Convert RegisterUsingToken RPC from HTTP to gRPC (#47853)

* Add proto changews for shifting RegisterUsingToken to gRPC * Implement RegisterUsingToken RPC and client fallback * Add methods to `api/client` * Adjust join/register code to try new API first and fallback to old * Rejig JoinServerGRPCServer to invoke auth.Server * Tidy up some code duplication * Fix broken build * Fix TestRegisterBot_RemoteAddr * Fix TestServer_RegisterUsingTPMMethod * Add test for new RegisterUsingToken gRPC RPC * Remove unused helper function * Fix test * Walk back switch to gRPC endpoint for registration via proxy * Remove unused code
gravitational · Oct 24, 2024 · bad3497 · bad3497
1 parent 1396179
commit bad3497
Show file tree

Hide file tree

Showing 18 changed files with 310 additions and 156 deletions.
diff --git a/api/client/joinservice.go b/api/client/joinservice.go
@@ -22,6 +22,7 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/types"
 )
 
 // JoinServiceClient is a client for the JoinService, which runs on both the
@@ -200,3 +201,13 @@ func (c *JoinServiceClient) RegisterUsingTPMMethod(
 
 	return certs, nil
 }
+
+// RegisterUsingToken registers the caller using a token and returns signed
+// certs.
+// This is used where a more specific RPC has not been introduced for the join
+// method.
+func (c *JoinServiceClient) RegisterUsingToken(
+	ctx context.Context, req *types.RegisterUsingTokenRequest,
+) (*proto.Certs, error) {
+	return c.grpcClient.RegisterUsingToken(ctx, req)
+}
diff --git a/api/client/proto/joinservice.pb.go b/api/client/proto/joinservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/joinservice.proto b/api/proto/teleport/legacy/client/proto/joinservice.proto
@@ -173,4 +173,7 @@ service JoinService {
   // RegisterUsingTPMMethod allows registration of a new agent or Bot to the
   // cluster using a known TPM.
   rpc RegisterUsingTPMMethod(stream RegisterUsingTPMMethodRequest) returns (stream RegisterUsingTPMMethodResponse);
+  // RegisterUsingToken is used to register a new node to the cluster using one
+  // of the legacy join methods which do not yet have their own gRPC method.
+  rpc RegisterUsingToken(types.RegisterUsingTokenRequest) returns (Certs);
 }
diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
@@ -141,6 +141,7 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
 	srv.POST("/:version/trustedclusters/validate", srv.WithAuth(srv.validateTrustedCluster))
 
 	// Tokens
+	// TODO(strideynet): REMOVE IN 18.0.0 - this method is now gRPC
 	srv.POST("/:version/tokens/register", srv.WithAuth(srv.registerUsingToken))
 
 	// Namespaces
@@ -489,6 +490,7 @@ func rawMessage(data []byte, err error) (interface{}, error) {
 	return &m, nil
 }
 
+// TODO(strideynet): REMOVE IN v18.0.0
 func (s *APIServer) registerUsingToken(auth *ServerWithRoles, w http.ResponseWriter, r *http.Request, _ httprouter.Params, version string) (interface{}, error) {
 	var req types.RegisterUsingTokenRequest
 	if err := httplib.ReadJSON(r, &req); err != nil {

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -573,6 +573,11 @@ func (a *ServerWithRoles) GetClusterCACert(
 	return a.authServer.GetClusterCACert(ctx)
 }
 
+// Deprecated: This method only exists to service the RegisterUsingToken HTTP
+// RPC, which has been replaced by an RPC on the JoinServiceServer.
+// JoinServiceServer directly invokes auth.Server and performs its own checks
+// on metadata.
+// TODO(strideynet): DELETE IN V18.0.0
 func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error) {
 	isProxy := a.hasBuiltinRole(types.RoleProxy)
 
@@ -615,48 +620,6 @@ func (a *ServerWithRoles) RegisterUsingToken(ctx context.Context, req *types.Reg
 	return a.authServer.RegisterUsingToken(ctx, req)
 }
 
-// RegisterUsingIAMMethod registers the caller using the IAM join method and
-// returns signed certs to join the cluster.
-//
-// See (*Server).RegisterUsingIAMMethod for further documentation.
-//
-// This wrapper does not do any extra authz checks, as the register method has
-// its own authz mechanism.
-func (a *ServerWithRoles) RegisterUsingIAMMethod(ctx context.Context, challengeResponse client.RegisterIAMChallengeResponseFunc) (*proto.Certs, error) {
-	certs, err := a.authServer.RegisterUsingIAMMethod(ctx, challengeResponse)
-	return certs, trace.Wrap(err)
-}
-
-// RegisterUsingAzureMethod registers the caller using the Azure join method and
-// returns signed certs to join the cluster.
-//
-// See (*Server).RegisterUsingAzureMethod for further documentation.
-//
-// This wrapper does not do any extra authz checks, as the register method has
-// its own authz mechanism.
-func (a *ServerWithRoles) RegisterUsingAzureMethod(ctx context.Context, challengeResponse client.RegisterAzureChallengeResponseFunc) (*proto.Certs, error) {
-	certs, err := a.authServer.RegisterUsingAzureMethod(ctx, challengeResponse)
-	return certs, trace.Wrap(err)
-}
-
-// RegisterUsingTPMMethod registers the caller using the TPM join method and
-// returns signed certs to join the cluster.
-//
-// See (*Server).RegisterUsingTPMMethod for further documentation.
-//
-// This wrapper does not do any extra authz checks, as the register method has
-// its own authz mechanism.
-func (a *ServerWithRoles) RegisterUsingTPMMethod(
-	ctx context.Context,
-	initReq *proto.RegisterUsingTPMMethodInitialRequest,
-	solveChallenge client.RegisterTPMChallengeResponseFunc,
-) (*proto.Certs, error) {
-	certs, err := a.authServer.registerUsingTPMMethod(
-		ctx, initReq, solveChallenge,
-	)
-	return certs, trace.Wrap(err)
-}
-
 // GenerateHostCerts generates new host certificates (signed
 // by the host certificate authority) for a node.
 func (a *ServerWithRoles) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequest) (*proto.Certs, error) {

diff --git a/lib/auth/authclient/http_client.go b/lib/auth/authclient/http_client.go
@@ -33,7 +33,6 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/breaker"
 	"github.com/gravitational/teleport/api/client"
-	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	tracehttp "github.com/gravitational/teleport/api/observability/tracing/http"
@@ -336,25 +335,6 @@ func (c *HTTPClient) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error) {
 	return &re, nil
 }
 
-// RegisterUsingToken calls the auth service API to register a new node using a registration token
-// which was previously issued via CreateToken/UpsertToken.
-func (c *HTTPClient) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error) {
-	if err := req.CheckAndSetDefaults(); err != nil {
-		return nil, trace.Wrap(err)
-	}
-	out, err := c.PostJSON(ctx, c.Endpoint("tokens", "register"), req)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	var certs proto.Certs
-	if err := json.Unmarshal(out.Bytes(), &certs); err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return &certs, nil
-}
-
 type upsertTunnelConnectionRawReq struct {
 	TunnelConnection json.RawMessage `json:"tunnel_connection"`
 }