7 @@ func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error) {
return nil, trace.AccessDenied("this request can be only executed by an admin")
}
} else {
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
}
@ -1623,10 +1593,7 @@ func (a *ServerWithRoles) UpdateUser(ctx context.Context, user types.User) error
}
func (a *ServerWithRoles) UpsertUser(u types.User) error {
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindUser, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
@ -1905,10 +1872,7 @@ func (a *ServerWithRoles) EmitAuditEvent(ctx context.Context, event apievents.Au
// CreateAuditStream creates audit event stream
func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID) (apievents.Stream, error) {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
role, ok := a.context.Identity.(BuiltinRole)
@ -1928,10 +1892,7 @@ func (a *ServerWithRoles) CreateAuditStream(ctx context.Context, sid session.ID)
// ResumeAuditStream resumes the stream that has been created
func (a *ServerWithRoles) ResumeAuditStream(ctx context.Context, sid session.ID, uploadID string) (apievents.Stream, error) {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
role, ok := a.context.Identity.(BuiltinRole)
@ -1994,20 +1955,14 @@ func (s *streamWithRoles) EmitAuditEvent(ctx context.Context, event apievents.Au
}
func (a *ServerWithRoles) EmitAuditEventLegacy(event events.Event, fields events.EventFields) error {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.alog.EmitAuditEventLegacy(event, fields)
}
func (a *ServerWithRoles) PostSessionSlice(slice events.SessionSlice) error {
if err := a.action(slice.Namespace, types.KindEvent, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(slice.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
if err := a.action(slice.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.alog.PostSessionSlice(slice)
@ -2017,10 +1972,7 @@ func (a *ServerWithRoles) UploadSessionRecording(r events.SessionRecording) erro
if err := r.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
if err := a.action(r.Namespace, types.KindEvent, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(r.Namespace, types.KindEvent, types.VerbUpdate); err != nil {
if err := a.action(r.Namespace, types.KindEvent, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.alog.UploadSessionRecording(r)
@ -2044,10 +1996,7 @@ func (a *ServerWithRoles) GetSessionEvents(namespace string, sid session.ID, aft
// GetNamespaces returns a list of namespaces
func (a *ServerWithRoles) GetNamespaces() ([]types.Namespace, error) {
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetNamespaces()
@ -2063,10 +2012,7 @@ func (a *ServerWithRoles) GetNamespace(name string) (*types.Namespace, error) {
// UpsertNamespace upserts namespace
func (a *ServerWithRoles) UpsertNamespace(ns types.Namespace) error {
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindNamespace, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertNamespace(ns)
@ -2082,10 +2028,7 @@ func (a *ServerWithRoles) DeleteNamespace(name string) error {
// GetRoles returns a list of roles
func (a *ServerWithRoles) GetRoles(ctx context.Context) ([]types.Role, error) {
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetRoles(ctx)
@ -2098,10 +2041,7 @@ func (a *ServerWithRoles) CreateRole(role types.Role) error {
// UpsertRole creates or updates role.
func (a *ServerWithRoles) UpsertRole(ctx context.Context, role types.Role) error {
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindRole, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
@ -2198,10 +2138,7 @@ func (a *ServerWithRoles) DeleteStaticTokens() error {
// SetClusterConfig sets cluster level configuration.
func (a *ServerWithRoles) SetClusterConfig(c types.ClusterConfig) error {
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindClusterConfig, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetClusterConfig(c)
@ -2217,10 +2154,7 @@ func (a *ServerWithRoles) GetClusterName(opts ...services.MarshalOption) (types.
// SetClusterName sets the name of the cluster. SetClusterName can only be called once.
func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error {
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetClusterName(c)
@ -2228,10 +2162,7 @@ func (a *ServerWithRoles) SetClusterName(c types.ClusterName) error {
// UpsertClusterName sets the name of the cluster.
func (a *ServerWithRoles) UpsertClusterName(c types.ClusterName) error {
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindClusterName, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertClusterName(c)
