(3.2) Teach tsh login to configure docker/helm clients.

Gopkg.toml

@@ -181,3 +181,11 @@ ignored = ["github.com/Sirupsen/logrus"]
 [[constraint]]
   name = "github.com/Microsoft/go-winio"
   version = "=v0.4.9"
+
+[[constraint]]
+  name = "github.com/fatih/color"
+  version = "=v1.7.0"
+
+[[constraint]]
+  name = "github.com/cyphar/filepath-securejoin"
+  version = "=v0.2.2"

lib/client/api.go

@@ -48,6 +48,7 @@ import (
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/dir"
+	"github.com/gravitational/teleport/lib/client/extensions"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/services"
@@ -244,6 +245,16 @@ type Config struct {
 
 	// BindAddr is an optional host:port to bind to for SSO redirect flows
 	BindAddr string
+
+	// ServerFeatures lists additional features supported by the server.
+	//
+	// This field is populated based on the settings received from the server
+	// as a part of the ping response.
+	ServerFeatures []string
+
+	// Configurators configure additional services that may be optionally
+	// supported by a server such as Docker registry or Helm repository.
+	Configurators map[string]extensions.Configurator
 }
 
 // CachePolicy defines cache policy for local clients
@@ -771,6 +782,13 @@ func NewClient(c *Config) (tc *TeleportClient, err error) {
 		}
 	}
 
+	if len(tc.Configurators) == 0 {
+		tc.Configurators = map[string]extensions.Configurator{
+			FeatureDocker: extensions.NewDockerConfigurator(),
+			FeatureHelm:   extensions.NewHelmConfigurator(),
+		}
+	}
+
 	return tc, nil
 }
 
@@ -1657,6 +1675,30 @@ func (tc *TeleportClient) Login(ctx context.Context, activateKey bool) (*Key, er
 	return key, nil
 }
 
+// ConfigureFeatures configures additional features provided by the server.
+func (tc *TeleportClient) ConfigureFeatures() error {
+	if len(tc.ServerFeatures) == 0 {
+		return nil // Nothing to do.
+	}
+	log.Infof("Server supports additional features: %v.", tc.ServerFeatures)
+	profile, err := CurrentProfile(tc.KeysDir)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	config := profile.ToConfig(tc.KeysDir)
+	for _, feature := range tc.ServerFeatures {
+		configurator, ok := tc.Configurators[feature]
+		if !ok {
+			log.Debugf("No configurator for %q.", feature)
+		} else {
+			if err := configurator.Configure(config); err != nil {
+				return trace.Wrap(err)
+			}
+		}
+	}
+	return nil
+}
+
 // GetTrustedCA returns a list of host certificate authorities
 // trusted by the cluster client is authenticated with.
 func (tc *TeleportClient) GetTrustedCA(ctx context.Context, clusterName string) ([]services.CertAuthority, error) {
@@ -1765,6 +1807,13 @@ func (tc *TeleportClient) applyProxySettings(proxySettings ProxySettings) error
 		tc.SSHProxyAddr = net.JoinHostPort(addr.Host(), strconv.Itoa(addr.Port(defaults.SSHProxyListenPort)))
 	}
 
+	// If the server indicated that it provides additional services such as
+	// Docker registry or Helm chart repository, set appropriate settings
+	// so they can be configured upon login.
+	if len(proxySettings.Features) != 0 {
+		tc.ServerFeatures = proxySettings.Features
+	}
+
 	return nil
 }
 

lib/client/api_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2016 Gravitational, Inc.
+Copyright 2016-2019 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,8 +17,10 @@ limitations under the License.
 package client
 
 import (
+	"path/filepath"
 	"testing"
 
+	"github.com/gravitational/teleport/lib/client/extensions"
 	"github.com/gravitational/teleport/lib/utils"
 
 	"gopkg.in/check.v1"
@@ -87,6 +89,47 @@ func (s *APITestSuite) TestNew(c *check.C) {
 	c.Assert(la, check.NotNil)
 }
 
