Fix discrepancies between Node and Proxy recording modes.

integration/integration_test.go

@@ -149,8 +149,8 @@ func TestIntegrations(t *testing.T) {
 	t.Run("BPFSessionDifferentiation", suite.bind(testBPFSessionDifferentiation))
 	t.Run("ClientIdleConnection", suite.bind(testClientIdleConnection))
 	t.Run("CmdLabels", suite.bind(testCmdLabels))
+	t.Run("CreateAndUpdateTrustedClusters", suite.bind(testCreateAndUpdateTrustedClusters))
 	t.Run("ControlMaster", suite.bind(testControlMaster))
-	t.Run("X11Forwarding", suite.bind(testX11Forwarding))
 	t.Run("CustomReverseTunnel", suite.bind(testCustomReverseTunnel))
 	t.Run("DataTransfer", suite.bind(testDataTransfer))
 	t.Run("DifferentPinnedIP", suite.bind(testDifferentPinnedIP))
@@ -183,6 +183,7 @@ func TestIntegrations(t *testing.T) {
 	t.Run("PAM", suite.bind(testPAM))
 	t.Run("PortForwarding", suite.bind(testPortForwarding))
 	t.Run("ProxyHostKeyCheck", suite.bind(testProxyHostKeyCheck))
+	t.Run("RecordingModesSessionTrackers", suite.bind(testRecordingModesSessionTrackers))
 	t.Run("ReverseTunnelCollapse", suite.bind(testReverseTunnelCollapse))
 	t.Run("RotateRollback", suite.bind(testRotateRollback))
 	t.Run("RotateSuccess", suite.bind(testRotateSuccess))
@@ -199,12 +200,12 @@ func TestIntegrations(t *testing.T) {
 	t.Run("TrustedClustersRoleMapChanges", suite.bind(testTrustedClustersRoleMapChanges))
 	t.Run("TrustedClustersWithLabels", suite.bind(testTrustedClustersWithLabels))
 	t.Run("TrustedClustersSkipNameValidation", suite.bind(testTrustedClustersSkipNameValidation))
-	t.Run("CreateAndUpdateTrustedClusters", suite.bind(testCreateAndUpdateTrustedClusters))
 	t.Run("TrustedTunnelNode", suite.bind(testTrustedTunnelNode))
 	t.Run("TwoClustersProxy", suite.bind(testTwoClustersProxy))
 	t.Run("TwoClustersTunnel", suite.bind(testTwoClustersTunnel))
 	t.Run("UUIDBasedProxy", suite.bind(testUUIDBasedProxy))
 	t.Run("WindowChange", suite.bind(testWindowChange))
+	t.Run("X11Forwarding", suite.bind(testX11Forwarding))
 }
 
 // testDifferentPinnedIP tests connection is rejected when source IP doesn't match the pinned one
@@ -1038,6 +1039,83 @@ func testSessionRecordingModes(t *testing.T, suite *integrationTestSuite) {
 	}
 }
 
