[v18] Proxy Recording fixes #61246

Merged: Joerger merged 5 commits into branch/v18 from joerger/v18/proxy-recording-fixes on Dec 3, 2025

@Joerger Joerger commented Nov 11, 2025

Changelog: Fix a bug in Proxy recording mode where Teleport Node sessions would result in duplicate audit events with a different session ID.

Backport #58707, #59610, #59206, #59850 to branch/v18

I decided to backport these together so that I can manually test them all together, since many of the changes overlap and build upon each other.

Manual Tests

Last run: 2c50e61

  • Proxy recording mode:
    • Teleport Node
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • No duplicate events
        • These events should have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)
    • Teleport Node (tunnel / different process)
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • No duplicate events
        • These events should have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)
    • Agentless Node
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • These events should have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)
  • Node recording mode:
    • Teleport Node
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • These events should not have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)
    • Teleport Node (tunnel / different process)
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • No duplicate events
        • These events should not have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)
    • Agentless Node
      • Start a session and use teleport status to get the session ID. It should appear in the session list (e.g. tsh session ls).
      • End the session. Observe session start, end, data, and leave events are emitted with the same session ID.
        • These events should have the forwarded_by and recording_mode: proxy fields.
        • Other event fields should reference the target node (addr.local, server_id, server_addr)

Backwards compatibility:

Proxy | Node | Mismatched ID w/ tracker | Duplicate events
new   | new  | no                      | no
new   | old  | no                      | yes
old   | new  | yes                     | no
old   | old  | yes                     | yes

Teleport Cloud smoke tests:

  • Connect to Teleport Node, check session recording and audit log for expected results
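
The audit-event checks in the manual test list above can be automated over an exported event stream. The following is an added example, not code from this pull request or from Teleport; it assumes events are exported as one JSON object per line, that the event type and session ID live under the keys "event" and "sid", and that the session has a single participant. The helper name CheckSession is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample, not real Teleport output: one JSON audit event per line.
// The "event" and "sid" key names are assumptions about the export format.
const fixedSample = `{"event":"session.start","sid":"s-1","forwarded_by":"proxy-a","recording_mode":"proxy"}
{"event":"session.data","sid":"s-1","forwarded_by":"proxy-a","recording_mode":"proxy"}
{"event":"session.leave","sid":"s-1","forwarded_by":"proxy-a","recording_mode":"proxy"}
{"event":"session.end","sid":"s-1","forwarded_by":"proxy-a","recording_mode":"proxy"}`

// The changelog symptom: a duplicate session.start under a different session ID.
const buggySample = fixedSample + "\n" + `{"event":"session.start","sid":"s-2"}`

// CheckSession lists checklist violations for one single-participant session.
func CheckSession(ndjson string, proxyMode bool) []string {
	var problems []string
	sids, seen := map[string]bool{}, map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev map[string]any
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			problems = append(problems, "unparseable event: "+err.Error())
			continue
		}
		typ := fmt.Sprint(ev["event"])
		sids[fmt.Sprint(ev["sid"])] = true
		seen[typ]++
		_, fwd := ev["forwarded_by"]
		if mode := ev["recording_mode"] == "proxy"; fwd != proxyMode || mode != proxyMode {
			problems = append(problems, typ+": proxy fields do not match recording mode")
		}
	}
	if len(sids) != 1 {
		problems = append(problems, fmt.Sprintf("%d distinct session IDs", len(sids)))
	}
	for _, typ := range []string{"session.start", "session.leave", "session.end"} {
		if seen[typ] != 1 {
			problems = append(problems, fmt.Sprintf("%s emitted %d times", typ, seen[typ]))
		}
	}
	return problems
}

func main() {
	fmt.Println(CheckSession(fixedSample, true), CheckSession(buggySample, true))
}
```

Pass proxyMode=false for the node recording mode cases, where the checklist expects the proxy fields to be absent.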

@Joerger Joerger force-pushed the joerger/v18/proxy-recording-fixes branch 2 times, most recently from 9873b1c to 2c50e61 November 17, 2025 18:56
@Joerger Joerger marked this pull request as ready for review November 17, 2025 22:40
@github-actions github-actions bot requested review from rosstimothy and zmb3 November 17, 2025 22:41
Joerger and others added 4 commits November 24, 2025 10:52
…th synchronous `envs@goteleport.com` requests (#59206)
* Generalize PrepareToReceiveSessionID.

* Initialize session ID in the connection context and update it from node current-session-id request.

* Add session-id-query-v2@goteleport.com request and ensure new session ID is correctly set in proxy recording mode during the channel request.

* Replace PrepareToReceiveSessionID with simpler in-place logic.

* Don't emit session events or tracker when proxy forwarding to a Teleport Node.

* Fix missing session tracker for outdated Teleport Node.

* Remove extra major version grace period.

* Update integration test.

* Cleanup current session ID handling and fix failing tests.

* Fix tests.

* Address comments.

* Restructure currentSessionID handling.

* Set newSessionID in test server context.

* Fix integration test.

* Fix AuditOn integration test.

* Address comment on channel close.

* Track session on forwarding node.

* Fix web shutdown.

* Fix nil pointer dereference in test.

* Fix test flake.

* Fix nil pointer in test.

* Fix test flake.

* Update lib/srv/ctx.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Forwarding Node accepts client connection after receiving preparing session ID from node. This way, the forwarder can reject client connections if there is an issue preparing the session ID (impossible join sessions).

* Remove check for session.data event which may not be emitted in time for the test.

* Address comments.

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
@Joerger Joerger force-pushed the joerger/v18/proxy-recording-fixes branch from 2c50e61 to 8ca4420 November 24, 2025 18:53
@Joerger Joerger enabled auto-merge November 24, 2025 18:53
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from zmb3 November 24, 2025 18:53
@Joerger Joerger disabled auto-merge November 24, 2025 21:00
@Joerger Joerger enabled auto-merge December 3, 2025 18:24
@Joerger Joerger added this pull request to the merge queue Dec 3, 2025
Merged via the queue into branch/v18 with commit 6364c3d Dec 3, 2025
40 checks passed
@Joerger Joerger deleted the joerger/v18/proxy-recording-fixes branch December 3, 2025 19:43
@aadc-dev aadc-dev mentioned this pull request Dec 4, 2025