MFA for App Access - tsh for cloud apps (#40985) (#43334)

* Add generic app proxy implementation. * Incorporate forwarding proxy in generic app proxy. * Utilize cert checker middleware for http local proxies. * Use generalized local proxy app for aws. * Use generalized local proxy app for azure. * Use generalized local proxy app for gcp. * Refactor, simplify, and unify app logic logic for app, proxy app, and cloud commands. * * Load existing app certs before reissuing new certs for proxy app commands * Fix the same intended functionality for tsh proxy db * Fix hardware key test for tsh app login. * Remove unused code. * Fix merge conflict. * Address Gavin's comments. * Restore RetryWithRelogin for app commands by making missing profile status a retryable error; cache profile status in appInfo. * Address Tim's comments. * Remove read lock. * Add tests to CertChecker and LocalCertGenerator. * Fix lint.
gravitational · Jun 21, 2024 · 2520a57 · 2520a57
1 parent 1262019
commit 2520a57
Show file tree

Hide file tree

Showing 21 changed files with 1,132 additions and 1,125 deletions.
diff --git a/integration/proxy/proxy_helpers.go b/integration/proxy/proxy_helpers.go
@@ -531,12 +531,7 @@ func mustStartALPNLocalProxyWithConfig(t *testing.T, config alpnproxy.LocalProxy
 	})
 
 	go func() {
-		var err error
-		if config.HTTPMiddleware == nil {
-			err = lp.Start(context.Background())
-		} else {
-			err = lp.StartHTTPAccessProxy(context.Background())
-		}
+		err := lp.Start(context.Background())
 		assert.NoError(t, err)
 	}()
 	return lp

diff --git a/lib/client/api.go b/lib/client/api.go
@@ -593,7 +593,7 @@ func RetryWithRelogin(ctx context.Context, tc *TeleportClient, fn func() error,
 	case utils.IsPredicateError(fnErr):
 		return trace.Wrap(utils.PredicateError{Err: fnErr})
 	case tc.NonInteractive:
-		return trace.Wrap(fnErr)
+		return trace.Wrap(fnErr, "cannot relogin in non-interactive session")
 	case !IsErrorResolvableWithRelogin(fnErr):
 		return trace.Wrap(fnErr)
 	}

diff --git a/lib/client/client_store.go b/lib/client/client_store.go
@@ -82,14 +82,21 @@ func (s *Store) AddKey(key *Key) error {
 	return nil
 }
 
-// ErrNoCredentials is returned by the client store when a specific key is not found.
-// This error can be used to determine whether a client should retrieve new credentials,
-// like how it is used with lib/client.RetryWithRelogin.
-var ErrNoCredentials = trace.NotFound("no credentials")
+var (
+	// ErrNoCredentials is returned by the client store when a specific key is not found.
+	// This error can be used to determine whether a client should retrieve new credentials,
+	// like how it is used with lib/client.RetryWithRelogin.
+	ErrNoCredentials = &trace.NotFoundError{Message: "no credentials"}
 
-// IsNoCredentialsError returns whether the given error is an ErrNoCredentials error.
+	// ErrNoProfile is returned by the client store when a specific profile is not found.
+	// This error can be used to determine whether a client should retrieve new credentials,
+	// like how it is used with lib/client.RetryWithRelogin.
+	ErrNoProfile = &trace.NotFoundError{Message: "no profile"}
+)
+
+// IsNoCredentialsError returns whether the given error implies that the user should retrieve new credentials.
 func IsNoCredentialsError(err error) bool {
-	return errors.Is(err, ErrNoCredentials)
+	return errors.Is(err, ErrNoCredentials) || errors.Is(err, ErrNoProfile)
 }
 
 // GetKey gets the requested key with trusted the requested certificates. The key's
@@ -161,6 +168,9 @@ func (s *Store) ReadProfileStatus(profileName string) (*ProfileStatus, error) {
 
 	profile, err := s.GetProfile(profileName)
 	if err != nil {
+		if trace.IsNotFound(err) {
+			return nil, trace.Wrap(ErrNoProfile, err.Error())
+		}
 		return nil, trace.Wrap(err)
 	}
 	idx := KeyIndex{