+func testRecordingModesSessionTrackers(t *testing.T, suite *integrationTestSuite) {
+	ctx := t.Context()
+
+	cfg := suite.defaultServiceConfig()
+	cfg.Auth.Enabled = true
+	cfg.Proxy.DisableWebService = true
+	cfg.Proxy.DisableWebInterface = true
+	cfg.Proxy.Enabled = true
+	cfg.SSH.Enabled = true
+
+	teleport := suite.NewTeleportWithConfig(t, nil, nil, cfg)
+	defer teleport.StopAll()
+
+	// startSession starts an interactive session, users must terminate the
+	// session by typing "exit" in the terminal.
+	startSession := func(username string) (*Terminal, chan error) {
+		term := NewTerminal(250)
+		errCh := make(chan error)
+
+		go func() {
+			cl, err := teleport.NewClient(helpers.ClientConfig{
+				Login:   username,
+				Cluster: helpers.Site,
+				Host:    Host,
+			})
+			if err != nil {
+				errCh <- trace.Wrap(err)
+				return
+			}
+			cl.Stdout = term
+			cl.Stdin = term
+
+			ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+			defer cancel()
+			errCh <- cl.SSH(ctx, nil)
+		}()
+
+		return term, errCh
+	}
+
+	err := teleport.WaitForNodeCount(ctx, helpers.Site, 1)
+	require.NoError(t, err)
+
+	auth := teleport.Process.GetAuthServer()
+	for _, mode := range []string{types.RecordAtNode, types.RecordAtProxy} {
+		t.Run(mode, func(t *testing.T) {
+			rc := types.DefaultSessionRecordingConfig()
+			rc.SetMode(mode)
+
+			_, err := auth.UpsertSessionRecordingConfig(ctx, rc)
+			require.NoError(t, err)
+
+			// Start session.
+			term, errCh := startSession(suite.Me.Username)
+
+			// Validate that the session tracker exists and contains
+			// the correct target address.
+			var sessionID string
+			require.EventuallyWithT(t, func(t *assert.CollectT) {
+				trackers, err := auth.GetActiveSessionTrackers(ctx)
+				require.NoError(t, err)
+				require.Len(t, trackers, 1)
+				require.Equal(t, helpers.HostID, trackers[0].GetAddress())
+				sessionID = trackers[0].GetSessionID()
+			}, 30*time.Second, 100*time.Millisecond)
+
+			// Wait for the session to terminate without error.
+			term.Type("exit\n\r")
+			require.NoError(t, waitForError(errCh, 30*time.Second))
+
+			// Manually clean up the tracker for the session to prevent
+			// it leaking into the next test case.
+			require.NoError(t, auth.RemoveSessionTracker(ctx, sessionID))
+		})
+	}
+}
+
 func testLeafProxySessionRecording(t *testing.T, suite *integrationTestSuite) {
 	tests := []struct {
 		rootRecordingMode string

lib/reversetunnel/leaf_cluster.go

@@ -913,13 +913,10 @@ func (s *leafCluster) dialAndForward(params reversetunnelclient.DialParams) (_ n
 		Address:                  params.Address,
 		UseTunnel:                UseTunnel(s.logger, targetConn),
 		FIPS:                     s.srv.FIPS,
-		HostUUID:                 s.srv.ID,
+		ProxyUUID:                s.srv.ID,
 		Emitter:                  s.srv.Config.Emitter,
 		ParentContext:            s.srv.Context,
 		LockWatcher:              s.srv.LockWatcher,
-		TargetID:                 params.ServerID,
-		TargetAddr:               params.To.String(),
-		TargetHostname:           params.Address,
 		TargetServer:             params.TargetServer,
 		Clock:                    s.clock,
 		EICESigner:               s.srv.EICESigner,

lib/reversetunnel/local_cluster.go

@@ -468,13 +468,10 @@ func (s *localCluster) dialAndForward(params reversetunnelclient.DialParams) (_
 		DataDir:                  s.srv.Config.DataDir,
 		Address:                  params.Address,
 		UseTunnel:                useTunnel,
-		HostUUID:                 s.srv.ID,
+		ProxyUUID:                s.srv.ID,
 		Emitter:                  s.srv.Config.Emitter,
 		ParentContext:            s.srv.Context,
 		LockWatcher:              s.srv.LockWatcher,
-		TargetID:                 params.ServerID,
-		TargetAddr:               params.To.String(),
-		TargetHostname:           params.Address,
 		TargetServer:             params.TargetServer,
 		Clock:                    s.clock,
 		EICESigner:               s.srv.EICESigner,

lib/srv/authhandlers.go

@@ -689,7 +689,7 @@ func (h *AuthHandlers) hostKeyCallback(hostname string, remote net.Addr, key ssh
 	ctx := h.c.Server.Context()
 
 	// For SubKindOpenSSHEICENode we use SSH Keys (EC2 does not support Certificates in ec2.SendSSHPublicKey).
-	if h.c.Server.TargetMetadata().ServerSubKind == types.SubKindOpenSSHEICENode {
+	if h.c.Server.GetInfo().GetSubKind() == types.SubKindOpenSSHEICENode {
 		return nil
 	}
 

lib/srv/ctx.go

@@ -156,6 +156,7 @@ type Server interface {
 	GetClock() clockwork.Clock
 
 	// GetInfo returns a services.Server that represents this server.
+	// In the case of the Proxy forwarder, this is the node target.
 	GetInfo() types.Server
 
 	// UseTunnel used to determine if this node has connected to this cluster
@@ -190,8 +191,8 @@ type Server interface {
 	// support or not.
 	GetSELinuxEnabled() bool
 