@ -2247,10 +2178,7 @@ func (a *ServerWithRoles) GetStaticTokens() (types.StaticTokens, error) {
// SetStaticTokens sets the list of static tokens used to provision nodes.
func (a *ServerWithRoles) SetStaticTokens(s types.StaticTokens) error {
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindStaticTokens, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetStaticTokens(s)
@ -2272,10 +2200,8 @@ func (a *ServerWithRoles) SetAuthPreference(ctx context.Context, newAuthPref typ
return trace.Wrap(err)
}
for _, verb := range verbsToReplaceResourceWithOrigin(storedAuthPref) {
if err := a.action(apidefaults.Namespace, types.KindClusterAuthPreference, verb); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindClusterAuthPreference, verbsToReplaceResourceWithOrigin(storedAuthPref)...); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetAuthPreference(ctx, newAuthPref)
@ -2336,10 +2262,8 @@ func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNet
return trace.Wrap(err)
}
for _, verb := range verbsToReplaceResourceWithOrigin(storedNetConfig) {
if err := a.action(apidefaults.Namespace, types.KindClusterNetworkingConfig, verb); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindClusterNetworkingConfig, verbsToReplaceResourceWithOrigin(storedNetConfig)...); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetClusterNetworkingConfig(ctx, newNetConfig)
@ -2382,10 +2306,8 @@ func (a *ServerWithRoles) SetSessionRecordingConfig(ctx context.Context, newRecC
return trace.Wrap(err)
}
for _, verb := range verbsToReplaceResourceWithOrigin(storedRecConfig) {
if err := a.action(apidefaults.Namespace, types.KindSessionRecordingConfig, verb); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindSessionRecordingConfig, verbsToReplaceResourceWithOrigin(storedRecConfig)...); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetSessionRecordingConfig(ctx, newRecConfig)
@ -2444,10 +2366,7 @@ func (a *ServerWithRoles) DeleteAllUsers() error {
}
func (a *ServerWithRoles) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error) {
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
@ -2464,10 +2383,7 @@ func (a *ServerWithRoles) GetTrustedCluster(ctx context.Context, name string) (t
// UpsertTrustedCluster creates or updates a trusted cluster.
func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error) {
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindTrustedCluster, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
@ -2489,10 +2405,7 @@ func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string)
}
func (a *ServerWithRoles) UpsertTunnelConnection(conn types.TunnelConnection) error {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertTunnelConnection(conn)
@ -2520,20 +2433,14 @@ func (a *ServerWithRoles) DeleteTunnelConnection(clusterName string, connName st
}
func (a *ServerWithRoles) DeleteTunnelConnections(clusterName string) error {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteTunnelConnections(clusterName)
}
func (a *ServerWithRoles) DeleteAllTunnelConnections() error {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindTunnelConnection, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteAllTunnelConnections()
@ -2601,10 +2508,7 @@ func (a *ServerWithRoles) DeleteRemoteCluster(clusterName string) error {
}
func (a *ServerWithRoles) DeleteAllRemoteClusters() error {
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindRemoteCluster, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteAllRemoteClusters()
@ -2612,10 +2516,7 @@ func (a *ServerWithRoles) DeleteAllRemoteClusters() error {
// AcquireSemaphore acquires lease with requested resources from semaphore.
func (a *ServerWithRoles) AcquireSemaphore(ctx context.Context, params types.AcquireSemaphoreRequest) (*types.SemaphoreLease, error) {
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.AcquireSemaphore(ctx, params)
@ -2639,10 +2540,7 @@ func (a *ServerWithRoles) CancelSemaphoreLease(ctx context.Context, lease types.
// GetSemaphores returns a list of all semaphores matching the supplied filter.
func (a *ServerWithRoles) GetSemaphores(ctx context.Context, filter types.SemaphoreFilter) ([]types.Semaphore, error) {
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbReadNoSecrets); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbList); err != nil {
if err := a.action(apidefaults.Namespace, types.KindSemaphore, types.VerbReadNoSecrets, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetSemaphores(ctx, filter)
