Retrieve auth server features on register.proxy

- Use Ping (that responds with server features) instead of GetNamespace to test c/n - Set server features for web handler (to set it once on register.proxy)
gravitational · Apr 26, 2021 · 5d58a63 · 5d58a63
1 parent ab93862
commit 5d58a63
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 30 deletions.
diff --git a/lib/service/cfg.go b/lib/service/cfg.go
@@ -29,6 +29,7 @@ import (
 	"golang.org/x/crypto/ssh"
 	"k8s.io/apimachinery/pkg/util/validation"
 
+	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/lite"
@@ -204,6 +205,9 @@ type Config struct {
 
 	// PluginRegistry allows adding enterprise logic to Teleport services
 	PluginRegistry plugin.Registry
+
+	// AuthServerFeatures contain flags for supported and unsupported features.
+	AuthServerFeatures proto.Features
 }
 
 // ApplyToken assigns a given token to all internal services but only if token

diff --git a/lib/service/cfg_test.go b/lib/service/cfg_test.go
@@ -20,6 +20,7 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/lib/backend/lite"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/fixtures"
@@ -40,6 +41,17 @@ func (s *ConfigSuite) TestDefaultConfig(c *check.C) {
 	config := MakeDefaultConfig()
 	c.Assert(config, check.NotNil)
 
+	c.Assert(config.AuthServerFeatures, check.DeepEquals, proto.Features{
+		Kubernetes:              false,
+		App:                     false,
+		DB:                      false,
+		OIDC:                    false,
+		SAML:                    false,
+		AccessControls:          false,
+		AdvancedAccessWorkflows: false,
+		Cloud:                   false,
+	})
+
 	// all 3 services should be enabled by default
 	c.Assert(config.Auth.Enabled, check.Equals, true)
 	c.Assert(config.SSH.Enabled, check.Equals, true)

diff --git a/lib/service/connect.go b/lib/service/connect.go
@@ -17,6 +17,7 @@ limitations under the License.
 package service
 
 import (
+	"context"
 	"crypto/tls"
 	"net"
 	"path/filepath"
@@ -55,8 +56,9 @@ func (process *TeleportProcess) reconnectToAuthService(role teleport.Role) (*Con
 			// if connected and client is present, make sure the connector's
 			// client works, by using call that should succeed at all times
 			if connector.Client != nil {
-				_, err = connector.Client.GetNamespace(defaults.Namespace)
+				pingResponse, err := connector.Client.Ping(context.TODO())
 				if err == nil {
+					process.Config.AuthServerFeatures = *pingResponse.GetServerFeatures()
 					return connector, nil
 				}
 				process.log.Debugf("Connected client %v failed to execute test call: %v. Node or proxy credentials are out of sync.", role, err)

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -2528,23 +2528,25 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 				return trace.Wrap(err)
 			}
 		}
+
 		webHandler, err = web.NewHandler(
 			web.Config{
-				Proxy:          tsrv,
-				AuthServers:    cfg.AuthServers[0],
-				DomainName:     cfg.Hostname,
-				ProxyClient:    conn.Client,
-				ProxySSHAddr:   proxySSHAddr,
-				ProxyWebAddr:   cfg.Proxy.WebAddr,
-				ProxySettings:  proxySettings,
-				CipherSuites:   cfg.CipherSuites,
-				FIPS:           cfg.FIPS,
-				AccessPoint:    accessPoint,
-				Emitter:        streamEmitter,
-				PluginRegistry: process.PluginRegistry,
-				HostUUID:       process.Config.HostUUID,
-				Context:        process.ExitContext(),
-				StaticFS:       fs,
+				Proxy:              tsrv,
+				AuthServers:        cfg.AuthServers[0],
+				DomainName:         cfg.Hostname,
+				ProxyClient:        conn.Client,
+				ProxySSHAddr:       proxySSHAddr,
+				ProxyWebAddr:       cfg.Proxy.WebAddr,
+				ProxySettings:      proxySettings,
+				CipherSuites:       cfg.CipherSuites,
+				FIPS:               cfg.FIPS,
+				AccessPoint:        accessPoint,
+				Emitter:            streamEmitter,
+				PluginRegistry:     process.PluginRegistry,
+				HostUUID:           process.Config.HostUUID,
+				Context:            process.ExitContext(),
+				StaticFS:           fs,
+				AuthServerFeatures: process.Config.AuthServerFeatures,
 			})
 		if err != nil {
 			return trace.Wrap(err)

