

Add teleport networking subprocess for port/agent/x11 forwarding (#…
…43756)

* Add networking subprocess for port and agent forwarding.

* Remove extraneous x11 forwarding logic.

* Add x11 forwarding to the networking subprocess.

* Fix lint.

* Try create host user before starting networking process.

* Resolve comments

* Fix networking process memory leak.

* Run networking subprocess as root but change to user login after PAM call.

* Update agent forwarding socket dir permissions.

* Handle networking requests synchronously to maintain the current PAM context.

* Use user environment in networking process.

* Fix issue with PAM thread state being locked to the main goroutine; Clean up homeDir logic; Fix PAM thread state for xauth commands.

* Selectively handle some networking requests in goroutines.

* Address comments.

* Use an interrupt signal to trigger graceful exit in the networking subprocess.

* Cleanup unix sockets from the child namespace.

* Address comments.

* Remove extraneous network forwarding socket validation.

* Fix tests and lint.

* Re-add networking process done channel to avoid deadlocks on reading unix sockets passed to a dead process.

* Remove broken test.

* Address comments.

* Cleanup; remove unused child error file.

* - Explicility list file paths to clean up at the end of the networking process.
- Use terminate FD instead of interrupt to signal the process to exit.
- Log errors from the parent process.
- Read networking request response without goroutine.

* Cleanup.

* Make request socket a stream.

* Remove extraneous Chmod.

* Send request level error to request conn.

* Don't unlink unix sockets from the parent process.

* Read full error message from stream.

* Remove remaining logs in child process.

* Fix typos.

* web: support SAML resource deletion in unified resources view (#44311)

* update SAML app edit mechanism to accomodate both edit and delete functions

* use user saml idp access to disable menu actions

* add comment to ResourceActionButton props

* refactor: SamlAppActionContext to edit and delete Saml application

* address review comments

* Add networking process tests to replace old tests.

* Don't close remote file descriptor before the child process has a chance to connect to it.

* Fix lint; skip broken test.

* Disable broken test and restore older test to cover for it.

* Remove unused agent forwarding test.

* Fix lint, replace broken test.

* Fix old test that used testify/require in goroutine.

* Close request context immediately to avoid deadlock (extended timeout) on reading from the closed process.

---------

Co-authored-by: Sakshyam Shah <[email protected]>
Joerger and flyinghermit authored Aug 13, 2024
1 parent 8d12347 commit d26ca00
Showing 25 changed files with 1,035 additions and 1,519 deletions.
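--- a/constants.go
+++ b/constants.go
@@ -839,13 +839,10 @@ const (
 // command execution (exec and shells).
 ExecSubCommand = "exec"
 
-// LocalForwardSubCommand is the sub-command Teleport uses to re-exec itself
-// for local port forwarding.
-LocalForwardSubCommand = "forwardv2"
-
-// RemoteForwardSubCommand is the sub-command Teleport uses to re-exec itself
-// for remote port forwarding.
-RemoteForwardSubCommand = "remoteforward"
+// NetworkingSubCommand is the sub-command Teleport uses to re-exec itself
+// for networking operations. e.g. local/remote port forwarding, agent forwarding,
+// or x11 forwarding.
+NetworkingSubCommand = "networking"
 
 // CheckHomeDirSubCommand is the sub-command Teleport uses to re-exec itself
 // to check if the user's home directory exists.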
85 changes: 0 additions & 85 deletions integration/agent_forwarding_test.go

This file was deleted.

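--- a/integration/helpers/helpers.go
+++ b/integration/helpers/helpers.go
@@ -140,7 +140,7 @@ func ExternalSSHCommand(o CommandOptions) (*exec.Cmd, error) {
 
 // CreateAgent creates a SSH agent with the passed in key ring that can be used
 // in tests. This is useful so tests don't clobber your system agent.
-func CreateAgent(me *user.User, keyRing *client.KeyRing) (*teleagent.AgentServer, string, string, error) {
+func CreateAgent(keyRing *client.KeyRing) (*teleagent.AgentServer, string, string, error) {
 // create a path to the unix socket
 sockDirName := "int-test"
 sockName := "agent.sock"
@@ -165,7 +165,7 @@ func CreateAgent(me *user.User, keyRing *client.KeyRing) (*teleagent.AgentServer
 })
 
 // start the SSH agent
-err = teleAgent.ListenUnixSocket(sockDirName, sockName, me)
+err = teleAgent.ListenUnixSocket(sockDirName, sockName, nil)
 if err != nil {
 return nil, "", "", trace.Wrap(err)
 }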
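Review bot: The bare `nil` now passed as the third argument of `ListenUnixSocket` in the second hunk is unexplained, whereas the removed `me` made the intended socket owner explicit. Because this helper creates the agent socket that the integration tests connect to, ownership and permissions of that socket matter, and a nil user presumably leaves it owned by the test process itself, but that has to be confirmed against `ListenUnixSocket`. A one-line comment on the call would save the next reader that lookup, e.g. `// nil user: the socket stays owned by the current process; the test runs as that user.` The body of CreateAgent continues outside both hunks.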
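--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -4535,7 +4535,7 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) {
 require.NoError(t, err)
 
 // Start (and defer close) a agent that runs during this integration test.
-teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(suite.Me, &creds.KeyRing)
+teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(&creds.KeyRing)
 require.NoError(t, err)
 defer helpers.CloseAgent(teleAgent, socketDirPath)
 
@@ -4631,7 +4631,7 @@ func testControlMaster(t *testing.T, suite *integrationTestSuite) {
 require.NoError(t, err)
 
 // Start (and defer close) a agent that runs during this integration test.
-teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(suite.Me, &creds.KeyRing)
+teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(&creds.KeyRing)
 require.NoError(t, err)
 defer helpers.CloseAgent(teleAgent, socketDirPath)
 
@@ -4728,7 +4728,7 @@ func testX11Forwarding(t *testing.T, suite *integrationTestSuite) {
 require.NoError(t, err)
 
 // Start an agent that runs during this integration test.
-teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(suite.Me, &creds.KeyRing)
+teleAgent, socketDirPath, socketPath, err := helpers.CreateAgent(&creds.KeyRing)
 require.NoError(t, err)
 t.Cleanup(func() { helpers.CloseAgent(teleAgent, socketDirPath) })
 
@@ -4746,7 +4746,7 @@ func testX11Forwarding(t *testing.T, suite *integrationTestSuite) {
 }
 
 // Create and run an exec command twice. When ControlPath is set, this will cause
-// re-use of the connection and creation of two sessions within the connection.
+// re-use of the connection and creation of two sessions within the connection.
 for i := 0; i < 2; i++ {
 execCmd, err := helpers.ExternalSSHCommand(helpers.CommandOptions{
 ForcePTY: true,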
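--- a/lib/client/x11_session.go
+++ b/lib/client/x11_session.go
@@ -29,6 +29,7 @@ import (
 tracessh "github.com/gravitational/teleport/api/observability/tracing/ssh"
 "github.com/gravitational/teleport/lib/sshutils"
 "github.com/gravitational/teleport/lib/sshutils/x11"
+"github.com/gravitational/teleport/lib/utils"
 )
 
 // handleX11Forwarding handles X11 channel requests for the given server session.
@@ -198,7 +199,7 @@ func (ns *NodeSession) serveX11Channels(ctx context.Context, sess *tracessh.Sess
 }
 }()
 
-if err := x11.Forward(ctx, xconn, xchan); err != nil {
+if err := utils.ProxyConn(ctx, xconn, xchan); err != nil {
 log.WithError(err).Debug("Encountered error during X11 forwarding")
 }
 })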
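Review bot: The changed line in the second hunk swaps the X11-specific `x11.Forward` for the generic `utils.ProxyConn`, but the log right below it still treats every non-nil return as a forwarding failure; if ProxyConn reports a normal peer close or context cancellation as an error (its contract is not visible here), each X11 session teardown will now emit that debug line. It is also worth confirming that ProxyConn's close and half-close handling of the ssh channel side matches what x11.Forward did, since the deferred cleanup just above the change (visible only as `}()`) may rely on the forwarder closing both ends. If benign terminations turn out to be reported as errors, filter them before logging, e.g. `if err := utils.ProxyConn(ctx, xconn, xchan); err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, context.Canceled) {`. serveX11Channels begins outside the hunk.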