@ -2668,10 +2566,7 @@ func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error)
// GetDatabaseServers returns all registered database servers.
func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.DatabaseServer, error) {
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(namespace, types.KindDatabaseServer, types.VerbRead); err != nil {
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
servers, err := a.authServer.GetDatabaseServers(ctx, namespace, opts...)
@ -2696,10 +2591,7 @@ func (a *ServerWithRoles) GetDatabaseServers(ctx context.Context, namespace stri
// UpsertDatabaseServer creates or updates a new database proxy server.
func (a *ServerWithRoles) UpsertDatabaseServer(ctx context.Context, server types.DatabaseServer) (*types.KeepAlive, error) {
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbUpdate); err != nil {
if err := a.action(server.GetNamespace(), types.KindDatabaseServer, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.UpsertDatabaseServer(ctx, server)
@ -2715,10 +2607,7 @@ func (a *ServerWithRoles) DeleteDatabaseServer(ctx context.Context, namespace, h
// DeleteAllDatabaseServers removes all registered database proxy servers.
func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespace string) error {
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(namespace, types.KindDatabaseServer, types.VerbDelete); err != nil {
if err := a.action(namespace, types.KindDatabaseServer, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteAllDatabaseServers(ctx, namespace)
@ -2781,10 +2670,7 @@ func (a *ServerWithRoles) canImpersonateBuiltinRole(role types.SystemRole) error
// GetAppServers gets all application servers.
func (a *ServerWithRoles) GetAppServers(ctx context.Context, namespace string, opts ...services.MarshalOption) ([]types.Server, error) {
if err := a.action(namespace, types.KindAppServer, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(namespace, types.KindAppServer, types.VerbRead); err != nil {
if err := a.action(namespace, types.KindAppServer, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
@ -2819,10 +2705,7 @@ func (a *ServerWithRoles) GetAppServers(ctx context.Context, namespace string, o
// UpsertAppServer adds an application server.
func (a *ServerWithRoles) UpsertAppServer(ctx context.Context, server types.Server) (*types.KeepAlive, error) {
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbUpdate); err != nil {
if err := a.action(server.GetNamespace(), types.KindAppServer, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
@ -2843,10 +2726,7 @@ func (a *ServerWithRoles) DeleteAppServer(ctx context.Context, namespace string,
// DeleteAllAppServers removes all application servers.
func (a *ServerWithRoles) DeleteAllAppServers(ctx context.Context, namespace string) error {
if err := a.action(namespace, types.KindAppServer, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(namespace, types.KindAppServer, types.VerbDelete); err != nil {
if err := a.action(namespace, types.KindAppServer, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
@ -2873,10 +2753,7 @@ func (a *ServerWithRoles) GetAppSession(ctx context.Context, req types.GetAppSes
// GetAppSessions gets all application web sessions.
func (a *ServerWithRoles) GetAppSessions(ctx context.Context) ([]types.WebSession, error) {
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
@ -2926,10 +2803,7 @@ func (a *ServerWithRoles) DeleteAppSession(ctx context.Context, req types.Delete
// DeleteAllAppSessions removes all application web sessions.
func (a *ServerWithRoles) DeleteAllAppSessions(ctx context.Context) error {
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWebSession, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
@ -2963,10 +2837,7 @@ func (a *ServerWithRoles) WaitForDelivery(context.Context) error {
// UpsertKubeService creates or updates a Server representing a teleport
// kubernetes service.
func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server) error {
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
@ -2995,10 +2866,7 @@ func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s types.Server)
// GetKubeServices returns all Servers representing teleport kubernetes
// services.
func (a *ServerWithRoles) GetKubeServices(ctx context.Context) ([]types.Server, error) {
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
servers, err := a.authServer.GetKubeServices(ctx)
@ -3054,10 +2922,7 @@ func (a *ServerWithRoles) GetNetworkRestrictions(ctx context.Context) (types.Net
