[v9] Fix file descriptor leaks in tbot (#13386)

* Fix file descriptor leaks in `tbot` This fixes two file descriptor leaks in `tbot`, caused by a failure to close the previous socket connected to the auth server after renewing an identity. * Remove unnecessary `defer` from socket close
gravitational · Jun 14, 2022 · 9468154 · 9468154
1 parent f490ba2
commit 9468154
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/tbot/renew.go b/lib/tbot/renew.go
@@ -305,6 +305,8 @@ func (b *Bot) generateImpersonatedIdentity(
 			return nil, trace.Wrap(err)
 		}
 
+		defer impClient.Close()
+
 		route, err := b.getRouteToDatabase(ctx, impClient, destCfg.Database)
 		if err != nil {
 			return nil, trace.Wrap(err)
@@ -463,9 +465,9 @@ func (b *Bot) renew(
 		return trace.Wrap(err, "unable to communicate with auth server")
 	}
 
-	b.log.Debug("Auth client now using renewed credentials.")
 	b.setClient(newClient)
 	b.setIdent(newIdentity)
+	b.log.Debug("Auth client now using renewed credentials.")
 
 	// Now that we're sure the new creds work, persist them.
 	if err := identity.SaveIdentity(newIdentity, botDestination, identity.BotKinds()...); err != nil {

diff --git a/lib/tbot/tbot.go b/lib/tbot/tbot.go
@@ -68,6 +68,11 @@ func (b *Bot) setClient(client auth.ClientI) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
+	// Make sure the previous client is closed.
+	if b._client != nil {
+		_ = b._client.Close()
+	}
+
 	b._client = client
 }