-	// TargetMetadata returns metadata about the session target node.
-	TargetMetadata() apievents.ServerMetadata
+	// EventMetadata returns [events.ServerMetadata] for this server.
+	EventMetadata() apievents.ServerMetadata
 }
 
 // IdentityContext holds all identity information associated with the user
@@ -484,7 +485,7 @@ func NewServerContext(ctx context.Context, parent *sshutils.ConnectionContext, s
 		clientIdleTimeout:      clientIdleTimeout,
 		cancelContext:          cancelContext,
 		cancel:                 cancel,
-		ServerSubKind:          srv.TargetMetadata().ServerSubKind,
+		ServerSubKind:          srv.GetInfo().GetSubKind(),
 	}
 
 	child.Logger = slog.With(
@@ -902,7 +903,7 @@ func (c *ServerContext) reportStats(conn utils.Stater) {
 			Type:  events.SessionDataEvent,
 			Code:  events.SessionDataCode,
 		},
-		ServerMetadata:  c.srv.TargetMetadata(),
+		ServerMetadata:  c.srv.EventMetadata(),
 		SessionMetadata: c.GetSessionMetadata(),
 		UserMetadata:    c.Identity.GetUserMetadata(),
 		ConnectionMetadata: apievents.ConnectionMetadata{

lib/srv/exec.go

@@ -264,7 +264,7 @@ func (e *localExec) transformSecureCopy() error {
 				Time: time.Now(),
 			},
 			UserMetadata:   e.Ctx.Identity.GetUserMetadata(),
-			ServerMetadata: e.Ctx.GetServer().TargetMetadata(),
+			ServerMetadata: e.Ctx.GetServer().EventMetadata(),
 			Error:          err.Error(),
 		})
 		return trace.Wrap(err)
@@ -369,7 +369,7 @@ func (e *remoteExec) Start(ctx context.Context, ch ssh.Channel) (*ExecResult, er
 				Time: time.Now(),
 			},
 			UserMetadata:   e.ctx.Identity.GetUserMetadata(),
-			ServerMetadata: e.ctx.GetServer().TargetMetadata(),
+			ServerMetadata: e.ctx.GetServer().EventMetadata(),
 			Error:          err.Error(),
 		})
 		return nil, trace.Wrap(err)
@@ -435,7 +435,7 @@ func (e *remoteExec) PID() int {
 // instead of ctx.srv.
 func emitExecAuditEvent(ctx *ServerContext, cmd string, execErr error) {
 	// Create common fields for event.
-	serverMeta := ctx.GetServer().TargetMetadata()
+	serverMeta := ctx.GetServer().EventMetadata()
 	sessionMeta := ctx.GetSessionMetadata()
 	userMeta := ctx.Identity.GetUserMetadata()
 

lib/srv/exec_test.go

@@ -64,8 +64,6 @@ func TestEmitExecAuditEvent(t *testing.T) {
 	rec, ok := scx.session.recorder.(*mockRecorder)
 	require.True(t, ok)
 
-	scx.GetServer().TargetMetadata()
-
 	expectedUsr, err := user.Current()
 	require.NoError(t, err)
 	expectedHostname := "testHost"

lib/srv/forward/sftp.go

@@ -94,7 +94,7 @@ func (p *SFTPProxy) Serve() error {
 			Code: events.SFTPSummaryCode,
 			Time: time.Now(),
 		},
-		ServerMetadata:  scx.GetServer().TargetMetadata(),
+		ServerMetadata:  scx.GetServer().EventMetadata(),
 		SessionMetadata: scx.GetSessionMetadata(),
 		UserMetadata:    scx.Identity.GetUserMetadata(),
 		ConnectionMetadata: apievents.ConnectionMetadata{
@@ -224,7 +224,7 @@ func (h *proxyHandlers) sendSFTPEvent(req *sftp.Request, reqErr error) {
 	} else if reqErr != nil {
 		h.logger.DebugContext(req.Context(), "failed handling SFTP request", "request", req.Method, "error", reqErr)
 	}
-	event.ServerMetadata = h.scx.GetServer().TargetMetadata()
+	event.ServerMetadata = h.scx.GetServer().EventMetadata()
 	event.SessionMetadata = h.scx.GetSessionMetadata()
 	event.UserMetadata = h.scx.Identity.GetUserMetadata()
 	event.ConnectionMetadata = apievents.ConnectionMetadata{