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -36,6 +36,7 @@ import (
 	"time"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/client/webclient"
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/types"
@@ -84,6 +85,9 @@ type Handler struct {
 	// sshPort specifies the SSH proxy port extracted
 	// from configuration
 	sshPort string
+
+	// authServerFeatures contain flags for supported and unsupported features.
+	authServerFeatures proto.Features
 }
 
 // HandlerOption is a functional argument - an option that can be passed
@@ -157,6 +161,9 @@ type Config struct {
 	// in the cache before getting purged after it has expired.
 	// Defaults to cachedSessionLingeringThreshold if unspecified.
 	cachedSessionLingeringThreshold *time.Duration
+
+	// AuthServerFeatures contains flags for supported/unsupported features.
+	AuthServerFeatures proto.Features
 }
 
 type RewritingHandler struct {
@@ -197,9 +204,10 @@ func (h *RewritingHandler) Close() error {
 func NewHandler(cfg Config, opts ...HandlerOption) (*RewritingHandler, error) {
 	const apiPrefix = "/" + teleport.WebAPIVersion
 	h := &Handler{
-		cfg:   cfg,
-		log:   newPackageLogger(),
-		clock: clockwork.NewRealClock(),
+		cfg:                cfg,
+		log:                newPackageLogger(),
+		clock:              clockwork.NewRealClock(),
+		authServerFeatures: cfg.AuthServerFeatures,
 	}
 
 	for _, o := range opts {
@@ -498,12 +506,9 @@ func (h *Handler) getUserContext(w http.ResponseWriter, r *http.Request, p httpr
 		return nil, trace.Wrap(err)
 	}
 
-	pingResponse, err := clt.Ping(r.Context())
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
+	fmt.Println("--------------------- >>>> : ", h.authServerFeatures)
 
-	userContext, err := ui.NewUserContext(user, roleset, pingResponse.GetServerFeatures())
+	userContext, err := ui.NewUserContext(user, roleset, h.authServerFeatures)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
@@ -167,7 +167,7 @@ func getAccessStrategy(roleset services.RoleSet) accessStrategy {
 }
 
 // NewUserContext returns user context
-func NewUserContext(user services.User, userRoles services.RoleSet, features *proto.Features) (*UserContext, error) {
+func NewUserContext(user services.User, userRoles services.RoleSet, features proto.Features) (*UserContext, error) {
 	ctx := &services.Context{User: user}
 	sessionAccess := newAccess(userRoles, ctx, services.KindSession)
 	roleAccess := newAccess(userRoles, ctx, services.KindRole)
@@ -181,7 +181,7 @@ func NewUserContext(user services.User, userRoles services.RoleSet, features *pr
 	requestAccess := newAccess(userRoles, ctx, services.KindAccessRequest)
 
 	var billingAccess access
-	if features != nil && features.Cloud {
+	if features.Cloud {
 		billingAccess = newAccess(userRoles, ctx, services.KindBilling)
 	}
 

diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
@@ -59,7 +59,7 @@ func (s *UserContextSuite) TestNewUserContext(c *check.C) {
 	role2.SetLogins(services.Allow, []string{"d"})
 
 	roleSet := []services.Role{role1, role2}
-	userContext, err := NewUserContext(user, roleSet, nil)
+	userContext, err := NewUserContext(user, roleSet, proto.Features{})
 	c.Assert(err, check.IsNil)
 
 	allowed := access{true, true, true, true, true}
@@ -89,12 +89,11 @@ func (s *UserContextSuite) TestNewUserContext(c *check.C) {
 
 	// test sso auth type
 	user.Spec.GithubIdentities = []services.ExternalIdentity{{ConnectorID: "foo", Username: "bar"}}
-	userContext, err = NewUserContext(user, roleSet, &proto.Features{Cloud: false})
+	userContext, err = NewUserContext(user, roleSet, proto.Features{})
 	c.Assert(err, check.IsNil)
 	c.Assert(userContext.AuthType, check.Equals, authSSO)
-	c.Assert(userContext.ACL.Billing, check.DeepEquals, denied)
 
-	userContext, err = NewUserContext(user, roleSet, &proto.Features{Cloud: true})
+	userContext, err = NewUserContext(user, roleSet, proto.Features{Cloud: true})
 	c.Assert(err, check.IsNil)
 	c.Assert(userContext.ACL.Billing, check.DeepEquals, access{true, true, false, false, false})
 }