+// TestConfigureFeatures verifies that Teleport client invokes appropriate
+// configurators if server supports additional features.
+func (s *APITestSuite) TestConfigureFeatures(c *check.C) {
+	tmpDir := c.MkDir()
+	docker := &testConfigurator{}
+	helm := &testConfigurator{}
+	config := &Config{
+		KeysDir: tmpDir,
+		Configurators: map[string]extensions.Configurator{
+			FeatureDocker: docker,
+			FeatureHelm:   helm,
+		},
+	}
+	err := config.ParseProxyHost("proxy")
+	c.Assert(err, check.IsNil)
+
+	profile := ClientProfile{
+		WebProxyAddr: "example.com:3080",
+		Username:     "[email protected]",
+	}
+	err = profile.SaveTo("", filepath.Join(tmpDir, profile.Name()), ProfileMakeCurrent)
+	c.Assert(err, check.IsNil)
+
+	tc, err := NewClient(config)
+	c.Assert(err, check.IsNil)
+	c.Assert(tc, check.NotNil)
+
+	// Server does not provide Docker/Helm so nothing should be configured.
+	err = tc.ConfigureFeatures()
+	c.Assert(err, check.IsNil)
+	c.Assert(docker.configured, check.Equals, false)
+	c.Assert(helm.configured, check.Equals, false)
+
+	// Docker/Helm registries should be configured.
+	tc.ServerFeatures = []string{FeatureDocker, FeatureHelm}
+	err = tc.ConfigureFeatures()
+	c.Assert(err, check.IsNil)
+	c.Assert(docker.configured, check.Equals, true)
+	c.Assert(helm.configured, check.Equals, true)
+}
+
 func (s *APITestSuite) TestParseLabels(c *check.C) {
 	// simplest case:
 	m, err := ParseLabelSpec("key=value")
@@ -224,3 +267,25 @@ func (s *APITestSuite) TestDynamicPortsParsing(c *check.C) {
 		c.Assert(specs, check.DeepEquals, tt.output)
 	}
 }
+
+// testConfigurator is used in tests to test additional features configuration.
+type testConfigurator struct {
+	configured bool
+}
+
+// Configure marks the feature as configured.
+func (c *testConfigurator) Configure(_ extensions.Config) error {
+	c.configured = true
+	return nil
+}
+
+// Deconfigure marks the feature as not configured.
+func (c *testConfigurator) Deconfigure(_ extensions.Config) error {
+	c.configured = false
+	return nil
+}
+
+// String returns test configurator name.
+func (c *testConfigurator) String() string {
+	return "test"
+}

lib/client/extensions/configurator.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2019 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package extensions provides the Teleport client with additional functionality
+// such as the means for configuring access to extra services that may be supported
+// by a teleport cluster.
+//
+// For instance, in certain cases the cluster's proxy server may implement
+// Docker registry or Helm chart repository support, in which case Docker
+// and Helm clients will be configured with proper access credentials upon
+// successful tsh login.
+package extensions
+
+import (
+	"fmt"
+
+	"github.com/gravitational/trace"
+	"github.com/sirupsen/logrus"
+)
+
+var log = logrus.WithField(trace.Component, "client:ext")
+
+// Configurator defines an interface for configuring additional services
+// provided by a Teleport server such as a Docker registry or Helm chart
+// repository.
+type Configurator interface {
+	// Configure performs necessary service configuration.
+	Configure(Config) error
+	// Deconfigure removes configuration for the service.
+	Deconfigure(Config) error
+	// Stringer returns human-friendly description of the configurator.
+	fmt.Stringer
+}
+
+// Config represents a service configuration parameters.
+type Config struct {
+	// ProxyAddress is the address of web proxy that provides the service.
+	ProxyAddress string
+	// CertificatePath is the full path to the client certificate file.
+	CertificatePath string
+	// KeyPath is the full path to the client private key file.
+	KeyPath string
+}
+
+// NewDockerConfigurator returns a new instance of a Docker configurator.
+func NewDockerConfigurator() *dockerConfigurator {
+	return &dockerConfigurator{}
+}
+
+// NewHelmConfigurator returns a new instance of a Helm configurator.
+func NewHelmConfigurator() *helmConfigurator {
+	return &helmConfigurator{}
+}