// SetNetworkRestrictions updates the network restrictions.
func (a *ServerWithRoles) SetNetworkRestrictions(ctx context.Context, nr types.NetworkRestrictions) error {
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindNetworkRestrictions, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.SetNetworkRestrictions(ctx, nr)
@ -3146,10 +3011,7 @@ func (a *ServerWithRoles) GetLock(ctx context.Context, name string) (types.Lock,
// GetLocks gets all/in-force locks that match at least one of the targets when specified.
func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error) {
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.GetLocks(ctx, inForceOnly, targets...)
@ -3157,10 +3019,7 @@ func (a *ServerWithRoles) GetLocks(ctx context.Context, inForceOnly bool, target
// UpsertLock upserts a lock.
func (a *ServerWithRoles) UpsertLock(ctx context.Context, lock types.Lock) error {
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindLock, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertLock(ctx, lock)
@ -3259,10 +3118,7 @@ func (a *ServerWithRoles) GetDatabase(ctx context.Context, name string) (types.D
// GetDatabases returns all database resources.
func (a *ServerWithRoles) GetDatabases(ctx context.Context) (result []types.Database, err error) {
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
// Filter out databases user doesn't have access to.
@ -3296,10 +3152,7 @@ func (a *ServerWithRoles) DeleteDatabase(ctx context.Context, name string) error
// DeleteAllDatabases removes all database resources.
func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error {
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindDatabase, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
// Make sure to only delete databases user has access to.
@ -3319,10 +3172,7 @@ func (a *ServerWithRoles) DeleteAllDatabases(ctx context.Context) error {
// GetWindowsDesktopServices returns all registered windows desktop services.
func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]types.WindowsDesktopService, error) {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
services, err := a.authServer.GetWindowsDesktopServices(ctx)
@ -3334,10 +3184,7 @@ func (a *ServerWithRoles) GetWindowsDesktopServices(ctx context.Context) ([]type
// UpsertWindowsDesktopService creates or updates a new windows desktop service.
func (a *ServerWithRoles) UpsertWindowsDesktopService(ctx context.Context, s types.WindowsDesktopService) (*types.KeepAlive, error) {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
return a.authServer.UpsertWindowsDesktopService(ctx, s)
@ -3353,10 +3200,7 @@ func (a *ServerWithRoles) DeleteWindowsDesktopService(ctx context.Context, name
// DeleteAllWindowsDesktopServices removes all registered windows desktop services.
func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) error {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteAllWindowsDesktopServices(ctx)
@ -3364,10 +3208,7 @@ func (a *ServerWithRoles) DeleteAllWindowsDesktopServices(ctx context.Context) e
// GetWindowsDesktops returns all registered windows desktop hosts.
func (a *ServerWithRoles) GetWindowsDesktops(ctx context.Context) ([]types.WindowsDesktop, error) {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList); err != nil {
return nil, trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbRead); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList, types.VerbRead); err != nil {
return nil, trace.Wrap(err)
}
hosts, err := a.authServer.GetWindowsDesktops(ctx)
@ -3391,10 +3232,7 @@ func (a *ServerWithRoles) GetWindowsDesktop(ctx context.Context, name string) (t
// UpsertWindowsDesktop creates or updates a new windows desktop host.
func (a *ServerWithRoles) UpsertWindowsDesktop(ctx context.Context, s types.WindowsDesktop) error {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbUpdate); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbCreate, types.VerbUpdate); err != nil {
return trace.Wrap(err)
}
return a.authServer.UpsertWindowsDesktop(ctx, s)
@ -3410,10 +3248,7 @@ func (a *ServerWithRoles) DeleteWindowsDesktop(ctx context.Context, name string)
// DeleteAllWindowsDesktops removes all registered windows desktop hosts.
func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList); err != nil {
return trace.Wrap(err)
}
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbDelete); err != nil {
if err := a.action(apidefaults.Namespace, types.KindWindowsDesktop, types.VerbList, types.VerbDelete); err != nil {
return trace.Wrap(err)
}
return a.authServer.DeleteAllWindowsDesktops(ctx)

11
lib/auth/grpcserver.go
View file

@ -3077,7 +3077,7 @@ func (g *GRPCServer) DeleteWindowsDesktopService(ctx context.Context, req *proto
}
// DeleteAllWindowsDesktopServices removes all registered Windows desktop services.
func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, req *empty.Empty) (*empty.Empty, error) {
func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
auth, err := g.authenticate(ctx)
if err != nil {
return nil, trace.Wrap(err)
@ -3090,7 +3090,7 @@ func (g *GRPCServer) DeleteAllWindowsDesktopServices(ctx context.Context, req *e
}
// GetWindowsDesktops returns all registered Windows desktop hosts.
func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, req *empty.Empty) (*proto.GetWindowsDesktopsResponse, error) {
func (g *GRPCServer) GetWindowsDesktops(ctx context.Context, _ *empty.Empty) (*proto.GetWindowsDesktopsResponse, error) {
auth, err := g.authenticate(ctx)
if err != nil {
return nil, trace.Wrap(err)
@ -3135,8 +3135,11 @@ func (g *GRPCServer) UpsertWindowsDesktop(ctx context.Context, desktop *types.Wi
if err != nil {
return nil, trace.Wrap(err)
}
if err := auth.UpsertWindowsDesktop(ctx, desktop); err != nil {
return nil, trace.Wrap(err)
}
return &empty.Empty{}, trace.Wrap(auth.UpsertWindowsDesktop(ctx, desktop))
return &empty.Empty{}, nil
}
// DeleteWindowsDesktop removes the specified Windows desktop host.
@ -3153,7 +3156,7 @@ func (g *GRPCServer) DeleteWindowsDesktop(ctx context.Context, req *proto.Delete
}
// DeleteAllWindowsDesktops removes all registered Windows desktop hosts.
func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, req *empty.Empty) (*empty.Empty, error) {
func (g *GRPCServer) DeleteAllWindowsDesktops(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
auth, err := g.authenticate(ctx)
if err != nil {
return nil, trace.Wrap(err)

2
lib/cache/cache.go vendored
View file

@ -630,7 +630,7 @@ func New(config Config) (*Cache, error) {
appSessionCache: local.NewIdentityService(wrapper),
webSessionCache: local.NewIdentityService(wrapper).WebSessions(),
webTokenCache: local.NewIdentityService(wrapper).WebTokens(),
windowsDesktopsCache: local.NewWindowsDesktopsService(wrapper),
windowsDesktopsCache: local.NewWindowsDesktopService(wrapper),
eventsFanout: services.NewFanout(),
Entry: log.WithFields(log.Fields{
trace.Component: config.Component,

2
lib/cache/cache_test.go vendored
View file

@ -168,7 +168,7 @@ func newPackWithoutCache(dir string, ssetupConfig SetupConfigFn) (*testPack, err
p.webSessionS = local.NewIdentityService(p.backend).WebSessions()
p.webTokenS = local.NewIdentityService(p.backend).WebTokens()
p.restrictions = local.NewRestrictionsService(p.backend)
p.windowsDesktops = local.NewWindowsDesktopsService(p.backend)
p.windowsDesktops = local.NewWindowsDesktopService(p.backend)
return p, nil
}

4
lib/service/desktop.go
View file

@ -57,7 +57,7 @@ func (process *TeleportProcess) initWindowsDesktopService() {
return trace.BadParameter("unsupported connector type: %T", event.Payload)
}
err := process.initWindowsDesktopServieRegistered(log, conn)
err := process.initWindowsDesktopServiceRegistered(log, conn)
if err != nil {
warnOnErr(conn.Close(), log)
return trace.Wrap(err)
@ -66,7 +66,7 @@ func (process *TeleportProcess) initWindowsDesktopService() {
})
}
func (process *TeleportProcess) initWindowsDesktopServieRegistered(log *logrus.Entry, conn *Connector) (retErr error) {
func (process *TeleportProcess) initWindowsDesktopServiceRegistered(log *logrus.Entry, conn *Connector) (retErr error) {
defer func() {
if err := process.closeImportedDescriptors(teleport.ComponentWindowsDesktop); err != nil {
log.WithError(err).Warn("Failed closing imported file descriptors.")

4
lib/services/local/desktops.go
View file

@ -31,8 +31,8 @@ type WindowsDesktopService struct {
backend.Backend
}
// NewWindowsDesktopsService creates a new WindowsDesktopsService.
func NewWindowsDesktopsService(backend backend.Backend) *WindowsDesktopService {
// NewWindowsDesktopService creates a new WindowsDesktopsService.
func NewWindowsDesktopService(backend backend.Backend) *WindowsDesktopService {
return &WindowsDesktopService{Backend: backend}
}

29
lib/srv/desktop/windows_server.go
View file

@ -82,7 +82,7 @@ type HeartbeatConfig struct {
StaticHosts []utils.NetAddr
}
func (cfg WindowsServiceConfig) CheckAndSetDefaults() error {
func (cfg *WindowsServiceConfig) CheckAndSetDefaults() error {
if cfg.Log == nil {
cfg.Log = logrus.New().WithField(trace.Component, teleport.ComponentWindowsDesktop)
}
@ -104,7 +104,7 @@ func (cfg WindowsServiceConfig) CheckAndSetDefaults() error {
return nil
}
func (cfg HeartbeatConfig) CheckAndSetDefaults() error {
func (cfg *HeartbeatConfig) CheckAndSetDefaults() error {
if cfg.HostUUID == "" {
return trace.BadParameter("HeartbeatConfig is missing HostUUID")
}
@ -213,7 +213,7 @@ func (s *WindowsService) Close() error {
return nil
}
// Serve starts serving TLS connections fro plainLis. plainLis should be a TCP
// Serve starts serving TLS connections for plainLis. plainLis should be a TCP
// listener and Serve will handle TLS internally.
func (s *WindowsService) Serve(plainLis net.Listener) error {
lis := tls.NewListener(plainLis, s.cfg.TLS)
@ -272,12 +272,12 @@ func (s *WindowsService) handleConnection(con net.Conn) {
}
func (s *WindowsService) getServiceHeartbeatInfo() (types.Resource, error) {
srv, err := types.NewWindowsDesktopServiceV3(types.Metadata{
Name: s.cfg.Heartbeat.HostUUID,
}, types.WindowsDesktopServiceSpecV3{
Addr: s.cfg.Heartbeat.PublicAddr,
TeleportVersion: teleport.Version,
})
srv, err := types.NewWindowsDesktopServiceV3(
s.cfg.Heartbeat.HostUUID,
types.WindowsDesktopServiceSpecV3{
Addr: s.cfg.Heartbeat.PublicAddr,
TeleportVersion: teleport.Version,
})
if err != nil {
return nil, trace.Wrap(err)
}
@ -292,11 +292,12 @@ func (s *WindowsService) getHostHeartbeatInfo(netAddr utils.NetAddr) func() (typ
if err != nil {
return nil, trace.Wrap(err)
}
desktop, err := types.NewWindowsDesktopV3(types.Metadata{
Name: name,
}, types.WindowsDesktopSpecV3{
Addr: addr,
})
desktop, err := types.NewWindowsDesktopV3(
name,
nil, // TODO(awly): set RBAC labels.
types.WindowsDesktopSpecV3{
Addr: addr,
})
if err != nil {
return nil, trace.Wrap(err)
}